Archive for October 27, 2010

Mission possible: Stuxnet worm attacks no longer just Hollywood hype – ZDNet

October 27, 2010

Commentary – Recent revelations about the wide-scale and targeted Stuxnet worm attack directed at a nuclear power plant in Iran should raise red flags to all IT security professionals and managers of critical infrastructure facilities such as power plants, air traffic control sites and government agencies around the world.

For years there have been many Jason Bourne or Mission Impossible type movies and best-selling novels centered around rogue hackers, fringe government operatives and assorted bad guys finding a way to break into a government facility, financial institution or a power company and shutting down the network, disrupting service or removing some secret information. In fact, the plot of the movie “Ocean’s Eleven” centered around George Clooney, Brad Pitt and others knocking out the power in Las Vegas so they could rob multiple casinos.

But until the Stuxnet worm came to light, these types of attacks were more Hollywood fantasy than cyber-reality. Now the game has changed and the Stuxnet worm attack is bringing up important IT security issues that need to be addressed.

Media reports indicate that during the first week of October Iranian officials acknowledged that the Stuxnet worm had infected at least 30,000 Windows PCs in the country, among them some used by workers at the Bushehr nuclear power plant.

Stuxnet is a perfect example of an advanced persistent threat

Thanks to Stuxnet we’ve been hearing a lot lately about Advanced Persistent Threats (APTs). What are they? Are they really anything different than the malware and viruses we’ve seen for decades? They are, and the Stuxnet worm flooding the news is a perfect example why.

First off, Stuxnet is advanced. Very advanced. It takes advantage of four zero-day vulnerabilities, uses two different valid (stolen) digital certificates, and contains dozens of encrypted code blocks. It uses a rootkit to hide itself, peer-to-peer capabilities for remote command and control, and alters its behavior based on the system it is infecting. Because it exploits a nasty vulnerability in the Windows Shell, the attack is triggered simply by viewing files in Explorer.

Secondly, it is a targeted attack. Unlike common worms and malware, its goal is not to spread everywhere or to anyone. It was designed specifically to target SCADA (supervisory control and data acquisition) systems, or industrial control systems like those used in power plants and other critical infrastructure locations. Among other behaviors, it is designed to reprogram the PLCs (programmable logic controllers) used in these systems. The advanced nature of the worm, along with its very specific targets, helped Stuxnet elude detection for months, perhaps even a year. Targeted attacks often fly below the radar of the major antivirus security vendors.

A new weapon of mass destruction

Lastly, most experts agree, the Stuxnet worm is the work of organized, and quite likely state-sponsored, professionals. Its creation required detailed knowledge of the SCADA systems being targeted, it was written using multiple languages, and it rivals many commercial applications in both complexity and stability (it’s hard to perform all of the work Stuxnet does without crashing or destabilizing a system, risking detection). At nearly 500KB in size, it is notably larger than most malicious worms we’ve seen. These observations suggest that a team of engineers developed Stuxnet over a significant period of time – something that requires commitment and more importantly, money.

Aside from being more advanced than traditional attacks, it is different in motivation (purpose and target) and generation (who created it). Kudos to the army of security researchers that have dissected, and are continuing to dissect, this worm. But the most notable attribute of Stuxnet is, in my opinion, its initial entry point. The attack initiated from a simple USB stick, just like the one in Operation Buckshot. All the sophisticated techniques in its arsenal, and Stuxnet still needed to be physically inserted into “patient zero.”

And therein lie two important lessons: Number one is that the host computer is still the most vulnerable point of an infrastructure. All the perimeter defenses in the world (IPS, IDS, firewalls, etc.) would not have stopped Stuxnet (or the DoD attack involved in Operation Buckshot). It was delivered directly to an endpoint. It’s like a building with motion sensors in every hallway with office doors that open directly to the outside world. Why bother navigating the hallways when you can walk right into a room?

Number two is that traditional reactive and signature-based technologies will continue to fail at detecting these new and unknown attacks. Don’t you think there were antivirus products on at least some of the estimated 45,000 computers infected by Stuxnet?

There is advanced threat protection on the market that would have stopped Stuxnet from ever executing in the first place – with or without the Windows Shell Explorer flaw. If a file is not approved, it cannot execute, whether the execution is explicit or via some unknown vulnerability.

A number of experts have commented that Stuxnet marks a new era in cyber-warfare. I agree. Advanced threats like Stuxnet are the new weapons of mass destruction. Just as the attackers and their methods have evolved, the defenders and our methods must as well.

Biography

Harry Sverdlove is the Chief Technology Officer for Bit9, an industry leader in Advanced Threat Protection solutions that aim to eliminate the risk caused by malicious, illegal and unauthorized software.

Clinton: US has no problem with Bushehr atomic plant

October 27, 2010

US secretary of state says Washington more concerned with Iran’s facilities at Natanz, Qom where they fear weapons program conducted.

