Add to book club
Loading your book clubs
There was a problem loading your book clubs. Please try again.
Not in a club?
Learn more
Join or create book clubs
Choose books together
Track your books
Bring your club to Amazon Book Clubs, start a new book club and invite your friends to join, or find a club that’s right for you for free.
Flip to back
Flip to front
Follow the Author
Something went wrong. Please try your request again later.
OK
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Hardcover – November 11, 2014
by
Kim Zetter
(Author)
|
Kim Zetter
(Author)
Find all the books, read about the author, and more.
See search results for this author
|
|
Price
|
New from | Used from |
|
Audible Audiobook, Unabridged
"Please retry"
|
$0.00
|
Free with your Audible trial | |
-
Print length448 pages
-
LanguageEnglish
-
PublisherCrown
-
Publication dateNovember 11, 2014
-
Dimensions6.4 x 1.42 x 9.61 inches
-
ISBN-10077043617X
-
ISBN-13978-0770436179
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
-
Apple
-
Android
-
Windows Phone
-
Android
|
Download to your computer
|
Kindle Cloud Reader
|
Customers who viewed this item also viewed
Page 1 of 1 Start overPage 1 of 1
What other items do customers buy after viewing this item?
Page 1 of 1 Start overPage 1 of 1
Editorial Reviews
Review
"Immensely enjoyable...Zetter turns a complicated and technical cyber- story into an engrossing whodunit...The age of digital warfare may well have begun."
--Washington Post
"An authoritative account of Stuxnet’s spread and discovery...[delivers] a sobering message about the vulnerability of the systems—train lines, water-treatment plants, electricity grids—that make modern life possible."
--Economist
"Exhaustively researched...Zetter gives a full account of this “hack of the century,” as the operation has been called, [but] the book goes well beyond its ostensible subject to offer a hair-raising introduction to the age of cyber warfare."
--Wall Street Journal
“Part detective story, part scary-brilliant treatise on the future of warfare…an ambitious, comprehensive, and engrossing book that should be required reading for anyone who cares about the threats that America—and the world—are sure to be facing over the coming years.”
—Kevin Mitnick, New York Times bestselling author of Ghost in the Wires and The Art of Intrusion
“Unpacks this complex issue with the panache of a spy thriller…even readers who can’t tell a PLC from an iPad will learn much from Zetter’s accessible, expertly crafted account.”
—Publishers Weekly (starred)
“A true techno-whodunit [that] offers a sharp account of past mischief and a glimpse of things to come…Zetter writes lucidly about mind-numbingly technical matters, reveling in the geekery of malware and espionage, and she takes the narrative down some dark electronic corridors… Governments, hackers and parties unknown are launching ticking computer time bombs every day, all coming to a laptop near you.”
--Kirkus
"An exciting and readable story of the world's first cyberweapon. Zetter not only explains the weapon and chronicles its discovery, but explains the motives and mechanics behind the attack -- and makes a powerful argument why this story matters."
--Bruce Schneier, author of Secrets and Lies and Schneier on Security
--Washington Post
"An authoritative account of Stuxnet’s spread and discovery...[delivers] a sobering message about the vulnerability of the systems—train lines, water-treatment plants, electricity grids—that make modern life possible."
--Economist
"Exhaustively researched...Zetter gives a full account of this “hack of the century,” as the operation has been called, [but] the book goes well beyond its ostensible subject to offer a hair-raising introduction to the age of cyber warfare."
--Wall Street Journal
“Part detective story, part scary-brilliant treatise on the future of warfare…an ambitious, comprehensive, and engrossing book that should be required reading for anyone who cares about the threats that America—and the world—are sure to be facing over the coming years.”
—Kevin Mitnick, New York Times bestselling author of Ghost in the Wires and The Art of Intrusion
“Unpacks this complex issue with the panache of a spy thriller…even readers who can’t tell a PLC from an iPad will learn much from Zetter’s accessible, expertly crafted account.”
—Publishers Weekly (starred)
“A true techno-whodunit [that] offers a sharp account of past mischief and a glimpse of things to come…Zetter writes lucidly about mind-numbingly technical matters, reveling in the geekery of malware and espionage, and she takes the narrative down some dark electronic corridors… Governments, hackers and parties unknown are launching ticking computer time bombs every day, all coming to a laptop near you.”
--Kirkus
"An exciting and readable story of the world's first cyberweapon. Zetter not only explains the weapon and chronicles its discovery, but explains the motives and mechanics behind the attack -- and makes a powerful argument why this story matters."
--Bruce Schneier, author of Secrets and Lies and Schneier on Security
About the Author
KIM ZETTER is an award-winning journalist who covers cybercrime, civil liberties, privacy, and security for Wired. She was among the first journalists to cover Stuxnet after its discovery and has authored many of the most comprehensive articles about it. She has also broken numerous stories over the years about WikiLeaks and Bradley Manning, NSA surveillance, and the hacker underground.
Excerpt. © Reprinted by permission. All rights reserved.
CHAPTER 1
EARLY WARNING
Sergey Ulasen is not the sort of person you’d expect to find at the center of an international incident. The thirty-one-year-old Belarusian has close-cropped blond hair, a lean boyish frame, and the open face and affable demeanor of someone who goes through life attracting few enemies and even fewer controversies. One of his favorite pastimes is spending the weekend at his grandmother’s country house outside Minsk, where he decompresses from weekday stresses, far from the reach of cell phones and the internet. But in June 2010, Ulasen encountered something unusual that soon propelled him into the international spotlight and into a world of new stress.1
It was a warm Thursday afternoon, and Ulasen, who headed the antivirus division of a small computer security firm in Belarus called Virus–BlokAda, was seated with his colleague Oleg Kupreev in their lab in downtown Minsk inside a drab, Soviet-era building about a block from the Svisloch River. They were sifting methodically through suspicious computer files they had recently found on a machine in Iran when something striking leapt out at Kupreev. He sat back in his chair and called Ulasen over to take a look. Ulasen scrolled through the code once, then again, to make sure he was seeing what he thought he saw. A tiny gasp escaped his throat. The code they had been inspecting the past few days, something they had until now considered a mildly interesting but nonetheless run-of-the-mill virus, had just revealed itself to be a work of quiet and diabolical genius.
Not only was it using a skillful rootkit to cloak itself and make it invisible to antivirus engines, it was using a shrewd zero-day exploit to propagate from machine to machine--an exploit that attacked a function so fundamental to the Windows operating system, it put millions of computers at risk of infection.
Exploits are attack code that hackers use to install viruses and other malicious tools onto machines. They take advantage of security vulnerabilities in browser software like Internet Explorer or applications like Adobe PDF Reader to slip a virus or Trojan horse onto a system, like a burglar using a crowbar to pry open a window and break into a house. If a victim visits a malicious website where the exploit lurks or clicks on a malicious e‑mail attachment containing an exploit, the exploit uses the security hole in the software to drop a malicious file onto their system. When software makers learn about such holes in their products, they generally produce “patches” to close them up and seal the intruders out, while antivirus firms like Ulasen’s add signatures to their scanners to detect any exploits that try to attack the vulnerabilities.
Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors--which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.
