Sunday, November 16, 2014

Chinese Spies are retiring: Spanish Waste & Drinking Water services don't need them

Industrial Control engineers do their work for them

The Critical Infrastructure protection law is being rolled out in Spain and new essential sectors will be covered this year. One of those sectors is Water, and I have begun to study that sector in depth.
My first findings are amazing and I will talk about them in my next posts.

This week I will show you how things have changed with social networks in the last few years. Nowadays everyone seems to seek celebrity through a social network presence: Facebook, Twitter, LinkedIn and any other platform that lets you show the entire world how cool you are. (By the way, you might think this is what I am doing, but this is just Cyber Work).

Doing some Internet spidering on waste water plants around Spain I have found some "funny" stuff.
On one SCADA control engineer's personal blog I found his complete CV describing all the projects he has worked on throughout his career. That is not bad in itself, but when it includes a detailed description of the plant's SCADA systems it gets worse....

The information you can find there is:
  • Plant name and location
  • Description of the automation elements:
    • Redundant SCADA application systems (Schneider Electric Monitor Pro)
    • 3 Telemecanique Unity devices (Modicon PLCs)
    • Another PLC controlling the motors
    • Ethernet interconnection between them and a Modbus gateway
    • Interconnection diagram
    • Advantys I/O modules

I am sure you can find many plants that are worse documented than this one!!!!

Awareness is something we have to improve in the coming months if we want a better security level in our critical infrastructure.

In the meantime, no Chinese spies required ......

Wednesday, November 5, 2014

New threats, Old vectors



In the last few weeks I have been giving presentations at different Cyber Security events in different cities and to different audiences, but there is always one question common to all of them:

- "Can you tell us about the new threats?"

My response is always the same:

- "Don't you have enough with the old ones?"

I understand people can be worried about all the Cyber espionage, Cyber Crime and Cyber attack campaigns, but at the end of the day everything remains the same: "Nobody reads the F#@ Manual".

When talking about Dragonfly we have been dealing with old attack vectors:
  • Phishing
  • Compromising vulnerable web sites
Nothing new in these attacks. Nothing a good awareness policy can't stop. Nothing a basic OWASP-style web security test could not detect. And nothing has been done in those organizations in recent years to improve their security posture.

At the last (8th) ENISE congress, a representative of the NATO Security Network Area described the top attacks NATO was registering, and surprisingly they were: phishing and DDoS.
Maybe the malware associated with the phishing campaigns is more sophisticated (in the second round), but there must always be someone who clicks the attachment or the link to activate the malware.

Why don't we stop the old attack vectors before moving on to defenses against the new threats?

Thursday, October 2, 2014

Spanish Smart Meters under risk?

I love Paella, but not in these terms:

"We will talk about a device that is present in all houses, a smart power meter. This model is being installed in all houses and buildings, and it's already present in the 65% of the "paella" country."



Alberto Garcia Illera and Javier Vazquez Vidal are going to scare a big Spanish electric company with their presentation and their findings:

  • Every device stores the same pair of symmetric AES-128 encryption keys
  • With the encryption keys in hand, an attacker can easily sniff the data or inject his own commands into one device or many
  • It is simple to spoof the identifier code of each device
  • Turn the lights off and on remotely
  • Know the power consumption of a house

Who could ask for more? Availability, integrity and confidentiality broken in one move.
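The root of the findings above is key scope: a key baked into every meter is a key every attacker has once one meter is opened. The following is an added example (my own illustration, not the researchers' proof of concept nor the utility's design) of the standard fix, per-device key diversification: each meter's key is derived from a master key that lives only at the head end, so a key dumped from meter A proves nothing about meter B. Python's standard library has no AES, so authenticity is shown with HMAC-SHA256 tags rather than an authenticated AES mode; the frame layout (4-byte meter id, 4-byte counter, 1-byte command, 16-byte tag), the meter ids and the keys are all hypothetical and constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16           # truncated HMAC-SHA256 tag
CMD_DISCONNECT = 0x01  # hypothetical "open the relay" command (the lights go off)


def derive_meter_key(master_key, meter_id):
    """Key diversification: K_meter = HMAC-SHA256(K_master, "meter-key" || meter_id).
    Only the head end holds K_master; each meter is provisioned with its own K_meter."""
    return hmac.new(master_key, b"meter-key" + meter_id, hashlib.sha256).digest()


def build_command(key, meter_id, counter, command):
    """Command frame: meter_id || counter || command || tag (constructed layout)."""
    body = meter_id + struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Meter:
    """A meter that accepts a command only if the tag verifies under its own key
    and the counter is fresh (anti-replay)."""

    def __init__(self, meter_id, key):
        self.meter_id = meter_id
        self.key = key
        self.last_counter = 0
        self.relay_on = True

    def receive(self, frame):
        """Return True if the command was accepted and executed, False otherwise."""
        if len(frame) != 4 + 5 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if body[:4] != self.meter_id:          # addressed to another meter
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                        # forged or corrupted
        counter, command = struct.unpack(">IB", body[4:])
        if counter <= self.last_counter:        # replayed frame
            return False
        self.last_counter = counter
        if command == CMD_DISCONNECT:
            self.relay_on = False
        return True


def shared_key_scenario():
    """The flawed design: the same key in every meter. An attacker who dumped it
    from meter A forges a disconnect for meter B, and B executes it."""
    fleet_key = b"K" * 16                       # constructed fleet-wide key
    meter_b = Meter(b"\x00\x00\x00\x02", fleet_key)
    forged = build_command(fleet_key, meter_b.meter_id, 1, CMD_DISCONNECT)
    return meter_b.receive(forged)              # True: lights off


def diversified_key_scenario():
    """Per-device keys: the key extracted from meter A does not verify on meter B,
    the genuine head-end command does, and replaying it is rejected."""
    master_key = b"M" * 32                      # constructed; held only at the head end
    id_a, id_b = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"
    key_a = derive_meter_key(master_key, id_a)  # what the attacker got from meter A
    meter_b = Meter(id_b, derive_meter_key(master_key, id_b))
    forged_ok = meter_b.receive(build_command(key_a, id_b, 1, CMD_DISCONNECT))
    genuine = build_command(derive_meter_key(master_key, id_b), id_b, 1, CMD_DISCONNECT)
    genuine_ok = meter_b.receive(genuine)
    replay_ok = meter_b.receive(genuine)
    return forged_ok, genuine_ok, replay_ok     # (False, True, False)


if __name__ == "__main__":
    print("shared key, forged disconnect accepted:", shared_key_scenario())
    print("diversified keys (forged, genuine, replay):", diversified_key_scenario())
```

Spoofing the identifier code buys nothing in the second scenario: the meter id is part of the authenticated body, and the tag for meter B can only be computed with B's key or the master key. In a real deployment the master key would sit in an HSM at the head end, the counter would be persisted across reboots, and an AEAD mode would provide the confidentiality half as well.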


Once again, a small team without many resources defeats a huge company's security organization.
What are we doing wrong? Are we reading the F... Manual in every project we start? I don't think so.
If we took a serious approach to security when designing architectures and solutions, we would not find these kinds of things later.

In Madrid we still remember the BiciMad penis video playing on the rental kiosks for a whole weekend:





Both incidents have the same root cause: lack of deep risk analysis and strong security requirements in the design phase.

Time for a Paella.


Sunday, September 21, 2014

ICS SCADA Mobile: BYOD (Bring Your Own Disaster) to your control network

I have to confess I'm an "Apple fanboy". I use my iPad every day to browse news, Twitter, cyber security blogs, etc.
Some days ago I was browsing exploit-db.com as I used to do when working on IT security projects. One of the first exploits I saw was related to an iPad application for transferring content over WiFi (Air Transfer from Darinshoft).



When I saw the description I couldn't believe it could be so easy and dangerous, so I downloaded and installed the app on my iPad. I tried the exploit from my MacBook and ..... Bingo!!
I could crash the application and get its contents even though the web interface access was password protected.
(The exploit was disclosed on August 19th and the application is not yet patched.)

All that made me think about the mobile apps for connecting to SCADA systems and the IoT solutions the big automation companies are designing.
Then I remembered a nice article by Eric Byres that described the software quality problem ICS has to face on a daily basis.

"Academic research tells us that most commercial software contains 3 - 10 defects for every thousand lines of code (KLOC), and that 1% to 5% of these result in vulnerabilities. That works out to between 0.03 and 0.5 vulnerabilities per KLOC."

Translating those figures to the Apple App Store (September 2014) we get the following:


So even assuming the smallest app size and the lowest vulnerability rate, we are talking about millions of vulnerabilities in the Apple mobile app world alone.
If we do the same with Google Play, the result roughly doubles.

We need to go back to basics and define security requirements from the very beginning of every app development (server, desktop or mobile), and be very cautious about bringing these fancy iPad apps into ICS. Even if your CEO is asking for the same solution he saw at his last meeting with other colleagues.





Thursday, September 11, 2014

Who the hell are you trusting on your Cyber Security Team?

Recently I found a paper published by a Center that reports to the US Department of Homeland Security:


In this paper they warn about the insider threat and give some clues for detecting strange behavior in your own personnel:


It was very impressive: 100% of my Cyber Security consultants team match these indicators!!!!!

Now I am looking for good Cyber Security engineers who never access networks at odd times, only work 8 hours on working days, never answer their cell phone when out of the office or on holiday, never read classified material, never show any interest in anything outside their perimeter and, most importantly, never enjoy a good beer after a long day of tapping, sniffing, tag classification and graph creation!!!!

Surprisingly, I am not finding any candidates!!!! Do you know why?

(You can find the whole paper here)

Wednesday, September 10, 2014

"Close the Door Campaign" is becoming popular

Surprisingly, today I found this tweet from 



We are in the Top 10!!!
I will continue the campaign until every Spanish ICS open port disappears from the map!!!

Thursday, September 4, 2014

The Dragonfly campaign hangover in Spain (II)

I know Internet-exposed ICS ports were not Dragonfly attack vectors but, in my opinion, exposing them is not good practice. There are plenty of open source and commercial solutions for accessing your industrial control devices over the Internet in a secure and controlled way.

So, what were the results? .....



In this table you can see that the number of devices with these four ICS protocol ports open grew over the period.
On the other hand, the percentage of Spanish open-port devices compared with the worldwide total grew for ICCP and Modbus TCP, but decreased for EtherNet/IP and BACnet.

The summary data for the period is the following:
  • Total open ports worldwide
  • Total open ports in Spain
  • Percentage of Spanish devices over worldwide devices



Some findings:
  • Bearing in mind that Spain's Gross Domestic Product in 2013 was just 1.83% of worldwide GDP, every protocol's percentage is above that (sometimes 3 or 4 times above).
  • Although the growth over the period is not big, it is a trend, just one month after a serious incident affecting industrial control system organizations. Is our cyber security awareness growing in Spain? (I don't think so)
  • Most of the systems recorded by SHODAN were installed in critical sectors (as the banners showed).
Some easy advice:
  • Shodan yourself!!!! (It's free and easy)
  • Ask your ICS provider for a secure remote access solution if you really need one.
  • Read this blog periodically. (It's free as well)
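"Shodan yourself" can also be done by hand against your own public address range, since what SHODAN records as a Modbus "banner" is the reply to a Read Device Identification request (function code 43, MEI type 14). The following is an added example of my own, not code from this blog or from SHODAN: it builds that request, parses the reply (including the Modbus exception an older device returns when it does not implement function 43, which still proves a Modbus stack is listening on TCP 502), and includes a small probe to run against a host you are authorized to test. The sample replies, the vendor name "ExampleVendor" and the product code "EXAMPLE-PLC" are constructed for the example and were not captured from any real device.

```python
import socket
import struct
import sys

MODBUS_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B   # function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
MBAP_LEN = 7                       # transaction id, protocol id, length, unit id

# Object ids of the "basic" identification category
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(unit_id=1, transaction_id=1):
    """MBAP header + PDU asking for the basic identification objects, starting at object 0."""
    pdu = struct.pack(">BBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01, 0x00)
    # the MBAP length field counts the unit id byte plus the PDU
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_response(frame):
    """Decode a Modbus/TCP reply. A Modbus exception is still a positive answer:
    something on the port speaks Modbus."""
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short for an MBAP header and a PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus/TCP" % protocol_id)
    pdu = frame[MBAP_LEN:MBAP_LEN + length - 1]
    if len(pdu) != length - 1 or len(pdu) < 2:
        raise ValueError("truncated PDU")
    function = pdu[0]
    result = {"transaction_id": transaction_id, "unit_id": unit_id,
              "function": function & 0x7F, "exception": None, "objects": {}}
    if function & 0x80:                  # exception: high bit set, one exception-code byte
        result["exception"] = pdu[1]
        return result
    if function != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        return result                    # some other function code; nothing to decode
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more follows, pdu[5] next object id
    count, pos = pdu[6], 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated identification object")
        object_id, object_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + object_len]
        if len(value) != object_len:
            raise ValueError("truncated identification object")
        name = OBJECT_NAMES.get(object_id, "object_%d" % object_id)
        result["objects"][name] = value.decode("ascii", "replace")
        pos += 2 + object_len
    return result


def build_device_id_response(objects, unit_id=1, transaction_id=1):
    """Build a reply the way a device would; used here only to construct the offline sample."""
    body = b"".join(struct.pack(">BB", oid, len(val)) + val for oid, val in objects)
    pdu = struct.pack(">BBBBBBB", FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID,
                      0x01, 0x01, 0x00, 0x00, len(objects)) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data


def probe_modbus(host, port=MODBUS_PORT, unit_id=1, timeout=3.0):
    """Send one Read Device Identification request to a host you own and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id_request(unit_id))
        header = _recv_exact(sock, MBAP_LEN)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_modbus_response(header + _recv_exact(sock, length - 1))


# Constructed sample replies (not captured from any real device): a full identification,
# and an "illegal function" (code 1) exception from a device without FC 43 support.
SAMPLE_RESPONSE = build_device_id_response(
    [(0x00, b"ExampleVendor"), (0x01, b"EXAMPLE-PLC"), (0x02, b"v1.0")])
SAMPLE_EXCEPTION = bytes.fromhex("00010000000301ab01")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_modbus(sys.argv[1]))        # python3 modbus_probe.py <your-own-host>
    else:
        for frame in (SAMPLE_RESPONSE, SAMPLE_EXCEPTION):
            print(parse_modbus_response(frame))
```

Run it without arguments to see both sample decodes; with a host argument it performs the real exchange. Any reply at all, identification objects or an exception, means the port belongs on the "close the door" list unless it sits behind a VPN or an authenticated gateway.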