Stuxnet Worm Reveals Default Password Vulnerabilities
Monday, September 27, 2010
Just put it into production, it will be okay...
In the last two weeks, I've heard some things which made my blood boil. Such as the recent Stuxnet worm, continued cyber attacks against The Pentagon and NATO, and an article describing past U.S. electricity grid intrusions.
Perhaps, I am over simplifying the root causes but the information available to me makes me want to get up on the soap box to talk about security basics.
I have a love-hate relationship with the idea of computer appliances. On one hand, this pre-installed piece of hardware is ready-to-go. It has already been configured, tested, and you can pretty much guarantee it is going to work when you plug it in. This is a real operational cost savings.
On the other hand, I have many security concerns which stem from the “default” nature of their configuration. After all, an appliance usually runs on top of a general-purpose operating system combined with commonly available software such as databases.
After reading an article which identified the primary attack vector as a default password on a programmable logic controller (PLC), I cringed:
“The [Stuxnet] worm was directed at a very popular process controller (Siemens Simatic Programmable Logic Controller) and exploited a zero-day vulnerability in the PLC's WINCC SQL database.
The exploit lay bare the disconnect between the IT and Industrial Control Systems (ICS) communities. This particular PLC (as well as many other ICSs) burned the default passwords in software. The hackers exploited this design to get access to the database.”[1]
If you're an organization which deploys appliances, does the vendor provide the ability to change default parameters such as a password?
When it comes to minimizing the attack surface and applying patches, I hear so many reasons not to remove software and not to apply patches. I've heard that the cost to install software later is more than if they just delivered it in the original installation – besides, there is very few services or packages one can leave off the system.
As Colonel Sherman T. Potter, my favorite character from the television series M*A*S*H, would say, “Mule Muffins.”
I ran the following shell command on two generic Linux server installations to determine how many services were not running and their associated packages:
chkconfig --list |egrep -v ":on" |awk '{printf "rpm -q --file /etc/init.d/%s\n", $1}' |sh
In Fedora 12, there were approximately 30 services not running and in openSUSE 11 there were about 40 services. My argument is if the system is performing its assigned tasks and these services aren't running, then remove them before they become inadvertently started or associated tools are exploited.
This is no reflection on an operating system itself; it simply means that operating system distributions typically include many services for maximum interoperability and ease of configuration. Nonetheless, you should take a serious look at what isn't used on your system and remove it.
Every good operating environment should have a digitally signed software repository where system administrators can pull authorized software and patches. This only takes a few seconds and the beautiful thing about Linux packaging is that it resolves dependencies.
So, if you needed to add a webserver (e.g., Apache), all of the associated packages could easily be pulled and installed in your operating system very quickly.
When I read about the state of NATO systems and their reported reluctance to apply system patches, I began to grind my teeth:
NATO's systems are behind the U.S.'s, said one person familiar with U.S. assessments of NATO's systems after a recent trip the deputy defense secretary made there. "The Chinese totally owned them," this person said, adding that NATO hadn't installed many of the basic network security patches, because it had decided some of its computers were too important to ever turn off.[2]
NATO spokesman James Appathurai denied that the alliance's computers were regularly compromised. However, I didn't hear him dispute the fact that the systems were missing many of the basic security patches.
So, is it just a matter of time? Or have the systems already been comprised but NATO is unaware? Lastly, if the systems are so important, why isn't there any redundancy? A load-balanced or fail-over system?
How many applications have been deployed in your environment with default passwords? When was the last time they were patched? How many lingering, dormant services reside on your systems?
1. “Opinion: IT needs to help secure industrial control systems” by Joe Weiss of Computerworld (August 13, 2010)
2. “Cyber Attacks Test Pentagon, Allies and Foes” by SIOBHAN GORMAN in Washington and STEPHEN FIDLER in London, The Wall Street Journal (September 25, 2010)
Cross-posted from Security Blanket Technical Blog
Comments
Post a Comment