Archive for December, 2014

Thoughts on Security for Industrial Control Systems (ICS)

2014/12/30

For years (but no longer) Industrial Control SCADA systems, controlling PLCs, were “air gapped” from the Internet and from office LANs. Sadly, these systems often permitted dial-in for remote management. While air gapped systems might be an excuse (outdated thinking since Stuxnet) for a lack of design concern about security, dial-in should have stimulated designing for security. It did not. Many others have, for years, publicly bemoaned this industry-wide negligence. This note is simply to express my personal concern on just how bad the situation is.

Here are just a few common design problems:

  • Password protection is either non-existent or easily circumvented.
  • New code, even new firmware, can easily be installed remotely in PLCs, without significant authentication.
  • Network messages are sent to and from PLCs in clear text, easily decoded, and easily spoofed by a “man in the middle” attack.
  • SCADA/ICS networks are often lacking even basic network defense-in-depth (e.g., being partitioned into Zones with SCADA/ICS-aware firewalls on the conduits between each Zone).

One would think that with vast amounts of US infrastructure controlled by PLCs, the US government would take such security flaws with as much concern as, say, commercial airline security. In 2013 there was a tiny blip of concern for the security of automated medical devices such as drug infusion pumps, but I don’t hear howls of anguish over this. Fortunately or unfortunately there has not been an attack on industrial infrastructure anywhere near the magnitude of the 9/11/2001 attacks. The many smaller attacks, proof of concept experiments, and even Stuxnet have not raised ICS security to a national crisis level. From a government organizational level, ICS is nested somewhat down in the DHS hierarchy:

  1. DHS
    1. Office of Cybersecurity and Communciations (CS&C)
      1. National Cybersecurity and Communications Integration Center (NCCIC)
        1. US CERT
        2. ICS-CERT

ICS-CERT recently published some “tips” for security of ICSs. These are mostly just good tips for any system and don’t focus on design issues such as those above. I worry about their lack of focus. On the other hand, the ICS-CERT security advisories are definitely focused on ICS, but I’ve seen complaints that ICS-CERT does not address fundamental design issues. What is also unclear as of 2015 is how fast product providers are addressing even identified vulnerabilities. It appears to me that while the ICS industry has been glacially slow, compared to the commercial computer system industry, which is tracked by US-CERT, there is some noticeable improvement in the ICS space, but I don’t have any statistical data to support my feeling..

One thing that is clear to me is that operators of industrial control systems should be demanding security from their vendors – including security vendors – and should heavily insure against cyberattacks. Of course, no one wants to bear the cost of upgrades, and no one wants to pay for more insurance. That said, what’s the cost of a cyberattack taking out your factory? One of the lessons of the recent Sony breach is that the financial loss (so far) has been mitigated substantially by Sony’s cyber-insurance. Are industrial control systems well insured for cyber-attacks?

Advertisements

Operation Cleaver

2014/12/25

The book Hacking Exposed has long been on my bookshelf and is a favorite of mine. Its author, Stuart McClure, who is well-known in the security industry and who is founder and CEO of the security firm Cylance, wrote a passionate introduction to his company’s report on Iranian cyber-attack technology and cyber-exploits dubbed Operation Cleaver. After reading this introduction, I decided to dive deeply into the report.

The report calls Iran the “new China” relative to cyber-attack technology. Well, no, but it does force the many targeted governments to put Iran on their cyber-watch-lists. Iran not only has some sophisticated cyber-attack technology, it appears to be even more brazen than China or North Korea about going after infrastructure around the world. The report claims there have been attacked targets in: military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments.

The report reminds us that Iran was damaged by Stuxnet (2009-10), Duqu (2009-11), and Flame (2012). It reasonably speculates that these attacks motivate Iran to fund the development of advanced cyber-attack technology. It also points out that Iran has a relevant technology exchange agreement with North Korea.

The report lists as possible retaliation, the 2011 certificate compromises of Comodo and DigiNotar as well as the 2012 Shamoon campaign on RasGas and Saudi Aramco that impacted over 30,000 computers. In late 2012 and early 2013 further Iranian backlash consisted of DDoS attacks on US banks. In 2014, espionage operation Saffron Rose (attacking the US defense industry; the Fireeye report is excellent) and operation Newscaster (uses social media to collect email credentials of US and Israeli journalists, military and diplomatic personnel) are attributed to Iran.

