Another Stuxnet Post

Larry Constantine disputes David Sanger's book about Stuxnet:

So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec shows that, in fact, it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other. Secondly, it couldn't have escaped over the Internet, as Sanger's account maintains, because it never had that capability built into it: It can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a close chain. Another thing that Sanger got wrong ... was the notion that the worm escaped when an engineer connected his computer to the PLCs that were controlling the centrifuges and his computer became infected, which then later spread over the Internet. This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn't have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible. In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis' fault that suddenly allowed it to get onto the Internet because it no longer recognized its environment. Anybody who works in the field knows that this doesn't quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn't discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda.

EDITED TO ADD (9/14): Comment from Larry Constantine.

Posted on September 10, 2012 at 6:51 AM • 22 Comments

Comments

Danny Moules • September 10, 2012 8:15 AM

Derp. If we assume his foreign policy reporting is as inaccurate, then it's no surprise he keeps winning honours and awards. Embellishment without evidence is exactly what you want to succeed in that domain. It's hard to believe this is a 'blip' -

It's so utterly failtastic it reeks of both being happily misleading and happily misled.

Herp • September 10, 2012 8:30 AM

Stuxnet: Leaks or Lies?

Makes Romney sound, again, like an empty suit: "This conduct is contemptible. It compromises our men and women in the field. Whoever provided classified information to the media, seeking political advantage for the administration, must be exposed, dismissed and punished."

hoodathunkit • September 10, 2012 9:19 AM

[devil's advocate again]
Anytime —anytime— writers are dealing with 'confidential sources', insider information, and leaks, there is a high probability of misinformation. Insider leakers may not know all the details and 'fill in' to keep from appearing ignorant. More likely is deception, the misinformation machine never stops.

Assuming the worm was spread by LAN or media only (claimed above) there's still a probability of escape. Germany had 15 infections back when. But it doesn't explain the huge number of Indonesia and India infections. There is the possibility of Iran (targeted) deliberately spreading it to draw attention and discredit the makers; but why those countries? There is also the possibility of insider sabotage —a mole in the US or Israel— who spread it for the same reason.


Gordon • September 10, 2012 9:44 AM

Constantine seems to be pushing an agenda as much as he claims that the book's author is. Stating that something cannot propagate over The Internet as it can only spread via LAN is peculiar. He goes on to justify his distinction by suggesting that Internet propagation implies to him vectors as wide as e-mail or web traffic, but the justification is based on semantics and is as technically woolly as the language that he criticises. Likewise, had somebody connected a system to the PLCs, they would likely be connected to the LAN on which the greater Stuxnet infector resided. Constantine is clearly an intelligent enough chap to understand that this could be how such a connection was established and yet he chooses to distract the reader from such an interpretation.

Yes, it's clear that the author used language that was rather vague in technical terms - something that's sadly common in most mainstream accounts of computer crime. However, Constantine appears to be deliberately using those imprecisions to conflate the author's work into state disinformation and to dress the malware as something so highly targeted as to be unable to cause collateral damage.

One might reasonably wonder if Constantine is a willful carrier of another state message.

Doug Coulter • September 10, 2012 10:06 AM

Yup, two wrongs don't make a right, but two rights make a u turn. Disinfo all around most likely.

Or, even more likely perhaps - ignorance. It's a lot more widespread around the general populace than we'd prefer.

Clive Robinson • September 10, 2012 10:45 AM

I read the article several days ago and I've been mulling it over off and on.

Firstly as others have pointed out neither party is really impartial on the subject and the whiff of blatant self promotion can be smelled, likewise the general populace are somewhat technically illiterate at the best of times (which is not really their fault they have other things to do with their lives, in the same way that most of the "tecnirati" drive cars but could not fix one for love or money). Which is why the parties concerned can get away with it.

But this is far from a unique occurrence, I find much of the news commentary I hear to be flawed these days.

Which is worrying as what becomes accepted history is usually based on the prevalent commentary at the time as seen twenty, thirty or a hundred years later, when judgment appears in many cases to be based on quantity of comment not its quality.

It's sad but due to the pressures of instant news much that we hear or see on the news is actually far from being the truth. Thus as with many things it has become a race to the bottom where bottom feeders churn the dirt and the first casualty is truth that quality reporting brings.

Ask yourself a simple question, "Do you think that Watergate would get reported if it happened today?"

Figureitout • September 10, 2012 2:11 PM

lol Bruce.."Another stuxnet post".

From the article: Now, it did have the capability of exploiting a hole in what’s called “remote procedure calls,” which—I don’t know the details—but might allow it, for example, to do something over a virtual private network.

--That's a confident statement, eh?

