The Rickety World of Industrial Control Systems

Industrial Control Systems (ICS) run everything from waste water to nuclear power.  Unfortunately, they are on pretty shaky ground.

During the Cold War, Ronald Reagan’s CIA convinced the Russians to use American control software to manage a gas pipeline in Siberia.  Unfortunately for the Russians, the CIA placed a few time bombs in the software, and after it had been in use for a while, the software caused the pipeline to over-pressurize itself and blow up.  The explosion was so big that you could see it from space (see article).

The objective was to mess with the Russian economy and it worked.

Any wonder why the Chinese do not want to use Western technology, especially in their critical systems?

Well, things have not changed much in the last 30 years.  OLE for Process Control or OPC controls a lot of power, water and other plants.  Guess what – it only runs on Windows XP, the operating system that Microsoft stopped supporting last year.  That does not mean that all the bugs are out of it – just that the new ones don’t get patched.

Part of the problem with the ICS world is that when it first started, everything was connected to the controller with purpose-laid, direct wires.  Then the Internet and wireless were invented and people figured out that they could save money by not running all those wires.  Of course the controllers didn’t change – they didn’t add encryption, authentication or logging.  There are some band-aids, but they are just that.

We were able to blow up Iran’s centrifuges.  Maybe we are the good guys, but don’t fool yourself into thinking that the bad guys aren’t trying to attack our infrastructure.  They are.  And don’t fool yourself into thinking that we are so much smarter than them that they can’t do to us what we did to them.  The Department of Energy’s Idaho National Lab demonstrated years ago that they were able to cause a one megawatt generator to execute that famous computer instruction – halt and catch fire.  Literally.  You can watch it on YouTube.

So why don’t we fix it?  Do you have a few billion dollars to spare?  It would require redesigning most of our existing infrastructure to do that.  Actually, maybe a few tens of billions.

And, we would need to take that infrastructure offline while we do that because, let’s say, there is a valve that controls the flow of gas or water or sewage.  That valve is either on the new system or on the old system, typically not both.  You probably could leave both valves in there, but that makes it even more complicated.  Multiply that by millions of valves, gauges and other sensors.  As they say, it’s complicated.

And, we haven’t had a power plant blow up lately.  At least not that we know of.

So since the world does not APPEAR to be broken, we tend to leave well enough alone.  Until it is a crisis.  Here is another article on the subject.

We are likely going to live with this very fragile ecosystem until all the existing infrastructure gets replaced.  Like in a hundred years.

That is not a comforting thought.

Wait, maybe this is more comforting.  It could get fixed sooner if we have an incident like the Russian gas pipeline explosion described at the beginning of the article.  No.  That’s not more comforting. Forget I suggested that.


News Bites

In case you were wondering, Siri is not being faithful.  Apple, Microsoft and other tech companies are sharing your voice with third parties.  But before you go ballistic, they are not selling the data.  Third parties such as Walk N’ Talk get your speech from these companies so that they can validate the quality of the speech translation.  And yes, it is a human being who has a job to listen to you and score Siri (see details).  And yes, people do tell Siri some strange and naughty things.  I wrote about Samsung doing something similar a few weeks ago.

CERT at Carnegie Mellon is reporting an mDNS amplification DDoS (distributed denial of service) attack.  DDoS attacks take a web site down by overwhelming its servers in a variety of ways.  The effect, no matter the method, is that legitimate users cannot use the web site.  Banks are often attacked this way.  Amplification attacks are ones where the attacker can send a small number of bytes out and the reply is much bigger.  In this case, for each 1 byte of bandwidth the attacker needs to initiate the attack, he gets 10 bytes of attack traffic to the web site he is trying to take down.  In this mDNS attack, the attacker sends a request to a poorly configured mDNS server with a fake source address, and the server sends a large reply to the site being attacked.

In theory, mDNS servers should only respond to requests from their own local network, but researchers found at least 100,000 misconfigured servers that would respond to any address.  This means an attacker could send a 100 byte request to 100,000 servers and deluge a target server with 100 megabytes of trash.  Do this enough times per second and you will take down the target.

Since the traffic looks like it is coming from 100,000 servers all over the Internet, these attacks are much harder to stop.
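To make the mechanism concrete from the defender’s side, here is an added example (not from the CERT note or the original post) that looks at flow records from the network that hosts the mDNS responders.  It flags queries on UDP/5353 that arrive from off-link addresses (an mDNS responder should only answer its own link, so these are the spoofed requests a reflector would be answering) and, per off-link target, totals the bytes that went in versus the bytes that went back out, which is exactly the 1-to-10 ratio described above.  The local network, the flow records and the addresses are constructed sample data.

```python
"""Spot mDNS reflection/amplification in flow records, from the reflector
network's point of view.  Added example, not part of the original post."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

MDNS_PORT = 5353

# Constructed local address space (assumption): the network whose mDNS
# responders we are auditing.  A responder should only answer queries that
# arrive from its own link, so anything from outside it is suspect.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows (not real traffic).  The first pair is a normal
# on-link exchange; the rest are small queries carrying an off-link, spoofed
# source (the victim) and the much larger answers our hosts send back to it.
SAMPLE_FLOWS = [
    Flow("192.168.1.15", 5353, "224.0.0.251", 5353, 80),
    Flow("192.168.1.20", 5353, "192.168.1.15", 5353, 300),
    Flow("203.0.113.10", 40001, "192.168.1.20", 5353, 100),
    Flow("192.168.1.20", 5353, "203.0.113.10", 40001, 1000),
    Flow("203.0.113.10", 40002, "192.168.1.21", 5353, 100),
    Flow("192.168.1.21", 5353, "203.0.113.10", 40002, 1100),
    Flow("203.0.113.10", 40003, "192.168.1.20", 5353, 100),
    Flow("192.168.1.20", 5353, "203.0.113.10", 40003, 1000),
]


def is_off_link(addr, local_nets=LOCAL_NETS):
    """True for a unicast address outside our local networks.  Multicast
    destinations (224.0.0.251 for mDNS) are normal and never 'off-link'."""
    ip = ipaddress.ip_address(addr)
    return not ip.is_multicast and not any(ip in net for net in local_nets)


def out_of_scope_queries(flows, local_nets=LOCAL_NETS):
    """Queries to UDP/5353 whose source is not on the local link.  A responder
    that answers these is a usable reflector and should be firewalled or fixed."""
    return [f for f in flows
            if f.dport == MDNS_PORT and is_off_link(f.src, local_nets)]


def amplification_report(flows, local_nets=LOCAL_NETS, min_ratio=5.0):
    """Per off-link target: bytes of queries claiming to come from it, bytes of
    mDNS answers our hosts sent to it, the resulting amplification ratio, and
    which local hosts acted as reflectors.  Only targets at or above min_ratio
    are reported."""
    stats = defaultdict(lambda: {"query_bytes": 0, "response_bytes": 0,
                                 "reflectors": set()})
    for f in flows:
        if f.dport == MDNS_PORT and is_off_link(f.src, local_nets):
            stats[f.src]["query_bytes"] += f.nbytes
        elif f.sport == MDNS_PORT and is_off_link(f.dst, local_nets):
            stats[f.dst]["response_bytes"] += f.nbytes
            stats[f.dst]["reflectors"].add(f.src)

    report = {}
    for target, s in stats.items():
        ratio = (s["response_bytes"] / s["query_bytes"]
                 if s["query_bytes"] else float("inf"))
        if ratio >= min_ratio:
            report[target] = {
                "query_bytes": s["query_bytes"],
                "response_bytes": s["response_bytes"],
                "ratio": ratio,
                "reflectors": sorted(s["reflectors"]),
            }
    return report


if __name__ == "__main__":
    for q in out_of_scope_queries(SAMPLE_FLOWS):
        print(f"off-link mDNS query {q.src}:{q.sport} -> {q.dst}:{q.dport} ({q.nbytes} B)")
    for target, s in amplification_report(SAMPLE_FLOWS).items():
        print(f"{target}: {s['query_bytes']} B in, {s['response_bytes']} B out, "
              f"x{s['ratio']:.1f} via {', '.join(s['reflectors'])}")
```

On the sample data the two local hosts answer 300 bytes of spoofed queries with 3,100 bytes of replies, a little over 10x, which is the figure in the CERT report.  The fix on the responder side is the one the post describes: only answer queries from the local link, and drop UDP/5353 from outside it at the border.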

Uber is a disruptive business model, and disruptive business models are messy.  Wired is reporting a new trouble Uber is having.  Besides the regulatory challenges, the lawsuits over drivers soliciting customers and worse, and district attorneys suing them for conducting bogus background checks, there is a new problem.  Uber’s new security chief Joe Sullivan, whom they stole from Facebook, has to deal with claims that a Denver Uber driver tried to break into a customer’s house after taking the customer to the airport.

Think about that for a minute.  Talk about an affiliated business arrangement.  The driver takes you to the airport, chatting up on the way.  He finds out where you are going, how long you are going to be gone and if anyone will be home.  He then uses that information to break into your house or sells those leads to other burglars for cash.  Now that is a synergistic business model.

Administrator Accounts

UPDATE:  For those of you who are Mac users and laughing at the poor Windows users, this affects you too.  The Rootpipe malware silently escalated its privileges to your maximum privileges to launch an attack on your system.  Apple just recently fixed this, but ONLY FOR THE CURRENT VERSION OF OS X – apparently, it was a pain to fix.  So, this is good practice for both Windows and Mac users.

Most home users, at least on Windows and probably on the Mac, have the userid that they log in with every day set to be a local administrator.  Unfortunately, this is often the case in small businesses (and some large businesses) as well.

The reason people do this is that certain actions require you to be an administrator, and if you are not running as an administrator, you will either have to log off and log on as the administrator or see a pop up prompting you to enter the userid and password for an administrator account.  Installing a new program or adding a printer are examples of when this happens.  In companies where the user is not given an administrator level account, they would need to open a help desk ticket.  This annoys the user and makes work for the help desk, so security goes out the window.

Years ago – like when Windows XP was first released – there were a lot of programs that required administrator level accounts just to run because they were poorly written.  When Microsoft added the UAC feature (user account control) and businesses stopped giving users administrator permissions, these companies got a lot of tech support calls and probably lost customers, so they fixed it so that you did not have to be an administrator to run the program.  The most common reason that you had to be an administrator is that the programs wrote to system protected folders, which is a no-no anyway.  There are still a few programs that the average bear might use where you need to be an administrator, but they are rare.

The downside to logging in every day as an administrator is that IF your computer becomes infected with malware, the malware can do anything to that computer – anything.

Where we are seeing this the most is with Ransomware malware like Cryptolocker.  Cryptolocker encrypts your files and suggests that if you pay them a ransom (typically a couple of hundred to a couple of thousand dollars), then they will send you the keys to decrypt your files.  Of course, if you have good backups, you can tell them to pound sand – or just ignore them.  If you don’t have good backups – and the files are important – then, for the most part, you have to pay the ransom.  Some variants of the malware not only encrypt your data files but also encrypt system files – effectively turning your computer into a very expensive brick.

If, when the malware is installed or activated on your computer, you are not running in the role of an administrator, the malware can do less damage.  In this case, less is definitely more.

To add insult to injury, if you have network access (like to a file server) or if you are an administrator in a small business and you have write access to other servers in the company (see this post from a few months ago – a non-profit organization lost their entire company infrastructure because an administrator was linked to all the company’s servers with write permissions), the effect can be, shall we say, dramatic.

This is a perfect example of convenience vs. security.

If avoiding the occasional extra login with elevated permissions matters more to you than avoiding having all of your important files at home or work encrypted, then the all too common practice of running as an admin is a good strategy.

If, on the other hand, you don’t want to have to explain to the CEO of your company or your household (likely by looking in the mirror) why your systems are down, why you can’t get any work done and why you have to go buy some bitcoins and send them to Russia or China, then that extra step of NOT being a local (or, worse yet, domain) administrator at work is a really good plan.  At work, this can be a “resume generating event”.

Convenience, security.  Pick either one.  You don’t get both.

See this article for some additional details.
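A first step toward the practice recommended above is simply finding out which everyday accounts are local administrators.  The following added example (not from the original post or the linked article) parses the output of Windows’ `net localgroup Administrators`, compares the members against the accounts people actually sign in with every day, and also reports whether the current session is elevated, the state in which ransomware can touch everything rather than only the user’s own files.  The `net localgroup` output and the daily-login list are constructed sample data; the elevation check uses `IsUserAnAdmin` on Windows and the effective uid elsewhere.

```python
"""Least-privilege check for everyday accounts.  Added example, not from the
original post: it parses (constructed) `net localgroup Administrators` output
and reports which daily-login users are local administrators, and whether the
current session itself is elevated."""
import ctypes
import os

# Constructed sample of `net localgroup Administrators` output from a Windows
# workstation: members are listed after the dashed line, one per line.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
alice
CORP\\it-helpdesk
The command completed successfully.
"""

# Constructed: the accounts people actually sign in with every day.
DAILY_LOGIN_USERS = ["alice", "bob"]


def parse_net_localgroup(output):
    """Return the member names listed under the dashed separator line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return []
    members = []
    for line in lines[start + 1:]:
        name = line.strip()
        if not name or name.startswith("The command completed"):
            continue
        members.append(name)
    return members


def everyday_admins(members, daily_users):
    """Daily-login accounts that are also local administrators.  Domain
    prefixes (CORP\\user) are stripped so 'CORP\\alice' matches 'alice'."""
    admin_names = {m.split("\\")[-1].casefold() for m in members}
    return [u for u in daily_users if u.casefold() in admin_names]


def session_is_elevated():
    """True if this process runs with administrator/root rights: the state in
    which malware running as you can do anything to the machine."""
    if os.name == "nt":
        try:
            return bool(ctypes.windll.shell32.IsUserAnAdmin())
        except (AttributeError, OSError):
            return False
    return os.geteuid() == 0


if __name__ == "__main__":
    members = parse_net_localgroup(SAMPLE_NET_LOCALGROUP)
    print("Local Administrators:", members)
    print("Everyday accounts with admin rights:", everyday_admins(members, DAILY_LOGIN_USERS))
    print("This session is elevated:", session_is_elevated())
```

On the sample, `alice` shows up as both a daily login and a local administrator, which is exactly the arrangement the section argues against: the remedy is a separate, rarely used admin account and a standard account for daily work, with UAC prompting for the admin credentials on the occasional install.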

U.S. and China Spar Over Cyber Security Rules

China announced recently (see post) that they were going to stop buying western tech, much to the dismay of companies like Cisco, which sells $2 billion a year in China.  Whether this is a move to counter the NSA or just a way to increase the sales of Chinese made tech is unclear.

Now the Chinese are saying (see article) that they want all encryption keys, back doors into equipment and to track personnel who have access to equipment.  Of course, this is no different from what the FBI and NSA would like, but in China, they can just do it.  Treasury Secretary Jacob Lew (see article) asked the Chinese to delay some of these requirements, but it is unclear which rules are being delayed or for how long.

One of the Chinese requirements is for western tech companies to hand over their source code for “review” (or perhaps to give to Chinese competitors).  Western tech companies need to consider whether the risk to their IP is worth the sales.  For example, for Cisco, $2 billion represents about 4% of their sales.  If they do give the Chinese their source code, how do they control its redistribution?  What if the Chinese find vulnerabilities?  The Chinese have even less motivation to tell Cisco than the NSA does.

Another requirement is to give China all encryption keys.  It is not clear how this is done exactly, because for the most part, users choose their own encryption keys.  When you set a key, do they have to silently send a copy to the Chinese government?

If they agree to do this, do they then do the same thing for the NSA, FBI, DHS and others?  It might be hard to argue that they won’t give the NSA or FBI the same concessions that they give to China.

And if they do create back doors for these guys, how do they make sure that the bad guys don’t find out about them?

It seems like a mess from my point of view.