Tuesday, June 26, 2012

Security Service(MI5) Director General speaks on cyber security

The Director General of the British Security Service(MI5), Jonathon Evans, spoke at Mansion House on security threats facing the UK including cyber security issues.  Some interesting points fromm the speech include the following.

"Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states. And the extent of what is going on is astonishing – with industrial-scale processes involving many thousands of people lying behind both State sponsored cyber espionage and organised cyber crime."

"What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and the commercially sensitive information that is the life-blood of our companies and corporations. And the threat to businesses relates not only to major industrial companies but also to their foreign subsidiaries, and to suppliers of professional services who may not be so well protected."

"One major London listed company with which we have worked estimates that it incurred revenue losses of some £800m as a result of hostile state cyber attack – not just through intellectual property loss but also from commercial disadvantage in contractual negotiations. "

The full speech is available here.

Friday, June 22, 2012

South Korea facing North Korean cyber attack campagin

South Korea is facing an increasing onslaught of cyber attacks from North Korea. Below is a list of the most recent significant incidents. This is a useful tactic for North Korea as it is difficult for South Korea to respond.North Korea has little Internet infrastructure to attack via computer network operations(CNO) and it would take an extreme North Korean attack involving loss of life to prompt South Korea responding militarily. South Korea, one of the most networked countries on Earth, has to just play defense and take the hits.

June 2012, South Korean Newspaper JoongAng Ilbo
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. Link. Previous blog entry.

April 2011, South Korean National Agricultural Co-operative Federation(NACF, Nonghyup Bank)
In April 2011 cyber actors linked to North Korea destroyed 100s of the Nonghyup Bank's internal computer servers disrupting banking services for millions of customers for over a week. Link.

March 2011, DDoS against South Korean websites
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites, the computers used by the botnet which launched the attack were rendered unusable after the attack by overwriting the hard drive's Master Boot Record(MBR). Link.
The attacks in March were also linked to a covert North Korean operation to import computer games containing malware into South Korea. Link.

July 2009 DDoS against South Korean and US websites
In July 2009 several waves of DDoS attacks targeted South Korean and US websites. Link.

Further reading

"Increasing concerns regarding cyber warfare capabilities of North Korea", Security Affairs Blog
"North Korea's cyber warfare strength grows", Bloomberg News
"North Korea's IP address space"North Korean Tech blog

SCADA systems: 15 new HTML reply signatures and examples

There is an incredible variety of things now connected to the Internet from industrial control systems and digital video security systems to printers and VoIP telephone systems. Many of these systems provide a web service via HTTP on port 80. A good deal of information about these devices can be found by looking at the meta-data within a reply from a simple HTTP Get message. The Shodan system scans the Internet to acquire this information and its database now holds the records for millions of IP addresses around the world.

In the tables below I have put together a list of signatures(i.e search strings) that appear in the HTTP meta-data for 15 Supervisory Control and Data Acquisition(SCADA) systems. An additional list of 29 signatures is available in this paper by Cambridge University Master's student E P Leverett, the paper also has a great introduction to SCADA systems.
In the following analysis I follow the same engagement rules as E P Leverett which are from the joint US DHS & UK CPNI good practice guide.
  1. I will not interact with any system except to view a publicly accessible HTTP interface.
  2. I will not attempt to login to any system.
What sort of SCADA systems are out there? Here are  a couple of examples.

Wastewater overflow management pumping station, Boncourt, Switzerland

The SCADA system on this pump is a Schneider Electric FactoryCast system. According to the user manual.

"FactoryCast is a software package that allows you to customize a Web site on the Embedded Web Server module. The site can be accessed via a browser to view and modify data from a Quantum or Premium programmable logic controller (PLC)."

System home page

Found on Google maps

This small pumping station is used to manage wastewater overflow in the Basse-Allaine region of Switzerland. Wastewater from the town of Boncourt flows through a pipe down to the treatment plant in Grandvilliars,France. But what happens if there is heavy rain? Along the pipe's path are overflow stations which consist of a large underground basin, a pump and a overflow pipe leading to the Allaine river. When it rains the overflow first runs into the basin and the pump returns it to the pipe reducing the flow down the pipe and lessening the chance of overflow to the river. Of course if the rains are heavy enough then the basin will fill and wastewater will overflow into the river.

The installers of the Schneider system, Swiss firm Stebatec, have customized the embedded web site.

1.9MW solar power plant, Mysliv, Czech Republic

This system is running Schneider Electric FactoryCast.
News items give further details on this plant.

"On October 7, Solar Park Mysliv, located in the south-western part of Bohemia, 20 kilometers east of the city of Klatovy, started producing solar electricity. This is the first solar power plant Gehrlicher Solar AG has built in the Czech Republic. The plant has a peak performance of 1.99 MWp and comprises an area of 3.8 hectares. It will be producing 1.79 million kilowatt hours of green electricity and covering the electricity requirements of 510 three-person households. 8.844 Yingli modules and two SMA inverters were used in the construction."
Biomass boiler systems

Unknown HVAC system in Germany

This small HVAC system, running a Saia-Burgess PCD allows anyone level 0 access(the least privileged) which allows viewing of measurements.


Solar power plant, Coppola S.p.A, Scafati, Italy

Coppola is company located in Scafati, it's solar power system was installed by group magaldi.The system allows anyone to view solar plant measurements. It is running a SpiderControl system.


The security of some of these systems can be very weak. I have seen cases of the system login password being shown directly within the HTML source code of the publicly accessible device home page(anyone can view this source code using a browser's view HTML source button).


