N.Y. Times with more Stuxnet details – what’s the conclusion?

It feels like everything of even remote interest to the average security professional has already been said about Stuxnet from a technical perspective, but yesterday the N.Y. Times published an article titled “Israel Tests on Worm Called Crucial in Iran Nuclear Delay” that sheds some light on the political and intelligence side of the story. Before you run off to read the piece (and you absolutely should), I have to add that it doesn’t reveal any groundbreaking new details, but it pieces the various bits of publicly available information together nicely.

As I was reading that article, the effort put into the creation and testing of the core payload amazed me. While the security community mainly focused on the sophistication of the exploits and, to a lesser extent, on the interaction with the PLCs, the impressive amount of logistics and string-pulling required to acquire and reproduce the targeted environment went somewhat unnoticed. The presentation “Adventures in analyzing Stuxnet” by Microsoft’s Bruce Dang, given at the 27th Chaos Communication Congress in Berlin, as interesting and entertaining as it was, reinforced the perception that Stuxnet was notable mainly because of the number of previously unknown or forgotten vulnerabilities leveraged to compromise the operating system supporting the real target.

But (in my view at least) the lesson is far from Microsoft Windows being insecure, not fit for purpose, stuffed with security holes, or similar comments observed during Bruce’s presentation; these remarks completely miss the point and the momentousness of this operation. William J. Broad, John Markoff and David E. Sanger’s article should make it abundantly clear that compromising the target was a minor obstacle at best, and it wouldn’t have made any difference whether the underlying operating system had been Microsoft Windows, Linux, BSD, Solaris or something else. There is no point in my repeating what has been said about APT before, but your standard controls and countermeasures will not discourage, deter or prevent an attacker as determined as the one in this scenario. For further reading I will refer to Mandiant’s excellent blog; a great place to start would be “M-Trends: The Advance of the Persistent Threat“.