But zero-day exploits are rarely found in the wild. It takes time and skill for hackers to discover new holes and write workable exploits to attack them, so the vast majority of hackers simply rely on old vulnerabilities and exploits to spread their malware, counting on the fact that most computer users don’t often patch their machines or have up-to-date antivirus software installed, and that it can take vendors weeks or months to produce a patch for a known hole. Although more than 12 million viruses and other malicious files are captured each year, only about a dozen or so zero-days are found among them. Yet here the attackers were using an extremely valuable zero-day exploit, and a skillful rootkit, for a virus that, as far as Ulasen and Kupreev could tell, had only been found on machines in Iran so far. Something didn’t add up.
THE MYSTERY FILES had come to their attention a week earlier when a reseller of VirusBlokAda’s security software in Iran reported a persistent problem with a customer’s machine in that country. The computer was caught in a reboot loop, crashing and rebooting repeatedly while defying the efforts of technicians to control it.2 VirusBlokAda’s tech-support team had scanned the system remotely from Minsk to look for any malware their antivirus software might have missed, but came up with nothing. That’s when they called in Ulasen.
Ulasen had been hired by the antivirus firm while still in college. He was hired to be a programmer, but the staff at VirusBlokAda was so small, and Ulasen’s skills so keen, that within three years, at the age of twenty-six, he found himself leading the team that developed and maintained its antivirus engine. He also occasionally worked with the research team that deconstructed malicious threats. This was his favorite part of the job, though it was something he rarely got to do. So when the tech-support team asked him to weigh in on their mystery from Iran, he was happy to help.3
Ulasen assumed the problem must be a misconfiguration of software or an incompatibility between an application installed on the machine and the operating system. But then he learned it wasn’t just one machine in Iran that was crashing but multiple machines, including ones that administrators had wiped clean and rebuilt with a fresh installation of the operating system. So he suspected the culprit might be a worm lurking on the victim’s network, reinfecting scrubbed machines each time they were cleaned. He also suspected a rootkit was hiding the intruder from their antivirus engine. Ulasen had written anti-rootkit tools for his company in the past, so he was confident he’d be able to hunt this one down if it was there.
After getting permission to connect to one of the machines in Iran and remotely examine it, Ulasen and Kupreev zeroed in on six suspicious files--two modules and four other files--they thought were the source of the problem.4 Then with help from several colleagues in their lab, they spent the next several days picking at the files in fits and starts, hurling curses at times as they struggled to decipher what turned out to be surprisingly sophisticated code. As employees of a small firm that mostly developed antivirus products for government customers, they weren’t accustomed to taking on such complex challenges: they spent most of their days providing routine tech support to customers, not analyzing malicious threats. But they pressed forward nonetheless and eventually determined that one of the modules, a driver, was actually a “kernel-level” rootkit, as Ulasen had suspected.5
Rootkits come in several varieties, but the most difficult to detect are kernel-level rootkits, which burrow deep into the core of a machine to set up shop at the same privileged level where antivirus scanners work. If you think of a computer’s structure like the concentric circles of an archer’s target, the kernel is the bull’s eye, the part of the operating system that makes everything work. Most hackers write rootkits that operate at a machine’s outer layers--the user level, where applications run--because this is easier to do. But virus scanners can detect these--so a truly skilled hacker places his rootkit at the kernel level of the machine, where it can subvert the scanner. There, it serves as a kind of wingman for malicious files, running interference against scanners so the malware can do its dirty work unhindered and undetected. Kernel-level rootkits aren’t uncommon, but it takes sophisticated knowledge and a deft touch to build one that works well. And this one worked very well.6
Kupreev determined that the rootkit was designed to hide four malicious .LNK files--the four other suspicious files they’d found on the system in Iran. The malware appeared to be using an exploit composed of these malicious files to spread itself via infected USB flash drives, and the rootkit prevented the .LNK files from being seen on the flash drive. That’s when Kupreev called Ulasen over to have a look.
Exploits that spread malware via USB flash drives aren’t as common as those that spread them over the internet through websites and e‑mail attachments, but they aren’t unheard of, either. All of the USB exploits the two researchers had seen before, however, used the Autorun feature of the Windows operating system, which allowed malicious programs on a USB flash drive to execute as soon as the drive was inserted in a machine. But this exploit was more clever.7
Windows .LNK files are responsible for rendering the icons for the contents of a USB flash drive or other portable media device when it’s plugged into a PC. Insert a USB flash drive into a PC, and Windows Explorer or a similar tool automatically scans it for .LNK files to display the icon for a music file, Word document, or program stored on the flash drive.8 But in this case, the attackers embedded an exploit in a specially crafted .LNK file so that as soon as Windows Explorer scanned the file, it triggered the exploit to spring into action to surreptitiously deposit the USB’s malicious cargo onto the machine, like a military transport plane dropping camouflaged paratroopers onto enemy territory.
The .LNK exploit attacked such a fundamental feature of the Windows system that Ulasen wondered why no one had thought of it before. It was much worse than Autorun exploits, because those could be easily thwarted by disabling the Autorun feature on machines--a step many network administrators take as a matter of course because of Autorun’s known security risk. But there is no way to easily disable the .LNK function without causing other problems for users.
Ulasen searched a registry of exploits for any others that had used .LNK files in the past, but came up with nothing. That was when he suspected he was looking at a zero-day.
He took a USB flash drive infected with the malicious files and plugged it into a test machine running Windows 7, the newest version of the Microsoft operating system. The machine was fully patched with all the latest security updates. If the .LNK exploit was already known to Microsoft, patches on the system would prevent it from dropping the malicious files onto the machine. But if the .LNK exploit was a zero-day, nothing would stop it. He waited a few minutes to examine the computer and, sure enough, the malicious files were there.
He couldn’t believe it. VirusBlokAda, a tiny security firm that few in the world had ever heard of, had just discovered that rarest of trophies for a virus hunter. But this wasn’t just any zero-day exploit; it was one that worked against every version of the Windows operating system released since Windows 2000: the attackers had bundled four versions of their exploit together--in four different .LNK files--to make sure their attack worked against every version of Windows it was likely to encounter.9
Ulasen tried to wrap his head around the number of machines that were at risk of infection from this. But then something equally troubling struck him. The malicious driver module, and another driver module that got dropped onto targeted machines as part of the malicious cargo, had installed themselves seamlessly on their test machine, without any warning notice popping up on-screen to indicate they were doing so. Windows 7 had a security feature that was supposed to tell users if an unsigned driver, or one signed with an untrusted certificate, was trying to install itself on their machine. But these two drivers had loaded with no problem. That was because, Ulasen realized with alarm, they were signed with what appeared to be a legitimate digital certificate from a company called RealTek Semiconductor.10
Digital certificates are trusted security documents, like digital passports, that software makers use to sign their programs to authenticate them as legitimate products of their company. Microsoft digitally signs its programs and software updates, as do antivirus firms. Computers assume that a file signed with a legitimate digital certificate is trustworthy. But if attackers steal a Microsoft certificate and the private cryptographic “key” that Microsoft uses with the certificate to sign its files, they can fool a computer into thinking their malicious code is Microsoft code.
Attackers had used digital certificates to sign malicious files before. But they had used fake, self-signed certificates masquerading as legitimate ones, or had obtained real certificates through fraudulent means, such as creating a shell company to trick a certificate authority into issuing them a certificate under the shell company’s name.11 In both scenarios, attackers ran the risk that machines would view their certificate as suspicious and reject their file. In this case, the attackers had used a valid certificate from RealTek--a trusted hardware maker in Taiwan--to fool computers into thinking the drivers were legitimate RealTek drivers.
