Is Stuxnet the Beginning of the Cyberwar Era?

Published: 2010-09-24
Last Updated: 2010-09-24 20:32:44 UTC
by John Bambenek (Version: 1)
4 comment(s)

Since the news of Stuxnet has reached the popular media, it's probably time for a quick diary on the subject. Secunia has write-ups on two of the unpatched privilege-escalation vulnerabilities that Stuxnet relies on here and here. Symantec also has a series on Stuxnet that you can read up on here. While Stuxnet does use the LNK vulnerability, it existed before that, using other modes of infection (for instance, via USB keys). Another interesting note is that it exploited one of the same vulnerabilities that Conficker did. Among other things, Conficker was a real problem for embedded systems (particularly those embedded systems that ran Windows). Hospitals and health care facilities, for instance, had a lot of trouble with Conficker on their equipment.

One of the working theories is that Stuxnet was designed to attack Iranian facilities and may have had its origin in Israel. It's important to note that initial statistics showed that India and Indonesia made up a higher percentage of compromises than Iran, but by around the end of July Iran had the bulk of infections.

Assuming it is an attempt to attack the Iranian facilities, I suppose it's better to launch a cyberattack than to go all Osirak circa 1981.  But the moral and philosophical implications are probably best for another venue. 

An important thing to note when it comes to cyberwar is that there is a lot of hype that attempts to make this a more dangerous threat than it probably is (at this specific point in time). A healthy dose of skepticism is warranted, in part because with any cyberattack it is very difficult to determine who is really behind the attack or why. Incident responders only have (and can only get) a piece of the information: what the attack attempts to do and the forensic details of that attack. Forensically examining a botnet C&C to determine who was behind it and what happened historically is much more difficult. The reasons for that are as much legal and practical as they are technical. Simply put, most "bad people" know to operate in jurisdictions least likely to cooperate with "the good guys".

What we do know is that many countries and organizations are looking for ways to use electronic infrastructure to cripple opponents, and that this is not a new development. Information systems have always been a rich target for espionage. Sabotage has always been an element of covert warfare as well. In so far as elements of our critical infrastructure depend on and/or are controlled by information systems, electronic sabotage becomes a more real possibility. In the current case, however, Stuxnet being a tool of cyber-sabotage is a theory that fits the facts but is far from the only theory. In short, the jury is still out.

At this point, most common malware detection tools will detect this. However, one of the key infection mechanisms early on was USB keys. A popular method pen-testers use to test an organization is to drop USB keys in a parking lot, send in "free" keys with vendor logos and the like, to get individuals in the organization to plug those keys into the organization's network. This is an easy vector of attack to defeat by employing security education, USB port security and disabling AutoRun. It's trivial to use USB keys and to create custom malware that will bypass all AV. It's also easy (but not trivial) to shut down this vector. For larger organizations, the solution may be to simply distribute your own "branded" USB keys for users to move data around, which may be a proper balance between security and usability.
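As an added example (not code from the diary), a PowerShell helper that audits and applies the two host-side controls named above: disabling AutoRun and, optionally, the USB mass-storage driver. The registry locations are Microsoft's documented policy keys; the script assumes an elevated prompt on a Windows host, and the function names are my own.

```powershell
# Added example: audit and harden the AutoRun and USB-storage settings the diary recommends.
# Assumes an elevated (administrator) PowerShell session on Windows. Not part of the original post.

$AutoRunPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableMediaPosture {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun; 0xFF excludes every type.
    # The usual default (0x91) still honours AutoRun on removable (0x04) and fixed (0x08) drives.
    $autorun = (Get-ItemProperty -Path $AutoRunPolicyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    # USBSTOR Start=4 disables the USB mass-storage driver; 3 (demand start) is the default.
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        AutoRunValue      = $autorun
        AutoRunDisabled   = ($null -ne $autorun) -and (($autorun -band 0xFF) -eq 0xFF)
        UsbStorStart      = $usbstor
        UsbStorageBlocked = ($usbstor -eq 4)
    }
}

function Set-RemovableMediaHardening {
    param([switch]$BlockUsbStorage)   # AutoRun is always disabled; USBSTOR only when requested

    if (-not (Test-Path $AutoRunPolicyKey)) {
        New-Item -Path $AutoRunPolicyKey -Force | Out-Null
    }
    # Weak state: value absent or 0x91. Hardened state: 0xFF, AutoRun off for all drive types.
    Set-ItemProperty -Path $AutoRunPolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    if ($BlockUsbStorage) {
        # Hardened state: the driver never loads, so newly inserted USB disks cannot be mounted.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

$before = Get-RemovableMediaPosture
Write-Host ("Before: AutoRunDisabled={0} UsbStorageBlocked={1}" -f $before.AutoRunDisabled, $before.UsbStorageBlocked)
Set-RemovableMediaHardening            # add -BlockUsbStorage on hosts that never need USB disks
$after = Get-RemovableMediaPosture
Write-Host ("After:  AutoRunDisabled={0} UsbStorageBlocked={1}" -f $after.AutoRunDisabled, $after.UsbStorageBlocked)
```

Run Get-RemovableMediaPosture alone on a fleet (via remoting or a login script) to find hosts still at the weak setting before changing anything.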

--
John Bambenek
bambenek at gmail /dot/ com


Comments

No, it isn't. It is just one more along the way in bringing new weapons to the great game.

Distributing your own branded USB keys for internal use isn't a very good solution, either. People still take them home and put things on them that aren't supposed to be there (like MP3s and malicious PDFs) and the keys get infected and brought back.

Setting up boxen to automatically scan all removable storage devices the moment they are registered helps mitigate this somewhat.

Don't forget the risks posed by MP3 players (I had way too much fun with those when I was a pentester) and smartphones that can be mounted as drives ("Excuse me, can I plug my phone into your USB port? I forgot my charger.")

I run a media encryption system that is designed specifically to counter this threat of USB and external media based malware. The client software scans all media with our AV within a sandbox environment before allowing the device to access the host OS. It also controls access to the device, barring users from executing any software held on the device unless they have been granted permissions from the server.

The software is highly configurable, and if we were to be more paranoid about infection, we can limit access by device ID, user ID and host machine, or any combination of the 3.
In the event of a machine being taken outside the network, we have set the software to commence a full external media lockdown until the machine can communicate with the server, either by re-entry to the network or via VPN.

Everything is logged.

All in all, this severely hampers any attempts to infect our network via external media, essentially requiring a user with highly elevated privileges to be the one who uses the infected stick and for the malware itself not to be detectable by our AV.

The software also allows users to encrypt their devices, meaning that a pre-authorized USB device cannot easily be 'borrowed' and infected without the user's knowledge.

Obviously this alone will not secure a network from attacks, but it is something that any secure network should have. The software is not beyond the budget of any of these large companies, and why they don't use the many media control options available is beyond me!

If the theory about the targeted attack by a Nation-State is correct, then this is still not Cyber-War in my opinion. In war, you know your opponent. You battle head-to-head. In the Internet realm, this could be something like a DoS attack. You see that it's happening (even though you may not know who's behind it).

Stealthily infecting a country with a targeted virus/worm/trojan sounds more like "Cyber-Covert-Action" to me. Think Special Ops commandos stealthily infiltrating to conduct sabotage. It seems to me that Stuxnet would be more Cyber-Covert-Action or Cyber-Special-Ops or whatever you want to call it. But not outright "war".

(Okay, so I quibble over a definition. But with everyone and their mother using Cyber-War to define any sort of "aggressive IT action", I think it's time that we begin defining and using the term properly.)
