Removing SCADA worm could disrupt power plants Siemens has made a program available for detecting and disinfecting malware attacking its software used to control power grids, gas refineries, and factories but warned customers who use it could disrupt sensitive plant operations. The Munich-based engineering company on Thursday began distributing Sysclean, a malware scanner …
ds9, season 1 episode 17, 'the forsaken'
a computer worm infects the stations computers and they cannot remove it and ultimately have to live with it.
never thought it possible and then i read this article.
maybe organisations will stop using windows for embedded and control systems? don't forget they use windows on iss and on military hardware these days.
By the sounds of it - Siemensdidn't think of such things and the software won't work if you change it from the one they provided.
The issue here is Siemens - if they had written it in Linux, it would have a default root password that you can't change if you want the software to work!
Siemens' security suckiness doesn't stop with their SCADA software.
They had us configure our WinXP PCs running their "Syngo Dynamics" medical image-viewing software to auto-login as "Administrator".
Support contract says if you don't follow their configurations, you void your support.
It was our executives' fault for not having processes in-place which required review by knowlegable IT people before purchase was approved.
Executives typically are "big-picture" people (Dilbert PowerPoint: * Oxygen is good; * Competition is bad; * I like Jello).
I can't see the stupidity stopping until they start handing out jail sentences to (our, and other deserving) corporate executives for criminal negligence.
And since "The Law" is just another bureaucracy, with "big-picture" people on top, that's not likely to happen.
Years and years ago, we warned 'em. "Don't use Microsoft software in SCADA or any other mission critical system. Please, PLEASE, **PLEASE!!** don't! If you do, it'll all end in tears! This is doubly true if said systems are connected to an external network and/or contain the capability for users to use removable media!"
But did the feckless idiots listen? Of course not.
This is what happens when Management and Marketing make decisions that are better left to technical folks. Not that Management & Marketing's egos can handle that reality, of course. It's going to get worse before it gets better, mark my words.
[1] Folks in the real computer security world, not the Microsoft hangers-on.
The tender was for a Windows NT 3.5 based SCADA system for monitoring the rod drops in a nuclear power plant. How we laughed. Then we realised they were serious...
Sleep sound though: all nuke plants run double-redundancy, and have 3 independent monitoring or control systems doing each function.
At least, that's the way it used to be, back in The Day.
Hmm... I actually may not sleep quite so soundly tonight.
Try early-mid 1981[1] ... I was working for Bigger Blue when the PC-DOS 0.98 beta & original IBM PC came out in pilot build ... everyone in the Glass House looked at each other and said "WTF is IBM thinking? Thank gawd/ess it can't do networking!" ... The rest, of course, is history ...
[1] I can't remember the exact month, but it was raining. Naturally.
The systems reported so far were infected via a USB stick, no internet connection required. If they were using a USB stick for data transfer instead of a network connection it's quite possible they were isolated from the rest of the network.
Since then ways to exploit the shortcut vulnerability over the network have been found.
As Jake said, many customers likely *were* warned of the inevitable risks, likely by people with lots of directly relevant experience, but the PHBs with their MBAs turned to the MS-dependent MCPs and MCSEs for "independent" input and not surprisingly the MS-dependent ecosystem offered approval of their ridiculous "cheapest is best" proposal (even when it's not even cheapest long-term), whereas the sensible answer for the business would have been to tell the Window box people where to go rather trying to fit a square product securely into a round hole.
I don't normally have much to say in favour of lawyers and insurance companies but here is the kind of case where they could and should actually do something to help (a) the general public (b) the respectable SCADA (and IT) community. An insurance company charges more for (or won't provide) flood insurance for properties at high risk of flooding.
Similarly, commercial outfits providing Windows-based product are at higher risk of causing damage to their customers' businesses than those providing secure product, therefore their liability insurance should cost more (or, if appropriate, perhaps in cases like this, their insurance should be declined completely until the risk is suitably mitigated).
Yrs etc,
Messrs Sue, Grabbit, and Runne
I used to work for one of the largest Insurance companies in the UK, we certainly used a lot of Windows, from NT4 onwards. We had One IBM mainframe, a handful of AS/400s, a couple of hundred UNIX boxes of varying types and about a thousand windows servers. (This was in the 90s, before Linux was really a viable choice.)
The bank I currently work for has a similar ratio of Mainframe to unix to Windows, but we are currently getting into Linux in a fairly big way. Linux however, is mainly replacing UNIX rather than Windows.