It was a tactic Ulasen had never seen before and it raised a lot of questions about how the attackers had pulled it off. One possibility was that they had hijacked the computer of a RealTek software developer and used his machine and credentials to get their code secretly signed.12
But it was also possible the attackers had simply stolen the signing key and certificate, or cert. For security reasons, smart companies store their certs and keys on offline servers or in hardware security modules that offered extra protection. But not everyone did this, and there were possible clues to suggest that RealTek’s cert had indeed been nabbed. A timestamp on the certificates showed that both of the drivers had been signed on January 25, 2010. Although one of the drivers had been compiled a year earlier on January 1, 2009, the other one was compiled just six minutes before it was signed. The rapid signing suggested the attackers might have had the RealTek key and cert in their possession. There was something notable about the compilation date of this driver, however. When hackers ran their source code through a compiler to translate it into the binary code that a machine could read, the compiler often placed a timestamp in the binary file. Though attackers could manipulate the timestamp to throw researchers off, this one appeared to be legitimate. It indicated that the driver had been compiled on July 14, two days after VirusBlokAda had gone public with news of Stuxnet.
The implications were disturbing. The use of a legitimate digital certificate to authenticate malicious files undermined the trustworthiness of the computer world’s signing architecture and called into question the legitimacy of any file signed with digital certificates thereafter. It was only a matter of time before other attackers copied the tactic and began stealing certificates as well.13 Ulasen needed to get the word out.
Responsible disclosure dictated that researchers who find vulnerabilities in software notify the relevant vendors before going public with the news to give the vendors time to patch the holes, so Ulasen dashed off e‑mails to both RealTek and Microsoft, notifying them of what his team had found.
But after two weeks passed with no response from either company, Ulasen and Kupreev decided they couldn’t keep quiet.14 The rest of the security community needed to know about the .LNK exploit. They had already added signatures to VirusBlokAda’s antivirus engine to detect the malicious files and were seeing infections pop up on machines all over the Middle East and beyond. The worm/virus was on the run and spreading quickly. They had to go public with the news.15
1 Ulasen and his team encountered the malware the week of June 24, 2010.
2 Ulasen has never disclosed the name of the reseller, but a link on VirusBlokAda’s website for its distributor in Iran points to vba32-ir.com, a site owned by the Deep Golden Recovery Corporation, a data-recovery firm in Iran.
3 Information about VirusBlokAda’s encounter with the malware comes from interviews with Sergey Ulasen and Oleg Kupreev, as well as from an account published by Kaspersky Lab in 2011, after the Russian antivirus firm hired Ulasen away from VirusBlokAda. That interview, “The Man Who Found Stuxnet--Sergey Ulasen in the Spotlight,” was published November 2, 2011, at eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight.
4 A module is a stand-alone component. It is often interchangeable and can be used with various programs.
5 Drivers are software programs that are used as interfaces between a device and a computer to make the device work with the machine. For example, a driver is required to allow a computer to communicate with a printer or digital camera that is connected to it--different drivers are available for different operating systems so that the same device will work with any computer. In this case the drivers were actually rootkits designed to install and conceal malicious files on the machine.
6 The reboot problem didn’t occur on other machines later found to be infected by the malware. So some researchers suspect the problem may have been an incompatibility between one of the malware’s drivers and VirusBlokAda’s antivirus software. The malware used the driver to install itself, and researchers at Kaspersky Lab in Russia suspected that when the driver injected the malware’s main file into the memory of the machines in Iran, this caused some machines to crash. Researchers at Kaspersky Lab later tried to reproduce the problem but got inconsistent results--sometimes a machine crashed, sometimes it didn’t. The irony is that the attackers had put a lot of effort into testing their malware against antivirus scanners from Kaspersky, Symantec, McAfee, and others, precisely to make sure their code wouldn’t be detected by the scanners or crash machines. But they apparently hadn’t tested it against VirusBlokAda’s scanning software. So if VBA’s scanner was the problem, it meant this tiny Belarusian firm had been their undoing in more ways than one.
7 Autorun is a convenience feature in Windows that allows programs on a USB flash drive, CD-ROM, or DVD, to automatically launch when the devices are inserted into a computer. It’s a known security risk, however, because any malicious program on the device will automatically launch as well.
8 If Autorun is disabled for security reasons, the malicious code on the flash drive that exploits this feature will not be able to launch automatically but will only launch if users specifically click on the file to open it.
9 The exploit worked against seven versions of Windows: Windows 2000, WinXP, Windows 2003, Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
10 With Windows Vista and Windows 7, a driver that isn’t signed with a trusted digital certificate that Microsoft recognizes will have trouble installing on the machine. On 32-bit Windows machines that have Vista or Windows 7 installed, a warning will display, telling the user the file is not signed or is not signed with a trusted certificate, forcing the user to make a decision about whether to let it install. On 64-bit Windows machines using either operating system, a file not signed with a trusted certificate simply won’t install at all. The malware VirusBlokAda found only worked on 32-bit Windows machines.
11 Certificate authorities dole out the signing certificates that companies use to sign their code and websites. The CAs are supposed to verify that an entity requesting a certificate has the authority to do so--to prevent someone other than Microsoft from obtaining a code-signing certificate in Microsoft’s name, for example--and to ensure that if someone applies for a signing certificate for a company they claim is theirs, it’s a real company producing real code. Some certificate authorities don’t do due diligence, however, and certificates are sometimes issued to malicious actors. There are also companies that, for a fee, will use their key and certificate to sign code for others. Hackers have used these companies in the past to sign their malware.
12 In September 2012, this is exactly what happened to Adobe. The software giant, which distributes the popular Adobe Reader and Flash Player programs, announced that attackers had breached its code-signing server to sign two malicious files with an Adobe certificate. Adobe stored its private signing keys in a device called a hardware security module, which should have prevented the attackers from accessing the keys to sign their malicious files. But they compromised a build server--a server used for developing software--which had the ability to interact with the code-signing system and get it to sign their files.
13 Ironically, on July 12, 2010, the day Ulasen went public with news about the malware, a researcher with the Finnish security firm F-Secure published a conference presentation about digital certificates, stating that, as of then, malware using stolen certificates had yet to be discovered. He noted, however, that this would inevitably happen now that new versions of Windows treated unsigned drivers with suspicion, pushing hackers to steal legitimate certificates to sign their malware. (See Jarno Niemela, “It’s Signed, Therefore It’s Clean, Right?” presented at the CARO conference in Helsinki, Finland; available at f‑secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf.) Indeed, not long after VirusBlokAda’s discovery of the RealTek certificate, other hackers were already attempting to use the same tactic. In September 2010, antivirus firms discovered Infostealer.Nimkey, a Trojan horse specifically designed to steal private key certificates from computers. This was followed over the next two years by a number of malicious programs signed with certificates apparently stolen from various trusted companies.
14 Ulasen contacted Microsoft through a general e‑mail address used for its security team. But Microsoft’s security response team receives more than 100,000 e‑mails a year, so it was understandable that an e‑mail sent to its general mailbox from an obscure antivirus firm in Belarus got lost in the queue.
15 The malware, researchers would later discover, was a combination of a worm and virus. The worm portion allowed it to spread autonomously without user action, but once it was on a system, other components infected files, like a virus would, and required user action to spread.
