Category Archives: Security

SCADA Exploits Roam Free

It looks like Luigi Auriemma did only a quick check of SCADA systems before he came up with a giant list of flaws. He has decided to post his initial findings to Bugtraq:

The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well-known server-side SCADA software that is still vulnerable at this moment.

He points out in his post that he did not know anything about SCADA systems before the tests. Obviously that did not stop him from quickly finding many weaknesses.

Full-disclosure advisories and proof-of-concepts:
Siemens Tecnomatix FactoryLink:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
[…]

Open up factorylink_2-adv.txt and you will see the vulnerability levels can be very high — remote exploit.

CSService is a Windows service listening on port 7580.

All the file operations used by the service (opcodes 6, 8 and 10) allow an attacker to specify arbitrary files and directories (absolute paths), and it’s possible for an attacker to download any remote file on the server. Obviously it’s also possible to specify directory traversal paths.
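As an added illustration (not code from the advisory, the vendor or the service), this is the kind of check the file-operation opcodes described above are missing: the client string is treated as a name under one fixed directory, and absolute paths, drive or UNC prefixes and “..” segments are rejected before anything touches the filesystem. BASE_DIR, the function names and the sample names are assumptions.

```python
"""Confine client-supplied file names to a fixed base directory.

Added for the CSService flaw quoted above: accepting absolute paths or '..'
segments lets a remote caller read any file.  Treat the client string as a
name inside a fixed directory, never as a path.  BASE_DIR is an assumption.
"""
import ntpath
import posixpath

# Assumed: the only directory the service should ever serve files from.
BASE_DIR = "/srv/factorylink/export"


class UnsafePath(ValueError):
    """Raised when a client-supplied name would escape BASE_DIR."""


def safe_join(base: str, requested: str) -> str:
    """Return base/requested, or raise UnsafePath.

    Both '/' and '\\' count as separators: the real service runs on Windows,
    and the check must not depend on the host it happens to run on.
    """
    if not requested or "\x00" in requested:
        raise UnsafePath("empty name or embedded NUL")
    # Windows absolute forms: drive letters (C:\x, C:x) and UNC (\\host\share).
    drive, _ = ntpath.splitdrive(requested)
    if drive:
        raise UnsafePath(f"drive or UNC prefix not allowed: {requested!r}")
    normalized = requested.replace("\\", "/")
    if normalized.startswith("/"):
        raise UnsafePath(f"absolute path not allowed: {requested!r}")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafePath("name resolves to the base directory itself")
    if ".." in parts:
        raise UnsafePath(f"directory traversal not allowed: {requested!r}")
    joined = posixpath.join(base, *parts)
    # Belt and braces: the normalised result must still sit under base.
    if posixpath.commonpath([base, posixpath.normpath(joined)]) != base:
        raise UnsafePath(f"escapes base directory: {requested!r}")
    return joined


def is_safe(requested: str, base: str = BASE_DIR) -> bool:
    """True if the service would be allowed to serve this name."""
    try:
        safe_join(base, requested)
        return True
    except UnsafePath:
        return False
```

The same check applies to the directory opcodes: a listing request is confined by passing its argument through safe_join before it is opened.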

First, to be fair, SCADA systems are often intended to live in a different world than other systems — single-user, single-role, etc. There may be a defense-in-depth or compensating control design to be considered that encapsulates a SCADA system. Langner talks about this some in his interview on Stuxnet. An unprotected CSService thus may have been built that way by design, to do one thing and do it well.

Second, I have found that critical infrastructure management can be dominated by a culture of data analysis. Staff are often told to punch holes into closed systems and environments to mine details needed for calculations. It can feel more like a financial firm trying to make real-time investment decisions than an engineering operation. Closed environments are under pressure to be opened in order for spreadsheets to run.

Third, the financially-focused managers boast about their speculation and risk-management skills. Yet they seem to rely more on faith than data analysis when it comes to risk relative to security controls. They raise defense-in-depth as a theory sufficient on its own instead of as a measured and managed practice to deploy controls more thoroughly. That usually means that when you find a vulnerability like factorylink_2-adv, someone will always emphasize my first point above and say “I believe that’s handled elsewhere.”

Putting the three above points together, the worlds of IT and SCADA are not nearly as separate and distinct as many want to believe. They must be managed to reflect this convergence or there is a risk of leaving gaps for attackers to exploit. Even worse, the depth of defense can go unmeasured and leave basic systems unprotected in environments exposed to high-risk multi-user threats.

That’s why Auriemma’s list should be taken seriously. Vendors need to secure their products, or at the very least test them for hostile scenarios and provide security warnings/guidance. The demand, however, really has to come from SCADA application consumers. I suspect that these full-disclosure vulnerability announcements will help improve the industry’s risk calculations and prove the value of paying for better security from the SCADA vendors. On the other hand, if management still does not get it, then regulations will probably have to tighten.

SERE Expert Blasts Bush Torture Program

Truthout has posted an interview with retired Air Force Capt. Michael Kearns. Kearns is a “‘master’ SERE [Survival Evasion Resistance Escape] instructor and decorated veteran who has previously held high-ranking positions within the Air Force Headquarters Staff and Department of Defense (DoD).”

He said he decided to come forward because he is outraged that [Dr. John Bruce Jessen, the psychologist who was under contract to the CIA,] used their work to help design the Bush administration’s torture program.

“I think it’s about time for SERE to come out from behind the veil of secrecy if we are to progress as a moral nation of laws,” Kearns said during a wide-ranging interview with Truthout. “To take this survival training program and turn it into some form of nationally sanctioned, purposeful program for the extraction of information, or to apply exploitation, is in total contradiction to human morality, and defies basic logic. When I first learned about interrogation, at basic intelligence training school, I read about Hans Scharff, a Nazi interrogator who later wrote an article for Argosy Magazine titled ‘Without Torture.’ That’s what I was taught – torture doesn’t work.”

What stands out in Jessen’s notes is that he believed torture was often used to produce false confessions.

Telephone-based Payment Card Data PCI Guidelines

The Security Standards Council (SSC) has released an information supplement on telephone-based payment card data. This is an update to PCI SSC FAQ 5362.

It is now clear that controls must be in place to clean and protect audio recordings; they violate PCI compliance if they store sensitive authentication data (SAD).

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

The last sentence is the big clue. Known query tools pose a clear and present threat to SAD in audio files. The point of this supplement is to emphasize that the data needs to be protected due to the ease of querying and reading it. The controls must be documented and validated as usual.

The supplement provides a decision process flow to help illustrate different control areas. Even if no calls are recorded, for example, “Processing and transmission of cardholder data remain in scope for PCI DSS”.

One area of ambiguity remains.

Note the end of the sentence above where the Council says storage is prohibited “if that data can be queried”. Despite SAD media storage being prohibited there are some particular situations of storage — with additional controls — that may be allowed.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

A call center that can validate that its recordings cannot be data-mined thus may be allowed to store SAD. However, at the same time the supplement says they are prohibited from storing SAD.

Pay particular attention to sensitive authentication data: Storage is not permitted.

All clear?

I wonder if the PCI Council has the humor to start a campaign called “SAD is bad. Get rid of it and be glad”. They could even distribute it as a song, in an audio file.

US to Follow Chinese Common Cell Power Rule

China was said to be trying to reduce waste when it passed a rule five years ago that all mobile devices must be charged by a common USB interface.

China, through YD/T 1591-2006 “Technical Requirements and Test Method of Charger and Interface for Mobile Telecommunication Terminal Equipment,” created a requirement that cell phones must be charged from a USB charger.

[…]

To converge all the external connection functionality onto a single USB interface, several problems need to be solved, including routing audio over the same interface as data, detecting what external accessories are connected, maintaining high performance for all devices, and keeping power low.

Europe followed in 2009. Now, despite Apple’s best efforts to deploy annoyingly proprietary interfaces, ComputerWorld says the US will follow the Chinese USB rule.

By January 2012, all U.S. cell phones will have a common micro-USB interface that will allow universal external power chargers to use the port, CTIA Chairman Dan Hesse announced at a keynote at CTIA here today.

The variety of charging ports used in cell phones and smartphones today has irritated American users for years, especially as Europe moved forward on a common micro USB interface for data devices.

Oh, that’s funny, ComputerWorld does not mention the Chinese at all.

I agree with their assessment of American irritation. One of the reasons I dumped every electronic device I owned with an iPhone/iPod interface a couple of years ago was because I moved to a USB-only rule at home and at work. I have been surprised to find hotel rooms and gyms with electronics that have Apple proprietary interfaces. It’s like seeing a treadmill with a Betamax slot.

Bottom line is that availability of power will go up while waste goes down with a rule like this. There are compromises in features and maybe even functionality, but availability improvements and waste reduction seem worth it to me.