Archive for October 5, 2010

Report: 2 years left for solution to Iranian threat

October 5, 2010

Report: 2 years left for solution to Iranian threat – Israel News, Ynetnews.

Senior US advisor believes still time to see if sanctions cause Iranian regime to back down or fall. New York Times: Evaluation unacceptable to Israel

By Yitzhak Benhorin

Published: 10.05.10, 20:04

WASHINGTON – The US government believes there is still a window of two years in which to solve the Iranian nuclear issue by diplomatic means, the New York Times reported Tuesday.

The paper also quoted Gary Samore, special assistant to President Barack Obama and White House Coordinator for Arms Control and Weapons of Mass Destruction, who said to European experts there is still time to check whether sanctions will cause the Iranian regime to back down or even fall.

However, the newspaper also reported that this US evaluation is unacceptable to Israel, Britain and France, whose own evaluations are more urgent regarding the amount of time still available before a military option must be exercised. Furthermore, the newspaper said Israel would almost certainly not wait for the US if Iran goes beyond the “point of no return.”

A poll conducted by the German Marshall Fund reveals that some 68% of Americans and 58% of French citizens prefer military action over accepting a nuclear Iran. This data reflects the growing pressure on Obama, particularly from Jewish members of Congress, to think of the next stage in handling the Iranian nuclear threat.

Meanwhile, the process of tightening sanctions against Iran continues. The Bloomberg network reported Tuesday that sanctions imposed by Japan on the Islamic Republic will reduce the quantity of crude oil exported by Iran by some 25%. Tokyo announced Monday it is suspending its investments in oil and gas in Iran, mainly due to the latest round of sanctions imposed against Iran by the US.

Leading oil companies have joined Japan, including the UK-Dutch firm Shell, the French giant Total, Italy’s ENI and Norway’s Statoil. This means a significant reduction in Iran’s oil exports, a reduction of Iran’s ability to import distillates, a halt to work in existing oil fields and a freeze on development at new oil and gas fields in Iran.

The latest report from the US Government Accountability Office asserts that since the last sanctions law was passed on July 1, only five Chinese companies, one UAE company and one Singaporean company are still selling distillates to Iran despite the embargo. Of the 16 companies investigated, 11 halted all business with Iran immediately (the companies are those with investments of more than $20 million in Iran).

Meanwhile, Naftiran, a subsidiary of Iran’s national oil company, has been added to the blacklist of companies with which the US forbids American firms from doing business. Last week, the Swiss ambassador to Tehran, who handles US interests in the Islamic Republic, was called for talks on this issue.

Stuxnet: Fact vs. theory | InSecurity Complex – CNET News

October 5, 2010

Stuxnet: Fact vs. theory | InSecurity Complex – CNET News.

The Stuxnet worm has taken the computer security world by storm, inspiring talk of a top secret, government-sponsored cyberwar, and of a software program laden with obscure biblical references that call to mind not computer code, but “The Da Vinci Code.”

Stuxnet, which first made headlines in July (CNET FAQ here), is believed to be the first known malware that targets the controls at industrial facilities such as power plants. At the time of its discovery, the assumption was that espionage lay behind the effort, but subsequent analysis by Symantec uncovered the ability of the malware to control plant operations outright, as CNET first reported back in mid-August.


What’s the real story on Stuxnet?

A German security researcher specializing in industrial-control systems suggested in mid-September that Stuxnet may have been created to sabotage a nuclear power plant in Iran. The hype and speculation have only grown from there.

Here’s a breakdown of fact versus theory regarding this intriguing worm.

Theory: The malware was distributed by Israel or the United States in an attempt to interfere with Iran’s nuclear program.

Fact: There’s no hard evidence as to who is behind the malware or even what country or operation was the intended target, though it’s clear most of the infections have been in Iran (about 60 percent, followed by Indonesia at about 18 percent and India at close to 10 percent, according to Symantec). Rather than establishing the target for Stuxnet, that statistic could merely indicate that Iran was less diligent about using security software to protect its systems, said Eric Chien, technical director of Symantec Security Response.

