Stuxnet Malware Raises Critical Questions For Infrastructure Security

Veracode : 26 July, 2010  (Technical Article)
Veracode comments on the Stuxnet malware's exploitation of Siemens software and calls for stricter enforcement of disclosure so that vulnerabilities are closed faster.
As the Siemens Stuxnet malware story continues to unfold, it raises critical questions that all global organizations must address when instituting more effective software security and IT risk management strategies. Because the incident highlights the heightened risk of corporate espionage and sabotage through increasingly sophisticated attacks, security researchers at Veracode say organizations must do more to proactively protect against known and unknown (zero-day) security vulnerabilities in software, including more effective security testing and better public disclosure policies.

As has been widely reported in the Siemens case, the Stuxnet worm was programmed to take advantage of a zero-day vulnerability in Microsoft Corporation's Windows operating system, allowing it to spread through USB devices. Once a Siemens system is infected, the malware uses hard-coded default passwords, also referred to as "application backdoors," in Siemens' WinCC SCADA software to try to upload control-system data to a remote server.

"As critical systems like SCADA increasingly move from proprietary technologies to using more open and standardized third-party software, they are going to be as vulnerable as the systems compromised in highly-publicized breaches occurring at Google and TJX, among others," said Matt Moynahan, CEO, Veracode. "The fact that companies with such respected brands and mature software development processes still suffer from zero-day vulnerabilities is an issue. It is one thing to spend a lot of time, budget and political capital trying to improve a development process, but it is another to verify that process produced the desired outcome - secure code free from zero-day vulnerabilities. Existing tools based on testing source code are insufficient and not working as advertised to solve the secure coding problem. Given the amount of third-party code incorporated into any and every application, testing and verifying the software system in its fully-integrated final form should be a requirement. This is also the form in which it is being attacked."

According to the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to, hard-coded passwords rank at number 11. The list features the most widespread and critical programming errors that can lead to serious software vulnerabilities. While the Siemens case is making headlines, this is an attack vector that is easy to find, and easy to exploit at any number of organizations.

"Hard-coded passwords are a type of application backdoor found in a lot of software that has not undergone proper security testing before shipping to customers. Veracode commonly finds this vulnerability in the software we test for our customers, and with the Siemens story bringing attention to it, we can expect this attack vector to continue to be exploited," said Veracode CTO Chris Wysopal.

This incident raises the question: "Why didn't Siemens fix the hard-coded password vulnerability when it was first publicly disclosed?" According to reports, the company waited more than two years and only started to fix it after the vulnerability was exploited by a worm. In this case, is it considered negligence when a company doesn't fix a critical known vulnerability and waits for its customers to be exploited?

"We know that Siemens cares deeply about its brand and customers - but more needs to be done. Companies like Siemens put their customers at risk and should be held responsible for egregious vulnerabilities in software that continues to be delivered to market. However, what's worse, in our opinion, is the impact on all the customers that purchased the software - without knowing about potential threats. Consider Siemens' customers like manufacturers or utility companies that are operating SCADA systems on critical infrastructure with the WinCC software. Those customers' end-users and shareholders have the right to expect that any software being used to run critical infrastructure has been put through proper security testing before being installed," continued Wysopal.

The way to solve the problem of vulnerable software in critical infrastructure is to have independent security tests for at least the vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors before the software is deployed. Otherwise, customers are just hoping that another company's systems are compromised, and a patch deployed, before their own systems are compromised. With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option.
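The hard-coded credential pattern described above (CWE-798 in the CWE/SANS Top 25) is the kind of defect an independent pre-deployment check should catch. The following is an added example, not Veracode's tooling or any Siemens code: a heuristic scan for credential literals run over two constructed snippets, beside the hardened form that loads the secret from the deployment environment and fails closed when it is missing. Names such as `SCADA_DB_PASSWORD` are assumptions.

```python
import os
import re
from typing import List, Mapping, Tuple

# Constructed sample sources (not real SCADA code). The first assigns a
# default password as a string literal, the CWE-798 pattern; the second
# takes the same credential from the environment at start-up.
VULNERABLE_SNIPPET = '''
# connection to the process-data database
DB_USER = "scada_admin"
DB_PASSWORD = "s3cr3t-default"
conn = connect(user=DB_USER, password=DB_PASSWORD)
'''

HARDENED_SNIPPET = '''
DB_USER = os.environ["SCADA_DB_USER"]
DB_PASSWORD = os.environ["SCADA_DB_PASSWORD"]
conn = connect(user=DB_USER, password=DB_PASSWORD)
'''

# A string literal assigned to a name ending in pass/password/passwd/secret/token.
# This is a review heuristic for a pre-deployment gate, not a full test suite.
_HARDCODED_RE = re.compile(
    r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:pass(?:word|wd)?|secret|token))\s*=\s*'
    r'(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)\s*$',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, variable_name, literal) for each credential literal found."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = _HARDCODED_RE.match(line)
        if match:
            hits.append((line_no, match.group("name"), match.group("value")))
    return hits


def load_credential(env_var: str, env: Mapping[str, str] = os.environ) -> str:
    """Hardened form: read the secret from the environment and refuse to start
    with an empty value, so a missing credential fails closed rather than
    silently falling back to a shipped default."""
    value = env.get(env_var, "")
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a credential")
    return value
```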
   © 2012 ProSecurityZone.com