root wrote:

root@The TITANs cometh [hr] Maybe the TITANs did it, but I'm betting on a certain nation state that I won't name in the interest of not bringing automated hacking attention to a website I like.

Current rumors around this incident focus on the Israelis as the prime candidates. I think Seed AI's ranked 5th in the list of possible sources. ^_^

root wrote:

There are two ways to hack a complex control system at the assembly level. Either you built it, or you have the resources to reverse engineer it. Complex industrial control systems are not a dime a dozen, so the reverse engineering team would have to find a way to get access to a few million dollars worth of equipment form Seimens, and enough equipment to go about the reverse engineering process.

There are some very talented SCADA hackers out there who simply work the night shift so that they can play around with and learn about what they work with. Or who probably work for contracting companies that set up SCADA systems. Just as, many years ago, some phone phreaks used to try to get jobs with AT&T so that they could learn more about the technologies that underlied telephony of the era. However, for a well funded organization, it would not surprise if the scenario you posit has happened.

root wrote:

This stack of equipment is shipped out to few enough locations that the only groups with enough sway to make records of that purchase disappear are nation states. And that is not even including the question of how the hell they got access to Windows source code.

They probably asked for it, just like the NSA did. For certain potentially highly sensitive applications, TLAs have asked for the source code for internal review under NDA before filing purchase orders. Some of their findings are very interesting, also - the NSA's Windows Security Guides make for fascinating reading.

root wrote:

And this is totally the kinds of hacks I think exist in Eclipse Phase. Computer security might have gotten better by orders of magnitude, but the possible vectors of attack will have grown much faster.

To say nothing of smarter. It would not surprise if some of the malware in EP was itself an AI construct, with its own stats and skills. Or perhaps even a delta fork of a cracker, so heavily customized that it may as well be an AI.

The Doctor wrote:

They really needed copies of the firmware for the hardware and not the hardware itself. Dumping EPROMs is not difficult, nor is getting hold of flashable firmware images from an FTP server (say) or someone's e-mail (unlikely, but worse things for OPSEC have happened over e-mail). I heard four zero-days. I got my hands on a copy of Stuxnet that I plan on reversing soon, so hopefully I will have some harder information to work from. As for using so many weaponized exploits in its transmission vector.. so far as I know that is highly unusual. At least, none of my colleagues who are in a position to talk about such say they have found any malware which packages so many.

It does have four zero-days acknowledged, but I've heard from many that it can be altered to have more as whomever created it decides to. It is p2p update-able and uses a unique handshake protocol for its own code (which is the element I'm most interested in checking out from my copy). It also contained 2 stolen certificates, which explains why it wasn't noticed right away. I think the big thing that people are talking about is the fact that this bad boy weighs in at half a megabyte. It's full capabilities haven't been cracked, not to mention that variants are cropping up everywhere. It leaves a lot of people wondering what else it might do, especially come the expiration date in 2012. Speaking of the stolen certificates, should anyone be suspicious that the 2 stolen certificates were from Taiwanese computer companies based in Hsinchu? Might that be a clue as to where this came from?

The Doctor wrote:

Peer-to-peer update mechanisms in malware are becoming more common these days, and not all of them are using variants of BitTorrent. Updating modular malware has been around for a while.

Well, yes and no. It's not uncommon for an updated version of a virus to be capable of updating older versions on the web through peer-to-peer software. It's far less common for a virus to be able to connect to a separate peer-to-peer network. I was under the belief that stuxnet uses the latter rather than the former.

The Doctor wrote:

I think it is more likely that the certificates were stolen from them because their security was compromised; maybe they even know about it now. It does not make much sense to make use of a reasonably scarce resource (a code signing certificate) for one's own black op.

I'm not assuming that they used it for their own dirty work, but rather that this might narrow down the search. The Chinese government would have every incentive to utilize Taiwanese certificates, as would any number of Taiwan's neighboring countries. Plus, I'm not fully convinced that this couldn't be the work of a serious hacktivism group that might have been incensed about the nuclear proliferation of Iran or any number of other current events... a group that is potentially based out of (or at least has members in) Taiwan.