Fartashphoto's Blog

Stuxnet is something of a different beast

Posted in Uncategorized by fartashphoto on December 17, 2010

Damage from the Stuxnet virus has apparently set back the Iranian nuclear program by as much as two years, according to a German security expert talking to the Jerusalem Post. This makes the virus as effective as a military strike—but without loss of life or risk of full-blown war.

This comes amid claims that the virus is continuing to infect Iranian systems and disrupt the Iranian nuclear effort, and the news from the IAEA last month that Iran had suspended work at its nuclear production facilities, likely as a result of the virus.

Speaking to the Post, an expert identified only as “Langer” (we believe the Post likely means Stuxnet expert Ralph Langner, but have not had confirmation at the time of writing) said that due to poor Iranian IT security expertise, the only effective way the country would be able to rid itself of the virus would be through discarding all infected machines. He said that, further, centrifuges would need to be replaced at Iran’s Natanz facility, as might a turbine at Bushehr. Centrifuges operating at between 807Hz and 1210Hz were believed to be a specific target of the virus.

Evidence of continued disruption comes from security firms providing solutions to industrial companies to deal with Stuxnet infections. Eric Byres, an expert from SCADA security firm Tofino Security, told the Post that his company’s website was receiving an increasing number of visits from Iranians in recent weeks, suggesting that dealing with Stuxnet and properly securing industrial automation and control systems was still a problem for the Iranians.

The authorship of Stuxnet remains unknown. In Langer’s view, the complexity means that the Israeli and US governments are likely to be the only groups who could have pulled it off. Indeed, the scale of the program is so expansive that he feels that the project may have been too large for any one country, and that the two governments may have collaborated on development.


Stuxnet Cyber Worm Spreads

Posted in Uncategorized by fartashphoto on November 20, 2010

The Stuxnet computer worm originally designed to target Iran’s nuclear plants has spread around the world in the past few months, and now U.S. security experts are warning that the worm could be modified to attack industrial control systems around the world.

First Cyber Super Weapon

Posted in Uncategorized by fartashphoto on November 19, 2010

The Stuxnet worm, a complicated piece of malware apparently engineered to disrupt Iranian uranium enrichment, could be modified to attack more industries, according to experts speaking to the Senate Homeland Security and Governmental Affairs Committee.

The widespread interconnection of corporate networks and use of SCADA systems means that industrial infrastructure is increasingly vulnerable to software attack. Such control systems are used in virtually every industry—food production, vehicle assembly, chemical manufacturing—and are commonly exposed to insecure networks. This leaves them vulnerable to tampering, such as with Stuxnet, as well as intellectual property theft.

The Stuxnet worm was both complex, using a range of techniques to infect machines and spread through networks, and carefully targeted, with a payload specifically designed to attack Siemens SCADA software. Together, these properties make it uniquely dangerous. Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the committee that the “implications of Stuxnet are beyond any threat we have seen in the past.”

“The reality is that the current, porous state of our nation’s infrastructure means that it wouldn’t take malware as robust and sophisticated as Stuxnet to cripple many of our critical systems.” The committee continued, “Stuxnet has some 4,000 functions; by comparison, the software that runs the average email server has 2,000 functions. Stuxnet can even update itself automatically.”

Of the 44,000 known cases of Stuxnet infection, 60 percent are in Iran. As many as 1,600 computers in the United States have been infected. Stuxnet targets computers that use the Windows operating system and can do many things. Sean McGurk of the Department of Homeland Security summed up Stuxnet as a dangerous virus that appears invisible.

“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate…everything is running as expected.”

The Stuxnet worm traced to the Bible!

Posted in Uncategorized by fartashphoto on September 30, 2010

Stuxnet, a computer virus designed to attack industrial-control systems from Siemens AG, has hit the computers of 6 million individuals and nearly 1,000 enterprises in China, the state-run Xinhua News Agency reported Wednesday, in the latest sign of the spread of the virus.

Iranian officials this week said the virus had infected computer systems at Iran’s first nuclear-power plant.

Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them.

That use of the word “Myrtus” — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment.

Then there is the allusion to myrtus — which may be telling, or may be a red herring.

Several of the teams of computer security researchers who have been dissecting the software found a text string that suggests that the attackers named their project Myrtus. The guava fruit is part of the Myrtus family, and one of the code modules is identified as Guava.

But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel.

“The Iranians are already paranoid about the fact that some of their scientists have defected and several of their secret nuclear sites have been revealed,” one former intelligence official who still works on Iran issues said recently. “Whatever the origin and purpose of Stuxnet, it ramps up the psychological pressure.”

The reports on Iran show a fairly steady drop in the number of centrifuges used to enrich uranium at the main Natanz plant. After reaching a peak of 4,920 machines in May 2009, the numbers declined to 3,772 centrifuges this past August, the most recent reporting period. That is a decline of 23 percent.

It was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.

“If you read the Bible you can make a guess,” said Mr. Langner, in a telephone interview from Germany.

