Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

310,465 views ・ 2011-03-29

TED


Dvaput kliknite na engleske titlove ispod za reprodukciju videozapisa.

Prevoditelj: Eva Juretic Recezent: Zlatko Smetisko
00:15
The idea behind the Stuxnet computer worm
0
15260
3000
Ideja koja stoji iza Stuxnet računalnog crva
00:18
is actually quite simple.
1
18260
2000
zapravo je prilično jednostavna.
00:20
We don't want Iran to get the bomb.
2
20260
3000
Ne želimo da Iran proizvede atomsku bombu.
00:23
Their major asset for developing nuclear weapons
3
23260
3000
Njihovo je glavno sredstvo za razvijanje nuklearnog oružja
00:26
is the Natanz uranium enrichment facility.
4
26260
4000
Natanz postrojenje za obogaćivanje urana.
00:30
The gray boxes that you see,
5
30260
2000
Sive kutije, koje vidite,
00:32
these are real-time control systems.
6
32260
3000
jesu kontrolni sistemi.
00:35
Now if we manage to compromise these systems
7
35260
3000
Ako uspijemo onesposobiti te sustave
00:38
that control drive speeds and valves,
8
38260
3000
koji kontroliraju brzinu i ventile,
00:41
we can actually cause a lot of problems
9
41260
3000
možemo stvoriti puno problema
00:44
with the centrifuge.
10
44260
2000
s centrifugom.
00:46
The gray boxes don't run Windows software;
11
46260
2000
Sive kutije ne podržavaju Windows software;
00:48
they are a completely different technology.
12
48260
3000
one koriste posve drugačiju tehnologiju.
00:51
But if we manage
13
51260
2000
Ali ako uspijemo
00:53
to place a good Windows virus
14
53260
3000
staviti dobar Windows virus
00:56
on a notebook
15
56260
2000
na laptop
00:58
that is used by a maintenance engineer
16
58260
2000
koji koristi inženjer za održavanje sustava
01:00
to configure this gray box,
17
60260
3000
prilikom konfiguriranja sustava,
01:03
then we are in business.
18
63260
2000
na konju smo.
01:05
And this is the plot behind Stuxnet.
19
65260
3000
I to je pozadina Stuxneta.
01:08
So we start with a Windows dropper.
20
68260
5000
Započinjemo Windows "dropper" virusom.
01:13
The payload goes onto the gray box,
21
73260
3000
Virus uđe u sivu kutiju,
01:16
damages the centrifuge,
22
76260
2000
ošteti centrifugu
01:18
and the Iranian nuclear program is delayed --
23
78260
2000
i time odgodi iranski nuklearni program --
01:20
mission accomplished.
24
80260
2000
misija završena.
01:22
That's easy, huh?
25
82260
2000
Jednostavno, zar ne?
01:24
I want to tell you how we found that out.
26
84260
3000
Želim vam objasniti kako smo to otkrili.
01:27
When we started our research on Stuxnet six months ago,
27
87260
3000
Kada smo prije šest mjeseci započeli istraživati Stuxneta,
01:30
it was completely unknown what the purpose of this thing was.
28
90260
3000
svrha mu je bila potpuno nepoznata.
01:33
The only thing that was known
29
93260
2000
Jedino što se znalo
01:35
is it's very, very complex on the Windows part, the dropper part,
30
95260
3000
je njegov iznimno složen softverski dio, složen "dropper" dio
01:38
used multiple zero-day vulnerabilities.
31
98260
3000
te da koristi mnoge neotkrivene slabosti Windowsa.
01:41
And it seemed to want to do something
32
101260
3000
Činilo se kako želi nešto
01:44
with these gray boxes, these real-time control systems.
33
104260
2000
s tim sivim kutijama, odnosno s kontrolnim sustavom.
01:46
So that got our attention,
34
106260
2000
To je privuklo našu pozornost,
01:48
and we started a lab project
35
108260
2000
pa smo počeli s laboratorijskim projektom
01:50
where we infected our environment with Stuxnet
36
110260
4000
u kojem smo zarazili našu okolinu sa Stuxnetom
01:54
and checked this thing out.
37
114260
2000
i promatrali što se događa.
01:56
And then some very funny things happened.