Windows is a stable, scalable, relatively inexpensive system. It is well proven and still does some things that just aren't easily doable on other systems. AD would be top of the list - all of our unix systems' single signon is actually handled by the Windows AD, as is the singon to all of our switches etc. etc.
"and about a thousand windows servers."
Half running the corporate WWW site, the other half serving powerpoint presentations, right?
"Windows is a stable, scalable, relatively inexpensive system."
Wow. What flavo(u)r was the coolaid?
"It is well proven and still does some things that just aren't easily doable on other systems."
You got THAT right ... Well proven to be nothing but a headache, and far easier to cock up than any other system targeting similar needs.
"AD would be top of the list - all of our unix systems' single signon is actually handled by the Windows AD, as is the singon to all of our switches etc. etc."
You don't see why there might be a few security problems there? And you claim to work for a bank? I don't suppose you'd like to name that bank, so I can divest ...
This appears to have been targeted at the control systems so would have been developed for a weakness in whatever hardware/software/human systems were in place.
Every system has vulnerabilities, the more they are in use the more likely they will be found. In this case it happened to have been on Windows which may have made it easer because of the wide availability of knowledge about it.
I'm not defending the security record of Windows, just thinking about it less emotively.
Not a single mention so far from a Linux fanboi chiming in with the standard response 'you should be running Linux, Linux will runn anything in the world 100% securely, phnar'
No system is 100% secure, you couldn't could you safeguard against an insider deliberately pressing the wrong buttons, bypassing shutdowns or opening the wrong valve to blow a power station to bits. Hacking doesn't have to be performed over the internet, it's just easier for lazy people.
The SCADA system is like the Central Nervous System of any living thing, when left alone it is sterile and nothing goes wrong, inject something malicious into it and all hell breaks lose, I can't see why you would want to integrate your system critical SCADA hardware with the rest of your network, and if you do have to have some interaction with it why not have a hardware barrier between them instead of a straight up connection.
What worries me is what disaster is going to happen before they are all finally forced to listen and so forced to change their system design. Who (or how many) have to die in a chaotic disaster before it finally changes. For example the potential for hackers in other countries to abuse this setup is huge and the potential damage they can cause is also huge.
People can easily die in a city in chaos simple from their own accidents (e.g. in the dark due to a power cut etc..). Plus the ensuing chaos can also delay getting medical help to people who need emergency help (even if the medical help they need isn't related to the power cuts, but simply they need medical help fast but can't get it due to traffic chaos simply as road networks fill up with people driving to relatives etc.. In chaos in a city, the road networks get flooded the same as the way phone networks get flooded in chaos and end up blocked and unusable simply from over use in all the chaos). So a few people could easily die in a city thrown into chaos.
Sadly whatever happens I fully expect the Management & Marketing egos to still cling to their usual same Passive Aggressive line of thinking they aways do, where it will always be someone else at fault and not them, as these arrogant Narcissists cannot believe they can be wrong in anything they do, so to them, it has to be someone else at fault. So who (or how many) have to pay the price for the Management & Marketing egos before it finally changes?. :(
Only someone brought up in a Windows-centric world could make an idiotic statement like that and hope that it had any credibility.
It's easier because Windows has more holes than a Swiss cheese. People find holes in Windows every day, just by trying things. They don't even need access to the source to find the holes.
People find lots of holes in Linux too, but (a) they do so helped considerably by access to the source (b) the design at the core of Linux means that most holes are of relatively little consequence (little need for stuff to run as root).
Other operating systems are available.
Please stop trotting out the "Windows needs to run stuff as Admin", it just doesn't. I have been working with Windows since NT3.51, seriously with Windows since NT4 and I have never come across software which needs to be run as Administrator. Just because something says it does, doesn't mean it does. Just because a lazy admin says it does, doesn't mean it does. Sometimes you have to be a bit clever or fix up badly written installer scripts, but you never need to run non-admin tasks as Administrator.
It should also be well understood that Linux may get a fix quickly, but that fix usually ends up in the unstable release while it is tested and made of suitable quality to release into a stable release. This can take weeks.
Now I use both Windows and Linux on a daily basis, it drives me nuts when people say problems with Windows are because it is badly written or had swiss cheese security, but problems with Linux are because it's not setup properly.
What your saying is that installer scripts need to be modified to not be run as admin out of the box. That is kind of silly. Many a sys admin will be to lazy to edit and mod installers. If I am not mistaken this vulnerability was released nearly a week ago. So I am failing to see you patch-time argument either. Based on those time lines Linux should have a stable fix released for it in a few days from now and meanwhile Windows isn't due for a stable patch release until Aug. (over a week away). There have been some very interesting interviews with some of the blackhat's out there and I have to agree with many of them, A major flaw in Windows servers is that they are too easy to setup and configure. When you make things to easy to do it makes those who support those systems less likely to truly understand how that system works, When your trying to protect that system from someone who truly understands that system the end result is pretty self explanatory.
