Most Vulns Exploited By Stuxnet Worm Remain Unpatched

chicksdaddy writes with this excerpt from ThreatPost: "The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner. Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm, Threatpost reports."

Vulns?

[Enderandrew]

When did vulns become a word?

And is it really a new story that many companies don't patch immediately for every vulnerability out there?

Re:Vulns?

[ArhcAngel]

First 23,000 filesharing Does and now Vulns...WTF? Did /. hire someone from gizmodo or engadget?

Re:Vulns?

[Lunix+Nutcase]

The first one is correct. It is 'Does' as in plural "John Doe".

Re:Vulns?

No, John Does is plural. Does is a lot of female deer. Vulns is just gibberish.

Re:Vulns?

[ArhcAngel]

John Does is correct. Does is lazy and incorrect.

Re:Vulns?

[chemicaldave]

When did vulns become a word?

Apparently, some years ago. Here's a vulnerability information site created in 2006.

And is it really a new story that many companies don't patch immediately for every vulnerability out there?

It is when we're talking about a high-profile vulnerability.

Re:Vulns?

[catmistake]

Whatever. I've been running my Siemann's centrifuge at home for years without AV or patches... I go online every day, and my system is still tight. Only idiots get viruses.

Re:Vulns?

Since the day that slashdot has a stupid 'Working' label at the bottom of the browser that doesn't go away.

Re:Vulns?

[bberens]

The plural of doe is doe. The plural of Doe is Does. Capitalization matters.

Re:Vulns?

[dloose]

When did vulns become a word?

So happy this was the first reply. What an obnoxious headline.

Re:Vulns?

[Bacon+Bits]

'John and Jane Does' is correct. 'John Does' is lazy and sexist.

Re:Vulns?

"Johns Doe"

Re:Vulns?

Shhhh. It's busy!

Let's be hype and use stupid abbreviations.

[pep939]

Vulns sounds much cooler than Vulnerabilities anyway. Lulz.

Power plants

[instagib]

Let's just hope such devices are not used in nuclear power plants. BTW, are power plants connected to the Internet?

Re:Power plants

[Lunaritian]

Wasn't the target of Stuxnet some nuclear power plant in Iran?

Re:Power plants

It was uranium enriching facilities, not power plants, the idea was to prevent the iranians form enriching uranium to obtain nuclear weapons.

Re:Power plants

[228e2]

Nah, they are on their own network, aka "air-gaped". They are compromised when idiots dont use proper cross domain solutions like usb drives, or even worse intermingle computers on restricted networks and the internet.

Re:Power plants

[idontgno]

"air-gaped"

<style voice="InigoMontoya">
I do not think it means what you think it means.
</style>

Let's just say I'm not gonna google "gaped" at work. I'm just sayin'.

Re:Power plants

I would say, yes they are, however the Siemens systems should not be directly connected to the out side world. IIRC the Stuxnet worm was ment to infect the Siemens systems via flash drive. It would infect non-control systems, hoping someone would cross contaminate the Siemens system with a infected flash drive from one of the non-control systems. I would imagine that most power plants operate in a similar fashion, however the threat could be mitigated by policy implementations (if the employee's followed them)

Re:Power plants

[grassy_knoll]

According to this article original versions of stuxnet attempted to spread via USB and while it did apparently spread it didn't spread far enough to hit the targeted system. Seems like the "spread via infected laptop" is the most likely.

Re:Power plants

[sjames]

Hope springs eternal!

put on tinfoil hats

Of course it's unpatched, the governments responsible for stuxnet have probably mandated that those vulns be left available for them.

Not quite. Uranium enrichment plants.

[mmell]

A place which makes fuel for a nuclear power plant - in this instance, a nuclear power plant designed to release terawatts of power over the course of a few milliseconds.

Of course....

if they got fixed, then the Western governments would be without backdoors into the systems of the Iranians, etc.

If you're firewalled the vuln is not a worry.