38
116260
3000
Počele su se događati čudne stvari.
01:59
Stuxnet behaved like a lab rat
39
119260
3000
Stuxnet se ponašao poput laboratorijskog štakora
02:02
that didn't like our cheese --
40
122260
3000
koji nije želio naš sir --
02:05
sniffed, but didn't want to eat.
41
125260
2000
pomirišao ga je, ali ga nije htio jesti.
02:07
Didn't make sense to me.
42
127260
2000
To nije imalo smisla.
02:09
And after we experimented with different flavors of cheese,
43
129260
3000
Nakon što smo eksperimentirali sa sirevima različitih okusa,
02:12
I realized, well, this is a directed attack.
44
132260
4000
shvatio sam kako se radi o direktnom napadu.
02:16
It's completely directed.
45
136260
2000
Potpuno je režiran.
02:18
The dropper is prowling actively
46
138260
2000
"Dropper" se aktivno prikrada
02:20
on the gray box
47
140260
2000
sivoj kutiji,
02:22
if a specific configuration is found,
48
142260
3000
ako pronađe određenu konfiguraciju
02:25
and even if the actual program code that it's trying to infect
49
145260
4000
i ako se program kojeg pokušava "zaraziti"
02:29
is actually running on that target.
50
149260
2000
odvija na željenoj meti.
02:31
And if not, Stuxnet does nothing.
51
151260
3000
Ako ne, Stuxnet ne čini ništa.
02:34
So that really got my attention,
52
154260
2000
To je zaokupilo moju pažnju,
02:36
and we started to work on this
53
156260
2000
i počeli smo neprestano
02:38
nearly around the clock,
54
158260
2000
raditi na tome
02:40
because I thought, "Well, we don't know what the target is.
55
160260
3000
jer sam mislio "Dobro, ne znamo što je meta.
02:43
It could be, let's say for example,
56
163260
2000
Mogla bi to biti, primjerice,
02:45
a U.S. power plant,
57
165260
2000
američka nuklearna elektrana
02:47
or a chemical plant in Germany.
58
167260
2000
ili kemijsko postrojenje u Njemačkoj.
02:49
So we better find out what the target is soon."
59
169260
3000
Bolje nam je da što prije otkrijemo metu.
02:52
So we extracted and decompiled
60
172260
2000
Izdvojili smo i rastavili
02:54
the attack code,
61
174260
2000
šifru napada
02:56
and we discovered that it's structured in two digital bombs --
62
176260
3000
te smo otkrili da je sastavljena u dvije digitalne bombe --
02:59
a smaller one and a bigger one.
63
179260
3000
manje i veće.
03:02
And we also saw that they are very professionally engineered
64
182260
4000
Isto tako, shvatili smo da su ih vrlo profesionalno sastavili
03:06
by people who obviously had all insider information.
65
186260
4000
ljudi koji su očito imali informacije iznutra.
03:10
They knew all the bits and bites
66
190260
2000
Znali su sve sitnice
03:12
that they had to attack.
67
192260
2000
koje su morali napasti.
03:14
They probably even know the shoe size of the operator.
68
194260
3000
Vjerojatno su znali i veličinu cipela rukovaoca.
03:17
So they know everything.
69
197260
2000
Znali su sve.
03:19
And if you have heard that the dropper of Stuxnet
70
199260
3000
Ako ste čuli da je Stuxnetov program za instaliranje virusa
03:22
is complex and high-tech,
71
202260
2000
kompeksan i visoko tehnološki razvijen,
03:24
let me tell you this:
72
204260
2000
reći ću vam sljedeće:
03:26
the payload is rocket science.
73
206260
2000
on je zapravo "kvantna fizika".
03:28
It's way above everything
74
208260
2000
Daleko je iznad svega
03:30
that we have ever seen before.
75
210260
3000
što smo do sada vidjeli.
03:33
Here you see a sample of this actual attack code.
76
213260
3000
Ovdje vidite uzorak stvarne šifre napada.
03:36
We are talking about --
77
216260
2000
Govorimo o
03:38
around about 15,000 lines of code.
78
218260
3000
otprilikie 15 tisuća redaka programskog koda.
03:41
Looks pretty much like old-style assembly language.
79
221260
3000
Izgleda kao stari asemblerski jezik.
