The Biggest Hole – Keeps Getting Bigger

October 16th, 2011 - יח תשרי תשעב

It is amazing that, over two years after I wrote my post The SCADA Scandal, the problem still exists. Nay, it grows larger, seemingly daily.

In a short but succinct post below, which was first posted here and is graciously made available to readers of this blog, Mourad explains:

 

An Italian security researcher recently revealed details of several vulnerabilities in supervisory control and data acquisition (SCADA) systems from multiple vendors.
Luigi Auriemma has released details and proof of concept code for 6 vulnerabilities affecting popular SCADA systems.
“Most of the vulnerabilities allow remote code execution, many of them are easy to use,” – says Luigi Auriemma. “At least three vendors have released patches, and Rockwell Automation is working on it right now.”

The affected products are:

  • Beckhoff TwinCAT ‘TCATSysSrv.exe’ Network Packet Denial of Service Vulnerability
  • Rockwell RSLogix Overflow Vulnerability
  • Measuresoft ScadaPro Multiple Vulnerabilities
  • Cogent DataHub Multiple Vulnerabilities
  • AzeoTech DAQFactory Stack Overflow
  • Progea Movicon Multiple Vulnerabilities

 

It is amazing that we keep finding these holes daily.  Forget Stuxnet and the STARS.  These still exist in everyday life-support infrastructure and utilities networks we depend on for our very civilization.   Until when will they be allowed to exist unmitigated?

 

 

Permalink:http://arielsilverstone.com/scada/the-biggest-hole-keeps-getting-bigger/

 

Cyberwar Iran 2009: Part XXI – 2010, A Legal Odyssey

August 21st, 2010 - כב אב תשע

Today, a CNN.com article stated that, predictably, 

Earlier this week, New Jersey-based Iranian blogger Mehdi Saharkhiz filed a lawsuit in a U.S. federal court against Nokia Siemens Networks on behalf of his father, Isa, who has been in an Iranian prison since July 2009.

 

In what is sure to be the baseline of its defense, Nokia-Siemens stated that the lawsuit is brought "in the wrong place, against the wrong party and on the wrong premise". Oddly enough, NSN is not disputing that their equipment was used to spy on Iranian people, a defense they used in the past that now proves to be disingenuous. There is no doubt that the Nokia-Siemens company, technically managed by a shell group of managers in Germany, was used to perform the surveillance after last year's elections in Iran, and that the result of such surveillance was the arrest, rapes, and executions of many people who dared speak against the government there.

Nokia-Siemens also states, to the European Union Parliament, no less, that they left Iran in early 2009, and that they sold their last monitoring center there in March 2009.

…soon after our formation as a company, we made a decision to exit from the monitoring center business, and closed a transaction to divest our remaining assets in March 2009, well before the disputed election in June. …

Really?

Nokia Siemens Is Lying.  Again.

The company's own website has open jobs in Iran: Want one?

A simple search on LinkedIn shows that there are at least 76 people that list their current employer in Iran as Nokia-Siemens. At least one of them has the title "Country Manager", a title which indicates that (a) there is enough business in that country to need a designated manager and (b) that the company is not based in Iran.

And here is an employee that started working at NSN-Iran in January 2010.

Isn't it time for Nokia-Siemens to tell the truth?  Should they not divest and stop supporting that despotic, crazy, regime?

As for what we can do?

Well, we need to stop buying Nokia, Siemens, or Nokia-Siemens products. We need to assess if anyone we find who works for NSN has a professional certification, especially around HR, Security or Networking, and complain to the certification organizations' boards, and ask for those certifications to be revoked (for performing unethical work).

 

And I would love to hear more ideas on how we can punish the Iranian government…   This Iranian Legal Odyssey should succeed further in punishing the Iranian regime for choosing its pariah way.