Videos online

It took us much more time than expected, but now we have the first two videos in our new series on ICS and SCADA security online. The first video is about malware – a more general introduction, not specific to ICS. And I’m not talking about Stuxnet :-)

The second video is about multilevel network design – some ideas on how to protect the network, from the enterprise zone down to the plant floor.

I hope these videos will help you understand some basics of ICS security. But I need your help and comments to plan and produce the follow-up videos. (And don’t tell me that I should not plan a career as an actor :-)

Planned next videos:

ICS assessment – how NOT to do it.

ICS and ICT policy framework

Risk assessment for industrial control systems

BTW: the site is optimized for mobile phones, so you can use your iPhone, Android or BlackBerry to view the blog and the videos.

Posted in Cyberthreads

Supply Chain Attacks or just saving money…

Shadow Defence Minister David Johnston will seek to introduce new cybersecurity auditing powers into the Trusted Information Sharing Network (TISN) after ministerial advisors reported that government agencies have bought cheap foreign IT hardware loaded with malware.

The TISN is a government forum for sharing data pertinent to national cybersecurity between the public and private organisations in seven industries including banking, health, food and utilities.

The reforms would allow the TISN to harden baseline security standards required to interact with government.

Johnston told ZDNet Australia that he intends to push a ban on government agencies shirking expensive but trusted technology brands for cheap white-box goods after unnamed departments had discovered backdoor malware in computers, servers and processor chips.

Backdoor malware can provide an access point through which criminals can access and steal data, often silently. Figures released by the Australian Communications and Media Authority last week point to over 30,000 computers reportedly taking part in botnet activity every day.

Read more:

http://www.zdnet.com.au/cheap-hardware-infects-govt-agencies-339306199.htm

Posted in Cyberthreads | 1 Comment

Hacking commercial quantum cryptography systems

by Lars Lydersen, Carlos Wiechers, Christoffer Wittmann, Dominique Elser, Johannes Skaar & Vadim Makarov

“The peculiar properties of quantum mechanics allow two remote parties to communicate a private, secret key, which is protected from eavesdropping by the laws of physics. So-called quantum key distribution (QKD) implementations always rely on detectors to measure the relevant quantum property of single photons. Here we demonstrate experimentally that the detectors in two commercially available QKD systems can be fully remote-controlled using specially tailored bright illumination. This makes it possible to tracelessly acquire the full secret key; we propose an eavesdropping apparatus built from off-the-shelf components. The loophole is likely to be present in most QKD systems using avalanche photodiodes to detect single photons. We believe that our findings are crucial for strengthening the security of practical QKD, by identifying and patching technological deficiencies.”

From: http://www.nature.com/nphoton/journal/vaop/ncurrent/full/nphoton.2010.214.html

Congratulations!! That’s not just a hack, that’s a masterpiece. Will spoil the day for a lot of people.

Read more about the team on their homepage:
http://www.iet.ntnu.no/groups/optics/qcr/hacking-commercial-quantum-cryptography-2010

For a detailed paper – if you are interested in understanding the basics:
http://iopscience.iop.org/1367-2630/4/1/341/pdf/1367-2630_4_1_341.pdf

This is from the New Journal of Physics, with the title “Quantum key distribution over 67 km with a plug&play system”.

Posted in Cryptography, Cyberthreads

Hard to believe…

You know, I have been working in the field of ICS security for a long time, and I thought I was on to their tricks. But they can still impress me :-(

Monitor and modify live process variables from an iPhone using ProSoft Technology Industrial Hotspots

The future of CI ICS

ProSoft Technology (www.prosoft-technology.com) is pleased to announce the support of the Industrial Hotspot series of radios in conjunction with Sweet William Automation’s new ScadaMobile application for the iPhone/iPod platform. The application is designed to provide engineers with access to live process control variables, and the ability to modify this data remotely from their iPhones. (Comment: Wow!!)

Functionally, the application creates a secure wireless interface between an iPhone device and an existing 802.11 wireless network on the plant-floor, effectively allowing an iPhone device to read Modbus TCP/IP and EtherNet/IP process control variables from Programmable Automation Controllers / Programmable Logic Controllers (PAC/PLCs) distributed throughout their plants. These live values are displayed in stylized lists and include user-established variance allowances and alarms. Engineers are able to monitor these variables in real time and make adjustments on the fly from an iPhone device.

Cumulative security features are offered by both the iPhone and the Industrial Hotspot radios to prevent unauthorized access to the network. The new 802.11n industrial hotspots feature WPA2-PSK and 802.11i RADIUS security, which prevent unauthorized access and modification to the network. ScadaMobile provides a feature upon configuration which requires the user to assign a matching security code as both a password for network access and as a Security Tag in the CPU. When ScadaMobile launches, the Security Code must match that on the CPU in order to create a connection.

That means this app can read and write individual bits in Modbus registers from your iPhone. ScadaMobile also uses a template which you prepare in MS Excel and then download from your Mac via a local file server running on that Mac.

So, why do I see a problem?

  1. “Someone” can access a PLC with write(!) access from a mobile consumer device which is under the full control of Apple.
  2. The app is not tested or certified by an independent and qualified organization like ITSEC, the NSA etc., only by Apple itself. No open criteria, nothing.
  3. It uses an MS Excel generated template, which gives additional room for attacks, and transfers the data to your iPhone via a local file server running uncontrolled on your private Mac.
  4. Even WPA2 is not really secure (Google for the “Hole 196” vulnerability or use this link).
  5. There are not that many 802.11n routers/hotspots available, especially on the plant floor. Maybe the best option is to buy an Apple AirPort. Looks good between all the old stuff in the rack…
  6. How secure is an iPhone???? It is meant for consumers – and even in office IT, where all the sexy BlackBerries are around, the iPhone is not accepted as an enterprise solution because of security and management issues. But it is acceptable for SCADA?
  7. OK, I think I could fill this list for the rest of the day…
  • Potential risks: manipulation of PLCs, DoS attacks, illegal monitoring of critical devices / data leakage. Want more?

Maybe it would be an idea to start with an app for iPhone/iPad that just monitors data – read-only access. Maybe via some kind of secure proxy, or an SSH tunnel. That all sounds much better to me.
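As an added example (not code from the original post, nor from ProSoft or Sweet William), here is a small Python monitor in the spirit of the read-only suggestion above: it parses Modbus/TCP requests seen on the plant-floor segment and alerts on any write function code that does not come from an engineering subnet. The subnet, the IP addresses and the sample frames are constructed for this example.

```python
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state (coils or holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
# Assumption (constructed for this example): only the engineering subnet may write;
# the plant-floor wireless segment a phone would join is read-only.
WRITE_ALLOWED = [ip_network("10.10.1.0/24")]

def parse_modbus_tcp(frame):
    """Return (unit_id, function_code, start_address) from a Modbus/TCP request."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {proto})")
    if length != len(frame) - 6:          # MBAP length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    address = struct.unpack(">H", frame[8:10])[0]  # start address of the request
    return unit, function, address

def audit_requests(events):
    """Flag every write request whose source is outside the write-allowed subnets."""
    alerts = []
    for src_ip, frame in events:
        try:
            unit, function, address = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(f"{src_ip}: malformed frame ({err})")
            continue
        if function in WRITE_FUNCTIONS and not any(
                ip_address(src_ip) in net for net in WRITE_ALLOWED):
            alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[function]} "
                          f"to unit {unit} at address {address}")
    return alerts

# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
SAMPLE_EVENTS = [
    ("10.10.1.5", bytes.fromhex("000100000006 01 05 0013 ff00")),      # coil write, engineering
    ("192.168.50.23", bytes.fromhex("000200000006 01 03 0000 000a")),  # register read, wireless
    ("192.168.50.23", bytes.fromhex("00030000000b 01 10 0001 0002 04 000a0102")),  # reg write, wireless
    ("192.168.50.23", bytes.fromhex("000400000006 01 05 0013 ff00")),  # coil write, wireless
]

if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Run against the sample traffic it reports only the two writes from the wireless address; the same check fed from a span port is a cheap first step towards the monitoring the post asks for.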

Posted in Cyberthreads, Scada & ICS Security | 2 Comments

ISP Level Gmail Phishing (China)

Oiwan Lam writes about ISP level phishing attempts, at Global Voices Advocacy:

In the past few days, there have been many reports from Chinese internet users saying that when they try to access their Gmail account, they are redirected to a URL, http://124.117.227.201/web/gmail/, and asked to re-enter their password.

Today NTDTV.com disclosed that the URL is a phishing page for stealing users’ passwords. It is believed that local ISPs are involved in the phishing activities. The phishing website looks exactly the same as Gmail, but the server is in Urumqi. Gmail login attempts are redirected to hxxp://124.117.227.201/web/gmail/, where they are asked to enter their password. Chinese users reporting this redirect believe that the redirects are being performed by the ISP. However, 124.117.227.201 is a CNC host in Xinjiang.

The original information can be found here: https://www.ntdtv.com/xtr/b5/2010/08/11/a417907_p.html

Comment: Attacking Gmail is a trivial game – either phishing or cookie-stealing attacks – as long as they do not use encryption by default. And to be on the safe side, what about 2FA?

Posted in Cyberthreads

Some kind of overreaction?

India: Government may ban Skype and Google
The government is now considering banning Google Mail and Skype after threatening to ban some BlackBerry services on 31 August.
Comment: Well, OK – BlackBerry is using some kind of encryption. Skype is encrypted for most of us, but Google Mail? So what’s next? Ban hello-kitty.com?

Posted in Cyberthreads

Where are the solutions?

Reading the articles on this and the linked sites shows how big the problem with security is. Politicians and organizations launch lots of initiatives. Good, but where are the solutions to the issues? It seems there is a big gap between those who know that something must be done, those who have to do it and those who know how to do it.

Let me compare it to something everybody understands: SEX.
We all know of the wonderful protection condoms can provide. But why is HIV still growing in some underdeveloped regions? Is a condom too expensive, or is it too complex to use? Or didn’t we spread the message well enough?

Back to IT security. I had a customer (one of the top 50 German companies) using high-end condoms (encryption products) for several years. One day the company found the condoms too expensive: “Nothing happened in the last years, we really don’t need it”. Are we eventually part of the undeveloped (IT) world?

The conclusion is: You need either better marketing for condoms or you need to tell people how and why condoms work.

I will use this place to explain technologies and mechanisms in the future. Mainly techniques that avoid the doctor (CERT) by using protection, often encryption. If I can help companies reduce the staff required for their response team, then I did my job well. I hope I will see a lot of creative response!

Georg

Posted in Cyberthreads

More on the worm…

Stuxnet infections are continuing to rise with the total number of infected systems worldwide currently between 90,000 and 100,000, according to security vendor Symantec.
In an e-mail interview Thursday, Kevin Hogan, senior director for Symantec Security Response, noted that the company has observed “a consistent number of infections” since the malware was first detected last month. The number of infected countries, he added, now stands at 115.

Read the full article:
http://www.zdnetasia.com/stuxnet-infe … inue-to-rise-62201930.htm

Posted in Cyberthreads

More on the worm, part 2

August 5, 2010
Robert McMillan
PC World

IDG News – A sophisticated worm designed to steal industrial secrets has been around for much longer than previously thought, according to security experts investigating the malicious software.
Called Stuxnet, the worm was unknown until mid-July, when it was identified by investigators with VirusBlockAda, a security vendor based in Minsk, Belarus. The worm is notable not only for its technical sophistication, but also for the fact that it targets the industrial control system computers designed to run factories and power plants.

Read the full article:
http://www.pcworld.com/printable/article/id=202609/printable.html

Posted in Cyberthreads

All about this Stuxnet

Malware on the run...

Well, finally some malware has hit the world of ICS. And yes – it was time. Everybody was talking about all the risks and the threat – but no bad guy had the mercy to show up with some ICS malware. But was it a worm – or a trojan, or no – was it a rootkit? Or maybe a virus? If you read all the news, it was a bit of everything…

However, everybody is happy now. The analysts are happy, because the worm finally appeared. The security industry is happy, because they can sell all their office IT security solutions to the plant floor. The press is happy, because – well, it was summer and nothing else came up. And the ICS admins are happy now, because they finally have something in common with the office IT admins – facing the same threats.

Well, maybe not everybody. Because during all this hype, nobody was talking about solutions. Yes, a patch was out after a few days, but guys, we are talking about ICS, not ICT. We cannot deploy a patch every week, so this is not the solution. And this is what I’m missing: solutions. So-called experts blame the industry for not being informed in time; others ask the government for more regulation. Looks all pretty helpless, right?

Folks, THIS worm was only the first of its kind; others will follow. There is no early warning, no law against cyber attacks. A part of the ICS world is now where the office IT has been for more than 6 years – under attack from all kinds of more or less stupid malware.

So what to do? Stop panicking! Use available technology, and make use of the experience of CERTs and similar groups. You will find a bunch of readings, best practices and other papers there. Learn from the office IT and do not make the same mistakes twice. Make sure your production network is separated – really separated. And set up some monitoring, so that you do not hear the bad news only from the press :-)

Posted in Scada & ICS Security