03:44
And I want to tell you how we were able
80
224260
2000
I želim vam reći kako smo uspjeli
03:46
to make sense out of this code.
81
226260
2000
shvatiti smisao tog programskog koda.
03:48
So what we were looking for is, first of all, system function calls,
82
228260
3000
Prvo smo tražili pozive funkcija sistema
03:51
because we know what they do.
83
231260
2000
jer smo znali što one rade.
03:53
And then we were looking for timers and data structures
84
233260
4000
Onda smo tražili vremenske zapise i strukture podataka
03:57
and trying to relate them to the real world --
85
237260
2000
i pokušali ih povezati sa stvarnim svijetom --
03:59
to potential real world targets.
86
239260
2000
s potencijalnim metama iz stvarnog svijeta.
04:01
So we do need target theories
87
241260
3000
Znači, ipak trebamo teorije o ciljevima
04:04
that we can prove or disprove.
88
244260
3000
kako bismo ih mogli dokazati ili opovrgnuti.
04:07
In order to get target theories,
89
247260
2000
Kako bi došli do teorija o ciljevima,
04:09
we remember
90
249260
2000
trebamo imati na umu
04:11
that it's definitely hardcore sabotage,
91
251260
2000
kako se sigurno radi o ozbiljnoj sabotaži,
04:13
it must be a high-value target
92
253260
2000
visoko vrijednom cilju
04:15
and it is most likely located in Iran,
93
255260
3000
koji se najvjerojatnije nalazi u Iranu
04:18
because that's where most of the infections had been reported.
94
258260
4000
jer je tamo prijavljen najveći broj zaraza ovim crvom.
04:22
Now you don't find several thousand targets in that area.
95
262260
3000
Nećete naći nekoliko tisuća meta u tom području.
04:25
It basically boils down
96
265260
2000
Načelno se to svodi
04:27
to the Bushehr nuclear power plant
97
267260
2000
na nuklearnu elektranu Bushehr
04:29
and to the Natanz fuel enrichment plant.
98
269260
2000
i na pogon za obogaćivanje goriva Natanz.
04:31
So I told my assistant,
99
271260
2000
Rekao sam svom pomoćniku,
04:33
"Get me a list of all centrifuge and power plant experts from our client base."
100
273260
3000
"Nabavi mi popis svih stručnjaka za centrifuge i elektrane iz naše baze klijenata."
04:36
And I phoned them up and picked their brain
101
276260
2000
Ja sam ih tada nazvao,
04:38
in an effort to match their expertise
102
278260
2000
te sam se potrudio ukopiti njihove spoznaje
04:40
with what we found in code and data.
103
280260
3000
s onim što smo našli u programskom kodu i podacima.
04:43
And that worked pretty well.
104
283260
2000
I to je funkcioniralo prilično dobro.
04:45
So we were able to associate
105
285260
2000
Uspjeli smo povezati
04:47
the small digital warhead
106
287260
2000
malu digitalnu bojnu glavu
04:49
with the rotor control.
107
289260
2000
s kontrolom rotora.
04:51
The rotor is that moving part within the centrifuge,
108
291260
3000
Rotor je ovaj pokretni dio unutar centrifuge,
04:54
that black object that you see.
109
294260
2000
crni objekt koji vidite.
04:56
And if you manipulate the speed of this rotor,
110
296260
3000
Ako manipulirate brzinom tog rotora,
04:59
you are actually able to crack the rotor
111
299260
2000
u mogućnosti ste slomiti rotor
05:01
and eventually even have the centrifuge explode.
112
301260
4000
i u konačnici postići eksploziju centrifuge.
05:05
What we also saw
113
305260
2000
Također smo vidjeli
05:07
is that the goal of the attack
114
307260
2000
da je cij napada
05:09
was really to do it slowly and creepy --
115
309260
3000
učiniti to sporo i jezivo --
05:12
obviously in an effort
116
312260
2000
očito u nadi
05:14
to drive maintenance engineers crazy,
117
314260
3000
da izludite inžinjere održavanja,
05:17
that they would not be able to figure this out quickly.
118
317260
3000
kako ne bi bili u mogućnosti naći rješenje u kratkom roku.
