The Rickety World of Industrial Control Systems

Industrial Control Systems (ICS) run everything from waste water to nuclear power.  Unfortunately, they are on pretty shaky ground.

During the cold war, Ronald Reagan’s CIA convinced the Russians to use American control software to manage a gas pipeline in Siberia.  Unfortunately for the Russians, the CIA placed a few time bombs in the software and after it was in use for a while, the software caused the pipeline to over pressure itself and blow up.  The explosion was so big that you could see it from space (see article).

The objective was to mess with the Russian economy and it worked.

Any wonder why the Chinese do not want to use Western technology, especially in their critical systems?

Well, things have not changed much in the last 30 years.  OLE for Process Control or OPC controls a lot of power, water and other plants.  Guess what – it only runs on Windows XP, the operating system that Microsoft stopped supporting last year.  That does not mean that all the bugs are out of it – just that the new ones don’t get patched.

Part of the problem with the ICS world is that when it first started everything was connected to the controller with purpose laid direct wires.  Then the Internet and wireless was invented and people figured out that they could save money not running all those wires.  Of course the controllers didn’t change – they didn’t add encryption, authentication or logging.  There are some band-aids, but they are just that.

We were able to blow up Iran’s centrifuges.  Maybe we are the good guys, but don’t fool yourself into thinking that the bad guys are trying to attack our infrastructure.  They are.  And don’t fool yourself into thinking that we are so much smarter than them that they can’t do to us what we did to them.  The Department of Energy’s Idaho National Lab demonstrated years ago that they were able to cause a one megawatt generator to execute that famous computer instruction – halt and catch fire.  Literally.  You can watch it on You Tube.

So why don’t fix it?  Do you have a few billion dollars to spare?  It would require redesigning most of our existing infrastructure to do that.  Actually, maybe a few tens of billions.

And, we would need to take that infrastructure offline while we do that because, let’s say, there is a valve that controls the flow of gas or water or sewage.  Either that valve is on the new system or the old system, typically not both.  You probably could leave both valves in there, but that makes it even more complicated.   Times millions of valves, gauges and other sensors.  As they say, it’s complicated.

And, we haven’t had a power plant blow up lately.  Least not that we know of.

So since the world does not APPEAR to be broken, we tend to leave well enough alone.  Until it is a crisis.  Here is another article on the subject.

We are likely going to live with this very fragile ecosystem until all the existing infrastructure gets replaced.  Like in a hundred years.

That is not a comforting thought.

Wait, maybe this is more comforting.  It could get fixed sooner if we have an incident like the Russian gas pipeline explosion described at the beginning of the article.  No.  That’s not more comforting. Forget I suggested that.

 

Facebooktwitterredditlinkedinmailby feather

News Bites

In case you were wondering, Siri is not being faithful.  Apple, Microsoft and other tech companies are sharing your voice with third parties.  But before you go ballistic, they are not selling the data.  Third parties such as Walk N’ Talk get your speech from these companies so that they can validate the quality of the speech translation.  And yes, it is a human being that has a job to listen to you and score Siri (see details) And yes, people do tell Siri some strange and naughty things.  I wrote about Samsung doing something similar a few weeks ago.

CERT at Carnegie Mellon is reporting a mDNS amplification DDoS (distributed denial of service) attack.  DDoS attacks take a web site down by overwhelming its servers in a variety of ways.  The effect, no matter the method, is that legitimate users cannot use the web site.   Banks are often attacked this way.  Amplification attacks are ones where the attacker can send a small number of bytes out and the reply is much bigger.  In this case, for each 1 byte of bandwidth the attacker needs to initiate the attack, he gets 10 bytes of attack traffic to the web site he is trying to take down.   In this mDNS attack, the attacker sends a request to a poorly configured DNS server with a fake address and the DNS server sends a large reply to the site being attacked.

In theory, mDNS servers should only respond to requests from their own local network, but researchers found at least 100,000 misconfigured servers that would respond to any address.  This means an attacker could send a 100 byte request to 100,000 servers and deluge a target server with 100 megabytes of trash.  Do this enough times per second and you will take down the target.

Since the traffic looks like it is coming from 100,000 servers all over the Internet, these attack are much harder to stop.

Uber is a disruptive business model and disruptive business models are messy.  Wired is reporting a new trouble Uber is having.  Besides the regulatory challenges, the lawsuits over drivers soliciting customers and worse and district attorneys sueing them for conducting bogus background checks, there is a new problem.  Uber’s new security chief Joe Sullivan, whom they stole from Facebook, has to deal with claims that a Denver Uber driver tried to break into a customer’s house after taking the customer to the airport.

Think about that for a minute.  Talk about an affiliated business arrangement.  The driver takes you to the airport, chatting up on the way.  He finds out where you are going, how long you are going to be gone and if anyone will be home.  He then uses that information to break into your house or sells those leads to other burglars for cash.  Now that is a synergistic business model.

