Monday, November 29, 2010

A Search Engine to Find Vulnerable Control Systems

If you have not had a chance to take a look at Shodan, I would suggest that you do so in short order.  Most hackers have been using Google Hacks for some time to find specific sites based on banner information.  As reported in a ICS-CERT Alert released on October 28 (ICS-Alert-10-301-01), independent security researchers employ the SHODAN search engine to discover Internet facing SCADA systems using potentially insecure mechanisms for authentication and authorization.  In most cases, the affected control system interfaces were designed to provide remote access for monitoring system status and/or certain asset management features. 

This again demonstrates why asset-owners need to re-evaluate and implement improved defense-in-depth strategies when providing remote access to trusted control system networks to not only prevent authorized access, but provide notification when a breach occurs and minimize the negative consequences of such a break.  I presented one such solution at the recent ICSJWG conference in Seattle (click here to view the presentation).

These vulnerable systems have been found to be readily accessible from the Internet and with tools, such as SHODAN, the resources required to identify them has been greatly reduced.  In addition to the increased risk of account brute forcing from having these systems available on the Internet, some of the identify systems continue to use default user names and passwords and/or common vendor accounts for remote access into these systems. These default/common accounts can in many cases be easily found in online documentation and/or online default password repositories, such as those presented at this site.

Monday, November 22, 2010

BackTrack 4 R2 Now Available for Download

For those involved in assessments and penetration testing, BackTrack is one of the essential tools in the box.  Offensive Security has recently released R2 with an updated kernel and several new enhancments.  You can download by clicking here.

Presentations Now Available from Fall ICSJWG Seattle Conference

The presentations from the Fall Conference of the U.S. Dept. of Homeland Security's (DHS) Industrial Control System Joint Working Group (ICSJWG) are now available by clicking here.

Friday, November 19, 2010

Cyber Security Standard Published to Protect Global Critical Infrastructure

The International Instrument Users Association (WIB), an international organization that represents global manufacturers in the industrial automation industry, announced the second version of the Process Control Domain Security Requirements For Vendors document – the first international standard that outlines a set of specific requirements focusing on cyber security best practices for suppliers of industrial automation and control systems.  View the updated standard by clicking here or viewing it from the reference links at the bottom of this page under "Recommended Reading".

Symantec Continues to Undercover the Secrets of Stuxnet

Symantec has released version 1.3 of their document entitled "W32.Stuxnet Dossier" available by clicking here, which provides additional details on how it not only targets specific controllers within the Siemens PCS7 control system (S7-315 or S7-417 CPUs with CP-342 Profibus modules), but also two specific variable frequency drives manufactured by Fararo Paya (Tehran, Iran) and Vacon (Finland).  The more that is discovered about Stuxnet, the more it demonstrates the sophistication of its developers and the targeted nature of the attack.

Monday, November 8, 2010

[Canvas] Agora 1.21. point release

1.21 point release with bugfixes and modules is available for download.
Two modules for SCADA systems and two web exploits this time.
While one SCADA module is unpatched in current official version, the
other is patchable, but we think is still usefull.

The exact list by now:
- Invensys Wonderware InFusion SCADA (and other products) Ax exploit.
- DATAC RealWin SCADA 1.06 Buffer Overflow Exploit. unpatched as of
- DNET Live-Stats 0.8 Local File Inclusion. unpatched as of 07.11.2010
- OvBB v0.16a Local File Inclusion. unpatched as of 07.11.2010

Friday, November 5, 2010

Stuxnet Under the Microsoft

By now, everyone has read the detailed report written by Symantec entitled "Win32.Stuxnet Dossier". has published an UPDATE (ver 1.2) to what appears to be an equally detailed report that takes a look at the well-crafted worm from a different perspective.  This is a document well worth reading, and can be downloaded by clicking here.

SCADA Security Certification

Are you considering a certification plan focused on the unique aspects of industrial control systems, including SCADA and DCS???  Consider the Certified SCADA Security Architect certification offered by IACRB.  I am the instructor for this course offered by InfoSec Institute.  Courses are regularly offered in Washington D.C., Chicago and Las Vegas.  Check it out.