[grink]

In the electric utility industry if you are considered bulk power and have critical assets your firewalls must be configured with DENY (http://www.nerc.com/files/CIP-005-3.pdf) as the default rule and only allow defined connections. All the big players in the US and Canada have their control networked segmented off and they don't have access to the Internet.

Re:If you're firewalled the vuln is not a worry.

I think this is a perfect example of someone who believes that if it's written so shall it be done.

This is not the real world.

SCADA systems are installed everywhere, not in datacenters with proper layered defense strategies. You simply cannot manage the hacked together networks in order to provide full remote access to these control systems which is demanded.

Security is an after thought.

Re:If you're firewalled the vuln is not a worry.

What kind of person doesn't have their firewall configured with DENY as default and only allow defined connections? If your firewall is configured to ALLOW by default and then you add rules to DENY specific things you are doing it wrong.

Re:If you're firewalled the vuln is not a worry.

[biodata]

It's one thing to set the defaults on the firewalls but another about who gets let inside? How many of these organisations employ oversees or offshore IT contractors with access inside the firewalls?

Re:If you're firewalled the vuln is not a worry.

As Stuxnet demonstrated, infecting a laptop that will eventually be used to configure a SCADA system can be enough The Internet does not have to be the attack vector and most people attacking a SCADA system are probably not worried about ex-filtrating data and just want to cause damage to/with the SCADA equipment.

Re:If you're firewalled the vuln is not a worry.

[chuckugly]

From what I recall the Iranians were pwned via thumb drives ......

Re:If you're firewalled the vuln is not a worry.

[grassy_knoll]

Firewall won't help you against a infected laptop connecting directly to a PLC.

See this article or, even better, Ralph Langner's TED talk.

Re:If you're firewalled the vuln is not a worry.

[betterunixthanunix]

Security should not be based on a single system like that. Your firewall may be compromised, an attacker may access to a system behind the firewall, etc. It is just bad practice to leave critical vulnerabilities unpatched.

Re:If you're firewalled the vuln is not a worry.

In the electric utility industry if you are considered bulk power and have critical assets your firewalls must be configured with DENY (http://www.nerc.com/files/CIP-005-3.pdf) as the default rule and only allow defined connections. All the big players in the US and Canada have their control networked segmented off and they don't have access to the Internet.

Except that's not how Stuxnet worked: it infected Windows machines, and then tried to find the Siemens' SCADA control software, and then infect that.

It doesn't matter whether the controllers were network enabled, as long as the desktops/laptops were. Even if they weren't, you could perhaps infect the PCs via USB keys.

Re:If you're firewalled the vuln is not a worry.

CIP-004 requires a Personel Risk Assessment done for each individual with access and CIP-005 which requires strong authentication for starters. CAN-0005 forbids remote access for a device that is not inside a PSP/ESP and treating the remote access device as a CCA, which in turn makes it subject to CIP-005 & CIP-007. The only exception I could see to provide remote support insight into what you're doing would be if you had a method to allow remote support to see your screen, but not have any sort of control. We have regulations to cover this, regular audits, and fines that back it up ($1M/violation/day).

http://www.ferc.gov/enforcement/civil-penalties.asp

Re:If you're firewalled the vuln is not a worry.

Iran's nuclear program facilities had firewalls configured with "DENY as the default rule" and weren't worrying about any "vuln" either. Haha.

Re:If you're firewalled the vuln is not a worry.

[sjames]

So, how many have deny by default and each port (udp and tcp) from 1-65532 individually permitted for any source address?

How many have "no access to the internet" but wide open access to poorly protected machines that do have full internet access?

Of course, Iran's downfall was the sneakernet connection between the red and black networks.

Blackhat

The blackhat presentation that supposedly will happen, though i believe the presentation will be killed at the last minute if not sooner, will shed light on a system that NO ONE at the top wants people to know about.

These systems are EVERYWHERE. They are ALL broken.

This isn't "chicken little", the DHS has already put an end to full disclosure of SCADA vulnerabilities and that only happens when they're REALLY scared.

