If you think that the biggest threat to your organization’s security comes from code injection, cross site scripting or other vulnerabilities in Web applications then think again: allowing your network to get infected with a worm could cause your company’s factories and other physical installations to explode. Quite literally.
That’s the conclusion of Ralph Langner, an industrial systems security expert, after analyzing the infamous Stuxnet worm and industrial control system rootkit, discovered earlier this year, which he dubs the “hack of the century.” Stuxnet targets Siemens industrial control systems which use Windows Control Center (WinCC) software and infiltrates programmable logic controllers – special purpose computer systems that control factory machinery, power generation installations and the like – in some cases preventing them from working as intended. “Stuxnet manipulates a fast running process. Based on process conditions, the original code that controls this fast running process will no longer be executed,” says Langner. “After the original code is no longer executed, we can expect that something will blow up soon. Something big,” he adds, ominously.
Langner suggests that the Stuxnet worm is so sophisticated that it may have been developed by a government agency, and says that it was clearly designed to sabotage physical installations. It may have been designed to target and destroy a specific site, such as Iran’s Bushehr nuclear facility. Iran has since reported that it’s struggling to contain the worm.
Whether the nuclear facility itself was the target is still a matter for speculation, but the concept of targeted sabotageware is troubling in the extreme. That’s because hackers and malware writers get more sophisticated over time. And that means that while Stuxnet may have been created by an elite government cyberwarfare team hoping to neutralize an enemy regime’s nuclear capabilities, give it a year or two and this type of malware will probably be being churned out by hackers hoping to use it to make themselves a whole lot of money.
If you think about it, it’s the logical extension of what is commonplace already: Organizations today are falling victim to highly targeted spearphishing attacks, and they are being extorted by ransomware which paralyzes individual machines and by organized crime gangs threatening to carry out Distributed Denial of Service (DDoS) attacks on ecommerce sites unless the owners pay a “protection” fee. The obvious conclusion is that the black hats will raise the stakes in the coming years, threatening not just to bring web transactions to a halt if payments aren’t made, but to stop production, sabotage machinery, and, literally, destroy factories.
If you’re responsible for securing your company’s infrastructure then allowing a worm to get loose on your network could one day be catastrophic.
DDoS attacks are still with us
That’s not to say that DDoS attacks are likely to go away any time soon, as members of the 4chan message board community reminded the world earlier this month. Protesting against those it holds responsible for action against the Pirate Bay torrent tracking site, 4chan’s “Anonymous” members launched Operation Payback is a Bitch.” This took the form of a DDoS attack against Aiplex, an Indian company that carries out DDoS attacks against torrent trackers, swiftly followed by attacks against the websites of the Motion Picture Association of America (MPAA) and the Recording Industry Association of America (RIAA.)
Anonymous may not be carrying out the attacks for monetary gain, but other people certainly are. Earlier this month Georgia -based security company Damballa announced that it has discovered a Chinese commercial DDoS service called IMDDOS, which anyone can hire. “The public website hosting the DDoS service, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure,” says Gunter Ollmann, vice president of research for Damballa. The company says IMDDOS offers different DDoSing services ranging from free basic services to paid ones which include 24 x 7 customer support. IMDDOS is also currently recruiting resale agents to promote its business Damballa says. (For more information, you are invited to contact a customer service agent using the Chinese QQ chat service. Good luck with that … )
SAP gets on board with “Patch *day”
Working out the best strategy for offering patches is a tricky one, involving a delicate balancing act between security and customer convenience, among other things. Microsoft’s regular monthly Patch Tuesday has its fans, but it’s also criticized for being too frequent, not frequent enough, and being so predictable that it leads to “exploit Wednesdays,” when hackers know – unless there is an out of cycle patch – that they have a full month to exploit a vulnerability. (It’s actually questionable whether exploit Wednesdays are really a problem – releasing an exploit a few days before a Patch Tuesday would probably leave Microsoft with insufficient time to come out with a patch, giving hackers more than a month of exploit time. But that’s another matter.)
In an apparent endorsement of Microsoft’s strategy, German ERP giant SAP – a company that has a deep commitment to security, enterprise computing and its customers – has decided to implement a monthly “Security Patch Day” scheduled to coincide with Microsoft’s Patch Tuesday, according to a report on The H Security. Updates will be provided by SAP’s Service Marketplace platform.
Has Microsoft really cleaned up its security game?
Interestingly Microsoft’s latest operating system products – Windows Server 2008 R2 and Windows 7 – seem less vulnerability prone than its older ones, at least if September’s Patch Tuesday is anything to go by. While Windows XP, Windows 2003 and Vista saw four critical vulnerabilities patched, three did not affect the new operating systems while the fourth was downgraded from critical to important. “These results show that organizations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them,” said Don Leatham, senior director of solutions and strategy at security firm Lumension, Cnet reports.
Could it be possible that finally, after all these years, Microsoft’s terrible security record is actually improving? Let’s see what October’s Patch Tuesday brings before jumping to any conclusions…