Dave Aitel dave at immunityinc.com
Tue Dec 23 09:29:40 EST 2014

It is a lot of work to take compile times from various Stuxnet, Flame,
Duqu, etc. DLL's and correlate them with the list of centrifuge
replacements that the IAEA puts out from the Iranian nuclear program.
You don't have to do any of that work. Kim Zetter has already done so,
and compiled them, with some interesting human interest interviews from
AV reverse engineers into her book
<http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/>. It is
worth a read, less for the parts about Stuxnet perhaps, than for how
Iran operated as it hid its nuclear weapons program from the public with
pathetically transparent lies and chicanery.

The book falters for predictable reasons: people not in the Paladin-like
white-hat world of AV are not going to talk to Kim about Stuxnet. Her
access to sources with insight into the world of mirrors is essentially
zero so some of the meat of the book is re-processed from the work of
Sanger (who had a General leaker to write from). The entire last chapter
(incomplete in the Google Play version of the book) reads like a
journalist wrote it, without any internal voice. It tries to predict the
future using the events of the book by quoting from various "expert
sources". It is the weakest chapter in the book.

In the same way the book, while balanced, avoids all the hard questions.
Did Microsoft have logs of the Flame authors getting their fake
certificate? Were they obviously complicit? Is the US behind the
assassinations of the Iranian nuclear scientists? Is that going too far?
Are cyber-scientists next?  All the AV characters seem mystified that
nobody in the US establishment seems curious where Stuxnet came from, or
wants to put a lot of effort into investigating it, and Kim seems
oblivious when her US-CERT sources blatantly lie to her face about it.
What does it /mean /that every AV company seems pretty good at finding
every other country's implants, but not their own country's? Mikko
Hypponen has commented
<http://www.wired.com/2012/06/internet-security-fail/> on the rather
emotional state of things when you've sold a product that is supposed to
detect malware and it clearly is performing poorly, since Stuxnet and
Friends have been around for almost a half-decade?

Also missing is the aftermath. It's hard to talk Stuxnet without looking
at the Cyber Sword of Justice and the personalities behind the Iranian
cyber team - many of whom are public and active on twitter/facebook/DD
etc.  Without amore global view <http://imgur.com/gallery/E4tFuD6> of
the conflict (and listening to Halvar) you miss the signs pointing
directly to Sony


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20141223/ee26278b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20141223/ee26278b/attachment.sig>

More information about the Dailydave mailing list