Facebooktwitterredditlinkedinmailby feather

Administrator Accounts

UPDATE:  For those of you who are Mac users and laughing at the poor Windows users, this affects you too.  The Rootpipe malware silently escalated its privileges to your maximum privileges to launch an attack on your system.  Apple just recently fixed this, but ONLY FOR THE CURRENT VERSION OF OSx – apparently, it was a pain to fix.  So, this is good practice for both Windows and Mac users.

Most home users, at least on Windows and probably on the Mac, have the userid that they log in with every day set to be a local administrator.  Unfortunately, this is often the case in small businesses (and some large businesses) as well.

The reason why people do this is because certain actions require you to be an administrator and if you are not running as an administrator, you will either have to log off and log on as the administrator or see a pop up prompting you to enter the userid and password for an administrator account.  Sometimes, installing a new program or adding a printer are examples of when this happens.  In companies where the user is not given an administrator level account, they would need to open a help desk ticket.  This annoys the user and makes work for the help desk, so security goes out the window.

Years ago – like when Windows XP was first released – there were a lot of programs that required administrator level accounts just to run because they were poorly written.  When Microsoft added the UAC feature (user account control) and businesses stopped giving users administrator permissions, these companies got a lot of tech support calls and probably lost customers, so they fixed it so that you did not have to be an administrator to run the program.  The most common reason that you had to be an administrator is that the programs wrote to system protected folders, which is a no-no anyway.  There are still a few programs that the average bear might use where you need to be an administrator, but they are rare.

The downside to logging in every day as an administrator is that IF your computer becomes infected with malware, the malware can do anything to that computer – anything.

Where we are seeing this the most is with Ransomware malware like Cryptolocker.  Cryptolocker encrypts your files and suggests that if you pay them a ransom (typically a couple of hundred to a couple of thousand dollars), then they will send you the keys to decrypt your files.  Of course, if you have good backups, you can tell them to pound sand – or just ignore them.  If you don’t have good backups – and the files are important – then, for the most part, you have to pay the ransom.  Some variants of the malware not only encrypt your data files but also encrypt system files – effectively turning your computer into a very expensive brick.

If, when the malware is installed or activated on your computer, you are not running in the role of an administrator, the malware can do less damage.  In this case, less is definitely more.

To add insult to injury, if you have network access (like to a file server) or if you are an administrator in a small business and you have write access to other servers in the company (see this post from a few months ago – a non-profit organization lost their entire company infrastructure because an administrator was linked to all the company’s servers with write permissions), the effect can be, shall we say, dramatic.

This is a perfect example of convenience vs. security.

If it is more important to avoid logging in with extra permissions to do the occasional job that requires them vs. avoiding having all of your important files at home or work encrypted, then the all too common practice of running as an admin is a good strategy.

If, on the other hand, you don’t want to have to explain to the CEO of your company or your household (likely by looking in the mirror) why your systems are down, why you can’t get any work done and why you have to go buy some bitcoins and send them to Russia or China, then that extra step of NOT being a local (or worse yet, domain administrator at work) is a really good plan.  At work, this can be a “resume generating event”.

Convenience,  Security.  Pick either one.  You don’t get both.

See this article for some additional details.

Facebooktwitterredditlinkedinmailby feather

U.S. and China Spar Over Cyber Security Rules

China Announced that recently (see post) that they were going to stop buying western tech, much to the dismay of companies like Cisco that sells $2 Bil a year in China.  Whether this is a move to counter the NSA or just a way to increase the sales of Chinese made tech is unclear.

Now the Chinese are saying (see article) that they want all encryption keys, back doors into equipment and to track personnel who have access to equipment. Of course, this is no different than what the FBI and NSA would like, but in China, they can just do it. Ttreasury Secretary Jacob Lew (see article) asked the Chinese to delay some of these requirements, but it is unclear what rules are being delayed or for how long.

One of the Chinese requirements is for western tech companies to hand over their source code for “review” (or perhaps to give to Chinese competitors).  Western tech companies need to consider whether the risk to their IP is worth the sales.  For example, for Cisco, $2 billion represents about 4% of their sales.  If they do give the Chinese their source code, how do they control it’s redistribution?  What if the Chinese find vulnerabilities?  The Chinese have even less motivation to tell Cisco than the NSA does.

Another requirement is to give China all encryption keys.  It is not clear how this is done exactly, because for the most part, users choose their own encryption keys.  When you set a key, do they have to silently send a copy to the Chinese government?

If they agree to do this, do they then do the same thing for the NSA, FBI, DHS and others?  It might be hard to argue that they won’t give the NSA or FBI the same concessions that they give to China?