EARLY WARNING
Sergey Ulasen is not the sort of person you’d expect to find at the center of an international incident. The thirty-one-year-old Belarusian has close-cropped blond hair, a lean boyish frame, and the open face and affable demeanor of someone who goes through life attracting few enemies and even fewer controversies. One of his favorite pastimes is spending the weekend at his grandmother’s country house outside Minsk, where he decompresses from weekday stresses, far from the reach of cell phones and the internet. But in June 2010, Ulasen encountered something unusual that soon propelled him into the international spotlight and into a world of new stress.1
It was a warm Thursday afternoon, and Ulasen, who headed the antivirus division of a small computer security firm in Belarus called Virus–BlokAda, was seated with his colleague Oleg Kupreev in their lab in downtown Minsk inside a drab, Soviet-era building about a block from the Svisloch River. They were sifting methodically through suspicious computer files they had recently found on a machine in Iran when something striking leapt out at Kupreev. He sat back in his chair and called Ulasen over to take a look. Ulasen scrolled through the code once, then again, to make sure he was seeing what he thought he saw. A tiny gasp escaped his throat. The code they had been inspecting the past few days, something they had until now considered a mildly interesting but nonetheless run-of-the-mill virus, had just revealed itself to be a work of quiet and diabolical genius.
Not only was it using a skillful rootkit to cloak itself and make it invisible to antivirus engines, it was using a shrewd zero-day exploit to propagate from machine to machine--an exploit that attacked a function so fundamental to the Windows operating system, it put millions of computers at risk of infection.
Exploits are attack code that hackers use to install viruses and other malicious tools onto machines. They take advantage of security vulnerabilities in browser software like Internet Explorer or applications like Adobe PDF Reader to slip a virus or Trojan horse onto a system, like a burglar using a crowbar to pry open a window and break into a house. If a victim visits a malicious website where the exploit lurks or clicks on a malicious e‑mail attachment containing an exploit, the exploit uses the security hole in the software to drop a malicious file onto their system. When software makers learn about such holes in their products, they generally produce “patches” to close them up and seal the intruders out, while antivirus firms like Ulasen’s add signatures to their scanners to detect any exploits that try to attack the vulnerabilities.
Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors--which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.
But zero-day exploits are rarely found in the wild. It takes time and skill for hackers to discover new holes and write workable exploits to attack them, so the vast majority of hackers simply rely on old vulnerabilities and exploits to spread their malware, counting on the fact that most computer users don’t often patch their machines or have up-to-date antivirus software installed, and that it can take vendors weeks or months to produce a patch for a known hole. Although more than 12 million viruses and other malicious files are captured each year, only about a dozen or so zero-days are found among them. Yet here the attackers were using an extremely valuable zero-day exploit, and a skillful rootkit, for a virus that, as far as Ulasen and Kupreev could tell, had only been found on machines in Iran so far. Something didn’t add up.
THE MYSTERY FILES had come to their attention a week earlier when a reseller of VirusBlokAda’s security software in Iran reported a persistent problem with a customer’s machine in that country. The computer was caught in a reboot loop, crashing and rebooting repeatedly while defying the efforts of technicians to control it.2 VirusBlokAda’s tech-support team had scanned the system remotely from Minsk to look for any malware their antivirus software might have missed, but came up with nothing. That’s when they called in Ulasen.
Ulasen had been hired by the antivirus firm while still in college. He was hired to be a programmer, but the staff at VirusBlokAda was so small, and Ulasen’s skills so keen, that within three years, at the age of twenty-six, he found himself leading the team that developed and maintained its antivirus engine. He also occasionally worked with the research team that deconstructed malicious threats. This was his favorite part of the job, though it was something he rarely got to do. So when the tech-support team asked him to weigh in on their mystery from Iran, he was happy to help.3
Ulasen assumed the problem must be a misconfiguration of software or an incompatibility between an application installed on the machine and the operating system. But then he learned it wasn’t just one machine in Iran that was crashing but multiple machines, including ones that administrators had wiped clean and rebuilt with a fresh installation of the operating system. So he suspected the culprit might be a worm lurking on the victim’s network, reinfecting scrubbed machines each time they were cleaned. He also suspected a rootkit was hiding the intruder from their antivirus engine. Ulasen had written anti-rootkit tools for his company in the past, so he was confident he’d be able to hunt this one down if it was there.
After getting permission to connect to one of the machines in Iran and remotely examine it, Ulasen and Kupreev zeroed in on six suspicious files--two modules and four other files--they thought were the source of the problem.4 Then with help from several colleagues in their lab, they spent the next several days picking at the files in fits and starts, hurling curses at times as they struggled to decipher what turned out to be surprisingly sophisticated code. As employees of a small firm that mostly developed antivirus products for government customers, they weren’t accustomed to taking on such complex challenges: they spent most of their days providing routine tech support to customers, not analyzing malicious threats. But they pressed forward nonetheless and eventually determined that one of the modules, a driver, was actually a “kernel-level” rootkit, as Ulasen had suspected.5
Rootkits come in several varieties, but the most difficult to detect are kernel-level rootkits, which burrow deep into the core of a machine to set up shop at the same privileged level where antivirus scanners work. If you think of a computer’s structure like the concentric circles of an archer’s target, the kernel is the bull’s eye, the part of the operating system that makes everything work. Most hackers write rootkits that operate at a machine’s outer layers--the user level, where applications run--because this is easier to do. But virus scanners can detect these--so a truly skilled hacker places his rootkit at the kernel level of the machine, where it can subvert the scanner. There, it serves as a kind of wingman for malicious files, running interference against scanners so the malware can do its dirty work unhindered and undetected. Kernel-level rootkits aren’t uncommon, but it takes sophisticated knowledge and a deft touch to build one that works well. And this one worked very well.6
Kupreev determined that the rootkit was designed to hide four malicious .LNK files--the four other suspicious files they’d found on the system in Iran. The malware appeared to be using an exploit composed of these malicious files to spread itself via infected USB flash drives, and the rootkit prevented the .LNK files from being seen on the flash drive. That’s when Kupreev called Ulasen over to have a look.
Exploits that spread malware via USB flash drives aren’t as common as those that spread them over the internet through websites and e‑mail attachments, but they aren’t unheard of, either. All of the USB exploits the two researchers had seen before, however, used the Autorun feature of the Windows operating system, which allowed malicious programs on a USB flash drive to execute as soon as the drive was inserted in a machine. But this exploit was more clever.7
Windows .LNK files are responsible for rendering the icons for the contents of a USB flash drive or other portable media device when it’s plugged into a PC. Insert a USB flash drive into a PC, and Windows Explorer or a similar tool automatically scans it for .LNK files to display the icon for a music file, Word document, or program stored on the flash drive.8 But in this case, the attackers embedded an exploit in a specially crafted .LNK file so that as soon as Windows Explorer scanned the file, it triggered the exploit to spring into action to surreptitiously deposit the USB’s malicious cargo onto the machine, like a military transport plane dropping camouflaged paratroopers onto enemy territory.
The .LNK exploit attacked such a fundamental feature of the Windows system that Ulasen wondered why no one had thought of it before. It was much worse than Autorun exploits, because those could be easily thwarted by disabling the Autorun feature on machines--a step many network administrators take as a matter of course because of Autorun’s known security risk. But there is no way to easily disable the .LNK function without causing other problems for users.
