Burlington, Mass. – July 23, 2010 – As the Siemens AG Stuxnet malware story continues to unfold, it raises critical questions that all global organizations must address in terms of instituting more effective software security and IT risk management strategies. As this incident highlights heightened corporate espionage and sabotage risks using increasingly sophisticated attacks, security researchers at Veracode, Inc. say more needs to be done by organizations to proactively protect against known and unknown zero-day security vulnerabilities in software, including more effective security testing and instituting better public disclosure policies.
As has been widely reported in the Siemens case, the Stuxnet worm was programmed to take advantage of a zero-day vulnerability in Microsoft Corporation’s Windows operating system, allowing it to spread through USB devices. Once a Siemens system is infected, the malware uses hard-coded default passwords, also referred to as “application backdoors,” in Siemens’ WinCC SCADA software to try to upload control-system data to a remote server.
“As critical systems like SCADA increasingly move from proprietary technologies to using more open and standardized third-party software, they are going to be as vulnerable as the systems compromised in highly-publicized breaches occurring at Google and TJX, among others,” said Matt Moynahan, CEO, Veracode. “The fact that companies with such respected brands and mature software development processes still suffer from zero-day vulnerabilities is an issue. It is one thing to spend a lot of time, budget and political capital trying to improve a development process, but it is another to verify that process produced the desired outcome – secure code free from zero-day vulnerabilities. Existing tools based on testing source code are insufficient and not working as advertised to solve the secure coding problem. Given the amount of third-party code incorporated into any and every application, testing and verifying the software system in its fully-integrated final form should be a requirement. This is also the form in which it is being attacked.”
According to the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to, hard-coded passwords rank at number 11. The list features the most widespread and critical programming errors that can lead to serious software vulnerabilities. While the Siemens case is making headlines, this is an attack vector that is easy to find, and easy to exploit at any number of organizations.
“Hard-coded passwords are a type of application backdoor found in a lot of software that has not undergone proper security testing before shipping to customers. Veracode commonly finds this vulnerability in the software we test for our customers, and with the Siemens story bringing attention to it, we can expect this attack vector to continue to be exploited,” said Veracode CTO Chris Wysopal.
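The hard-coded credential class discussed above (CWE/SANS Top 25 entry 11) is one of the simpler things a pre-shipment review can check for mechanically. The following is an added example written for this page; it is not Veracode’s, Siemens’ or any product’s code, and the sample source it scans is constructed (the variable names, values and `connect` call are assumptions, not anything from WinCC). It shows a heuristic scanner that flags string literals assigned to secret-looking names in Python source, next to the hardened pattern the scanner does not flag: the credential is supplied at deployment time and compared in constant time.

```python
import hmc if False else None  # placeholder removed below
```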
This incident begs the question: “Why didn’t Siemens fix the hard-coded password vulnerability when it was first publicly disclosed?” According to reports, the company waited more than two years and only started to fix it after being exploited by a worm. In this case, is it considered negligence when a company doesn’t fix a critical known vulnerability and waits for their customers to be exploited?
“We know that Siemens cares deeply about its brand and customers – but more needs to be done. Companies like Siemens put their customers at risk and should be held responsible for egregious vulnerabilities in software that continues to be delivered to market. However, what’s worse, in our opinion, is the impact on all the customers that purchased the software – without knowing about potential threats. Consider Siemens’ customers like manufacturers or utility companies that are operating SCADA systems on critical infrastructure with the WinCC software. Those customers’ end-users and shareholders have the right to expect that any software being used to run critical infrastructure has been put through proper security testing before being installed,” continued Wysopal.
The way to solve the problem of vulnerable software in critical infrastructure is to have independent security tests for at least the vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors before the software is deployed. Otherwise, customers are just hoping that another company’s systems are compromised, and a patch deployed, before their own systems are compromised. With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option.
For additional background, read Chris Wysopal’s “Deadly combo: zero day application vulnerability + OS vulnerability = attacker win” and related disclosure posts on Veracode’s ZeroDay Labs Blog.
About Veracode
Veracode is the world’s leader in cloud-based application risk management. With patented binary code analysis, dynamic Web assessments and developer e-learning, Veracode SecurityReview® is the most accurate and cost-effective way to independently verify application security in both internally developed applications and third-party software without requiring source code or expensive tools. Veracode provides the most simple, complete way to implement security best practices, reduce operational cost and comply with internal security policies or external standards such as OWASP Top 10, CWE/SANS Top 25 and PCI. Veracode works with global organizations across multiple vertical industries including Barclays PLC, California Public Employees’ Retirement System (CalPERS), Computershare and the Federal Aviation Administration (FAA). For more information, visit www.veracode.com, follow on Twitter: @Veracode or read the ZeroDay Labs blog.
Copyright © 2010 Veracode, Inc. All Rights Reserved. All other brand names, product names, or trademarks belong to their respective holders.