German researcher Ralph Langner speculates that the Bushehr nuclear plant in Iran could be a target because it is believed to run the Siemens software Stuxnet was written to target. Others suspect the target was actually the uranium centrifuges in Natanz, a theory that seems more plausible to Gary McGraw, chief technology officer of Cigital. “Everyone seems to agree that Iran is the target, and data regarding the geography of the infection lends credence to that notion,” he writes.

In July, Wikileaks posted a notice (formerly here, but unavailable at publication time) that said:

Two weeks ago, a source associated with Iran’s nuclear program confidentially told WikiLeaks of a serious, recent, nuclear accident at Natanz. Natanz is the primary location of Iran’s nuclear enrichment program. WikiLeaks had reason to believe the source was credible, however contact with this source was lost. WikiLeaks would not normally mention such an incident without additional confirmation, however according to Iranian media and the BBC, today the head of Iran’s Atomic Energy Organization, Gholam Reza Aghazadeh, has resigned under mysterious circumstances. According to these reports, the resignation was tendered around 20 days ago.

On his blog, Frank Rieger, chief technology officer at security firm GSMK in Berlin, confirmed the resignation through official sources. He also noted that the number of operating centrifuges in Natanz shrank significantly around the time the accident mentioned by Wikileaks purportedly happened, based on data from Iran’s Atom Energy Agency.

An Iranian intelligence official said this weekend that authorities had detained several “spies” connected to cyberattacks against its nuclear program. Iranian officials have said that 30,000 computers were affected in the country as part of “electronic warfare against Iran,” according to The New York Times. Iran’s Mehr news agency quoted a top official in the Ministry of Communications and Information Technology as saying that the effect of “this spy worm in government systems is not serious” and had been “more or less” halted, the Times report said. The project manager at the Bushehr nuclear plant said workers there were trying to remove the malware from several affected computers, though it “has not caused any damage to major systems of the plant,” according to an Associated Press report. Over the weekend, Iran’s Intelligence Minister, commenting on the situation, said a number of “nuclear spies” had been arrested, though he declined to provide further details, according to the Tehran Times.

Specialists have hypothesized that it would take the resources of a nation state to create the software. It uses two forged digital signatures to sneak software onto computers and exploits five different Windows vulnerabilities, four of which are zero-day (two have been patched by Microsoft). Stuxnet also hides code in a rootkit on the infected system and exploits knowledge of a database server password hardcoded into the Siemens software. And it propagates in a number of ways, including through the four Windows holes, peer-to-peer communications, network shares, and USB drives. Stuxnet involves inside knowledge of Siemens WinCC/Step 7 software as it fingerprints a specific industrial control system, uploads an encrypted program, and modifies the code on the Siemens programmable logic controllers (PLCs) that control the automation of industrial processes like pressure valves, water pumps, turbines, and nuclear centrifuges, according to various researchers.

Symantec has reverse engineered the Stuxnet code and uncovered some references that could bolster the argument that Israel was behind the malware, all presented in this report (PDF). But it’s just as likely that the references are red herrings designed to divert attention away from the actual source. Stuxnet, for instance, will not infect a computer if “19790509” is in a registry key. Symantec noted that that could stand for the May 9, 1979 date of a famous execution of a prominent Iranian Jew in Tehran. But it’s also the day a Northwestern University graduate student was injured by a bomb made by the Unabomber. The numbers could also represent a birthday, some other event, or be completely random. There are also references to two file directory names in the code that Symantec said could be Jewish biblical references: “guavas” and “myrtus.” “Myrtus” is the Latin word for “Myrtle,” which was another name for Esther, the Jewish queen who saved her people from death in Persia. But “myrtus” could also stand for “my remote terminal units,” referring to a chip-controlled device that interfaces real-world objects to a distributed control system such as those used in critical infrastructure. “Symantec cautions readers on drawing any attribution conclusions,” the Symantec report says. “Attackers would have the natural desire to implicate another party.”

Theory: Stuxnet is designed to sabotage a plant, or blow something up.