05:20
The big digital warhead -- we had a shot at this
119
320260
3000
Veliku digitalnu bojnu glavu -- imali smo priliku
05:23
by looking very closely
120
323260
2000
pomno promatriti
05:25
at data and data structures.
121
325260
2000
podatke i strukture podataka.
05:27
So for example, the number 164
122
327260
2000
Tako naprimjer, broj 164
05:29
really stands out in that code;
123
329260
2000
se zbilja ističe u tom kodu;
05:31
you can't overlook it.
124
331260
2000
ne možete ga previdjeti.
05:33
I started to research scientific literature
125
333260
2000
Počeo sam istraživati znanstvenu literaturu
05:35
on how these centrifuges
126
335260
2000
i otkrio kako su centrifuge
05:37
are actually built in Natanz
127
337260
2000
zapravo napravljene u Natanzu
05:39
and found they are structured
128
339260
2000
i saznao sam da su strukturirane
05:41
in what is called a cascade,
129
341260
2000
u tzv. kaskadu,
05:43
and each cascade holds 164 centrifuges.
130
343260
4000
od kojih svaka sadrži 164 centrifuge.
05:47
So that made sense, that was a match.
131
347260
2000
To je imalo smisla te se podudaralo.
05:49
And it even got better.
132
349260
2000
Čak je postalo bolje.
05:51
These centrifuges in Iran
133
351260
2000
Te su centrifuge u Iranu
05:53
are subdivided into 15, what is called, stages.
134
353260
4000
podijeljene u 15 tzv. faza.
05:57
And guess what we found in the attack code?
135
357260
2000
Pogodite što smo našli u kodu napada?
05:59
An almost identical structure.
136
359260
2000
Gotovo identičnu strukturu.
06:01
So again, that was a real good match.
137
361260
3000
Dakle, to je bila odlična podudarnost.
06:04
And this gave us very high confidence for what we were looking at.
138
364260
3000
To nam je dalo veliko samopouzdanje u ono što smo proučavali.
06:07
Now don't get me wrong here, it didn't go like this.
139
367260
3000
Nemojte me pogrešno shvatiti, nije išlo lako.
06:10
These results have been obtained
140
370260
3000
Ovi rezultati dobiveni su
06:13
over several weeks of really hard labor.
141
373260
3000
tijekom nekoliko tjedana zaista teškog rada.
06:16
And we often went into just a dead end
142
376260
3000
I često bi došli do mrtve točke i
06:19
and had to recover.
143
379260
2000
trebali smo se vratiti natrag.
06:21
Anyway, so we figured out
144
381260
2000
Tako smo shvatili
06:23
that both digital warheads
145
383260
2000
kako su obje digitalne bojne glave
06:25
were actually aiming at one and the same target,
146
385260
2000
zapravo usmjerene na jedan cilj,
06:27
but from different angles.
147
387260
2000
ali iz različitih kutova.
06:29
The small warhead is taking one cascade,
148
389260
3000
Mala bojna glava zauzima jednu kaskadu,
06:32
and spinning up the rotors and slowing them down,
149
392260
3000
okreće rotore te ih usporava,
06:35
and the big warhead
150
395260
2000
a velika bojna glava
06:37
is talking to six cascades
151
397260
2000
komunicira sa šest kaskada
06:39
and manipulating valves.
152
399260
2000
i manipulira ventilima.
06:41
So in all, we are very confident
153
401260
2000
Dakle jedino u što smo sigurni
06:43
that we have actually determined what the target is.
154
403260
2000
je da smo zapravo odredili što je cilj.
06:45
It is Natanz, and it is only Natanz.
155
405260
3000
To je Natanz, i to samo Natanz.
06:48
So we don't have to worry
156
408260
2000
Ne moramo se brinuti
06:50
that other targets
157
410260
2000
oko drugih meta
06:52
might be hit by Stuxnet.
158
412260
2000
koje bi mogle biti pogođene Stuxnetom.
06:54
Here's some very cool stuff that we saw --
159
414260
3000
Evo neke zgodne stvari koju smo uočili --
06:57
really knocked my socks off.
160
417260
2000
koja me zaista iznenadila.
06:59
Down there is the gray box,
161
419260
2000
Tu dolje je siva kutija,
07:01
and on the top you see the centrifuges.
