Are We Talking About 'Cyberwar' Or Massive Incompetence?
from the perhaps-more-the-latter... dept
Rich Kulawiec points us to the news of Dillon Beresford of NSS Labs recently discovering (and revealing) that the Siemens control systems targeted by Stuxnet have massive security holes, including a hardcoded username/password combo ("basisk" for both, in case you were wondering). As Kulawiec noted:
    We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar". Some of that has come from governments eager to justify their increasing invasion of citizen privacy. Some of that has come from government contractors, eager to score more $100M do-nothing contracts. And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.
    But while Stuxnet is pretty darn clever, that's not the real problem. The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments. Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this? How could they allow such a rudimentary, obvious mistake to pass?
    We don't need to spend billions (or trillions) on elaborate cyberwar initiatives. We need to stop making fundamental mistakes. We need to stop doing the stupid things that we KNOW are stupid.
But that kind of stuff isn't quite as sexy as declaring "cyberwar" and asking for billions of dollars from the government.
Filed Under: cyberwar, incompetence, stuxnet
Companies: siemens
Reader Comments
I could have sworn it was 12345 .... the same combo I use for my luggage
Or some engineer backdoor into the system. You know, like how chip designers like to put little easter eggs on microchips, like a hot pepper etched into some corner of the chip.
The fewer eyeballs something has, the more chances such things can happen.
Re:
Managers give programmers very little time to do things right. They just want it done quick. If the first implementation works, then ship it. Security? We'll fix that in version 2.0. After we fix a bunch of other issues that customers actually care about.
I'll help em out
Re: I'll help em out
http://xkcd.com/936/
Re: Re: I'll help em out
http://www.hugamate.com/wp-content/uploads/2008/05/password1.jpg
and if any AC/troll thinks this is a dig at them... complex much? it is
Re: Re: I'll help em out
The fault lies with the managers who changed the requirements and re-used the code without a proper review.
dammit
M1st@k3n D0nkEy 0u+l3+ Pr0n
Working in Automation
Management demanded that all this equipment talk so that they could monitor the plant while they are in their front offices or at corporate HQ. That drove network connectivity big time. Too much demand, while not much effort was put into security, as it really wasn't needed until recent days. With no funding to speak of (security doesn't get any more product out the door), this was an obvious result.
Stuxnet was an eye opener but not unexpected by us in the trenches. It is the management who controls budgets, and until this event no one at my pay level had any attention from management.
Re: Working in Automation
I would also say that if you have someone on your network able to sniff your network... you've already lost.
I would also guess that Siemens is not the only Automation vendor that is vulnerable to these types of attacks.
Don't connect hyper critical things to the internet
Don't give them easily accessible usb ports
Don't make the button that screws the whole thing up large and red with a sign that says for gods sake don't press
Don't put it next to the coffee maker in the breakroom
Don't spend billions for a magic bullet that does not exist
The people screaming the loudest that you're in danger are the ones looking to get paid to develop a super system that will never actually work.
The best defense is a good offense: hire grey hat hackers to hack the sites of people offering you services. No meetings with anyone they manage to penetrate.
Re:
Your cyberwar solutions are flawed.
The only real cyberwar solution is to pull an Osama/Flynn; get off the grid completely. Live in a cave without electronics.
Re: Re: Re:
We had an annoying virus running around at work for the longest time that was spread via flash drives. Every time we'd disinfect a machine it was infected again within a few days. I tried to get my boss to cough up a bit of cash to buy everybody flash drives with a write-disable switch, but he just said nobody would use the feature.
So I found a registry hack that turned off the XP autorun and went around to every machine I could find, disabled it, and cleaned off the virus if required (usually). And cleaned off every memory stick I could beat out of people. Win7 wasn't an issue because it doesn't operate by the rusty nail principle (injects you with every rusty nail it encounters just in case the nail has the cure for cancer).
Haven't seen the damned thing in more than a year.
While it's mildly inconvenient to have to open a browser by hand any time I insert a flash drive, it's less annoying than having my settings changed and having to yet again track down and eradicate a stupid keylogger that's for a game we don't have anyway.
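The registry change the commenter describes, written out as an added example that is not part of the comment or of the Techdirt post: it audits the Explorer NoDriveTypeAutoRun policy value, decodes which drive types still have AutoRun enabled, and sets the mask to 0xFF. It assumes a Windows host and a session with rights to write under HKLM; the drive-type bit labels follow the documented meaning of that bitmask.

```powershell
# Added example: audit and harden the Explorer AutoRun policy (not code from the page).
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
# 0xFF disables AutoRun for every drive type, the value normally used for hardening.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Documented bit meanings of the NoDriveTypeAutoRun mask.
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown type'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed disks'
    0x10 = 'Network drives'
    0x20 = 'CD/DVD-ROM'
    0x40 = 'RAM disks'
    0x80 = 'Reserved / unknown'
}

function Get-AutoRunPolicy {
    # Returns the current mask, or $null when the policy value has never been set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy([int]$Mask) {
    # Lists, per drive type, whether the given mask still leaves AutoRun enabled.
    foreach ($bit in $DriveTypeBits.Keys) {
        $state = if ($Mask -band $bit) { 'disabled' } else { 'ENABLED' }
        '{0,-32} AutoRun {1}' -f $DriveTypeBits[$bit], $state
    }
}

function Set-AutoRunDisabled {
    # Creates the policy key if needed and sets the mask to 0xFF (all drive types).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0xFF -Type DWord
}

$current = Get-AutoRunPolicy
if ($null -eq $current) {
    'NoDriveTypeAutoRun is not set; Explorer falls back to its built-in default.'
} else {
    'Current mask: 0x{0:X2}' -f $current
    Show-AutoRunPolicy $current
}
if ($current -ne 0xFF) {
    Set-AutoRunDisabled
    'Hardened: mask is now 0x{0:X2}' -f (Get-AutoRunPolicy)
}
```

On Windows XP the mask is only fully honored for non-optical drives once Microsoft's 2009 AutoRun update is installed; Windows 7 already stops acting on autorun.inf from USB media, which matches the commenter's observation.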
Re: Re: Re: Re:
Why are you running an OS that can be infected by viruses?
One of the worst things that Microsoft has done for IT is to train newcomers that this circumstance is normal -- that is, that it's a reasonable thing for an OS to be extremely vulnerable to viruses, so much so that extra software (cue greedy AV vendors) is required to even have a slight chance of defending it.
But it's not normal. It's an aberration. Quality operating systems are nearly impervious to viruses, and those are the systems that should be used.
(What do I mean by "nearly impervious"? Try OpenBSD. No, really, try it. Try writing a virus that can successfully penetrate the system. Good luck with that.)
I don't use AV software because I don't need to, and I don't need to because I don't allow broken operating systems in my environment. And THAT is the single biggest step that just about every organization could take toward better security.
But they won't. They're either too dim-witted to get past years of conditioning by Microsoft/AV vendors, or they're too stubborn, or they're too cheap, or they're too we've-always-done-it-this-way, or they're too unwilling to admit their error, or they're unwilling to learn, or whatever. They will resist and resist and resist...and meanwhile, their organizations will be hacked at will, whenever a bored teenager or two feels like it. (See: Anon, LulzSec, etc.) They will use the usual excuse ("Blame It On China") but really, why should the Chinese trouble themselves when any script kiddie can pwn their entire infrastructure?
Re: Re: Re: Re: Re:
Make up your mind: security or ease of use. They really are mutually exclusive.
i.e. No USB may be more secure, but it is a royal pain when needing to move data back and forth for support purposes, or for general archiving of data.
i.e. Air gap is more secure (possibly), but it makes it hard for a distributed company to monitor remote installations.
Also, management cannot have the pretty reports without a network connection of some sort.
Re: Re:
And Stuxnet would not have made it to the system if someone hadn't connected something insecure to what should have been a secure machine on a secure network.
Why not (sarcasm follows)?
Sarcasm off - the USG needs to focus on using what we have to the max vice buying new shit. Focus on quality control, quality hiring and active management - vice foolishly trying to emulate "Best Business Practices" because it sounds professional. And Siemens just got away with selling a ball of schlock to the idiots who'd buy it - so remember that they're incompetent and stop buying their gear ... wait, Washington's BIG on name recognition, so that'll never work! (okay, sarcasm came back).
It's about the person acting on the Vulnerability
There are 4 basic external cyber threat models (aside from disgruntled employees).
1. State actors
2. Organized Crime
3. Social or political driven groups (LulzSec)
4. Opportunist
NIST actually has a special publication (SP 800-82) for PLC and other types of industrial control systems.
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
But, as others here have noted, businesses and even governments aren't willing to shut down production lines to address cyber security. To make matters worse, in the case of industrial control systems that operate 24x7 with shift changes and control rooms, the use of more fixed passwords or certificates needs to exist, so other areas of defense need to be added to compensate. Also, part of the problem is that software and hardware manufacturers never considered industrial systems as targets, so they never built in security and are very often painfully slow at rolling out security patches to OSs (both Linux and Windows based). People don't want to patch a system until it's been approved by the vendor. Nor is it easy to simply replace whole systems with new vendors.
Take a moment to read about the Smart Grid hacks: http://gigaom.com/cleantech/hacking-the-smart-grid/
Or the newer power meters on your house: http://www.nctimes.com/business/article_244ff4dc-7f2b-5a8b-96d2-dc14c17681bf.html
Siemens wasn't lazy, just responding to the market
You know, the same reasons Microsoft does what it usually does. Because otherwise people won't buy it!