Yesterday DHS ICS-CERT published an updated Joint Security
Awareness Report (JSAR) on Shamoon and an advisory for an Optimalog vulnerability
reported last year by Luigi.
Shamoon
US-CERT/ICS-CERT updated their earlier
advisory on Shamoon. The new
version adds almost three pages of mitigation measures that organizations
can take to protect themselves (actually only reduce their vulnerability) against
a Shamoon attack. The JSAR divides the mitigations into ‘tactical’ and ‘strategic’
measures. The measures are an interesting mixture of the common (‘Ensure that
password policy rules are enforced…’), the old school (‘Execute daily backups
of all critical systems.’) and new form (‘the whitelisting of legitimate
executable directories…’) security measures. Implementing all of the
recommended actions will require a lot of work, particularly training.
There still isn’t anything in the JSAR that reports any specific
ties of Shamoon to control systems. Of course, with the small number of
reported infections it is hard to tell exactly what may or may not be at risk.
At this point this is a low probability high consequence threat. That makes one
question the need to spend the time and money to implement the listed
mitigations. I guess that’s what CSOs get the big money for.
Optimalog Vulnerability
Last November ICS-CERT published an
alert based upon an uncoordinated
disclosure by Luigi for the Optima APIFTP Server system. Yesterday ICS-CERT
published an
advisory on the twin vulnerabilities: a null pointer dereference and a loop
with an unreachable exit condition. ICS-CERT reports that a relatively unskilled attacker
could use the publicly available exploit to remotely execute a denial of
service attack.
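To make the two vulnerability classes in the advisory concrete, here is an added illustration written for this post; it is not the Optima APIFTP code and nothing is known here about how that server is actually written. It uses an invented line-based command, "HEX <digits>", handled two ways: an unsafe handler that dereferences a null pointer when the client omits the argument and that loops with an exit condition (`i != len`) that an odd-length argument can never satisfy, and a hardened handler that rejects both inputs with an error code instead of crashing or spinning. Either defect on its own is enough to take a single-threaded network service down, which is exactly the denial of service the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not the Optima APIFTP code. The "HEX <digits>"
 * command, the function names and the scratch buffer are all invented
 * for illustration of CWE-476 (NULL dereference) and CWE-835 (loop with
 * unreachable exit condition) and the checks that remove them.
 */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* VULNERABLE handler, kept only for side-by-side comparison. */
int handle_hex_unsafe(const char *line, unsigned char *out, size_t outcap) {
    const char *arg = strchr(line, ' ');   /* NULL when the client sends "HEX" alone */
    size_t len = strlen(arg + 1);          /* NULL dereference: the process crashes here */
    size_t i, n = 0;
    /* For an odd len, i takes only even values and never equals len, so the
       loop runs on past the end of the string instead of terminating. */
    for (i = 0; i != len; i += 2) {
        if (n < outcap)
            out[n++] = (unsigned char)((hexval(arg[1 + i]) << 4) | hexval(arg[2 + i]));
    }
    return (int)n;
}

/* HARDENED handler: every failure path returns an error code to the caller.
   Returns the number of decoded bytes, or -1 (no/unknown command or missing
   argument), -2 (odd length or non-hex digit), -3 (output buffer too small). */
int handle_hex_safe(const char *line, unsigned char *out, size_t outcap) {
    if (line == NULL || strncmp(line, "HEX ", 4) != 0)
        return -1;                          /* no argument: nothing to dereference */
    const char *arg = line + 4;
    size_t len = strlen(arg);
    if (len == 0 || len % 2 != 0)
        return -2;                          /* odd length would never reach i == len */
    if (len / 2 > outcap)
        return -3;                          /* bound the write by the caller's buffer */
    size_t n = 0;
    for (size_t i = 0; i < len; i += 2) {  /* '<' terminates regardless of parity */
        int hi = hexval(arg[i]), lo = hexval(arg[i + 1]);
        if (hi < 0 || lo < 0)
            return -2;
        out[n++] = (unsigned char)((hi << 4) | lo);
    }
    return (int)n;
}

/* Small wrappers over a fixed scratch buffer so results can be checked by value. */
static unsigned char scratch[8];

int run_safe(const char *line) {
    memset(scratch, 0, sizeof scratch);
    return handle_hex_safe(line, scratch, sizeof scratch);
}

int run_safe_byte(const char *line, size_t idx) {
    int rc = run_safe(line);
    if (rc < 0 || idx >= (size_t)rc) return -1;
    return scratch[idx];
}

int main(void) {
    /* Constructed client lines: the first two crash or hang the unsafe handler. */
    const char *lines[] = { "HEX", "HEX abc", "HEX 0aff", "HEX zz" };
    for (size_t k = 0; k < sizeof lines / sizeof lines[0]; k++)
        printf("%-10s -> %d\n", lines[k], run_safe(lines[k]));
    return 0;
}
```

The point of the hardened version is not the hex decoding but the shape of the checks: validate the presence of the argument before touching it, reject input that cannot satisfy the loop invariant, and use a `<` comparison so the loop bound holds even if the length assumption is wrong. Those are the same properties a reviewer would look for in any network-facing parser, whether or not a firewall or VPN sits in front of it.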
Optimalog has released a new version that no longer installs
the APIFTP server by default. If the APIFTP server is
to be used, Optimalog recommends configuring “the firewall and VPN accordingly”.
There is no link to any Optimalog document or site that details that ‘accordingly’.
This advisory mentions Luigi’s
uncoordinated disclosure but does not provide links to Luigi’s web page
describing the vulnerability. Nor does it actually mention the original alert.
The latter is unusual, but I thought that ICS-CERT had finally gotten it
through their collective head that they had an obligation to give appropriate credit
to the intellectual property that forms the basis of their report. Reid
Wightman got credit last week, but Luigi doesn’t this week. I’m starting to see
a pattern here; Digital Bond and the Washington Post carry enough weight to
demand acknowledgement, an independent researcher doesn’t.