The Stuxnet has infected 30,000 computers in Iran

Posted in Uncategorized by fartashphoto on September 26, 2010

The Stuxnet computer worm has infected 30,000 computers in Iran but has failed to “cause serious damage,” Iranian officials were quoted as saying on Sunday.

Some 30,000 IP addresses have been infected by Stuxnet so far in Iran, Mahmoud Liayi, head of the information technology council at the ministry of industries, was quoted as saying by the government-run paper Iran Daily.

German computer security researcher Ralph Langner suspected Stuxnet’s target was the Bushehr nuclear facility in Iran, where unspecified problems have been blamed for delays in getting the facility fully operational.

Siemens, however, claims its software has not been installed at the Russian-built plant, and no Iranian official has hinted that nuclear facilities may have been infected by the malware.

“It is likely a (foreign) government project,” given its complexity, Iran’s telecommunications minister, Liayi added without giving further details.

“When Stuxnet is activated, the industrial automation systems start transmitting data about production lines to a main designated destination by the virus. There, the data is processed by the worm’s architects and then engineer plots to attack the country,” Liayi said.

The worm has been found lurking on Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, according to software security researchers.

News Update: Stuxnet Cyber Worm May Infect Iran’s Nuclear Program

Posted in Uncategorized by fartashphoto on September 24, 2010

Cyber security experts warned that Iran’s nuclear program could be the target of a destructive cyber worm, which may be powerful enough to bring down entire industrial installations.

The Stuxnet Worm

Posted in Uncategorized by fartashphoto on September 23, 2010

One of the most sophisticated pieces of malware ever detected was probably targeting “high value” infrastructure in Iran, experts have told the BBC.

Stuxnet’s complexity suggests it could only have been written by a “nation state”, some researchers have claimed.

It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

“The fact that we see so many more infections in Iran than anywhere else in the world makes us think this threat was targeted at Iran and that there was something in Iran that was of very, very high value to whomever wrote it,” Liam O’Murchu of security firm Symantec, who has tracked the worm since it was first detected, told BBC News.

Some have speculated that it could have been aimed at disrupting Iran’s delayed Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

However, the worm has also raised eyebrows because of the complexity of the code used and the fact that it bundled so many different techniques into one payload.

Security researchers are scratching their heads trying to determine the origin of the Stuxnet worm, a piece of malware that targets large industrial control systems. Judging by the way it’s constructed, the information it targets and some of the organizations that have been hit, the worm may have been created by a national government. Others, however, have their doubts.

Nokia and Human Rights Abuses

Posted in Uncategorized by fartashphoto on August 26, 2010

An Iranian journalist is suing phone company Nokia over surveillance technology that helped Iranian authorities track and arrest him.

Isa Saharkhiz was captured and sent to jail more than a year ago, and his family say he has broken ribs from severe beatings.

The journalist was charged with trying to overthrow the Iranian government because of an article he wrote during last year’s opposition protests.

Although Saharkhiz left Tehran and went into hiding, authorities managed to track him down after he turned on his Nokia mobile phone briefly to give an interview.

Through his son in New York, the journalist is suing Nokia in a US court on the grounds he was beaten and mistreated because the company knowingly sold its surveillance technology to the Iranian regime, which is renowned for its human rights abuses.

“Nokia sold this technology to Iran knowing that it will be used not in the way that it was meant to be,” said Saharkhiz’s son Mehdi.

“We’re talking about a country that all around the world you’re not able to sell airplane spare parts to, but Nokia, for making a few more bucks they’ve risked so many people’s lives.

“We’re hoping to set a precedent so companies like this don’t sell people’s rights to make a few more dollars.”

Nokia has admitted selling the technology to Iran, which it says is a standard feature for law enforcement, but says Iran is to blame for misusing the technology.

It’s quite surprising to actually be writing this; I honestly never pictured Nokia would be in such a situation. From being the No. 1 manufacturer making devices that people liked and looked forward to, things sure have changed. It seems things have just gone downhill for them.

In fact, Nokia should try honestly answering these questions, I know a lot of people who are asking such questions… and if you don’t have an honest answer to even one of them, then you’ve got a problem Nokia!

Siemens SCADA

Posted in Uncategorized by fartashphoto on August 24, 2010

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Siemens wouldn’t say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Siemens has made a program available for detecting and disinfecting malware attacking its software used to control power grids, gas refineries, and factories, but warned that customers who use it could disrupt sensitive plant operations.

The Stuxnet worm is the first publicly identified piece of malware to target SCADA computers, which are used to control things such as manufacturing plants and utility systems. The worm copies itself to other USB systems on the computer and scans for Siemens Simatic WinCC or PCS 7 software. If it finds one of these programs, it tries to upload data from the systems to the Internet. It’s not clear whether any of this has anything to do with Iran’s nuclear program, though that is probable.

Siemens doesn’t know who built the worm, but is investigating and plans to pursue the matter to the “full extent of the law,” the company said on its website.

Siemens has come under blistering criticism for not removing the vulnerability two years ago, when, according to Wired.com, the default password threat first came to light. Some believe that, because of the complexity of the programming, the worm could not have been made by one person alone, and that a team working within an organization must have developed it.