To me, it seems as though our national security apparatus wants us to have nightmares over what's possible; scare tactics. If anyone's ever met a "secret squirrel", you know they love to think that you're thinking "wth?!". If you've ever spotted them, then you also know they live for the eye-to-eye glare of their targets.

The concerns posters have brought up, is again, trust. You can't escape how important it is, and you can't escape all the lies, thus to verify the truth becomes a daunting task.

As an aside, does anyone crack up at the side stories in the article? The one that got me was the "smart meter fires".

@Clive

You ever notice how a news story typically has exactly the same words, in very similar or exactly the same order, across pretty much all news sites?

I have practically no respect for most journalists so I won't continue.

To answer your question, "no".

Rookie • September 10, 2012 3:50 PM

@Clive Robinson
Ask yourself a simple question: "Do you think that Watergate would get reported if it happened today?"

I understand what you're saying about the reporting in this particular piece, and how reporting is often a race to the bottom where spin, innuendo, and assumptions take the place of hard facts. Most Edward R. Murrow wannabes look for shortcuts rather than depend on solid reporting to make a name for themselves.

That being said, I don't understand what I believe you are giving as a rhetorical question. Conspiracies like Watergate are actually very hard to keep secret, and despite the US sometimes suffering from shoddy reporting, we certainly don't lack for the quantity of reporting.

Yes, absolutely, Watergate would get reported today...ad nauseam, 7x24, with lurid details, panel discussions, talking heads, and self-described experts telling us "what it all means."

John Hardin • September 10, 2012 5:03 PM

@Clive:

Do you think that Watergate would get reported if it happened today?

For your consideration I present the mainstream media's minimization of and attempt to ignore to death the BATF Fast and Furious scandal which, unlike Watergate, actually got people killed.

In answer to your question, whether a government scandal gets effectively reported depends entirely on which party would be embarrassed/impeached.

Clive Robinson • September 10, 2012 5:12 PM

@ Rookie,

That being said, I don't understand what I believe you are giving as a rhetorical question

With hindsight I agree I could have put it better, what I was actually thinking about was the quality of journalism displayed and how the integrity of the reporting won through despite the administration's attempt to discredit the journalists and the paper.

As has been noted by @ Figureitout, I would not accept the words pushed by most modern journalists as anything other than an attempt "to put squirrels in my head" or regurgitate the attempts of others to do so.

Sadly most modern journalism (if you could call it that) is nowhere near acceptable for a "school paper" let alone a National or International paper, but that is what it has come to these days...

Michael Lynn • September 10, 2012 10:11 PM

@Muhammad Naveed Khurshid

"Remember one thing dear. For every action there is equal and opposite reaction. Get ready for reaction, tomorrow is 9/11 :)"

Do be careful with how you word these things; that sounds perilously close to a threat. And in case you haven't noticed 9/11 is still not a topic which Americans have much of a sense of humor about.

Barton • September 11, 2012 6:49 AM

And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda.

In Soviet Russia, anti-virus programs block you!

Sorry, it was hanging there. Had to take it.

Clive Robinson • September 11, 2012 3:33 PM

@ John Hardin,

For your consideration I present the mainstream media's minimization of and attempt to ignore to death the BATF Fast and Furious scandal which unlike Watergate, actually got people killed.

Ouch, I've looked it up in a few places, and it's real nasty. Not only 150+ Mexicans killed but also a US LEO who is in effect "one of their own", then to make it worse when someone within the Bureau of ATF does the honourable thing and in effect "blows the whistle" the Bureau turns on them and basically blames them as being responsible...

It's really nasty as many of the "semi-auto" weapons identified are fairly easy to convert to full auto either by replacing or bypassing the safety sear. I've seen a practical demonstration of the bypassing of the safety sear on a military range in the UK and it was done with just a matchstick on one of the weapon types mentioned...

What did those ATF think they were doing, where was their basic risk analysis... sometimes thinking you've a large pair of steel ones and you can do the John Wayne walk, actually turns out very quickly that you are really just a person with serious follow through issues with the brown stuff running down your legs, which you then shovel up and dump on somebody else's head in the vain hope you can still appear "lily white" to those above...

John Hardin • September 11, 2012 8:27 PM

@Clive:

There is evidence that "what they were thinking" was "inflate the numbers of traceable-to-US-gun-store firearms recovered at Mexican crime scenes to provide justification for more gun control laws in the US".

Lots of details you'll never hear from the mainstream media starting here.

Chris Lawson • September 11, 2012 10:20 PM

@John: as a general rule, stupidity or incompetence is a better explanation than conspiratorial malice...especially as the guns were intended to be traceable to Gunrunner, which means the blame was always going to point back to Gunrunner. I think it's more likely that this was a monumental cockup.