Fact: Through its analysis of the code, Symantec has figured out the intricacies of the files and instructions that Stuxnet injects into the programmable logic controller commands, but Symantec doesn’t have the context of what the software is intended to do, because the outcome depends on the operation and equipment infected. “We know that it says to set this address to this value, but we don’t know what that translates to in the real world,” Chien said. To map what the code does in different environments, Symantec is looking to work with experts who have experience in multiple critical infrastructure industries.

Symantec’s report found the use of “0xDEADF007” to indicate when a process has reached its final state. The report suggests that it may refer to Dead Fool or Dead Foot, which refers to engine failure in an airplane. Even with those hints, it’s unclear whether the suggested intention would be to blow a system up or merely halt its operation.

In a demonstration at the Virus Bulletin Conference in Vancouver late last week, Symantec researcher Liam O’Murchu showed the potential real world effects of Stuxnet. He used an S7-300 PLC device connected to an air pump to program the pump to run for three seconds. He then showed how a Stuxnet-infected PLC could change the operation so the pump ran for 140 seconds instead, which burst an attached balloon in a dramatic climax, according to Threat Post.

Theory: The malware has already done its damage.

Fact: That actually could be the case, and whoever was targeted has simply not disclosed it publicly, experts said. But, again, there’s no evidence of this. The software has definitely been around long enough for lots of things to have happened. Microsoft learned of the Stuxnet vulnerability in early July, but its research indicates that the worm was under development at least a year prior to that, said Jerry Bryant, group manager for Microsoft Response Communications. “However, according to an article that appeared last week in Hacking IT Security Magazine, the Windows Print Spooler vulnerability (MS10-061) was first made public in early 2009,” he said. “This vulnerability was independently rediscovered during the investigation of the Stuxnet malware by Kaspersky Labs and reported to Microsoft in late July of 2010.”

“They’ve been doing this for almost a year,” Chien said. “It’s possible they hit their target again and again.”

Theory: The code will stop spreading on June 24, 2012.

Fact: There is a “kill date” encoded into the malware, and it is designed to stop spreading on June 24, 2012. However, infected computers will still be able to communicate via peer-to-peer connections, and machines that are configured with the wrong date and time will continue to spread the malware after that date, according to Chien.

Theory: Stuxnet caused or contributed to the Gulf of Mexico oil spill at Deepwater Horizon.

Fact: Unlikely, though Deepwater Horizon did have some Siemens PLC systems on it, according to F-Secure.

Theory: Stuxnet infects only critical infrastructure systems.

Fact: Stuxnet has infected hundreds of thousands of computers, mostly home or office PCs not connected to industrial control systems, and only about 14 such systems, a Siemens representative told IDG News Service.

And more theories and predictions abound.

F-Secure’s blog discusses some theoretical possibilities for Stuxnet. “It could adjust motors, conveyor belts, pumps. It could stop a factory. With [the] right modifications, it could cause things to explode,” in theory, the blog post says. Siemens, the F-Secure post continues, announced last year that the code that Stuxnet infects “can now also control alarm systems, access controls, and doors. In theory, this could be used to gain access to top secret locations. Think Tom Cruise and ‘Mission Impossible.’”

Symantec’s O’Murchu outlines a possible attack scenario on CNET sister site ZDNet.

And Rodney Joffe, senior technologist at Neustar, calls Stuxnet a “precision guided cybermunition” and predicts that criminals will try to use Stuxnet to infect ATMs run by PLCs to steal money from the machines.

“If you ever needed real world evidence that malware could spread that ultimately could have life or death ramifications in ways people just don’t accept, this is your example,” said Joffe.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Read more: http://news.cnet.com/8301-27080_3-20018530-245.html

Modern Warfare, Too

October 5, 2010

Modern Warfare, Too – by Michael Tanji > Tablet Magazine – A New Read on Jewish Life.

The Stuxnet attack on Iran is a new development in the evolution of cyberwarfare

By Michael Tanji | Oct 5, 2010 7:00 AM

Image caption: A scene from the new video game Modern Warfare 2. Credit: Infinity Ward.