People deserve to know the truth about these systems. If they are attacked it's the direct responsibility of the people who implemented the systems which will turn out to be lowest bidder contracted help with little to no dedication to security.

WE DESERVE EVERYTHING WE GET!

Re:Blackhat

[AB3A]

Uh, no. DHS did not squelch anything. They made a request and NSS labs obliged.

This is important: the issue here is not about the PLC, it is about the process it controls. Ultimately Siemens is the small fry here. The real problem are the utilities and other critical infrastructure that depend upon this stuff. They can't just throw a patch at it like you would do with a PC. They have to validate that patch and that means expensive down time and careful planning. There are literally months when logistics prevent me from patching. Divulging this stuff to the public so soon runs the risk of attacks against infrastructure that could not be patched in time.

The problem is that most people do not understand the reality of what PLC networks are like. If you're on the same network as a PLC, regardless of OEM, you own it. End of story.

The network where PLC gear works is not an office network. It was never designed to be compatible with office networks. The fact that they use commonplace protocols such as Ethernet and IP does not mean they're suitable for office computing. These choices were made primarily because these technologies are cheap, not because we were encouraging interconnection with offices. There is no technology available that can secure a PLC on a network. It inherently trusts the remote I/O it may have. It has to trust the programs it receives. Very few people, even among OEM companies, understand this.

Nobody has yet built a key server system designed to work at the latencies and diversity needed for industrial networking. It is not nearly as trivial as it may look. I say this as someone who is participating on the committee that is doing this very sort of thing. DNP (IEEE 1815) has a secure authentication addition to the protocol, compatible with IEC 62351-5. We are working very hard to make sure that this works in an environment where things can afford to take a little extra time if needed (in a SCADA system).

So far nobody has managed to do this with a PLC environment.

Thus, saying "if you send this or that to a PLC, you can break it" is silly. You don't even have to break the PLC, you can break the process it controls. That's far worse.

Meanwhile, with Siemens acting as if the WinCC compromise doesn't exist, I have to wonder if they understand what I have just written. They've known of this situation for over three years and what have they done? I'm glad our company doesn't use WinCC, and it will be a long time before we seriously consider using their PLC gear.

And so it begins...

What we're seeing here is the start of security considerations in these industries. This is as to facilities security as the "Green Card" email is to spam.

There is as close to no security in most of these facilities as makes no difference. If I can get on your network (disgruntled employee, WiFi leakage, worm, Trojan, etc. etc.) I can trash your system with software I can buy for $25 on eBay or from any of the factory automation vendors, or build it from available specs.

This is not a Siemens/Stuxnex problem, it's universal. All PLC vendors have a problem, all Windows SCADA/Factory Automation packages are vulnerable.

It's such an easy attack vector it's laughable.

The next step will be "security by obscurity", vendors locking down systems by not publishing information. Nothing will happen until there is a publicly visible attack, then we'll see a "Patriot Act" style response from the politicians, which will do nothing.

Re:And so it begins...

[mlts]

I can see laws being passed, but definitely nothing that actually will force companies to zip their flies up.

We will see laws mandating DRM, squashing anonymity, demanding websites have a license for any accounts, root/Administrator taken away from computer users, DRM stacks in all Internet connected hardware with core/edge NAC enforcing it, and so on. Basically, everything on the *AA laundry list of wants.

So, the next SCADA attack will likely result in the Internet ending up like Compuserve for everyone but the true blackhats... and I'm sure the ISPs will be more than willing to tack on the old Compuserve fees for hours on as well.

Stop using Windows

Personally, I think if you use Microsoft's quaint little desktop games-loader (oh sorry, its steet name is "Wnnn d'ohs") for anything critical, you should be jailed.

That's right, jailed.

For recklessly endangering life and property.

hello webmaster

[formation]

Check to see if your Company name is available http://bit.ly/m2IHF4

hello webmaster

[formation]

Check to see if your Company name is available http://bit.ly/m2IHF4