Tuesday, December 21, 2010

FCC Approves Plan to Regulate Internet

Today, this change seems harmless, but it could be the beginning of a new round of legislation and associated governmental control that could impact how we use our broadband resources.  This needs to be considered as we review current communications required for wide-area SCADA systems.
The rules would prohibit phone and cable companies from abusing their control over broadband connections to discriminate against rival content or services, such as Internet phone calls or online video, or play favorites with Web traffic.

Read more: http://www.foxnews.com/politics/2010/12/21/fcc-poised-pass-network-neutrality-rules/#ixzz18n9TuxYJ

ODVA Announces New Editions of CIP Network Specifications

The ODVA has recently released updates to their specifications for EtherNet/IP, DeviceNet, CompoNet and ControlNet technologies, and the CIP Safety extension to the EtherNet/IP and DeviceNet networks. This release provides 44 enhancements to the specifications, including the addition of "quick-connect" functionality and the CIP Safety extension to EtherNet/IP and DeviceNet.

As with most ICS protocols, there is little in terms of security, and this is no different with the ODVA protocols.  In general, ICS protocols lack appropriate authentication between data users and data owners.  Even if authentication is provided, there is little in the way of preventing session hijacking from occurring between authenticated sources due to the inability of most ICS devices to support embedded, on-board encryption (aka tunnels).  This means that a sound SCADA design needs to begin with a thoroughly documented architecture diagram highlighting various control zones and communication conduits, and then provide sufficient compensating controls within the zones and conduits to mitigate the likelihood of a successful attack.
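To make the zone-and-conduit point concrete, here is a small policy checker written for this post (it is not ODVA code and not a tool from the blog). Zones carry an assumed trust level, conduits carry the protocols they pass and the compensating controls applied to them, and the checker flags the gaps the paragraph warns about: an unauthenticated protocol entering a more-trusted zone with no encrypted tunnel, and boundary crossings with no firewall or monitoring. The trust scale, the control names ("firewall", "tunnel", "monitoring"), the protocol labels and the sample architecture are all assumptions; the ports are the registered EtherNet/IP ports (TCP 44818 explicit messaging, UDP 2222 implicit I/O).

```python
# Added example: a zone/conduit policy check (not from ODVA or this blog).
# Zone trust levels, control names and the sample conduits are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Protocols treated as carrying no authentication or encryption of their own.
# The ports are the registered EtherNet/IP ports (TCP 44818 explicit messaging,
# UDP 2222 implicit I/O); the labels themselves are our own convention.
UNAUTHENTICATED: Set[str] = {"enip-explicit/tcp/44818", "enip-io/udp/2222"}


@dataclass(frozen=True)
class Zone:
    name: str
    trust: int  # assumed scale: 0 = enterprise, 1 = DMZ, 2 = control, 3 = safety


@dataclass
class Conduit:
    src: Zone
    dst: Zone
    protocols: Set[str]
    controls: Set[str] = field(default_factory=set)  # e.g. firewall, tunnel, monitoring

    @property
    def label(self) -> str:
        return f"{self.src.name}->{self.dst.name}"


def check_conduit(c: Conduit) -> List[str]:
    """Return policy findings for one conduit; an empty list means it passes."""
    findings: List[str] = []
    crosses = c.src.trust != c.dst.trust
    unauth = sorted(c.protocols & UNAUTHENTICATED)

    # Rule 1: any conduit that crosses a zone boundary must be firewalled.
    if crosses and "firewall" not in c.controls:
        findings.append(f"{c.label}: crosses a zone boundary without a firewall")

    # Rule 2: an unauthenticated protocol entering a more-trusted zone needs a
    # compensating encrypted tunnel, because the end devices cannot provide one.
    if unauth and c.src.trust < c.dst.trust and "tunnel" not in c.controls:
        findings.append(f"{c.label}: {unauth} enters a higher-trust zone without an encrypted tunnel")

    # Rule 3: unauthenticated traffic across a boundary must be monitored so a
    # hijacked session can at least be detected.
    if unauth and crosses and "monitoring" not in c.controls:
        findings.append(f"{c.label}: {unauth} crosses a boundary without traffic monitoring")
    return findings


def audit_conduits(conduits: List[Conduit]) -> Dict[str, List[str]]:
    """Map each failing conduit label to its findings (passing conduits are omitted)."""
    result: Dict[str, List[str]] = {}
    for c in conduits:
        found = check_conduit(c)
        if found:
            result[c.label] = found
    return result


# Constructed sample architecture (not a real site).
ENTERPRISE = Zone("enterprise", 0)
DMZ = Zone("dmz", 1)
CONTROL = Zone("control", 2)

SAMPLE = [
    Conduit(ENTERPRISE, DMZ, {"https/tcp/443"}, {"firewall", "monitoring"}),
    # Historian in the DMZ polling PLCs directly: firewalled, but no tunnel and no monitoring.
    Conduit(DMZ, CONTROL, {"enip-explicit/tcp/44818"}, {"firewall"}),
    # HMI to PLC inside the control zone: same trust level, so no boundary rules apply.
    Conduit(CONTROL, CONTROL, {"enip-io/udp/2222"}),
]

if __name__ == "__main__":
    for findings in audit_conduits(SAMPLE).values():
        for line in findings:
            print(line)
```

Running it against the sample reports two findings on the DMZ-to-control conduit and nothing else; the same-zone HMI-to-PLC conduit is left to zone-level controls, which is the "controls within the zones" half of the paragraph.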

For additional information, you can view the ODVA announcement by clicking here.

Friday, December 17, 2010

Metasploit releases Framework 3.5.1

Any ethical hacker realizes the importance of the Metasploit Framework.  The features and functions available facilitate simple to advanced system exploitation, invaluable to comprehensive assessments and pen tests.  On December 15, Rapid7 released an updated Framework 3.5.1.  You can view the Release Notes by clicking here.  This update includes 47 new modules since the last point release, bringing the total to 635 exploit modules.

What is worthy of mention in a SCADA blog is the inclusion of some new control system related exploits.  Specifically addressed in 3.5.1:
  • MOXA MediaDPPlayback ActiveX Control Buffer Overflow
  • MOXA Device Manager Tool 2.1 Buffer Overflow
  • BACnet OPC Client Buffer Overflow
  • CitectSCADA/CitectFacilities ODBC Buffer Overflow
  • DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
This adds to the SCADA modules already included in previous updates, specifically the following modules, which can be used to exploit various aspects of the Stuxnet worm:
  • MS10-046: Shortcut LNK vulnerability used to install Stuxnet
  • MS10-061: Print Spooler vulnerability used to propagate and replicate Stuxnet
  • MS08-067: SMB vulnerability used to propagate and replicate Stuxnet
If you want access to the 2 other Stuxnet exploits (MS10-073 and MS10-092), consider using Immunity's CANVAS product.  These exploit modules were released October 5 (well in advance of the security patches!).

Of course, always remember to update your local Metasploit installation by running "svn update" or "msfupdate", depending on your version.

Wednesday, December 15, 2010

Final Stuxnet EoP Vulnerability Patched on Tuesday as MS10-092

It has been almost five months since Stuxnet was discovered in July of this year. However, the intricacies of this highly sophisticated worm have challenged the best minds in security research. This week on "Patch Tuesday", Microsoft released a record 17 patches to address 40 vulnerabilities. You can view the Microsoft Security Bulletin Summary for December 2010 by clicking here.

For those of you interested, the exploit code for the Task Scheduler EoP 0-day was made available on November 20. You can review this code by clicking here.

Interestingly enough, this is the third time this year that Microsoft has set a record for closing vulnerabilities on Patch Tuesday. On a year-over-year basis, Microsoft closed out 2010 issuing 106 bulletins, compared with 74 in 2009 and 78 in 2008. However, what is more interesting is that in these 106 bulletins, Microsoft has patched 261 vulnerabilities, compared to 170 in 2009. This data, as published in InformationWeek, confirms the growing trend in both the number and complexity of the exploits released (and discovered!).

Friday, December 10, 2010

Database of Industrial Cyber Security Incidents

I just obtained some hot news from AutomationWorld.com ...

"For a limited time," says a recent announcement from the non-profit organization, the SIO is offering a 25 percent discount on all new RISI memberships and membership renewals. What's more, if you sign up now, your company will also receive a newly released RISI report providing a study of more than 50 control system incidents caused by malware such as viruses, Trojans and worms.

What's RISI? It is the Repository of Industrial Security Incidents, a member-supported database of industrial control-system cyber-security incidents that is billed as the largest known database of its kind. Its purpose is to collect, investigate, analyze and share important industrial security incidents among member companies so that they can learn from the experiences of others. RISI includes accidental cyber-related incidents, as well as deliberate events that have resulted in loss of control, loss of production or a process safety incident.

Read the entire new article by clicking here.

Tuesday, December 7, 2010

Comparing Software Vulnerabilities

A key component in any control system security program is a complete analysis of all client-side applications covering not only the base operating system, but also the often necessary add-ons.  Security vulnerability management firm Secunia just announced the availability of security "factsheets".  Click here to read the press release, or click here to go directly to the factsheet site.

As always, it is important to address all client-side applications that exist on any control system node (server, HMI, historian, application/batch, etc.) and make sure that they are properly patched.  This requires a conscious look at how to manage updates outside the traditional "Windows Update" or WSUS arena.
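One way to keep that conscious look from becoming a spreadsheet exercise is to compare a per-node inventory of installed applications against a site baseline of minimum acceptable versions. The script below is an added example written for this post (it is not a Secunia tool and not code from the blog); the node names, application names, version numbers and baseline values are all constructed. It parses dotted and underscored version strings so that they compare numerically, flags anything below the baseline, and separately flags applications that are installed but absent from the baseline, since those are the add-ons nobody is tracking.

```python
# Added example: check a per-node application inventory against a patch
# baseline (not a Secunia tool or this blog's code). Node names, application
# names, versions and the baseline are all constructed for illustration.
import re
from typing import Dict, List, Optional, Tuple

# Constructed inventory: what an agent or a manual survey found on each node.
INVENTORY: Dict[str, Dict[str, str]] = {
    "HMI-01": {"Adobe Reader": "9.3.4", "Java Runtime": "1.6.0_21", "Historian Client": "4.2.0"},
    "HIST-01": {"Adobe Reader": "9.4.1", "Java Runtime": "1.6.0_23", "WinZip": "12.0"},
}

# Constructed minimum acceptable versions, the kind of values a site would
# derive from vendor advisories and factsheets. Anything installed that is
# absent here is "unmanaged": nobody is tracking its patches.
BASELINE: Dict[str, str] = {
    "Adobe Reader": "9.4.1",
    "Java Runtime": "1.6.0_22",
    "Historian Client": "4.2.0",
}

# (application, installed version, minimum version or None when unmanaged)
Finding = Tuple[str, str, Optional[str]]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.6.0_22' or '9.4.1' into a tuple that compares numerically,
    so that 10.1.10 sorts after 10.1.9 (a plain string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_node(installed: Dict[str, str]) -> List[Finding]:
    """Findings for one node, in application-name order."""
    findings: List[Finding] = []
    for app, ver in sorted(installed.items()):
        minimum = BASELINE.get(app)
        if minimum is None:
            findings.append((app, ver, None))        # installed but not tracked
        elif version_key(ver) < version_key(minimum):
            findings.append((app, ver, minimum))     # below the baseline
    return findings


def audit_inventory(inventory: Dict[str, Dict[str, str]]) -> Dict[str, List[Finding]]:
    """Return only the nodes with findings; an empty dict means every node is current."""
    result: Dict[str, List[Finding]] = {}
    for node, apps in inventory.items():
        findings = audit_node(apps)
        if findings:
            result[node] = findings
    return result


if __name__ == "__main__":
    for node, findings in audit_inventory(INVENTORY).items():
        for app, ver, minimum in findings:
            status = "UNMANAGED" if minimum is None else f"below baseline {minimum}"
            print(f"{node}: {app} {ver} ({status})")
```

The baseline is deliberately a plain mapping so it can be regenerated from whatever source the site trusts for a given application; the point is that every application on a control-system node ends up with an owner for its version, whether or not WSUS knows about it.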

Monday, December 6, 2010

Langer's "Controller Integrity Checker" for Siemens S7

This is an interesting article and product from Roger Langer that talks of a mitigation tool for post-Stuxnet malware and potential vulnerability exploits.  Read the full article by clicking here.  This continues to stress the need for a thorough review of all security risks within a facility, and the development of a comprehensive security program that offers a solid defense-in-depth strategy with three primary goals:
  • Mitigate the attack entirely, if possible, including timely detection of the attack
  • Contain the attack, and minimize the negative consequences associated with the attack
  • Provide sufficient forensic data to investigate the attack and adjust the DiD program to prevent future attacks

Thursday, December 2, 2010

November issue of Hakin9: Botnets, Malware, Spyware

Click here to view the November issue.

Hakin9 has released their November Free Issue of Hakin9 Magazine. This month the magazine has articles focused on botnets, malware and spyware.
Here is a briefing of what you can find in it:
  • A brief analysis of the cyber security threat by Julian Evans
  • Cyber State-Bullying by Matthew Jonkman
  • The Spyware Within You by Rajat Khare
  • The Ear of Sauron by John Aycock
  • dasbot: controlling IRC via bash by Israel Torres
  • Knowing VoIP Part II – Getting deeper to the settings by Winston Santos
  • TDSS botnet – full disclosure. Part II by Andrey Rassokhin and Dmitry Oleksyuk
  • Search Engine Security and Privacy – Part 2 by Rebecca Wynn