Wednesday, November 5, 2014

New threats, Old vectors



In the last few weeks I have been giving presentations at different cyber security events, in different cities and to different audiences, but there is always one question in common:

- "Can you tell us about the new threats?"

My response is always the same:

- "Don't you have enough with the old ones?"

I understand people are worried about all the cyber espionage, cyber crime and cyber attack campaigns, but at the end of the day everything remains the same: "Nobody reads the F#@ Manual".

When talking about Dragonfly we have been dealing with old attack vectors:
  • Phishing
  • Compromising vulnerable web sites
Nothing new in these attacks. Nothing a good awareness policy can't stop. Nothing a basic OWASP compliance test cannot detect. And nothing has been done in those organizations in recent years to improve their security posture.

At the last ENISE congress (the 8th edition), a representative from the NATO Security Network Area described the top attacks NATO was registering, and surprisingly they were: phishing and DDoS.
Maybe the malware associated with the phishing campaigns is more sophisticated (in the second round), but there must always be someone who opens the attachment or clicks the link to activate the malware.

Why don't we stop the old attack vectors before moving on to defenses against the new threats?

Thursday, October 2, 2014

Spanish Smart Meters at risk?

I love Paella, but not in these terms:

"We will talk about a device that is present in all houses, a smart power meter. This model is being installed in all houses and buildings, and it's already present in 65% of the "paella" country."



Alberto Garcia Illera and Javier Vazquez Vidal are going to scare one big Spanish electric company with their presentation and their findings:

  • Each device stores the same pair of symmetric AES-128 encryption keys.
  • With the encryption keys in hand, an attacker could easily sniff the data or inject his own commands into one device or many.
  • It is simple to spoof the identifier code of each device.
  • The lights can be turned off and on remotely.
  • The power consumption of a house can be read.

Who could ask for more? Availability, integrity and confidentiality broken in one move.
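The first two findings are really one design mistake: one secret shared by the whole fleet. The following is an added illustration, not the researchers' code and not the real meter protocol; it uses HMAC-SHA256 from the Python standard library as the message authenticator instead of AES so that it runs without extra packages, and the meter IDs, master key, command and function names are all made up. It shows why dumping the key material from a single meter is enough to command every other meter when the key is fleet-wide, and why a per-device key derived from a master key held at the head-end does not have that property.

```python
"""Fleet-wide shared key vs. per-device derived keys (added illustration).

Not the real meter protocol: HMAC-SHA256 stands in for the AES-128 pair so
the example is stdlib-only. All keys, IDs and commands are constructed.
"""
import hashlib
import hmac
import os

# --- weak design: the same secret is burned into every meter ----------------
FLEET_KEY = b"same-key-in-every-meter"          # constructed fleet-wide secret

def fleet_tag(meter_id: str, command: bytes) -> bytes:
    """Authenticate a command with the key shared by the whole fleet."""
    return hmac.new(FLEET_KEY, meter_id.encode() + b"|" + command,
                    hashlib.sha256).digest()

def fleet_verify(meter_id: str, command: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(fleet_tag(meter_id, command), tag)

# --- stronger design: each meter gets its own key derived from a master -----
MASTER_KEY = os.urandom(32)   # lives only in the utility head-end (constructed)

def device_key(master: bytes, meter_id: str) -> bytes:
    """KDF(master, id): a key pulled out of meter A tells you nothing about
    meter B's key, so spoofing B's identifier buys the attacker nothing."""
    return hmac.new(master, b"meter-key|" + meter_id.encode(),
                    hashlib.sha256).digest()

def device_tag(key: bytes, meter_id: str, command: bytes) -> bytes:
    return hmac.new(key, meter_id.encode() + b"|" + command,
                    hashlib.sha256).digest()

def device_verify(master: bytes, meter_id: str, command: bytes, tag: bytes) -> bool:
    expected = device_tag(device_key(master, meter_id), meter_id, command)
    return hmac.compare_digest(expected, tag)

def attacker_with_one_meters_secrets():
    """The attacker physically dumps meter 'A', learns its key material, and
    tries to switch off meter 'B' by spoofing B's identifier.
    Returns (forgery_accepted_fleet_design, forgery_accepted_device_design)."""
    cmd = b"RELAY_OFF"
    # Fleet design: the key from A *is* the key for B, so the forgery verifies.
    forged = fleet_tag("B", cmd)                       # attacker holds FLEET_KEY
    fleet_accepted = fleet_verify("B", cmd, forged)
    # Per-device design: attacker only holds key_A and must use it for B.
    key_a = device_key(MASTER_KEY, "A")
    forged_b = device_tag(key_a, "B", cmd)
    device_accepted = device_verify(MASTER_KEY, "B", cmd, forged_b)
    return fleet_accepted, device_accepted

if __name__ == "__main__":
    print(attacker_with_one_meters_secrets())          # (True, False)
```

The derivation shown is the minimum; in a real deployment the derived key would also be rotated and the frame would carry a counter or nonce so a sniffed command cannot simply be replayed, which a static tag like the one above does not prevent.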


Once again, a small team with not too many resources defeats a huge company's security organization.
What are we doing wrong? Are we reading the F... Manual in every project we start? I don't think so.
If we took a serious approach to security when designing architectures and solutions, we wouldn't find these kinds of things later.

In Madrid we still remember the BiciMad penis video shown on the rental kiosks for a whole weekend:





Both incidents have the same root causes: lack of a deep risk analysis and of strong security requirements in the design phase.

Time for a Paella.


Sunday, September 21, 2014

ICS SCADA Mobile: BYOD (Bring Your Own Disaster) to your control network

I have to confess I'm an "Apple fanboy". I use my iPad every day to browse news, Twitter, cyber security blogs, etc.
Some days ago I was browsing exploit-db.com, as I usually do when working on IT security projects. One of the first exploits I saw was related to an iPad application for transferring content over WiFi (Air Transfer from Darinshoft).



When I saw the description I couldn't believe it could be so easy and so dangerous, so I downloaded and installed the app on my iPad. I tried the exploit from my MacBook and..... Bingo!!
I could crash the application and get at its contents, even though access to the web interface was password protected.
(The exploit was published on August 19th and the application is still not patched.)

All that made me think about the mobile apps used to connect to SCADA systems and the IoT solutions the big automation companies are designing.
Then I remembered a nice article by Eric Byres describing the software quality problem ICS have to face on a daily basis:

"Academic research tells us that most commercial software contains 3 - 10 defects for every thousand lines of code (KLOC), and that 1% to 5% of these result in vulnerabilities. That works out to between 0.03 and 0.5 vulnerabilities per KLOC."

Translating those figures to the Apple App Store (September 2014), we could find the following:


So even assuming the smallest app size and the lowest vulnerability rate, we are talking about millions of vulnerabilities in the Apple mobile app world alone.
If we do the same with Google Play, the result could roughly double.

We need to go back to basics and define security requirements from the very beginning of every app development (server, desktop or mobile), and be very cautious about putting these fancy iPad apps into ICS. Even if your CEO is asking for the same solution he saw at his last meeting with other colleagues.





Thursday, September 11, 2014

Who the hell are you trusting on your Cyber Security Team?

Recently I found a paper published by a center that depends on the US Department of Homeland Security:


In this paper they warn about the insider threat and give some clues for detecting strange behavior among your own personnel:


It was very impressive: 100% of my cyber security consultants match these indicators!!!!!

Now I am looking for good cyber security engineers who never access networks at odd times, only work 8 hours on working days, never answer the cell phone when out of the office or on holiday, never read classified material, never show any interest in anything outside their perimeter and, most important, never enjoy a good beer after a long day of tapping, sniffing, tag classification and graph creation!!!!

Surprisingly, I am not finding any candidates!!!! Do you know why?

(You can find the whole paper here.)

Wednesday, September 10, 2014

"Close the Door Campaign" is becoming popular

Surprisingly, today I found this tweet from 



We are Top 10!!!
I will continue the campaign until every Spanish ICS open port disappears from the map!!!

Thursday, September 4, 2014

The Dragonfly campaign hangover in Spain (II)

I know Internet-exposed ICS ports were not the Dragonfly attack vectors but, in my opinion, leaving them open is not good practice. There are a lot of open source and commercial solutions for accessing your industrial control devices over the Internet in a secure and controlled way.

So, what were the results? .....



In this table you can see that the number of devices with these four ICS protocol ports open grew over the period.
On the other hand, the percentage of Spanish open-port devices relative to the worldwide total grew for the ICCP and Modbus TCP protocols, but decreased for EthernetIP and BACnet.

The summary data for the period is the following:
  • Total open ports worldwide
  • Total open ports in Spain
  • Percentage of Spanish devices over worldwide devices



Some findings:
  • Bearing in mind that the Spanish gross domestic product in 2013 was just 1.83% of worldwide GDP, every protocol percentage is above that (sometimes 3 or 4 times above).
  • Although the growth over the period is not big, it is a trend just one month after a serious incident affecting industrial control system organizations. Is our cyber security awareness growing in Spain? (I don't think so.)
  • Most of the systems recorded by Shodan were installed in critical sectors (as the banners showed).
Some easy advice:
  • Shodan yourself!!!! (It's free and easy.)
  • Ask your ICS provider for a secure remote access solution if you really need it.
  • Read this blog periodically. (It's free as well.)




The Dragonfly campaign hangover in Spain

Living in Spain and working in the critical infrastructure protection sector is a risky business.
In July I was very busy trying to find out what the real impact of Dragonfly was in Spain and writing some articles to raise cyber security awareness in Spanish utility companies.



It seems that after being "World Champions" in infections, companies should have taken some basic countermeasures. (Maybe the simplest one would be an external black-box audit to check the external visibility of the company's infrastructure and services.)

But after twenty years trying to improve our security level, and knowing how things tend to be managed here, I decided to try a little experiment.

From August 14th until today I have been running some Shodan searches once a day to collect the worldwide and Spanish number of Internet-exposed open ports for the most famous industrial control protocols:

  • ICCP/S7 (102 TCP)
  • Modbus (502 TCP)
  • EthernetIP (44818 TCP)
  • BACnet (47808 UDP)

My bet was that the situation would improve in the weeks to come, but if you want to know what the results were, stay tuned for my next post.