Most Vulns Exploited By Stuxnet Worm Remain Unpatched

chicksdaddy writes with this excerpt from ThreatPost: "The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner. Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm, Threatpost reports."

Vulns?

[Enderandrew]

When did vulns become a word?

And is it really a new story that many companies don't patch immediately for every vulnerability out there?

Re:

[ArhcAngel]

First 23,000 filesharing Does and now Vulns...WTF? Did /. hire someone from gizmodo or engadget?

Re:

[Lunix Nutcase]

The first one is correct. It is 'Does' as in plural "John Doe [wikipedia.org]".

Re:

[bberens]

The plural of doe is doe. The plural of Doe is Does. Capitalization matters.

Re:

[ArhcAngel]

John Does is correct. Does is lazy and incorrect.

Re:

[Bacon Bits]

'John and Jane Does' is correct. 'John Does' is lazy and sexist.

Re:

[chemicaldave]

When did vulns become a word?

Apparently, some years ago. Here's [vuln.sg] a vulnerability information site created in 2006. [whoisdomain.net]

And is it really a new story that many companies don't patch immediately for every vulnerability out there?

It is when we're talking about a high-profile vulnerability.

Re:

[catmistake]

Whatever. I've been running my Siemann's centrifuge at home for years without AV or patches... I go online every day, and my system is still tight. Only idiots get viruses.

Re:

[dloose]

When did vulns become a word?

So happy this was the first reply. What an obnoxious headline.

Let's be hype and use stupid abbreviations.

[pep939]

Vulns sounds much cooler than Vulnerabilities anyway. Lulz.

Power plants

[instagib]

Let's just hope such devices are not used in nuclear power plants. BTW, are power plants connected to the Internet?

Re:

[Lunaritian]

Wasn't the target of Stuxnet some nuclear power plant in Iran?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[228e2]

Nah, they are on their own network, aka "air-gaped". They are compromised when idiots dont use proper cross domain solutions like usb drives, or even worse intermingle computers on restricted networks and the internet.

Re:

[idontgno]

"air-gaped"

<style voice="InigoMontoya">
I do not think it means what you think it means.
</style>

Let's just say I'm not gonna google "gaped" at work. I'm just sayin'.

Re:

[grassy_knoll]

According to this article [computerworld.com] original versions of stuxnet attempted to spread via USB and while it did apparently spread it didn't spread far enough to hit the targeted system. Seems like the "spread via infected laptop" is the most likely.

Re:

[sjames]

Hope springs eternal!

If you're firewalled the vuln is not a worry.

[grink]

In the electric utility industry if you are considered bulk power and have critical assets your firewalls must be configured with DENY (http://www.nerc.com/files/CIP-005-3.pdf) as the default rule and only allow defined connections. All the big players in the US and Canada have their control networked segmented off and they don't have access to the Internet.

Re:

[biodata]

It's one thing to set the defaults on the firewalls but another about who gets let inside? How many of these organisations employ oversees or offshore IT contractors with access inside the firewalls?

Re:

[chuckugly]

From what I recall the Iranians were pwned via thumb drives ......

Re:

[grassy_knoll]

Firewall won't help you against a infected laptop connecting directly to a PLC.

See this article [computerworld.com] or, even better, Ralph Langner's TED talk [ted.com].

Re:

[betterunixthanunix]

Security should not be based on a single system like that. Your firewall may be compromised, an attacker may access to a system behind the firewall, etc. It is just bad practice to leave critical vulnerabilities unpatched.

Re:

[sjames]

So, how many have deny by default and each port (udp and tcp) from 1-65532 individually permitted for any source address?

How many have "no access to the internet" but wide open access to poorly protected machines that do have full internet access?

Of course, Iran's downfall was the sneakernet connection between the red and black networks.

Blackhat

[Anonymous Coward]

The blackhat presentation that supposedly will happen, though i believe the presentation will be killed at the last minute if not sooner, will shed light on a system that NO ONE at the top wants people to know about.

These systems are EVERYWHERE. They are ALL broken.

This isn't "chicken little", the DHS has already put an end to full disclosure of SCADA vulnerabilities and that only happens when they're REALLY scared.

People deserve to know the truth about these systems. If they are attacked it's the direct

Re:

[AB3A]

Uh, no. DHS did not squelch anything. They made a request and NSS labs obliged.

This is important: the issue here is not about the PLC, it is about the process it controls. Ultimately Siemens is the small fry here. The real problem are the utilities and other critical infrastructure that depend upon this stuff. They can't just throw a patch at it like you would do with a PC. They have to validate that patch and that means expensive down time and careful planning. There are literally months when logistics

And so it begins...

[Anonymous Coward]

What we're seeing here is the start of security considerations in these industries. This is as to facilities security as the "Green Card" email is to spam.

There is as close to no security in most of these facilities as makes no difference. If I can get on your network (disgruntled employee, WiFi leakage, worm, Trojan, etc. etc.) I can trash your system with software I can buy for $25 on eBay or from any of the factory automation vendors, or build it from available specs.

This is not a Siemens/Stuxnex probl

Re:

[mlts]

I can see laws being passed, but definitely nothing that actually will force companies to zip their flies up.

We will see laws mandating DRM, squashing anonymity, demanding websites have a license for any accounts, root/Administrator taken away from computer users, DRM stacks in all Internet connected hardware with core/edge NAC enforcing it, and so on. Basically, everything on the *AA laundry list of wants.

So, the next SCADA attack will likely result in the Internet ending up like Compuserve for everyone b