Ulasen searched a registry of exploits for any others that had used .LNK files in the past, but came up with nothing. That was when he suspected he was looking at a zero-day.
He took a USB flash drive infected with the malicious files and plugged it into a test machine running Windows 7, the newest version of the Microsoft operating system. The machine was fully patched with all the latest security updates. If the .LNK exploit was already known to Microsoft, patches on the system would prevent it from dropping the malicious files onto the machine. But if the .LNK exploit was a zero-day, nothing would stop it. He waited a few minutes to examine the computer and, sure enough, the malicious files were there.
He couldn’t believe it. VirusBlokAda, a tiny security firm that few in the world had ever heard of, had just discovered that rarest of trophies for a virus hunter. But this wasn’t just any zero-day exploit; it was one that worked against every version of the Windows operating system released since Windows 2000: the attackers had bundled four versions of their exploit together--in four different .LNK files--to make sure their attack worked against every version of Windows it was likely to encounter.9
Ulasen tried to wrap his head around the number of machines that were at risk of infection from this. But then something equally troubling struck him. The malicious driver module, and another driver module that got dropped onto targeted machines as part of the malicious cargo, had installed themselves seamlessly on their test machine, without any warning notice popping up on-screen to indicate they were doing so. Windows 7 had a security feature that was supposed to tell users if an unsigned driver, or one signed with an untrusted certificate, was trying to install itself on their machine. But these two drivers had loaded with no problem. That was because, Ulasen realized with alarm, they were signed with what appeared to be a legitimate digital certificate from a company called RealTek Semiconductor.10
Digital certificates are trusted security documents, like digital passports, that software makers use to sign their programs to authenticate them as legitimate products of their company. Microsoft digitally signs its programs and software updates, as do antivirus firms. Computers assume that a file signed with a legitimate digital certificate is trustworthy. But if attackers steal a Microsoft certificate and the private cryptographic “key” that Microsoft uses with the certificate to sign its files, they can fool a computer into thinking their malicious code is Microsoft code.
Attackers had used digital certificates to sign malicious files before. But they had used fake, self-signed certificates masquerading as legitimate ones, or had obtained real certificates through fraudulent means, such as creating a shell company to trick a certificate authority into issuing them a certificate under the shell company’s name.11 In both scenarios, attackers ran the risk that machines would view their certificate as suspicious and reject their file. In this case, the attackers had used a valid certificate from RealTek--a trusted hardware maker in Taiwan--to fool computers into thinking the drivers were legitimate RealTek drivers.
It was a tactic Ulasen had never seen before and it raised a lot of questions about how the attackers had pulled it off. One possibility was that they had hijacked the computer of a RealTek software developer and used his machine and credentials to get their code secretly signed.12
But it was also possible the attackers had simply stolen the signing key and certificate, or cert. For security reasons, smart companies store their certs and keys on offline servers or in hardware security modules that offered extra protection. But not everyone did this, and there were possible clues to suggest that RealTek’s cert had indeed been nabbed. A timestamp on the certificates showed that both of the drivers had been signed on January 25, 2010. Although one of the drivers had been compiled a year earlier on January 1, 2009, the other one was compiled just six minutes before it was signed. The rapid signing suggested the attackers might have had the RealTek key and cert in their possession. There was something notable about the compilation date of this driver, however. When hackers ran their source code through a compiler to translate it into the binary code that a machine could read, the compiler often placed a timestamp in the binary file. Though attackers could manipulate the timestamp to throw researchers off, this one appeared to be legitimate. It indicated that the driver had been compiled on July 14, two days after VirusBlokAda had gone public with news of Stuxnet.
The implications were disturbing. The use of a legitimate digital certificate to authenticate malicious files undermined the trustworthiness of the computer world’s signing architecture and called into question the legitimacy of any file signed with digital certificates thereafter. It was only a matter of time before other attackers copied the tactic and began stealing certificates as well.13 Ulasen needed to get the word out.
Responsible disclosure dictated that researchers who find vulnerabilities in software notify the relevant vendors before going public with the news to give the vendors time to patch the holes, so Ulasen dashed off e‑mails to both RealTek and Microsoft, notifying them of what his team had found.
But after two weeks passed with no response from either company, Ulasen and Kupreev decided they couldn’t keep quiet.14 The rest of the security community needed to know about the .LNK exploit. They had already added signatures to VirusBlokAda’s antivirus engine to detect the malicious files and were seeing infections pop up on machines all over the Middle East and beyond. The worm/virus was on the run and spreading quickly. They had to go public with the news.15
1 Ulasen and his team encountered the malware the week of June 24, 2010.
2 Ulasen has never disclosed the name of the reseller, but a link on VirusBlokAda’s website for its distributor in Iran points to vba32-ir.com, a site owned by the Deep Golden Recovery Corporation, a data-recovery firm in Iran.
3 Information about VirusBlokAda’s encounter with the malware comes from interviews with Sergey Ulasen and Oleg Kupreev, as well as from an account published by Kaspersky Lab in 2011, after the Russian antivirus firm hired Ulasen away from VirusBlokAda. That interview, “The Man Who Found Stuxnet--Sergey Ulasen in the Spotlight,” was published November 2, 2011, at eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight.
4 A module is a stand-alone component. It is often interchangeable and can be used with various programs.
5 Drivers are software programs that are used as interfaces between a device and a computer to make the device work with the machine. For example, a driver is required to allow a computer to communicate with a printer or digital camera that is connected to it--different drivers are available for different operating systems so that the same device will work with any computer. In this case the drivers were actually rootkits designed to install and conceal malicious files on the machine.
6 The reboot problem didn’t occur on other machines later found to be infected by the malware. So some researchers suspect the problem may have been an incompatibility between one of the malware’s drivers and VirusBlokAda’s antivirus software. The malware used the driver to install itself, and researchers at Kaspersky Lab in Russia suspected that when the driver injected the malware’s main file into the memory of the machines in Iran, this caused some machines to crash. Researchers at Kaspersky Lab later tried to reproduce the problem but got inconsistent results--sometimes a machine crashed, sometimes it didn’t. The irony is that the attackers had put a lot of effort into testing their malware against antivirus scanners from Kaspersky, Symantec, McAfee, and others, precisely to make sure their code wouldn’t be detected by the scanners or crash machines. But they apparently hadn’t tested it against VirusBlokAda’s scanning software. So if VBA’s scanner was the problem, it meant this tiny Belarusian firm had been their undoing in more ways than one.
7 Autorun is a convenience feature in Windows that allows programs on a USB flash drive, CD-ROM, or DVD, to automatically launch when the devices are inserted into a computer. It’s a known security risk, however, because any malicious program on the device will automatically launch as well.
8 If Autorun is disabled for security reasons, the malicious code on the flash drive that exploits this feature will not be able to launch automatically but will only launch if users specifically click on the file to open it.
9 The exploit worked against seven versions of Windows: Windows 2000, WinXP, Windows 2003, Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
10 With Windows Vista and Windows 7, a driver that isn’t signed with a trusted digital certificate that Microsoft recognizes will have trouble installing on the machine. On 32-bit Windows machines that have Vista or Windows 7 installed, a warning will display, telling the user the file is not signed or is not signed with a trusted certificate, forcing the user to make a decision about whether to let it install. On 64-bit Windows machines using either operating system, a file not signed with a trusted certificate simply won’t install at all. The malware VirusBlokAda found only worked on 32-bit Windows machines.
