As far as attacks like this are concerned, it never ceases to amaze me why computers that control the important/critical hardware are somehow connected to the Internet and/or are used without strong security measures. They should be isolated as much as possible.

Edit: chickenlittle beat me to it.

Where I work we use a siemens computer and PLC system to controll all the plant and equipment in a large office building. Nothing like as critical as a nuclear facility, but data loss or programme corruption could lead to substantial monetary loss.
The computer in qustion is used for all sorts of other purposes, including internet access.
This is called "value engineering" since it saves buying a second PC which would be a cause of serious financial hardship to a multi million pound business.
The password is written on the wall next to it !

My company has a client with remote locations across the country exchanging files with a central system. In order to minimize the risk of viruses, they still insist that the remote computers can not be connected to a local network or the internet, and they use dial-up to transfer the files.

Other clients with another product use sneaker-net to transfer files between systems. While not quite as secure because some viruses can be transferred to the media along with the desired file, it still limits exposure because of the physical transfer method.

(Maybe they should run OS/400 instead of Winders, but that's just a geeky server prejudice.)

Most systems can have adequate security, but it's expensive and time consuming to implement proper physical and logical security. Within the last year, the military has prohibited the use of USB drives on their systems.

Once upon a time DOD had itself a very nice secure network, which they got all infected to hell and gone by connecting it to the Internet. It seems that this is a lesson that people have to learn the hard way.

Keeping something disconnected doesn't completely eliminate the possibility of malware infection, unless you fill the network and USB ports with epoxy and post an armed guard to keep people from digging the epoxy out. Frequently, when sensitive systems are compromised, it's via an authorized channel, such as a software update that was infected with malware.

We were taught in the military that the closest you could get to a "safe" computer in the real world was to have it turned off 24/7, unplugged from everything, and sealed in a locked room under armed guard. And even then it wasn't totally safe.

You can take the most secure computer the military has, in the most secure room possible, with no internet connection to it... and then let a 18-year-old E-1 walk in with a video game he wants to load onto it and it all goes to crap right then. Seen it firsthand more times than I could count.

I wonder who the genius' are who created this thing? At least one thing about its creators is certain, they have absolutely no regard for its potentially disastrous effects on the global economy. What a bunch of losers. From today's news

Interesting - right now I'm reading "Cyber War" by Richard A. Clarke - he talks about our offensive cyber war capacity - which is informally ranked as No. 1 in the world - vs. our dependence on the Internet and our defensive capability - which in his estimation combine to make us the most vulnerable to being attacked of almost any country that is "in the rankings" as a cyber world power.

He makes some interesting parallels to how we don't have an established strategy for cyber war, and how this is similar to the first decade or two after the advent of nuclear warfare capability - a capability without a defined role, without guidance for when it would be used and, more importantly, limits on when it would NOT be used. And that's where we are with cyber war - no overarching strategy for the people who are wielding this to know when we would or would not use cyber warfare.

And he says that while we've developed intelligence-based and military-based cyber groups in each of the armed services that will defend the DOD-related sites, and Homeland Security has cyber capabilities to protect other government sites, NO one is tasked to protect the privately owned, critical infrastructure. Each private sector and company is on its own.

The Stuxnet worm was clearly a one-shot weapon. Once the flaws in the OS were patched it couldn't spread outside the control system. Clearing it from the control system might be a PITA, likely you have to shut everything down, but the process is routine. Once the OS is patched and the control system purged Stuxnet is gone. It will remain as a historical footnote. Possibly as a pet worm in someone's sandbox system where they can study and admire it.

The take away is that you don't connect critical systems to public networks. If there is any connection outside the system it is inherently insecure. Keep your OS and security software updated. Avoid Windows if you are concerned with security.

Usually people who write these things are not genius' they are people who are bored and have time on their hands. It doesn't take that much skill to write these types of worms/virus (We wrote simple boot sector virus' in college), all you need to know is some simple programming skills. You just need the time and nothing better to do so you just keep trying simple variations in your script until something breaks. Most of these kind of exploits are released this time of year as kids start to college, they pay their tuition, room and board, books, etc then have no $ left over for beer so they sit in their dorms bored. Its also why they don't consider the big picture effect of their actions, they are not genius' nor are they quite mature enough to fully understand the effects.

Holy moly. Looks like this thing has really gone global. Tens of thousands of companies are infected and it may have even been responsible for the disabling of an Indian satellite. Symantec's chief response guy has this to say:



Okay, so I also heard some pretty scary interviews from cyber security gurus on the radio today. My question is, should we be more concerned or is this stuxnet really as benign as the media portray? Because they're making it seem like a near miss.