Thoughts and opinions on Stuxnet

October 9th, 2010

Stuxnet has been one of the biggest topics in InfoSec for a little while. I am not going to go into a whole lot of technical depth on it as I am more interested in the ramifications of it. There is a nice recap on Wikipedia if you need to catch up. Basically, Stuxnet is the first confirmed (to the general public) attack on Supervisory Control and Data Acquisition (SCADA) systems. As it turns out, the systems that were attacked by Stuxnet had been infected for quite some time before being detected.

This scares me quite a bit as the writers of Stuxnet could have completely destroyed Nuclear Control Systems in any of the plants that it infected. I am not by any means an expert of anything but one of the first thoughts that comes to my mind when I hear about this is the possibility of a remotely triggered nuclear accident to the extent of Chernobyl. If that does not scare anyone else, I am not sure what does.

I am sure there have been several controls put into place to prevent something like the Chernobyl accident happening again. We have had almost 25 years to learn from it and improve our technology and understanding of nuclear technology but one thing I have learned from the InfoSec world is to never say something can’t be done.

What Reality TV can teach us about Security

August 6th, 2010

I came across this TV show the other day called “The Colony” and it is on the Discovery Channel and is touted as a post-apocalyptic exercise to see if a bunch of random strangers (with various different skill sets) can get together and rebuild after a major disaster. This concept is right up my alley as I eat up any kind of post-apocalyptic survivalist content I can get my hands on so I decided to give it a shot. What it ended up being was a reality TV show. It disappointed me right off the bat but I stuck it out to see if there were any redeeming factors. What I ended up coming away with was a few new tricks for surviving a major disaster but what really struck me was the fact that they were preaching security.

As the show starts, the “survivors” or “colonists” get to this gigantic warehouse and set up shop. One of the first things they do is set up a very basic defense of the warehouse by closing and locking doors. Not a whole lot but it will keep the passerby deterred from getting into the warehouse. A few episodes in, one of the “colonists”, Joey (ex drug trafficker that spent six years in prison) started to be concerned about the security of the building and started bringing up the issue at their daily meetings. The group kept putting it off for more important things such as a shower stall with heated water. Joey brought it up once or twice saying that there was a section of the rear perimeter wall that was lacking barbed wire but it kept getting put on the back burner. Well guess what happened…

One night while they were all sleeping, a group of marauders started banging at the front gate, woke all of the “colonists” up, and grabbed their attention while two others hopped over the section of the wall that was lacking barbed wire. Those two marauders that got in then proceeded to ravage their food supply by taking all that they could and then smashing all of the rest. After it was all said and done, three or four days of food was gone. Can you guess what was the new priority the very next day?

The next day, the only thing they did was security. They got the barbed wire over the patch of wall that didn’t have it, they made entrances inaccessible, they reinforced walls, and started projects for building weapons. This is just one example of their security being breached. They also received attacks similar to insider attacks and brute force attacks. The cool thing about this is that it can all relate over to the world of computer systems and network security and the defenses against these attacks map directly over as well.

There are a few points that get displayed really well:

a) Security is really only a feeling
    • Just because you feel secure with high walls and some security precautions does not mean you really are secure
b) Security is not something you can throw on the back burner and expect to come out unscathed
c) Always prepare for the Advanced Persistent Threat (ooohhh! buzzword!) and targeted attacks
d) Listen to the people that specialize in their field
e) Noah built the Ark before the flood
    • Security should be implemented before the compromise

All in all, it was really comforting to see a show put out for the general public that demonstrates some of the issues that we face in InfoSec and may possibly help us get another step forward in education about the issues as well as security as a standard practice across all systems and networks.

Black Hat Briefings Day 2

July 30th, 2010

I unfortunately was not able to do very much at Black Hat day 2 due to having a ton of work to do to actually make sure the con didn’t fall apart. Mainly I got stuck in helping distribute Defcon badges. It was the first time they have actually given out Defcon badges at Black Hat. I did get to see the keynote though. Day 2’s keynote was (in my opinion) 100x better than Day 1.

Again, this speaker was obsessed with the word “cyber” but he actually used it where appropriate and where it made sense. As he was of the military background, he was talking about how the military has four domains (land, air, water, space) and they are all made by God (or exist naturally if that is what you prefer) but there is a new domain that they have to take into account that is made by man. This is the “Cyber” domain. The key difference between these domains is not only natural vs. unnatural: you can generally apply the same techniques between the 4 natural domains but that is not true in the Cyber domain.

I am not going to go completely into full detailed analysis about his talk but there was nothing that I disagreed with and thought he was absolutely spot on. Again, I am not sure if I will return next year for the briefings or if I will just go ahead and hit up B-Sides. We will just have to see what happens as it is another full year away.

Black Hat Briefings Day 1

July 28th, 2010

For anyone interested, here is the schedule for what talks I attended today at Black Hat and the ones I plan on going to tomorrow. I will go ahead and post my thoughts and opinions on the various different talks.