11 Certificate authorities dole out the signing certificates that companies use to sign their code and websites. The CAs are supposed to verify that an entity requesting a certificate has the authority to do so--to prevent someone other than Microsoft from obtaining a code-signing certificate in Microsoft’s name, for example--and to ensure that if someone applies for a signing certificate for a company they claim is theirs, it’s a real company producing real code. Some certificate authorities don’t do due diligence, however, and certificates are sometimes issued to malicious actors. There are also companies that, for a fee, will use their key and certificate to sign code for others. Hackers have used these companies in the past to sign their malware.
12 In September 2012, this is exactly what happened to Adobe. The software giant, which distributes the popular Adobe Reader and Flash Player programs, announced that attackers had breached its code-signing server to sign two malicious files with an Adobe certificate. Adobe stored its private signing keys in a device called a hardware security module, which should have prevented the attackers from accessing the keys to sign their malicious files. But they compromised a build server--a server used for developing software--which had the ability to interact with the code-signing system and get it to sign their files.
13 Ironically, on July 12, 2010, the day Ulasen went public with news about the malware, a researcher with the Finnish security firm F-Secure published a conference presentation about digital certificates, stating that, as of then, malware using stolen certificates had yet to be discovered. He noted, however, that this would inevitably happen now that new versions of Windows treated unsigned drivers with suspicion, pushing hackers to steal legitimate certificates to sign their malware. (See Jarno Niemela, “It’s Signed, Therefore It’s Clean, Right?” presented at the CARO conference in Helsinki, Finland; available at f‑secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf.) Indeed, not long after VirusBlokAda’s discovery of the RealTek certificate, other hackers were already attempting to use the same tactic. In September 2010, antivirus firms discovered Infostealer.Nimkey, a Trojan horse specifically designed to steal private key certificates from computers. This was followed over the next two years by a number of malicious programs signed with certificates apparently stolen from various trusted companies.
14 Ulasen contacted Microsoft through a general e‑mail address used for its security team. But Microsoft’s security response team receives more than 100,000 e‑mails a year, so it was understandable that an e‑mail sent to its general mailbox from an obscure antivirus firm in Belarus got lost in the queue.
15 The malware, researchers would later discover, was a combination of a worm and virus. The worm portion allowed it to spread autonomously without user action, but once it was on a system, other components infected files, like a virus would, and required user action to spread.
Product details
- Publisher : Crown; First Edition (November 11, 2014)
- Language : English
- Hardcover : 448 pages
- ISBN-10 : 077043617X
- ISBN-13 : 978-0770436179
- Item Weight : 1.53 pounds
- Dimensions : 6.4 x 1.42 x 9.61 inches
-
Best Sellers Rank:
#270,226 in Books (See Top 100 in Books)
- #86 in Computer Viruses
- #107 in Computing Industry History
- #213 in Nuclear Weapons & Warfare History (Books)
- Customer Reviews:
Customer reviews
4.7 out of 5 stars
4.7 out of 5
771 global ratings
How are ratings calculated?
To calculate the overall star rating and percentage breakdown by star, we don’t use a simple average. Instead, our system considers things like how recent a review is and if the reviewer bought the item on Amazon. It also analyzes reviews to verify trustworthiness.
Top reviews
Top reviews from the United States
There was a problem filtering reviews right now. Please try again later.
Reviewed in the United States on June 18, 2020
Verified Purchase
Great, great detail on Stuxnet...3/4ths the book is centered around that, but it also covers Flame, DQ, and other related cyberwar malware. Great, great, coverage. Awesome writing. A few small technical details were wrong in some areas...the author isn't a cybersecurity expert...but she gets 99% of the details right and tells a great, compelling story. Perhaps my only bigger criticism is there is way too much use of long footnotes. She often includes paragraphs of footnotes on a page...and anything you're writing paragraphs you usually should include that information in the regular text. She has extensive, extensive footnoting...it's distracting...hard to read the tiny font, and really, again, just stuff that should have gone into the regular text. But the author is so, so, awesome at everything else that I would give her six starts if I could. Just a terrifically well down, well researched book. I'm glad I read it. I learned a lot...and I've been in the cybersecurity world for 33 years and I thought I knew a lot about Stuxnet and cyberwarfare. I stand corrected. I only knew a little.
9 people found this helpful
Report abuse
Reviewed in the United States on November 15, 2014
Verified Purchase
I know quite a few of the researchers that were involved in reverse engineering Stuxnet and Flame - so I was able to watch the story unfold with a behind the scenes view - what's presented in here is a very accurate, and insightful view of one of the most important security discoveries in recent years.
Stuxnet, et. al. presented the security industry with a huge problem - and the implications are still being sorted out to this day. Government use of malware, and how the industry should handle it when discovered are topics that are still being debated on a daily basis. Kim does a great job on explaining the issues, and giving readers plenty to think about.
From a technical perspective, the book goes into enough detail so that those of us familiar with the topic know exactly what is being discussed and it's implications, while not going overboard and overloading non-technical users with incomprehensible details. The book has a good narrative style, while covering technical detail and including details on the sources for information. Throughout the book are footnotes that list source information, additional notes that explain context, or provide additional details that don't fit in the narrative telling - I strongly suggest that you read the footnotes, as they offer very useful information.
All in all, I strongly recommend the book, well worth it.
Stuxnet, et. al. presented the security industry with a huge problem - and the implications are still being sorted out to this day. Government use of malware, and how the industry should handle it when discovered are topics that are still being debated on a daily basis. Kim does a great job on explaining the issues, and giving readers plenty to think about.
From a technical perspective, the book goes into enough detail so that those of us familiar with the topic know exactly what is being discussed and it's implications, while not going overboard and overloading non-technical users with incomprehensible details. The book has a good narrative style, while covering technical detail and including details on the sources for information. Throughout the book are footnotes that list source information, additional notes that explain context, or provide additional details that don't fit in the narrative telling - I strongly suggest that you read the footnotes, as they offer very useful information.
All in all, I strongly recommend the book, well worth it.
61 people found this helpful
Report abuse
Reviewed in the United States on April 19, 2018
Verified Purchase
This book is superbly researched and is written clearly and interestingly. It is quite outstanding in these two respects. To follow it, you will need to know a little bit about how computers and the internet work, but you don't need to know the technical parts. You do need to be a person who can cope with the technical terms and processes that are presented and described as you read along. Given that most readers will know how the story turned out, the author does a great job of maintaining the suspense of how the investigators (and the creators) did their work.
Toward the end I found it a little less interesting, but that was o.k. I had learned so much more than I set out to learn.
The Kindle version is very well implemented. You can check a footnote or a definition and go back to the text.
I am going to repeat myself and say that this book is a model of both research and of technical writing.
Toward the end I found it a little less interesting, but that was o.k. I had learned so much more than I set out to learn.
The Kindle version is very well implemented. You can check a footnote or a definition and go back to the text.
I am going to repeat myself and say that this book is a model of both research and of technical writing.
13 people found this helpful
Report abuse
Reviewed in the United States on February 15, 2021
Verified Purchase
The book was entertaining and well researched.
One thing I didn't care for was the oft repeated claim that "Stuxnet opened Pandora's Box".
