Category Archives: History

SCADA exploits released: Siemens SIMATIC

Every time I hear people tell me how it would take a nation state budget with an army of trained cyber warriors to design and infiltrate systems I wonder where they get their data from. Billy Rios has been kind enough to argue against this not only in theory but by demonstrating just how easy it was for him to find vulnerabilities in the Siemens SIMATIC system. Now he has released exploit details.

Nothing sophisticated here:

If a user changes their password to a new password that includes a special character, the password may automatically be reset to “100”. Yes, you read that correctly… if a user has any special characters in their password, it may be reset to “100”. You can read about these awesome design decisions (and many others) in the Siemens user manuals.

And again:

For those non-techies reading this… what can someone do with this non-existent bug? They can use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world… aka they can take over a control system without knowing the username or password. No need to worry though, as there are “no open issues regarding authentication bypass bugs at Siemens.”
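The password reset quoted above is a design failure rather than a clever attack: validation fails and the system falls open to a well-known value instead of rejecting the change. The following is an added illustration, not Siemens code and not part of the original post; the mechanism on the real product is not described here, so the "no special characters" rule, the salted-hash store and the sample credentials are all constructed. It places the fragile pattern beside a hardened one and adds the audit a defender would actually run: which accounts currently accept the factory value.

```python
import hashlib
import re
import secrets

# Hypothetical model of the failure mode quoted in the post: a password
# change containing a "special" character silently leaves the account set
# to the well-known value "100". The real mechanism is not described on
# the page; nothing below is Siemens code.

FACTORY_DEFAULT = "100"                      # the reset value quoted in the post
ALPHANUMERIC = re.compile(r"[A-Za-z0-9]+")   # assumed "no special characters" rule


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the store never holds plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(store: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    store[user] = (salt, _hash(password, salt))


def verify(store: dict, user: str, password: str) -> bool:
    salt, digest = store[user]
    return secrets.compare_digest(digest, _hash(password, salt))


def change_password_fragile(store: dict, user: str, old: str, new: str) -> str:
    """Vulnerable pattern: a validation failure falls back to a known default
    instead of being rejected, and the caller is told the change succeeded."""
    if not verify(store, user, old):
        return "rejected"
    if ALPHANUMERIC.fullmatch(new):
        set_password(store, user, new)
        return "changed"
    set_password(store, user, FACTORY_DEFAULT)   # fail-open: silent reset to "100"
    return "changed"                              # nothing signals the reset


def change_password_hardened(store: dict, user: str, old: str, new: str,
                             min_length: int = 12) -> str:
    """Hardened pattern: validate, reject loudly, leave the old credential in
    place on any failure, and never hold a well-known default as a fallback."""
    if not verify(store, user, old):
        return "rejected"
    if len(new) < min_length or new == FACTORY_DEFAULT:
        return "rejected"            # old password stays in effect
    set_password(store, user, new)   # any printable character is acceptable
    return "changed"


def accounts_on_default(store: dict) -> list:
    """Defender's audit: accounts that currently accept the factory value."""
    return sorted(u for u in store if verify(store, u, FACTORY_DEFAULT))


def demo() -> tuple:
    """Run the same change through both implementations (constructed sample)."""
    fragile, hardened = {}, {}
    for s in (fragile, hardened):
        set_password(s, "operator", "Plant-Floor#2011")
    change_password_fragile(fragile, "operator", "Plant-Floor#2011", "Turbine!7")
    change_password_hardened(hardened, "operator", "Plant-Floor#2011", "Turbine!7-Hall")
    return accounts_on_default(fragile), accounts_on_default(hardened)


if __name__ == "__main__":
    print(demo())   # (['operator'], [])
```

The audit function is the piece worth keeping around: a periodic check that no account verifies against the documented default catches both the silent reset and the commissioning engineer who never changed it in the first place.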

In his presentations he has pointed out that evaluation of the exploits is easy from the comfort of one’s own bedroom. In his latest post he also points to some (perhaps illegal) remote test options.

I’ve found MANY of these services listening on the Internet… in fact you can find a couple here: http://www.shodanhq.com/search?q=simatic+HMI
https://www.google.com/?#q=%22SIMATIC+HMI+Miniweb+on%22

A major tenet of my argument at the Dr. Stuxlove presentation was that we can do ourselves a serious disservice in risk management by overestimating the sophistication and talent of our adversaries. If the level of knowledge required to exploit a system is low then vendors will be under far more pressure to patch and fix.

Another interesting way of looking at this is to review the natural schism of resources in the security industry; there’s natural tension between remediation and investigation. Those monitoring for attacks may emphasize a presence of highly sophisticated adversaries because there is a direct link to their funding. If you put them into a complete risk equation and point out that vulnerabilities are easily fixed they will tell you that you just don’t understand how smart the people are that you are up against. Don’t be tempted to give them more money right away. That is the point at which you should ask them “define sophisticated”, which really means explain the details of vulnerabilities and the cost of remediation.

True security is to live a vulnerable lifestyle. When someone says driving a car safely is so sophisticated that you should spend millions on detection and investigation funds, you might be in a position to respond that wearing a seatbelt, installing airbags, brakes and suspension will work just fine for your risk management program. That is to say there is a balance of investment and overestimating the sophistication of threats may lead to less risk reduction than spending on innovation around the reduction of vulnerabilities.

Of course manufacturers first have to acknowledge that their emperor is naked — vulnerabilities are real.

For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.

Since Siemens has “no open issues regarding authentication bypass bugs”, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass.

Siemens has faced embarrassing exposure of public security issues in the past, public disclosure of easy exploits, and has released advisories so it will be interesting to watch how this episode plays out.

Billy Rios is thus doing a great service by pointing our attention to something Americans should already be very familiar with. A Siemens SIMATIC is Unsafe at any speed: there are Designed-In Dangers in critical infrastructure systems.

U.S. Authorizes Cyberoffense Defense

The FY2012 defense authorization act of December 13 included the following

Congress affirms that the Department of Defense has the
capability, and upon direction by the President may conduct
offensive operations in cyberspace to defend our Nation,
Allies and interests, subject to–
(1) the policy principles and legal regimes that the
Department follows for kinetic capabilities, including the
law of armed conflict; and
(2) the War Powers Resolution (50 U.S.C. 1541 et seq.).

It goes on to say that spying also is authorized

Military activities in cyberspace (sec. 954)
The House bill contained a provision (sec. 962) that would
clarify that the Secretary of Defense has the authority to
conduct clandestine cyberspace activities in support of
military operations pursuant to the Authorization for the Use
of Military Force (Public Law 107-40; title 50 United States
Code, section 1541 note) outside of the United States or to
defend against a cyber attack on an asset of the Department
of Defense.

And finally the War Powers Act may not be applicable

The conferees stress that, as with any use of force, the War
Powers Resolution may apply.

Oh, whoops, that says it may apply. I take that to mean force is authorized until someone objects or just notices that it should have been regulated under the War Powers Resolution. Obviously I’m not a lawyer, though.

The most interesting aspect of the development is how it could have a ripple effect to the private sector. As I wrote earlier, the Senate is talking about 2012 as the year for the government to retake a leadership role and help drive the security of unclassified, non-military computer systems.

NIST’s involvement after the Computer Security Act of 1987 was for that specific purpose so they technically aren’t forging new ground but rather back on a path started under the Reagan administration.

On the other hand this announcement that the government will invest in “offensive operations in cyberspace to defend” might just be the green light that some companies have been looking for to legitimize and subsidize their own “gray” or even “black” operations.

Is your information security department capable of a non-kinetic defense or gray cyberoffensive defense? Follow the U.S. government’s lead and you may have your team cracking servers, manipulating social networks and stealing credentials from your threats in no time, within the laws and purposes of defensive action of course (e.g. add a good lawyer to the team).

Updated to add the Preemptive Strike iPhone Theme. Don’t push that red button.

iPhone Preemptive Strike

Flow: Chapter 78, Tao Te Ching

Here is my attempt to translate one of the teachings of Laozi, from Chapter 78 of the Tao Te Ching:

天下莫 (Nothing in this world) 柔弱 (is as gentle and weak) 于水 (as water).
而 (But to) 攻坚 (defeat) 强者 (the strong)
莫 (nothing) 之能胜 (can succeed)
以其无 (if it does not) 以易之 (change).
弱之 (The weak) 胜 (overcome) 强 (strong),
柔 (as gentle) 之 (can) 胜 (overcome) 刚 (hard).

Still working on the last lines, which seem to say the above is an impractical and confusing paradox. Can’t figure out yet if they are meant to be sarcastic in tone.

天下莫不知莫能行
是以圣人云,
受国之垢是谓社稷主
受国不祥是为天下王
正言若反

Bloomberg Fear: All Has Been Lost to Chinese

Anyone remember the controversy in Europe over Americans stealing commercial secrets? I’m not talking about Budweiser, Cheddar Cheese, Parmesan Cheese, Champagne, assembly lines or the millions of other ideas ruthlessly transferred to the American market in the 1800s and 1900s without any credit or attribution to the European sources they came from. I doubt any American you ask today knows Cheddar is from a town called Cheddar, England or even knows that such a town exists. The AP framed that old problem by quoting a prominent trade expert in America.

Gary Litman, vice president for European affairs for the U.S. Chamber of Commerce, said it’s too late to rename imitation Italian products that are already firmly established. “You cannot change history that easily,” he said.
[…]
Litman said most American buyers probably don’t care whether the cheese was made in Parma. “No one thinks it’s coming from Parma. They don’t even know where Parma is. They couldn’t find it on a map.”

No, not that controversy about imitations and knowledge transfer. I actually am talking about a different one; the much more recent case as described by the BBC in 2000 as “Big brother without a cause”.

The Echelon spy system, whose existence has only recently been acknowledged by US officials, is capable of hoovering up millions of phone calls, faxes and emails a minute.

Hoovering secrets? Why would America want to do that? Surely it is only for the safety and defense of the country. They can’t possibly be using it to steal secrets about cheese.

Its owners insist the system is dedicated to intercepting messages passed between terrorists and organised criminals.

But a report published by the European Parliament in February alleges that Echelon twice helped US companies gain a commercial advantage over European firms.

[…]

Mr Campbell believes that when the Cold War ended, this under-employed intelligence apparatus was put to use for economic gain.

“There’s no safeguards, no remedies,” he said. “There’s nowhere you can go to say that they’ve been snooping on your international communications. It is a totally lawless world.”

Now that’s just crazy talk. Lawless world? Or is it…? Are there other examples of this kind of problem?

A lengthy Bloomberg article has just appeared that tries to paint the U.S. as an innocent victim of Chinese lawless behavior. I find a strikingly familiar style to the story. Note this quote, for example.

“The situation we are in now is the consequence of three decades of hands-off approach by government in the development of the Internet,” Falkenrath said.

I think he means the lawless world that Campbell warned about in 2000. Falkenrath’s quote is vague so here’s an even better quote.

“What has been happening over the course of the last five years is that China — let’s call it for what it is — has been hacking its way into every corporation it can find listed in Dun & Bradstreet,” said Richard Clarke, former special adviser on cybersecurity to U.S. President George W. Bush, at an October conference on network security. “Every corporation in the U.S., every corporation in Asia, every corporation in Germany. And using a vacuum cleaner to suck data out in terabytes and petabytes. I don’t think you can overstate the damage to this country that has already been done.”

In contrast, U.S. cyberspies go after foreign governments and foreign military and terrorist groups, Clarke said.

“We are going after things to defend ourselves against future attacks,” he said.

Well, it is not like the U.S. is going to go around saying “hey everyone, we’re stealing your secrets” even if they were. So Clarke could honestly believe what he is telling the press, but it doesn’t change the fact that the U.S. might continue denying corporate espionage while actually performing it.

Ok, I know what you’re thinking. China has spies funded with state money. That makes it different from American spies because in America the spies are unorganized and beg on the street for pennies, right? Ashcroft paying Choicepoint tens of millions (before they paid him) to collect information on companies around the world and sell it to the government, that was an exception to the rule about funding spies with state money, right?

The Chinese are said to now be going at it with a national determination not seen since…the “hoovering” by Echelon.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. U.S. investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret.

If they run that “sophisticated support infrastructure” anything like Choicepoint then all the U.S. has to do is get on the phone to China, give some random identity of a false company and offer to buy the data. Bada bing.

But seriously, the Bloomberg story starts off strong and repeats an old scary picture of a vacuum cleaner (vacuum one, vacuum two, vacuum three, vacuum four, vacuum five, etc.) sucking all the data out of America. Is it any coincidence that a company in Hong Kong acquired Hoover in 2007?

Then Bejtlich gets in a quote that changes the tone completely.

“The guys who get in first tend to be the best. If you can’t get in, the rest of the guys can’t do any work,” said Richard Bejtlich, chief security officer for Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber espionage. “We’ve seen some real skill problems with the people who are getting the data out. I guess they figure if they haven’t been caught by that point, they’ll have as many chances as they need to remove the data.”

The attackers have skill problems with their vacuum cleaner? The imagery is ruined. Who needs skill to use a vacuum? Now I see a bunch of guys running around in circles with USB drives, bumping into each other and falling down.

Such tracing is sometimes possible because of sloppiness and mistakes made by the spies, said another senior intelligence official who asked not to be named because the matter is classified. In one instance, a ranking officer in China’s People’s Liberation Army, or PLA, employed the same server used in cyberspying operations to communicate with his mistress, the intelligence official said.

Cue Benny Hill

But seriously, again, the story does have an interesting counterpoint to my point in a recent blog post. I asked why, if there is no risk of retribution and China has unlimited human resources, the U.S. military is trying to convince us that there are a small number of attackers.

Bloomberg brings up the possibility of large numbers of Chinese entrepreneurs hacking for profit.

Driving China’s spike in cyberspying is the reality that hacking is cheaper than product development, especially given China’s vast pool of hackers, said a fourth U.S. intelligence official. That pool includes members of its militia, who hack on commission, the official said. They target computing, high technology and pharmaceutical companies whose products take lots of time and money to develop, the official said.

They don’t target our food and beverage industry?

Oh, right, they probably just go to Europe to steal the original information and not American knock-offs. I’m only being half-facetious. Europe obviously has a lot of IP at risk and innovation as good or even better than in America.

We heard complaints about Americans spying on European companies in 2000. The French complained in 2005 about China and there was a fair bit of discussion in 2010 about Renault. Why don’t we hear anything now from the European security experts, or from the European Generals and politicians, similar to the arguments by the U.S.? Where is the comparable outrage about the need to retaliate and fight the Chinese spies; why hasn’t Bloomberg included targets outside the U.S.?

Although I like the WSJ treatment of the topic far better than Bloomberg, they too fail to mention the European angle let alone other areas of the world with innovation (e.g. India, who is often trading harsh words with China). The reports from Europe seem to be far more cloak and dagger, as if their computers are impenetrable.

…an unnamed French company realised too late that a sample of its patented liquid had left the building after the visit of a Chinese delegation. It turned out one of the visitors had dipped his tie into the liquid to take home a sample in order to copy it.

Well then I guess we are left to imagine a Chinese cyberarmy squad throwing up their hands in disgust. American companies all were easily penetrated with just a simple email attachment but now, unable to get through the French company’s defenses, one of the Chinese agents says “that’s it, I’m putting on a tie and going in”.

And then there is the case of Chinese students paying tuition and attending class to learn about vacuum cleaner technology from the British. What kind of elite cyberarmy agent pays tuition and actually goes to class? Those British computers must be seriously hardened to force students to attend classes. At least now we know where spies get the latest vacuuming techniques from…