Started out the day like most conference attendees at the Keynote. The keynote was given by some chick from the DHS. Overall opinion, it was pretty lame. She started right off the bat by saying she wasn’t a part of the security community and it became very apparent along with her lack of any technical knowledge. I don’t expect her to be “super uber 1337 h@x0R” but to have some knowledge of what she was talking about. She kept relating everything to the Army and had a fetish for the word “cyber-space”. I would not be surprised to see the word “cyber-space” in the transcript more than 30 times. After the disappointment of the Keynote I made my way down to go see “WPA Migration Mode: WEP is back to haunt you…”

I was hoping “WPA Migration Mode: WEP is back to haunt you…” would be some new tech for cracking WPA but didn’t really know what to expect due to the lack of media coverage. As it turns out, Cisco has this migration mode for when you are moving from WEP to WPA that allows both to be used simultaneously and then just bridges the two together. The entire premise of the talk was that people forget to turn this mode off after fully migrating and are thus still accepting WEP connections. Although it was not a bad talk, it did not deserve a slot at Black Hat as it is only used by people who

A) Use Cisco wireless gear
B) Try to migrate between WEP and WPA softly
C) Are dumb enough to forget to change it.

Now, I do not have any personal look into the market and what organizations are doing with their wireless infrastructure but I would imagine that it would be fairly small. In any case, once you find out that they are still accepting WEP connections, it is just business as usual by cracking WEP. I do have to give them a little more credit though. They wrote a patch for aircrack that allowed it to crack this way as it wouldn’t crack it due to a limitation it has for TKIP.

After the WPA stuff I headed down to “Balancing the Pwn Trade Deficit” by the guys at Attack Research. This talk was all about the Chinese hacker scene. It was a really unique talk as they did not take the position of China bashing like it seems the rest of the industry does and I must say I loved it. They talked about the cultural differences as you can very clearly see it in their source code as they name things such as variables and functions with J-Pop lyrics. They spent the majority of the time talking about Chinese malware and exploit generators. Going into the talk, I had some small idea about how sophisticated some pieces of malware are such as the zeus-bot but I was almost dumbfounded by things such as 24/7 support over phone and QQ (Chinese equivalent to ICQ) as well as having to have active accounts with the creators in order to generate an exploit. In the end, it came down to the fact that the Chinese scene is just like the one here in the States where they have the white/black hat classification as well as similar targets and motivations.

Next up was the talk of the year. Mr. Barnaby Jack with his talk on Jackpotting Automated Teller Machines. Got a nice cozy seat up front due to the Blackhat Jersey. He began by saying that it is not all about the payoff and it was about the journey to the payoff. He went through with us some of his first attempts at getting access into the ATMs using JTAG interfaces and having to get explorer.exe to execute on it (as they all run Windows CE). Once this was demonstrated, he showed us the tool he created for exploiting the ATMs called Dillinger where you simply connect to the ATM on its management port. Once you can connect to it, you have the choice of testing the exploit, uploading his rootkit, resetting to defaults, retrieving credit card track data, or jackpotting it (photo here). It was incredibly entertaining to see the money fall out of the ATM while it was playing a shitty MIDI song. It was absolutely fantastic and left confirming my opinion that he is just a bad-ass.

Now, I decided to go to one of the most brutal talks I have ever seen. I went and saw “Harder, Better, Faster, Stronger: Semi-Auto Vulnerability Research” by the SourceFire VRT guys. As I am not really good at any type of coding or vulnerability development, a lot of it went way over my head but they did introduce a tool that it looks like would almost revolutionize that space.

Last talk of the day was the other one that got a lot of hype, it was “Getting In Bed With Robin Sage”. The basic premise was that he got this hot chick’s picture and posed as a chick in the security industry. Apparently in the end he was able to get job offers from the likes of Google and Lockheed. This was hands down the worst talk I have ever seen in my entire life. The speaker was so incredibly disorganized that he could not stick to his own slides and spent most of the time getting into it with Chris Nickerson and browsing his file system taunting people with pictures of incriminating emails but never actually opening them to show people. It was so bad, about half of the people got up and left halfway through and one guy had to ask him really what exactly he did as he never explained exactly what happened and what he did. At that point, I had to get up and walk out as well.

All in all, it was a little above average. There were some awesome talks but some really downer talks as well. We will see what happens tomorrow but I am thinking I may have to just do the whole BSides thing next year.

Another year of Black Hat/Defcon

July 21st, 2010

Black Hat and Defcon are upon us again this year. This means nothing more than covering miles of ground during setup and tear down of training classes and briefing rooms followed by epic parties with free booze supplied by several top names in the industry. Just to set the record straight, I don’t go to the parties nor the free room in Caesars for a week and a half but I go because I always learn so many new things and come away inspired. I am super excited and can’t wait to get there.
