Vulnerabilities in SCADA (Supervisory Control And Data Acquisition) are perceived as rare, however let us not overlook the fact that most SCADA systems deployed today are either controlled and monitored by software running on "standard" operating systems (i.e. Windows, Linux) or are themselves based on these operating systems. Thus the systems are probably exposed to a plethora of vulnerabilities known to affect these platforms. 

Last year, a short video clip was published with the results of a "secret" experiment on exploiting SCADA systems. Researchers spent a lot of time and money showing that sending specific command sequences to a generator would end up causing irreversible damage (as indicated by the inevitable smoke coming out of the tormented device). The truth is that they could spend 1/10 of the time and money by showing that if you turn off the cooling system of the generator (probably controlled by a Windows computer) you'll get the same effect.

All these SCADA exploits are just a reminder that most "civilization support" systems today are controlled by computers, most of them using standard operating systems, not to mention a web interface. It is definitely the time for governments all over the world to start setting and enforcing regulations not only for financial systems but also for those "civilization support" ones.

This seems like big news, even security expert Bruce Schneier took the time to blog about this research. The researchers conclude that current patch distribution schemes are insecure. The researchers do provide alternatives but for the meanwhile I find that these claims aren't mature enough, in a security manner of speech. After all, is that what we want - that Microsoft eliminates its patching process now that it knows that the vulnerability may be exploited as a result of distributing the patches?

That said, the research do have a point - the timeframe of hackers to attack unpatched systems is quite large when these systems rely on patch deployment as their sole means of protection.

This argument actually strengthens my claim that it is necessary to deploy 3^rd party components which provide virtual patching in order to minimize the window of opportunity for attackers. These virtual patches can be deployed quickly, providing a fast response time to protect against a potential attack by acting as the front guard before the system itself is properly fixed and updated.

• Xradia, in Concord, Calif., builds nondestructive X-ray microscopes used widely in the semiconductor industry, so it may be looking at a new method of inspecting chips based on soft X-ray tomography. Soft X-rays are powerful enough to penetrate the chip but not strong enough to do irreversible damage.
• Luna Innovations, in Roanoke, Va., specializes in creating anti-tamper features for FPGAs.  Their approach may involve narrowing down the number of possible unspecified functions. Chip security [is compared to] to a barricaded home. The front door and windows might offer vault-like protection, but there might be an unknown window in the basement. The Luna researchers are looking for the on-chip equivalent of the basement window.
• Raytheon, of Waltham, Mass., has expertise in hardware and logic testing. The company would use Boolean equivalence checking to analyze what types of inputs will generate certain outputs.
  

The Oklahoma Department of Corrections website was vulnerable to SQL Injection not by mistake but by design. Exposing information not only belonging to sex offenders (exposing the exposed), but also of other offenders. And as the SQL vulnerability had appeared through the state's Sexual and Violent Offender Registry, it actually allowed anonymous Web users to report their neighbor that moved the fence by 2 inches as a violent sex offender...

1. List of recommended capabilities. Tasks "that a WAF should be able to do"
   
2. More advanced capabilities listed as "additional recommended capabilities for certain environments".
3. Even more advanced capabilities listed as "additional considerations"

1. Prevent data leakage--meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.
2. Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data is not otherwise inspected at another point in the message flow.
   

This attack exploits an SQL injection vulnerability in order to inject HTML code into pages that create an IFRAME which downloads a malicious payload into the victim's browser. The Hacker Webzine gave quite a thorough analysis on this type of attack [traceback] - to summarize, the attacker uses a hexadecimal notation to represent character strings which contain the commands to be executed in the DB server. Unfortunately, traditional signatures against SQL Injection will not catch an attack vector using this evasion technique as mentioned is a past whitepaper of mine. This current massive SQL Injection attack has reminded me of the other immense SQL Injection attack which took place at the beginning of March. In that attack, hackers injected IFRAME tags to Websites' search result which eventually get indexed by Google. That attack in turn reminded me of another similar widespread attack which occurred in January which redirected users of those vulnerable sites to a different domain. In all these cases huge amounts of websites have been infected by script injection, using a single non-customized attack code. There must have been some kind of automation for so many sites to have been compromised within such a short time period. My guess is that the attacker used a botnet and Google searches to launch the attack, two techniques that combined together result in a tremendously fast and efficient distribution of malware. Search engines used as a platform for malware distribution is not a new concept, "The Search of Death" as described by the Imperva ADC warned of a mega-worm crawling its way to vulnerable websites using search engines, and we've seen the proliferation of the famous SantyWorm which defaces websites by exploiting certain php vulnerability - finding those vulnerable machines just by searching Google.

It would be interesting to see the details of these attacks unravel. Unfortunately, I do not believe that these massive attacks will fade out in the short run. On the contrary, I believe that the usage of SQL Injection as a method of site defacement and malware distribution will continue to be one of the most-spoken about security challenges we face this year.

• Manual review of application source code
• Proper use of automated source code analyzer (scanning) tools
• Manual web application security vulnerability assessments
• Proper use of automated web application security vulnerability assessment (scanning) tools.

The operational burden involved in patching production system across an enterprise is such that it effectively limits patching frequencey to once or twice a year. Even if we are the optimistic type of DBAs, we still have to assume a time frame of weeks until a patch is deployed. This is a huge window of opportunity for hackers to launch their attack campaigns. We have seen actual attack campaigns popping up as early as a day after a patch has been released.

