Dig
« on: October 07, 2010, 02:50:08 PM »
http://www.zdnet.co.uk/news/security-threats/2010/07/20/siemens-warns-stuxnet-targets-of-scada-password-risk-40089591/
Siemens warns Stuxnet targets of password risk by Tom Espiner July 20, 2010 12:09 PM PDT
Siemens has advised its customers not to change the default passwords hard-coded into its WinCC Scada product, even though the Stuxnet malware that exploits the critical infrastructure systems software is circulating in the wild.
Changing the passwords could affect the operations of critical infrastructure organizations such as utilities companies and electricity suppliers, according to Siemens.
"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens spokesman Michael Krampe in a statement on Monday.
How is that? Why would the changing of the password in an offline system affect critical infrastructure organizations? Unless the plans for CYBER STORMING the US include an exploitation of multiple systems based on the default password. Unless Siemens has a plan in place which requires that all default passwords be the same. Why are they telling customers to keep a default password?
All eyes are opened, or opening, to the rights of man. The general spread of the light of science has already laid open to every view the palpable truth, that the mass of mankind has not been born with saddles on their backs, nor a favored few booted and spurred, ready to ride them legitimately

Satyagraha
« Reply #1 on: October 07, 2010, 03:03:15 PM »
From the same article...
http://www.zdnet.co.uk/news/security-threats/2010/07/20/siemens-warns-stuxnet-targets-of-scada-password-risk-40089591/?tag=mncol;txt
"This is a horrible situation," said Sophos senior technology consultant Graham Cluley in a blog post on Tuesday.
"Good security practice would be for the systems that look after critical infrastructure to not use the same password. Furthermore, the systems shouldn't be hard-coded to expect the password to always be the same (which results in any change to the password resulting in a right royal mess)."
Siemens declined to comment further on Tuesday, but it did say in a security advisory posted on its support forum on Tuesday that it is working with Microsoft to resolve the issue at the Windows operating system level. In addition, ZDNet UK understands that Siemens is rethinking the use of hard-coded default passwords in its systems.
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself."
~ Thomas Paine, A Dissertation on the First Principles of Government, 1795

Satyagraha
« Reply #2 on: October 07, 2010, 03:06:34 PM »
http://www.sophos.com/blogs/gc/g/2010/09/24/stuxnet-vancouver-virus-bulletin/
Another issue that has been largely ignored by the media is the response of Siemens, who developed the SCADA software that Stuxnet targets.
Stuxnet knows the default password used by the Siemens SCADA software, but - astonishingly - Siemens advised power plants and manufacturing facilities not to change their default password. That's despite it being public knowledge on the web for some years.

Dig
« Reply #3 on: October 07, 2010, 03:54:32 PM »
July 19, 2010: http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=225690
Over the weekend my team has been investigating a new family of threats called Stuxnet that appear to be directed specifically at Siemens WinCC and PCS7 products via a previously unknown Windows vulnerability.
At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line. Thus, I decided to create this email to let my friends and associates in the process control and SCADA world know what is happening.
As best as I can determine, the facts are as follows:
This is a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.
There are no patches available from Microsoft at this time (There are work arounds which I will describe later).
This malware is in the wild and probably has been for the past month.
The known variations of the malware are specifically directed at Siemens WinCC and PCS7 Products.
The malware is propagated via USB key. It may also be propagated via network shares from other infected computers.
Disabling AutoRun DOES NOT HELP! Simply viewing an infected USB using Windows Explorer will infect your computer.
The objective of the malware appears to be industrial espionage; i.e. to steal intellectual property from SCADA and process control systems. Specifically, the malware uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens.
The only known work arounds are:
NOT installing any USB keys into any Windows systems, regardless of the OS patch level or whether AutoRun has been disabled or not
Disable the displaying of icons for shortcuts (this involves editing the registry)
Disable the WebClient service
My team has attempted to extract and summarize all the relevant data (as of late Saturday night) and assemble it in a short white paper called “Analysis of Siemens WinCC/PCS7 Malware Attacks” which I have posted on my website in a secured area that can be accessed from www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware .
If you would like to download the white paper, you will need to register on the web site and I will approve your registration as fast as I can. I have chosen to keep the whitepaper in a secure area as I do not want this information to be propagated to individuals that do not need to know and might not have our industries’ best interests at heart. People who are already www.tofinosecurity.com web members do not need to reregister.
Eric Byres P.Eng Chief Technology Officer
Byres Security Inc.
All eyes are opened, or opening, to the rights of man. The general spread of the light of science has already laid open to every view the palpable truth, that the mass of mankind has not been born with saddles on their backs, nor a favored few booted and spurred, ready to ride them legitimately
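
One way to watch for the behaviour described in the post above, as an added example that is not part of the original thread or of Byres' advisory: since the WinCCConnect password is fixed, flag logins to that account from hosts that are not known WinCC stations. It assumes SQL Server login auditing writes both successes and failures to the ERRORLOG; the log lines and station addresses below are constructed.

```python
import re
from collections import Counter

WATCHED_ACCOUNT = "WinCCConnect"  # MSSQL account named in the post above

# Assumption: the only hosts that should ever log in with that account.
EXPECTED_CLIENTS = {"<local machine>", "192.168.10.21", "192.168.10.22"}

# SQL Server ERRORLOG login-audit line:
# <date> <time> Logon  Login succeeded|failed for user '<name>'. ... [CLIENT: <addr>]
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]\s*$"
)

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """\
2010-07-19 08:00:01.10 Server      SQL Server is starting at normal priority base (=7).
2010-07-19 08:14:02.31 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.21]
2010-07-19 08:14:09.02 Logon       Login succeeded for user 'WinCCConnect'. Connection made using SQL Server authentication. [CLIENT: <local machine>]
2010-07-19 08:20:44.58 Logon       Login succeeded for user 'winccconnect'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.57]
2010-07-19 08:21:03.90 Logon       Error: 18456, Severity: 14, State: 8.
2010-07-19 08:21:03.90 Logon       Login failed for user 'WinCCConnect'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.57]
2010-07-19 08:25:17.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.10.21]
2010-07-19 08:31:50.12 Logon       Error: 18456, Severity: 14, State: 8.
2010-07-19 08:31:50.12 Logon       Login failed for user 'WinCCConnect'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.10.22]
"""


def parse_logins(text):
    """Yield one dict per login-audit line; every other line is skipped."""
    for line in text.splitlines():
        match = LOGIN_RE.match(line.strip())
        if match:
            yield match.groupdict()


def review(text, account=WATCHED_ACCOUNT, expected=EXPECTED_CLIENTS):
    """Return the watched-account logins that deserve a second look."""
    findings = []
    for event in parse_logins(text):
        # Compared case-insensitively; assumes a case-insensitive collation.
        if event["user"].lower() != account.lower():
            continue
        reasons = []
        if event["client"] not in expected:
            reasons.append("unexpected-source")
        # Assumption: a component using the built-in password never fails,
        # so any failure means something else is trying the account.
        if event["result"] == "failed":
            reasons.append("failed-login")
        if reasons:
            findings.append({"ts": event["ts"],
                             "client": event["client"],
                             "reasons": reasons})
    return findings


def by_client(findings):
    """Count findings per client address to show which host to look at first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for finding in results:
        print(finding["ts"], finding["client"], ",".join(finding["reasons"]))
    print(dict(by_client(results)))
```
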

Dig
« Reply #4 on: October 07, 2010, 04:00:56 PM »
http://www.cio.com/article/599816/After_Worm_Siemens_Says_Don_t_Change_Passwords
"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."
By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.
Byres' company has been flooded with calls from worried Siemens customers trying to figure out how to stay ahead of the worm.
US-CERT has put out an advisory (ICS-ALERT-10-196-01) for the worm, but the information is not publicly available. According to Byres, however, changing the WinCC password would prevent critical components of the system from interacting with the WinCC system that manages them. "My guess is you would basically disable your whole system if you disable the whole password." [Isn't this a major, major, major, major flaw in the architecture?]
[...] The Siemens system was designed "assuming that nobody would ever get into those passwords," Byres said. "It's an assumption that nobody will ever try very hard against you." The default username and passwords used by the worm's writers have been publicly known since they were posted to the Web in 2008, Byres said.
5 months ago it was exposed that 30 years of targeted attacks on Industrial Control Systems have been compiled in a database!
175 confirmed incidences!
Yet, Siemens and their contractors say:
The Siemens system was designed "assuming that nobody would ever get into those passwords," Byres said. "It's an assumption that nobody will ever try very hard against you."
175 incidences involving compromising industrial control systems!
With cyber incidents affecting control systems on the rise, a new report lays out trends seen in 2009 and makes comparisons to historical data. The number of control-system cyber-security incidents in the water/wastewater industry rose sharply in 2009, while reported cyber incidents in the petroleum and chemical industries declined. Those are among trends detailed in the “2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems,” published on March 29 by the Security Incidents Organization (SIO, www.securityincidents.org). The SIO is a non-profit organization formed last July to manage and provide public access to the database of industrial cyber incidents formerly housed at the British Columbia Institute of Technology (BCIT). The database, now known as the Repository of Industrial Security Incidents (RISI), currently houses about 175 confirmed cyber incidents affecting control systems, with some going back to the 1980s, says John Cusimano, SIO managing director, and director of security services at exida ( www.exida.com), a Sellersville, Pa., safety and security firm.

Dig
« Reply #5 on: October 07, 2010, 04:08:26 PM »
At the same time I also became aware of a concerted Denial of Service attack against a number of the SCADA information networks such as SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line.
AT THE SAME TIME SIEMENS WAS FORCED TO LET THEIR CUSTOMERS KNOW ABOUT THE STUXNET ATTACK... DOS ATTACKS HIT SERVERS WHICH COULD PROVIDE VALUABLE INFORMATION ON HOW TO PROTECT OUR NATIONAL SECURITY INTERESTS! WHO DID THE DOS ATTACKS? WHO IS INVESTIGATING? IS IT PART OF THE STANDARD RESPONSE TO PERCEIVED TERRORISM BY DHS/PENTAGON? IF SO, WHO AUTHORIZED THE ATTACKS ON THESE LIST SERVERS? IF IT WAS NOT DHS/PENTAGON THEN WHY IS THERE NO INVESTIGATION?

Anti_Illuminati
Guest
« Reply #6 on: October 07, 2010, 04:37:21 PM »
http://www.zdnet.co.uk/news/security-threats/2010/07/20/siemens-warns-stuxnet-targets-of-scada-password-risk-40089591/
Siemens warns Stuxnet targets of password risk by Tom Espiner July 20, 2010 12:09 PM PDT
Siemens has advised its customers not to change the default passwords hard-coded into its WinCC Scada product, even though the Stuxnet malware that exploits the critical infrastructure systems software is circulating in the wild.
Changing the passwords could affect the operations of critical infrastructure organizations such as utilities companies and electricity suppliers, according to Siemens.
"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens spokesman Michael Krampe in a statement on Monday.
http://www.sunbeltsoftware.com/About/Security-News/?title=SCADA-systems-vulnerable-to-widely-available-hard-coded-password-19899917
SCADA systems vulnerable to widely available hard-coded password
July 20, 2010 Internet Security News
Security researchers have uncovered a complex piece of malware affecting command-and-control software installed in important infrastructures, Wired relays. The malware uses a default password that has been available online for two years to access Siemens’ Simatic WinCC SCADA system.
The SCADA system, which stands for supervisory control and data acquisition, are programs used in facilities to control operations. The systems have been heavily scrutinized recently for their lack of malware protection and their susceptibility to remote attacks, which can place control of utilities into the hands of dangerous criminals.
“Default passwords are and have been a major vulnerability for many years,” said Steve Bellovin, a computer scientist at Columbia University, Wired relays. “It’s irresponsible to put them in, in the first place, let alone in a system that doesn’t work if you change it.”
Software developers that code passwords into versions of their products allow dedicated third-parties to uncover the codes through diligent analysis. Different security methods, such as obfuscation techniques, can be implemented to make password retrieval more difficult on crooks.

Dig
« Reply #7 on: October 07, 2010, 04:44:33 PM »
http://www.wired.com/threatlevel/2010/07/siemens-scada/
News of the malware was first reported last week by security blogger Brian Krebs who said that a security firm in Belarus named VirusBlokAda had discovered it in June.
Boldewin’s analysis showed that once the malware is launched, it searches the computer for the presence of the Simatic WinCC software and then applies the hard-coded password, XXXXXXX [I cannot believe Wired magazine is also publishing this password. It is like they want it to be out there!], to access the control system’s database.
Siemens indicated in a statement to reporters last week that it learned of the malware on July 14 and had assembled a team of experts to evaluate the problem. The company said it had also alerted customers to the potential risk of being infected by the virus. The statement made no mention of the hard coded password.
Hard-coded passwords aren’t a problem just for Siemens.
“Well over 50 percent of the control system suppliers” hard-code passwords into their software or firmware, says Joe Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats.
"These systems were designed so they could be used efficiently and safely. Security was simply not one of the design issues.”
W T F ?
Manufacturers of Electronic Computer Controlled Industrial Control Systems which if not secure can cause millions to die in genocides caused by explosions in oil rigs, flooding of irrigation systems, dams to burst, gas leaks to explode, etc. felt that... "Security was simply not one of the design issues.”?!?!?!?!?!?!?!?!?!?!

Dig
« Reply #8 on: October 07, 2010, 04:52:40 PM »
The "saviour" does not dare speak out against smart grids. He instead gives the "solution" based on a projected "reaction" to the manufactured "problem". His book was published a few weeks before Stuxnet was first discovered. Just like Lockheed Martin...he exposes the insanity of smart grids, yet explains how to "solve" the "problem" with yet even more "fake security" which gives more control to central authority.
Protecting Industrial Control Systems from Electronic Threats
http://www.momentumpress.net/books/protecting-industrial-control-systems-electronic-threats
Joe Weiss
Date: 05/10/2010
Print Price: $59.95
Print ISBN: 978-1-60650-197-9
Pages: 327
Binding Type: Softcover
E-book Price: $52.95
E-book ISBN: 978-1-60650-199-3
Aimed at both the novice and expert in IT security and industrial control systems (ICS), this book will help readers gain a better understanding of protecting ICSs from electronic threats. Cyber security is getting much more attention and “SCADA security” (Supervisory Control and Data Acquisition) is a particularly important part of this field, as are Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), and all the other, field controllers, sensors, drives, and emission controls that make up the “intelligence” of modern industrial buildings and facilities.
Some Key Features include…
-How to better understand the convergence between Industrial Control Systems (ICS) and general IT systems
-Insight into educational needs and certifications
-How to conduct Risk and Vulnerability Assessments
-Descriptions and observations from malicious and unintentional ICS cyber incidents
-Recommendations for securing ICS
Praise
“For many years, Joe Weiss has been sounding the alarm regarding the potential adverse impact of the ‘law of unintended consequences’ on the evolving convergence between industrial control systems technology and information technology. In this informative book, he makes a strong case regarding the need for situational awareness, analytical thinking, dedicated personnel resources with appropriate training, and technical excellence when attempting to protect industrial process controls and SCADA systems from potential malicious or inadvertent cyber incidents.”—Dave Rahn, Registered Professional Engineer, with 35 years experience.
"I look forward to reading Joe’s book based on my professional association with him over the last twenty years. His passion, technical excellence and expertise drives him to follow through with questions others often fail to comprehend or are afraid to ask - What is the root cause? - What are the generic implications? I expect no less from this book. It should help to extend the knowledge and ability of control system and IT practitioners working in this important area. Perhaps more importantly, it should help policy makers and leaders interested in making informed decisions – decisions that should lead to improved cyber security in industrial automation and control systems."—Robert C. Webb, PE, Industrial Control Systems Secure, LLC.
"Protecting Industrial Control Systems from Electronic Threats offers a unique and fresh perspective into control systems security. Weiss thoroughly outlines important distinctions between traditional IT and control systems risks. He makes a compelling case for advancing higher education in this field and the need for new certification programs. If you deem critical infrastructure important, you should read this book."—Jon Stanford, CGEIT, CISM, CISSP, industry security expert and CISO.

Dig
« Reply #9 on: October 07, 2010, 06:40:34 PM »
Siemens Roller Coaster Response to Stuxnet
http://www.digitalbond.com/index.php/2010/08/12/siemens-roller-coaster-response-to-stuxnet/
The Siemens response to Stuxnet has been like a roller coaster. It started diving low with limited information and bit of blame shifting as most organizations facing a vulnerability for the first time do. [Siemens is huge and obviously other parts of Siemens are well versed in handling vulnerability incidents, but I'm unaware of this product line having a publicly disclosed vuln]
To their credit, Siemens quickly went uphill by creating a dedicated page, frequent updates, applicable warnings about fixes and more.
Now that the Microsoft patch is out and the crisis mode has abated they seem to be diving down again by sidestepping the issue of recovering an authentic and reliable Siemens build. I credit a Jake Brodsky entry on SCADASEC for raising the issue of where is the guidance from Siemens on cleaning out the damage to the Siemens components? It is not even mentioned on the Siemens’ Stuxnet page. Patching the Microsoft vulnerability may be the easy part of the remediation and far from sufficient. The Siemens’ page does have a Simatic Security Update executable with little information about what it does. It appears to be involved with the Microsoft patch, but maybe it is updating affected DLL’s
Symantec has provided the most detailed analysis of what Stuxnet tries to do to Siemens’ software, and the more they look at it, the nastier it seems. In a recent blog entry Symantec concludes:
Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.
You don’t have to understand all the gory details of the Symantec blog series to see the concern. They cover the s7otbxsx.dll wrapper, the Siemens’ functions and those that are “hooked” or intercepted and modified by the wrapper, and other Siemens modifications in this entry.
As can be seen in the screenshot above the first action that the wrapper .dll takes is to decode an encoded string and call LoadLibrary with that decoded string. The decoded string is “s7otbxsx.dll”. The wrapper .dll file needs to load the real .dll file in order to pass the calls along to the real .dll file after the wrapper .dll file has changed whatever data it wants.
Siemens should start back uphill again and provide detailed and verified information on what various versions of Stuxnet have done to their software, and the steps required to fully rid a system of these changes with a high degree of confidence. This is likely to require very detailed technical information — at least that is what I would demand if I was responsible for an infected system. The rigor of the detail would help convince me Siemens understood Stuxnet and would allow me to audit my control system for infection issues. Siemens might want to keep that information closely held, customers with NDA only, but there should be a section on the Siemens page highlighting the importance of cleaning out the affected Siemens’ code and how to get this information.
Author: Dale Peterson Posted: August 12th, 2010 under Vulnerability Disclosure. Comments: 4

Dig
« Reply #10 on: October 07, 2010, 06:41:52 PM »
"Security was not an issue"
Siemens: Stuxnet infected 14 industrial plants
http://www.zdnet.co.uk/news/security-threats/2010/09/16/siemens-stuxnet-infected-14-industrial-plants-40090140/
By Tom Espiner, ZDNet UK, 16 September, 2010 16:52
Stuxnet, a complicated piece of malware spread via USB, has infected 14 Siemens industrial systems around the world, according to the engineering technology company.
Stuxnet malware attacks supervisory control and data acquisition (Scada) systems that use Siemens WinCC Scada software. The Siemens software is used by a range of critical infrastructure providers, such as utilities companies.
The 14 infected locations were mostly processing plants, and critical infrastructure organisations had not been affected, Siemens spokesman Wieland Simon told ZDNet UK on Thursday.
"In no case did we note any damage," said Simon. "No critical infrastructure or production industry was infected."
Most of the infected plants are in Germany, and no cases have been reported in the UK, he added.
On Wednesday, Microsoft published a patch for the Stuxnet malware, which combines the characteristics of a rootkit, a worm and a Trojan. Siemens is advising its customers to implement the fix as soon as possible.
Globally, Stuxnet has infected between 90,000 and 100,000 systems, according to Symantec. Liam O'Murchu, a Symantec researcher, is scheduled to present a study of the malware at the Virus Bulletin VB2010 conference in Vancouver at the end of September, technology publication Computerworld UK noted on Thursday.
The malware has code which allows a hacker to control industrial systems, and it hides using a number of rootkits. It spreads via USB sticks using a vulnerability in Microsoft Windows.
"Any threat that is capable of taking control of a real-life physical system is worthy of a closer look," O'Murchu said in a submission to VB2010.

Anti_Illuminati
Guest
« Reply #11 on: October 07, 2010, 07:01:16 PM »
“Well over 50 percent of the control system suppliers” hard-code passwords into their software or firmware, says Joe Weiss, author of the book Protecting Industrial Control Systems from Electronic Threats. And who are some of those other control system suppliers?: http://www.sans.org/eu-scada-security-summit-2010/?ref=647931. Users of ABB, GE, Siemens, and Rockwell control systems will be in on the ground floor of a coordinated plan for dealing with both of the two most virulent cyber threats facing your systems. And if you use any other control systems, you'll come home with a game plan you can discuss with your vendor.

birther truther tenther
« Reply #12 on: October 08, 2010, 02:22:03 AM »
An analogy I have to Siemens, Ptech, PROMIS, and other cyber"security" frauds is like being in middle school P.E. Imagine if the coach sold you all over-priced combo locks for your locker, but told you to keep the default combination. You can't buy a $2 lock at Walmart as a substitute, you must buy his combo lock for $15, because the coach needs access to your locker with the keyhole in the back, to make sure you guys aren't hiding contraband. Then you realize the next day someone posted the default combination on Facebook/MySpace and everyone realized that everyone has the same code: 34 14 04. Gee, why are my pants hanging off the ceiling, my shoes thrown across the locker room, and my backpack looted, and my locker door ajar? Oh crap, someone figured out the combination. Looks like I'll have to ask the coach to buy a new lock. The coach gives me the new lock, with the default combination of 36 16 14. Then I check MySpace and realize someone posted the new codes. Crap, I have PE second hour, that means I won't make it in time tomorrow morning. Someone in first hour undid my lock, and my gym shoes, shirt, and shorts, are jacked. Looks like I will have to get another lock from coach. I tell the coach, "Hey, someone figured out my combination because the default is the same for everybody". He reassures you. "This third lock is even better," he claims, "Now that it's YOUR FAULT that you keep getting your stuff jacked, but don't worry, I will make you MORE secure with this new lock that costs $20". I buy the $20 lock, and oh no, a week later someone figured out the combo. Should I be gullible and buy a fourth lock like industry and government? I better not dare question coach's "authority". It would be "conspiracy theory" to suspect the coach of running a lock scam. I tell the principal about the lock scam, and he accuses me of wearing a tin-foil hat, being anti-Semitic because the coach is Jewish, and that I need to stop being disrespectful of "authority".
So how do you guys like being ripped off? Cybersecurity programs have inherent backdoors (the coach's keyhole in the back of the lock) or they are flimsy to the point of uselessness like sharing a default combination. I just OVERSIMPLIFIED Anti_Illuminati's work so even a seventh grader can figure out that cybersecurity is a total hoax and a fraud.