162
421260
3000
a na vrhu vidite centrifuge.
07:04
Now what this thing does
163
424260
2000
E sad, ono što ta stvar radi
07:06
is it intercepts the input values from sensors --
164
426260
3000
je hvatanje ulaznih vrijednosti sa senzora --
07:09
so for example, from pressure sensors
165
429260
2000
tako da se na primjer, sa senzora za pritisak
07:11
and vibration sensors --
166
431260
2000
i senzora za vibraciju
07:13
and it provides legitimate program code,
167
433260
3000
stvara pravi programski kod
07:16
which is still running during the attack,
168
436260
2000
koji još uvijek radi za vrijeme napada
07:18
with fake input data.
169
438260
2000
s lažnim ulaznim podacima.
07:20
And as a matter of fact, this fake input data
170
440260
2000
Zapravo su ovi lažni ulazni podaci
07:22
is actually prerecorded by Stuxnet.
171
442260
3000
unaprijed snimljni od strane Stuxneta.
07:25
So it's just like from the Hollywood movies
172
445260
2000
To je baš kao u Hollywoodskim filmovima
07:27
where during the heist,
173
447260
2000
gdje za vrijeme pljačke
07:29
the observation camera is fed with prerecorded video.
174
449260
3000
sigurnosna kamera prikazuje prethodno snimljeni video.
07:32
That's cool, huh?
175
452260
2000
To je cool, zar ne?
07:35
The idea here is obviously
176
455260
2000
Ovdje očito ideja nije
07:37
not only to fool the operators in the control room.
177
457260
3000
samo zavarati operatere u kontrolnoj sobi.
07:40
It actually is much more dangerous and aggressive.
178
460260
4000
Zapravo je mnogo opasnija i agresivnija.
07:44
The idea
179
464260
2000
Ideja je
07:46
is to circumvent a digital safety system.
180
466260
3000
nadmudriti digitalni sigurnosni sustav.
07:50
We need digital safety systems
181
470260
2000
Trebamo digitalne sigurnosne sustave
07:52
where a human operator could not act quick enough.
182
472260
3000
tamo gdje ljudi ne mogu djelovati dovoljno brzo.
07:55
So for example, in a power plant,
183
475260
2000
Na primjer, u elektrani,
07:57
when your big steam turbine gets too over speed,
184
477260
3000
gdje velika parna turbina dobiva veliko ubrzanje,
08:00
you must open relief valves within a millisecond.
185
480260
3000
morate otvoriti ventile unutar milisekunde.
08:03
Obviously, this cannot be done by a human operator.
186
483260
3000
Očito da to ne može obaviti čovjek.
08:06
So this is where we need digital safety systems.
187
486260
2000
Stoga su tu digitalni sigurnosni sistemi zaista potrebni.
08:08
And when they are compromised,
188
488260
2000
A kada su kompromitirani,
08:10
then real bad things can happen.
189
490260
3000
mogu se dogoditi stvarno loše stvari.
08:13
Your plant can blow up.
190
493260
2000
Vaša elektrana može eksplodirati.
08:15
And neither your operators nor your safety system will notice it.
191
495260
3000
A ni vaši operateri niti vaš sigurnosni sistem neće to uočiti.
08:18
That's scary.
192
498260
2000
To je strašno.
08:20
But it gets worse.
193
500260
2000
I postaje još gore.
08:22
And this is very important, what I'm going to say.
194
502260
3000
Ovo što ću sada reći jako je bitno.
08:25
Think about this:
195
505260
2000
Razmislite o ovome:
08:27
this attack is generic.
196
507260
3000
ovaj napad je opći.
08:30
It doesn't have anything to do, in specifics,
197
510260
4000
Nema neke konkretne veze
08:34
with centrifuges,
198
514260
2000
sa centrifugama
08:36
with uranium enrichment.
199
516260
3000
niti s obogaćivanjem urana.
08:39
So it would work as well, for example,
200
519260
3000
Tako da bi mogao funkcionirao, na primjer,
08:42
in a power plant
201
522260
2000
u elektrani
08:44
or in an automobile factory.
202
524260
3000
ili u automobilskoj tvornici.
08:47
It is generic.
203
527260
2000
On je opći.