The United States does not see Iran’s Bushehr nuclear reactor as a threat, US Secretary of State Hillary Clinton said Tuesday, on the day that the Islamic Republic began fueling the core of the power plant.

Clinton said that the US is more concerned with other Iranian sites where they believe the Islamic Republic may be attempting to create nuclear weapons.

“Our problem is not with their reactor at Bushehr, our problem is with their facilities at places like Natanz and their secret facility at Qom and other places where we believe they are conducting their weapons program,” Clinton stated while addressing reporters at a meeting with Austria’s foreign minister.

Iranian authorities began injecting uranium fuel rods into the core of the Bushehr nuclear power plant on Tuesday, Iranian Press TV reported.

According to the report, the nuclear plant will become operational once all 163 fuel rods have been injected into the plant’s core, and it should begin generating electricity in early 2011.

On Monday, an Iranian lawmaker declared Iran’s intent to continue with its nuclear program despite international concern.

“Despite all efforts and policies of America and the European Union to put sanctions on Iran, the fuel of the Bushehr power plant will be loaded into its core tomorrow,” Iranian MP Alaeddin Boroujerdi was quoted as saying by official media.

Boroujerdi is the head of the Iranian parliament’s national security and foreign policy committee.

News agencies in Iran also stated that celebrations would be held to mark Tuesday’s event.

EU: Iran nuclear talks ‘not serious’

October 27, 2010

EU: Iran nuclear talks ‘not serious’ – Haaretz Daily Newspaper | Israel News.

Iranian Foreign Ministry says no decision had yet been taken on attending the talks with U.S., U.K., China, France, Russia and Germany in November.

By DPA

Iran’s failure to engage in “serious” international talks on its nuclear programme “is frankly ridiculous,” a senior European Union official complained on Tuesday, as the bloc was waiting for Tehran’s response on its latest offer of dialogue.

Photo: The reactor building of the Bushehr nuclear power plant is seen, just outside the southern city of Bushehr, Iran, Saturday, Aug. 21, 2010. (AP)

The EU’s foreign policy chief, Catherine Ashton, has proposed that talks between Iran and the 5+1 group – comprising the United States, Britain, China, France, Russia and Germany – resume November 15-17 in Vienna.

“It is now more than a year since there was any serious conversation with the Iranians, and that is frankly ridiculous and leads to a good deal of frustration on our part,” the EU source pointed out.

“I know this is shared by the Russians and the Chinese,” the official added.

Earlier on Tuesday, Iranian Foreign Ministry spokesman Ramin Mehmanparast had said that no decision had yet been taken on attending the talks proposed by Ashton.

“Evaluations are still going on as not only the date and venue but also the agenda should be clarified,” Mehmanparast said.

“We want the agenda to have content and not just form,” Mehmanparast added.

The EU source said Iran should reply “at least a couple of weeks in advance” before the proposed date, as “anything less begins to look not very serious.”

He also urged Iranian officials to use diplomatic channels rather than the media to express their willingness to talk.

Iranian Foreign Minister Manouchehr Mottaki later Tuesday rejected the remarks by the EU source and said negotiations are underway with the bloc to finalize a date and venue, as well as clarify the agenda.

“Both sides have expressed their political willingness to hold the negotiations and we hope that through talks which are underway, an understanding will also be reached on the agenda, besides date and venue,” Mottaki told the official news agency IRNA.

The 5+1 group wants talks to focus on the nuclear dispute and Iran’s refusal to suspend uranium enrichment while Tehran wants to discuss global issues.

“Pressures and ultimatums will not have any impact whatsoever on Iran’s firm willingness to follow its rights on pursuing a peaceful nuclear programme,” Mehmanparast noted.

Iran’s critics, however, worry it is using its nuclear programme to develop weapons.

The Iranian spokesman also condemned additional sanctions in the energy and financial sectors that EU foreign ministers approved in their final legal form on Monday, after having endorsed them politically in July.

“Contrary to what the EU claims, they just want to put pressure on the Iranian people and deprive them from their rights,” Mehmanparast said.

“But they should know that such decisions will have no impact whatsoever on the will of the people and they will not surrender to such pressures,” he said.

The full list of EU sanctions – adding to the measures agreed by the United Nations in June – is due to be published in the EU official gazette on Wednesday, officials from the bloc indicated.

ANALYSIS / Iran’s unlikely understanding with Saudi Arabia

October 27, 2010

ANALYSIS / Iran’s unlikely understanding with Saudi Arabia – Haaretz Daily Newspaper | Israel News.

Iran and Saudi Arabia are working together to divide up their sphere of influence in Lebanon and Iraq.

