Comments on: Nitol Botnet: You Will Never Break The Chain
http://www.welivesecurity.com/2012/09/14/nitol-you-will-never-break-the-chain/
News, Views, and Insight from the ESET Security Community
Feed last updated: Mon, 03 Feb 2014 08:49:00 +0000

By: Larry Constantine (Lior Samson)
Wed, 19 Sep 2012 19:08:47 +0000
http://www.welivesecurity.com/2012/09/14/nitol-you-will-never-break-the-chain/#comment-1135

Both you and Leyden over at the Register show professionalism and attention to detail at its best. I appreciate the reasoned and measured response. We'll see whether any of this skeptical re-examination ever makes it into the mainstream press.

By: David Harley
Sat, 15 Sep 2012 10:16:10 +0000
http://www.welivesecurity.com/2012/09/14/nitol-you-will-never-break-the-chain/#comment-1134

Thanks for your comment, Larry. I understand that your primary concern was the media’s credulous assumption that Sanger’s assertions are gospel truth, and I think that’s right. I readily admit that I haven’t read his book, but the 2nd-hand summaries I’ve seen don’t suggest pinpoint accuracy in all respects. If you’ve read John Leyden’s article in the Register, you’ll probably accept that in most respects we – the ESET researchers who responded to John Leyden’s request for technical information – were broadly in agreement with you. We couldn’t say it was totally impossible for Stuxnet to spread across the internet, but we agreed that the Sanger scenario as you described it was unlikely.

As for whether Stuxnet went feral, I guess I can see in the light of your comment that when you said “First of all, the Stuxnet worm did not escape into the wild” you probably meant it didn’t escape into the wild as per Sanger’s scenario, in which case you’re probably right. However, the Cherry interview clearly suggested that Stuxnet wasn’t widespread. That’s true in the sense that tens of thousands of infections for a single family doesn’t generally make much of a blip on the radar: we see far more samples in a single day than that. But in the sense that this was a single family rather than a highly generic detection like INF/Autorun, it’s a significant if transient blip. But its infective capabilities via USB probably account for that better than a speculative back-infection from a PLC, so we’re not really disagreeing about that. The point, as far as I’m concerned, is that in my industry, the difference between in the wild and not in the wild can be a lot less than the 100,000 infections cited by Symantec.

(FWIW, we have figures that broadly agree with theirs: I just cited Symantec because that was the source you used.) I suspect that distinction is more important to me than it is to you: that doesn’t make either of us wrong, but it still has importance in this corner of the security industry. I’m no more a SCADA expert than you are an AV expert (probably less!), but I understand enough to agree totally with your broader agenda. Perhaps the best thing about this discussion is that Leyden did actually go out of his way to get some considered opinion across a range of expertise, rather than uncritically quote a single source and maybe lift a couple of soundbites from elsewhere. If there are journalists who are actually prepared to do research, there’s some hope for both our agendas. :)

By: Larry Constantine (Lior Samson)
Fri, 14 Sep 2012 21:56:45 +0000
http://www.welivesecurity.com/2012/09/14/nitol-you-will-never-break-the-chain/#comment-1133

Actually, David, I was not claiming that Stuxnet did not escape into the wild, but that the particular scenario by which Sanger in his articles and book claimed the malware had escaped ranged from the highly implausible to the technologically impossible. The maps from Symantec suggest that the majority of infections were in closely related clusters that implied direct communication via intranet, VPN, or portable media (sneakernet). The software was never equipped for broad transmission and infection over the Internet.
My point was that the media should not give a blanket pass to Sanger but be more credulous about the technical and political claims in his reportage. He clearly got some things very wrong, but mainstream media are ignoring the fact, which calls into question his sources, their agenda, or his interpretation, understanding, and reporting about these.
I am not and have never claimed myself to be an expert in networking or industrial security. I do have enough experience in industrial control systems (I helped Siemens design part of its STEP 7 series of PLC programming tools, the very tools that were compromised by Stuxnet) to know that Sanger's narrative is not believable.
My IEEE Spectrum interview (thanks, Steven Cherry) was just about getting a more skeptical and incredulous view out there, to stimulate debate among experts, and hopefully get the mainstream media dogging the footsteps of journalists who claim to be reporting the inside truth on stories of international importance.
I have been trying to raise awareness of the vulnerability of industrial control systems in general and critical infrastructure for a very long time through both my professional publications and fiction (e.g., Web Games). So my agenda goes considerably beyond Sanger and Stuxnet to the still broader issues.
–Prof. Larry Constantine (pen name, Lior Samson)
