Siemens Patch Aims to Thwart Stuxnet Offspring
While it's good that Siemens is offering patches to plug problems with its PLCs, "people are really scared what the impact will be on a running process," said Tofino CTO Eric Byres. "Everyone has installed patches on their computer and had it run like crap for the next two days. That can get real ugly if you're talking about a nuclear reactor or a sewage plant or an oil refinery."
Jul 30, 2012 6:00 AM PT
Siemens, which made the industrial controllers targeted by the Stuxnet cyberweapon, announced last week that it was releasing some patches aimed at foiling attacks on its hardware similar to those mounted by the now-famous worm.
Previous versions of the controllers used in SCADA (Supervisory Control and Data Acquisition) systems allowed DLL (Dynamic-Link Library) files to be loaded into the devices without validation. Siemens' fix now prevents unvalidated DLLs from being loaded.
"This is a step in the right direction," Eric Byres, CTO and vice president for engineering at Tofino Security Products, told TechNewsWorld.
"Sure, Stuxnet is yesterday's worm," he acknowledged, "but the hole is still there for this vulnerability. There are people who will say, 'They haven't patched that yet? I'll make a Son of Stuxnet.'"
Nevertheless, Siemens has more work to do to secure its PLC controllers, Byres continued, and that work won't be easy.
"There are some inherent design issues that span the world of PLCs that malware can take advantage of," he said.
While it's good that Siemens is offering patches to plug problems with its PLCs, there can be a significant lag time between when patches are released and when they're installed, as any IT vet knows. That lag is even worse when dealing with industrial systems, Byres noted.
"People are really scared what the impact will be on a running process," he explained. "Everyone has installed patches on their computer and had it run like crap for the next two days. That can get real ugly if you're talking about a nuclear reactor or a sewage plant or an oil refinery."
Get a Clueful
Clueful was bounced from Apple's App Store more than a week ago under mysterious circumstances. The app, made by Bitdefender, is designed to keep owners of Apple mobile devices informed about what's being done to the data in those devices by the apps running on them.
"Unfortunately, according to the NDA we have with Apple, Bitdefender cannot disclose any information regarding the reviewing process," Chief Security Researcher Alexandru Catalin Cosoi told TechNewsWorld.
"We would obviously love to discuss the feedback we got from Apple, but we cannot," he added.
That feedback apparently was encouraging to Bitdefender; the company expects to resubmit the app to Apple soon, Cosoi said.
Bitdefender also is mulling over the possibility of making the app for other platforms, he noted, "but right now, the main priority is getting Clueful back on the App Store."
Apple at Black Hat
When it comes to security conferences, Apple has been a little gun-shy in the past, but that wasn't the case last week when Platform Security Manager Dallas DeAtley delivered a presentation on iOS security at Black Hat 2012 in Las Vegas.
Apple's decision to come in from the cold was praised by some security pros. "We're really happy to see Apple at Black Hat," F-Secure Chief Research Officer Mikko Hypponen told TechNewsWorld. "They should have always been here."
The move may signal a change in attitude by the secretive company.
"Black Hat is not a crowd that will accept anything less than thorough disclosure and free discourse," Intego Virus Hunter Lysa Myers told TechNewsWorld.
"Apple's decision to attend the conference makes it seem as if the company's intent is to provide a view into what's going on behind the curtains of iOS," she added. "We definitely applaud this direction, as cooperating with the security industry will improve the security of the operating system overall."
An earlier appearance at Black Hat by Apple in 2008 was scotched when the company's security team couldn't get on the same page with its marketing department, and its presentation had to be pulled at the 11th hour.
July 23. Reports appear that more than 8 million usernames and passwords stolen four months ago from gaming website Gamigo have been posted to a public forum on the Web.
July 25. Oregon State Police open an investigation of a vendor that copied information from a check register at Oregon State University without authorization, potentially compromising private information of students and employees at the institution between 1996 and 2009.
July 26. Report appears that 18-month data breach at Upper Valley Medical Center in Ohio could have compromised personal information of 15,000 people.
July 26. Global Payments reports the data breach that potentially exposed payment card information of millions of consumers will cost the company US$84.4 million.
July 27. Information Commissioner's Office (ICO), of the United Kingdom, reveals that it has been informed by Google that payload data collected by its Street View vehicles prior to May 2010 has not been destroyed as Google agreed to do in a pact with the ICO in November 2010.
July 26-Aug. 22. Data Breach Security Tour. A series of workshops sponsored by Utah to provide assistance to the nearly 800,000 citizens of the state affected by a healthcare data breach.
Aug. 20-23. Gartner Catalyst Conference. San Diego, Calif. Standard price: $2,295.
Oct. 9-11. Crypto Commons. Hilton London Metropole, UK. Early bird price (by Aug. 10): £800, plus VAT. Discount registration (by Sept. 12): £900. Standard registration: £1,025.
Oct. 25-31. Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.