No. It really didn't. This borderlines on American Exceptionalism. Nobody needed nor wanted our approval to start engaging in cyberwarfare. The Russians, Chinese, and others were already doing it without us. Never assume that everyone else needs or even cares for your approval to move on to the next evolution without you.
This is like blaming the bomb dropped on Hiroshima for why Hitler also wanted an atomic bomb... no... he just wanted a huge boomstick. The fact that the Americans wanted one too didn't make it special, and you are even getting details out of chronological order to make such a claim. A far more accurate analogy for StuxNet than the bomb dropped on Hiroshima would be to say it was the first time someone slapped a 10-digit grid coordinate capable precision GPS guidance system on a bomb instead of carpet bombing the city.
Nobody is special. We can all haz computerz now.
One thing I didn't care for was the oft repeated claim that "Stuxnet opened Pandora's Box".
No. It really didn't. This borderlines on American Exceptionalism. Nobody needed nor wanted our approval to start engaging in cyberwarfare. The Russians, Chinese, and others were already doing it without us. Never assume that everyone else needs or even cares for your approval to move on to the next evolution without you.
This is like blaming the bomb dropped on Hiroshima for why Hitler also wanted an atomic bomb... no... he just wanted a huge boomstick. The fact that the Americans wanted one too didn't make it special, and you are even getting details out of chronological order to make such a claim. A far more accurate analogy for StuxNet than the bomb dropped on Hiroshima would be to say it was the first time someone slapped a 10-digit grid coordinate capable precision GPS guidance system on a bomb instead of carpet bombing the city.
Nobody is special. We can all haz computerz now.
4 people found this helpful
Report abuse
Reviewed in the United States on June 12, 2017
Verified Purchase
This book is an examination of Stuxnet and related tools such as Duqu and Flame. In that capacity it is detailed and exhaustive--perhaps to a fault. On the whole, however, the story is fascinating and Kim Zetter does a great job telling it.
But more than just Stuxnet, the book examines the intersection of infrastructure and malware, and the growing military-cyber complex. This area of focus leads to perhaps the most interesting sections of the book. The chapter on vulnerabilities in US infrastructure is a real eye-opener.
Either one of these topics would make the book a must-read for those interested or involved in security and cyber warfare. Having both of them together, marshaled by an excellent author, is a real treat.
But more than just Stuxnet, the book examines the intersection of infrastructure and malware, and the growing military-cyber complex. This area of focus leads to perhaps the most interesting sections of the book. The chapter on vulnerabilities in US infrastructure is a real eye-opener.
Either one of these topics would make the book a must-read for those interested or involved in security and cyber warfare. Having both of them together, marshaled by an excellent author, is a real treat.
15 people found this helpful
Report abuse
Reviewed in the United States on March 27, 2019
Verified Purchase
if . . . you are a computer engineer or true hacker! Otherwise, be prepared to throw in the towel about 2/3's of the way in.
I'm no computer engineer, but I'm a pretty smart guy with an IQ of 137 and I can follow some pretty technical stuff, but I was glazed over by all the jargon that only has meaning to specialists in the fields.
Fortunately, my curiosity about the plot kept me going for as long as it did. But, too many pages read with too little motion in the storyline per pages. Gets bogged down in computerese.
I think if the book cut the jargon by half, and filled that space with more narrative around the plot and players, this would be an easy 5-star book.
So, I'm serious, this is a really good book for someone with the technical expertise to "enjoy" the detailed jargon. But for the average, intelligent reader, . . . you'll lose interest.
I'm no computer engineer, but I'm a pretty smart guy with an IQ of 137 and I can follow some pretty technical stuff, but I was glazed over by all the jargon that only has meaning to specialists in the fields.
Fortunately, my curiosity about the plot kept me going for as long as it did. But, too many pages read with too little motion in the storyline per pages. Gets bogged down in computerese.
I think if the book cut the jargon by half, and filled that space with more narrative around the plot and players, this would be an easy 5-star book.
So, I'm serious, this is a really good book for someone with the technical expertise to "enjoy" the detailed jargon. But for the average, intelligent reader, . . . you'll lose interest.
8 people found this helpful
Report abuse
Top reviews from other countries
commentator
4.0 out of 5 stars
Cyberwar - well-written, well-researched, well-reasoned
Reviewed in the United Kingdom on December 2, 2015Verified Purchase
This book tells the story – or at least part of the story – of Stuxnet, the malware that was employed allegedly by the US and Israeli intelligence services to disrupt Iran’s nuclear enrichment programme in the late 2000s. Some have described it as the first case of cyberwar, but actually, it was more the first spectacular case of international state-on-state cybersabotage, and part of a wider campaign against the Iranian programme that also included the targeted assassination of Iranian physicists and the imposition of sanctions. In the end, Stuxnet was only one piece in the jigsaw puzzle that led to the June 2015 diplomatic accord temporarily closing the road to an Iranian nuclear bomb.
Kim Zetter does a superb job in telling how Stuxnet was detected, analysed, dismantled and neutralised. An accomplished journalist for WIRED, the technology newspaper cum blog, she clearly excels at unfolding this intriguing and captivating narrative. The book is well researched, and Zetter is at her best when she is explaining complex technicalities such as ripping apart and reverse-engineering a malware code. The true heroes of her book are the analysts and researchers of Symantec, Kaspersky and other security research firms. These sections of the book are highly readable; and she writes with a lay, and not an expert audience in mind – which adds to the readability. Woven into this first part of the book is an excellent chapter on how the zero-day market came about in the first place. Zetter also does a good job when highlighting how these valiant private sector cyberwarriors had to strike a balance between protecting their clients – i.e., neutralising Stuxnet – and avoiding the cross-fire of a state-on-state confrontation.
Zetter’s story is so sound and authentic as she can draw extensively on interviews she held with the heroes of her book. The story becomes much thinner when it comes to the “other side”, i.e., the manufacturers and distributors of the malware – or, for that, its targets, i.,e, the computer and machinery operators in Iran. There, she entirely relies on public sources and on what others have already written about the topic. She does that diligently and exhaustively, after proper research, as it befits a good journalist. And given the fact that this deals with the murky world of intelligence where interviews are not lightly given, she probably had no alternatives. Yet, as a consequence, these parts of book lack the authenticity that has the part outlining the story of Stuxnet proper. She closes the book with a highly readable chapter on assessing the success of the malware. She concludes that Stuxnet was a qualified success in the sense that it contributed to slowing down the Iranian enrichment programme, which bought diplomats time to negotiate. Yet, it remains unclear whether this was actually the goal of Stuxnet, or whether it did not have a further purpose, such as forcing the total shutdown of the Iranian enrichment programme. Given her limited access to government sources, Zetter cannot answer this question. She also concludes that this ‘qualified success’ of slowing down Iran’s programme came at the price of exposing the US as a reckless promoter of cyberwar, thus undermining her own credibility on the international stage on the one hand and –more importantly – undermining the trust of users in the safety and security of the internet on the other hand. Maybe this is a bridge too far, as most people outside the US would already have a view of the US being rather double-minded when it comes to the internet and the utility of cyberwar, but regardless to the depth of international cynicism, she clearly has a point here.
