Security News

Stuxnet Authors Made Key Errors

Trailrunner7 writes "There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they've been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes."
This discussion has been archived. No new comments can be posted.

  • Fascinating... (Score:5, Interesting)

    by RsG ( 809189 ) on Tuesday January 18, 2011 @07:53PM (#34922118)

    For those who don't RTFAs, this one has something interesting, not mentioned in the summary. The analyst thought the worm might have started as something else and been re-purposed for sabotage. There might be two separate coder groups, one who made the original program and one who made it into a weapon. The latter group was apparently less skilled, though still would have needed a considerable breadth of knowledge.

    Makes me wonder if the perpetrator might not be one of Iran's less advanced neighbours, instead of the US or Israel. After all, there are plenty of Middle Eastern nations who are worried about Iranian power and expansion. And there are two obvious suspects that would be blamed when it came to light.

    Of course, it could also be that either American or Israeli coders were rushed, understaffed, over-compartmentalized or otherwise had the quality of their work reduced.

  • Yeah, sure... (Score:5, Interesting)

    by RichiH ( 749257 ) on Tuesday January 18, 2011 @08:01PM (#34922200) Homepage

    1) From what I read, and I read a lot on that topic, Stuxnet is pretty damn awesome. The exploits alone are estimated to have been worth a seven to eight figure...
    2) Secrecy might not have been a priority.
    3) Maybe they wanted to be detected to drive a point home.
    4) Mindgame question: What if Russia, China or someone else did it and wanted to frame the USA & Israel?

  • by Jahava ( 946858 ) on Tuesday January 18, 2011 @08:07PM (#34922250)

    Is there a good source for a technically in-depth list of the mistakes, rather than the vague "ignored several known techniques" summary crap the article discusses?

  • conspiracy 101 (Score:5, Interesting)

    by Anne Honime ( 828246 ) on Tuesday January 18, 2011 @08:17PM (#34922334)
    It may very well be that the lack of proper cloaking was intentional, for at least two reasons: on the one hand, as long as the aim was reached, there was no need to reveal the full scope of expertise put behind it. Better keep still-unknown cloaking techniques in case they may come in handy in the future. On the other hand, Stuxnet is certainly as much a psychological weapon as it is a technological one. What would be the interest to disrupt Iran's nuclear program if nobody knew what happened? As such, it's a very good deterrent: any would-be rogue third world country willing to go nuclear knows "someone" will take offense and knows that this "someone" has the abilities to bring their program down. But at this point, nobody can pinpoint who this "someone" may be with plausible certainty.
  • Re:Criticism is easy (Score:5, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday January 18, 2011 @08:18PM (#34922350) Journal
    Easy; but not always invalid. Encrypted command and control communications have been standard in the better purely monetary botnets for at least a few years now.

    Everything is easier from the peanut gallery; but the notion that you have to be at least as good at your game as is a publicly known strain of criminal in order to be considered for "super-spy" status seems like a very fair rule of thumb.
  • Re:Criticism is easy (Score:5, Interesting)

    by peragrin ( 659227 ) on Tuesday January 18, 2011 @08:37PM (#34922498)

    Smirking isn't a sign of guilt, but merely enjoying the outcome anyways.

    Besides, Russia has as much to lose. Think how many billions Russia loses if Iran can make its own fuel for the reactors Russia helped to build?

  • Re:Yeah, sure... (Score:4, Interesting)

    by Smiths ( 460216 ) on Wednesday January 19, 2011 @12:35AM (#34924040)

    I love how when

    it's 'North Korea and Venezuela' they 'dream their mad dreams of power and glory'
    but the USA...
      we're just 'putting out diplomatic fires and cleaning up after natural disasters.'

    and this gets modded Insightful?....groan

    There are plenty of lessons in history to show what happens when you have a dim view of the world such as

    'Our opponents have goals that are incompatible with ours'

    groan....

    This has all been worked out before. It's why international laws and respect for other nations' sovereignty are important.

    mondoweiss dot net

  • by TWX ( 665546 ) on Wednesday January 19, 2011 @12:48AM (#34924114)

    I know your post was intended for humor, but I have a more serious question that maybe someone can answer...

    Did the modifications to the centrifuge control serve to damage the centrifuge, the contents of the centrifuge, or both? If the point was to damage the centrifuge, then the solution is determining why the centrifuges failed, correcting that, and ordering new centrifuges. If the point was to damage the nuclear material so that it isn't good enough to be used in a bomb, then the solution is to, again, determine why the centrifuges failed, and to figure out if it's possible to reprocess the material a second time to get it right, and if not, to start on a new batch of material. If the point was to do both, then not only do the centrifuges need to turn out bad product, but they have to do it subtly enough to not attract attention while the centrifuges slowly damage themselves, leading to a lot of bad product and a lot of bad centrifuges at the same time. Solution, determine the source of the problem, then replace the centrifuges and start processing again.

    I would think that the goal would be to make the Iranians involved *think* that they were getting the grade of Uranium Hexafluoride that they had planned on while instead delivering to them substandard product, so when they built weapons they had Uranium that either would reach critical mass or else wouldn't be nearly as efficient and would cause a much smaller boom. Achieving this would require not damaging the centrifuges yet damaging what they produce. This would allow an adversary of Iran to take this into account in both diplomatic circles (being willing to push Iran harder despite the threat of a nuclear exchange) and in military ones (actively planning strategy considering nuclear fizzles), and if that's the case, this worm's discovery means that it's only a short-term problem for the Iranians, not a long-term problem that would allow for strategic thinking. The discovery means that Iran is set back, not thwarted as it would have been if the worm had gone on undetected for years and years, and while expensive for Iran (even if they can reprocess existing product that wasn't processed right the first time), it's not damning to the long term goals.

  • Re:Criticism is easy (Score:4, Interesting)

    by OverlordQ ( 264228 ) on Wednesday January 19, 2011 @12:49AM (#34924118) Journal

    but the notion that you have to be at least as good at your game as is a publicly known strain of criminal in order to be considered for "super-spy" status seems like a very fair rule of thumb.

    How about good enough to make people think you're not good enough so they underestimate you?

  • Re:Criticism is easy (Score:5, Interesting)

    by aaaaaaargh! ( 1150173 ) on Wednesday January 19, 2011 @06:16AM (#34925394)

    I agree with the OP and want to mention another issue.

    Common encryption algorithms can be detected heuristically with high accuracy. Moreover, the original implementation/source code of the encryption can usually be identified. Perhaps the developers did not want the adversary to find out which implementation they used and for obvious reasons didn't want to use their own implementation. Also, when you use encryption, keys on the C&C endpoints are linked to the malware in a way that cannot plausibly be denied -- not very desirable either.
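The heuristic detection mentioned in the comment above, as an added example that is not part of the original thread: an analyst-side scanner that searches a binary blob for published algorithm constants (AES S-box, SHA-256, MD5/SHA-1, TEA) in both byte orders. The function names and the sample buffer are constructed for illustration.

```python
import struct

# Public constants from the algorithm specifications, used as signatures.
AES_SBOX_HEAD = bytes.fromhex("637c777bf26b6fc53001672bfed7ab76")
WORD_TABLES = {
    "SHA-256 initial state": (0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A),
    "SHA-256 round constants": (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "MD5/SHA-1 initial state": (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "TEA/XTEA delta": (0x9E3779B9,),
}


def build_signatures():
    """Return (name, layout, byte pattern) for every constant table."""
    sigs = [("AES S-box", "bytes", AES_SBOX_HEAD)]
    for name, words in WORD_TABLES.items():
        # Compilers store 32-bit tables in the target's byte order, so a
        # scanner has to try both little- and big-endian encodings.
        for layout, prefix in (("little-endian", "<"), ("big-endian", ">")):
            packed = struct.pack(f"{prefix}{len(words)}I", *words)
            sigs.append((name, layout, packed))
    return sigs


def find_crypto_constants(blob):
    """Return a sorted list of (offset, algorithm, layout) hits in blob."""
    hits = []
    for name, layout, pattern in build_signatures():
        offset = blob.find(pattern)
        while offset != -1:
            hits.append((offset, name, layout))
            offset = blob.find(pattern, offset + 1)
    return sorted(hits)


def make_sample():
    """Constructed test buffer: filler bytes with three tables embedded."""
    pad = bytes(range(0x20, 0x60))  # 64 filler bytes, no signature inside
    sha = struct.pack("<4I", *WORD_TABLES["SHA-256 initial state"])
    tea = struct.pack(">I", 0x9E3779B9)
    return pad + AES_SBOX_HEAD + pad + sha + pad + tea + pad


if __name__ == "__main__":
    for offset, name, layout in find_crypto_constants(make_sample()):
        print(f"0x{offset:04x}  {name} ({layout})")
```

Multi-word tables are strong indicators; a lone 4-byte hit such as the TEA delta can occur by chance and needs confirmation from the surrounding code.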
