Handle Shmandle

A lot of people ask me why I still use a handle and go by ‘Space Rogue’ instead of using my real name. Trust me it is kinda awkward to go to a respectable con like BSides, Blackhat or even RSA and introduce myself as ‘Space Rogue’. People always ask me to repeat myself as if they didn’t hear me, then they get this weird look on their face like ‘who is this crazy person?’

The original handles came about because early multi-users systems, like UNIX and BBS systems, could only handle eight character login names. So people tended to get a little creative. Those handles became intimately identifiable with the personas behind the keyboards. Most of the people I still interact with from those days I still refer to by their handle. Jeff Moss will always be DT, Chris Wysopal at Veracode will always be ‘Weld’, Joe Grand will always be Kingpin, or just KP. Not just online but in face to face meetings as well. People who know my real name still refer to me as Space, SR or even Mr. Rogue when we are together. For me handles are easier identifiers than actual names, I seldom remember a name but I almost always remember a handle.

During the L0pht years handles were important. We felt we needed them to protect us from individual lawsuits that may be filed from the companies whose security holes we were exposing at the time. We went to great lengths to protect those handles. We gave up many press opportunities because numerous journalists couldn’t get past not having a real name to pin a quote to. I figured if my handle was good enough for a Senator to read into the Congressional Record it was good enough for a newspaper quote.

Somewhere along the line most of the people I knew who were using handles switched to using their real names, usually because of a job. There aren’t many people at the top of the InfoSec world these days that still uses a handle. (Of course there a few that use ‘normal’ sounding handles, and a few whose actual names sound like handles.)

For me it comes down to keeping my day job. I tend to do infrastructure, networks, servers, that sort of thing. Big deal right? Well a lot of company’s are still afraid of the evil ‘hacker’ label. I guess they don’t feel comfortable with having a ‘hacker’ have physical access to their networks, servers and other mission critical systems. Never mind my extensive experience in the IT field or that my ‘hacker’ background probably makes me a better IT Manager than anyone else they are probably able to hire. Companies tend to freak out and pull a knee jerk reactions.

Making my real name easily associated with ‘Space Rogue’ via a Google search does not assist the job search. I have lost at least one and possibly two jobs, and who knows how many potential jobs, when someone was able to make the connection between the two identities. Now they didn’t come right out and say ‘Oh your Space Rogue you can’t work here anymore’ but it can be pretty apparent when a company is trying to get rid of you and then you find out later that they made the connection somehow.

So while a lot of people ‘in the scene’ know my real name I keep my Infosec identity as Space Rogue separate from my IRL identity and will continue to do so. At least until there is a company that is willing to see the value behind the handle. With any luck I will be able to merge the handle with the real name and become ‘John “Space Rogue” Smith’

- SR

OMG the SCADA is Falling!!!

Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen and should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of of a lot of theory.

The most recent example is the report, first reported on by The Register that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario but when we look a little closer at the report some holes start to develop.

The media gabbed a hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101 folks, and I didn’t even take journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions talking about the attack. This would seem to lend provenance to the story and that the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted other than to say the report was released on November 10th. According to Weiss a software vendor lost control of its customer username and password database which allowed attackers, who had been traced back to Russia, access to the systems.

The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why the Register did not pick up the phone and call Springfield but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.

By the time the story made it to C|Net they actually had a quote from DHS.


“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,”
DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic but lets face it, this is DHS, their whole reason for existing is wide spread panic. So if they say there is ‘no credible corroborated data’ I’m going to go with that.

So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. Thats it. Everything else is pure speculation.

Now lets read between the lines shall we? Lets assume that a pump somewhere in Illinois, over the course of several weeks or even months turned itself off and on and failed. Pumps fail all the time, it happens, doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop code wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if your a pump manufacturer and don’t really pay attention to closely to the software that controls them. Now I have no more evidence to say that this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more possible than a russian breaking into a small Illinois township water district?

I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”

Late Update:

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” said Don Craven, a water district trustee.”

That pretty much settles that in my book.

Although I have to share one last quote from the Curran-Gardner Water District trustee “I drank the water this morning.”

- SR

2011.11.25 – Update
One last update, looks like those strange Russian IP addresses actually came from Russia! Via a contractor who had authorized remote access. Imagine that. Yup, blame the contractor.

- SR

NASA Confirms but China Denies Satellite ‘hacking’

Since I posted my previous item regarding my suspicions as to the validity of the claims of ‘interference’ with a US Government satellite there have a few more developments.

First NASA has come out and ‘confirmed’ the interference.

According to NASA PAO: “NASA experienced two suspicious events with the Terra spacecraft in the summer and fall of 2008. There was no manipulation of data, no commands successfully sent to the satellite, and no data captured. NASA notified the Department of Defense, which is responsible for investigating any attempted interference with satellite operations. While we cannot discuss additional details regarding the attempted interference, our satellite operations and associated systems and information are safe and secure.

Which if you read between the lines says absolutely nothing and denies everything. Just “two suspicious events” that caused no commands to be sent to any satellites, and no data changed or captured from a satellite. So what exactly constitutes a “suspicious event”? How the hell did we go from “suspicious event” to “OMG Hackers are controlling satellites!”?

This of course brings me right back to my original theory, that nothing of any significance actually happened, that some system got infected with malware and since that system was supposed to be air gapped and could control a satellite NASA had to inform DoD as a matter of protocol. So no satellites actually got ‘hacked’ and the cyber cold war continues as usual.

The second development is that China has denied all the accusations. Naturally. Specifically they claimed “This report is untrue and has ulterior motives. It’s not worth a comment,” which I agree with completely.