Monthly Archives: March 2011

Security

WP Candy WordCamp Contest

Leave a comment

I can’t help but comment on the irony of the site called WP Candy. This is what I see when I load the main page:

"Fatal error: Call to undefined function mb_convert_case() in /home/gooroo/public_html/wp-content/plugins/breadcrumb-navxt/breadcrumb_navxt_admin.php on line 833"

Perhaps they were going to advertise WordCamp 2011, but instead when you load the page they toss their WordPress candy guts out into the open. Like a Piñata?

Maybe it’s a contest. Solve the error and you get a free ticket, or a speaker slot?

Hmmm, a case of the mb_convert_case? I say enable PHP multibyte character support and it should go away. Do I win?

Energy, Security

SCADA Exploits Roam Free

Leave a comment

It looks like Luigi Auriemma did only a quick check of SCADA systems before he came up with a giant list of flaws. He has decided to post his initial findings to Bugtraq:

The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment.

He points out in his post that he did not know anything about SCADA systems before the tests. Obviously that did not stop him from quickly finding many weaknesses.

Full-disclosure advisories and proof-of-concepts:
Siemens Tecnomatix FactoryLink:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
[…]

Open up factorylink_2-adv.txt and you will see the vulnerability levels can be very high — remote exploit.

CSService is a Windows service listening on port 7580.

All the file operations used by the service (opcodes 6, 8 and 10) allow to specify arbitrary files and directories (absolute paths) and it’s possible for an attacker to download any remote file on the server. Obviously it’s possible also to specify directory traversal paths.

First, to be fair, SCADA systems are often intended to live in a different world than other systems — single-user, single-role, etc. There may be a defense-in-depth or compensating control design to be considered that encapsulates a SCADA system. Langner talks about this some in his interview on Stuxnet. An unprotected CSService thus may have been built that way by design, to do one thing and do it well.

Second, I have found that critical infrastructure management can be dominated by a culture of data analysis. Staff are often told to punch holes into closed systems and environments to mine details needed for calculations. It can feel more like a financial firm trying to make real-time investment decisions than an engineering operation. Closed environments are under pressure to be opened in order for spreadsheets to run.

Third, the financially-focused managers boast about their speculation and risk-management skills. Yet they seem to rely more on faith than data analysis when it comes to risk relative to security controls. They raise defense-in-depth as a theory sufficient on its own instead of as a measured and managed practice to deploy controls more thoroughly. That usually means when you find a vulnerability like factorylink_2-adv someone will always emphasize my first point above and say “I believe that’s handled elsewhere.”

Putting the three above points together, the worlds of IT and SCADA are not nearly as separate and distinct as many want to believe. They must be managed to reflect this convergence or there is a risk of leaving gaps for attackers to exploit. Even worse, the depth of defense can go unmeasured and leave basic systems unprotected in environments exposed to high-risk multi-user threats.

That’s why Auriemma’s list should be taken seriously. Vendors need to secure their products, or at the very least test them for hostile scenarios and provide security warnings/guidance. The demand, however, really has to come from SCADA application consumers. I suspect that these full-disclosure vulnerability announcements will help improve the industry’s risk calculations — prove the value of paying for better security from the SCADA vendors. On the other hand, if management still does not get it, then regulations will probably have to tighten.

Security

SERE Expert Blasts Bush Torture Program

Leave a comment

Truthout has posted an interview with retired Air Force Capt. Michael Kearns. Kearns is a “‘master’ SERE [Survival Evasion Resistance Escape] instructor and decorated veteran who has previously held high-ranking positions within the Air Force Headquarters Staff and Department of Defense (DoD).”

He said he decided to come forward because he is outraged that [Dr. John Bruce Jessen, the psychologist who was under contract to the CIA,] used their work to help design the Bush administration’s torture program.

“I think it’s about time for SERE to come out from behind the veil of secrecy if we are to progress as a moral nation of laws,” Kearns said during a wide-ranging interview with Truthout. “To take this survival training program and turn it into some form of nationally sanctioned, purposeful program for the extraction of information, or to apply exploitation, is in total contradiction to human morality, and defies basic logic. When I first learned about interrogation, at basic intelligence training school, I read about Hans Scharff, a Nazi interrogator who later wrote an article for Argosy Magazine titled ‘Without Torture.’ That’s what I was taught – torture doesn’t work.”

What stands out in Jessen’s notes is that he believed torture was often used to produce false confessions.

Poetry, Security

Telephone-based Payment Card Data PCI Guidelines

2 Comments

The Security Standards Council (SSC) has released an information supplement on telephone-based payment card data. This is an update to PCI SSC FAQ 5362.

It now is clear that controls must be in place to clean and protect audio recordings; they violate PCI compliance if they store sensitive authentication data (SAD).

It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted. It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

The last sentence is the big clue. Known query tools pose a clear and present threat to SAD in audio files. The point of this supplement is to emphasize that the data needs to be protected due to the ease of querying and reading it. The controls must be documented and validated as usual.

The supplement provides a decision process flow to help illustrate different control areas. Even if no calls are recorded, for example, “Processing and transmission of cardholder data remain in scope for PCI DSS”.

One area of ambiguity remains.

Note the end of the sentence above where the Council says storage is prohibited “if that data can be queried”. Despite SAD media storage being prohibited there are some particular situations of storage — with additional controls — that may be allowed.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

A call center, which can validate recordings can not be data-mined, thus may be allowed to store SAD. However, at the same time the supplement says they are prohibited from storing SAD.

Pay particular attention to sensitive authentication data: Storage is not permitted.

All clear?

I wonder if the PCI Council has the humor to start a campaign called “SAD is bad. Get rid of it and be glad”. They could even distribute it as a song, in an audio file.