Roozbeh Zabihollahi

A while back WSJ published an article about 5 cyber security that everyone should read. I thought to myself, there is nothing for me to learn there, right? I was in the team who delivered the first internet banking in Iran, and since then have worked in several high profile websites and services. I figured let's check the first one from the list in Goodreads, "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon”, I did notice it has quite a lot of reviews and very positive feedback.

Back in 2009, I remember, every flash disk and hard drive that we did scan, happened to have Stuxnet virus. Well, I always had an up-to-the-date anti-virus running, mostly in Linux, never used Internet Explorer, how the hell all of my hard drives are infected? I also remember, back in 2010, there were all these debates about Israel has infected the nuclear sites in Iran, and the official were dismissing those incidents. So, I thought, let's read this book. There might be something to learn there. Oh, man! what a mind-blowing read 🤯 This book delivers.

Short Summary

The book goes over the details about each revision of Stuxnet (0.5, 1.0, 1.1, etc), and describes by details how precisely this piece of crafted software picks its victims and sabotages the expensive hardware that has been engineered in Natanz site.

Several times, in my past jobs, my company has been targeted by hackers, and we have lost assets and therefore have lost a lot of man-hours just to get back to our feet. Sometimes, the embarrassment was not so easy to forget. Every time though, it was a teenage hacker who was trying several exploits, open ports, stack overflows to destroy something, steal some money or ask for ransom. Stuxnet, on the other hand, is a whole different story.

When the Kaspersky researchers learned of it, they dubbed it the “God-mode exploit,” this book writes. It also quotes, “Cyber, in my modest opinion, will soon be revealed to be the biggest revolution in warfare, more than gunpowder and the utilization of air power in the last century,” Israeli Maj. Gen. Aviv Kochavi has said. This needs to be emphasized; Just like how guns and cannons has changed the landscape of wars and how emperors advanced their ambitions, Cyber is shaping how thrones are being overturned and history is being written. The book does not say this till page 409, which is all introduction to this major fact, in my humble opinion.

All politics aside, the book described how an army of cyber experts, inside of United States, and probably Israel, have capitalized on some bugs of Microsoft Windows 7 to be able to install the malware on host machines. "The attackers behind Duqu and Stuxnet had already struck at the underpinnings of the validation system that made the internet possible—first by stealing individual security certificates from the companies in Taiwan to sign the Stuxnet drivers, then by sending Duqu to steal data from a certificate authority itself. But this exploit went even further than that by subverting the trust between the world’s biggest software maker and its customers". When it said "world's biggest software maker", it was referring to Microsoft, which their software is being efficiently compromised to deliver the attacks that were intended by Stuxnet writers.

Let me summarized how it worked. When a person attached a USB drive, MS-Windows would check the contents of the drive to fetch the icon for the disk. In the process, the USB Flash can install a software, if and only if, the software is digitally signed by a certified Vendor. It turned out attackers has stolen some certificate from Taiwan 🤦🏽‍♂️ This was the way that Stuxnet has propagated itself to so many computers. Then, when engineers were trying to update the software on Natanz centrifuges (which was Siemens PLCs), the virus would change the compiled code and quietly attached a piece of software to binary. The extended binary would then being deployed by engineers to the centrifuges unconsciously. The update would change the rotation speed of the centrifuge and slowly destroy it. This all was happening when all of the engineers were running the most updated anti-virus, all security patches, and all security guidelines!

Frank Cilluffo, director of the Homeland Security Policy Institute of George Washington University told Congress, Cyberspace, he said, “is made for plausible deniability.”. There is a little bit of context when you read it here, but the author, Kim Zetter, speculates that Microsoft at some point might have cooperated in delivering the attack. However, in cyberspace, cyber is made for plausible deniability.

"They likely were just the shallow tip of a stockpile of tools and weapons the United States and Israel had built." This is scary. That shows state-run cyber armies are investing heavily to compromise computers and stealing intellectual properties and private personal data.

Actionable Item

Usually we instruct our engineers to avoid some actions. Do not click on links, be careful of phishing attack, install the latest patch, run the latest anti-virus, use sandboxed networks or intranets, and so forth. However, those engineers who unconsciously ported the virus to Natanz site, have done all the above! They are not guilty of carelessness or recklessness, what they let them though was the Microsoft Windows Update, Microsoft vulnerability in USB disk icon detection, Siemens PLC wide open bugs. and others.

So, I am telling you, if you are 100% careful, it is possible that the underlying software let you down. If you are tiny little bit sloppy, your secrets are probably exposed already.

Conclusion

Are we target of any of these attacks? Probably, yes. Are we unconsciously being spied on? Probably, yes. This book is highly recommended, and it would make you a little paranoid at first, but being careful is good.