From my time working at a company building HVDC links and national-grid interconnects (1992-1999), I seem to remember that the SCADA system was absolutely out of the control loop. Sure you'd use the SCADA to change things and to report the faults. But it was the real-time software that did everything.
So how was your SCADA different to that?
It's also worth asking the question: in 1998, what else would you have used? Linux was in its infancy (as in crawling, falling over all the time and spreading shit everywhere). Various *nix versions were stable but all needed a whole lot of specialist knowledge to write stuff for - and XWindows itself wasn't the most wonderful place to be for a front-end either. (I spent several years at uni writing stuff that ran under XWindows v11. Not fun.) DOS 6 was less stable than NT. And Win95/98 were absolute non-starters. The alternative would have been a complete custom solution - which is what most SCADA stuff was until they got with the NT-based program, and as a result it was vastly expensive for what it did. And even then, you're not guaranteed it's going to be any more stable either.
And a lot of the bespoke stuff is still chugging away 20 years later, doing the job it was designed for on the original hardware
Which makes the total cost of ownership over the 20 year design life span amazingly cheap
And, amazingly secure
There should be laws against running process control on common OSs - regardless of whether that's the abysmal windows or some other general purpose OS
RS/400, OS/390, VMS, TOPS-10/20, Netware, RISC OS, need I go on?
"Linux was in its infancy (as in crawling, falling over all the time and spreading shit everywhere)."
Horse shit. I had been running Slackware exclusively as my primary desktop for about 5 years in 1998 ... and in 1998, I was rolling out custom Slack installs at businesses & schools all over the SF Bay Area (mostly servers, granted, but then that's what we are talking about here).
"Various *nix versions were stable but all needed a whole lot of specialist knowledge to write stuff for"
Well, DUH! NEXTSTEP, AIX, HPUX, DigitalUNIX, SCOunix, Xenix, SunOS/Solaris, the BSDs, et alia, aren't toy OSes, designed for home use ... They are professional tools. That's why us professionals used them.
Please press "reboot now" to finish the update, or "reboot later" if you don't want the whole Grid to shut down just at the moment.
Windows Genuine Advantage. You know it makes sense.
[How do you do Windows Update on an air-gapped WinXP system anyway, without using equally unsafe removable media?]
How do you do Windows Update on an air-gapped WinXP system anyway, without using equally unsafe removable media?
You have a DMZ which contains a Windows Update Server and put the updates onto the update server from your production network and then allow the servers in the secure network to update from the server in the DMZ.
If you really need to keep systems totally air-gapped you put the update server into the same isolated network as the target machine and put the /tested and malware free/ updates onto the update server with removeable media.
Windows evolved off the LAN, which is why it was so full of gaping holes at the end of the 90s and the start of the 2000s. At first they stuffed all sorts of WAN in with integrated web, etc and then they secured it? Script kids that couldn't code C bitch slapped their OS over and over. Um, maybe they shouldn't have added so much scripting default? Maybe IE should have started out in a sand box and not integrated into the OS, well at least not if it was to be used for anything important. How about no HTML in email programs till they were ready? Windows is much better now, but far from perfect. And I do realize MS does not stand alone.
I wonder how much they charged the government, power companies, etc for systems that run on common-consumer software? And programs made with common-consumer libraries, compilers, API, etc. They should use something a little more cryptic and not something that school kids learn on. A system that requires tons of work to lock it down instead of tons of work to make it easy to use, the wrong system to use in anything so critical!
and learn to build even mission critical system control software such that it'll survive basic system upgrades. And oh, don't build on quicksand or ice, not even if it's really shiny and comes with a GUI. Time for our "real engineers" to grow up and get a Real Computer.
"in 1998, what else would you have used? "
OS/2 at the cheap end (98?), VMS in the bigger systems. Just ask the ex-FactoryLink people who used to use both of those but were, like pretty much everyone else, forced onto using Window boxes, and who are now part of Siemens' WinCC "SCADA" organisation.
To an extent, what you would use for a SCADA system also depends on what folk mean by SCADA, and the definition has become blurred. Now if it draws mimics and can move things, it's a SCADA system, even if it isn't.
