Philosophically Secure

Eugene Kogan’s blog on all things relevant, especially information security

Archive for March, 2007

Feel like hacking your local water supply?

I can’t believe there hasn’t been more of a focus on SCADA security. This is the software that controls our truly critical infrastructure, like water supply systems, gas and oil pipelines, the electric grid, and so on. An attack on these systems will do more than bring down a website, preventing you from buying that new pair of shoes. It could potentially do serious damage, with immediate consequences affecting thousands of people.

From SecurityFocus, January, 2002:

“U.S. law enforcement and intelligence agencies have received indications that Al-Qaida members have sought information on Supervisory Control And Data Acquisition (SCADA) systems available on multiple SCADA-related Web sites,” reads the bulletin. “They specifically sought information on water supply and wastewater management practices in the U.S. and abroad.”

That’s what makes these recent discoveries of remotely exploitable vulnerabilities in OPC (a standard used to control many SCADA systems) inexcusable. A company called Neutralbit has published five vulnerabilities in various implementations of OPC, and there are no doubt many more to come.

While I’m no SCADA or OPC expert, perhaps we need a few more people who are experts to focus on the security of their systems. I believe they have some catching up to do… the “Technical Overview of OPC” that I found online is from 1998.

Update: A recent article from Dark Reading discusses the issue of SCADA security.


Malware analysis of Gozi Trojan

This is an interesting and detailed analysis, done by SecureWorks, of a previously unknown piece of malware called Trojan.Gozi. It infected Windows XP SP2 machines and stole the user’s login credentials to online accounts, such as banking websites. The trojan has a clever way of grabbing the login and password data by monitoring HTTP POSTs, even when they use SSL. It does this by inserting itself as a shim between Internet Explorer and the network socket used to send the data, thereby accessing it before SSL encryption happens. Of course, everything is shipped back to the attacker’s server in Russia, and rootkit techniques are used to hide its presence.

See the website for all the gory details, including dynamic and static analysis using a debugger.


Amazon.com bug

Chris Shiflett has posted about a very interesting cross-site request forgery (CSRF) discovery using Amazon.com. Basically it’s a way of getting the user’s browser to make a particular HTTP GET request without the user knowing. The trick is that this particular request has more significant consequences than just retrieving data, like a GET request normally does. It takes advantage of the victim site’s trust of the user making the request, usually because he was previously logged in.

For example, when you log in to Amazon, it keeps track of a cookie to easily identify you later. That’s how you get the friendly greeting on the front page. Of course, to purchase anything or perform any account maintenance tasks, you have to re-authenticate with your password.

The CSRF attack that Chris discovered allows a malicious website to add items to your Amazon shopping cart without your knowledge. I’ve put an example on my site, just to demonstrate it. Don’t worry, it won’t actually buy anything, but you should be careful to remove the item from your cart - assuming you don’t really want to buy Ubuntu Unleashed.
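
The weak pattern described above next to a hardened handler, as an added example that is not code from the original post or from Amazon. The session store, request objects and function names are all constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory session store: cookie value -> session state.
const sessions = new Map();

function login(user) {
  const sid = crypto.randomBytes(16).toString('hex');
  // The CSRF token lives in the session and is embedded in the site's own
  // forms. It is never a cookie, so the browser does not attach it by itself.
  const csrfToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sid, { user, cart: [], csrfToken });
  return sid;
}

function tokensMatch(a, b) {
  const x = Buffer.from(String(a ?? ''));
  const y = Buffer.from(String(b ?? ''));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Weak: a GET changes state, and the cookie alone authorizes it.
function addToCartWeak(req) {
  const s = sessions.get(req.cookies.sid);
  if (!s) return 401;
  s.cart.push(req.query.item);
  return 200;
}

// Hardened: state changes require POST plus the per-session token.
function addToCartHardened(req) {
  const s = sessions.get(req.cookies.sid);
  if (!s) return 401;
  if (req.method !== 'POST') return 405;
  if (!tokensMatch(req.body && req.body.csrf, s.csrfToken)) return 403;
  s.cart.push(req.body.item);
  return 200;
}

// Constructed requests: two as the browser would send them when another site
// triggers the request (cookie attached, no token), one from the site's own form.
function demo() {
  const sid = login('alice');
  const s = sessions.get(sid);
  const forgedGet = { method: 'GET', cookies: { sid }, query: { item: 'book-1' } };
  const forgedPost = { method: 'POST', cookies: { sid }, body: { item: 'book-1' } };
  const ownForm = { method: 'POST', cookies: { sid }, body: { item: 'book-2', csrf: s.csrfToken } };
  const weakGet = addToCartWeak(forgedGet);
  const cartAfterWeak = [...s.cart];
  s.cart.length = 0; // reset before exercising the hardened handler
  return { weakGet, cartAfterWeak, hardenedGet: addToCartHardened(forgedGet),
    forgedPost: addToCartHardened(forgedPost), ownForm: addToCartHardened(ownForm), cart: s.cart };
}
```
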


Apple’s less than perfect security - shocking

How many times have I heard Mac users say that there are no viruses for Macs, that they don’t need to worry about security like their Windows counterparts? As anyone who has taken Security 101 can tell you, that’s just not true. There is no perfect, flawless operating system without any security vulnerabilities. If you still don’t believe that, check out the OS X patch Apple released this week. It contains several security-related fixes, including updates to the kernel, third-party software, and Apple proprietary software. Basically, that’s all aspects of the operating system.

Several of the bugs allow for local user privilege escalation to root, as well as remote denial of service. Those are pretty serious issues, just like the ones all other operating systems have to deal with. I would love for the Mac platform to remain trouble-free for users, but they still need to realize that security is something to think about.


Interview with Vint Cerf

This short interview with Vint Cerf, by Dark Reading, gives an inside look at Vint’s daily life. He talks a lot about his role at Google, as well as his many other responsibilities. I’m always amazed at how someone can be actively and productively involved in several organizations, all at once. He also mentions some of his personal hobbies and aspirations beyond work, as well as his opinion on improving Internet security. For example, the one person Vint says he would love to meet is Richard Dawkins. That alone should give you some insight into his beliefs.

