WTF is Wrong with Wisconsin?

Provocative title? Although I originally am from Kansas I spent several years working and living in Wisconsin so I know the area fairly well. Remember the book called “What’s the Matter with Kansas” by Thomas Frank? It seems like he might want to publish a new edition that takes a look at the roots of the current crisis in Madison.

A movie might be an even better idea:

Consider, for example, the recent announcement of a clean water bill.

…the rules were developed after years of research and public input, including extensive stakeholder input from farmers, municipal water treatment systems, manufacturers, food processors, local governments and environmental groups. Organizations that supported passage of the rules included the Wisconsin Farm Bureau, the Dairy Business Association, the Potato and Vegetable Growers Association, the Wisconsin State Cranberry Growers Association, the Wisconsin Corn Growers Association, the Wisconsin Pork Association, the Wisconsin Cattlemen’s Association, the Municipal Environmental Group (representing local wastewater systems), Clean Wisconsin, Midwest Environmental Associates, the Wisconsin Association of Lakes, the Wisconsin River Alliance, Wisconsin Environment, and the Sierra Club.

[DNR Secretary Matt] Frank added, “We are currently working with all stakeholders on implementation guidelines as well as the design of a pollutant trading system that will lower the cost of compliance even further.”

Wow, that’s a broad base of industry and organizations who have taken a careful and long-term approach to managing risk. Frank offers this explanation for the popular support.

“Wisconsin’s lakes and rivers are the foundation for our economy, our environment and our quality of life. Stakeholder groups came together to preserve that foundation by addressing phosphorus pollution comprehensively. Under this rule, Wisconsin can look forward to cleaner beaches, more swimmable lakes, improved public health, healthier fisheries and wildlife habitat.

Cleaning up waters polluted by excessive phosphorus is crucial to protecting our $12 billion tourism economy and our $2.75 billion fishing industry. Reducing phosphorus will protect private property values and local tax base, as shown by state and national research linking higher property values with water clarity.

Ok, the quality (safety) of water is essential to the state economy. This is not just based on conjecture and theory. Milwaukee has had a host of water contamination issues from heavy metals to a catastrophic water crisis of 1993.

The massive outbreak of waterborne cryptosporidiosis in Milwaukee, Wisconsin in 1993 is an example of how contaminated water distributed through a municipal water system can lead to a major public health crisis. As a result of the Cryptosporidium contamination, an estimated 403,000 Milwaukee residents developed diarrhea reflecting an attack rate of 52% of the population with more than 4,000 requiring hospitalization. Cryptosporidiosis was listed as the underlying or contributory cause of death in 54 residents following the outbreak, severely impacting susceptible populations most at risk. An estimated 725,000 productive days were lost as a result of the water contamination event and more than $54 million in lost work time and additional expenses to residents and local government resulted from the waterborne disease outbreak.

So Wisconsin has some very real and local data on the harm from a failure to protect their water supplies, which include death and economic disaster. The 2010 Water Quality Report shows warnings for mercury and industrial contaminants for most of the state and shows how regulations have helped document, assess and reduce risk.

It all makes sense so far. Here’s the problem: Republicans in both the House and Senate of Wisconsin recently have tried to kill a bill that regulates phosphorus pollution in their water — a bill wanted by industries to protect and preserve water quality.

Believe it or not, despite the data and analysis I quote above, the Republicans argue that protecting water is too expensive a burden to the economy. They think municipal governments cannot afford the security.

But their analysis fails on two very obvious and simple points:

  1. It is far more expensive and disruptive to clean up pollution in the environment than to prevent it.
  2. The state has developed its own localized approach after careful study and time for comment and feedback. A failure to follow through will set the state up for a hasty and less palatable reaction to a disaster (e.g. 1993). A federal approach may also become necessary. An unwillingness to solve obvious health risks at the state level will not make solutions any easier or less expensive.

Perhaps the real reason they are intent on stopping state regulation is because they do not fear #2. They believe there will not be any federal investigation or regulation to prevent the next water quality crisis because of recent legal decisions, such as Rapanos vs. the United States in 2006, that block the government from testing for contamination in “non-navigable” water.

New York’s Assistant Commissioner for Water Resources James M. Tierney told The New York Times that the court decision creates a big problem. “There are whole watersheds that feed into New York’s drinking water supply that are, as of now, unprotected.” The EPA says that over 100 million Americans are drinking water that comes from unguarded sources.

That still leaves problem #1.

Perhaps the short-term blind-eye approach to contamination is best understood by looking at an obscure wetlands strategy by the new Wisconsin Governor. Government oversight for “every wetland in Brown County, both federal and nonfederal, of less than 3 acres in size” was declared “over regulation” — as if security is an impediment to business development.

Gov. Scott Walker has proposed exempting a parcel of Brown County wetlands owned by a Republican campaign donor from water quality standards.

The donor is said to seek the Governor’s assistance with relaxation of state security standards because he intends to fill in 2 acres of wetlands and build…a Bass Pro Shops store to sell fishing supplies. Really.

WTF is wrong with Wisconsin?

The Governor seems to think that ruining the security and economic base of the state by ignoring long-term damage from the contamination and destruction of resources is a good business plan. That’s like lighting your store on fire and then charging admission to watch it burn down. Not the best business strategy. You might end the day with a few more dollars in your pocket, but then what?

Applying just a tiny bit of common sense would make fishing store developers want to preserve and protect natural resources. I mean perhaps the Governor could use the same emphasis he has put into halting wind energy innovation (supposedly based on concern for the purity of the environment) and just apply it to water?

Hypervisor Anti-rootkit: Hooksafe

Microsoft and researchers at North Carolina State suggest rootkits in virtual environments can be found and removed or blocked by leveraging the hypervisor’s physical memory:

With hook indirection, HookSafe relocates protected hooks to a continuous memory space and regulates accesses to them by leveraging hardware based page-level protection. Our experimental results with nine real-world rootkits show that HookSafe is effective in defeating their hook-hijacking attempts. Our performance benchmarks show that HookSafe only adds about 6% performance overhead.

Cisco ASA 5500 IPv6 Vulnerability

Cisco has released six new security patches, including a couple for their firewall products. One (CVE-2011-0393) involves a denial of service condition when the ASA is configured to be in “transparent” mode.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

* Transparent Firewall Packet Buffer Exhaustion Vulnerability
* Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
* Routing Information Protocol (RIP) Denial of Service Vulnerability
* Unauthorized File System Access Vulnerability

Transparent mode is like a bridge so you can listen at layer 2 and above instead of layer 3 (in routed mode). This means you can leave alone the addresses on either side of the firewall and filter on non-IP (using EtherType ACLs). Administrators who want to avoid changing IP address on servers, or firewall legacy systems, are likely advocates of transparent mode. It also may make it easier than routed mode to pass multicast or the ol’ non-routable protocols: “(AppleTalk, IPX, BPDUs, and MPLS)”.

The vulnerability stems from buffer exhaustion for a newer protocol. Ah, the irony. While transparent mode is good for silently managing older protocols, apparently it falls over when IPv6 starts to show up.

The number of available packet buffers may decrease when a security appliance receives IPv6 traffic and is not configured for IPv6 operation. Administrators can check packet buffer utilization by issuing the command show blocks and inspecting the output for the number of available 1,550-byte blocks. If the number of blocks is zero (indicated by 0 in the CNT column), then the security appliance may be experiencing this issue. For example:

    ciscoasa# show blocks 
      SIZE    MAX    LOW    CNT
         0    400    360    400
         4    200    199    199
        80    400    358    400
       256   1412   1381   1412
      1550   6274      0      0
      ...

So, we all now know a convenient, albeit noisy, way to find an (unpatched) Cisco ASA 5500 hiding in transparent mode.
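For the defender side of the same advisory, here is an added example (my own code, not Cisco’s) that parses `show blocks` output and flags the symptom the advisory describes: the 1550-byte pool with a CNT of 0. The sample output is constructed to match the advisory’s example; the `warn_ratio` threshold is my own assumption for an early-warning tier.

```python
import re

# Constructed sample modelled on the advisory's example output, not a capture
# from a real appliance.
SAMPLE_SHOW_BLOCKS = """\
ciscoasa# show blocks
  SIZE    MAX    LOW    CNT
     0    400    360    400
     4    200    199    199
    80    400    358    400
   256   1412   1381   1412
  1550   6274      0      0
"""

# One row of the table: SIZE MAX LOW CNT, all integers.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text):
    """Return {block_size: {"max": .., "low": .., "cnt": ..}} from `show blocks` output.

    Header and prompt lines do not match the four-integer pattern and are skipped.
    """
    pools = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            size, mx, low, cnt = (int(x) for x in m.groups())
            pools[size] = {"max": mx, "low": low, "cnt": cnt}
    return pools


def check_buffer_exhaustion(text, size=1550, warn_ratio=0.10):
    """Classify the packet-buffer pool of the given size.

    'exhausted' : CNT is 0, the condition the advisory says indicates the issue
    'low'       : LOW water mark fell below warn_ratio * MAX (assumed threshold)
    'ok'        : pool looks healthy
    'missing'   : no row for that size in the output
    """
    pool = parse_show_blocks(text).get(size)
    if pool is None:
        return "missing"
    if pool["cnt"] == 0:
        return "exhausted"
    if pool["low"] < warn_ratio * pool["max"]:
        return "low"
    return "ok"
```

Run the check against the advisory’s own numbers and the 1550-byte row reports “exhausted”; a box that is healthy but once dipped near zero would surface as “low”, which is the state worth alerting on before the pool actually empties.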

Langner Stuxnet Interview

Cigital interviews Ralph Langner of Langner Communications

Ralph was the first to determine that Stuxnet is a directed cybersecurity attack against the kinds of Siemens control systems used to control nuclear centrifuges in Iran. Gary and Ralph discuss what’s involved in introducing the concept of cybersecurity to control systems engineers, how anti-virus vendors originally responded to the Stuxnet, as well as plenty of detailed technical info about the worm with an emphasis on its payload.

#59 MP3

There is a little of the usual “for the first time” talk from Cigital and attempts to apply complex information security models to control systems, but Langner makes excellent points about the slow pace of change in engineering and the different, simple and intended design of control systems.

Siemens PLC

The bottom line seems to be that the attack, aside from figuring out the Siemens calling conventions, was very basic. Note that at the end of the recording Cigital accuses Siemens of having no security and only just beginning their own security program. Reverse engineering of the calling conventions might be hard, but obviously that’s not the only way to figure them out…

  • “Single task real-time system” completely different from IT security. No authentication, no authorization.
  • Vulnerabilities in control systems are not bugs. They are legitimate product features, so they often cannot be patched.
  • Speculation about an attack on the SCADA database to exfiltrate intellectual property did not make sense. Raw data is useless.
  • Effect on the controller was the turning point in Langner’s investigation because “controllers is all we do. We don’t bother with Windows computers”.
  • Wireshark gave results very quickly. Easy to see infection.
  • Applied different Siemens equipment to an infected Windows system. Process of elimination to figure out which specific controller type and target configuration for Natanz.
  • Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well
  • Ladder logic loader puts code onto a Siemens controller by Ethernet or MPI or PROFIBUS, using that one DLL
  • Original Siemens DLL had symbolic information but attackers had to reverse engineer calling conventions (protected by obfuscation and believed to be insider knowledge)
  • Bad code ran simultaneously alongside Siemens code — “stealth system”
  • Very easy to insert calls at beginning of OB1 and OB35
  • OB1 main routine called when controller started (like main function but called in a loop many times per second). Stuxnet inserted at beginning of code block (inserts function calls) and makes decision to pass requests to legitimate code or intercept for 315
  • OB35 is an event handler called 10 times per second. Stuxnet inserted code at beginning of code block so it would be called 10 times per second
  • Easy to do. Controller has no checks for authenticity. No checks for code integrity. Just insert code. Works on any of millions of Siemens 7 controllers found in food and beverage, chemical plants, power plants, etc.
  • Frequency converter attacks will only work on specific models and specific installation — attack code queries how many frequency converters attached to 315
  • Reading values from frequency converter was compromised — every time a 315 function was called another function ran
  • Those who typically program controllers would just take system functions for granted. Attackers know they could be overwritten and the program would still work
  • Early mentions of Bushehr were Langner’s fault due to speculation and a layman’s understanding of strategic/natural targets of Israel. It was not a Stuxnet target despite the presence of an expensive Siemens 417 used there. In late September the data structures in the code were linked to the actual plant layout in Natanz. Symantec was wrong because they focused on the delivery system instead of the payload. Must look at the outside world and plant layout, not just do code analysis.
  • 417 used for safety (prevent disaster by monitoring thresholds), 315 used for production (produce uranium). The attack vectors were not about fooling operators, who are the last line of defense (could be at lunch or bathroom). Stuxnet attack on 417 designed to fool front-line automated safety systems that are meant to react within seconds.
  • The media did an excellent job reporting on the problem but the taxpayer-funded organizations that are required to do the same did not (e.g. DHS)
  • Problem of security education is not the engineers — it is with the CEOs