Operation Cleaver seems to be staffed by a team of known and new players, some of whose members are described in the report. While Cleaver uses existing code, its new code seems to date from 2012, and its earliest attacks start in roughly 2013.

The hacking techniques of operation Cleaver are discussed in depth by the report. This depth and associated attribution to Iran were enough to convince me that operation Cleaver, and by association other Iranian cyber-attack teams, are serious threats.

I strongly recommend to all in the security industry: please read this report in detail. It is here. After being published, the FBI subsequently issued one of its “confidential flash” reports warning certain companies of potential Iranian attacks. [I haven’t seen its text.] McClure commented on the FBI “flash” that perhaps Iranian the potential for cyber-attacks is larger than Cylance’s initial research indicated. I would agree, there is no evidence indicating that the Cleaver team has subsumed Iran’s Ajax Security Team, The Iranian Cyber Army, and others. Finally, no one seems to understand the subtleties of Iranian supported, Iranian encouraged, Iranian tolerated, etc. for these groups, and the Cylance report provides no clues regarding Operation Cleaver’s government relationship.

Sands and Adelson – a secret cyber attack prior to Sony

2014/12/24

In October 2013, the ultra-conservative Sheldon Adelson spoke at the Yeshiva University Manhattan campus and called for bombing Iran.  Now Adelson, the 22nd richest person in the world, owns 50+ percent of the Las Vegas Sands Corp (LVS), which owns the Sands, the Venetian, and other such properties around the world.  On Feb 10, 2014 LVS was under a massive cyber attack, which LVS and the US Government kept secret until recently.  This December 11, 2014 Bloomberg published this 5 part report.  It’s a great read!

Updating Skype

2014/12/19

I updated my Skype today.  A cute dialog ensued, which in light of the Snowden disclosures, made me add some thoughts (in parentheses)…

“Welcome to the new revised Skype” (Enhanced for better NSA viewing…)

“Now you can easily have group chats” (With the NSA included…)

“Now you can share your photos”  (The NSA loves photos…)

Sigh, I’m looking for a Skype replacement….  Ideally one where I can encrypt my session…

The Cuckoo’s Egg – Revisited

2014/12/17

The other day I picked up a used copy of Cliff Stoll’s book The Cuckoo’s Egg about his search for a hacker, ultimately identified as a German, Markus Hess. Hess was using Stoll’s Lawrence Berkeley Labs computer as a base to infiltrate various government computers to steal (and sell to Russia’s KGB) government documents.

In this age of “Advanced Persistent Threats”, this 1986-8 threat was hardly “advanced”. In fact Hess’ basic break-in approach consisted of trying simple passwords for known system and vendor accounts. Today, this still an effective break-in approach! People are too lazy to create complex, but easy to remember, passwords.

Hess also used known bugs in system programs to escalate his privileges. Today, I get weekly CERT notifications of such bugs. There are hundreds of them announced annually. Nothing new (or advanced) here!

What did impress me about this story was that Hess was amazingly persistent. His efforts spanned many months. He was careful – always checking to see if some system person could be watching, and if so, quickly logging off. When a cracked password was changed for example, Hess quickly moved to another system and kept his attack going. “Persistent” threats aren’t new.

Hess copied password files to his system, presumably for off-line brute force (albeit simple) dictionary attacks to “guess” passwords. Some of these attacks were successful.

Also impressive was that Stoll set up an automated warning system to track Hess’ intrusions. It was not visible by Hess, but it automatically recorded his keystrokes on Stoll’s computer. Its design made it impossible for an intruder to delete or modify its records. It was an early threat detection system that of course was primitive compared to today’s detection systems, but it was instrumental to the discovery of Hess and Hess’ cohorts. Stoll also manually created a log notebook, which I would still recommend in the analysis of any attack. Such a notebook would include all aspects of an investigation, including interactions with network vendors, government agencies, and interested parties. Stoll’s astronomy training included “If you don’t record it, it didn’t happen…” – a good message for today’s network forensic engineers.

Another feature of Stoll’s detection system was the creation of what we today call a “honeypot”. His was rather simple: just some fake, but apparently interesting documents that needed system privileges to read. Stoll left open his computer so that the attacker could be tracked, but some government computers were forced to clamp down immediately. I’ve seen companies today, Google comes to mind, where systems are left vulnerable to track intruders so long as damage can be contained and not affect customers. Leaving a system and a honeypot open for the analysis of a threat is a good technique.

