17. September 2010 · ‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security · Categories: Malware · Tags: Stuxnet
Brian Krebs has a detailed article on Stuxnet, including how it targets Siemens industrial control systems.
“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”
Today’s round of Microsoft patches addresses a variety of issues, including one of the Stuxnet-related zero-day vulnerabilities. Stuxnet actually leverages four different zero-day vulnerabilities! Further details are in the linked coverage. Computerworld has a more detailed article about Stuxnet: Siemens: Stuxnet worm hit industrial systems.
Security researchers [at Symantec] say that a new wave of attacks suggests that the malicious hackers behind a security compromise [Aurora] at Google and a number of other prestigious U.S. firms are back in business, this time using an unpatched security flaw in Adobe’s PDF (Portable Document Format) Reader application.
The post is well linked for background information on Aurora.
Bruce Schneier’s article last week, Consumerization and Corporate IT Security, postulates that IT security has no choice but to loosen control in response to the consumerization of IT; in other words, corporate use of consumer IT products cannot be controlled by IT Security.
Here at Cymbel, we became aware of this issue back in 2007 and began searching for solutions. There is no doubt that corporate employees must be allowed to take advantage of Web 2.0 applications and social networking. However, the enterprise can surely do this in a controlled manner and protect itself against the risks of using these applications.
Here are four solutions we offer to corporate IT Security to protect the organization while enabling the use of consumer IT products:
Palo Alto Networks provides a next generation firewall designed and built from the ground up to enable controlled use of Web 2.0 applications and social networking and protection against web-based malware. In the last 18 months, they’ve grown from 200 customers to 2,000 and they are now cash-flow positive. I would expect an IPO in the next 12-18 months.
FireEye protects against web-based zero-day and unknown threats using heuristics rather than signatures, and minimizes false positives by running suspicious executables in VMware-based sandboxes on its appliances before alerting.
NexTier Networks is the first Data Loss Prevention system that uses semantics to classify documents rather than traditional fingerprinting. Therefore it can protect intellectual property as well as structured data against malicious exfiltration attempts without massive pre-scanning or pre-tagging.
Zscaler provides cloud-based proxy services for protecting against web and email-based malware without having to deploy any premises equipment. This is especially suitable for organizations with many small locations. Zscaler also provides a lightweight agent for traveling users so their web and email traffic is also routed through their cloud-based service.
In addition, we recommend Sentrigo, a database protection solution, as another layer of our next generation defense-in-depth architecture focused on applications, users, and information.
With the increasing popularity of mobile devices like iPhones and Android-based phones, we are beginning to see targeted malware, raising the question, do we need anti-malware for our mobile devices? ReadWriteWeb Enterprise was prompted to write an article on this topic as a result of the Android game Tap Snake which was reported to be spyware.
It appears the mobile anti-malware market is fairly immature:
I took the opportunity to test a few of the anti-malware apps available on the market: antivirus free from droidSecurity, Lookout, Symantec‘s Norton Mobile Security for Android beta, and Smobile. I was also going to try SmrtGuard, but I couldn’t get the app to activate before Tap Snake was removed from Android Market. Of those four apps, only one detected Tap Snake as a potential threat.
The article goes on to say that tightly controlling what apps can be loaded onto mobile devices may be all enterprises need at this time.
McAfee (via Network World) just updated its “malware bait list” and Cameron Diaz came in number one.
Most anti-malware vendors, including McAfee, offer a service that flags risky sites directly in search results, helping you avoid malware-laden web pages.
This is just another example of the “inside-out” attack style which, while rather random, is still a major risk: the bad guys watch popular search terms and build sites to bait people.
16. August 2010 · Is there a Facebook “Dislike” button? · Categories: Malware
Apparently, there ought to be. Sophos’ Graham Cluley has a post about the virally spreading malware, Facebook Dislike button. While Facebook has a legitimate “Like” button, the “Dislike” button is malware.
Both Brian Krebs and Andy Greenberg (Forbes) are reporting that Network Solutions’ “parked” domains (registered sites still showing the default page), which number somewhere between 500,000 and 5 million, have been serving a compromised widget from GrowSmartBusiness.com.
By compromising GrowSmartBusiness.com, the attackers were able to compromise every copy of the widget deployed on the third-party sites Network Solutions controls. A widget gives a company tremendous leverage, but it gives attackers exactly the same leverage.
From a site owner’s perspective, no matter how rigorous you are with the security of your own site, you must also monitor all third-party software you allow on your site, such as widgets and advertising networks.
From a corporate security perspective, URL filtering by itself provides no security; it controls where users may go, not what comes back. You must inspect every component of every web page downloaded by every user with web access, all the time, whether the user is on premises or remote.
Finally, if you have users performing high risk transactions or processes, and those users also can browse the web, you must assume that their computers are compromised.
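As an added example (not code from the original post, from Krebs, or from Network Solutions), the following Python script does the two checks the preceding paragraphs call for. For the site owner it inventories every component a page loads from another host and flags iframes sized or styled to be invisible, a generic sign of injected content; and it compares a vetted widget’s current body against the hash recorded when it was reviewed, so a widget silently changed at its supplier is caught. The hostnames, the sample page and the widget bodies are constructed for the example.

```python
"""Inventory third-party components on a web page and detect a silently
changed widget.  Added example; the page, hostnames and widget bodies below
are constructed for illustration."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that make the browser fetch a remote resource.
_SRC_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "embed": ("src",),
    "object": ("data",),
}


class _RefCollector(HTMLParser):
    """Records (tag, url, attrs) for every tag that loads a resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        for name in _SRC_ATTRS.get(tag, ()):
            url = attrs.get(name)
            if url:
                self.refs.append((tag, url, attrs))


def _collect(html):
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    return parser.refs


def _same_site(host, site_host):
    """Treat the site's own host and its subdomains as first party."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def third_party_components(html, site_host):
    """Return [(tag, url)] for every resource fetched from another site.

    Relative URLs have no host and are first party; protocol-relative
    ("//cdn.example/x.js") and absolute URLs are classified by hostname.
    This is the inventory a site owner must keep of the widgets and ad
    networks allowed on their pages.
    """
    found = []
    for tag, url, _ in _collect(html):
        host = urlparse(url).hostname
        if host is not None and not _same_site(host, site_host):
            found.append((tag, url))
    return found


def hidden_iframes(html):
    """Return the src of every iframe sized to be invisible or styled hidden.

    A generic heuristic for content injected so visitors do not see it; it
    is not specific to any one incident.
    """
    flagged = []
    for tag, url, attrs in _collect(html):
        if tag != "iframe":
            continue
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = any((attrs.get(dim) or "").strip() in ("0", "1")
                   for dim in ("width", "height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            flagged.append(url)
    return flagged


def component_changed(body, vetted_sha256):
    """True when a third-party component's current body differs from the
    hash recorded when it was reviewed, i.e. the supplier changed it (or
    was compromised) and the site is now serving something unvetted."""
    return hashlib.sha256(body).hexdigest() != vetted_sha256


# --- constructed sample data (not from the original post) -----------------
SITE_HOST = "smallbiz.example"
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="//widgets.partner.example/tips.js"></script>
<link rel="stylesheet" href="https://www.smallbiz.example/css/main.css">
</head><body>
<img src="https://cdn.adnetwork.example/banner.png">
<iframe src="https://tracker.example/count.html" width="0" height="0"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

VETTED_WIDGET = b"document.write('<div class=\"tips\">Tip of the day</div>');\n"
VETTED_SHA256 = hashlib.sha256(VETTED_WIDGET).hexdigest()
# The same widget after its supplier is compromised: one appended line.
TAMPERED_WIDGET = VETTED_WIDGET + (
    b"document.write('<iframe src=\"http://bad.example/\" "
    b"width=0 height=0></iframe>');\n")

if __name__ == "__main__":
    for tag, url in third_party_components(SAMPLE_HTML, SITE_HOST):
        print(f"third-party {tag}: {url}")
    print("hidden iframes:", hidden_iframes(SAMPLE_HTML))
    print("vetted widget changed:", component_changed(VETTED_WIDGET, VETTED_SHA256))
    print("tampered widget changed:", component_changed(TAMPERED_WIDGET, VETTED_SHA256))
```

In practice the inventory and the recorded hashes live in a scheduled job that fetches each vetted component and alerts on any hash change; a hash mismatch is not proof of compromise, but it is the moment the site owner must re-review the component rather than keep serving it blindly.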
Apparently Juniper and McAfee think so. Juniper recently announced that it was acquiring SMobile Systems for $70 million. McAfee acquired TenCube. Another product in this space is Lookout.
Finally, which operating system do you think is more secure? Do you prefer closed vs. open source? Here is a recent article from Network World discussing this issue.
There has been a lot written about the Stuxnet malware in the last several weeks and rightfully so. Stuxnet not only infects Windows computers which supervise industrial control systems, but then goes on to infect the software running on individual Programmable Logic Controllers (PLCs) which control the actual subsystems of those industrial processes. (Each Windows computer controls some number of PLCs which actually run the industrial processes.)
Therefore Stuxnet enables the attacker to remotely cause an industrial automation system to malfunction. It gets even worse: the PLC malware is hidden so that the engineers who maintain the PLC code won’t notice the change. Thus Stuxnet is the first known rootkit for industrial control systems.
And the vulnerability Stuxnet exploits was a zero-day; in other words, it was not publicly known when Stuxnet began spreading. Stuxnet was first publicly reported in July 2010, but information is now coming out that it really started in 2009! Some are saying that the sophistication of Stuxnet indicates nation-state involvement.
There has always been a lot of talk about the need to protect critical infrastructure. Now we are seeing a real threat which increases the risk of industrial control incidents, and therefore heightens the priority to deploy Boundary Defense Controls in these environments.