
8/04/2011 Researcher demos attacks on Siemens industrial control systems

Thomas Brandstetter, a CERT program manager for Siemens, and Dillon Beresford, of NSS Labs, during Beresford's presentation on Siemens industrial control system vulnerabilities.

(Credit: Seth Rosenblatt/CNET)

LAS VEGAS--A researcher said today that he has discovered a number of vulnerabilities in programmable logic controllers (PLCs) from Siemens that are used to automate mechanical devices in utilities, power plants, and other industrial control environments and which could be remotely controlled to cause damage if connected to the Internet.

Dillon Beresford, a security researcher at NSS Labs, conducted demos of some attacks on the various Siemens Simatic Step 7 systems during his presentation at the Black Hat security conference here.

Beresford's work shows that it is possible to read and write PLC memory even when password protection is enabled, retrieve sensitive information from the PLC, capture passwords, execute arbitrary commands, report false data back to the operator, lock the operator out of the PLC by changing the password, and completely disable the PLC, among other things, he said.

Attacks could be "wormed" and designed to spread to engineers' workstations or hop from system to system, Beresford said. "You can pretty much own everything on the automation network," he added.

In the long run, an attacker could damage equipment or make devices in the field explode or spin out of control, depending on what actions are taken, according to Beresford. "These capabilities have been used offensively before and they have caused things to explode," he said.

The problems were serious enough to prompt NERC (North American Electric Reliability Corp.) to release an alert just to utilities last night with mitigation information, but at the lowest level of alert, said Tim Roxey, director of Electric Sector Information Sharing and Analysis Center at NERC.

Separately, NERC released a public alert to warn utilities about findings of Don Bailey, senior security consultant at iSec Partners, who gave a presentation earlier in the day at Black Hat about telephony-based weaknesses related to PLCs. The vulnerabilities allowed him to unlock a car with a text message and also affect critical infrastructure environments.

These problems are worldwide. "It's not just the U.S. but around the globe," Roxey said during a news conference later in the day.

Although his research focused on Siemens and on hardcoded passwords that create what he described as a "back door" to the PLC, similar attacks could be executed against systems from other vendors, Beresford said.

Part of the problem is that PLC protocols were designed without factoring in security. The protocol was intended to be open and packets are sent in plain text, he said, echoing concerns voiced by Jonathan Pollet, founder of Red Tiger Security, and Tom Parker, chief technology officer of FusionX, in their SCADA security workshop earlier in the week. "We need better access controls in PLCs," Beresford said. "That's something I believe Siemens is working on now."

Specifically, he was able to decrypt the hardcoded password in the system, which was "basisk"--which means "basic" in German--and create a command shell to dump memory in the PLC, look at the source code, execute commands, and intercept communications to and from the PLC, he said.

Such attacks are not really that difficult to pull off, with the right equipment, know-how, and ambition, he said. Experts speculated that last year's Stuxnet threat, which targeted Siemens Simatic Step 7 systems, was created by a nation-state or nation-state partners to sabotage Iran's nuclear development program. But, "single guys sitting in their basements could pull this off," he said.

Meanwhile, Beresford said that he also found what is known as an "easter egg," or hidden joke, in the Siemens code in the form of dancing monkeys and a German proverb that roughly translates to "all work and no play makes Jack a dull boy," he said, wearing a shirt with monkeys on it given to him by someone at Siemens.

Siemens is working to address the security issues that have cropped up, and ICS-CERT is working on an advisory, Beresford said.

Beresford introduced Thomas Brandstetter, a CERT program manager for Siemens, during his presentation and said of Siemens, "I give them a lot of credit for not trying to pull my talk." (Beresford canceled his talk on Siemens vulnerabilities at the last minute at a conference in May after U.S. cybersecurity and Siemens officials expressed concerns that fixes weren't ready.)

"At some point you really have to accept that there are vulnerabilities in your products, and even monkeys," Brandstetter, who was also wearing a monkey shirt, said to laughs from the audience. "Accepting this was the first step in order to be able to handle this professionally."

"What he's done is open up a can of worms that we've [researchers] known for a long time," Pollet of Red Tiger Security said in the news conference. "There's a systemic problem across all vendors around authentication for (SCADA communication) sessions."

"This type of an attack could cause regional impact on one plant or others in the regional area," and there could be cascading outages, Pollet said.


DefCon Kids joins adult hacker conferences

LAS VEGAS--Hackers of all types will be making their annual pilgrimage to the Black Hat and DefCon security conferences this week, including children who will learn how to write ciphers, hack circuit boards, and pick locks.

This marks the first year for DefCon Kids, which targets children aged 8 to 16. The event will run alongside all of the regular DefCon security and hacking sessions and the fun events for the adults like Hacker Karaoke, Hacker Jeopardy, Mohawk-Con, and an alcoholic ice cream contest.

