Most Vulns Exploited By Stuxnet Worm Remain Unpatched
chicksdaddy writes with this excerpt from ThreatPost: "The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner. Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm, Threatpost reports."
Vulns? (Score:5, Interesting)
When did vulns become a word?
And is it really a new story that many companies don't patch immediately for every vulnerability out there?
Re: (Score:3)
The first one is correct. It is 'Does' as in plural "John Doe [wikipedia.org]".
Re: (Score:2)
'John and Jane Does' is correct. 'John Does' is lazy and sexist.
Re: (Score:3)
When did vulns become a word?
Apparently, some years ago. Here's [vuln.sg] a vulnerability information site created in 2006. [whoisdomain.net]
And is it really a new story that many companies don't patch immediately for every vulnerability out there?
It is when we're talking about a high-profile vulnerability.
Re: (Score:1)
When did vulns become a word?
So happy this was the first reply. What an obnoxious headline.
Power plants (Score:2)
Let's just hope such devices are not used in nuclear power plants. BTW, are power plants connected to the Internet?
Re: (Score:2)
"air-gaped"
<style voice="InigoMontoya">
I do not think it means what you think it means.
</style>
Let's just say I'm not gonna google "gaped" at work. I'm just sayin'.
Re: (Score:2)
According to this article [computerworld.com], original versions of Stuxnet attempted to spread via USB, and while it did apparently spread, it didn't spread far enough to hit the targeted system. Seems like the "spread via infected laptop" is the most likely.
Re: (Score:2)
Hope springs eternal!
If you're firewalled the vuln is not a worry. (Score:3, Informative)
In the electric utility industry, if you are considered bulk power and have critical assets, your firewalls must be configured with DENY (http://www.nerc.com/files/CIP-005-3.pdf) as the default rule and only allow defined connections. All the big players in the US and Canada have their control networks segmented off and they don't have access to the Internet.
Re: (Score:3)
Firewall won't help you against an infected laptop connecting directly to a PLC.
See this article [computerworld.com] or, even better, Ralph Langner's TED talk [ted.com].
Re: (Score:2)
So, how many have deny by default and each port (udp and tcp) from 1-65532 individually permitted for any source address?
How many have "no access to the internet" but wide open access to poorly protected machines that do have full internet access?
Of course, Iran's downfall was the sneakernet connection between the red and black networks.
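The contrast drawn in the two comments above (a DENY default versus what the permit rules actually let through), as an added example that is not part of the thread: a small audit that measures how much of the port space any source address can still reach. The `Permit` model, the 50% threshold and both sample policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_PORT = 65535
ANY = {"any", "0.0.0.0/0"}

@dataclass(frozen=True)
class Permit:
    proto: str    # "tcp" or "udp"
    src: str      # source CIDR, or "any"
    lo: int       # first destination port
    hi: int       # last destination port

def any_source_coverage(permits, proto):
    """Fraction of the port space for proto that any source address can reach."""
    spans = sorted((p.lo, p.hi) for p in permits if p.proto == proto and p.src in ANY)
    covered = end = 0
    for lo, hi in spans:
        lo = max(lo, end + 1)          # skip ports an earlier span already counted
        if hi >= lo:
            covered += hi - lo + 1
            end = hi
    return covered / MAX_PORT

def audit(permits, default_action, threshold=0.5):
    """Return findings for a policy modelled as permit rules plus one default action."""
    findings = []
    if default_action.lower() != "deny":
        findings.append("default rule is not DENY")
    for proto in ("tcp", "udp"):
        frac = any_source_coverage(permits, proto)
        if frac >= threshold:
            findings.append(f"{proto}: {frac:.1%} of ports permitted from any source")
    return findings

# Constructed sample 1: DENY default, but every port 1-65532 permitted one by one.
HOLLOW = [Permit(proto, "any", port, port)
          for proto in ("tcp", "udp") for port in range(1, 65533)]

# Constructed sample 2: DENY default with a single defined connection.
TIGHT = [Permit("tcp", "10.10.5.0/24", 102, 102)]

if __name__ == "__main__":
    for name, policy in (("hollow", HOLLOW), ("tight", TIGHT)):
        print(name, audit(policy, "deny") or "no findings")
```

Both sample policies pass a check that only looks at the default rule; only the coverage measurement tells them apart.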
Blackhat (Score:2, Interesting)
The blackhat presentation that supposedly will happen, though I believe the presentation will be killed at the last minute if not sooner, will shed light on a system that NO ONE at the top wants people to know about.
These systems are EVERYWHERE. They are ALL broken.
This isn't "chicken little", the DHS has already put an end to full disclosure of SCADA vulnerabilities and that only happens when they're REALLY scared.
People deserve to know the truth about these systems. If they are attacked it's the direct
Re: (Score:2)
Uh, no. DHS did not squelch anything. They made a request and NSS labs obliged.
This is important: the issue here is not about the PLC, it is about the process it controls. Ultimately Siemens is the small fry here. The real problem is the utilities and other critical infrastructure that depend upon this stuff. They can't just throw a patch at it like you would do with a PC. They have to validate that patch and that means expensive downtime and careful planning. There are literally months when logistics
And so it begins... (Score:1)
What we're seeing here is the start of security considerations in these industries. This is to facilities security as the "Green Card" email is to spam.
There is as close to no security in most of these facilities as makes no difference. If I can get on your network (disgruntled employee, WiFi leakage, worm, Trojan, etc. etc.) I can trash your system with software I can buy for $25 on eBay or from any of the factory automation vendors, or build it from available specs.
This is not a Siemens/Stuxnet probl
Re: (Score:2)
I can see laws being passed, but definitely nothing that actually will force companies to zip their flies up.
We will see laws mandating DRM, squashing anonymity, demanding websites have a license for any accounts, root/Administrator taken away from computer users, DRM stacks in all Internet connected hardware with core/edge NAC enforcing it, and so on. Basically, everything on the *AA laundry list of wants.
So, the next SCADA attack will likely result in the Internet ending up like Compuserve for everyone b