The great and the good of the anti-virus industry are packing their suitcases and charging their iPads in readiness for a trip to Vancouver, the setting next week for the twentieth Virus Bulletin conference.
It’s the best opportunity that the malware fighters have each year to exchange discoveries, stories, and the occasional beer with their peers from other computer security companies. And it’s an excellent opportunity too for businesses to put a face to the people who are building their anti-virus software and delivering protection against tens of thousands of samples of new malware every day.
Over three days delegates at the Westin Bayshore hotel will hear about botnets, identity theft, mobile malware, targeted attacks, SEO poisoning and attacks on social networks, as well as much much more.
Sophos will be there in force, with experts from our labs presenting papers. Paul Baccas (aka “pob”) will be taking a close look at how we can heuristically detect malicious PDFs, and Mike Wood will be covering the use and abuse of digital signatures by malware.
What’s been getting most of the media attention, however, is the Stuxnet worm.
There have been numerous stories in the last few days about Stuxnet, with some claiming that it was deliberately coded to target an Iranian nuclear plant. But headlines suggesting it was designed to blow up power stations are perhaps a little sensationalist.
Yes, Stuxnet is a highly sophisticated piece of malware, which used a number of techniques which hadn’t been seen before (for instance, exploiting zero day vulnerabilities in Microsoft’s code).
Some of you will, no doubt, remember the YouTube video we made demonstrating how even with AutoRun and AutoPlay disabled, you can open a USB device (USB) and execute Stuxnet’s malicious code without user interaction.
And it’s true that Stuxnet was also a highly targeted attack – clearly focusing on messing with SCADA systems (often used by power plants and other infrastructure).
Although there’s been lots of speculation in the papers, the truth is that we don’t know if Stuxnet was created by, say, Israel. It’s very hard to prove 100% who created a piece of malware, and even more so to prove that it was done with the blessing of a government, army or secret service.
Israel has certainly been accused of hacking into other country’s computers before with military intentions (remember the story of how Mossad allegedly hacked a Syrian laptop and bombed a nuclear facility as a result?)
It’s also tricky to positively confirm that Iran was the target of Stuxnet either. It was, after all, seen in a number of other countries.
Another issue that has been largely ignored by the media is the response of Siemens, who developed the SCADA software that Stuxnet targets. Stuxnet knows the default password used by the Siemens SCADA software, but – astonishingly – Siemens advised power plants and manufacturing facilities not to change their default password. That’s despite it being public knowledge on the web for some years.
In summary – I think we need to be careful about pointing fingers without proof. I also reckon it’s more appropriate (if the claims are true) to call this a state-sponsored cyberattack rather than cyber-terrorism..
Of course, we shouldn’t be naive. Countries will use every dirty trick in the book to spy upon each other, disrupt activities, and grasp an advantage. We shouldn’t be surprised if military and intelligence agencies are engaged in this kind of behaviour, and we mustn’t fool ourselves into thinking that our own nations aren’t above using the internet to further their own ends too.
I think we will see more and more attacks which will be blamed on state-sponsored cyber-attacks in the future. There have been numerous attacks in the past which could be said to have possible military, political or economic motives, but it is very difficult to prove that a hack was ordered by Mossad or instead dreamt up by a Macclesfield student.
Certainly next week we’re expecting a fascinating conference in Vancouver – and my guess is that the talks related to Stuxnet will be amongst the best attended. I hope it doesn’t cast too much of a shadow over the other excellent research and talks which will be presented there.
But whatever your reason for looking forward to VB2010, I hope you have a great time. If you see me or any of the other guys from Sophos, please say hello. If you’re not lucky enough to get there, I’m sure plenty of people will be blogging and tweeting about the latest developments from Vancouver.