"DefCon is a very adult orientated conference, more of a party than your typical conference. There will be adult language, alcohol and there may be nudity," the Defcon Kids site says. "The DefCon Kids conference room will be situated in and around the adult DefCon, therefore you and your kids will be exposed to a wide assortment of people, lifestyles and philosophies. We are not trying to scare you off but please research past DefCon conferences and understand the environment that you are bringing your child into."

The presenters at DefCon Kids are respected experts in the community and the talks seem interesting, regardless of your age. One presenter, however, will be speaking to peers.

"CyFi is a 10-year-old hacker, artist, and athlete living in California," says her bio on the site. "She has spoken publicly numerous times, usually at art galleries as a member of 'The American Show,' an underground art collective based in San Francisco. CyFi's first gallery showing was when she was four. Last year she performed at the SF MOMA Museum in San Francisco. DEFCON Kids will be her first public vulnerability disclosure. CyFi has had her identity stolen twice. She really likes coffee, but her mom doesn't let her drink it."

One look at the sessions for Black Hat (which runs Wednesday and Thursday) and DefCon (which runs Friday, Saturday and Sunday) makes it clear the conferences haven't gone all soft. There are plenty of talks on mobile malware and hacking, hacking risks with medical devices, and threats to automated stock trading systems. Other topics include the vulnerabilities created by linking critical infrastructure systems to the Internet and corporate networks, and the security issues that arise from the use of controllers in car security systems and prisons, and of Web servers in heating and cooling systems and DVRs.

In his talk titled "Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers," Michael Sutton, vice president of security research at Zscaler, will explain how corporations are exposing sensitive information through photocopiers and Voice-over-IP systems that can be discovered on the Internet through public Internet Protocol addresses. Hackers can remotely retrieve digital versions of documents duplicated on a photocopier and stored voicemails in VoIP backup systems, he said, adding that he found a host of other types of appliances accessible over the Internet that shouldn't be.

"People don't realize that these devices have a Web server," Sutton told CNET in a recent interview.

Another security conference will be happening in Las Vegas this Wednesday and Thursday. The event, called BSides, was created to offer the community a chance to hear talks that weren't accepted at Black Hat (although there are a few that overlap) and at lower cost.

For those attending any of the conferences, there are some security precautions that should be considered to keep prying eyes out of your devices:

  1. Disable WiFi and Bluetooth
  2. Try to connect to Web sites using https and use a virtual private network
  3. Use strong passwords
  4. Don't leave devices unguarded
  5. Be wary of the ATMs in the vicinity of the conference

More suggestions are here.

Wireless drone sniffs Wi-Fi, Bluetooth, phone signals

Mike Tassey (l) and Rich Perkins (r) describe how they retrofitted a U.S. Army surplus target drone.

(Credit: Declan McCullagh/CNET)

LAS VEGAS--Forget Wi-Fi war driving. Now it's war flying.

A pair of security engineers showed up at the Black Hat security conference here to show off a prototype that can eavesdrop on Wi-Fi, phone, and Bluetooth signals: a retrofitted U.S. Army target drone, bristling with electronic gear and an array of antennas.

"Nobody's really looking at this from a threat perspective," said Mike Tassey, a security consultant who works for the U.S. government intelligence community. "There's some pretty evil stuff you can do from the sky."

The term war driving, meaning searching for Wi-Fi networks from a moving vehicle, was coined approximately a decade ago, of course (here's a CNET article from 2002). But aerial drones can gain access to places that might be off-limits to vehicles--and, in theory, can follow a moving signal surreptitiously from above.

Their prototype Wi-Fi drone, which was brought on stage yesterday but not flown, is made of reinforced foam and can carry 20 pounds. They added landing gear, a 2.5 horsepower motor powered by lithium polymer batteries, a telemetry link, an onboard computer running Ubuntu, and a payload of wireless sniffers and network-cracking tools.

"We can identify a target by his cell phone and follow him home to where enterprise security doesn't reach," said Rich Perkins, a security engineer who describes his job as "supporting the U.S. government" and who co-created the drone. "We can reverse engineer someone's life."

The drone--which they dubbed WASP, for Wireless Aerial Surveillance Platform--can stay aloft for about an hour. While it's an autonomous unmanned aerial vehicle, or UAV, in flight, the initial version requires manual operator control for takeoffs and landings. (It cost them between $6,000 and $7,000 to build in a garage, they said, not counting their own time.)

Their ulterior motive, however, was to do more than describe their wireless-sniffing prototype: it was to offer a warning about how terrorists and criminals can use UAVs in ways that traditional military and law enforcement may not be expecting.

"UAVs pose a couple of unique challenges to people who are responsible for protecting things," Tassey said.

Even the modest payload of UAVs could be devastating in biological or radiological attacks. Drug smugglers--or, perhaps, pharmaceutical entrepreneurs--could carry around $400,000 in heroin through one flight across a national border. And the small size of UAVs, and virtually nonexistent presence on radar, make them a challenge to detect and shoot down.

"There's no requirement for good intentions," Perkins said.
