Smart, tech-literate reporting from Ralph Langner on the two Stuxnets:
… Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet’s smaller and simpler attack routine — the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and “forgotten” routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security.
Aaand this seems important:
Stuxnet also provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets. Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors.
Here’s something I’ve often wondered about: if you sprinkled an assortment of USB drives with provocative labels (“Project Z”? “Avengers FX reel”?) around, say, San Francisco’s Financial District, what proportion would get plugged in to office computers? I’m guessing 10%, maybe more. I consider myself as a test case here; I know the danger (most don’t) and it would still take all my willpower to throw a cool-looking drive away instead of checking it out.
Surely someone has conducted this experiment — is currently conducting it — driven, of course, not by curiosity but by malice. How many USB drives are lying in parking lots around the world right now, waiting to be picked up, carried inside…?
Link via Alexis Madrigal’s excellent 5 Intriguing Things email.