Stuxnet & Ethics!

Posted: October 20, 2010 in Shubham's Posts
We have so far heard mainly of ethical hacking by companies in order to test the robustness and the security features of their software and programs. But this is something new – kindly have a look at the following news in “Economist” –

A cyber-missile aimed at Iran?
Sep 24th 2010, 13:32 by T.S.
THE internet is abuzz this week with speculation about Stuxnet, a “groundbreaking” computer worm that attacks industrial-control systems. Put that way, it doesn’t sound very exciting. But the possibility that it might have been aimed at one set of industrial-control systems in particular—those inside Iranian nuclear facilities—has prompted one security expert to describe Stuxnet as a “cyber-missile”, designed to seek out and destroy a particular target. Its unusual sophistication, meanwhile, has prompted speculation that it is the work of a well-financed team working for a nation state, rather than a group of rogue hackers trying to steal industrial secrets or cause trouble. This, in turn, has led to suggestions that Israel, known for its high-tech prowess and (ahem) deep suspicion of Iran’s nuclear programme, might be behind it. But it is difficult to say how much truth there is in this juicy theory.

The facts are these. Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm based in Belarus. The following month Siemens, a German industrial giant, warned its customers that their “supervisory control and data acquisition” (SCADA) management systems were vulnerable to the worm. Specifically, it targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows. For security reasons such systems are usually not connected to the internet. But Stuxnet spreads via USB memory sticks, or key drives. When an infected memory stick is plugged into a computer, the Stuxnet software checks to see if WinCC is running. If it is, it tries to log in, install a backdoor control system and contact a server in Malaysia for instructions. If it cannot find a copy of WinCC, it looks for other USB devices and tries to copy itself onto them. It can also spread across local networks via shared folders and print spoolers. (Here are the gory details.)

At first it was assumed that Stuxnet was designed to conduct industrial espionage or allow hackers to hold companies to ransom by threatening to shut down vital systems. But it has some unusual characteristics. WinCC is a reasonably obscure SCADA management system. Hackers hoping to target as many companies as possible would have focused on other, more popular, control systems. And according to Ralph Langner, a German security expert who published his own analysis last week, Stuxnet examines the system it is running on and, only if certain very specific characteristics are found, shuts down specific processes. All this suggests that a particular system was being targeted.

Moreover, Stuxnet uses the combination of two compromised security certificates (stolen from companies in Taiwan) and a previously unknown security hole in Windows to launch itself automatically when a user tries to access a memory stick on which it is installed. The use of previously unknown security holes (known in the trade as “zero-day vulnerabilities”) by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. Normally, anyone who discovers a new zero-day exploit can expect to sell it for a handsome fee to hackers who can then make use of it. Whoever built Stuxnet, however, was prepared to pay for four such exploits, which cannot have been cheap, to boost its chances of success. They also had deep knowledge of particular control systems. So it seems to be an expensive piece of software aimed at one specific facility.

But which one? Microsoft said in August that more than 45,000 computers around the world had been infected by Stuxnet. An analysis by Symantec, a computer-security firm, found that 60% of infected machines were in Iran, 18% in Indonesia and 8% in India. It could be just a coincidence that Iran has been hardest hit. But if Stuxnet has been deliberately aimed at Iran, one possible target is its Bushehr nuclear reactor, though there is no specific evidence for this. It is true that according to this screenshot from UPI, the Bushehr reactor is controlled by Siemens systems, including the WinCC software that Stuxnet targets. Dr Langner speculates that it could have been infected via AtomStroyExport, the Russian firm that is building the plant. Bushehr has been dogged by problems for years and its opening was recently delayed once again. But given the long history of delays, there is no need to invoke a computer worm to explain the latest one. A rival theory is that the target was Iran’s uranium-enrichment plant at Natanz, and that Stuxnet successfully shut down some of its centrifuges in early 2009.

We are deep into the realm of speculation here. Readers are invited to follow the links in this post to wade as far as they like into the various conspiracy theories floating around (such as this one, which spots a Biblical reference in a project name buried in the Stuxnet code). Two further reports on the worm are due to be released at a computer-security conference starting in Vancouver on September 29th. They may clear up some of the mysteries surrounding Stuxnet—but they may simply prompt further speculation.

Here is a video which tries to unravel Stuxnet and the uncertainties about it –

Well, this is amazing and raises serious questions about ethics.

