ISPs Realizing the Benefits of Protecting End Users Against Web-Borne Malware Threats



Protecting end users from malware is a good thing, and TalkTalk seems to be leading the way in this respect. However, TalkTalk appears to be constrained by the technology supplied by Huawei. Because it relies on Deep Packet Inspection, TalkTalk is limited in what it can examine and must collect session information in order to see what threats those sessions contain. Had TalkTalk known about Wedge Networks’ technology, it would have seen that a better way to implement such a system is Deep Content Inspection, which gives the operator the full threat picture without collecting any customer information, even anonymised information. The contentious privacy issues would not even come into play.

Posted in Latest Security News

Industry Infrastructure Security: The Mouse, The Cat, and The Fears


Today, our lives are heavily dependent on the digital infrastructure surrounding us. It is no wonder that the news of the first real attack on industrial control systems (here), the Stuxnet malware, spread through the media like wildfire. The news was pushed by a friend to my iPhone just hours after it was published.

This link provides a more in-depth description of the Stuxnet malware. It gets into a control network via ordinary USB drives. It targets a SCADA system from Siemens called Simatic WinCC, which runs on the Windows platform. Once a machine is infected, a Trojan checks whether the machine is running Siemens’ Simatic WinCC software. It then uses a default password that is hard-coded into the software to access the control system’s Microsoft SQL database.

Many security-related publications have expressed deep concerns about the potential damage that this type of malware can do. Just last year, in the so-called Aurora Project, researchers affiliated with the US government were able to demonstrate how malicious instructions transmitted through the network could physically blow up a 27-ton power generator and cause profound damage. From here, it is easy for the security-minded to connect the dots.

SCADA systems, sensor networks, automated process control devices: there are more machine-to-machine systems than systems used by users like you and me. Securing these machine-to-machine systems is a real challenge. In the case of Stuxnet, because the SCADA system is not on the internet, delivering timely security updates is not an easy task. In the case of the Aurora Project, the power generator was controlled by embedded systems with very limited computing power for self-defences such as firewalling and anti-malware. The cost effectiveness and convenience offered by the internet exert a huge pull to webify machine-to-machine systems, so more security issues will arise in the future.

How do we protect our critical infrastructure against attacks such as the one demonstrated by the Aurora Project and the one realized by Stuxnet? First, access to machine-to-machine systems has to be tightly controlled. If possible, USB drives should be disabled or not provided at all. Second, a means of continuously updating the security defences at the whole-network level needs to be implemented, even if the network itself is not connected to the public internet. For example, Wedge BeSecure provides a way to update its security signatures once per hour in an offline mode, a feature that was requested by infrastructure operators to stop the spread of malware such as Stuxnet in their private networks. Third, security policies need to be enforced at the application content level to block malicious instructions while allowing legitimate instructions to go through.

Posted in Latest Security News

Today’s Patch Tuesday highlights that the Windows Help and Support Center can be a popular source of vulnerabilities


Today’s Patch Tuesday marks two key events. The first is that, for the first time, Microsoft has been able to deliver a patch for a zero-day attack with a 33-day turnaround. The second is a reminder of how protocol handlers can be a popular source of vulnerabilities.

This zero-day vulnerability was discovered by Google’s Zurich-based researcher Tavis Ormandy and lies in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003.

For those technically inclined, you can read more about today’s Microsoft Patch Tuesday patches at the end of the message, courtesy of Ryan Naraine here. But for those of you who want to quickly appreciate this vulnerability and get a feel for how serious this zero-day attack is, type the following into the address bar of your Internet Explorer browser:

hcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>

You should find your browser prompting you to save a ‘file’ but, in effect, invoking the Windows Help and Support Center. In his posting, Tavis goes further and provides a script through which this exploit can be used to completely take over your Windows server; you can read about it here.

This provides yet another case for why network-based deep content malware inspection is required. BeSecure administrators can simply add a regular expression that blocks ‘hcp://’ invocations.
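The following is an added illustration, not code from the post or from the BeSecure product, of what such a content-level rule has to do to be effective: a bare match on the literal string hcp:// misses mixed-case and percent-encoded spellings of the scheme, so the content is normalised (percent-decoded to a fixed point and lower-cased) before the pattern is applied. The sample lines are constructed; the BeSecure rule syntax is not assumed.

```python
import re
from urllib.parse import unquote

# Pattern for invocations of the Windows Help and Support Center protocol
# handler. It is applied to normalised text, so a case-insensitive literal
# with a word boundary is enough; "hcp-guide" in an https:// URL is not hit.
HCP_SCHEME = re.compile(r"\bhcp://", re.IGNORECASE)


def normalise(content: str) -> str:
    """Percent-decode to a fixed point (bounded) and lower-case the text."""
    cur = content
    for _ in range(3):  # bound the loop so nested encodings cannot spin forever
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def contains_hcp_invocation(content: str) -> bool:
    """True if the content references the hcp:// protocol handler."""
    return HCP_SCHEME.search(normalise(content)) is not None


def scan_lines(lines):
    """Return the indexes of the lines a content filter should block."""
    return [i for i, line in enumerate(lines) if contains_hcp_invocation(line)]


# Constructed sample lines, not captured traffic.
SAMPLE = [
    '<a href="http://example.test/help.html">Help</a>',
    '<iframe src="hcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>">',
    '<a href="HCP://services/search?query=foo">search</a>',
    '<script>location="%68cp%3A%2F%2Fsystem/sysinfo/sysinfomain.htm";</script>',
    'See the help centre guide at https://support.example.test/hcp-guide',
]

if __name__ == "__main__":
    for i in scan_lines(SAMPLE):
        print(f"block line {i}: {SAMPLE[i]}")
```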

Posted in Latest Security News

Wedge Networks is Solution of Choice for Wmode



CALGARY, ALBERTA–(Marketwire – 07/06/10) – Wedge Networks Inc. (Wedge), a technology leader in high performance network-based web security solutions, announced today that its BeSecure Web Security appliance is the Network Security Appliance of choice for Wmode.

Wmode is a global leader in providing outsourced Mobile Content Distribution and Service Management for mobile operators, content publishers, media companies and advertising networks. It offers a complete suite of technologies and services as a managed service to enable mobile operators, MVNOs, content providers, media and brand companies to deliver a broad range of rich media content and services to their consumers. ClearMode, the first complete distribution solution for content and App Stores, has been operated as a managed service since 2002, providing services for companies such as Orange, Rogers, Leap Wireless, Maxis and Videotron.

Posted in Wedge News

Hackers Vandalize 200 Websites, Cripple 150



Is YOUR website protected?

Posted in Latest Security News

Critical PDF Reader Patch Fixes ‘/Launch’ Command Attack Vector



Posted in Latest Security News

Hello To The Wedge Networks Community!


Welcome! Wedge Networks has started its social media presence with this Community Discussion Page, where the Wedge community (current customers, partners, followers, fans and evangelists) can come together to find out about the latest network security news and have open discussions about the wide variety of issues affecting the industry. This site will keep you informed about the latest product news and happenings, both within Wedge and in the community as a whole. Again, welcome! Feel free to browse, post articles of interest, and discuss topics that you consider relevant in this ever-changing industry!

Posted in Wedge News