The Stuxnet worm is said to have negatively impacted computer systems in Iranian nuclear facilities such as the Bushehr reactor and the Natanz uranium enrichment plant, although the depth and breadth of its impact at these facilities are unclear. About Bushehr, Hamid Alipour, deputy head of Iran’s Information Technology Company, was quoted by the Iranian News Agency as saying, “The attack is still ongoing and new versions of this virus (sic) are spreading.” On September 26, Mahmoud Jafari, the project manager at the Bushehr plant, said the worm “has not caused any damage to major systems of the plant,” yet on September 29 Iran announced that the Bushehr plant would not go on line for at least another three months. A link between Stuxnet and a slow-down in uranium enrichment at Natanz is just as speculative but not unrealistic, given Stuxnet’s capabilities.

Two themes have emerged in media coverage of Stuxnet: that it is a “cyber weapon” designed to disable critical infrastructure computer systems, and that its sophistication is such that only a powerful nation-state could have created it. The reality is that Stuxnet is something special, but not in the way that most observers have noted.

The weaponization of computer code and the targeting of adversary computer systems is not a new phenomenon. It is simply an extremely rare one. What is significant is that the Stuxnet code focuses on critical infrastructure systems, which for a long time were thought to be too arcane and obscure to be targeted by online subversives.


Some background: Stuxnet is a worm, which is a subset of a larger body of computer programs called malicious software, or “malware.” You are probably already familiar with the most common form of malware: the computer virus. Worms differ from viruses in that worms operate independently of other programs; a virus must attach itself to some legitimate program in order to spread. A worm may not damage a computer or network, but its replication may degrade bandwidth and consume CPU power to the detriment of legitimate uses; viruses inevitably corrupt or otherwise modify legitimate programs to do things other than what their creators intended or their users desire.

There is no evidence that Stuxnet targeted the Bushehr nuclear facility specifically. What it does is look for systems that contain a particular kind of Siemens Supervisory Control and Data Acquisition (SCADA) software: specialized software that interacts with mechanical controls, used to operate things like power plants, water treatment facilities, and oil pipelines. The Siemens equipment targeted by Stuxnet happens to be installed at facilities in Iran, as well as in Germany (where most of the infections have been reported), the United States, and other parts of the world.

Stuxnet was probably not created in response to any recent developments in Iran. Earliest indications are that it was first seen in the wild in the summer of 2009. Does that coincide with the delivery and installation of Siemens software in Bushehr? That information is not likely to be in the public domain, and it’s something that Siemens, which does a lot of business with Iran, would not want to divulge. But Siemens officials have been quick to point out that the company has nothing to do with Bushehr, which suggests that any Siemens software running at the facility is unlicensed. If that’s the case, the only way Bushehr became a specific target of Stuxnet would be if someone who knew Bushehr is running Siemens software passed that information to Stuxnet’s creator or creators.

Siemens also does a fair bit of business in Israel, in both the public and private sectors, which would make Israeli access to the information needed to create Stuxnet fairly straightforward. Would Siemens work cooperatively with an Israeli organization that wanted to impact Siemens systems in specific Iranian locations? Software companies come to all sorts of arrangements with nations in order to do business with them. The alternative to not cooperating is often the inability to do business overseas. You could make the argument that such an arrangement is coercion, or in the case of trying to prevent a regime like Iran from obtaining nuclear weapons, you could say it was the right thing to do.

Creating malware is like creating other types of computer programs: You have a specific goal for what you want the program to accomplish, and you write instructions in a language that the computer will understand to accomplish those goals. Libraries of pre-written code exist so that you don’t have to write common functions from scratch. There is actually a market for malicious code—like modern Willie Suttons, criminals know that cybercrime is where the money is. Successful malware of this sort is fairly sophisticated, as evidenced by how often it sneaks past anti-virus products and how much money their masters are able to obtain from both individuals and large financial institutions.

Stuxnet is not run-of-the-mill malware, which is why so many are attributing its creation to a sophisticated, well-funded, probably state-sponsored organization. But building malware that stands out from the run-of-the-mill is not a particularly expensive or herculean effort. The assembly of such parts is not for amateurs, but the necessary skills are not as scarce as some would lead you to believe. What leads people to think that a very powerful actor is behind Stuxnet is that so many amateurs churn out so much crappy malware on a daily basis that anything sufficiently unique is a rarity and treated as such.

