I will be giving a presentation on the Current Top Threats at the UC Berkeley School of Information this Weds, July 21st. Hope to see you there.
Windows viruses and rootkits themselves are nothing new. The announcement from a SCADA product vendor that built its system on the Windows OS is notable because the attacker has targeted weak controls common to that vendor's customers.
InfoWorld uses a provocative article title: New ‘weaponized’ virus targets industrial secrets
After a lot of hype at the start of the article, they finally get down to the facts.
The virus targets Siemens management software called Simatic WinCC, which runs on the Windows operating system.
“Siemens is reaching out to its sales team and will also speak directly to its customers to explain the circumstances,” Krampe said. “We are urging customers to carry out an active check of their computer systems with WinCC installations and use updated versions of antivirus software in addition to remaining vigilant about IT security in their production environments.”
In other words, another Windows OS attack has been developed and released. Do not rely on antivirus alone. Patch, baseline critical systems (gold image, etc.) and monitor them.
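The "baseline and monitor" advice above is easy to state and rarely practised on control-system hosts. As an added example (not code from Siemens, Microsoft, the InfoWorld article or this blog), here is a minimal file-integrity baseline in Python: it hashes a directory tree into a manifest, stores it, and later reports what was added, removed or changed. The directory contents and the "tampering" steps are constructed inline for the demonstration.

```python
"""Added example: file-integrity baseline for a critical host.

Builds a SHA-256 manifest ("gold image" baseline) of a directory tree,
then compares a later snapshot against it to report added, removed and
modified files. Not code from any vendor mentioned in the post; the
sample tree and the simulated tampering below are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file path (relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(old, new):
    """Return sorted lists of added, removed and modified paths."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def save_baseline(baseline, path):
    """Persist the manifest as JSON (keep it off the monitored host)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a tree, then simulate a dropped
    library, an altered binary and a deleted config file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "app.exe"), "wb") as fh:
            fh.write(b"original application bytes")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[db]\nhost=localhost\n")

        with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
            manifest_path = fh.name
        save_baseline(build_baseline(root), manifest_path)

        # Simulated tampering after the baseline was taken
        with open(os.path.join(root, "bin", "app.exe"), "ab") as fh:
            fh.write(b" + injected")
        with open(os.path.join(root, "bin", "dropped.dll"), "wb") as fh:
            fh.write(b"unexpected new library")
        os.remove(os.path.join(root, "config.ini"))

        report = compare_baseline(load_baseline(manifest_path), build_baseline(root))
        os.remove(manifest_path)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the report lists bin/dropped.dll as added, config.ini as removed and bin/app.exe as modified. In practice the manifest is taken from a known-good image, kept where the monitored host cannot overwrite it, and the comparison is scheduled and its output sent to whatever the site uses for alerting.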
The article says this attack spreads via USB because Siemens SCADA systems “are typically not connected to the Internet for security reasons”. That is sometimes the case but I wager we will find them connected to networks that are connected to the Internet with questionable segmentation. I discuss this in my Top Ten Breaches presentations.
Once the USB device is plugged into the PC, the virus scans for a Siemens WinCC system or another USB device, according to Frank Boldewin, a security analyst with German IT service provider GAD, who has studied the code. It copies itself to any USB device it finds, but if it detects the Siemens software, it immediately tries to log in using a default password. Otherwise it does nothing, he said in an email interview.
That technique may work, because SCADA systems are often badly configured, with default passwords unchanged, Boldewin said.
When someone implies that SCADA systems are often badly configured, we also must ask whether they believe that includes the network and the other aspects of security managed by a utility. Take, for example, another part of the story that discusses the misconfiguration of “whitelist” controls in SCADA, based on a technical description of the virus:
To get around Windows systems that require digital signatures — a common practice in SCADA environments — the virus uses a digital signature assigned to semiconductor maker Realtek.
A whitelist control that can be defeated by simply duplicating another vendor's signature is a badly configured security control.
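To make that point concrete, here is an added example (not code from Siemens, any whitelisting product, or this blog) that models three ways a "whitelist" can decide whether a binary may run. A check that only trusts the publisher name declared in a signature blob passes a file whose signature was copied from a legitimate driver; recomputing the signature over the actual file contents, or pinning the file hash, rejects it. HMAC-SHA256 with a constructed key stands in for the vendor's code-signing key (real Windows signatures are X.509/RSA), and "ExampleVendor" is a made-up publisher.

```python
"""Added example: signer-name allowlist vs. verified signature vs. pinned hash.

Not code from any product mentioned in the post. HMAC-SHA256 stands in
for a publisher's code-signing key; the vendor name, key and file
contents are all constructed for the demonstration.
"""
import hashlib
import hmac
import os


def sign(content, signer_name, key):
    """Produce a signature blob binding the signer name to the content."""
    tag = hmac.new(key, signer_name.encode() + b"\0" + content, hashlib.sha256).hexdigest()
    return {"signer": signer_name, "tag": tag}


def policy_signer_name_only(binary, trusted_signers):
    """Weak: trusts whatever publisher name the blob declares."""
    return binary["signature"]["signer"] in trusted_signers


def policy_verified_signature(binary, trusted_keys):
    """Stronger: recomputes the signature over the actual file contents
    with the key on record for the declared publisher."""
    sig = binary["signature"]
    key = trusted_keys.get(sig["signer"])
    if key is None:
        return False
    expected = sign(binary["content"], sig["signer"], key)["tag"]
    return hmac.compare_digest(expected, sig["tag"])


def policy_pinned_hash(binary, allowed_hashes):
    """Strongest for fixed-function hosts: only known file hashes run."""
    return hashlib.sha256(binary["content"]).hexdigest() in allowed_hashes


def evaluate(binary, trusted_keys, allowed_hashes):
    """Run one binary through all three policies; True means 'allowed'."""
    return {
        "signer_name_only": policy_signer_name_only(binary, trusted_keys),
        "verified_signature": policy_verified_signature(binary, trusted_keys),
        "pinned_hash": policy_pinned_hash(binary, allowed_hashes),
    }


def demo():
    """Constructed scenario: a legitimate driver signed by 'ExampleVendor',
    and a second file carrying a copy of that driver's signature blob
    over different contents."""
    vendor_key = os.urandom(32)                     # constructed signing key
    trusted_keys = {"ExampleVendor": vendor_key}

    driver = {"content": b"legitimate driver bytes"}
    driver["signature"] = sign(driver["content"], "ExampleVendor", vendor_key)
    allowed_hashes = {hashlib.sha256(driver["content"]).hexdigest()}

    # The same signature blob, duplicated onto unrelated contents
    lookalike = {"content": b"unexpected payload bytes",
                 "signature": dict(driver["signature"])}

    return {"driver": evaluate(driver, trusted_keys, allowed_hashes),
            "lookalike": evaluate(lookalike, trusted_keys, allowed_hashes)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The legitimate driver passes all three policies; the lookalike passes only the name-only check, which is exactly the control the story describes as defeated. On a control-system host whose software set rarely changes, the pinned-hash policy is both the simplest to operate and the hardest to get around.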
At the end of the day, this is an odd exploit story. Someone clearly made a strange decision to pair what could have been a very valuable zero-day attack with the lowly self-replication of a worm. That makes it seem like it was designed to make noise and force a reaction more than to pinpoint and quietly exploit a specific target for ill-gotten gains.
Security company Sophos told ZDNet UK on Friday that it was aware of instances of the malware spreading in India, Iran and Indonesia.
RackSpace and NASA have announced today the OpenStack Open Source Cloud Computing Software.
The goal of OpenStack is to allow any organization to create and offer cloud computing capabilities using open source software running on standard hardware. OpenStack Compute is software for automatically creating and managing large groups of virtual private servers. OpenStack Storage is software for creating redundant, scalable object storage using clusters of commodity servers to store terabytes or even petabytes of data.
They are only in developer preview mode, but I searched the site and found no mention of security or compliance. Hopefully this will change by the first release in mid-October.
The remote code execution warning was posted yesterday for Windows Shell on XP: Microsoft Security Advisory (2286198).
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.
Turn off AutoPlay
It was no good anyway
Except for exploits
Update: Sophos says disabling autoplay is not an answer
Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.
“This waltzes around autorun disable,” said Cluley. “Simply viewing the icon will run the malware.”
I am unable to think of a single good reason to have a gasoline-powered lawn mower. Perhaps someone can enlighten me.
In the meantime, I noticed an excellent tutorial on how to convert gasoline mowers to electric, and recharge them with solar.
Compare the silent, clean and simple electric/solar model to even the smallest lawnmower gasoline engines that pollute 93 times as much as an automobile engine.
The NYT points out that 6 million gasoline mowers were shipped into California in one year. That is the equivalent of 600 million car engines pumping toxic fumes and noise into residential areas. Why?