SCADA systems
System Signature Shodan count Comments
Siemens building automation energy management Siemens Switzerland Ltd 449 http://www.buildingtechnologies.siemens.com
Beck IPC embedded controller IPC@CHIP 4038 For example used by Solar plant energy monitor solar-log.net,beck-ipc.com
SMA Solar remote solar plant monitoring/maintenance Sunny webbox 6675 SMA Solar Sunny webbox
Kieback&Peter Bus Module Controller BMR/0.09 85 kieback&Peter BMC. Controller for controlling,monitoring & operating HVAC systems.
Saia-Burgess Process Control Device(PCD) Saia PCD 839 saia-pcd.com,control devices for remote monitoring and machine control
Schneider Electric energy management/monitoring Schneider-WEB 197 Schneider FactoryCast system
Sciopta system software sciopta Webserver 2 System Software for Safety-Critical Embedded Applications, sciopta.com
Phoenix contact system running SpiderControl Phoenix-Contact 155 phoenixcontact.com,spidercontrol.net
Moxa industrial systems MoxaHttp 4734 moxa.com
Trihedral SCADA software "Server: VTS" 102 Trihedral VTS
Electro Industries/GaugeTech EIG Embedded Web Server 118 electroind.com
clearSCADA integrated SCADA host platform clearSCADA 13 www.clearscada.com
Delta enteliTOUCH DELTA enteliTOUCH 22 Delta entelitouch system
TAC Xentra control systems TAC/Xentra 53 Old systems,TAC now owned by Schneider Electric
Loxone home automation system Loxone 165 Home automation web control system


Links to further reading

SCADA security news and consulting, http://scadahacker.com/
SCADA security analysis, www.reversemode.com
SCADA security consulting firm, www.digitalbond.com
SCADA security consulting firm, www.tofinosecurity.com
US government ICS-CERT, www.us-cert.gov/control_systems/ics-cert
SCADA security consulting firm, www.scadahacker.com
SCADA security consulting firm, www.redtigersecurity.com

Some interesting articles on problems with Moxa systems in the Netherlands.

www.tofinosecurity.com/blog/cyber-security-nightmare-netherlands

The following are in Dutch.

webwereld.nl/nieuws/109526/zeeuwse-gemalen-te-hacken-via-scada-lek---update.html
webwereld.nl/nieuws/109565/scada-bedrijf-xylem-ontkent-kwetsbaarheden.html

Wednesday, June 13, 2012

JoongAng Ilbo cyber attack

In June 2012 the South Korean newspaper JoongAng Ilbo(중앙일보) was hit by a major cyber attack (해킹, 차원 다른 악의적 수법으로) which attempted to destroy the papers article database, editing and distribution system. News reports indicate that this attack was likely carried out by North Korean state actors and follows a threat made by North Korea earlier this year against several South Korean news outlets. In addition the attack left the following image on the paper's website joongang.co.kr
The text in yellow is a message from the hackers written using SQL and is as follows .
select count (*) from tbTarget // 1000000
select domain, d-day, method from tbTarget WHERE seqnumber = 2048 //www.joongang.co.kr, 2012-06-09, APT
select domain, d-day, method from tbTarget where seqnumber = 2049 //???.??????.???,2012 -??-19,???? < br /> select domain, d-day, method from tbTarget where seqnumber = 2050 //???.?????.???,2012 -??-29,??
select count (*) from tbHacker // 10000
select name, birthday, sex from tbHacker where age < 5 //IsOne, 2011-06-09, woman
There is a purported SQL query followed by the supposed result. This is threatening further attacks on the 19th and 29th day of an unknown month in 2012. The hacking group is calling itself "IsOne".

Tuesday, June 12, 2012

Only seven cyber attacks. The term is widely over used.


Many analysts misuse the term cyber attack, making it seem that operations better classed as espionage or vandalism are more dramatic than they really are. According to the Department of Defense, Computer Network Attack(CNA) consists of actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves(see Joint Pub 3-13). I would be even more strict that the DoD and suggest that denial of service operations have to be extremely significant for them to be classed as an attack. A bank or government website being unusable for a few days is hardly in the same class of operation as destroying information throughout an organization to cripple its operations.

I would argue that there has been only 7 publicly known cyber attacks in history and 3 of them are probably by North Korea. It is not surprising that all the attacks relate to significant real world conflicts.

June 2012, South Korean Newspaper JoongAng Ilbo
In June 2012 cyber actors linked to North Korea attempted to destroy the newspaper's article database and the editing system which moves articles through the paper's intranet. Link.

April 2012, Iranian Oil Ministry
Unknown cyber actors launched an attack against the Oil Ministry to destroy key ministry information. Link.

March 2012, Al Qaeda forums knocked offline
Unknown cyber actors disabled several major Al Qaeda online forums, the forums remained offline for many weeks. Link.

February 2012, BBC news
In early 2012 cyber actors linked to Iran launched an attack against the BBC's Persian language service, the attack seemed to be coordinated with Iranian satellite jamming efforts. Link.

April 2011, South Korean National Agricultural Co-operative Federation(NACF, Nonghyup Bank)
In April 2011 cyber actors linked to North Korea destroyed 100s of the Nonghyup Bank's internal computer servers disrupting banking services for millions of customers for over a week. Link.

March 2011, DDoS against South Korean websites
In March 2011 an advanced DDoS attack was launched against a number of South Korean websites, the computers used by the botnet which launched the attack were rendered unusable after the attack by overwriting the hard drive's Master Boot Record(MBR). Link.

2008-2010 Natanz, the Iranian centrifuge plant
According to the New York Times the US launched a cyber attack against Natanz to destroy centrifuges. Link.

Thursday, June 7, 2012