I also have to question the reliability of the info source you're pointing to. For instance, the page titled "ATF source confirms 'walking' guns to Mexico to 'pad' statistics" contains not a single reference to any source making any such quote. The author marks the accusation with a hyperlink that takes you to another page that also contains an accusation of "padding" from a "confirmed source" that is supported only by a link to yet another page...that plays the same linking trick. The author clearly has no such quote from a confirmed source or he would have just posted it instead of creating a tangle of links that promise to point to the actual quote but really just go around in circles.

Larry Constantine (Lior Samson) • September 12, 2012 12:10 PM

Thanks, Bruce, for posting the excerpt and link and helping to stir up the discussion. To answer the posts collectively: (1) Yes, I have an agenda, and (2) yes, I may also have some of the details wrong.

On (1), my immediate agenda is fairly straightforward. I approached reporters and editorial departments at numerous mainstream print and online media with a plea to follow up on this story and dig deeper into Sanger's claims--not just on the Stuxnet details. Not one would pick up on the story. Sanger seems to be getting a free pass from the press on a body of claims that deserves closer scrutiny and greater skepticism. That studied indifference is in itself interesting and definitely not in the public interest.

(2) I have experience in industrial automation (I helped design part of the Siemens STEP 7 series of PLC programming tools), but am not an expert on industrial control systems or industrial security. I'm just waving a flag that calls a narrative into question.

@Gordon, specifically, I would refer to the Symantec dossier on Stuxnet, which catalogs and details the exploits used by Stuxnet for infection. In my reading, none of them could work over the Internet, although maybe I am mistaken. The fact is that all the infections were in close clusters, not widely scattered, despite the worm being characterized by the forensic analysts as "promiscuous."

It is particularly odd to claim that "had somebody connected a system to the PLCs, they would likely be connected to the LAN on which the greater Stuxnet infector resided." This never happens in industrial control installations and certainly not in secure facilities like Natanz. Any computer connected to the PLC is, at the time, isolated from all other connections, part of the (ineffective) "air gap" security practiced in industrial automation. My main point was that the infection cannot actually go from the PLC to a connected PC, such as an engineering workstation, and I still stand by that.

Was Sanger just using sloppy language? Possibly, but that, too, is a journalistic failure. Is this merely inconsequential detail? Perhaps, but then we wonder about other "inconsequential details" being muddled or misrepresented.

I mentioned potentially deliberate disinformation as only one possibility. I really do not know what is going on and, unlike Sanger, claim no special inside access. As to dressing Stuxnet as precision targeted malware, that's not my assertion; that case has been demonstrated beyond reasonable doubt by Ralph Langner, Symantec, Kaspersky, and others. And Sanger is not the only one with inside information to attribute authorship of Stuxnet to U.S. and Israeli intelligence. (See Raviv and Melman's new book, Spies Against Armageddon.)

"One might reasonably wonder if Constantine is a willful carrier of another state message." ROFL!

I do hope some enterprising, muckraking reporter looks into various of Sanger's claims. I for one would like to know more of what the real story is. I have a very long interest in the topic of the vulnerability of industrial control systems, which is why I made that the subject of one of my novels (Web Games), hoping to raise the public profile of the issue. I have also written professionally about the subject.

For that reason, this and other threads on the subject are definitely doing a public service. Keep up the good work and spread the word.

Muhammad Naveed Khurshid • September 16, 2012 2:59 AM

@Michael Lynn Remember, I told and warned that "For every action there is equal and opposite reaction. Get ready for reaction, tomorrow is 9/11 :)". You considered my words as a threat. Fair enough. On 11th September, Christopher Stevens, an Ambassador of U.S.A to Libya was assassinated together with three embassy staff members. Still people did not understand the meaning of opposite and equal reaction... They took another action of anti-Islam film. I think, those people have seen its reaction around the world...

What the hell do they want? What are their intentions? What are their motives? Why they are planning things against the religion Islam and Islamic countries? Do you want a proof of a former FBI informant who said, "The war of terror is not a war on terrorism, in fact, it is a war on Islam" Mosque Infiltration - FBI informant on dirty spy tactics.

Look what Terry Jones had done with Islam's holy book. I think people have seen its reaction...

@Larry Constantine Think, who stopped them from picking up that story? It's the fear of their own country intelligence... I know you are also one of those who fear to write on Stuxnet. I know you lied that you have no understanding about industrial security system. How do I know that you lied? Because, if you were really unaware of industrial security system, you would not know Schneier and you won't comment on his blog. Your comments, words and practices did not match. I am sorry to say once again that you are a liar...

@Schneier @Clive You already know your own reality as mentioned by me in my earlier blog comments...
