The Times has a great piece on Stuxnet, the computer worm designed to destroy Iranian centrifuges. Stuxnet was a joint US/Israeli operation which was accidentally released across the Internet due to a programming error. Here’s Biden’s take on who fucked that up:
Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”
And here’s an eternal truth:
“It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”
Walker
Is this the first article where we have unofficial-official confirmation that it was military? The last Ars article I read was still coy about whether it was military.
Schlemizel
I work in IT security and one of my all-time favorite social engineering tricks is to plant a thumb drive or two around a building/parking lot with an autorun trojan on it. It is very rare that the finder will not immediately run & plug it into their company PC. It will alert me and wait patiently for me to tell it what I want next, which is usually to find servers that their firewall blocks outside access to. There is always something to exploit on them to gain access into them.
Egg Berry
I thought it was interesting that the Bush administration was taking this approach because bombing would destabilize the ME further, while Cheney was calling for bomb strikes. I guess he did learn something after all.
existential fish
something something bradley manning.
seriously though, good title.
lacp
So our cyber-assault was designed to keep the Persians from developing the nuclear-weapon capacity that our own intelligence sources said they weren’t developing. I feel safer already.
Commenting at Balloon Juice since 1937
If you’re interested in things like this, I highly recommend Mark Bowden’s Worm: The First Digital World War
The ‘throw thumb drives around the parking lot’ ploy seems to be fairly common and effective.
JPL
We now know why McCain is so upset. He was hoping for bloodshed and instead he got tubes.
Cermet
@Schlemizel: Both nice and very good to warn people about this trick – if more people did this (the warning!) all of us would have safer data – thanks for that heads up!
Lee
Not so funny IT Security story.
I work for a telecom company that is a subsidiary of a Japanese company. The entire time I have worked here the IT Security team has been very good.
While the “Code Red” virus was tearing up networks across the globe our network was clean. It stayed clean for almost the entire life of the virus.
Then a Japanese visitor plugged into our network. Our parent company exempted their Japanese employees from our security for no other reason than their racism (the Japanese are too smart to get a virus so they don’t need the security). Within a few minutes our network was having issues. Thankfully our top notch security team was able to quickly contain it and our slowdown was only about a half a day.
Here is the kicker. Our parent company’s network was completely infested and they had NO IDEA. They had to have our security team clean their network. IIRC it took them about 2 weeks to clean it of the multiple virii.
Tom Levenson
Stares at thumb drive in his hand.
Channeling my inner George Carlin: who knew I had such power!
cat
I look forward to the coming investigation into who leaked details about an ongoing classified intelligence operation… Oh wait…
ThresherK
Another eternal truth:
“Any fool can write code. And often they do.”
–Philippe Kahn
What Have The Romans Ever Done for Us? (formerly MarkJ)
I’m not a real doctor, but I am a real worm, I am an actual worm. I live like a worm.
David Hunt
@Commenting at Balloon Juice since 1937:
I listened to an interview Terry Gross of Fresh Air did with a computer security guy a few years back and he mentioned this trick. He said that someone had managed to hack the Pentagon with that trick. On the bright side, he said that it had also failed on the CIA…
Raven
Are you with me Dr. . . ?
redshirt
USB drives or straight up steal a laptop. Didya hear control of the ISS was lost for a while last year due to a hack at NASA? Someone had control of the ISS. Crazy!
Wait till cars and body parts start getting hacked. It’s going to be one crazy future.
Interrobang
I’m pretty sure if I found a thumb drive somewhere, and I was really curious to see what was on it, I’d make sure I plugged it in to a non-networked system with as much locked down as possible, but I’m paranoid like that.
Because I’m paranoid like that, I’ve had a grand total of two virus attacks in the entire 16 years I’ve been running modern computer systems, and even now, I won’t do anything with that last HDD that had the virus on it unless I’m disconnected and locked down, because I don’t completely trust that it’s clean. Each time that’s happened, I’ve reinstalled the OS from scratch and rebuilt the filesystem, making sure I isolate all the data I want to keep.
I don’t work in computer security; I’m actually a technical writer. We’re supposedly the non-technical IT people.
gaz
@Interrobang: Or you could just disable autorun and sandbox anything you open on the drive, using one of the myriad of (often free) tools available. Much simpler – at least as safe, if not safer.
pacem appellant
Does it make it any better that this was the season 1 finale of “Sherlock”? I love the show, but as an IT guy, the thought of having any national secrets on a thumb drive seemed ridiculous. If this were my organization, and my superiors told me thumb drive, I’d minimally encrypt them. These drives were encrypted, right? No? There’s your dude to blame, whoever is in charge of network security.
Peggy
Late to the party, one story. My IT husband had his shop bought by a HIPAA-compliant hospital. Hyper security conscious, revamping everything, locking down their servers in a fingerprint locked offsite location. When they transport an encrypted thumb drive, password is craftily disguised on a post-it.
redshirt
@Peggy: The irony of requiring complex passwords: Everyone writes them down and sticks them on their monitors.
pacem appellant
Best password advice ever, and eliminates post-its as a security breach:
http://xkcd.com/936/
And yes, we should be taking advice from online comics. duh!
redshirt
@pacem appellant: Indeed. I’ve been preaching it for years. Or a concatenation of a sentence into letters works well too.
Grumpy Code Monkey
@pacem appellant:
At my last defense-related job, thumb drives not owned by IT were explicitly banned. There was a standing policy that any personal thumb drive found on the premises (be it on your desk, sticking out of the USB port on your computer, being held in your hand, sitting on a table in the break room, whatever) immediately became IT property, where it was promptly wiped and given an asset tag.
The Other Bob
I work for the government where most everything I do can be FOIAed. Why care about security?