And if they do create back doors for these guys, how to they make sure that the bad guys don’t find out about them.

It seems like a mess from my point of view.

 

 

 

Facebooktwitterredditlinkedinmailby feather

This Week In Hacks and Breaches

Too many attacks to write about individually, so I am just going to write a short blurb on each with a link.  Oh, My!

British Airways – hackers accessed “tens of thousands” of frequent flyer accounts forcing BA to lock down the system, denying users access to the system and requesting that they change their passwords (see link).  This does not appear to be a hack of the BA system itself, but rather accounts were used via compromised credentials (possibly via compromised PCs or phones?).

Puush, the screen sharing platform was hacked and users were told by the Puush update process to uninstall the old version and install the new (infected) version (see article).  Puush is telling users to install a new, new, uninfected version.  Puush says that passwords stored locally and in your browser – all of them – may be compromised, so change them all.

gitHub, the open source developer’s web site was hit by the largest denial of service attack they have seen.  After 4 days, they seem to have gotten the attack under control (see article).  The good news is that GitHub’s defenses seem to be holding.  It is believed that the Chinese are mad that GitHub is storing programs that help access banned sites.

The Indiana State Medical Association reported on March 26th that two backup drives with policy information for 40,000 people were stolen on February 13th.  Why they waited 6 weeks to report this is unclear.  It contained all the usual stuff – names, addresses, socials, and medical history.  The article does not say, but we should assume the drives were not encrypted (see article).

TheHill is reporting that thousands of Uber customer passwords are showing up for sale on the dark web.   The price is cheap – selling for as little as a dollar.

Uber says they were not breached.  Still, somehow, the userids and passwords are for sale.  The fact that Uber can’t find a breach also does not mean there wasn’t one.  Uber is particularly sensitive since the personal information for 50,000 of their drivers WAS taken from their servers last month.  That was not caused by a smart hacker, but rather by an employee (?ex-employee?) who posted the credentials to the database online.

A hacked Uber account is of limited value – you can use it to get an Uber cab, check a customer’s history and get their home address, among a few other things.

St. Mary’s Health reported that several employee’s userids and passwords were compromised as a result of an email hacking attempt (it sounds like it was not an attempt but rather a successful attack).  St. Mary’s said they found out about the breach on Dec 3, 2014 and on Jan 8, 2015 found out that the email accounts of these employees have protected health information for 4,400 patients.

This is small enough that I would not write about it normally, but it raises some questions.  It is vague but appears that protected health information was found in email.  Was it encrypted?  Is this a HIPAA violation on top of everything else?  Did they disclose this within the 60 day HIPAA requirement – this is not clear?

I assume the data was not encrypted, but if it was encrypted transparently, with the hackers knowing the userids and passwords of users, that does not help you in the least.  This is why one has to be very careful when implementing encryption – it may give you some protection or just the illusion of protection.

In the “This is embarrassing” column, The Department Of Justice is charging two former agents – one from the Secret Service and one from the DEA with money laundering and wire fraud for stealing crypto currency (bitcoins) related to the Silk Road darknet takedown.  Both were involved in the investigation (see article).

 

Facebooktwitterredditlinkedinmailby feather

Government “Equities Process” For Zero Day Vulnerabilities

Wired reported on the process that the U.S. Federal Government, and more specifically, the Intelligence Community, uses to decide when to keep bugs secret and use them against systems they want to attack and when to reveal them to the vendors to fix.

The bugs, known as zero days or O Days, are ones that have not been discovered yet.  According to the article, the government spends about $25 million to buy zero days, but there is not a lot of transparency in the process, so we don’t know if they are buying them from hackers or from services or a combination.  $25 Mil sounds like a lot to you and me, but to big companies, it is just a cost of doing business.

As early as 2008, the intelligence community figured out that they needed to have a policy regarding how they handle these bugs.  Since the NSA wears two hats – attacking systems and protecting systems, they have to decide whether to reveal a bug or keep it secret.  They decided to create a group inside the NSA’s Information Assurance Division to make these decisions.

Last year, the government intelligence reform committee reported that this process was flawed and needed to be rethought.  This goes back to reports from last year that the government knew about the SSL Heartbleed bug for several years and used it rather than reveal it.  The government denied that, but doubts remain.

At that time, Michael Daniels, the President’s advisor on cyber said that the government had a rigorous process for deciding which bugs to keep secret and which ones to reveal, but didn’t offer any details on that process or how many bugs they revealed vs. kept secret.

Last year Daniels revealed to Wired that the Equities Process had not been implemented to the degree that it should have been and the process was moved out of the NSA last year into the National Security Council.

The Wired article is an interesting insight into the challenges that the Intelligence Community has to face – choosing between protecting us and hacking into bad guys.

Facebooktwitterredditlinkedinmailby feather
Visit Us On FacebookCheck Our Feed