Author: Dave Lewis
May 7, 2008 at 9:28 pm · Filed under Critical Infrastructure, Disclosure, SCADA Security
Core Security, makers of the product Core Impact.
Nice folks.
I like the product.
Apparently they left the gate open and their brains ran away in the night. What am I talking about? Well, they posted a vulnerability in the software of SCADA vendor Wonderware.
From their posting:
A vulnerability was found in Wonderware SuiteLink Service (slssvc.exe) that could allow an unauthenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.
Fine. Good catch. I have been lucky enough to work with 10+ vendors so far on security vulnerabilities including one donkey outfit in ‘07. But, the rest were all professional. I was patient as I waited for them to get their **** together.
Now, on the SCADA side of the line we have another world that would make the Mad Hatter quite perplexed. There are some EMS vendors that require you to speak to them slowly, as at more than several sentences per minute they might, regrettably, spontaneously combust. It would appear, based on their apparent timeline, that WW is potentially one such firm.
That, however, doesn’t merit this,
An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in a Registration packet. The following binary excerpt shows where the problem is:
And here they provide the binary analysis.
They left the tracks at this point. I have released several vulnerabilities to date and not once did I release the actual code for the specific problem. What would that accomplish? I gave them the opportunity to patch the problem. They were able to address the issue with their respective customers and I got the byline.
Again from their timeline,
Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems.
But, releasing the actual binary analysis? Let go of my leg.
Not cool. So much for responsible disclosure.
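The failure the advisory describes above, an abnormally large length field that drives a memory allocation failure and takes the service down, is at bottom a length that is trusted before it is bounded. The C sketch below is an added illustration, not Core's analysis and not Wonderware's code; the packet layout (a 4-byte big-endian length followed by the payload), the MAX_PAYLOAD ceiling and the sample packets are all constructed for the example. It shows the defensive ordering a parser for any length-prefixed protocol needs: bound the length against the protocol limit and against the bytes actually received, and treat a failed allocation as a rejected packet rather than a crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical registration-packet layout, constructed for this example
 * (NOT the real SuiteLink wire format): a 4-byte big-endian payload length
 * followed by that many payload bytes. */
#define HDR_LEN 4u
/* Assumed protocol ceiling for a registration payload; any length above it
 * is malformed by definition and is rejected before any allocation. */
#define MAX_PAYLOAD 4096u

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,   /* fewer than HDR_LEN bytes received */
    PARSE_LEN_TOO_LARGE,  /* length field exceeds MAX_PAYLOAD */
    PARSE_TRUNCATED,      /* length field exceeds the bytes actually received */
    PARSE_NO_MEMORY       /* allocation failed; reported, not fatal */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened parser. The unsafe pattern it replaces is:
 *     len = read_be32(buf); p = malloc(len); memcpy(p, buf + 4, len);
 * where an absurd len either makes malloc return NULL (and the memcpy
 * then dereferences it, killing the service) or makes memcpy read far
 * past the received buffer. Every check below runs BEFORE malloc. */
enum parse_status parse_registration(const uint8_t *buf, size_t buf_len,
                                     uint8_t **payload_out,
                                     uint32_t *payload_len_out)
{
    *payload_out = NULL;
    *payload_len_out = 0;

    if (buf_len < HDR_LEN)
        return PARSE_SHORT_HEADER;

    uint32_t len = read_be32(buf);
    if (len > MAX_PAYLOAD)               /* protocol bound */
        return PARSE_LEN_TOO_LARGE;
    if (len > buf_len - HDR_LEN)         /* bound by what actually arrived */
        return PARSE_TRUNCATED;

    uint8_t *payload = malloc(len ? len : 1);
    if (payload == NULL)                 /* never dereference a failed alloc */
        return PARSE_NO_MEMORY;

    memcpy(payload, buf + HDR_LEN, len);
    *payload_out = payload;
    *payload_len_out = len;
    return PARSE_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_GOOD[]  = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_HUGE[]  = {0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c'};
static const uint8_t SAMPLE_TRUNC[] = {0x00, 0x00, 0x00, 0x0A, 'a', 'b'};
static const uint8_t SAMPLE_SHORT[] = {0x00, 0x00};

/* Parse one packet, release any payload, and report only the verdict.
 * A real service would log the verdict and drop the connection on anything
 * but PARSE_OK instead of terminating. */
enum parse_status classify(const uint8_t *buf, size_t buf_len)
{
    uint8_t *payload = NULL;
    uint32_t payload_len = 0;
    enum parse_status st = parse_registration(buf, buf_len, &payload, &payload_len);
    free(payload);
    return st;
}

int main(void)
{
    static const char *names[] = {"ok", "short header", "length too large",
                                  "truncated", "no memory"};
    printf("good : %s\n", names[classify(SAMPLE_GOOD,  sizeof SAMPLE_GOOD)]);
    printf("huge : %s\n", names[classify(SAMPLE_HUGE,  sizeof SAMPLE_HUGE)]);
    printf("trunc: %s\n", names[classify(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)]);
    printf("short: %s\n", names[classify(SAMPLE_SHORT, sizeof SAMPLE_SHORT)]);
    return 0;
}
```

The order of the checks is the point: the protocol ceiling is tested first so that a 4 GB length never reaches malloc at all, the received-bytes check then catches lengths that are plausible but lie, and only a length that passes both is allocated. For detection, a SCADA service that logs these verdicts gives operators a signal (a burst of PARSE_LEN_TOO_LARGE from one source) long before the process ever falls over.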
Article Link
Thx to CJ, M, Darko, Melanie and Bob for sending this one in!
(ed note: I do enjoy stirring it up. Looks like this one did the trick.)
Author: Dave Lewis
April 9, 2008 at 9:54 pm · Filed under Conventions, Critical Infrastructure
Earlier today there was a town hall meeting that reviewed the recent Cyber Storm II exercise. This was a massive simulated computer attack. I was involved in the first Cyber Storm exercise and one of the funniest parts of that was that someone took it upon themselves to return fire. Amusing, albeit counterproductive.
From Information Week:
By the accounts of panelists at the RSA Conference in San Francisco who participated in the exercise, the simulated cyber crisis was hugely valuable; they just couldn’t share very much information about what went on.
Detailed information about Cyber Storm II will be made available later this summer in an after-action report, said Greg Garcia, assistant secretary for cybersecurity with the Department of Homeland Security.
It thus came as no surprise when U.S. CERT’s deputy director Randy Vickers acknowledged that the exercise showed there were still some shortfalls in information sharing during the simulated crisis.
Other panelists included Michigan CIO Dan Lohrmann, New Zealand’s managing director of critical infrastructure protection Paul McKittrick, Microsoft senior security specialist Paul Nicholas, and Dow senior information systems manager Christine Adams.
Read on.
Article Link
Tags: Cyber Storm II, RSA 2008, Defending Computers
Author: Dave Lewis
February 1, 2008 at 10:51 am · Filed under Critical Infrastructure
Wired magazine has a nice write-up about the recent Cyber Storm exercise. The part that I find rather amusing is that during the exercise, one of the targets apparently wasn’t going to take it lying down. One of them counter-hacked.
From Wired:
In the middle of the biggest-ever “Cyber Storm” war game to test the nation’s hacker defenses, someone quietly targeted the very computers used to conduct the exercise.
The surprising culprit? The players themselves, the same government and corporate experts responsible for detecting and fending off attacks against vital computer systems, according to hundreds of pages of heavily censored files obtained by The Associated Press. Perplexed organizers sent everyone an urgent e-mail marked “IMPORTANT!” instructing them not to probe or attack the game’s control computers.
“Any time you get a group of (information technology) experts together, there’s always a desire, ‘Let’s show them what we can do,’” said George Foresman, a former senior Homeland Security official. “Whether its intent was embarrassment or a prank, we had to temper the enthusiasm of the players.”
The exercise was a big deal for all concerned.
The entire exercise cost over $3 million. Amusing that someone hacked them back.
Article Link
Tags: Cyberstorm, Cyber Storm, Critical Infrastructure
Author: Dave Lewis
January 18, 2008 at 7:43 am · Filed under Critical Infrastructure, SCADA Security
[UPDATE]: FERC Order 706 (.pdf)
From Utility Automation & Engineering:
The Federal Energy Regulatory Commission (FERC) approved eight new mandatory critical infrastructure protection (CIP) reliability standards designed to protect the nation’s bulk power system against potential disruptions from cyber security breaches.
The reliability standards were developed by the North American Electric Reliability Corporation (NERC), which FERC has designated as the electric reliability organization (ERO).
“Today we achieve a milestone by adopting the first mandatory and enforceable reliability standards that address cyber security concerns on the bulk power system in the United States,” FERC chairman Joseph T. Kelliher said. “The electric industry now can move on to the implementation of the standards in conjunction with improvement of these standards in order to increase the security and reliability of the bulk power system.”
Additional actions in the final rule direct the ERO to develop modifications to these reliability standards, via its reliability standards development process, and then submit them to FERC for approval. The modifications directed for development concern various oversight and technical issues pertaining to cyber protections. These include removal of language that allowed variable implementation of standards based on “reasonable business judgment” and a new framework of accountability surrounding exceptions based on technical feasibility.
The final rule also directs NERC to monitor the development and implementation of cyber security standards by the National Institute of Standards and Technology (NIST) to “determine if they contain provisions that will protect the Bulk-Power System better than the CIP Reliability Standards,” FERC said. But FERC did not direct NERC to adopt the NIST standards because that could lead to possible delays in putting into place any mandatory and enforceable standards.
(thx Brit)
Article Link
Tags: NERC, FERC, Cyber Security, Reliability Standards
Author: Dave Lewis
January 11, 2008 at 8:22 am · Filed under Critical Infrastructure
Who says critical infrastructure security isn’t important? Well not the folks that run the trams in Lodz, Poland. And certainly not the 12 people who were injured in the ensuing mess.
From Computer Weekly:
Polish police yesterday arrested a 14-year-old schoolboy for endangering public safety when he hacked the Lodz tram system and disrupted traffic.
Using a TV-style remote control he built himself, Adam Dabrowski allegedly changed the points on the city’s tram system. This derailed some tram cars, causing them to crash and injure up to 12 passengers.
Article Link
Tags: Polish Hacker, Lodz Trams Hacked, Critical Infrastructure
Author: Dave Lewis
November 29, 2007 at 12:04 pm · Filed under Critical Infrastructure
News this morning that an oil pipeline managed by Enbridge exploded and caught fire outside Minnesota. Two workers were killed in the blast and fire.
Now, normally I wouldn’t pick up on a story like this. However, this is an example of how an accident in the wrong place at the wrong time can have a domino effect. This was a leak that was under repair when the accident happened. It does serve as an example of how badly things could possibly go wrong if security of critical infrastructure were to be compromised.
From Bloomberg.com:
Enbridge closed four pipelines that supply an average of 1.5 million barrels a day after a blast yesterday killed two workers. The company said today a fire is still burning at the Clearbrook terminal in Minnesota where the pipelines meet.
“It’s an important pipeline and it’s also where it’s being hit, these pipeline junctions are a nightmare,” said Rob Laughlin, a senior broker at MF Global Ltd. in London. Oil “could go up further if it’s shut for some time.”
Crude oil for January delivery gained as much as $4.55, or 5 percent, to $95.17 a barrel in electronic trading on the New York Mercantile Exchange. That’s the biggest gain since Oct. 31. The contract, which gained for the first time this week, traded at $94.24 at 10:45 a.m. in London.
“All our lines are shut down until we can safely start up the system,” Denise Hamsher, a spokeswoman for Calgary-based Enbridge, said today by telephone. “At least one or two lines will be shut down for quite some time.”
Article Link
Tags: Critical Infrastructure, Oil Pipeline Fire, Infrastructure Damage