Cyber Pacifists

SSL Wrapping is Not Good Enough

2013-04-18T14:20:57Z

I've done quite a few assessments of insecure-by-design systems and have noticed a new trend: instead of creating a new protocol which has data integrity and authentication, there is a vendor push to instead wrap their existing protocols inside SSL. This is done in a variety of ways: stunnel is the easiest and cheapest way, but some vendors are even programmatically wrapping their protocol using SSL libs.

While it's good to see even this level of security on a control systems environment (where the most insecure-by-design protocols live at present), it's not a very good solution in the end. There are a lot of really smart people in the industry that believe in this method, and I respect them a lot. It's still not a very good solution.

Wrapping your insecure-by-design protocol in SSL and calling it good is easy for vendors, PITA for end users. The trouble lies in key management. Each system needs its own certificate for maximum benefit. Control systems by their very nature should not be allowed to reach out to the internet directly, and typically these systems are on a DNS domain that is not managed by ICANN. So obtaining certificates from a known CA is not practical.
]]>
Image by thievingjoker

Snarfing passwords for fun and profit (well, fun anyway)

2013-03-08T22:21:44Z

A recent flight home had me accidentally shoulder-surfing a major financial institution employee. I managed to catch him editing an internal switch/router configuration (probably Cisco? Although all the switch syntaxes blur together for me).

I caught a line similar to this:

enable password level 15

It caught my eye enough to eavesdrop for a while longer, until I snagged a legalese logon banner in the config, as well as the switches internal IP address (172.something).

Just a reminder to not edit sensitive files when in a public place. I'm certainly guilty as heck of this from time to time. It's a lesson especially useful for consultants to remember, as it's very tempting to start writing up the report for the latest engagement while on the flight home. You never know who is going to be looking over your shoulder to get a little info on a nice, juicy, target network.

The company in question has so far been cool to deal with...an IR guru and I chatted on the phone to figure who the bad employee was. I hope they don't get in trouble, but rather treat it as a life lesson that he shouldn't work so hard.

ASIO Wants You(r computer)

2013-01-13T00:16:13Z

Australia's CIA is making waves. News.com.au is reporting that ASIO wants permission to break into citizens computer in order to help find and track terrorists.

From the wipe(1) man page:

People should better think of their computing devices as facilities lended by the DHS.^WASIO.

There. Fixed that for you.

This is such a stupid idea that I don't understand how it even got started. Imagine using grandma's computer to send phishing email to a terror cell. Imagine that the terror cell has even a moderate amount of cyber sophistication and detects the phish and traces it down to its origin. Guess who the terror cell is going to retaliate against? Hint: it probably won't be ASIO workers. I liken this idea to using human shields...not the sort of thing that a free democracy should be doing.

Reversing an eBay'd RTU

2013-01-10T15:47:50Z

I recently picked up a GE D20 RTU from eBay. You might remember seeing one of these things reversed in Project Basecamp. I had to send back the Basecamp RTU back to the owner, so it was time to get one of my own.

The eBay unit was intriguing because it is a D20ME, the predecessor model to the one in Basecamp (that was a 'D20ME2'). Another cool thing about it was that it had a 10.0.0.0/8 ip address sticker in the photo. Could it be a still-configured RTU? I shelled out the money to find out.

Functionally it's equivalent (same amount of ram, same amount of flash, and even Ethernet), just a previous generation board. On this unit, the mainboard had 'bluewire' all over it, whereas the Basecamp model had a clean mainboard, and only bluewire kludges on the I/O modules. I'm really surprised to see such hardware schlock on critical infrastructure.

I built a serial cable to interface with the system, wired up the power supply, and booted it up. The default westronic/rd password was in use. So I snarfed the NVRAM (some ultra low voltage sram, luckily the batteries were still good). The D20 configuration is a binary tree of application configs. If you took my 'Hacking PLCs training class' you got a quick introduction to the configuration format. I wrote a parser for the file previously. This time, I got an opportunity to really use my parser to extract more than just the usernames and passwords.