Perhaps the most important feature of Stuxnet has nothing to do with its construction, technical capabilities, or its speculative link to a contentious real-world situation, but the fact that it is much more in-line with traditional military or intelligence thinking than most malicious activity noted online to date. Malicious online activity linked to a real-world political-military situation is not new. Whether it’s a plane crash, an accidental bombing, or an all-out war, such attacks almost never cause any irreparable damage, and in most cases it becomes clear that the attackers targeted any system they could find; they did not take the time to identify and focus their energies on what is commonly referred to as a “legitimate military target.” Stuxnet does nothing but seek out legitimate targets, in the context of total war. It is an indicator that, at a minimum, confirms what observers of the information warfare field have suspected for some time: When the enemy comes, he’ll turn out the lights first. The worst-case scenario is that the ability to negatively impact critical infrastructure is becoming democratized, and claims about being able to do things like shut down the Internet won’t be far-fetched but instead commonplace.

It is not unrealistic to think that the authors of Stuxnet are Israeli. Like the United States, Israel has long been interested in developing and deploying cyber capabilities in its war-fighting arsenal. Like the United States, it also has seen those with advanced technical talent migrate from the armed forces and intelligence services into the private sector. It is also not unrealistic to think that Israel has access to the kind of information that would be required to target Siemens SCADA software. So, we have the means and the opportunity, now we need to look at the question of motive.

If the existence, much less the successful operation, of Bushehr is unacceptable to Israel, the means available to destroy, disable, or delay its launch must be evaluated. I cannot speak to the effectiveness of Israel’s capabilities in the first two categories, but Stuxnet is an excellent way to delay—even if briefly—activity at Bushehr.

For all its sophistication, though, Stuxnet is not really that effective a digital weapon. Digital weapons are not analogous to just any physical weapons; they’re disposable sniper rifles, not cluster bombs. They are meant to perform specific tasks, and because the arms race between cyber defenders and attackers is so close, attackers go into battle assuming that their weapons will work only once. To that end, Stuxnet may not have been designed to kill, but simply to disorient: cyber tear gas, if you will. It is also sophisticated and targeted enough to make the sufficiently suspicious in Iran wonder whether someone on the inside has passed information about Bushehr’s SCADA systems to Israel.

Stuxnet may be Israeli-by-proxy. It is not clear to me that enough data exists to point to the ethnicity or country of origin of Stuxnet’s author or authors, but it is not unheard of for malware to have words, phrases, or names written inside the code that suggest its author wrote in a given language. Linguistic clues like the inclusion of the word “Myrtus” in Stuxnet’s code are an interesting hint, but it almost seems too obvious by half. Regardless, it would not be the first time that a nation had contracted out its offensive cyber capabilities.

The strategic advantages Israel gains via Stuxnet—regardless of whether or not it has any connection to it at all—are significant. Without launching a single aircraft, without firing a shot, without endangering the life of a single soldier, Stuxnet has provided Israel with a means to slow down activities at Bushehr, a means to occupy the time and energy of the Iranian intelligence and security apparatus, and a means to enhance its reputation—deserved or not—as a player in the realm of cyber conflict.

That is what we are really witnessing here in the Stuxnet case: the evolution of conflict. Nations do not have friends or enemies, they have allies and adversaries. The more connected we all become at local, national, and global levels, the more the destruction brought on by conventional war becomes undesirable. Effects-Based Operations, the early 1990s idea that military and nonmilitary methods had to be combined for a desired effect, has lost its luster in military circles, but the reasoning is sound enough: If you’re not actually going to bomb your adversaries back into the Stone Age, you don’t want to destroy the power plant, you just want to turn it off, because eventually you want the lights to come back.

