Category Archives: Security

Siemens Security Advisory (SSA-625789)

The Siemens CERT has posted a formal response to two vulnerabilities rated CVSS 7 in the SIMATIC S7-1200 CPU:

  1. Replay attack. An attacker can sniff the traffic and then send it again to issue a command to the same controller.
  2. Denial of service for Firmware Version 02.00.02. Scanning the communication interface causes it to stop.


Workarounds, until the firmware is updated, are to disable unnecessary services and segment the network.

As a temporary measure, it is recommended to disable the web server. The ability to disable the web server is available in TIA Portal Version 11. In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap.

Who Should be Responsible for Software Security?

Here’s a strange paper from The Tenth Workshop on Economics of Information Security (WEIS 2011). It’s called “Who Should be Responsible for Software Security?”

I think their definition of zero-day is very lacking, to begin with:

A zero-day attack is defined as “an exploit, worm or a virus capable of crippling global web infrastructure either prior to, or within hours of, a public announcement of a computer system vulnerability” (McBride 2005).

Their definition is from a Computerworld article in 2005 by Siobhan McBride. Here is the part they cut off from the beginning of the original sentence:

While definitions of a zero day attack vary, it is generally considered to be…

Generally considered? In 2005? There is nothing to support the definition; no reference or study cited.

Public announcement and global severity seem to be the key factors in the McBride general definition. Reversing it shows how it fails a common sense test:

If an attack does not cripple global web infrastructure prior to, or within hours of, a public announcement can it still be a zero-day?

Stuxnet would be one obvious attack that many call a zero-day, which fails the definition.

I would rather see (as I said at the last BaySec meeting) a zero-day definition more in line with how other industries and risk areas, such as healthcare and energy, treat events of severe and unknown impact. Such an event is characterised by the extended resources that must be directed at figuring out what is happening, because existing controls are ineffective and new ones have to be developed to detect and prevent it.

But I’ll go along with their definition for the sake of argument. There are other parts of the paper I find troubling.

Take this analysis of software security standards, for example:

…when zero-day attacks are more common events, the social benefits with security investment regulation become depressed. Since the risk associated with this type of attack cannot be shed by proper patch maintenance, it tends to get managed by significant reductions in usage which serve to control the network externalities. When usage is generally low, the social impact of security investment becomes marginalized

This is based on a strange assumption. They define zero-day attacks as something that lacks a patch. They define security investments as…I’m not sure. I could not find their definition, but it seems to be limited to a patch. No wonder, then, they conclude that investing in a patch becomes “depressed” for events that are not affected by a patch.

Their paper seems to boil down to a false argument known as a tautology.

Moving their argument to another risk scenario illustrates why this is wrong. Investing in security for dams, such as checking for causes of failure, will affect the ability of the dam to withstand floods and pressure never seen before. Should regulators require investment in security practices for building dams or should they say patches on dams do not prevent failure, therefore no incentive exists for investment?

Investing in patches for a poorly designed product is just one control option. It is not clear why the authors fixate on it as the only option for investment. It’s obvious that patches are not a good investment once the water is running over the top of a dam, but investing in dam designs that can be more resilient to flooding (i.e. spillways)…that’s a sound investment.

It’s a long and detailed paper that reads as well written, except for their ongoing dance around a tautology of patches.

They do not diminish the argument that security investments can be far more potent than patches, and regulators can increase the quality of products by making vendors responsible for poor design practices. It still stands to reason that regulators can have an impact on quality, which will help reduce the frequency of so-called zero-day flaws (e.g. the long tail of SMB and CVE-2011-0654).

Pentagon Officially Recognizes Energy as Security Issue

The US military has finally addressed energy risks in its planning, as explained by Federal News Radio:

The Pentagon sent its first-ever operational energy strategy to Congress Tuesday, laying out the military’s intent to begin treating energy as a critical military capability.

The goal is to stop focusing on energy as merely a market commodity that must be purchased in order to sustain the department’s various missions.

Defense leaders think that change in thought processes could ultimately reduce the military’s demand for petroleum and promote the development of energy alternatives, with the Pentagon as a new leader in the market.

