Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘STUXNET’ Category

Malware Wars!… Cyber-Wars!.. Cyber-Espionage-Wars! OH MY



Flame, DuQU, STUXNET, and now GAUSS:

Well, it was bound to happen and it finally did: a third variant of malware, ostensibly connected to the story that Mikko Hypponen posted about after an email he got from a nuclear scientist in Iran, has come to pass as true. The email claimed that a new piece of malware was playing AC/DC “Thunderstruck” at late hours on systems it had infected within the labs in Iran. I took this with a grain of salt and had some discussions with Mikko about it offline; he confirmed that the email came ostensibly from a known quantity in the AEOI and we left it at that, it’s unsubstantiated. Lo and behold, a week or two later and here we are with Eugene tweeting to the world that “GAUSS” is out there and has been since about 2011.

Gauss, it seems, has many functions and some of them are still unknown because there is an encryption layer around the payload that has yet to be cracked by anyone. Eugene has asked for a crowd-sourced solution to that and I am sure that eventually someone will come out with the key and we will once again peer into the mind of these coders with a penchant for science and celestial mechanics. It seems from the data provided thus far from the reverse R&D that it is indeed the same folks doing the work with the same framework and foibles, and thus it is again easily tied back to the US and Israel (allegedly, per the mouthiness of Joe F-Bomb Veep) and that it is once again a weapon against the whole of the Middle East, with a decided targeting of Lebanon this time around. Which is an interesting target all the more since there has been some interesting financial news of late concerning banks and terror funding, but I digress…

I am sure many of you out there are already familiar with the technology of the malware, so I am leaving all of that out here for perhaps another day. No, what I want to talk about is the larger paradigm here concerning the sandbox, espionage, warfare, and the infamous if not poorly named “CyberWar” going on as it becomes more and more apparent in scope. All of which seems to be centered on using massive malware schemes to hoover data as well as pull the trigger when necessary on periodic digital attacks on infrastructure. Something that truly had not been seen before Stuxnet and seems to have only geometrically progressed since Langner et al. let the cat out of the bag on it.

Malware Wars:

Generally, in the information security sector, when I explain the prevalence of malware today I often go back to the beginning with the Morris worm. I explain the nature of early viruses and how they were rather playful. I also explain that once the digital crime arena became profitable and firewalls became a standard appliance in the network environment, the bad actors had to pivot to tunnelling their data from the inside out, back home, through such things as a firewall. This always seems to make sense to those I explain it to, and today it is the norm. Malware, and the use of zero day as well as SE exploits to get the user to install software, is the way to go. It’s a form of digital judo really, using the opponent’s strength against them by finding their fulcrum weakness.

And so, it was only natural that the espionage groups of the world would turn to malware as the main means of gaining access to information that usually would take a human asset and a lot of time. By leveraging human nature and software flaws it has been a big win for some time now. I was actually amused that Henry Crumpton in the “Art of Intelligence” talks about how the CIA became a very early adopter of the network centric style of warfare. I imagine that some of the early malware out there used by spooks to steal from unprotected networks was CIA in origin and in fact that today’s Gauss probably has some relatives out there we have yet to see by people who have been doing this for some time now and we, the general public had no idea.

Times change though, and it seems that Eugene’s infrastructure for collecting data is creating a very wide dragnet for his people to find these infections and then reverse them. As we move forward expect to see more of these pop up, and surely soon, these will not just be US/UK/IL based attempts. Soon I think we will see the outsourced and insourced products of the likes of Iran and other nation states.. Perhaps we already have seen them, well, people like Mikko and Eugene may have at least. Who knows, maybe someday I will find something rooting about my network huh? Suffice to say, that this is just the beginning folks so get used to it.. And get used to seeing Eugene’s face and name popping up all over the place as well.. Superior showman that he is.

An Interesting Week of News About Lebanon and Bankers:

Meanwhile, I think it very telling and interesting, as we see the scope of these malware attacks opening up, that not only one or two countries were targeted, but pretty much the whole of the Middle East as well. Seems it’s an equal-opportunity thing; of course, the malware can never quite be trusted to stay within the network or systems that it was meant for, can it? There will always be spillage and potential for leaks that might tip off the opposition that it’s there. In the case of Gauss, it seems to have been targeted more at Lebanon, but it may have been just one state out of a few it was really meant for. In the case of Lebanon though, and the fact that this piece of malware was also set to steal banking data from that area, one has to look on in wonder about the recent events surrounding HSBC.

Obviously this module was meant to be used either to just collect intelligence on banking going on as well as possibly a means to leverage those accounts in ways as yet undetermined by the rest of us. Only the makers and operators really know what the intent was there, but, one can extrapolate a bit. As terror finances go, the Middle East is the hotbed, so any intelligence on movement of money could be used in that light just as well as other ways to track the finances of criminal, geopolitical, and economic decisions being made there. Whether it be corporations or governmental bodies, this kind of intelligence would be highly prized and I can see why they would install that feature on Gauss.

All of this though, so close to the revelations about HSBC, has me thinking about what else we might see coming down the pike soon on this front as well. Cut off the funding activities, and you make it much harder to conduct terrorism huh? Keep your eyes open.. You may see some interesting things happening soon, especially given that Gauss is out of the bag now too. Operations will likely have to roll up a bit quicker.

Espionage vs. Sabotage vs. Overt Warfare of Cyber-Warfare:

Recently I have been working on some presentation stuff with someone on the whole cyberwar paradigm and this week just blew the lid off the whole debate again for me. The question as well as the rancor I have over the term “Cyberwar” has been going on some time now and in this instance as well as Stuxnet and Flame and DuQu, can we term it as cyberwar? Is this instead solely espionage? What about the elements of sabotage we saw in Stuxnet that caused actual kinetic reactions? Is that cyberwar? If there is no real war declared what do you term it other than sabotage within the confines of espionage and statecraft?

Then there is the whole issue of the use of “Cold War” to describe the whole effect of these operations. Now we have a possible cold war between us and those states like Iran who are now coding their own malware to attack our systems and to sabotage things to make our lives harder. Is that a war? A type of war? All of these questions are being bandied about all the while we are obviously prosecuting said war in theater as I write this. I personally am at a loss to say exactly what it is or what to term it really. Neither is the DoD at this point, as they are still working on doctrine to put out there for the warriors to follow. Is there a need for prosecuting this war? It would seem that the US and others working with them seem to think so. I for one can understand the desire to, and the hubris to actually do it.

Hubris though, has a funny way of coming back on you in spectacular blowback. This is my greatest fear, and seemingly others’ too; however, we still have a country and a government that is flailing about *cough the Senate cough* unable to do anything constructive to protect our own infrastructure even at a low level. So, I would think twice about the scenarios of actually leaking statements of “we did it” so quickly, even if you perceive that the opposition has no current ability to strike back.. Cuz soon enough they will. It certainly won’t be a grand scale attack on our grid or telco when it does happen, but we will likely see pockets of trouble, and Iran or others will pop up with a smile, waving, and saying “HA HA!” when it does occur.

The Sandbox and The Wars We Are Prosecuting There by Malware Proxy:

Back to the Middle East though… We have been entrenched in there for so so long. Growing up I regularly watched the news reports about Lebanon and Israel, Iran and the hostages, Iraq, Saddam, Russian proxy wars via terrorism, Ghadaffi and his ambitions as well as terror plots (which also hit close to home with the Lockerbie bombing). You kids today might think this is all new, but let me tell you, this has been going on for a long long time. One might even say thousands of years (Mecca anyone? Crusades?). So, it’s little wonder then that this would all be focused on the Med.

We are conducting proxy wars not only because of 9/11 but also for economic and energy reasons as well. You want a good taste of that? Take a look at “Three Days of the Condor”, a movie about a fictional “reader” for the CIA who stumbles on to a plan to disrupt governments in the Middle East to affect oil prices and access. For every person that said the Iraq war and Afghanistan weren’t about oil, I say to them: look at the bigger picture. There are echoes there of control and access that you cannot ignore. Frankly, if there weren’t oil and money in the region, I think we would have quite a different story to look on as regards our deploying our forces there.

So, with that in mind, and with terrorism and nuclear ambitions (Iran), look at the malware targeting going on. Look at all of the nascent “Arab Springs” going on (albeit really, these are not springs, these are uprisings): we have peoples who do not want to live under oppressive regimes, not just because they aren’t free to buy an iPhone or surf porn, but because they are also oppressed tribes or sects that no longer wish to be abused. All of this though, all of the fighting and insurgency, upsets the very delicate balance that is the Middle East. Something that we in the US, for our part, have been trying to cultivate (stability), even if that stability came from another strongman that we really don’t care for, but who will work with us in trade and positional relevance to other states.

In goes the malware.. Not only to see what’s going on, but also to stop things from happening. These areas can be notoriously hard to have HUMINT in, and it’s just easier to send in malware and rely on human nature to have a larger boon in intelligence than to try and recruit people to spy. It’s as simple as that. Hear that sucking sound? That’s all their data going to a server in Virginia. In the eyes of the services and the government, this is clearly the right means to the ends they desire.

We Have Many Tigers by The Tail and I Expect Blowback:

Like I said before though, blowback has a nasty habit of boomeranging and here we have multiple states to deal with. Sure, not all of them have the ability to strike back at us in kind, but, as you have seen in Bulgaria, the Iranians just decided to go with their usual Hezbollah proxy war of terrorism. Others may do the same, or they may bide their time and start hiring coders on the internet. Maybe they will hire out of Russia, or China perhaps. Hell, it’s all for sale now on the net right? The problem overall is that since we claimed the Iran attack at Natanz, we now are not only the big boy on the block, we are now the go-to to be blamed for anything. Even if we say we didn’t do it, who’s gonna really believe us?

The cyber-genie is out of the cyber-bottle.

Then, this week we saw something new occur. A PSYOP, albeit a bad one, was perpetrated by the Assad regime it seems. Reuters was hacked and stories tweeted/placed on the net about how the rebel forces in Aleppo had cut and run. It was an interesting idea, but, it was ineffective for a number of reasons. The crux though is that Reuters saw it and immediately said it was false. So, no one really believed the stories. However, a more subtle approach at PSYOPS or DISINFO campaigns is likely in the offing for the near future I’d think. Surely we have been doing this for a while against them, whether it be in the news cycles or more subtle sock puppets online in social media sites like Twitter or Facebook. The US has been doing this for a long time and is well practiced. Syria though, not so much.

I have mentioned the other events above, but here are some links to stories for you to read up on it…

  • PSYOPS Operations by the nascent Syrian cyber warfare units on Reuters
  • Hezbollah’s attack in Bulgaria (bus bombing) in response to STUXNET and other machinations
  • Ostensible output of INTEL from Gauss that may have gotten HSBC in trouble and others to come (Terrorism funding and money laundering)

All in all though, I’d have to say that once the players become more sophisticated, we may in fact see some attacks against us that might work. Albeit those attacks will not be the “Cyber Pearl Harbor” that Dr. Cyberlove would like you to be afraid of. Politically too, there will be blowback from the Middle East now. I am sure that even after the WikiLeaks cables dump, the governments of the Med thought at least they could foresee what the US was up to and have a modicum of statecraft occur. Now though, I think we have pissed in the pool a bit too much and only have ourselves to blame when the shit hits the fan and we don’t have that many friends any more to rely on.

It’s a delicate balance.. #shutupeugene

Pandora’s Box Has Been Opened:

In the end, we have opened Pandora’s box and there is no way to get that which has escaped back into it. We have given the weapon framework away due to the nature of the carrier. Even if Gauss is encrypted, it will be broken and then what? Unlike traditional weapons that destroy themselves, the malware we have sent can be easily reverse engineered. It will give ideas to those wishing to create better versions and they will be turned on us in targeted and wide fashions to wreak as much digital havoc as possible. Unfortunately, you and I my friends are the collateral damage here, as we all depend on the systems that these types of malware insert themselves into and manipulate.

It is certainly evident, as I stated above, that our government here in the US is unable to come up with reasonable means to protect our systems. Systems that they do not own. Hell, the internet itself is not a government run or owned entity either, and yet they want to have an executive ability to shut it down? This alone shows you the problem of their thinking processes. They then decide to open the box and release the malware genie anyway… It’s all kind of scary when you think about it. If this is hard to conceive, let’s put it in terms of biological weapons.. Weapons systems that have been banned since Nixon was in office.

The allusion should be quite easy to understand, especially since malware was originally termed “Virus”. There is a direct analogy there. Anyway, here’s the crux of it all. Just like bioweapons, digital “bioware”, for lack of a better term, also cannot be controlled once let into the environment. Things mutate, whether at the hand of people or systems; things will not be contained within the intended victims. They will escape (as did all the malware we have seen) and will tend to have unforeseen consequences. God forbid we start really working on polymorphics again huh? If the circumstances are right, then we could have a problem.

Will we eventually have to have another treaty ban on malware of this kind?

Time will tell.. Until then, we all will just be along for the cyberwar ride I guess. We seem to be steadily marching toward the “cyberwar” everyone is talking about… determined really to prosecute it… But will it get us anywhere?

K.

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions, and the task of reaching people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have a high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie-cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities, as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key though is to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars, as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those same companies seeking dollars. It is all this white noise that some now are lamenting, wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joans of Arc and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She was later burned at the stake for heresy and, many years later, was made a saint. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practice (complex passwords, patching effectively, etc.). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.


“If the Apocalypse comes, beep me”

(Joss Whedon;Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we, as security evangelists, would like them to practice. The simple fact is that, like other apocalypse scenarios, people just have not lived through them and been affected by them enough to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat-footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin at you Condi) that terrorists would use planes as missiles… Even though a month before, a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of (normative) psychology, says “This can’t happen to us”. We all have it; just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless the person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business, after you, the security curmudgeon, have told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.


“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting), but then they think:

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely, and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things, and it is also human nature not to conceive that the bad things could happen to them, and hence that it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this:

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do, sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

The Son of Stuxnet… Methinks The Cart Be Before Ye Horse


My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1



As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II”. I surfed on over and read the document, and what I was left with was this:

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s and yes, there are similarities because of this; however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seemed to have access to the FULL source of Stuxnet. It has been out there a while and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlovsk by Biopreparat. Had you even considered that it was released on purpose as chaff to get others to tinker with it and thus muddy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again, but fail to even consider the question that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that the original 0day attacks and multiplicity of infection vectors, as well as exfiltration schemes, are not present.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted, and this, well this is really just like any other APT attack that I have seen out there.. In fact, in some ways it’s less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/exfiltration picture, I see from the report that they are linking the RAT to the original worm but have no real proof that it came from DUQU! It was found in situ on the box that they analyzed, and they make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption, but you make no real clarification on this. Though there is mention of a DQ.tmp file, which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here and I see a great failure in your haste, Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of what companies were “Targeted” by this malware re-hash? If so, you should come out of the closet here a bit, because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all power companies before making claims and allusions that the media will just shriek at the top of their lungs, placing more FUD on the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

  • Infiltrate
  • Seek data
  • Exfiltrate data
  • Keep access

And therein lies the rub. DUQU has a 36-day shelf life. Now, this is good from a foot-printing level AND could be excellent for setting up the next attack vector that could include the component of sustained access. So, the reality here for me is that this was a foot-printing attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet-like attack re-purposing code then I would have had less of a problem with your document, Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here as well as see others pull this all apart. I want to see more proof before you all go off half-cocked and get the straights all upset over an attack that may have nothing to do with the original.

Frankly, I find your faith in rationality disturbing… Symantec…

K.

Anonymous, SCADA, LULZ, DHS, and Motivations


Anonymous Is Interested In PLC’s & SCADA?

A recent .pdf bulletin put out by Homeland Security (i.e. DHS) claims that certain actors within Anonymous (and by that they mean “anonymous”, I added the distinction) have shown interest in at least Siemens SIMATIC PLCs and how to locate them online for exploitation. It seems that DHS, though warning about this threat, is not too concerned about its actually being exploited by the group because they lack the expertise to attack them. So, why the BOLO on this at all? If the collective cannot do the damage to the infrastructure that you are entrusted with keeping safe, then why report on it at all as credible intelligence? It would seem to some, myself included, that Anonymous is not the problem that they are really worried about on the macro scale, but instead, those who may claim to be Anonymous hitting small-scale facilities or pockets of targets for their own purposes.

And therein lies the difference.

If indeed Anonymous the collective is looking at attacking SCADA, one has to wonder at their reasons to target such systems. After all, if Anonymous takes out the power or poisons the water, it will not look good for them PR-wise. In fact, were such things to happen in the name of Anonymous, I can pretty much guarantee you all that they would be enemy #1 pretty darned quick post an attack. However, if they were to target a company such as a car maker that pollutes, then you have a real agenda (per their social agenda of late). So, the targeting is really key here and I will cover that later on.

DHS Jumping The Shark?

The motivations of the release by DHS have also been called into question by some as to why they chose to talk about this at all. This is especially prescient since they take pains to say that the Anonymous movement “most likely” does not have the technical means and motive to really pull off these types of attacks on the infrastructure. So why even bother? Perhaps they are just covering their bases (or asses) just in case the Anons actually attack? Or perhaps, they too are clued in on the fact that even if claimed to be Anonymous, it could be others working against the US (nation state actors) who have chosen to attack and use Anonymous as a cover so as to throw off attribution.

Either way, as some look at it, it is almost like they are daring Anonymous to do it out of spite because they are calling Anonymous’ factions and actors “inept” or “unskilled” which might get their dander up a bit. All of these scenarios pretty much do not preclude someone hitting SCADA systems in the future and it being blamed on Anonymous, which will bring on a new wave of efforts by the government to stamp them out. Reciprocity being what it is, this too will mean that Anonymous might in fact gain strength and sympathy from such actions and fallout as well.

For me though, I just see DHS covering the bases so as to not be blamed later on should something happen. Not so much am I of the opinion that they are in some kind of propaganda war here with this little missive.

Motives, Means, Technical Abilities

So lets go with the theory that certain elements of the Anonymous collective want to mess with the infrastructure. Who would they target and why? More to the point, what companies would they target that fits their agenda?

  • Telco?
  • Power?
  • Manufacturing?

Those are the three areas that I could see as potential attack vectors. Though, once again I have to say that the only two that I see as really possible would be the telco and manufacturing, and even the telco would be dangerous for them to try as well. I mean, if you start messing with Ebay or Paypal that’s one thing, it's quite another to mess with national infrastructure, as these two would be considered. If indeed Anonymous hit them and took them down for whatever reason, they would then be directly considered terrorists… And that would be seriously bad for their movement and its legitimacy.

Now, we do know that the Anons hit the BART system but as I remember it, it was BART that took out the communications infrastructure themselves so as to prevent communication between Anons. So, this just doesn’t seem to fit for me either. Manufacturing though, as I made the case above, could be something they would try. It’s not national infrastructure and it will not take the country down if they stop something like cars being made.

Is it just me? Or does anyone else just see this as a non-starter for Anonymous central? What I do see is the threat of other actors using the nom de guerre of Anonymous as cover for their actions to mess with the national infrastructure. Perhaps some of these people might in fact be motivated by Anonymous, but my guess is that if that were to happen, it would be nation state driven… And something I have been warning about for some time.

Anonymous, as an idea, as a movement, will be subverted by those looking to fulfil their own ends and justify their means. All the while, they will let the Anon’s take the fall for it.

Governments

Nations

Nation States

… AND.. Corporations.

You know, those with the money and the people who could pull off the technical hacks required to carry these capers off.. Not a bunch of rag tag hacktivists and hangers on.

Blowback

In the end, what I fear is that there will be a great deal of blowback on Anonymous for even talking about hacking and messing with infrastructure. The same can be said for their attempts on taking down Wall Street or the NYSE with their DDoS. If they had succeeded, they would have been an annoyance really, but that would not have caused any great fluctuation in the markets I think. No, unless they hacked into NYSE itself and exposed the fact that they had root in there, I think that it would have a very minimal effect on Wall Street and the economy at large.

Not to say that everything is going ever so well now…

DHS seems to have jumped the shark a bit for me on their BOLO and the coverage of this just tends to add to the FUD concerning SCADA and PLC code. Hell, for that matter we have the new Symantec report on DUQU that yells out about it being the “Son of Stuxnet” but in reality, it is more like a clone of Stuxnet used for APT style attacks by persons unknown..

Get yer FUD here!

Same goes for this DHS warning.

Your results may vary…

K.

SCADA SCADA EVERYWHERE! STUXNET, SCADA, Terrorism, Nation State Terrorism & FUD


Yes, this diagram does come from a .gov site for an actual system... *sadpanda*

THE STUXPOCALYPSE:

“When he opened the seventh seal, there was silence in heaven as the malware began changing PLC code”

From the book of Langner & Wright: Revelation Chapter 1 Verse 1

The news cycle still is full of hand wringing over SCADA and Stuxnet while more government officials worry about “Stuxnet” being modified to attack other PLC systems that are vulnerable and riddled with 0day. I have written in the past that I had thought that all of this chicken little reporting and fear mongering was a little over the top and have been taken to task by the likes of certain people who shall remain un-named (though, you don’t have to look much further than the book of Stuxnet revelation above to know who I am talking about).

So, I decided to take some time and do a little research online to see just how bad things really are… With Google and Shodan.

What I Found:

Ok, well, once I began to dig into Shodan and Google I decided that I needed to define the scope a bit. So, I did searches for the popular systems like Siemens. What I discovered was that there were systems indeed online and with web gateways available. Some of these were systems for water treatment, some were for telco, and some were in fact for electrical networks. The numbers showed though, that at least through Shodan, there was not a preponderance of American systems just lying about. Europe though and other countries had a bit higher number of systems.

Once I got past the popular names though, I began to look for other vectors of attack. I thought perhaps I should look for the product names of the gateway products and sure enough, I located a bunch of them out there. The most popular one though (by numbers online) turned out to be a South American product/system and there were plenty of those out there. In fact, once I saw where they were located I had a fleeting thought about power outages in South America and how everyone was debating that they were hacked..

Mmm Could be… However, without real proof of that, I am unwilling to go on the record and be like the other pontificators out there.

Here’s a list of the product names sampled within the Shodan results.

Now, having done all this poking about, the question then becomes just what systems are they using for PLC control and just how many companies are there out there? This becomes important as all of the talk is about “Stuxnet” and the apocalypse of the code being re-engineered to attack other facilities than Natanz and the Siemens SIMATIC S7. I then went to the “Googles” and asked the following question of the great and wise oracle.

“How many PLC controller makers are there in the world?”

Out of the results I got here was the most relevant answer:

PLC controller manufacturers-getting one available through the internet
While finding PLC controller manufacturers to get a PLC, it is important to learn on how to control programmable logic controllers. A PLC programmer is known as person who has the ability to create a system by using PLC programming. Learning about PLC programming is the key for those who want to take part in the automation industry. When it comes to PLC controller manufacturers, some options are available such as Panasonic, Hitachi, Foxboro, Keyence and many more.

Well then, “many” is not a good enough answer for me and I am sure someone (who shall remain un-named) shall beg the question of whether I had been thorough enough. So, I went back to the great and wise “Google” and put it another way:

“Commonly used PLC systems”

What I got back was a site  that was a kind of a ranking site for people to nominate the makers and systems. Culling the data from this page I get the following names:

  • Allen-Bradley
  • Siemens
  • Mitsubishi
  • AB
  • OMRON
  • Modicon
  • GE 9030 and SLC100
  • Rockwell
  • Telemecanique
  • Schneider Electric

And the list goes on a bit more… But you get the point. Not only are there many of them, but this was also in 2000 when this list was started. So, there is likely to be a great change in the vendors that have popped up on the small scale. However, you can see that the biggies, or should I say “biggie” of Siemens is still pretty popular.

Alrighty then. So, there are many out there but there may be a monoculture of sorts going on due to the nature of choice per countries. As the site listed it, the US uses a lot of Siemens and Rockwell. In fact, the list suggested that Rockwell was over Siemens in the stats for the US. This could be the case, but either way, there is a case to be made that there may indeed be a monoculture issue here. Given that Siemens was pretty 0day riddled per the DEFCON presentation this year, we may indeed have a larger problem than one might think.

This depends though on the target of your attacks and the redundancy of the systems being attacked as well. However, it really does depend on the facts and figures of just how much of a monoculture in PLC/PID/SCADA systems and networks there is out there of varying types and configurations. It’s a complex ecosystem, and thus, to pull off a “Stux” attack en masse is going to be rather difficult. This is why the Stuxnet attack on Iran was so directed. They knew the specific models and systems within the Natanz facility and they programmed accordingly to damage them. In the case of a “Stuxpocalypse” the coders would have to program in every conceivable system type (and yes the PLC flaws do carry over so it may be a one size fits all in that case) but what about all the others? Are all these systems based on all the same code?

Regardless of the zero sum game theories on SCADA system security flaws being universal, one would have to create malware that would be, in effect, polymorphic (Hell, should just say xenomorphic huh? Go all Alien). This would, as I have said in the past, make the payload pretty much bloatware in my book. So where is the efficacy or, for that matter, the probability that the Stux is going to be modified to this level of pandemic generating scale? Never mind the task of getting it onto all of the systems needed to have the “apocalypse” that every chicken little seems to be worried about. I know, I have said this before, but I thought I would just re-iterate it all again. I just don’t see this being a large scale attack vector even from a nation state level. Pockets of attack yes, but not anything that is going to put us down for the count.

And that is what I am trying to say here. There is way too much FUD with all of the yammering I have seen and not enough rational thought. It’s, to quote “Team America”:

Spottswoode: From what I.N.T.E.L.L.I.G.E.N.C.E. has gathered, it would be 9/11 times 100.
Gary Johnston: 9/11 times a hundred? Jesus, that’s…
Spottswoode: Yes, 91,100.
Chris: Basically, all the worst parts of the bible.

Yeah, that about sums it up… So, on to more of the argument against the “Stuxpocalypse”

Targets & Vectors:

Gas Pipelines

Yep, this would be bad for areas of the country. If gas pipelines exploded it would cause fires and destruction, likely loss of life etc etc. So, if someone were to make a concerted effort to locate all of the gas pipeline/producers networks and find out what PCSs they are using they could do it. This would be nation state really and it is possible. However, this type of kinetic attack would have to be in tandem with other manoeuvres to attack the infrastructure. It’s a fire sale scenario really.. The fallout though of hitting one facility and causing damage/fear/deaths would be the psyops side of it.. That is unless the aggressor is looking, once again, to a larger attack on the country concurrently.

Nailing all of the pipelines though, or a great number of them simultaneously… I really don’t see as all too feasible.

This is not the Stuxpocalypse you are looking for…

Electrical Facilities and Grids

Ok, so here we have an interesting conundrum. With the advent of the “smart” grid, this might in fact make it easier to have a larger percentage of failure within the system itself. Everything being tied together this way and monitored will only serve to make the system more susceptible to a single point of failure I think. Of course there are many people working on this issue and trying to make the smart grid more secure. We will see how that plays out down the road though. At present though, one would have to look at taking down the grid with malware.

Could it happen? Maybe, large sections could go out. Or, if you hit the central nervous system of the network you could potentially have large areas of the country down for a while. Now, can you use Stuxnet and PLC malware to make the grid eat itself in toto is the real question isn’t it? All at once? A cascade failure of epic proportions?

Not likely. Though the systems are connected, once again, the effort would have to be nation state, it would have to consider whether the energy companies are using monoculture technologies, and code accordingly. So, I don’t see this as happening on the level that the FUD reporting out there would make it out to be.

Nuclear Facilities

To start off, I would like to cite an article on SCADA and Nuclear facilities to enlighten you all…

In retrospect, Lunsford says–and the Nuclear Regulatory Commission agrees–that government-mandated safeguards would have prevented him from triggering a nuclear meltdown. But he’s fairly certain that by accessing controls through the company’s network, he could have sabotaged the power supply to a large portion of the state. “It would have been as simple as closing a valve,” he says.

From America’s Hackable Backbone on Forbes back in 2007

I have said this before and now I will say it again. There will be no Chernobyl events here, and those of you who know reactors will know the reasons it will not be a Chernobyl event (design wise). However, the fact is that people worry about this because they think a meltdown is as easy as the China Syndrome. So, will Stuxnet or some other PLC hacking cause this to happen? Apparently not, according to this IBM guy and the NRC.

*breathe people*

Could the system scram and be down for a while? Sure. That could happen and it would cause people to be without power for a while as they find out what happened. Having just gone through a tropical storm and power loss here, I can see how it would be irritating but it would not be the preamble to war… Or the apocalypse.

Supply Chain Attacks

Supply chain attacks are quite possible but they are likely only to happen in pockets as the companies are all varied. So, you might not get your new car on time, or whatever else you wanted to buy or sell that you manufacture. This could be bad from a bottom line perspective monetarily, but, once again, this would not be an apocalypse. It is also key to note that each company would have different PLC systems, so the Stux code would have to be very specific or hugely varied and bloated to work on a large scale.

Chemical Facilities

Here we have something that I for one kind of do worry about. It would not take a mass attack on all chemical facilities to cause mass panic and perhaps deaths. At the very least, a chemical production facility being affected by a PLC/Stuxnet like attack would cause evacuations in the area that the plant sits. If someone were to mod the Stux or create something new to attack the controllers at specific facilities, they could cause an explosion or release of toxins.

Ok, I can go with this one a bit… Still though, not an apocalypse. For that matter, one could just get some C-4 and get a job at the facility long enough to plant a bomb… and that is more AQ’s style than trying to create a super weapon out of Stuxnet for this purpose.

Water Treatment Facilities 

Personally, the poop factory is only on here because there are so many of these facilities with an online SCADA presence according to Shodan. If someone were going to attack the infrastructure this way, they could flood the systems with waste and certain areas would have to live on bottled water a while. Surely not the Stuxpocalypse you are looking for here. Frankly, if a terrorist wanted to go after us this way, they would instead do what they have already tried to do in the past, poison the water with a toxin that they pour into it.

Not so worried here…

Telecommunications

Shodan showed many telcos with SCADA online to access. Now, if I were looking to take over a country I’d use the old aphorism of going after the radio and TV first.. Sure, this could be done in pockets but once again, there is no silver bullet here, no digital Ebola, that is going to take out the networks of all of these carriers. So, this would be a nuisance, people would have issues, some may die due to 999 or 911 not working, but, yet again, not the Stuxpocalypse.

SCADA On The Internets and There ARE NO AIR GAPS!

*facepalm*

Once again, yes Virginia, SCADA systems are networked. Yes they are even connected to the Internet insecurely in some cases. Just like any other technology, the connections are made for the ease of use of the company/user. In fact, as I have said before and as you can see from the diagram at the top of this article, they in fact also use microwave, Wi-Fi, and other RF means to get far flung data from point A to B.

Yes.. It’s true.

However, so far in my looking around, the systems that I primarily see as having these types of connections (RF) are water, gas, and electric systems. So yeah, you could mess with them by RF and cause issues. However, I have also seen systems that were located in well areas with only puny locks to protect the doors to the facility and no one.. not a soul around for miles to stop you from picking them.

I’d say that is insecure… BUT, I have yet to see one of these sites that if I popped it and brought it down, would cause a cascade failure and the apocalypse… And therein lies the key to the rationality. All systems have pain points but the infrastructure is so large and it has been built with some redundancy to prevent a system wide failure from one node going down.

Meanwhile, back to the air gap thing. I actually saw ONE. One facility had a separate network and it was not VLAN’d off to “logically separate it”. I cannot name the facility, but let's just say it was involved with power generation. So, yes, they are in some cases air gapped (and you know who I am looking at when I say this.. Captain Generality). Other places, not so much. They have logical air gaps only and yes, those can be breached with the right hacking attacks. I must say that in other places people just didn’t even put any thought into it at all and it's all just hanging out for anyone to access like a college girl in a tube top.

It all depends on who has done the planning and who’s watching the hen house. One hopes that post Stuxnet the government and the companies are working on cleaning up their flaws so as to prevent an attack.

Time will tell though… All these companies and infrastructures are snowflakes….

EMP’s Man Made & Solar… Now There’s Your Apocalypse:

So, you want a real apocalypse? Well then, just think on this. If there is a mass coronal ejection big enough, great swaths of the world could be hit by a nature-made EMP. As the sun cycle seems to be ramping up a bit, we may just someday see this happen. If that happens, then you will see some real apocalypse events. I have written about this in the past and frankly think this is a greater threat than the supposed Stuxpocalypse everyone is all chicken little over. There are also small scale EMP weapons the military have been working with along with the usual talk of a nuclear high altitude det to kick everything off and send us back to the stone age.

Each of these scenarios could happen but, probability wise, they are all pretty low I think.. Including the Stuxnet scenario.

One Last Parting Thought:

So once again, I have stepped into the breach between FUD and SANITY. I am hoping that sanity wins out, but, I know that in a world where Gregory Evans is alleged to be speaking to Congress about cyber security, I have little hope of being listened to by the masses. I will just go back to sharpening my blades, cleaning my guns, and preparing my bugout bags…

Oh, not for the apocalypse you think will be happening.. No.. For the apocalypse of stupid that will be happening thanks to the likes of CNN and the book of Langner and Wright.

K.

Written by Krypt3ia

2011/10/13 at 14:46

Posted in FUD, SCADA, STUXNET

“What We Have Here… Is A Failure To Communicate” Stuxpocalypse and FUDDERY


FUD FUD FUD PUFFERY!

Once again I find myself having to respond to chicken little dullards spewing FUD across the internets to make themselves muy importante. Once more I have to say that the current FUD du jour on STUXNET and the fact of just how many SCADA systems are online is getting tedious. So, Mr. Wright, yet again I have to school you on the facts and disabuse you of the idea that you are correct in your thinking.

So you say that SCADA is online… I never said they weren’t frankly. If you look closely at the sentence I actually say *crosses fingers* I KNOW that there are systems online and available to the internet TODAY, a simple Shodan search for Siemens Simatic PLC systems turns up 25 hits in the US alone. So, yes Mr. Wright, they are online and I knew this. I also was saying tongue in cheek that I had hoped that more of them would not be so readily available and that the people involved in management were taking care to remove the systems from non air gap networks.

Yes Craig, there is a problem, but it is not of the EPIC proportions that you seem to be subscribing to as a member of the Langner echo chamber.

Shodan Search

http://www.shodanhq.com/?q=PLC
http://www.shodanhq.com/?q=allen+bradley
http://www.shodanhq.com/?q=fanuc
http://www.shodanhq.com/?q=Rockwell
http://www.shodanhq.com/?q=Cimplicity
http://www.shodanhq.com/?q=Omron
http://www.shodanhq.com/?q=Novatech
http://www.shodanhq.com/?q=Citect
http://www.shodanhq.com/?q=RTU
http://www.shodanhq.com/?q=Modbus+Bridge
http://www.shodanhq.com/?q=modicon
http://www.shodanhq.com/?q=bacnet
http://www.shodanhq.com/?q=telemetry+gateway
http://www.shodanhq.com/?q=SIMATIC
http://www.shodanhq.com/?q=hmi
http://www.shodanhq.com/?q=siemens+-…er+-Subscriber
http://www.shodanhq.com/?q=scada+RTS
http://www.shodanhq.com/?q=SCHNEIDER

Above links from backtracklinux.com by way of infracritical.com
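As an added example (not part of the original post or of the linked sites): once you have exported the results of queries like those above from Shodan as JSON lines, the number that matters is exposed ICS *hosts*, not banner hits, since one device often answers on several ports and a “25 hits” figure silently double counts. The script below tallies hosts by vendor, country and protocol. The keyword table, the port-to-protocol table and every sample record are constructed assumptions for the example, not real Shodan data.

```python
import json
from collections import Counter

# Added example, not code from the original post. Banner keywords and
# port-to-protocol pairs are the editor's assumptions, chosen to mirror the
# Shodan queries listed above.
VENDOR_KEYWORDS = (
    ("Siemens", ("simatic", "siemens", "s7-")),
    ("Rockwell/Allen-Bradley", ("allen-bradley", "rockwell", "logix")),
    ("Schneider/Modicon", ("modicon", "schneider", "telemecanique")),
    ("GE", ("fanuc", "cimplicity")),
    ("Omron", ("omron", "fins")),
)
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 9600: "FINS", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet"}

# Constructed sample in the shape of a Shodan JSON-lines export; every address,
# banner and country here is made up for the example.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in (
    {"ip_str": "198.51.100.10", "port": 102, "data": "Siemens SIMATIC S7-300 CPU 315-2 PN/DP",
     "location": {"country_code": "US"}},
    {"ip_str": "198.51.100.10", "port": 502, "data": "Modbus/TCP Unit ID: 1",
     "location": {"country_code": "US"}},
    {"ip_str": "203.0.113.5", "port": 44818, "data": "Allen-Bradley 1756-L61/B LOGIX5561",
     "location": {"country_code": "DE"}},
    {"ip_str": "203.0.113.77", "port": 502, "data": "Modbus/TCP Unit ID: 255",
     "location": {"country_code": "BR"}},
    {"ip_str": "192.0.2.33", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: Apache",
     "location": {"country_code": "FR"}},
    {"ip_str": "192.0.2.44", "port": 9600, "data": "OMRON CJ2M FINS/TCP",
     "location": {"country_code": "JP"}},
))


def classify_banner(record):
    """Return (vendor, protocol, country) for one record; vendor/protocol are None when unmatched."""
    banner = record.get("data", "").lower()
    vendor = next((name for name, keys in VENDOR_KEYWORDS if any(k in banner for k in keys)), None)
    protocol = ICS_PORTS.get(record.get("port"))
    country = record.get("location", {}).get("country_code", "??")
    return vendor, protocol, country


def tally_ics_hosts(export_text):
    """Count exposed ICS hosts (not banners) by vendor, country and protocol.

    A host seen on several ICS ports is counted once for vendor and country,
    and once per distinct protocol. Records that match neither a vendor keyword
    nor an ICS port (plain web or SSH banners) are ignored.
    """
    hosts = {}
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        vendor, protocol, country = classify_banner(rec)
        if vendor is None and protocol is None:
            continue
        entry = hosts.setdefault(rec["ip_str"], {"vendor": None, "country": country, "protocols": set()})
        if vendor and entry["vendor"] is None:
            entry["vendor"] = vendor
        if protocol:
            entry["protocols"].add(protocol)
    return {
        "hosts": len(hosts),
        "by_vendor": Counter(e["vendor"] or "unidentified" for e in hosts.values()),
        "by_country": Counter(e["country"] for e in hosts.values()),
        "by_protocol": Counter(p for e in hosts.values() for p in e["protocols"]),
    }


if __name__ == "__main__":
    summary = tally_ics_hosts(SAMPLE_EXPORT)
    print(summary["hosts"], "ICS hosts")
    for key in ("by_vendor", "by_country", "by_protocol"):
        print(key, dict(summary[key]))
```

A vendor keyword in a plain HTTP banner still counts, deliberately: the web gateways in front of PLCs are exactly the exposure the post is talking about, even when the industrial protocol port itself is filtered. The “unidentified” bucket (a Modbus listener with no vendor string) is the one worth chasing by hand, since that is where the South American gateway product mentioned above would land.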

So Craig, your experiences, while not outside the norm of mine and others in the business (inclusive of pentesting systems within airframe and engine facilities, inclusive of SCADA used to control engines), have little bearing on the contention at the root of Mr. Langner's diatribe about a “stuxpocalypse”. In short, in order to have the “mass casualties” scenario he is crying about, the Stuxnet variants would have to be as varied as the number of makers of PLC systems out there. Just as the actual payload file to make a fire sale scenario happen would geometrically increase to have to become its own form of bloatware.

No Craig, I just don’t see it all happening. I see perhaps pockets of localized attacks on systems, but I do not see a large power failure as much as I see someone making the poop factory spill waste into the water systems. Quite simply, as I was trying to point out, Langner is spreading a large amount of FUD in an attempt to garner attention.. Much like I think you have been with your posts on Island that have been.. Well, lackluster at best. It would seem by my reading, that you only comprehend half of what is said and then regurgitate the FUD interspersed with your own experiences.

Let me enlighten you some more..

I have also been told that it’s too expensive, or it’s not important, or it’s not on our agenda as well when it comes to remediations that I have recommended to companies, agencies, or governments. We all have, I know this. However, the point I was making was that post Stuxnet, I had hoped that all of these people were taking a new look and remediating the problems that we all know are there. I am not foolish enough to think that everything has an air gap and that all those systems connected to the SCADA themselves are fully patched. This does not mean though, that I think we have to be chicken little here and run around being the “Langner who cried wolf”.

Which, you seem to be falling into that category Craig. Which once again makes me think that you are less of a source I would listen to, and perhaps this is why these people you speak of have not taken your advice.

Just an opinion Craig.

So, back to the problem at hand other than your puffery…

SCADA systems are all too often connected to non air gap networks. We all know this. Let me tell you a secret *this one’s for you Craig* Some of them even have WIRELESS connectivity! *yes, its true!*

INCONCEIVABLE!

So, do I think it is a problem? Yes. Do I think that there are so many of these systems online and readily available that we will have a fire sale as Mr. Langner would imply?

No.

Could someone (either state or hacktivist or miscreant) do something to select systems fairly easily if there are not remediations?

Yep.

Would the world end and there would be mass casualties?

No.

All of the systems at play have some redundancy built into them. Am I worried about a meltdown at a nuclear facility *Chernobyl style* if someone messes with some Simatic PLC’s?

No.

Why? Because the systems are redundant and deliberately so. Stuxnet did not cause a meltdown, it was not that kind of network. Stuxnet took out some centrifuges. Could someone infect a network/facility to the point of making all redundant systems fail and cause a meltdown in a nuke plant?

Maybe, but that is really pushing it.

So, sure, there are problems. I know this, you know this, we all know this. However, there is no need to go around whining about how no one will listen to you because you are whining pathetically about no one listening to you. All of this being done on the media who embellishes and uses the FUD to sell air time as well as makes it even worse! It would be better to just shut up and say I told you so than to add to the cacophony of FUD which will inure the masses into apathy.

So, where do we go from here?

As I mentioned before, the picture is bigger than whether or not SCADA systems (whether they be XP, Windows 98, or NT 3.51) *shudder* are online. Old, unpatched, or otherwise vulnerable systems still pose a large threat whether or not they are internet accessible (directly). The fact that physical access had to be had in order to load Stuxnet, and that it then had a feature (p2p) built in as well as a re-infection vector for USB in general, shows that it was a rather complex effort. If someone were able to modify the payload to work on other systems and use it in a phishing exploit, sure, we would have many more potentially infected systems. However, unless they create the uber package I mentioned at the top of this piece, it would take a fair amount of footprinting to find the exact models and firmware being used. Not impossible, but not easy either.
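A worked example of the footprinting step just mentioned, added here and not code from the original post or from any vendor: Modbus/TCP function 43 with MEI type 14 (Read Device Identification) is the documented way to ask a Modbus device for its vendor name, product code and firmware revision, which is exactly the model-and-firmware information an attacker needs to tailor a payload, and which a defender can use to inventory what is really reachable. The request builder and response parser below follow the public Modbus specification; the sample response and the exception frame are constructed, not captured from a real PLC.

```python
import struct
from dataclasses import dataclass, field

# Added example, not code from the original post. Frame layout follows the
# public Modbus Application Protocol and Modbus/TCP specifications; the sample
# device strings below are made up for the example.
MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14
READ_DEVID_BASIC = 0x01            # basic identification: vendor, product code, revision
BASIC_OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id(transaction_id=1, unit_id=1, read_code=READ_DEVID_BASIC, object_id=0):
    """Modbus/TCP request: MBAP header followed by the Read Device Identification PDU."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id byte + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


@dataclass
class DeviceIdentity:
    transaction_id: int
    unit_id: int
    conformity_level: int
    more_follows: bool
    next_object_id: int
    objects: dict = field(default_factory=dict)


def parse_read_device_id(frame):
    """Parse a Read Device Identification response; ValueError on exceptions or malformed frames."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    # Devices without the MEI interface answer with function code | 0x80 and an exception code
    if len(pdu) >= 2 and pdu[0] == (FC_ENCAPSULATED_INTERFACE | 0x80):
        raise ValueError("Modbus exception code 0x%02x" % pdu[1])
    if len(pdu) < 7 or pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    _read_code, conformity, more, next_id, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object value")
        pos += 2 + olen
        name = BASIC_OBJECT_NAMES.get(oid, "object_0x%02x" % oid)
        objects[name] = value.decode("ascii", errors="replace")
    return DeviceIdentity(tid, uid, conformity, more == 0xFF, next_id, objects)


def build_read_device_id_response(objects, transaction_id=1, unit_id=1, conformity=0x01):
    """Encode a response the way a device would; used here only to construct sample input."""
    body = b"".join(bytes([oid, len(v.encode("ascii"))]) + v.encode("ascii") for oid, v in objects)
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, READ_DEVID_BASIC,
                 conformity, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample response: vendor, product and revision strings are made up.
SAMPLE_RESPONSE = build_read_device_id_response(
    [(0x00, "ExampleVendor"), (0x01, "XV-1000"), (0x02, "V1.2")], transaction_id=1, unit_id=1)
# Constructed exception response: function 43 | 0x80 with exception 01 (illegal function).
SAMPLE_EXCEPTION = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([FC_ENCAPSULATED_INTERFACE | 0x80, 0x01])

if __name__ == "__main__":
    print(build_read_device_id(transaction_id=7, unit_id=3).hex())
    print(parse_read_device_id(SAMPLE_RESPONSE))
```

Against a live unit you would send the bytes from build_read_device_id() to TCP port 502 and hand the reply to parse_read_device_id(); a device that does not implement the MEI interface answers with an exception, which the parser reports rather than hides. The caveat a practitioner wants: some PLCs hang or fault on unexpected or malformed traffic, so this belongs in a scheduled maintenance window with the asset owner's sign-off, not in a casual sweep of whatever Shodan turned up.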

See, its more about defense in depth (or should be) than it is “THE SKY IS FALLING!!”

Do changes need to happen?

YES!

One hopes that they are, but all of this debate and going off half-cocked is pointless… And that was my main point.. Which you utterly failed to comprehend Craig. It just goes to show, no matter how many acronyms and letters you have after your name, or how big your bio at the bottom of articles online, it does not really mean you have a grasp of the situation.

K.

Written by Krypt3ia

2011/09/25 at 22:49

Posted in Duh, FUD, SCADA, STUXNET

STUXPOCALYPSE! HIDE YOUR WOMEN AND CHILDREN!


“Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems… That wakeup call lasted only about a week. Thereafter, everybody fell back into coma,” Langner told The Christian Science Monitor in a recent interview.

Ralphy, Ralphy, Ralphy, could it be that your company needs more attention? You personally perhaps? This crying “stuxpocalypse” thing is getting a little out of hand and seems rather low rent, well, wait a minute… Looking at that swank faux leopard pillow you have there, maybe this is your style.. Ok, back on topic.. Where was I?

Oh yes..

Ralph, sure, there are many systems out there running PLCs and yes, they are likely vulnerable to any number of attacks. However, can you please look back and see how long it actually took persons unknown *cough* USA/UK/Israel *cough* to create the Stuxnet attack, and breathe a little before you go crying to the likes of the Monitor? I’m sorry, but you are just making yourself look really.. Well.. Needy.

From the quotable “Langner” vol 2:

“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.

“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.

“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.

“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”

“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”

Let’s look at the facts, shall we?

“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.

FACT CHECK: ALL the control systems? Really Ralph, that is not going to happen… You smell the hype here folks? MASS CASUALTIES! FUD FUD FUD I’m sorry, no Ralph, sure, if the system were taken down (say power) there would be, the old and infirm would be the first to go, but a wholesale “fire sale” is not going to happen. It’s really the stuff of movies.. Say, you been watching Die Hard recently?

“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.

FACT CHECK: Say Ralph, I seem to remember there being a whole cyber security initiative by the Obama admin that seems to me, covers this area. Though, yeah I would love to see an expedited process, people are looking at this AND knew about these types of attacks WAY before Stuxnet showed up! I mean, how do you think they got the idea in the first place to create such a vector of attack huh? I might also suggest that all of the people who you might be asking about this may not want to talk to you in the first place. It would be like me walking into your house as a stranger and asking “So, what’s your wife’s favourite position in bed?”

“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.

FACT CHECK: Uh yeah.. No.. After what happened in Iran, we are not likely to just avoid the issue altogether.. Once again, I point to the previous statement (wife –> sex –> positions). Rare are the vendors or the end users that are going to divulge the problems they have, because they are afraid of compromise, no matter how hard it may be to carry out.

“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”

FACT CHECK: Well more of a comment really //BEGIN SNARK/SAVE US RALPH! SAVE US!//END SNARK/ people listened.. though, not necessarily to you… Trust me.

“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”

FACT CHECK: Gee Ralph, how about you forget the SCADA systems out there that now have attention and think about everything else out there online. Like, say, every frikkin Windows XP instance still out on the Internet and within private networks that is not patched? How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t (crosses fingers)? Well, they aren’t “supposed” to be. Or did you miss that salient fact that it took a concerted effort to get Stuxnet into the Iranian facility in the first place, because they were NOT connected to the internet as readily as other places?

Ya know.. It’s called HUMINT. We needed someone to plant that USB or place it physically in a box on site. See Ralph, it’s not just some magic incantation and suddenly you’re infected.

Need I also remind you of the 4 0-days used?

Yeah..

So please Ralph, get off the Stuxnet nipple.. We know about it.. We just aren’t talking to YOU about remediations.


Written by Krypt3ia

2011/09/23 at 19:16

Posted in FUD, STUXNET

STUXNET-APOCALYPSE! Says the Israeli Who Doesn’t Have Nuclear Silos and Bombs….

with 3 comments

From Infosec Island

Tomer Teller, a security evangelist for Check Point, warned of the likelihood that the Stuxnet virus could be adapted to undermine systems that control nuclear missile arsenals.

Teller made the prediction at a conference in Sydney, Australia last week hosted by Check Point.

“Nuclear warheads are controlled by computers so if someone managed to slip a worm inside a facility that will reach the warhead component, they could launch it and then aim it back at the country’s facility… Stuxnet is the first cyber weapon that could cause major disruption,” Teller explained.

Teller indicated he has conducted a detailed analysis of the Stuxnet code, and given the size and complexity of the file, Teller believes it is likely that a successful attack would require utilization of an insider.

“This is a huge file, it’s 1 megabyte [MB] of code and I respect the skill required to engineer that code as it is very complex,” Teller said.

The most likely avenue for the attack, Teller postulated, would be through the use of a tainted USB drive.

“In order to get something trusted by Microsoft, you need to get those exploits signed… What we think happened is that an insider broke into JMicron, a chip manufacturing company based in Taiwan, as there is a computer at that office which is dedicated to signing these Microsoft drivers,” Teller said.

My first reaction to this posting online came when I saw it on Greg Evans’ website, where he had scraped the story from another source (never mind why I was there). Since then, this story ended up in the headlines section of Infosec Island, and once again my reaction is HOLY WTF? How does this get into the news cycle at all without people calling it into question rather vociferously?

So I decided to talk to a source of mine who is in the know about most things nuclear. I asked him whether my supposition was right that Stuxnet would be pretty much useless in a silo, because of the way the systems were designed to be ultra redundant as well as segregated within that redundancy. What I got back was the following:

OK, at a high-level:

– The ~concept~ of a StuxNet and Nuclear Silos really only applies to operational readiness. With the exception of Pakistan, every ~known~ nuclear player already implements a variant of the PAL and CMS systems in their launch controls.

– The levels of redundancy involved for the ability to launch, preventing launch, arming, and self-destruction that exist in nuclear silos are quite possibly the most perfectly designed/redesigned decision/failure-tree systems known to man. This wasn’t due to a one-time effort, it’s been decades in the making.

– The availability of the hardware, software, network access, peripherals access, etc. is SOOOO ridiculously limited that ~development~ of such a tool would be purely speculative. This isn’t SIPRNet or CRONOS or NAUTILUS we’re talking about here. The levels of control and network isolation, and again redundancy, within these installations at major players are appropriately absurd.

– In terms of ancillary systems and operational readiness there are two ways to look at it. Could something cause a scare or a general shutdown due to FUD? Yes. Could something be used for ~press~ purposes to indicate a lack of operational readiness? Yes. The reality is that those who would be deterred in a MAD scenario know better.

– We’re talking submarines too, a WHOLE different level of player and communication and control systems. The likes of which are even further unknown and more specific.

– W/ submarines there is a different sort of risk because some major players (namely the UK) don’t have the same level of controls on subs, so a rogue commander w/ a key could start a launch. If talking StuxNet-like situations, you’re not reducing their readiness so easily. It is known in these cases from various leaks that the control pathways are also isolated by design and ~MECHANICAL~ to what might even be considered a fault.

– If you’re a Nation-State that has been tutored in the ‘art’ by the US or USSR you’re also likely to have bizarre levels of controls like fan speed detectors, temperature detection, computational state metrics, etc. to show the slightest change in behavior. Some of this was designed around the idea of more traditional things like a Y2K bug maybe affecting ~some~ system. Things that are, to any person who designs hardware, known to be fairly absurd and unnecessary, but indeed they would trigger an alarm to ~look~ at something.

– All that said.. could a StuxNet like system affect the ~production~ and ~development~ of a nuclear weapon? Yes and no. Yes as in it certainly could screw up enrichment (obviously) but wouldn’t screw up the end-result (hence why StuxNet was found in the first place).

So, once again, I call shenanigans on Tomer and this little story. At worst, if there were a Stux variant that were worked out AND carried into a silo, it would cause (maybe) a failure to launch. It is much more likely that Stuxnet and variants would instead be used (as it was in Iran) to manipulate the production of fissile material so as to have a weapon that would not actually work once launched in the payload vehicle. This story though, and the way it has been put out there by Tomer Teller, makes it sound as though imminent failure could happen to nuclear bombs, and this is just not right.

Even more ludicrous is the idea that a Stux variant could infect a system and cause the payload to come back from where it was launched, in effect changing the target coordinates. THIS would be more along the lines of just some malware, not Stuxnet that would infect specific systems in guidance on board the payload vehicle, and that is a totally different animal from Stuxnet. Indeed, this would be a completely different effort altogether and would require something else completely.

You see, the point of Stuxnet was that it was manipulating PLC code on specific PLCs, Tomer; what you are talking about would be something completely different.

Go back to firewall evangelizing and leave the nuclear weapons alone.

K.

Written by Krypt3ia

2011/09/13 at 00:41

PLC Controllers, Stuxnet, and Kinetic Attacks: Blackhat 2011

with one comment

Since the advent of Stuxnet, the problem of SCADA (PLC) systems and their control vulnerabilities has become the focus of the world. This seems to be the new flavor of the day because someone (a nation state actor) decided to use those known vulnerabilities (at least 10 years’ worth of them) to exploit the Siemens systems at the Natanz and Bushehr nuclear facilities in Iran, and so we now have a new form of terrorist attack, as Cofer Black pointed out in the keynote to Blackhat.

Dillon Beresford presented a talk on the Siemens 7 system vulnerabilities at Blackhat yesterday and did a great engineering job on the Siemens PLC system 7 attacks. However, in being so close to the subject, at least in the presentation, he seemed ill equipped to understand some of the ramifications of the exploit that was used against Iran and the amount of work that had to go into it to pull it off.

I say this because of the offhand comment that a single actor (hacker in a basement) could in fact have come up with the exploit code, and he is technically right. He has singly come up with more exploit code and plugins to Metasploit to prove it, but the attack on Iran was more complex than just exploit code for a Siemens 7 PLC. This too seemed to elude him, in the statement that he did not understand the reasoning for the pivot point of the Windows machines that were infected with the worm that injected the code into the system 7.

The reason for the attack vector pivot point is simply this:

The actors who created these exploits wanted to be able to infect non-connected systems at key hardened facilities that they did not have access to. Facilities that may have had regular network connections that might allow access to the worm, and thus infect not only one site but many, and not just the PLC systems themselves. This attack was multi-purpose and needed to be persistent for a long time in order to carry out its mission goal.

And the goals seem pretty evident now:

Have the centrifuges eat themselves

Have the product from the centrifuges be compromised and thus put Iran’s nuclear program even further back.

The fact is that the exploit code for the PLCs was small in comparison to the amount of work and 0day that went into the worm itself. This is a key feature of the attack and something that Beresford seemed to miss. The worm was indeed the delivery system, and it was likely carried into the Bushehr facility by a contractor (my thought is Russian, as they were working on the Iranian program and had access) on a USB stick. Once inside, the malware had the ability to detect, spread, and inject the exploit code specific to the Siemens PLC systems at those facilities.

This brings me to a second point on all of this. The intelligence needed to know exactly what systems the Iranians had was something only a nation state actor could really have the resources to gather. This was in fact a nation state attack from all the signs of it. That it used exploits for SCADA systems that were known to be vulnerable for some time is the only twist. However, that twist had been used in the past and as long ago as the Reagan era.

An attack on a Russian pipeline was eventually disclosed by the CIA as a worm that attacked the systems of the pipeline (i.e. the PLCs controlling the pressure of the gas) and caused a 3 kiloton explosion. This worm was likely created by the CIA and used to help dismantle the USSR.. Well, at least to cause some heavy damage to a pipeline that was in contention, at the very least. So, this type of attack is NOT NEW. It was a quietly known vector of attack as far back (publicly) as 2004, when it was revealed to the public at large, but it was known about much longer in intelligence circles.

The short and long, the exploits may be new in some cases, but, the type of attack is not at all.

The real difference today though is that we have the hacker community out there able to get their hands on code easily, and even perhaps the PLC systems themselves, to create even more exploits. Add to this that many SCADA systems have been connected to the Internet (as they should NEVER BE), ripe for attack, and we have a big problem. However, the proof of concept now is out there, the exploit code is available, and all it will take is an aggressor tenacious enough to write the malware to have another Stuxnet type attack on less hardened systems. An attack that could bring down the grid, cause the poop factory to explode and leak into our drinking water, or, like in Russia, have our pipelines explode in 3 kiloton explosions.
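To make the segmentation point above concrete, here is an added example (not code from the original post or from any of the researchers named here): a small checker that reads flow records and flags any control-segment host reaching the outside, or any path into the PLC segment other than the one sanctioned engineering-workstation-to-PLC S7 path on TCP/102. The subnets, the policy and the sample records are all constructed for illustration.

```python
"""Flag control-network segmentation violations in flow records.

Added example, not from the original post. The control (PLC) segment
10.50.0.0/24, the engineering segment 10.10.0.0/24 and the sample flows
are constructed; the only sanctioned path into the PLC segment is TCP/102
(ISO-TSAP, the port Siemens S7 communication uses) from an engineering host.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PLC_NET = ipaddress.ip_network("10.50.0.0/24")          # constructed
ENGINEERING_NET = ipaddress.ip_network("10.10.0.0/24")  # constructed
S7_PORT = 102  # TCP/102, ISO-TSAP; S7comm rides on it
# Anything outside RFC 1918 space is treated as "the Internet" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def is_external(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding if the flow breaks the policy, else None."""
    # 1. A controller reaching a non-internal address means the segment has an Internet path.
    if flow.src in PLC_NET and is_external(flow.dst):
        return f"PLC {flow.src} initiated traffic to external host {flow.dst}:{flow.dport}"
    if flow.dst in PLC_NET:
        # 2. Only engineering workstations may talk to controllers ...
        if flow.src not in ENGINEERING_NET:
            return f"{flow.src} (outside engineering segment) reached PLC {flow.dst}:{flow.dport}"
        # 3. ... and only over the sanctioned S7 port.
        if not (flow.proto == "tcp" and flow.dport == S7_PORT):
            return f"engineering host {flow.src} used unsanctioned {flow.proto}/{flow.dport} to PLC {flow.dst}"
    return None


def find_violations(lines) -> List[str]:
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = check_flow(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


SAMPLE_FLOWS = """\
# constructed sample: src dst proto dport
10.10.0.5 10.50.0.20 tcp 102
10.50.0.20 203.0.113.9 tcp 443
192.168.1.77 10.50.0.21 tcp 102
10.10.0.5 10.50.0.20 tcp 80
10.10.0.6 10.50.0.22 udp 161
""".splitlines()

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print("VIOLATION:", finding)
```

Only the first sample record (an engineering workstation talking S7 to a controller) passes; the other four each trip a different rule.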

This, Dillon, is the key point, and I know you get that. So, let’s extrapolate further: how about in future conferences we have more of what Dillon did. He went to Siemens and gave them the exploit code and showed them the problems. They, unlike many companies, are taking up the challenge and not trying to hide the problems, but instead are actively working on them to remediate. The next step is to go to EVERY PLC maker (wink wink Big O and the Administration.. Oh, DHS maybe?) and bitch slap them into doing something about the problems. As Dillon pointed out, these systems are pretty open and interoperable, so the code is likely to be just as bad everywhere.

If we don’t.. We are likely to wake up one day to a big explosion, and it may just be an accident.. Or, it could be another targeted attack like Stuxnet.

K.

PS.. One small thing Dillon.. Please, attend Toastmasters. I think it would help you greatly. You speak too softly and did not enunciate.

Of PLC Controllers and Obvious Statements

with one comment

The Summary from:

SCADA & PLC VULNERABILITIES IN CORRECTIONAL FACILITIES

by

Teague Newman
Tiffany Rad, ELCnetworks, LLC
John Strauchs, Strauchs, LLC

A logical conclusion to this research is that our findings do not only pertain to PLC and SCADA vulnerabilities in correctional facilities, but in any high-security location that uses these technologies as well as in manufacturing plants, transportation and just about anywhere that multiplexing is used. When securing the country’s most dangerous liabilities, we encourage that more attention be paid to access control, network security/segmentation and personnel policies. And as was the case with Stuxnet, proper adherence to secure operating procedures will greatly reduce the chances of infection of PLCs and control computers from the inside and outside of a secure facility.

Wait, you’re telling me that PLC systems (SCADA) are vulnerable and there are systems out there that are rather important that are likely vulnerable because of this?

NO WAY!

INCONCEIVABLE!

Sorry, just had to get that out of my system there. Seriously though, there is nothing new at all here with this white paper other than the fact that the prisons actually use these systems to keep the doors shut. Sure, if someone were savvy enough to get some code together (and it seems that there were some off the shelf exploits, by the wording in the document), they could possibly cause all of the doors in a penitentiary to open or close.

Uh, yeah.. Just like the same kinds of exploit code written for any other PLC system that is vulnerable (and let’s face it, they all are) to make, say, a generator eat itself and burn up (see video here by DHS). Or maybe, say, oh, I dunno, affect the rotational speeds of centrifuges in a nuclear fuel processing center?

Oh yeah, I remember now! That’s been done!

Stuxnet, still making waves in the news cycle, was an important wake up call for the general public and not so much for the security world. Sure, the complexity and chaining of exploits (0day) to keep the Stux in the Natanz systems was APT all the way, but the concept of affecting SCADA systems adversely had been around for quite a long time. Just ask anyone who has maybe ping swept a factory with computer controlled PLCs.

Shit will happen.

So, post Stuxnet, this paper and the presentation to follow at DEFCON this year seem more like a call for attention and perhaps a marketing scheme than anything revelatory befitting a talk at DEFCON. Having read the paper, it leaves me nonplussed as to why this is being presented at all. What is surprising is that companies and entities, government or otherwise, have not taken steps to ensure that their PLC systems are not vulnerable. Furthermore, all those who use these systems for important functions like power regulation should in fact be screaming for security testing and upgrades to each and every maker of PLC systems. What we get though, usually, are excuses if not just silence.

*crickets*

So, this paper and talk point out that prisons use the PLC’s and they are vulnerable to attack. It also makes mention that these systems seem to be connected to networks with internet connectivity!

SAY IT AIN’T SO!

Not much else to see here, is there? These things we all know. In fact, the whole point of the Stuxnet attack was to blend it so that it would work in an air gapped as well as a networked environment! So, what exactly are you saying here, Strauchs, that is telling us anything we didn’t already know? Had the writers actually come up with some plans or legislation or even a call to arms for all PLC makers to secure their products, then I would say they have something to hang their hat on.. What you get here is “ho hum”.

“Many places use PLC’s to control their operations”

“Many of those places connect their systems to networks with internet connections”

“The majority of PLC code is vulnerable to attack!”

…. Wait… Is that the CAPTAIN OBVIOUS sign in the sky over Las Vegas!?!?

See you there.

K.

Written by Krypt3ia

2011/07/31 at 00:14