Leaving aside the time required for patch deployment, the fact that a security patch was released means that the vulnerability was already known to the vendor for several months, even up to 24 months... The vulnerability itself might have been present in the product for years (I have personally reported a vulnerability to a vendor, which has been present in all versions of the product for 10 years). Take for example the latest "Pwn to Own" contest by TippingPoint. The Vista Laptop was cracked, as Shane Macaulay exploited a Flash vulnerability. A few days later, Adobe announced that it knew of this bug, apparently it had been reported 5 months earlier, and yet the appropriate fix has been shipped out only last week. It is naïve to assume that the "bad" guys get to know about the vulnerabilities only when the patches are released. After all, malware markets are thriving and clandestine organizations pay top money to "security experts" to go ahead and find these security gaps (See talk by "Geekonomics" author David Rice who lectured on this underground world at last week's IT 360 conference in Toronto).

I haven't even mentioned yet the Botnet industry as a global industry as presented at the panel discussion on Wednesday's RSA 2008 Conference, didn't even start to talk about the operational hazards involved in patching production applications (see Microsoft's IIS patch problems last year and the list of software that would fail to correctly function when SP1 is applied to Windows Vista).

So, in fact we see once again that there is a huge window of opportunity for hackers to exploit known vulnerabilities where organizations rely on patching as their first line of defence. This of course calls for a different type of security solution provided by 3rd parties to provide timely detection of published vulnerabilities, as well as protection against 0-day attacks, without impacting the stability of the protected server / application. This type of solution in the form of an independent security gateway (sometimes referred to as "Virtual Patching") is probably a must have in today's turbulent information security reality.

On a completely different note, I'd like to mention an incident which happened last week where 370,000 HSBC customer details were lost. Originally, these records were supposed to be sent electronically through an encrypted channel under a well-established security policy. However, communication was down on a certain day and the records were sent via a courier service, but never really arrived as the disc got lost. Sort of reminds me of last year's incident where JFCU meant to transfer a file on an encrypted disk sent by courier, according to their set security policies, and because of some transmission error, the file was posted to the printer's Web site in an unencrypted format, the site later being indexed by Google for anyone to see. Seems that Murphy's Law which instates that if something may go wrong, it will go wrong definitely applies in the security realm - each time a security policy is bypassed, expect a security breach to happen.

I attended one of the most interesting customer meetings yesterday. It was interesting because the customer is asking to deploy SecureSphere in order to protect the entire universe. His universe. As you can guess, this company (let's keep the name to ourselves) is developing one of the coolest games. This is a multilayer online game that has its own economy. This economy is managed by the users and just like any other economy; some users are more corrupt than others. SecureSphere is protecting the treasury database, ensuring that (real life) gamers will not cheat and destroy the (virtual) economy. Just imagine that a virtual bank will start to offer cheap loans to other users that can not afford to pay mortgages... it can destroy the economy.... In short, I was very excited to learn about this opportunity and watch how imagination sometimes is well connected with reality.

So how is the car related to this post? On the way to the data center, we spotted one of those beauties. The Bugatti Veyron is the most powerful, most expensive, and fastest street-legal production car in the world, with a proven top speed of over 400 km/h (407 km/h or 253 mph). The title of the most expensive mass production car in the world comes with a price tag of $1,700,000. Watching this car and thinking about the economy, one can REALLY understand why treasury applications should be protected. Not just in the virtual world.   

Boston, MA

Today, I participated in a security panel that was (very well) organized by our partner, Netanium Network Security, Inc. Four different vendors, focusing on solving different aspects of information security, answered the moderator's questions and guided the audience through our collective experience. One of the guys at the audience asked us "what makes you better than your competitors". Each vendor answered slightly different, yet very similar, highlighting manageability, flexibility, scalability, ease of use etc. I decided to give a different perspective and explained that in my opinion, the reason that customers select our solutions and choose us as their trusted application data security and compliance companion is due to our ability to perform two tasks better than anyone else: 1) Being visionary, passionate and know exactly what needs to be developed and delivered in order to solve the problem, address customer needs, fit into their environment and create a platform for growth. 2) Ability to execute, as it is not enough to have a great vision. A great company is capable to take its vision and create the right products, providing the best support and deliver the necessary services.

I guess that in a way, I was saying that our solutions are better since we have faster products; it can be managed easier, scale better and provide the necessary flexibility. But we will sustain this advantage by continuing to deliver our vision.

What a great start for my first blog post with our new blogging system. Information security magazine published a review of six (6) web application firewall products. Beside winning this shoot-out review and scoring top marks in each category: ease of installation and configuration; administration; depth of security policy control; monitoring, alerting, auditing and reporting; and overall security effectiveness. SecureSphere received a rare compliment. The magazine names it "The closet thing to a silver bullet". Anyone in the security industry will tell you that "there is no silver bullet". I tend to agree. No product is perfect and its effectiveness is based on the defined policies and how well it's being integrated into the network, and more important the business process.  SecureSphere is not different in that sense, however, its administrative interface, security capabilities, multiple deployment options and depth of policy control makes it unique and different.  The metaphor of the silver bullet applies to any straightforward solution perceived to have extreme effectiveness, and when we're thinking about it, SecureSphere is indeed the closest thing to a silver bullet for application security and compliance: it was designed, engineered and built to solve application security problems.

Anyone that had to hunt werewolves, know what I'm talking about. http://en.wikipedia.org/wiki/Werewolf).

Read more about the review at http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1303838,00.html