Category Archives: Safety

100 Million Devices Vulnerable and Likely Never Patched

What could go wrong?

Rushing headlong to deploy billions of Internet of Things devices with no regard to security doesn’t make the security problems go away.

Security researchers today disclosed nine vulnerabilities affecting implementations of the Domain Name System protocol in popular TCP/IP network communication stacks running on at least 100 million devices.

And, like all good vulnerabilities, it has a catchy name: NAME: WRECK.

While this particular bug does affect a lot of IoT devices, it also affects servers.  

The servers are likely to get patched relatively quickly.

The IoT devices?  Well, when was the last time you patched your TV?

Oh, yeah, these vulnerabilities also affect industrial control equipment – like maybe your local water treatment plant or your local electric utility.

According to the researchers at Forescout and JSOF, the bug affects the following TCP stacks:

FreeBSD – this one is used by a whole lot of servers and will get fixed very quickly.

IPNet (AKA VxWorks 6.6) – used in the real-time VxWorks operating system, which is used in a lot of Internet of Things devices.

NetX – Part of the ThreadX real time OS.  It is open source, but maintained by Microsoft as the Azure Real Time OS.  

Nucleus Net – Part of the nucleus OS maintained by a division of Siemens.  It is used in medical devices, industrial control, aerospace, consumer devices and IoT devices.

Hackers who can exploit these bugs can take over the devices.  That means they could, potentially, disable alarm systems, mess with a water treatment plant or make all the elevators in a high rise office go crazy (they won’t likely crash;  that is controlled by a different system).  If the vulnerable software runs a city’s traffic lights, it could, possibly, turn all the lights red.  Or all green.

These are all speculative, but if the hackers control the system, they could do almost anything and even lock the real owners out of the system.

It looks like most of these software packages are maintained.  By big companies – Microsoft.  Siemens.  And while FreeBSD is not commercial it is super maintained.

The problem is this.

DO YOU EVEN KNOW IF THE SYSTEMS IN YOUR COMPANY ARE RUNNING THIS SOFTWARE?  BY SYSTEMS I MEAN THAT CAMERA IN THE CORNER THAT YOU BOUGHT SOMEWHERE FIVE YEARS AGO OR THAT COOL NEW COFFEE MAKER WITH AN APP ON YOUR PHONE OR YOUR TV OR THE AIR CONDITIONING SYSTEM OR WHATEVER.

That is the problem.  The vast majority of these devices will never be patched.  Because people don’t even know they are vulnerable.  Some of those devices will be harmless, but others not so much.

Without a software bill of materials, no one knows what TCP/IP software is used in that smart TV.  Do you get the idea?

One thing that you can do is a really strong job of segmenting your network.  If you need help with that, contact us.

America’s Drinking Water-Easy to Poison

Well that is certainly not a comforting thought.

Last month the public water supply in a small town in Florida was hacked. Only PURE DUMB LUCK protected those citizens. Did the hacker use exotic unknown vulnerabilities to compromise the system? No. The city didn’t even have a firewall, was using software that was no longer being patched, and shared passwords that were never changed.

The mayor of the town declared victory. He said that the staff executed to perfection. In reality, they were lucky that an operator happened to see the hacker move the cursor on the screen after the hacker increased the amount of a poisonous chemical being added to the water by 100 times. This is not perfection. This is more like thankfully, we are not overseeing a mass funeral.

Experts say that these very basic protections are missing in many of the country’s 150,000 public water systems.

Admiral Frank Montgomery, executive director of the Congressionally chartered Cyberspace Solarium Commission likened it to a pilot landing after an engine caught fire in mid-air. Thankfully, we averted a major disaster.

The city claims that they have redundant electronic monitors at the plant to protect citizens. So did the utilities in Ukraine, but that didn’t stop the Russians from blowing up that pipeline several years ago.

The problem does get ugly from time to time (and smelly).

In 2000, a former municipal wastewater contractor in Australia, rejected for a city job, remotely manipulated computer control systems to release 264,000 gallons of raw sewage, which poured into public parks, turned creek water black, spilled onto the grounds of a Hyatt Regency Hotel and generated a stench that investigators called “unbearable.”

This is not news.

As long ago as 2011, Homeland Security warned that hackers could gain access to American water systems using free and easily available Internet tools.

Booz Allen Hamilton said, in 2019, that America’s water utilities are a perfect target for cyberattacks.

And the Cyberspace Solarium Commission last year said that America’s water systems “remain largely ill-prepared to defend their networks from cyber-enabled disruption.”

But Congress fixed the problem in a 2018 law. Now every US water system serving more than 3,300 customers has to conduct a self-assessment of risks. That makes me feel better already. Oh, yeah, the assessments are not due yet, over two years after the law was signed. Tens of thousands of small systems are exempt. These utilities don’t have to do anything with the report. They don’t have to submit it to anyone. They just have to pinky-promise the EPA that they did one. And Congress allocated $30 million to fix any problems. For those that don’t have a calculator handy, that is $200 for each of the 150,000 public water systems. That should handle it.

The EPA is not much better. They said that drinking water systems need $472.6 billion in long-term fixes. But didn’t mention cybersecurity even once.

Part of the problem is money. Another part is an industry full of old timers who understand water but are pretty clueless when it comes to cyber. Finally, regulators are asleep at the switch. None of this bodes well for our safety.

Bottom line is that these water systems are crossing their fingers and hoping nothing happens. While the odds are good in the aggregate, I suspect public opinion will change the first time we kill a few thousand people because we didn’t think it was going to happen here. Credit: Propublica

NSA Says They Have A Big Blind Spot

NSA Director General Paul Nakasone testified before the Senate Armed Services Committee about the recent SolarWinds and Microsoft Exchange hacks. He said that foreign hackers are taking advantage of the Intelligence community’s blind spot – adversaries working INSIDE the United States.

Our adversaries can come into the United States, set up shop on the web, do their damage and be gone before a warrant can be issued – before we can have actual surveillance by a civilian authority.

To be clear, a warrant does not need to take a lot of time to get approved, but the NSA don’t need no stinking warrant. What is different is the FBI and others, most of the time, do need to get a warrant and getting a warrant requires probable cause and probable cause takes time to find. That is a constitutional problem, however. After 9/11, we did a whole bunch of new surveillance and some of that was ruled unconstitutional by the Supreme Court, but not until years later.

The problem is that no one – neither foreign nor domestic – seems to have had any visibility into what the hackers were doing. In fact, neither law enforcement nor the intelligence community actually detected these attacks.

Nakasone said that we can’t connect the dots because we can’t see all the dots. Unlike dictatorships, in the US, we have separation of responsibilities and that does make things more difficult for those people who are tasked with protecting us.

While the NSA can legally intercept almost any signals that they are able to see internationally, inside the U.S., the FBI and others generally require a warrant to access information.

Of course the FBI and the NSA do not need any warrant to intercept traffic inside the government because the government can give them permission to do whatever they like. Given that the government was a major target, that seems like an important piece of information. The executive branch could have collected as much data as they wanted to using existing laws. Did they miss something? Could they have done something differently? Would that have changed the outcome? I don’t know the answer to any of these questions, but they are useful questions to ask.

Some folks – notably NOT General Nakasone – have suggested that the NSA needs to be allowed to spy inside the United States. That presents some minor legal problems, most notably the fourth amendment to the US Constitution.

Other people have suggested that even if we had allowed the NSA to spy on Americans in America, there is no indication that they would have detected these attacks. They might have. Or might not have.

Of course, if the private sector had a way to share their intelligence with the government in a way that protects Americans’ rights and protects the companies that share their data with the government.

I don’t think there is an easy answer. Sometimes the hackers are good – especially when they are using an unlimited bank account, as is often the case with state sponsored hacking.

The feds have been talking about a bill that would require companies to tell the gov about an attack, but that would be after the fact and that probably would not have helped in this case.

Still, we have to put our collective thinking caps on and try to figure out a solution. After 9-11 we came up with some reactionary responses and we are still arguing about the impact of that twenty years later. This time we should probably think about the long term implications. But we do need to think. Credit: The Cybersecurity 202/Washington Post

CISA-ICS CERT Releases 4 ICS Advisories

Earlier this month Homeland Security released 4 different advisories for industrial control system vulnerabilities. This comes in the wake of a successful breach of a water treatment plant in Florida. While that hack took advantage of poor cyber hygiene practices (obsolete unpatched software, shared passwords, etc.), it did call attention to the fact that our critical infrastructure is under attack.

#1 – JOHNSON CONTROLS EXACQ TECHNOLOGIES EXACQVISION

DHS says this vulnerability is remotely exploitable and requires only a low skill level to exploit. It affects all supported versions of the software and can expose sensitive information to hackers. For more details see this ICS CERT ADVISORY.

#2 – Hitachi ABB Power Grids eSOMS

Again, DHS says that this vulnerability requires only a low skill level to exploit. This vulnerability allows a hacker to gain access to report data. For more details see this ICS CERT ADVISORY.

#3 – Hitachi ABB Power Grids eSOMS Telerik

This is a different Hitachi ABB problem and it is related to path traversal (get to a directory that they should not have access to), deserialization of untrusted data, improper input validation, inadequate encryption and insufficiently protected credentials. This scores a 9.8 (out of 10) on the vulnerability Richter scale. A hacker could upload malicious files, steal sensitive data and execute arbitrary code. For more details see this ICS CERT ADVISORY.

#4 – Rockwell Automation Logix Controllers

This is an update to the alert issued last month and this one rates a 10 out of 10 on the vulnerability rating scale. This one is also exploitable remotely and requires low skill to exploit. The vulnerability would allow a hacker to bypass the login requirement, alter the system’s configuration or change the code in the controller. For more information on this alert, see this ICS CERT ADVISORY.

If we look at this as a whole, what do we see:

  • Most can be executed remotely
  • Not limited to a single vendor
  • Most require low skill to achieve
  • Hackers can steal data and/or corrupt the system

If these attacks were applied to systems like the Florida water system that was compromised, you could, potentially, cause physical damage (like an explosion), turn off services (like turn off power or gas) or poison people (as could have happened in the Florida water treatment plant attack).

The other problem is that industrial control system owners are notorious for not applying patches. They are concerned, probably rightfully, that a patch could cause an outage (Microsoft or Apple never, ever, broke anything when applying patches, right?) or stop the system from working.

Unfortunately, given the typically poor cyber hygiene practices and the increased connectivity to the Internet of these systems, along with the information about the vulnerabilities that are now publicly available, don’t be surprised if hackers take advantage of this.

As a consumer, unfortunately, there is not much that you can do. That means it is up to regulators, who are often in bed with the regulatees. (The Chairman of the Texas PUC was just caught on tape reassuring investors that the millions of dollars they stole from Texans during the deep freeze this month was safe and they would not be forced to give it back. AFTER the recording was made public, the Governor asked him to resign – only AFTER.) Given the often too cozy relationship between the PUCs and utilities, I am not counting on much pressure, but we can hope.

Security News for the Week Ending March 12, 2021

Encrypted Phone Firm Sky ECC “Hacked” by Police

Police have arrested 48 people and confiscated 14 tons of cocaine and over a million Euros, after decrypting a half billion messages and listening in on the bad guys for several weeks. The phone company said that they don’t think the encryption was cracked, but rather, they think the police seeded a bunch of phones with a fake version of the app which had a back door and then sold the phones as secure. Once they were able to seed these phones into the criminals’ hands, it was easy (relatively) to decrypt the messages. I don’t have any sympathy for the crooks, and this was very clever on the part of the police. Credit: Vice

FBI Warns of Far-Right Extremists Infiltrating Law Enforcement

The FBI issued a private warning that far right extremists including neo-Nazis are infiltrating law enforcement agencies and even the military in Texas and around the nation. They are doing this for two reasons. One is to find out what intelligence has been gathered on their organizations and second to learn techniques and practices (tradecraft) to use against the police and military if they need to. Evidence of this can be seen in the arrests of law enforcement officers for participating in the Capitol insurrection in January. Credit: Dailykos

UK Proposes Law to let Police Hoover Up Your Phone – If They Ask Nicely

A new UK bill was introduced that would allow the police and others to vacuum up all the data in your phone if you hand it over voluntarily. This comes after a year when the police were accused of vacuuming up too much data from phones which were handed over. People who do let the police extract everything from their phones are given no protections whatsoever. The data can be kept for up to 100 years. They will also introduce a “code of practice”, which while legally binding, is much less binding than a law. Victims of rape are being told that the cops will not proceed with prosecuting the criminals if the victim doesn’t consent to a “digital strip search”. Interesting definition of voluntary. Credit: The Register

Microsoft Removes Proof Of Concept Attack Code Against Microsoft Product from Github

Researchers often share so-called proof of concept code for exploiting bugs. In this case, the code showed how to exploit Microsoft Exchange and Microsoft decided to remove it from GitHub, the public code repository. Surprisingly, Microsoft owns Github and Microsoft has never removed any other Proof of Concept code from GitHub before. The removal is stupid and ham-handed because the code is available at a dozen other repositories anyway and it makes Microsoft look like they are trying to protect their own ass. They said that while they had patched the 10+ year old bugs, finally, the patches had not been out long enough. That might make sense if the code wasn’t available at a lot of other places. Credit: The Register

AMCA Settle Breach Lawsuit with State AGs for $21 Million

Medical debt collection agency AMCA settled a multi-state lawsuit filed by multiple Attorneys General for $21 million, but since they are in bankruptcy, the fine is suspended. They filed for bankruptcy after the breach. They said they spent $4 million as a result of the breach and had to take out a $2.5 million loan from their CEO to pay for that. I gather from this that they had no insurance (really?). In the meantime, there are numerous other lawsuits, so this is far from over. Credit: Cyberscoop and HIPAA Journal

Hackers Are Trying to Kill People

Literally. Serious.

Before there was a refrigerator that could tell you when you were out of milk or a baby monitor that you could listen to from around the world, critical infrastructure like water, power and electric was using Internet of Things technology to give you safe water and make sure the lights stayed on.

Except now, just like hackers want into your bank account, they are trying to hack that critical infrastructure.

For a Florida city, hackers came very close to poisoning the city’s water supply.

Luckily, water plant workers in Oldsmar, Florida, near Tampa, detected that an unauthorized person was remotely logged in. That would have been bad enough.

What is worse is that this person had attempted to change the amount of the chemical sodium hydroxide (also known as lye) from 100 parts per million to 11,100 parts per million.

If they had not detected this, there likely would be a lot of dead people.

The city of course is trying to downplay the situation, but it sounds like the attacker came very close to getting away with it.

You have to understand the lifecycle of this type of equipment and the financial pressure that utilities are under. Some of the equipment is 20, 30 even 40 years old. Needless to say, that old equipment doesn’t have the security features of today’s equipment.

In this case an employee was watching the screen and saw what the attacker did and was able to reverse it. What if the employee was doing something else at the moment?
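As an added illustration (not code from the original post or from the Oldsmar plant), one way a plant can avoid depending on a watchful operator is to check every requested setpoint write against an engineering envelope before it reaches the controller; the dosing limits, the step-size rule and the remote-session policy here are assumed values, and the write attempts are constructed.

```python
"""Setpoint guard for a chemical-dosing tag (constructed example).

Every requested setpoint write is checked against an engineering envelope
before it reaches the controller, so a change like 100 -> 11,100 ppm is
blocked and alarmed even if nobody is looking at the HMI. The limits below
are assumed for illustration, not a real plant's values.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Envelope:
    low: float           # hard lower bound (same units as the tag)
    high: float          # hard upper bound
    max_step_pct: float  # largest single change allowed, as % of current value

# Assumed envelope for sodium hydroxide dosing, in parts per million.
NAOH_PPM = Envelope(low=0.0, high=200.0, max_step_pct=25.0)

def check_setpoint(current: float, requested: float, env: Envelope,
                   remote_session: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). A rejected write should raise an alarm,
    not just fail silently, so the reason is returned for logging."""
    if not (env.low <= requested <= env.high):
        return False, (f"requested {requested:g} outside hard limits "
                       f"[{env.low:g}, {env.high:g}]")
    if current > 0:
        step_pct = abs(requested - current) / current * 100.0
        if step_pct > env.max_step_pct:
            return False, (f"step of {step_pct:.0f}% exceeds "
                           f"{env.max_step_pct:g}% per write")
    if remote_session:
        # Assumed policy: remote-access sessions may read but never write setpoints.
        return False, "setpoint writes from remote-access sessions are not permitted"
    return True, "within envelope"

def evaluate(events: List[Tuple[float, float, bool]]) -> List[Tuple[bool, str]]:
    """Apply the guard to a list of (current, requested, remote_session) writes."""
    return [check_setpoint(cur, req, NAOH_PPM, remote) for cur, req, remote in events]

# Constructed write attempts; the last one mirrors the 100 -> 11,100 ppm change
# described in the Oldsmar reporting, issued over a remote session.
SAMPLE_WRITES = [
    (100.0, 110.0, False),   # routine local adjustment
    (100.0, 150.0, False),   # in range, but too large a single step
    (100.0, 11100.0, True),  # the attack-style change
]

if __name__ == "__main__":
    for (cur, req, remote), (ok, why) in zip(SAMPLE_WRITES, evaluate(SAMPLE_WRITES)):
        print(f"{cur:>8g} -> {req:<8g} {'ALLOW' if ok else 'BLOCK'}: {why}")
```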

Unfortunately, many of these utilities don’t have the money to fix the problem. However, if hackers manage to kill people, these same utilities will find the money.

When I was growing up there were a lot of accidents on the corner where I lived. We kept asking the city to install a traffic light but they had all sorts of excuses why they didn’t want to do it ($$$$$$$$). Then someone died on my front lawn. Amazingly, there was no longer any problem with installing a traffic light. Unfortunately, that seems to be the way it works in America. I hope I am not that victim. Credit: SC Magazine