It’s been a while since I’ve put a post up here at ye olde bloge and despite the recommendation of many, I think it’s time to break the silence.
2009 was one heck of a year. 2010 is going to be ’same as before, but with feeling!’
Let's just review, shall we?

Hello there!
My name is Lee Herloth (with a “Hard T”) and I work in critical infrastructure protection, specifically for an electric utility. I’ve been invited by the good folks here at Liquidmatrix.org to write a blog from time to time and I thank them for the opportunity.
I was ready to fire off a post about how utterly unprofessional, dangerous, and borderline criminal it is to see so many vendors testifying in front of the United States Congress in support of new legislation (no fewer than five active bills right now) designed, in title, to increase the security of varying critical infrastructures. However, I have thought better of that as it would not be fitting of a southern gentleman.
Instead, I will refrain from calling said vendors on the carpet for using their influence to back legislation that directs the government to use their auditing guidelines, risk assessment tools, or to anoint a singular person as the czar of all things critical infrastructure protection. Therefore, this post will be SANS any ranting lest the internal struggle of having done so Impact my Core values, for that surely would not be Weiss.
On any given day, there are tens of thousands of United States residents alone who are without power due to mundane reliability failures stemming from equipment failure, human error, weather, and physics – oh, and the occasional possum or two. However, “Oops! My bad”, isn’t a sexy headline. Instead, much like the current fuss around “swine flu”, that which has a catchy name will win the attention of the reactive politicians and people at large and the larger, more meaningful issues go unaddressed.
Yes, we are plugging in our critical infrastructure to your internet. We have no choice. You want cheap, clean, reliable power so off to the races we go. As with any new activity, there will be learning opportunities and missteps along the way, and we have much work to do.
I believe I have a rather unique insight into the industry and I’m passionate about protecting the infrastructure I’m charged to protect against all comers. Make no mistake about it – if we leave the future direction of critical infrastructure protection in the wrong hands, you will start to see a decrease in the reliability and affordability of your power. The cure, when offered by a snake-oil salesman, will be most definitely worse than the disease.
And with that, I bid you good day.

I don’t even know where to begin.
I feel like I’m being tortured by AM the media machine.
Let's run down the list…
First, Siobhan Gorman… you {{REDACTED}} tool.
The WSJ article you wrote is such an incredible fluff piece, my high-school newspaper editor wouldn’t have permitted it.
You have all kinds of awesome quotes, except for the ones that you actually need to be attributable in order for you to call yourself a journalist. How does trolling the clip files that Rebecca Smith found for you and calling a few embassies make your article groundbreaking in any way?
Do you have NEW, SPECIFIC evidence? If you do, please forward it to the appropriate authorities or PUBLISH IT. You’ve got some speculation and it’s shit.
Next up, Dennis Fisher over at Threatpost with his “industry analyst” piece…
What the hell is your point exactly? It’s not like Kaspersky has anything to contribute here. You’re drumming up more crap without providing either details or passing your evidence to the people who need to see it.
Of course, once you’ve got one anti-virus vendor in the mix, here comes another… McAfee’s “Security Insights” blog entry by Phyllis Schneck is all about how one time, at security camp, she heard a story about a nuculer reactor being shut down by a contractor’s laptop.
And why stop at shilling your company’s failed products (why is anti-virus different from anti-spyware and sold under 200 different SKUs?) Why not start shilling your people! Watch as the University of Pittsburgh puts a plaintive call out to say “Hey, um, we got a guy!”
Gregory Reed, a professor of electrical and computer engineering in Pitt’s Swanson School of Engineering and director of the school’s Power and Energy Initiative, is available to comment on the significance of the reported espionage as an indicator of the electric power grid’s potential vulnerability.
In the fine tradition of “Will what you’re eating now KILL YOU???? We’ll tell you at Eleven!!!” television artists news journalists at ABC News would like you to know that your phone is not powered by the local utility. (It gets its power from the seething rage of Nortel shareholders.)
To the retired engineer who wrote this screed on a ZD Net blog entry about the WSJ story… including this gem:
EVERY SCADA system that I have ever seen uses its own dedicated communication network to carry data between the Master Station (the “base”), and the substation Remote Terminal Units (RTUs) and with the powerplants.
Good lord man, SHUT THE FUCK UP. You are the reason that the system is the mess that it is – you think that’s even remotely true? I’VE NEVER SEEN A SCADA SYSTEM IN THE POWER INDUSTRY THAT WASN’T INTERNET CONNECTED. EVER.
NERC attempted to do damage control and managed to put their foot into the good work being done by their own CSO!
Cyber security is an area of concern for the electric grid. Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of. NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats. There is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards, ensure appropriate emergency authority is in place to address imminent and specific cyber security threats, and ultimately ensure a safe, secure, and reliable energy future for North America.
That statement comes only one day after Michael Assante put out his ballsy “You’re not doing an ethical job of adhering to the spirit of the regulations” letter. How disingenuous is it to stab your own guy right in the back?
Those dim-witted dinosaurs at the AP, of course, go to great lengths to put in actual quotes from their un-named source.
“The vulnerability may be bigger than we think,” the official said, adding that the level of sophistication necessary to pull off such intrusions is so high that it is “almost without a doubt” done by state sponsors.
(Please note that our team did a pen-test in 2001 and achieved access, without any more state-sponsoring than the engagement letter.)
Things do SLOWLY get better…
Forbes attempts to pull a “fair and balanced” piece out of the wreckage of “journalism” expressed so far.
The usually bright and adroit folks at the BBC even picked up the story… shame on you, you should know better. At least you quote @dakami thus gaining back some credibility, who really does grok the issues since our face off at DEFCON last summer (forever to be known as the “Killer Oreos” discussion).
Eventually, sanity returns and several organizations manage to put an extinguisher to all of the flaming hair…
- Infrastructurist interviews Stephen Flynn.
- Federal Computer Week thinks FERC should get on the job.
- bNet tries to calm you with soothing quotes.
- Kevin Poulsen over at Wired manages to not piss me off and tells you to follow the money – the NSA wants to pwn the grid.
I’m just absolutely beside myself.
Here are some facts:
- The grid is not secure now.
- The grid cannot be made secure by using existing technology and (most importantly) staff.
- The asset owners are working actively to avoid doing anything.
- The government doesn’t know where to start – in the US or elsewhere – as they are busy with other things and too pwn’d by special interest groups.
- There is no CIP firewall.
- Your product does not (in and of itself) make anything NERC compliant.
- There are ways to solve the problems of the existing systems, but you’re going to have to think out-of-the-box… way out.
- There are always bad people.
- It is not currently in any nation-state’s interest to de-stabilize the US. (I’m leaving out crazy dictatorships on purpose.)
- It is simply a matter of following the money.
- The Senate, the NSA, DHS, and others are invested in this.
- I’m frustrated and I wish that the WSJ had handled this story with a lot more intelligence.
- I need to lie down now.
Thankfully there are a few sources of humour in all of this…
(picture CC from waltjabsco’s flickr stream)
Tags: SCADA, WSJ, cyberterror, BULLSHIT, DUMBASSES

I was pretty much forced to write about this article after I read it.
In an utter disregard for buzzwords, CNN Homeland Security Correspondent Jeanne Meserve has drunk heavily from the fountain of cyberdouchery. The article entitled “Smart Grid May Be Vulnerable to Hackers” briefly discusses the United States and its respective power companies anxiously deploying a high-tech power grid while simultaneously abusing the words “cyber” and “smart”.
Power companies are installing new automated meters at an astonishing rate, which seems to be the first step in the rollout. The eventual goal is to improve electricity efficiency and reliability using sensors on your home meters that talk back to the power grid. President Obama is on board, dishing out $4.5 billion towards all this.
So where does the problem lie?
Well some interesting quotes throughout the article define the issue very clearly. One of our friends at InGuardians, Ed Skoudis chimed in stating,
“I think we are putting the cart before the horse here to get this stuff rolled out very fast.”
Also, Matt Spaur, a product marketing analyst added my favorite tidbit,
“Any network can be hacked.”
All in all, this is obviously a huge security issue and if you even remotely (no pun intended) glanced at Live Free or Die Hard you’d get the picture. Electric grids are already “hackable”; you just have to not be afraid of heights and be a huge fan of rubber. The automation wouldn’t necessarily create many new vulnerabilities, but it would most definitely increase the risk by increasing the likelihood and severity of exploitation.
With this system in place there really is no room for “roll it out and patch it later.” We can all hope that the money makers take their time on this one and do it right.
Note from James – When Matt submitted this story, I was pleased to see that it’s not just the bitter old timers like Dave and me who find this stuff beyond the pale. What is important to remember though is that there is room to make all of these things happen, but it needs to start with everyone, including Smart-Ass Security Youngsters like me, dropping the ego at the door and coming back with solutions rather than just pointless bitching and moaning. There’s an opportunity to be awesome here, we should all, collectively, take it.
UPDATE: Businessweek gets in on the action… watch out, you’ve managed to get your Wall Street all over my Critical Infrastructure.
Tags: cyberdouchery, cnn, smart grid

Nortel execs have apparently taken leave of their senses altogether. The company is completely in the crapper and the hangman is waiting on the scaffold for the company. The execs have seen fit to dole out $45 million in bonus cheques? I’m really not sure I can wrap my head around this one.
From the Toronto Star:
A Canadian court has allowed eight senior executives at Nortel Networks Corp to share in the bonuses the telecom equipment maker plans to pay out even as it fights for survival in bankruptcy protection.
Nortel already had court approval to pay out a total of $45 million in bonuses for close to 1,000 executive and nonexecutive employees.
Friday’s ruling by the Ontario Superior Court makes the eight senior executives, who do not include Chief Executive Mike Zafirovski, eligible to receive a share of this money, company spokesman Mohammed Nakhooda said.
Maybe I’m a touch out of it but, where is the logic here? The “retain talent” spin is obviously not worth the cash when you consider the bang up job that they’ve been doing. And to make matters even worse (or to finance the institutional theft) they recently cut 3,200 employees with no severance. I usually avoid profanity but, this is just fucked.
Circling the ‘tubez right now is an FTC complaint filed by the Electronic Privacy Information Center (EPIC) regarding the privacy and security risks surrounding Google services. (This comes hot on the heels of the Google Docs SNAFU.) The complaint covers all the basics: the fast adoption of Cloud Computing; the fundamental right to privacy; identity theft; and the whimsy with which consumers throw (potentially) sensitive data into the *gulp* “Cloud”. The most significant eyebrow raiser of the document, however, is Section 57:
57. Enjoin Google from offering Cloud Computing Services until safeguards are verifiably established.
Say WHAAAAT? Pause the juggernaut? Surely you jest! Oh, and surely they’ll cough up the dough for the Privacy Pizza, as cited in Section 58:
58. Compel Google to contribute $5,000,000 to a public fund that will help support research concerning privacy enhancing technologies, including encryption, effective data anonymization, and mobile location privacy.
(Although, Section 58 does sound a bit secksy, and I’m all for furthering this type of research.)
Earlier today, I posted my opinion on this whole kerfuffle to the PaulDotCom mailing list:
It’s almost as though EPIC need to remind everyone that they still exist and haven’t become entirely decrepit and overshadowed by the EFF. The document is well assembled, citing examples that most users *don’t* consider when using Google services (or just about any *aaS, for that matter). Incidentally, the complaint references a recently published report from the World Privacy Forum on privacy risks in Cloud Computing[1]. Both documents raise a few similar points.
For example, how many of us actually read, end-to-end, the TOS and privacy policy of the Provider? How many of us validate claims like “your data are safe from unauthorized access when you store it on our Cumulonimbus Mega Awesome Cloud Storage Platform”?
I, for one, laud EPIC’s past efforts and the heart whence this complaint emerges. However, like a few others, the request for enjoinment basically negated my support for the complaint in its entirety.
[1] http://www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf
The questionability of Google’s approach to (user) security and privacy is nothing new, but it doesn’t warrant a suspension of service altogether. Educating users about the inherent risks of placing anything outside of your own, little trust-boundary-bubble is paramount. We can start by teaching our own “EPIC” phrase: “When it comes to outsourced providers, Expecting Privacy Is Comical.”
Flame on.
(CC licensed image from Erica Marshall)

So I went out looking for the Helix Forensics Live CD today…
Sniff.
So what’s a guy to do?
Well, I whined about it for a while. I raged about it for a while. I bargained with myself to see if it was worth the $179 for the once or twice a year I needed it. I got depressed because yet another company has taken off with “monetizing its community” and finally, I decided to go looking for the ISO of the last version before they went sideways.
I learned about what happened…
and some (partial) alternatives…
- Raptor by Forward Discovery, Inc.
- Windows FE
- and more Windows FE
- and even more Windows FE
- The nebulous promise of HelixCE (community edition)
- C.A.IN.E. (Computer Aided Investigative Environment) Live CD
I’d just about given up when I came across this posting from one of my #sectwits friends – Rob Fuller (@mubix): Ask and you shall receive – SumoLinux
It seems that another one of the #sectwits – Marcus J. Carey – has put together a fantastic DVD-based or USB-based distro called SUMO Linux which just happens to contain:
a compilation of the best Information Security distributions:
- Backtrack 3
- Helix 2.0
- Samurai Linux
- DBAN
- DVL
It’s available through the always impressive Pirate Bay torrent tracker here.
And just like that – the answer to my problem could have been found not through endless Google searches, but through a quick query to some of the fantastic folks on Twitter who have come together in an intensely supportive community with Zach Lanier (@quine) as its leader and (often) lead jokester.
(I’m so gonna pay for that last link…)
(CC licensed image from Todd Binger’s Flickr Stream)
Tags: helix3, livecd, hunting, mubix, marcusjcarey, awesome

So I’m casually flipping through Slashdot (which I do a whole lot less than I did during the dot.com glory years) and I come across… Cybercrime-As-a-Service Takes Off.
At that point my head exploded.
I want to help Vlado Vajdic of Vasco who may or may not be selling CyberAuthentication-As-a-Service understand that what he’s described reminds me an awful lot of oh… I dunno… THE ENTIRE GODDAMN HISTORY OF CRIME.
There have always been people who would sell you a capability and then operate that capability for you as a service.
They’re usually called Mercenaries. Whether they are on the side of good or bad is simply a matter of perspective.
Hell, it’s what I do for a living! I’m a consultant. I’ll show you how to do something, help you if you have trouble, and heck, I’ll even do it for you.
Vlado is getting cranked up about the fact that there are bad guys who will do bad things for money. (She|He) is also very interested in you acquiring (His|Her) mercenary services as an antidote to bad guys. And of course, since it’s CYBER-, you’ll buy it, it’s automatically better.
Why in the hell do we so easily accept that as soon as you add the prefix “CYBER-” to something, it’s suddenly new and nearly incomprehensible?
Pardon me, I need to reassemble my head.
(CC licensed image from Midnight-Digital’s Flickr Stream)
Tags: cyberdouchery, cybercrime-as-a-service, head, asplode, Vasco, Vlado Vajdic

First and foremost let’s get the “who the hell is this” out of the way. My name is Matt Johansen and I’m a recent college graduate starting on my path in Information Security. I have a technical background professionally and in my education but am growing more interested in the business aspects of security as I study for my CISSP exam. I’ve met a lot of great people that have been helping me along the way (honorable mention to my professor Kees Leune and all you Security Twits) including the LiquidMatrix team.
I came across some interesting stories about the almighty Google cloud features in the past couple of days. The first was about Gdrive, a specific example of a broader idea of online storage space. This idea is growing ever more popular now that the “cloud” is becoming a buzzword in the community and Google is taking another step towards being the almighty one. This is an old idea done a new way with most likely lots of Google flair such as booting from an online hard drive and automated backups.
Very interesting ideas that of course people are very excited about but leave it to the security people to kill the hype.
If done right this would be a great service, just as network share drives with group or personal permission folders are great on closed networks. But an interesting point was discussed on a recent episode of Diggnation when Kevin Rose spoke of a certain targeting problem. In general the everyday user of this service would most likely be left alone, but what about people more under a public spotlight? Kevin referred specifically to him or his co-host Alex putting up personal photos that some hacker-savvy fan would love to get their hands on. Even without the ability to gain access to the drive, a MITM attack would be very feasible, as demonstrated on Gmail with The Middler at Shmoocon.
As for the confidence in Google and its ability to protect your privacy, I stumbled across another article about a Google Docs sharing bug. Google has sent a letter to users who have been affected by this bug explaining that some of their documents were shared with previous collaborators without their knowing it.
Alice: “Honey, who is this Eve woman and why are we working on a list of gifts for her?”
Bob: “…”
Actual letter sent by Google:
Dear Google Docs user,
We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.
To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.
We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.
The Google Docs Team
It has been reported to have affected around 0.05% of Google Docs users, which could still be a pretty large number but isn’t a major leak. This still raises a few questions, especially when it comes to your confidence in upcoming services such as Gdrive and other people’s ability to access your data.
Just some food for thought!
-Matt Johansen
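As an added illustration (not from this post and not Google’s code), here is a hypothetical Python model of the failure mode the letter describes: a bulk permission change over several selected documents that leaks each document’s prior collaborators onto the others, next to the correct per-document update, an audit that flags grants nobody asked for, and the owner-only remediation the letter mentions. The ACL layout and the merge defect are assumptions about how such a bug could arise, not Google’s actual implementation.

```python
from copy import deepcopy


def sample_docs():
    """Constructed sample corpus: alice owns both docs, each with a different
    existing collaborator. 'acl' maps principal -> role."""
    return {
        "doc_a": {"owner": "alice", "acl": {"eve": "viewer"}},
        "doc_b": {"owner": "alice", "acl": {"bob": "editor"}},
    }


def bulk_share_buggy(docs, selected, principal, role):
    """Hypothetical defect: the new ACL is built from the union of every
    selected document's collaborators, then written back to all of them, so
    eve (doc_a only) silently gains access to doc_b and bob to doc_a."""
    merged = {}
    for doc_id in selected:
        merged.update(docs[doc_id]["acl"])
    merged[principal] = role
    for doc_id in selected:
        docs[doc_id]["acl"] = dict(merged)


def bulk_share_fixed(docs, selected, principal, role):
    """Correct behaviour: each selected document's ACL changes independently,
    gaining only the principal the user explicitly granted."""
    for doc_id in selected:
        docs[doc_id]["acl"][principal] = role


def audit_unexpected_grants(before, after, selected, granted):
    """Defender-side check run after a bulk operation: compare ACL snapshots and
    report principals that gained access without being the explicit grant.
    Returns {doc_id: set(unexpected principals)} for affected documents."""
    leaks = {}
    for doc_id, doc in after.items():
        expected = set(before[doc_id]["acl"])
        if doc_id in selected:
            expected.add(granted)
        extra = set(doc["acl"]) - expected
        if extra:
            leaks[doc_id] = extra
    return leaks


def remediate(docs, affected):
    """Mirror the remedy the letter describes: strip every collaborator and
    viewer from affected docs so only the owner retains access, and return the
    ids the owner must re-share manually."""
    for doc_id in affected:
        docs[doc_id]["acl"].clear()
    return sorted(affected)


def run_scenario(bulk_share):
    """Select both docs, grant carol view access via the given bulk routine, and
    audit the outcome. Returns (docs after the change, leaks found)."""
    docs = sample_docs()
    before = deepcopy(docs)
    selected = ["doc_a", "doc_b"]
    bulk_share(docs, selected, "carol", "viewer")
    return docs, audit_unexpected_grants(before, docs, selected, "carol")


if __name__ == "__main__":
    docs, leaks = run_scenario(bulk_share_buggy)
    print("buggy bulk share leaked:", leaks)
    print("remediated:", remediate(docs, leaks))
    print("fixed bulk share leaked:", run_scenario(bulk_share_fixed)[1])
```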
I’m so totally behind in my reading…
Think of this as an Internet Years time capsule of the news from a week ago.
(Hey — it’s less than two weeks to the Last HOPE — I’m freaking out here.)
The nice folks over at TechWeb’s Dark Reading put up an article about the ease of identity theft through plain ole meatspace hacking.
Much as I’ve said repeatedly, right now, most security policy/posture is predicated upon making the “right thing” the damn hardest possible thing.
If you’ve grappled with this version of the analog hole… how did it work out?
Participate!