08:49
And you don't have -- as an attacker --
204
529260
2000
Ne morate -- kao napadač --
08:51
you don't have to deliver this payload
205
531260
3000
dostaviti virus
08:54
by a USB stick,
206
534260
2000
preko USB stick-a
08:56
as we saw it in the case of Stuxnet.
207
536260
2000
kao u slučaju Stuxneta.
08:58
You could also use conventional worm technology for spreading.
208
538260
3000
Možete koristiti i uobičajenu metodu zaraze računala putem crva.
09:01
Just spread it as wide as possible.
209
541260
3000
Samo ga proširite što je više moguće.
09:04
And if you do that,
210
544260
2000
Ako to učinite,
09:06
what you end up with
211
546260
2000
kao rezultat dobit ćete
09:08
is a cyber weapon of mass destruction.
212
548260
5000
virtualno oružje za masovno uništenje.
09:14
That's the consequence
213
554260
2000
To je posljedica
09:16
that we have to face.
214
556260
3000
s kojom se moramo suočiti.
09:19
So unfortunately,
215
559260
3000
Tako da nažalost,
09:22
the biggest number of targets for such attacks
216
562260
3000
najveći broj meta za takve napade
09:25
are not in the Middle East.
217
565260
2000
nije na Bliskom Istoku.
09:27
They're in the United States and Europe and in Japan.
218
567260
3000
One su u Sjedinjenim Američkim Državama, Europi i Japanu.
09:30
So all of the green areas,
219
570260
2000
Sva zelena područja,
09:32
these are your target-rich environments.
220
572260
3000
to su vaše mete.
09:35
We have to face the consequences,
221
575260
3000
Moramo se součiti s posljedicama,
09:38
and we better start to prepare right now.
222
578260
3000
i bolje nam je da se odmah pripremimo na njih.
09:41
Thanks.
223
581260
2000
Hvala.
09:43
(Applause)
224
583260
6000
(Pljesak)
09:49
Chris Anderson: I've got a question.
225
589260
2000
Chris Anderson: Imam pitanje.
09:53
Ralph, it's been quite widely reported
226
593260
2000
Ralph, poprilično je zastupljeno mišljenje,
09:55
that people assume that Mossad
227
595260
2000
ljudi pretpostavljaju da se Mossad
09:57
is the main entity behind this.
228
597260
2000
krije iza svega.
09:59
Is that your opinion?
229
599260
3000
Dijelite li i Vi to mišljenje?
10:02
Ralph Langner: Okay, you really want to hear that?
230
602260
2000
Ralph Langner: U redu, stvarno želite čuti?
10:04
Yeah. Okay.
231
604260
2000
Da, onda uredu.
10:06
My opinion is that the Mossad is involved,
232
606260
3000
Moje mišljenje je da Mossad je umiješan,
10:09
but that the leading force is not Israel.
233
609260
3000
ali Izrael nije vodeća sila.
10:12
So the leading force behind that
234
612260
2000
Vodeća sila koja stoji iza svega
10:14
is the cyber superpower.
235
614260
3000
je virtualna supersila.
10:17
There is only one,
236
617260
2000
Samo je jedna takva,
10:19
and that's the United States --
237
619260
2000
Sjedinjene Američke Države --
10:21
fortunately, fortunately.
238
621260
2000
na sreću.
10:23
Because otherwise,
239
623260
2000
U protivnom
10:25
our problems would even be bigger.
240
625260
3000
naši bi problemi bili još veći.
10:28
CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.
241
628260
4000
CA: Hvala vam što ste nas tako isprepadali. Hvala, Ralph.
10:32
(Applause)
242
632260
2000
(Pljesak)
O ovoj web stranici

Ova stranica će vas upoznati s YouTube videozapisima koji su korisni za učenje engleskog jezika. Vidjet ćete lekcije engleskog koje vode vrhunski profesori iz cijelog svijeta. Dvaput kliknite na engleske titlove prikazane na svakoj video stranici da biste reproducirali video s tog mjesta. Titlovi se pomiču sinkronizirano s reprodukcijom videozapisa. Ako imate bilo kakvih komentara ili zahtjeva, obratite nam se putem ovog obrasca za kontakt.

https://forms.gle/WvT1wiN1qDtmnspy7