The RTU contained a complete configuration. This might not seem like a big deal, but consider this: GE D20 configurations contain 'tag data' similar to an OPC server. Tag data, if you're new to control systems, provide some human meaningful mapping between I/O for the control protocol (Modbus in this case). Tag data teaches you what you can control using an unauthenticated industrial protocol. While it's possible for a hacker to mess up a control system without this data, it is far easier to target an attack, and to hide it from operators, with this data. With tags, we know what the operators are going to be looking at on their HMI, and what they can control.

So this D20 was configured to monitor and operate a circuit breaker on a 360kV step-up transformer at a power plant owned by the Shell natural gas company. The RTU comment fields for logic contain upgrade notes, so I get the names of two engineers (Shell employees, one I could find on the Internet, the other has no internet presence). It also contains the IP addresses of Shell's Emerson Delta V DCS used to control the turbines in the power plant. Probably the RTU would report to the DCS that a breaker operation is underway, so that the control system can more quickly throttle down the generators and maintain their rotational speed (but better to ask a generator guru here, I'm mostly guessing).

Some IP addresses (for the DCS) are 10.0.0.0/8 addresses, but other systems which this D20 communicates with are IANA assigned addresses owned by Shell oil company. Probably these are hosts in a DMZ, but possibly they're on Shell's corporate network. ICMP doesn't reach these systems, so I would probably need access to Shell's corporate network at a minimum to touch them.

The logs in the RTU show its service dates. It was placed into service about six years ago and removed from service only two months ago. The d20 that was shipped to me was 'cut' from service -- the power cables to the power supply were literally cut off. Normally the D20 uses a fancy power board with fuses and a few serial ports, but luckily it does run just by splicing in a standard 120V power cable here in the US. All of the extra boards were cut off and removed, so it booted into fail state (ladder logic and other applications failed because the IO they rely on could not be contacted).

The RTU comes from the Tenaska Gateway generating station, which produces nearly 1GW of electricity for Texas. That makes it pretty significant. It's interesting to get so much data from the RTU. Control systems tend not to change much. Since the station is only about 12 years old, it's unclear if the control points would change with the replacement of the RTUs. The working theory is that Shell tossed these RTUs to replace with something different, perhaps the now-released GE D20MX?

Numerous security contact points at Shell did not return phone calls nor emails about the RTU find. I would like to thank EnergySec/NESCO for helping reach out to Shell, and to Digital Bond for helping with some power plant analysis.

I hope that this analysis causes at least a little stir -- I've said this before but it bears repeating: embedded controllers contain a ton of information about your process when you remove them from service. Unfortunately I've purchased quite a lot of still-configured equipment, parted ways with a lot of it (sent back to the original owner). Shell in this case never got in touch with me about getting the equipment back.

Controllers have no security. Be sure to properly dispose of your equipment. When in doubt, send it back to the manufacturer -- they'll know how to properly wipe the controller before scrapping it or selling as refurbished.

And if you're an attacker/terrrormonger, buying used equipment is a great way to learn about potential targets. The goal of a terror campaign is of course to target whatever you can...buying some preprogrammed equipment makes sense: choose your target based on what data is available and what opportunities present themselves.

Keep an eye out on the IOActive blog, where I'll be posting a howto on analyzing used industrial equipment. Also keep an eye out for some tools releases in the coming weeks. At the S4 conference there should be some fun ICS hacking tools coming out.

Happy Hacking!

Cyberwar Doctrine Analysis misses the Point

2012-12-10T16:00:05Z

An article in Threat Post misses a big point about Cyberwar Doctrine: it isn't about other countries.

Committing to a cyber attack is a pretty grey area as far as 'Acts of War' versus 'Pure Intelligence Gathering' is concerned. To exemplify this statement, consider a scenario:

US intelligence hears a report that a foreign leader was rushed to a hospital recently, but the government in that country is staying mute on what is wrong. In the interest of intelligence gathering, US Cyber Command decides to snarf hospital records from all capital city hospital networks in an effort to chase down rumored conditions (if a patient was admitted with rumored conditions at the right time, increased likelihood of meaningful report, "Like" the source, or whatever it is US Cyber Command does with good intel).