If some mischief mongers are behind this who, out of the sarcastic pleasure of sabotaging programmable logic controllers in industrial equipment or to make money, use Stuxnet, it could be understandable; but if it is being used by governments to target their political enemies, it is very unfortunate. Although its use or release by anybody is unethical, if it is being used by governments then it is atrocious and highly condemnable. Although not much is known about Stuxnet, and we may know more about it in future, one thing is certain: it is a big challenge for cyber security experts.

Another fallout has been that Iran has apparently blocked the technology website “Ars Technica” for reporting on the Stuxnet virus, which has been found targeting industrial systems in the Middle Eastern nation. This action is also unethical and we also do not know as to what was reported that invoked such a strong reaction. I have browsed this website and failed to see anything that could have warranted such a step.

A very recent report at infowars says, “Stuxnet False Flag Launched For Web Takeover”. This is very interesting and if it is true, it should be fought tooth and nail to ensure privacy and freedom of speech & expression. The following three videos explain how Stuxnet is being used as a false flag by the US government to take over and control all aspects of the web and individual communications –

Here is a counter view. The following video blames Iran and Russia for raising the false flag of Stuxnet –

It is still unknown who is really behind it, but to look at the ethics involved, I am analyzing the aims with which it could have been done. For this I assume that I am one of the following –

  1. A professional hacker
  2. A computer expert thief
  3. A terrorist
  4. A nation state
  5. An industrial unit
  6. A software company in cyber security

I will now analyze each case one by one.

A professional hacker
If I am a professional hacker, I try to invent code that can break into computer systems and bring them down. It is not necessarily for wrong motives and I do it for helping the software companies in making their software impregnable and secure. My aim for developing Stuxnet could be to highlight a potential threat with the most ethical objective and then to try to develop a safeguard for this. This action is not unethical and it should be ensured that the product does not fall into wrong hands.

A computer expert thief
If I am a computer expert thief, I try to break into secure computer systems and steal usernames and passwords for committing fraud and transferring money from others’ accounts into my own account. If I fail in my efforts, I may, out of frustration, develop something that makes critical computer systems unworkable. This action is unethical.

A terrorist
If I am a terrorist, my aim is to terrorize people of a particular enemy country and to harm them as much as possible. If I use violent methods, there is destruction of life and there is a great danger to my own life also. A novel way to harm the enemy country would be to use Stuxnet to cripple computer systems and vital infrastructure. This action is unethical.

A nation state
If I am a nation state, my aim as a responsibility towards my people would be to ensure that the computer systems in my country and critical infrastructure are safe and secure. I would try to test my computer systems with the most severe viruses and worms and try to make my computer systems capable of warding off any possible threat. In order to achieve this aim, I would develop Stuxnet and try to make my computer systems immune from attacks of even Stuxnet. This action is ethical.

On the other hand, as hinted in the above article in the Economist, I might develop and release Stuxnet into the computer systems of my enemy states in order to harm their computer systems and infrastructure. This helps me avoid being identified while surreptitiously dealing a heavy blow to my enemy. It is also much more cost effective, and my men and territory are not endangered in any way in these kinds of attacks. This action is unethical and reprehensible.

An industrial unit
If I am an industrial unit, my aim would be to secure my computer systems from any kind of breakdown and attacks, either intentional or unintentional. I would concentrate on my safety and security rather than think of harming my competitors. In order to assure myself of the preparedness of my systems, I would ask my IT team to constantly check the computer systems by exposing them to the deadliest and most virulent worms and viruses available. This action is not unethical.

Although this possibility is remote, I might even ask them to develop viruses to make my computer systems more secure and to ward off any unexpected attacks. In very rare cases, I might use worms like Stuxnet to harm my competitors. This action is unethical.

A software company in cyber security
If I am a software company in the field of cyber security, my basic job is to develop viruses and worms and then to find ways and means to neutralize them. My company gains recognition and makes more money, if I am able to demonstrate that my products can save any computer system from all the known viruses. I could even throw up an open challenge to hackers around the world, to hack my computer systems, and demonstrate to the world, that my products can ward off any possible threat to any computer. I could even show by developing a Stuxnet and an antidote to it, that I know ways and means to save computers from such virulent attacks. This action is ethical.

I might, out of greed, try to find buyers who would try to use Stuxnet for harming their enemies. The potential buyers could be nation states or terrorist organizations also. This action is unethical.

The mystery of Stuxnet will unravel in the days to come, but whatever it is, it is alarming and needs immediate attention both technologically and politically.