This marks a huge shift in American policy from the Bush Administration; the government’s investment in the current wars could soon spur much faster innovation in energy efficiency and reduced civilian dependency on oil.

The Last Mountain

The official selection of the 2011 Sundance Film Festival is now open in select cities. It will only play for a few days.

The Last Mountain documents the effects of coal companies on the environment, health and jobs in America.

  • Almost half of the electricity produced in the U.S. comes from the burning of coal.
  • In the last decade the coal mining industry spent more than $86 million, the railroad industry spent $350 million, and coal burning electric utilities spent more than $1 billion on political campaigns and lobbying.
  • Each year emissions from coal-fired power plants contribute to more than 10 million asthma attacks, brain damage in up to 600,000 newborn children, and 43,000 premature deaths.
  • The health and environmental costs associated with mining, transporting and burning coal, as reported by a new Harvard Medical School study, are estimated to be $345 billion annually – or more than 17¢ per kilowatt hour. These costs are often referred to as “externalities” since they are costs borne by the public which are not reflected in the price of coal-fired electricity.
  • Per the Harvard Medical School report noted above, the cost of coal electricity goes up by approximately 17¢ per kilowatt hour, totaling 23.1¢ – or nearly three times that of wind – if you include the following costs borne by the public: Air Pollution Illnesses, Mercury Poisoning, Health Damages from Carcinogens, Public Health Cost to Appalachia, Climate Change Impact.

Wow, coal costs triple when you account for impact on health? And it’s linked to criminal activity?

Over the past 10 years they’ve destroyed 1.4 million acres illegally. They’ve flattened 500 of the biggest mountains in West Virginia. They’ve illegally buried 2,200 miles of rivers and streams. They detonate the equivalent explosive power every week of the Hiroshima bomb, just in West Virginia.

The data being compiled brings to mind the movement that eliminated coal in London, England.

That city used to think that it had a naturally heavy fog, until they realised that it was a toxic cloud from burning coal. Change really came only after catastrophe, like the deadly winter of 1873:

London is famous for its smoky, dirty skies and “pea-soup” nights wrapped in heavy fog. For many, the fog provides a romantic setting for mystery and intrigue, but even Sir Arthur Conan Doyle’s famous character, Dr. Watson, describes the fog as a “greasy, heavy brown swirl…condensing in oily drops upon the window panes.” During this winter, the fog lasted from November to February. In the week following the worst of it, deaths rose 75%.

Then there was the deadly winter of 1952:

…a toxic mix of dense fog and sooty black coal smoke killed thousands of Londoners in four days. It remains the deadliest environmental episode in recorded history.

The so-called killer fog is not an especially well-remembered event, even though it changed the way the world looks at pollution. Before the incident, people in cities tended to accept pollution as a part of life. Afterward, more and more, they fought to limit the poisonous side effects of the industrial age.

[…]

Everyone in London walked blind for the next four days. By the time the smog blew off on Tuesday Dec. 9, thousands of Londoners were dead, and thousands more were about to die. Those who had survived no longer spoke of London’s romantic pea-soup fog.

Killer Coal in London

The effect of coal on London was captured by artists and writers of the time. Their work has become a reference point that still shows up today when discussing pollution, as found in a recent article by the New York Times:

There is a Dickensian feel to much of the region. Roads are covered in coal tar; houses are coated with soot; miners, their faces smeared almost entirely black, haul carts full of coal rocks; the air is thick with the smell of burning coal.

There are growing concerns about the impact of this coal boom on the environment. The Asian Development Bank says it is financing pollution control programs in Shanxi because the number of people suffering from lung cancer and other respiratory diseases in the province has soared over the past 20 years.

The difference in America clearly (pun not intended) seems to be that killer coal effects are being spread out over rural communities (the last mountains, lakes, streams) instead of cities and so it is hidden — taking much longer to be accounted for and traced to human decision.

Obvious lessons from history, such as Dickensian London or even a more recent Kathmandu, apparently are not enough to motivate the US to properly regulate coal, reduce harm and seek less costly (e.g. cleaner) alternatives.

“You won’t believe that this is America….and now it’s what we imagine Hell to be.” — Emmylou Harris