Most of these SCADA systems are running on Windows. Gee, I wonder why they are vulnerable to viruses, worms, et al? I spent many, many years developing similar software using hardened real-time operating systems, which are used to run much more sensitive installations, such as nuclear power plant control systems, avionics manufacturing lines for the F117 stealth fighter, etc.. Anyone that uses Windows-based software for safety or security-critical systems should be sued into the poor house, and then put in jail for another 100 years - just my humble opinion. Witness the fiasco caused by using Windows for the Denver International Airport baggage handling system - $100's of millions were thrown away because of such boneheaded decisions.
Preaching "No Windows" to Management and Finance types is pointless.
What they will see, sooner or later, is the price of insurance for their plant. Do you for a moment think that Lloyds names regard Windows-based and Linux-based systems as equivalent? No, they don't.
When the insurance cost reaches the pain point then the plants will drop Windows.
Tell us, Fraser, what OS does Windows Update Server require to run?
Thought so.
And yes many readers are well aware that it is in principle possible to write Windows software that doesn't need to run as admin. Readers will also be well aware that until relatively recently, few people bothered to do so, so you'd get idiocies like being able to use a vulnerability in a widely-installed (but unnecessarily run-as-admin) help package to get admin privilege.
How many readers have checked that there are no unnecessary run-as-Admin processes on their systems?
Thought not.
As for having the IT department or even the relevant Engineering departments "fix up badly written installer scripts"? Are you insane, or just living on a different planet (or payroll) than the rest of us...
Is it too late to hope that one day the message will eventually sink in?
Once one or two of the big players in the MS-dependent ecosystem finally realise that their MS-dependency is *costing them money and business*, there will be a few changes in their business practices. And others will have to follow, rapidly, or go out of business. The London Stock Exchange's abandoning of Windows has already been mentioned. They weren't the first, they won't be the last, but they're probably the biggest one in public view so far.
Just because some people do stuff wrongly, doesn't mean to say that the system they do it on is a fundamentally flawed system.
I've come across many linux or unix systems that are badly setup, this doesn't make linux or unix bad in itself.
I've also had to hack installer scripts under linux to make the install work properly (not all software is available on a repo - certainly nothing commercial), that doesn't make the underlying system bad, just the script.
I totally fail to see what is insane about making sure that software is correctly installed - it's basic testing, if you have to modify a bit of a script to make it work properly, why not? You're almost certainly going to be packaging it up in some way, which will pretty much require this sort of work anyway.
As for objecting to using a Windows OS to update a Windows system - What's the problem? These would be secured from a physical POV and a Network POV. In the system I described, you put tested updates onto the updates server and these can be installed by the target machine, without any access to the outside world. You just have to make sure that the updates are properly tested - this is a problem with any updates system.
Hmm... Try getting schools to move away from Talking Write Away - for a basic WP package for kids its fairly good, different levels to introduce different ideas etc, but when we first started installing it, we were getting loads of complaints that it wouldn't print from a certain level - and, indeed, it wouldn't, until you gave it admin permissions. Here we are, something like 12 years later, and we've still got the same problem with it - the developers aren't really interested, it's still using vbrun300.dll for god's sake, but try getting users to change the level before printing.
Well written software, _shouldn't_ need admin privileges, unfortunately, finding that and getting the users to use it when it doesn't do a job as well as their poorly written current software does are two different things.
Because the PHB won't pay for it, that's why.
Because the PHB thinks WIndows is supposed to be cheap, that's why.
Because if the PHBs are going to approve time and money for DIY then they might as well realise that it's better to DIY on a rock solid base rather than a Swiss cheese base.
Is that enough for now?
Anyone still reading?
Here, courtesy of Chemist on a later thread on this vuln, is the CERT writeup on this vuln (as Fraser and MS fanboys round here obviously won't take anybody here's word for it).
Please note (1) this code contains a "run-as-Admin" hole (2) the code with the hole comes direct from MS HQ not some amateur SCADA outfit (3) this design feature cannot be fixed simply by "rewriting the installer" or any similar fix proposed round here (hello Fraser, how's your week looking?).
This is not just any old buffer overflow hole, this is Microsoft: another defective by design hole.
Now obviously that doesn't mean there aren't ways of fixing this to not run-as-Admin, but the fix needed to prevent this kind of shiny madness being repeated is in Redmond not in the field. Or in customer boardrooms (and not in MS-funded lunches for PHBs).
"http://www.kb.cert.org/vuls/id/940193
"Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing *dynamic icon functionality*. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be *processed within the context of the Windows Control Panel*, which will result in arbitrary code execution."
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
