
Veracode Examines Impact Of The Siemens Stuxnet Malware Attack

BURLINGTON, Mass. (BUSINESS WIRE) As the Siemens AG Stuxnet malware story continues to unfold, it raises critical questions that all global organizations must address in terms of instituting more effective software security and IT risk management strategies. Because this incident highlights heightened corporate espionage and sabotage risks from increasingly sophisticated attacks, security researchers at Veracode, Inc. say organizations need to do more to proactively protect against known and unknown zero-day security vulnerabilities in software, including more effective security testing and better public disclosure policies.

As has been widely reported in the Siemens case, the Stuxnet worm was programmed to take advantage of a zero-day vulnerability in Microsoft Corporation's Windows operating system, allowing it to spread through USB devices. Once a Siemens system is infected, the malware uses hard-coded default passwords, also referred to as "application backdoors," in Siemens' WinCC SCADA software to try to upload control-system data to a remote server.

"As critical systems like SCADA increasingly move from proprietary technologies to using more open and standardized third-party software, they are going to be as vulnerable as the systems compromised in highly-publicized breaches occurring at Google and TJX, among others," said Matt Moynahan, CEO, Veracode. "The fact that companies with such respected brands and mature software development processes still suffer from zero-day vulnerabilities is an issue. It is one thing to spend a lot of time, budget and political capital trying to improve a development process, but it is another to verify that process produced the desired outcome - secure code free from zero-day vulnerabilities. Existing tools based on testing source code are insufficient and not working as advertised to solve the secure coding problem. Given the amount of third-party code incorporated into any and every application, testing and verifying the software system in its fully-integrated final form should be a requirement. This is also the form in which it is being attacked."

Hard-Coded Passwords and Disclosure

According to the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to, hard-coded passwords rank at number 11. The list features the most widespread and critical programming errors that can lead to serious software vulnerabilities. While the Siemens case is making headlines, this is an attack vector that is easy to find and easy to exploit at any number of organizations.