The trouble with the scenario? Breaking into a hospital's patient record system has the potential to deny service to that system for the hospital. In turn, it could mean slower patient access to care, and could actually cause deaths. If the country in question determines that the US executed the attack, could it be considered an act of war?

Congress, at the very least, would want answers. One of the first questions Congress would ask should be: "What are your rules for engagement and procedures for determining worst-case-scenario in a cyber intelligence gathering mission?"

Cyberwar Doctrine is currently more of a CYA for government hackers so that they can show the purse-string holders they are being responsible. In the end, it's a good thing: better to have too little hacking than too much, and better to err on the side of, "we could kill people by accident, maybe we shouldn't do this."

No doubt various countries are developing their own internal Cyberwar doctrines, and no doubt there will be a few major incidents of power outage/etc before countries sit at the same table and hash out the differences in their doctrines, spell out what constitutes war requiring physical retaliation.

Welcome to the 21st century.

News Weekly Round-Up

2012-12-07T12:45:17Z

Robert Clark, an attorney with the US Cyber Command, gave a nice interview with ABC News. In the interview, Clark gives a nice overview of some of the legal challenges involved with Cyber War. I can only imagine the frustration on the government hackers' facers when, finding the perfect exploit, they have to wait for a chain of approval and then just the right opportunity in order to exploit it.

Reason has a nice piece detailing both the technical and intelligence-gather difficulty of pulling off an effective attack, as well as highlighting the treaty challenges involved in Cyber. It's a pretty light article, lacking detail, but a nice find for anyone pondering the technical difficulties and legal issues in trying to black out a continent. My favorite articles about Stuxnet all highlight the "intelligence gathering" aspect -- no doubt the most difficult part in attacking any complex control system.

The Daily Mail has a piece on the US Pentagon's Plan X. Primarily a hype piece: 110 million USD in funding over 5 years is enough to cover maybe two dozen actual researchers with computers. Don't expect great or scary new weapons from this group, although we may see some follow-up ala the Washington Post's "Top Secret America" series.

Finally, Japan has been hit by another large earthquake this morning. Thankfully no major tsunamis this time. Our thoughts and hopes go out to everyone in Japan.

News Weekly Round-Up

2012-11-30T14:49:43Z

It's been quite a week in the realm of Cyber War...

The Small Wars Journal has a compelling piece about why practical intuition about warfare is mostly wrong when it comes to cyberwarfare. I think they're spot-on about a lot of things.

Bloomberg Business Week has a story about Solid Oak Software being hacked by China after filing a lawsuit against PRC stating that China's Green Dam is based on SOS' tool. It would be interest to see if there are similarities in the droppers used against SOS and those used against quite a lot of US firms of late.

Robert O'Harrow with the Washington Post has added a story to his Zero Day series. The most recent story covers "Cyber Ranges," -- training grounds used by government defenders (and presumably hackers) to practice kinetic affects against networks and control systems.

And finally Syria disconnected its Internet access and cell phones across the country, presumably in response to rebel forces. Syria maintains that terrorists performed the disconnection, but in my view it is highly unlikely that terrorists could shut down all external network connections and cell services simultaneously. A positive outcome from this is that we may finally see a rational discussion about the "Internet kill switch," in the United States: there shouldn't be one. Renesys has provided a nice map showing the likelihood of a kill switch by country. Fortunately the US is quite resistant.

Welcome to Cyber Pacifists

2012-11-29T13:49:36Z

Cyber Pacifists is a blog for former cyber warriors and those interested in cyber war. We're not all "Cyber Pacifists" per se -- Cyber War can be a good alternative to killing actual people -- but want to stop and meditate and think about the (over) use of the term.

This blog will also serve as a clearinghouse for cool hacks and analysis of cool hacks.

Anyone who considers themselves an expert at this stuff need not apply.