Cisco 2010 Annual Security Report – Cybercrime ROI Matrix

ReadWrite Enterprise has a nice summary of the Cisco 2010 Annual Security Report. Here are some of the key points.

Cisco goes MBA-ish with a quadrant to show trends in cybercriminals’ attack methods.

Social engineering continues as a key technique. Cisco highlights the seven weaknesses social engineers exploit: sex appeal, greed, vanity, trust, sloth, compassion, and urgency. Cisco recalls the Robin Sage fiasco.

Java has become the number one target for cybercriminals, replacing PDF.

And of course, Cisco acknowledges Stuxnet as the “evil” cybercrime winner.

Stuxnet’s Finnish-Chinese Connection – The Firewall – the world of security – Forbes

While we may never know for sure the originator of Stuxnet, Jeffrey Carr presents a credible, if circumstantial, alternative originator to the common assumption of Israel or the United States – the People’s Republic of China (PRC) – for the following reasons:

  • Vacon’s frequency converters are manufactured in Suzhou, China.
  • In March, 2009, Chinese Customs arrested two Vacon employees.
  • The genuine digital certificates used by Stuxnet were stolen from RealTek Semiconductor, a Taiwanese company with a subsidiary in Suzhou, China.
  • China has direct access to Windows source code.

The article also discusses what China’s motives might be. You definitely want to read the whole article as well as Carr’s whitepaper.

Stuxnet source code released? Unlikely

Larry Seltzer believes the report from Britain’s Sky News that the source code for the Stuxnet worm is being traded on the black market and could be used by terrorists is highly unlikely. (The link to the story appears to be broken as of Saturday, 4:11pm EST. Try the main blog link, http://blogs.pcmag.com/securitywatch/ and scroll to the story.)

Larry is by no means the only skeptical security blogger. AVG’s Roger Thompson and Sophos’s Paul Ducklin agree.

Sky News may be confused by the fact that an exploit for one of the Stuxnet 0-day vulnerabilities was released a few days ago. While this is problematic, it is by no means Stuxnet itself.

Schneier on Security: Stuxnet

Excellent summary of Stuxnet. Separates facts from conjecture. Points out some of the erroneous descriptions you may have read, e.g. SCADA is incorrect.

Defending against Stuxnet

The Palo Alto Networks blog post “Stuxnet – SCADA malware” describes all four Stuxnet vulnerabilities and how to defend against them.

The answer is a combination of policies which:

  • Block .LNK and .PIF files coming from the Internet to a private network
  • Disable RPC application traffic from the Internet to a private network
  • Deploy vulnerability protection profiles using the specific Palo Alto vulnerability signatures they developed to detect all four of the Windows vulnerabilities Stuxnet exploits.

This week Palo Alto Networks is releasing two new signatures which protect against the last of the four vulnerabilities, CVE-2010-2772. Microsoft does not have a patch for this one yet.

Rethinking Stuxnet | threatpost

What the sophistication of Stuxnet shows is a level of professionalism and seriousness that normally is attributed to governments and their intelligence agencies. They have the motive, the means and the opportunity to create a piece of malware of the magnitude of Stuxnet and pinning this on the government of Israel is perhaps a logical conclusion, given some of the evidence. There’s a hidden reference in the worm’s code to a date on which an Iranian Jew was executed, as well as some vague Biblical connections. Iran and Israel have a hostile, complicated history, and Israel also is thought to have elite offensive information security capabilities. And Iran had a huge number of Stuxnet infections, including at its Bushehr nuclear plant, which Israel presumably has a vested interest in damaging. Add that all together and you get a seemingly solid case for Israel having unleashed Stuxnet on Iran.

However:

There are no clear benefits that would accrue to Stuxnet’s creators if they made it easy for people to identify them. In fact, there are some major deterrents, including possible retaliation from the target.

In other words, if the Israelis were smart enough to build Stuxnet, why would they be so stupid as to leave clues that lead directly back to them?

Going forward I am going to avoid any posts tied to politics.

Stolen Digital Certificates Becoming Standard Malware Components | threatpost

One of the lesser known facts about Stuxnet is that it used two stolen digital certificates to bypass anti-malware systems.

“…many antimalware products and other security applications will whitelist binaries and files that are digitally signed. These components are simply trusted and passed along in most cases. The creators of Stuxnet obviously knew this and used it to their advantage. In the wake of the Stuxnet attack, security experts said that they expected other malware authors to follow the lead of Stuxnet and begin using digital signatures to evade security software, and that prediction is already being fulfilled.”

Now that there is a new version of Zeus that’s digitally signed, it’s clear that digitally signed binaries can no longer be trusted. Will digital certificate black lists be added to anti-malware products?

Steve Bellovin on Stuxnet: The First Weaponized Software?

Steve Bellovin has posted a comprehensive analysis of Stuxnet in a post entitled, Stuxnet: The First Weaponized Software? His post also summarizes what is publicly known so far about Stuxnet. Well worth reading in its entirety.

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch

The security research community continues to marvel at the sophistication of Stuxnet. In fact, there is a growing body of opinion that Stuxnet must have been developed with government sponsorship. Since 58% of identified infections seem to have occurred in Iran, the two obvious countries attracting speculation are the United States and Israel.

Previously, I’ve written about Stuxnet on August 14, September 15, and September 17.

Aside from the extremely precise targeted nature of Stuxnet, what is striking is that it took advantage of four different 0-day or unknown vulnerabilities.

If this is not a wake-up call for the need for specialized 0-day malware defenses, I don’t know what is.

‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought — Krebs on Security

Brian Krebs has a detailed article on Stuxnet that covers its targeting of Siemens industrial control systems.

“The mechanism [the Stuxnet worm] used to install the Siemens payload came at the very end, which means this isn’t a Siemens problem and that they could have substituted [General Electric], Rockwell or any other PLCs as the target system,” Weiss said. “At least one aspect of what Stuxnet does is to take control of the process and to be able to do…whatever the author or programmer wants it to do. That may be opening or closing a plant valve, turning a pump on or off, or speeding up a motor or slowing one down. This has potentially devastating consequences, and there needs to be a lot more attention focused on it.”