March 26, 2011, 9:13 PM — A Russian security company plans to release an upgraded exploit pack for industrial control software that incorporates a raft of new vulnerabilities released by an Italian security researcher.
The three-person company, called Gleg, is based in Moscow and specializes in vulnerability research. It recently began focusing on problems within SCADA (supervisory control and data acquisition) systems, which are used in factories, utilities and many other kinds of industrial applications, said Yuriy Gurkin, Gleg's CEO.
Gleg works with the Miami company Immunity, which sells a tool called Canvas, which is a framework for penetration testers wanting to try out the latest exploits against software vulnerabilities, along the same lines as the Metasploit tool.
Gleg supplies Immunity with exploit packs, which are add-ons with specific kinds of exploits, for Canvas. Gleg's main product is Agora, which integrates with Canvas. Agora is regularly updated with publicly disclosed zero-day, or new vulnerabilties and those discovered by its research team.
Canvas allows companies to figure out what kind of information a hacker could obtain, said Dave Aitel, CTO for Immunity.
"If you can't test against zero days, then you are not testing against a real-world situation," Aitel said.
About two weeks ago, Gleg released Agora SCADA+, a new add-on for Canvas, Gurkin said. It contains 27 exploits for SCADA software and will mostly likely have around 35 exploits when an upgrade is released next week, he said.
Gurkin said Gleg is incorporating the exploits written by Luigi Ariemma, who found about 50 vulnerabilities in four SCADA products made by Siemens, Iconics, 7-Technologies and Datac. All four companies had products with remotely exploitable vulnerabilities.
On his website, Ariemma self-published vulnerability details, which were also published on Bugtraq. He did not inform the vendors prior to releasing the information, something that is considered bad form by some in the security community. Officials at two of the vendors -- 7-Technologies and Datac -- said earlier this week they were working on patches.
Gurkin said he believes responsible disclosure practices are out of date.
"We, like Luigi, don't notify vendors," Gurkin said. "This is a waste of time."
However, Gleg's partner Immunity does vet organizations that are interested in buying Canvas to verify they are not going to use the product in a malicious way.