The book has a few weaknesses. First, it is too long. On many instances, the narrative could be shorter and crisper. Sometimes, one gets a bit the feeling she wanted to make as much use of her interview material as possible. Secondly, and this may be related to the first point, the structure of the book is somewhat repetitive. A great part of chapters in the first part follows the same pattern: introducing a technie nerd, describing him (they are always “hims”) and his physical appearance and dress a bit, adding a few sprinkles about his private life (mostly on girl friends), and then delve into that part of the technical dissection of Stuxnet which this chapter is about– and this deep dive is then deep indeed. This makes the reading attractive at the beginning, as it gives a very low entry barrier to the average reader, but it becomes somewhat tiring further down the road. These are weaknesses you can easily live with as a reader. A worthwhile, highly recommendable read in any case.
Kim Zetter does a superb job in telling how Stuxnet was detected, analysed, dismantled and neutralised. An accomplished journalist for WIRED, the technology newspaper cum blog, she clearly excels at unfolding this intriguing and captivating narrative. The book is well researched, and Zetter is at her best when she is explaining complex technicalities such as ripping apart and reverse-engineering a malware code. The true heroes of her book are the analysts and researchers of Symantec, Kaspersky and other security research firms. These sections of the book are highly readable; and she writes with a lay, and not an expert audience in mind – which adds to the readability. Woven into this first part of the book is an excellent chapter on how the zero-day market came about in the first place. Zetter also does a good job when highlighting how these valiant private sector cyberwarriors had to strike a balance between protecting their clients – i.e., neutralising Stuxnet – and avoiding the cross-fire of a state-on-state confrontation.
Zetter’s story is so sound and authentic as she can draw extensively on interviews she held with the heroes of her book. The story becomes much thinner when it comes to the “other side”, i.e., the manufacturers and distributors of the malware – or, for that, its targets, i.,e, the computer and machinery operators in Iran. There, she entirely relies on public sources and on what others have already written about the topic. She does that diligently and exhaustively, after proper research, as it befits a good journalist. And given the fact that this deals with the murky world of intelligence where interviews are not lightly given, she probably had no alternatives. Yet, as a consequence, these parts of book lack the authenticity that has the part outlining the story of Stuxnet proper. She closes the book with a highly readable chapter on assessing the success of the malware. She concludes that Stuxnet was a qualified success in the sense that it contributed to slowing down the Iranian enrichment programme, which bought diplomats time to negotiate. Yet, it remains unclear whether this was actually the goal of Stuxnet, or whether it did not have a further purpose, such as forcing the total shutdown of the Iranian enrichment programme. Given her limited access to government sources, Zetter cannot answer this question. She also concludes that this ‘qualified success’ of slowing down Iran’s programme came at the price of exposing the US as a reckless promoter of cyberwar, thus undermining her own credibility on the international stage on the one hand and –more importantly – undermining the trust of users in the safety and security of the internet on the other hand. Maybe this is a bridge too far, as most people outside the US would already have a view of the US being rather double-minded when it comes to the internet and the utility of cyberwar, but regardless to the depth of international cynicism, she clearly has a point here.
The book has a few weaknesses. First, it is too long. On many instances, the narrative could be shorter and crisper. Sometimes, one gets a bit the feeling she wanted to make as much use of her interview material as possible. Secondly, and this may be related to the first point, the structure of the book is somewhat repetitive. A great part of chapters in the first part follows the same pattern: introducing a technie nerd, describing him (they are always “hims”) and his physical appearance and dress a bit, adding a few sprinkles about his private life (mostly on girl friends), and then delve into that part of the technical dissection of Stuxnet which this chapter is about– and this deep dive is then deep indeed. This makes the reading attractive at the beginning, as it gives a very low entry barrier to the average reader, but it becomes somewhat tiring further down the road. These are weaknesses you can easily live with as a reader. A worthwhile, highly recommendable read in any case.
12 people found this helpful
Report abuse
Peter Smith
5.0 out of 5 stars
Excellent
Reviewed in the United Kingdom on April 26, 2021Verified Purchase
This is well written, very accessible narrative of Stuxnet. That will appeal to the more technical reader. I was impressed by the detailed description that Zetter included, without hurting the narrative of the book. The length of the reviews on the page is evidence enough that people read it carefully and felt the need to share. Hugely recommended.
Beefox
4.0 out of 5 stars
It is all the better for it
Reviewed in the United Kingdom on March 30, 2016Verified Purchase
I bought this because I wanted to know more about the Stuxnet virus and the potential implication that it was created by western government(s) to sabotage the Iranian nuclear program. Incredibly interesting, and seemingly very few stones left unturned (as others have said, many references provided throughout).
I somewhat sat on the fence to start with, erring on the side of caution that governments could create such things and the dangers they could unleash. As I read on though, I couldn't help but be impressed at the ingenuity that these people must have gone to. Iran seems to be perceived in the media as a hard done by nation that's always being picked on. However, if your nation is having to hide nuclear complexes from the IAEA, design them to make them missile proof or if you conveniently 'forget' you had specific centrifuges then you probably deserve all you get...
This book doesn't seem to be a negative take on the issue of cyber-weapons, and remains impartial and well balanced. It is all the better for it. It discusses the business of zero day exploits and how they are (may?) traded between persons and government, with many hacks being held back for whatever reasons.
Brinksmanship for a new age.
I somewhat sat on the fence to start with, erring on the side of caution that governments could create such things and the dangers they could unleash. As I read on though, I couldn't help but be impressed at the ingenuity that these people must have gone to. Iran seems to be perceived in the media as a hard done by nation that's always being picked on. However, if your nation is having to hide nuclear complexes from the IAEA, design them to make them missile proof or if you conveniently 'forget' you had specific centrifuges then you probably deserve all you get...
This book doesn't seem to be a negative take on the issue of cyber-weapons, and remains impartial and well balanced. It is all the better for it. It discusses the business of zero day exploits and how they are (may?) traded between persons and government, with many hacks being held back for whatever reasons.
Brinksmanship for a new age.
3 people found this helpful
Report abuse
Edmund Kemper
5.0 out of 5 stars
Enjoyed this book!
Reviewed in the United Kingdom on December 1, 2017Verified Purchase
Excellent book. I first saw a documentary about the subject and I just had to learn more about Stuxnet. I have read a couple of books on US foreign policy towards Iran (and its main enemy Saudi Arabia) and this book complimented those books very well. It amazes me after all these years that US and western media still presents Iran as a threat to world peace even though US and Israel actions - which are described in this book - are nothing more than acts of war.
Mr. M. Hassan
5.0 out of 5 stars
Definitive book on Stuxnet
Reviewed in the United Kingdom on December 29, 2014Verified Purchase
This book reads like a thriller. What I was most impressed about was the amount of notes cited after each chapter. It just shows how much effort went into the whole book. The other aspect which is brilliant is that it doesn't just focus on the Stuxnet virus and that's it: it literally uses references from all the important people that had been brought into contact with it. This enables you to get a complete understanding about the virus's creators; what happened once the virus was released and most importantly - the implications from it.
Honestly if you've just heard of Stuxnet you really would want to read this: you'll be blown away by it (metaphorical joke there).
Honestly if you've just heard of Stuxnet you really would want to read this: you'll be blown away by it (metaphorical joke there).
Customers who bought this item also bought
Page 1 of 1 Start overPage 1 of 1
Pages with related products.
See and discover other items: network science, safe mode











