Slashdot Mirror


Stuxnet's Legacy: Get Back to Basics or Get Owned

Gunkerty Jeb writes "Attacks such as Stuxnet, Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies."

30 of 162 comments

  1. Security is hard by Anonymous Coward · · Score: 5, Insightful

    No matter how much companies (and individuals) would like to pretend otherwise, security is really hard to do. It's not just a matter of having the right technology in place; people have to follow some inconvenient rules and exercise self control and common sense.

    So we're always going to have some of these problems.

    1. Re:Security is hard by AvitarX · · Score: 2

      Sometimes the slow drag of being protected against oneself costs more than the risk being averted though.

      For example, the cost of code generators to access bank accounts online in Europe surely prevents some fraud, but how much compared to the cost of every generator, and the inconvenience of not having access if you lose it.

      Similar with active protection virus software not too long ago. It caused instability and slowed things down immensely.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:Security is hard by MstrFool · · Score: 2

      No kidding. The only perfect security just happens to lock out all legitimate users as well. So long as someone can access the info, then someone else can find a way in as well, the more people that need to be able to access it, the more ways in there will be. It doesn't help that traditionally, security tends to be the lowest item on the list. Need to save money, most companies will skimp on security before they will skimp on janitorial. Guess they want to be sure the place looks nice for anyone that breaks in. Same goes for computer systems. The order of importance seems to be, Make it look nice, Make it simple to use, Make it work, and make it secure. Sadly, it pays off to work it that way. If it looks good, people assume any problem with it is their own fault and not the program. Make it simple and most people don't realize just how few options they have and just how little they can really do with it. Make it work, well, folks expect problems and blame themselves, so we can fix the bugs later. Make it secure, but don't do anything that prevents legitimate users from doing what they should... Good luck on that. Best example of how people react to a company making an attempt at doing the right thing and getting hammered for it is, and I /really/ hate to say this, but... Microsoft and their access controls in Vista/win7. They started to do it right and put in real security, and people went ballistic. Problem is, people didn't get pissed that it only locked the user out and let hackers through, they got pissed that it asked them before just doing things. Now, I'm not saying it couldn't be done better, it could have. But look at what people complained about, 'it's in the way', not 'it's insecure'. Right there shows why things will never be secure. People want convenience, not security, and people are the ones that pay for the work.

      --
      Question reality.
    3. Re:Security is hard by RichardJenkins · · Score: 2

      But SQL injection vulnerabilities are pretty easy to avoid. I'd say in the general case SQL injection problems are a good indication to avoid a company.

      If you inadvertently allow malicious access to your DB via SQL injection - fine. Just don't fib by saying your company should be taken at all seriously when considering their security credentials.

    4. Re:Security is hard by commodore6502 · · Score: 2

      >>>trying to protect clients/users/family from themselves ...

      (takes scissors to ethernet cable leading into generator, centrifuge, etc) SNIP. Okay it's secure. Never should have been on the internet in the first place.

      --
      Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
    5. Re:Security is hard by PaladinAlpha · · Score: 2

      Yeah, I mean, I think they should make cars that blow up if you don't check the oil, belts, timing belts, brakes, transmission, coolant, tires, hoses, spark plugs, wires, distributor caps/rotors, and air filters precisely at the best mileage for each! That way, people who refuse to help themselves by daring to drive a car without knowing the full maintenance schedule (and implications of missing parts of it) will be taken out of the education. Those stupid, incompetent, lazy people.

    6. Re:Security is hard by dudeman2 · · Score: 3, Interesting

      Actually, those centrifuges were never on the public Internet. Stuxnet was cleverly designed to infect the workstations running Step 7 PLC programming software, hijack the communications with the PLC to install its payload on the PLC. I don't know if the Step 7 workstations were on the Internet either; they may have been infected by sneakernet - USB keys, CDROMs, and the like.

    7. Re:Security is hard by PhilipTheHermit · · Score: 3, Insightful

      There are a few things you can do, though:

      1) Don't let your developers go berserk with their framework of choice. Standardize on something company-wide, thoroughly audit/evaluate it as a platform, assign staff to maintain and patch it, and train everyone else on how to securely develop for it. I know corporations hate to train or otherwise improve their staff, but at some point they're going to have to bite the bullet.

      2) Build an internal team and use them for your development needs. Mentor them, build institutional knowledge, have a succession plan in place. Stop contracting everything out to the other side of the planet and then feigning surprise when it falls over in the first stiff wind.

      3) SIMPLICITY IS YOUR FRIEND. Don't let your developers make your site complex because they want to work with a cool framework or show off their skills. Do design reviews and simplify, simplify, simplify.

      4) Treat all new developers as apprentices, and make them work under a "journeyman" for their first year (usually their probationary period) until they prove themselves and have learned how you do things.

      It's not rocket science, it's common sense. Well... Common among older programmers, anyway.

      --
      Thus spake the master programmer:
      "When the program is being tested, it is too late to make design changes." (Tao)
    8. Re:Security is hard by John+Hasler · · Score: 2

      I don't know if the Step 7 workstations were on the Internet either; they may have been infected by sneakernet - USB keys, CDROMs, and the like.

      Rumor has it that USB keys were scattered in the parking lots.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    9. Re:Security is hard by Duradin · · Score: 3, Insightful

      Girls being used to social engineer men or using social engineering against men is as old as it gets. I'll leave it as an exercise for the reader to google up the reason why it works.

    10. Re:Security is hard by maxume · · Score: 3, Insightful

      Biometrics are terrible. You leave fingerprints everywhere, most fingerprint readers seem to be incredibly easy to bamboozle, it gives incentives to detach fingers, it is hard to get new fingerprints if you find out the ones you have are compromised, and on and on.

      Now, for certain types of authentication they probably make a lot of sense, but not for medium value authentication across miscellaneous un-managed hardware.

      --
      Nerd rage is the funniest rage.
    11. Re:Security is hard by Runaway1956 · · Score: 2

      As Flyerman points out, the 16 year old was posing as a man, and she social engineered a female within the organization. So, no, the girl didn't manipulate a guy via his hormones at all. The "security experts" failed repeatedly, on a number of fronts. Would you like the links to the real story?

      http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars
      http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars
      http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
      http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars

      Please note, that I do not agree with a lot of what Anonymous does, but sometimes, they really do get things right.

      http://mashable.com/2011/02/19/anonymous-westboro/

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  2. This is more of an open problem by IgnitusBoyone · · Score: 3, Insightful

    Well, the problem with most of these is even if you know about them it only takes one lazy employee to introduce them. So, it's hard to be 100% vigilant against the threats and because it only takes one crack to break the dam, this makes it impossible for most security companies to improve.

    --
    Momento Mori
  3. Perspective by TheRealMindChild · · Score: 4, Insightful

    SQL injection, phishing, malicious attachments, social engineering. Old, every one of them.

    And every one of them gets learned the hard way by the new batch of up-and-comers. It isn't like the average knowledge of us IT folk has gotten any bigger. Old, seasoned folks leave, and new, green folks join. Also, management.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Perspective by Dunbal · · Score: 2

      Gee, here's a thought: old, seasoned folks one day will pass their knowledge down the line to the new generation. We can call it "education". Heck, we might even be able to charge money for it!

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Perspective by COMON$ · · Score: 5, Interesting

      Now this is a mixed message because coming up through the IT field it was the old timers causing the security problems. "What? I have to clean my inputs? This is the way I have always done it and this is how I am going to keep doing it" as well as "bah, our company is not a target".

      Now it is 10 years after I entered the field full time, things are FAR FAR FAR FAR FAR better. Yes there are still old sites out there, there are still companies that don't update their security because they are struggling to keep the lights on. But seriously as opposed to 10 years ago, Infosec is widespread, companies have security training seminars for employees, Pentests are a regular phenomenon. This increased security is largely because those of us who grew up with tech, intentionally went into the field, and really enjoy the work are now getting to the 10-15 year range on experience and fixing all the damn problems our predecessors set before us. All the while doing our best to defend against the up and comers who are trying to push out projects as fast as possible to pad their resume.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    3. Re:Perspective by somersault · · Score: 2

      The best solution is, as always, in between. You don't want people in 50 years time having no clue how to write a secure database library.

      --
      which is totally what she said
    4. Re:Perspective by Rary · · Score: 5, Insightful

      Shouldn't it be possible for the old seasoned professionals to write libraries and tools that make SQL injection all but impossible? Then all you have to do is convince the green new up and comers to use the existing tools. Only downside is that the newbies don't learn the lesson, but this particular lesson is pretty costly to learn the hard way.

      In IT, there is this general belief that the seasoned professionals, also known as "old timers", are filled with antiquated and useless knowledge, while the green newbies, also known as "cutting edge fresh talent", know all the whiz-bang new ways of doing things.

      Sometimes, this is true, but sometimes it is not. As long as we continue to view this industry as being one that changes so rapidly that everything learned last week is obsolete, we will continue to make the same mistakes and reinvent the same flawed wheels.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  4. Social Engineering by arth1 · · Score: 2

    I thought phishing was a type of social engineering?

    And social engineering isn't a technical problem likely to be "fixed" - it's a continuous education of users that can never be considered done or even successful.

  5. phishing, malicious attachments, social engineerin by Culture20 · · Score: 2

    If you fire the dummies, they just end up at someone else's company (and you get other companies' dummies). Ain't no technical fix for stupid, son.

  6. Another take by U8MyData · · Score: 2

    I see a lot of comments about "dummies." Management needs to take a look at themselves as well. They hold the purse strings and the power of decision. In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand. Don't get me started on the overwhelming and pervasive attitude of users, "you mean I have to remember my password!?!"

    1. Re:Another take by mcmonkey · · Score: 2

      I see a lot of comments about "dummies." Management needs to take a look at themselves as well. They hold the purse strings and the power of decision. In cases I have been exposed to, it's not the admins that are dropping the ball, it is the people making the decisions about things they do not appreciate or understand. Don't get me started on the overwhelming and pervasive attitude of users, "you mean I have to remember my password!?!"

      As a user, don't get me started on admins & devs dropping the ball, making decisions about things they do not understand.

      I spent 2 hours this week changing passwords for my work systems. I had 15 sets of credentials to update. Not all those systems are on the same 90-day expiration schedule as my main network ID, but I like to change them all at the same time. Otherwise, I'd never be able to keep my passwords straight.

      And by 15 sets of credentials, I mean the user name is not the same for all of them, and for none of them was I able to choose my own user name. So that's 15 different combinations of user names and passwords. And there is a 16th system I wasn't able to update because I don't remember the user name.

      Some of these systems I rarely access. There's the company travel center and expense reports systems. I travel for business about once every 18 months. There's the benefits system I access once a year to update insurance information. I log on to those systems every 90 days to update passwords.

      So here's our options: I write down my passwords. (Which of course is a big No No) I use the same password for all those systems. (Another big No No) I remember 15 different passwords, some for systems I only access 4 or 5 times per year. (Impossible, for me at least)

      Or the devs and admins can drop the BOFH attitude, and do their damn jobs. There is no excuse for these systems to not work with a single directory that lets me access them all with a single pair of user name and password. Management needs to stop accepting solutions which do not work with the company directory; the tech folks need to stop implementing solutions which do not work with the company directory.

      So please, before you bitch about my inability to remember the 16 different passwords to the 10 or 11 different user names for the 16 systems I have at work, realize developers and admins are not the precious little snowflakes they sometimes act like.

    2. Re:Another take by turbidostato · · Score: 2

      "As a user, don't get me started on admins & devs dropping the ball, making decisions about things they do not understand."

      "I had 15 sets of credentials to update [...] There is no excuse for these systems to not work with a single directory that lets me access them all with a single pair of user name and password."

      Do you *really* think you have 15 different credentials because of devs and admins? Really?

      "Management needs to stop accepting solutions which do not work with the company directory"

      Stop accepting!!!??? They are not accepting but *mandating* them each and every time they say "I want *this*, I want it *now* and I want it for peanuts". You can bet devs and especially sysadmins would be more than glad if managers would listen to them about minimal functionality, integration and maintenance.

  7. Re:Won't get fixed in this release... by Dunbal · · Score: 2

    As a customer I want cost minimized too though. If regulation increases overall cost the cure is worse than the disease.

    I'll just whip those Chinese children a little harder to increase production a few more percent so that you're happy.

    --
    Seven puppies were harmed during the making of this post.
  8. PHP is a big part of the problem by Animats · · Score: 4, Interesting

    PHP is a big part of the problem. PHP's interface to SQL encourages putting in parameters without proper escaping. Python has a slightly different interface, one where there's one SQL statement with fields represented by %s, and a tuple with the values to be filled in. The values are escaped automatically. If PHP had only such an interface, most SQL injection attacks would fail.

    It would help if there was simply a restriction that only one SQL statement can be submitted per call. Since all the major SQL implementations now have transactions, there's no reason to put two statements in one call any more.

    Another problem with PHP is a tendency to install a large number of standard PHP scripts which shouldn't be installed at all. Look at your server logs and you'll see constant attempts by hostile sites to call common bad scripts.

    Hosting "control panels" implemented in PHP are part of the problem. If you have one of those, you can't just turn off PHP, even if you're not using it. Worse, "control panels" tend to run with very high privileges, and present a large attack face.

    1. Re:PHP is a big part of the problem by Shados · · Score: 2

      I hate PHP too, but the problem there is PHP programmers, not PHP itself.

      What you're talking about, as someone pointed out already, is prepared statements. Virtually all mainstream programming languages have the ability to use those, including PHP for almost as long as it's been mainstreamed. The only issue is that the most commonly used MySQL interface didn't use them, and the community didn't push them.

      They were available AND they were easier to use than the "bad" way of doing things. You are NOT supposed to escape the data you send to the database, and it's NOT what those interfaces you talk about do. The work done to make sure there's no injection is more subtle and lower level, as well as database dependent. That's why no amount of string escaping is 100% safe.

      Using prepared statements (what you're referring to without realizing it) is very very possible in PHP, is now (today) mainstream, and makes sure you're not vulnerable to sql injection (unless you do something impossibly stupid or try on purpose, but you have to try very hard).

      PHP sucks balls and no one should use it, but that's not among the reasons why it does.
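
The contrast discussed in this sub-thread (values pasted or escaped into the SQL text versus values bound to a fixed statement, plus one statement per call), as an added example that is not code from either poster. It uses Python's built-in sqlite3 module, whose placeholder is `?` rather than the `%s` style mentioned above; the table, rows and inputs are constructed.

```python
import sqlite3

# Constructed sample data: schema, rows and inputs are invented for this example.
ROWS = [(1, "alice", "a-secret"), (2, "bob", "b-secret")]
NAME_INPUT = "nobody' OR '1'='1"   # closes the quoted literal early
ID_INPUT = "0 OR 1=1"              # contains no quote character at all


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def names_by_name_concat(conn, name):
    """'Before': the value is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_name_bound(conn, name):
    """'After': the statement text is fixed; the value is bound separately."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_quotes(value):
    """Hand-rolled escaping: doubles single quotes and nothing else."""
    return value.replace("'", "''")


def names_by_id_escaped(conn, raw_id):
    """Quote escaping changes nothing when the value sits outside quotes."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(raw_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_bound(conn, raw_id):
    """Bound value is compared as data, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def stacked_statement_rejected(conn):
    """execute() takes exactly one statement; a second one is refused unrun."""
    try:
        conn.execute("SELECT name FROM users WHERE name = 'x'; DROP TABLE users; --'")
    except (sqlite3.Error, sqlite3.Warning):
        rejected = True   # exception class differs between Python versions
    else:
        rejected = False
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return rejected, remaining


if __name__ == "__main__":
    db = make_db()
    print("concat, name :", names_by_name_concat(db, NAME_INPUT))
    print("bound,  name :", names_by_name_bound(db, NAME_INPUT))
    print("escaped, id  :", names_by_id_escaped(db, ID_INPUT))
    print("bound,   id  :", names_by_id_bound(db, ID_INPUT))
    print("stacked      :", stacked_statement_rejected(db))
```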

  9. how is stuxnet an example of old vulnerabilities? by SethJohnson · · Score: 2

    I'm not sure how stuxnet is a proper illustration of old vulnerabilities being ignored. From what I recall of stuxnet, it is a WORM that exploits multiple zero-day vulnerabilities, at least one of which was due to security certs stolen from a hardware vendor in Asia. Sure, best practices were ignored wherein industrial centrifuge controllers should have been physically firewalled from any devices that connect with other networks or devices.

    But seriously, stuxnet isn't as good an example of a glaring security incompetence as the recent HBGary intrusion. That started with a simple SQL injection, and ended up with executive emails revealing nefarious corporate dealings by a company pretending to be a security consultant.

    Here is an EXCELLENT technical dissection of the HBGary attack. Nothing spectacular involved. Just nuts-and-bolts hacking with impressive results.

    Seth

  10. Give a damn by Runaway1956 · · Score: 3, Insightful

    Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:Give a damn by causality · · Score: 5, Insightful

      Thank you, Anonymous Coward. You've helped me to figure out exactly why Linux is more secure than Windows. It isn't the operating system. It isn't the user. It isn't any application, set of applications, or combination of utilities. It's right there in your post. "average users wont start giving a damn" For the most part, Linux users are those who give a damn. The attitude - nothing more, nothing less. You've got to give a damn, or the best system is just a non-secure mess of code!

      I would add that there are reasons why systems like Linux appeal so much to this kind of user.

      The biggest single one is that it doesn't assume you're an idiot. The system is built for users who intend to gradually become more and more familiar with how their systems work and how to maintain them. Users who traverse the learning curve at their own pace are rewarded with more and more ability to assume control and enjoy a system that does what they want the way they want to do it. You can also peek under the hood and see for yourself how things really work, with your skill level being the only limit. Generally things are made as simple as possible but no simpler, unlike Windows.

      I would not classify Windows as easy to use, myself. I would call it easy to learn. Linux is quite easy to use if you have learned it. Learning how to use it is a one-time investment that continues to pay off. You can learn all about Windows but that won't make it much more convenient to automate, won't stop it from getting in your way whenever you try to do something advanced, and it won't stop it from trying to make you do things the way Microsoft intended.

      The culture around Windows tends to encourage treating it like a black box and memorizing a set of steps to take in order to accomplish a specific task. The culture around Linux and Unix tends to encourage actually understanding how and why the tools work.

      Linux also tends to be logical and predictable, the way you'd expect a machine to function. If something breaks, it broke for a good reason. It will stay broken until you fix it. When you fix it, it will stay fixed. You can actually get a meaningful error message that really does help you identify and isolate the problem. Windows has come a long, long way on these two points but it has yet to match the elegance of Linux and Unix. It's also helpful that all of the important configuration ultimately resides in plain text files. There is no opaque single point of failure like the Windows registry, which is a binary database that tends to become a mess over time.

      I'd also say that the package management systems that come with Linux distros are vastly superior to the way software is acquired and installed on Windows. Instead of each third-party program having to chase down its own updates, often popping up nag screens requiring the user to complete the final step, you can update every last piece of software on your system with a single command. It's neater, less error-prone, and frankly less annoying. That counts for a lot considering how important it is to keep your system updated, considering how many Windows machines are compromised by exploiting already-patched vulnerabilities. Unfortunately I do not believe central software repositories would be possible on Windows, as the proprietary licenses of most Windows software would not allow third parties to redistribute them.

      The users contributing the most to the rampant security problems are what I call permanent newbies. They hate learning new things. Somehow, they can use a tool for ten years without ever knowing much more about it than when they started. They don't even pick up knowledge here and there over time, let alone would they actively study anything. It is like they are too proud to do that. Asking them to do a bit of light reading for their own good is like asking an aristocrat to "fraternize with the help". It is a mentality to which I cannot easily relate. I cannot name anything non-trivial I do on a daily basis that I never learn new things about as I acquire more experience.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Give a damn by causality · · Score: 2

      Managing an IT shop at a school, my biggest problem with the student workers was beating the "anyone who doesn't give a shit about computers is a stupid idiot" out of them.

      I know it's a stage all geeks go through, but man is it irritating. The only thing that kept my rage in check was the knowledge that I was an even bigger douchebag at their age.

      The thing to keep in mind is that for most of the planet computers are a means to an end. They are (and should be) practically invisible to the user when they work. The fact that we have to constantly harass users into sane behavior (e. g. "don't open that, it's a goddamn virus") isn't a reflection of their intelligence, it's a reflection of POOR DESIGN.

      That's one "side" of it if you like. Certainly I have never advocated that we make things needlessly complex.

      I am wondering how best to explain this because it's a mentality, a willingness to invest, a recognition of a certain mental laziness. I'll concentrate on some basic everyday things, for computers have become everyday tools.

      I know more about driving today than back when I first obtained my driver's license. I have learned by doing, through experience. Specifically this has to do with defensive driving, with leaving margin for error for both myself and other drivers, with not surprising other drivers, not being surprised by them even when they screw up royally, etc. I pick up things from time to time after having observed them empirically.

      I know more about how to manage money today than I did back when I got my very first bank account. Same deal for the driving; I pick things up over time and I make it a point to remember them. For the 401(k) I learned where the money was actually going, what the various funds represent, how much risk they each involve, etc. In other words, I did my homework even though at least some of the time I could leave it alone and trust someone else to take care of it.

      Now in both cases I could balk at the effort. I could refuse to invest in the things I do daily. Especially for driving I could make a bunch of excuses about how "it's not FAIR" that it can be so dangerous sometimes, that this isn't my fault, that everybody else should always obey the law, that I shouldn't be expected to have split-seconds to deal with the situations created when they don't, etc etc... basically the equivalent of "I am not a computer expert!" when what you're asking for is basic competence.

      Likewise, "it's not FAIR" that some bad people just love to break into computers and use them for evil purposes. Am I going to whine about that and resent anyone who points out that I can take steps to mitigate it? Or am I going to accept it as a fact of life and plan accordingly, which (here's the apparently painful part for mainstream America) might involve having to read up on the subject? I know which one I would choose.

      Besides which you actually enjoy life a bit more when you are more involved in how it plays out. When you actually have some appreciation for the interconnected complexity of the things around you, some sense of awe that it works like it does. When everything you touch isn't some black box but instead, a system that has fundamental principles which people have learned to harness. Especially when you have some confidence that you can handle unexpected problems that come up, not because you are such an expert but because you understand fundamental problem-solving and it's okay to have to do it sometimes.

      Like I said I am attempting to describe a mentality. I believe this mentality, like so many things, is being sacrificed at the altar of convenience. The funny thing about that, is that few things would seem as inconvenient to me as the predictable, preventable problems so many people are having. Yet the idea that one should grow in knowledge and experience with sufficient time is one they soundly reject, and for that there are consequences. Not because I say so, of course, but because that's the nature of the situation and no amount of denial will change that.

      --
      It is a miracle that curiosity survives formal education. - Einstein