By Zvi Bar’el

“Iran is not the enemy, Israel is the enemy,” the head of the Center for Strategic Studies in Saudi Arabia declared in an interview with Al Jazeera. This was his response to a question on whether the $60 billion arms deal between Riyadh and Washington was meant to deter Iran. The American efforts to portray the deal as aimed against Tehran don’t fit with the Saudi point of view, and it seems this isn’t the only subject over which these two countries fail to see eye to eye.

Photo: Iranian President Mahmoud Ahmadinejad addresses a summit on the Millennium Development Goals at the UN headquarters on Tuesday, Sept 21, 2010. (AP)

Iranian President Mahmoud Ahmadinejad spoke with King Abdullah of Saudi Arabia twice last week, and Iran reported that a senior Iranian official would visit Riyadh soon. It’s not clear if it will be Foreign Minister Manouchehr Mottaki or the head of the National Security Council, Saeed Jalili.

But the frequent contacts between Iran and Saudi Arabia are not over the big arms deal or Iran’s nuclear plans. The two countries have concluded that they need to reach an agreement on two other issues regarding their sphere of influence in the region: Iraq and Lebanon.

Regarding Lebanon, Iran is trying to persuade Saudi Arabia to help stop the work of the special international tribunal investigating the assassination of former Lebanese Prime Minister Rafik Hariri. This would prevent the collapse of the Lebanese regime. While Iran is worried about Hezbollah’s status, it also doesn’t want Lebanon to collapse or fall into another civil war, whose results cannot be ensured.

Furious American

In this respect, Tehran doesn’t have to make too great an effort to get Riyadh’s support. This became clear last week to Jeffrey Feltman, the U.S. Assistant Secretary of State for Near Eastern Affairs and a former U.S. ambassador to Beirut, when he visited Riyadh. During his meeting with King Abdullah, the monarch tried to figure out America’s position if the international court’s work were stopped. Arab sources say Feltman was “furious but restrained,” and made it clear to the king that Washington was determined to support the tribunal.

With all due respect to the American insistence, if the client that is supposed to pay Washington $60 billion decides it’s vital to halt the tribunal’s work, it won’t make do with consulting the Americans. It will throw its full weight behind the efforts. Meanwhile, the indictment the tribunal is due to publish is not expected before February.

After all, what is happening in Lebanon – and Saudi Arabia can’t be accused of not supporting the establishment of the tribunal – is not isolated from other regional issues that involve the Saudis and Iran. Riyadh, which paid millions of dollars in Ayad Allawi’s election campaign in Iraq, is aware that his chances of being elected prime minister are diminishing. The aid last time helped Allawi win two seats more in parliament than his rival, outgoing Prime Minister Nouri al-Maliki.

Meanwhile, in the past two weeks, Maliki has visited Syria, Turkey, Iran and Egypt in an attempt to garner support. He is trying to persuade Iraq’s neighbors that he is worthy of being prime minister again. But that’s not enough. To win, he has to convince his rivals at home to forgo their aspirations of being Iraqi prime minister and join him.

No dream team

Tehran understands that it can’t get the Iraqi prime minister it was hoping for, Ibrahim al-Jaafari. But it has “convinced” the influential Iraqi religious leader, Muqtada al-Sadr, who is living in Iran until completing religious studies there, to support Maliki. Maliki is not exactly Iran’s dream prime minister, especially considering that he accused Tehran and Damascus of terrorist involvement.

He is also not a natural partner of Sadr, who won 39 of the 325 seats in parliament. Sadr has also not completely forgiven Maliki for sending Iraqi troops to wage a bloody battle against Sadr’s forces and arresting many of his supporters, some of whom are still in prison. But the Iranian pressure mounted, so Sadr agreed to announce his support for Maliki.

Nevertheless, even with Sadr’s support, Maliki will not be able to set up a coalition without getting at least one other bloc to support him, either the Kurds or Allawi. That’s why Iran needs Saudi Arabia’s help to try to persuade its proteges in Iraq, especially Allawi, to join such a coalition or at least not work against it.

For its part, Saudi Arabia is not prepared to give Iran gifts, but it also doesn’t want to lose all influence in Iraq. In Iraq as in Lebanon, Saudi Arabia realizes it’s in a relatively inferior position vis-a-vis Iran; all it can do in these countries is to prevent Tehran from wielding exclusive influence. This is what the discussion between Saudi Arabia and Iran is now focusing on: deliberations during which Riyadh will try to divide its sphere of influence in Iraq and Lebanon with Iran.

One significant element is missing from these moves – the United States. Washington seeks to promote the process at the international tribunal on the Lebanese issue, blame Hezbollah for the Hariri assassination, see Allawi as Iraqi prime minister and block Iran’s influence in the region.

Meanwhile, it seems the Americans are aiming too high. The real game is in the hands of local forces that are sketching the strategic map, which will be presented to Washington as a fait accompli.