I found it hilarious that in the course of watching Hess attack various government and government contractor systems, Stoll was told by the owners of these systems, “It’s impossible to break into our system; we run a secure site.” I’m reminded of all the retail vendor breaches occurring these days as well as the stuxnet-like attacks.

Finally, Stoll had trouble getting help from the FBI, the CIA, and the NSA. The FBI has certainly beefed up its computer expertise since 1988, but it still will refuse to help anyone to deal with an annoying hacker that does not cause serious financial damage. My recommendation here is to pre-prepare an argument for why a threat can potentially cost your company lots of money. Homeland Security has a bevy of agencies to combat cybercrime; learn about them here.

References

  1. Stoll published a May 1988 ACM article “Stalking the Wily Hacker” that outlines chasing Hess. His book is better and is also an easy and quick read.
  2. The Cuckoo’s Egg, Doubleday 1989
  3. TaoSecurity’s Richard Bejtlich’s excellent talk on chasing Hess (has good photos).
  4. “The KGB, the Computer, and Me”. Video that tells Stoll’s story.

Phishing Example

2014/12/06

My email spam filter caught this one, but I thought it was cute enough to post.  Note how it threatens to “suspend online access…”.  It is curiously timed, because Home Depot just notified its customers that in addition to credit card info stolen, email addresses were also stolen.  Their notification warned of potential phishing attacks (like this one).

 

Message Quarantine

From:

“Wells Fargo” <wellsonline@protection.system.com>

To:

gaynwinters@xxx.yyy

Subject:

Recent suspicious activity on your online account

Date:

Friday, Dec 05, 2014 09:06:31 AM EST

Dear Wells Fargo customer,

We have recently detected that a different computer user has attempted 
gaining access to your online account and multiple passwords were 
attempted with your user ID. It is necessary to re-confirm your 
account information and complete a profile update. You can do 
this by downloading the attached file and updating the necessary

fields.

Note: If this process is not completed within 24-48 hours we will be forced 
to suspend your account online access as it may have been used for 
fraudulent purposes. Completion of this update will avoid any possible
problems with your account.
Thank you for being a valued customer.

(C) 2014 Wells Fargo. All rights reserved.

Regin

2014/12/01

Regin

A friend of mine recently alerted me to the Symantec article on Regin. I felt a little abashed that I had not heard of such a major threat. The US CERT’s notice arrived in my email a day or so later, and it referenced the Kaspersky article on Regin. The Finnish company F-Secure has a brief but interesting report as well. I recommend reading these articles.

Briefly, Regin is a very sophisticated platform that sets up attacks in several phases, each from code that is both hidden and encrypted. Regin can be customized for specific, targeted attacks (good article by Wired). There are many “stage 5” add-ons for various types of information stealing and espionage.

From what I’ve read, the US has not been seriously targeted (yet).  There is some speculation that the US (NSA) and/or the UK (GCHQ) and/or Israel govt is a sponsor, but that speculation, while realistic, seems flimsy to me. Regin’s sophistication does argue for its developers having significant funding, e.g. from a nation-state. VirusTotal reports that most anti-virus programs now detect it.  I’ve searched my own system for the MD5s that are published, but found nothing.  I’m guessing that this is what most of the anti-virus vendors do as well. However, since Regin hides itself in various known ways, an anti-virus program could specifically look in those places. Perhaps some do. I’ve found no specific “Regin detectors” on line that claim to do a thorough search. If some reader knows of one, please let me know.

One question that always arises is whether removal is inadequate. This is likely but neither the Symantec nor the Kaspersky report mention this (as my feeble mind will recall).  All that would be necessary to recover from a deletion, this would be to hide another program which wakes up now and then and checks that “Regin is well”. If not, it could re-install Regin. It might not appear malicious, and such a check would only take milliseconds.  I don’t recall Stuxnet having this capability, but it certainly had this level of sophistication.

All in all, Regin seems to be at the same level of sophistication of Stuxnet and its descendants.  It is undoubtedly a harbinger of a new round of malware warfare that will come to the US soon enough. I strongly recommend not only learning about it (cf. above citations) but also staying abreast of new developments. After all, it is a platform, not a single attack.

-gayn