To a large extent it doesn’t matter who was behind the creation and release of Stuxnet; that it compromised computer systems at Bushehr is almost beside the point. Its mere existence provides both sides interested in Bushehr with ammunition to support their own agendas. The Iranians get to feel both smug and scared in that Stuxnet probably won’t neutralize activity at Bushehr (Stuxnet will naturally not be the cause of any delays, and the resumption of work will be quickly and loudly promoted), but the fact that it looks for systems they have may be enough to convince their security apparatus that someone on the inside cannot be trusted. Adversaries of Iran—whether they wrote Stuxnet or not—get to look alternately very scary in their ability to know what sort of systems are running in Bushehr and fairly inept in that they let a digital weapon get loose in public. Both the mullahs and their adversaries get a bogeyman; both also get plausible deniability.

Michael Tanji is a former supervisory intelligence officer who worked on information warfare issues at the Defense Intelligence Agency. He is the editor of Threats in the Age of Obama.

Does Stuxnet Mean Cyberwar?

October 5, 2010

Does Stuxnet Mean Cyberwar? | The Weekly Standard.

If so, are we ready?

BY Lee Smith

Iran: Western plot to blame for computer worm at nuclear plant

October 5, 2010

Iran: Western plot to blame for computer worm at nuclear plant – Haaretz Daily Newspaper | Israel News.

In strongest remarks since worm found, Iranian foreign ministry spokesman Ramin Mehmanparast declares plot will not make Iran ‘give up or stop’ its nuclear activities.

By The Associated Press

Iran claimed Tuesday that a computer worm found on the laptops of several employees at the country’s nuclear power plant was part of a covert Western plot to derail the Islamic Republic’s atomic program.

Iranian foreign ministry spokesman Ramin Mehmanparast declared that the plot would not make Iran “give up or stop” its nuclear activities, which the U.S. and its allies fear are geared toward making atomic weapons. Iran denies those charges.

Mehmanparast’s remarks on Tuesday were the strongest yet on Tehran’s suspicions over the worm.

The malicious computer code, designed to take over industrial sites such as the Bushehr nuclear power plant, has also emerged in India, Indonesia and the U.S.

Iran said the Stuxnet worm infected personal computers of Bushehr employees but not the plant’s main systems.

A senior Iranian official was quoted as saying on Monday that a small leak in a pool near the reactor caused a delay in starting up Iran’s first nuclear power plant but it has now been fixed.

Ali Akbar Salehi, head of Iran’s Atomic Energy Organization, also said the delay had nothing to do with the global Stuxnet computer virus believed mainly to have affected Iran.

Last week, Iranian officials said Stuxnet had hit staff computers at Bushehr, a symbol of Iran’s growing geopolitical sway and rejection of international efforts to curb its nuclear activity. But the virus had not affected major systems there, they said.

Security experts say the release of Stuxnet may have been a state-backed attack on Iran’s nuclear program, most likely originating in the United States or Israel, which accuse the country of seeking to develop atomic bombs. Iran denies this.

When Iran began loading fuel into Bushehr in August, officials said it would take two to three months for the plant to start producing electricity and that it would generate 1,000 megawatts, about 2.5 percent of the country’s power usage.

But Salehi said last week the fuel would soon be transferred to the core of the reactor and the plant would begin supplying energy in 2011, signalling a delay in its start-up.

He gave further details on Monday, saying “a small leak was observed in a pool next to the reactor and was curbed,” the official IRNA news agency reported.

Salehi added: “This leak caused the activities to be delayed for a few days. The leak has been fixed and the core of the reactor is working properly.”

Mark Fitzpatrick, at the International Institute for Strategic Studies, said Salehi might have been referring to a pool for receiving spent fuel rods from the reactor.

He said this did not sound “very serious” but suggested that Iran may be downplaying any problems at the plant.

“Typically Iran exaggerates everything about their nuclear program in a positive way,” Fitzpatrick said. “It could be more serious trouble than he has stated.”

Iran’s program includes uranium enrichment – separate from Bushehr – that Western leaders suspect is geared towards developing atomic bombs. Iran says it is refining uranium only for a future network of nuclear power plants.

Diplomats and security sources say Western governments and Israel view sabotage as one way of slowing Iran’s nuclear work.

Photo caption (Reuters, Sept. 30, 2010): Russian technicians working in the Bushehr control room in 2009. Photo by Reuters.