Say Cyber Again.

I don’t think this will stay on YouTube very long I got an instant DMCA take down notice as soon as it was uploaded. I filed a dispute but we all know how those go so watch it now while you can.

Then They Came For Me…

First they came for Jackson,
and I didn’t speak out because I didn’t play D&D.

Then they came for Neidorf,
and I didn’t speak out because I trusted the phone company.

Then they came for Mitnick,
and I didn’t speak out because I thought the government was telling the truth.

Then they came for Watt,
and I didn’t speak up because I believed the prosecution.

Then they came for Swartz,
and I didn’t speak out because I never used JSTOR.

Then they came for me,
and there was no one left to speak for me.

Anatomy of Hype

Lets see if I can break this down chronologically.

On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.

This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data which contained much more than just names and addresses. 2. How exactly was the data copied and 3. If there was no breach why were the authorities involved?

On Friday December 21st a twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’ Exclusive: Hacker nabs 3m Verizon customer records (title has since been changed) covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.

With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay for download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.

I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.

After attempting to get a response from @TibitXimer via twitter to confirm this new information his twitter account, pastebin link and download link all quickly disappeared.

By Saturday December 22nd Forbes writes an article Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.

On Sunday December 23rd The Next Web seems to put all the pieces together After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm and examines the
Verizon statement, the now disappeared @TibitXimer twitter feed and the statements from security professionals on the veracity of the data.

It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breech.

I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this, if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.

I shouldn’t be surprised at this as ZDnet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story hasn’t responded to my tweets asking for an update. He to has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.

While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.

The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.

I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.

For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.

LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published Fool us once, shame on you. Fool us twice, we implement policies!

Book Review: This Machine Kills Secrets

Book Review: This Machine Kills Secrets
By: Andy Greenberg
Penguin Group 2012
ISBN 978-1-101-59358-5

*Page references have been taken from the electronic iPad version

I’ll admit I haven’t finished the whole book yet but the way the book portrays some events I was involved in differs from my own memory. I wanted to highlight those sections, especially since I am quoted in the book more than once. In general Greenberg has done an excellent job in describing the L0pht and some of the events that took place around it but I take issue with some of the descriptions of places and things, while not inaccurate, Greenberg’s choice of adjectives describes settings in entirely different lights than how I remember them.

“exploring the dark corners of the Internet and charting the back doors in labyrinth alleys” (pg. 203)

I have never understood this type of definition of the early Internet. The mid nineties Internet was small, it was unbelievably tiny compared with today. There were no “labyrinth alleys”, it was not a dark and foreboding place at all, at least not to me. To me it was just the opposite, the Internet helped to shine bright lights on subjects I knew little or nothing about at the time and not just technological topics. In the mid nineties the net was a wealth of information with easy access to experts on any subject. It was free from advertisements or sites just looking for page views. There was nothing really dark or labyrinth about it at all. Describing it as such two decades later makes for great reading though.

“where Mudge was often regarded as the most visible and brilliant member.” (pg 203)

This sentence implies that I, and the rest of the L0pht, thought Mudge was the most brilliant of all of us. Was he the most visible? Absolutely, and that was mostly by design. But was he the most brilliant? No, none of us were. All of us had our own strengths, our own areas of brilliance, including Mudge. The L0pht is the only organization I have ever been involved in that came as close as you can to a true egalitarian structure, a meritocracy, where no one was any more brilliant than any one else. We all had individual strengths, each strength complimented each others weaknesses, a lot of those strengths over lapped, but to imply, as Greenberg has, that Mudge was considered the most brilliant by the other members of the L0pht is woefully inaccurate.

“It was a young male scene drawn from an online bulletin board called the Works, where Zatko had made a name for himself under the pseudonym “Mudge.” (pg. 232)

First the board was known as The Works, a minor nitpick for sure, and it wasn’t 100% male but women were definitely outside the norm. By the time Works Gatherings were occurring everyone pretty much new Mudge anyway. Other boards such as ATDT East and Black Crawling Systems where considered much more ‘elite’ than The Works. The Works was more of a social hangout and info repository while other boards took the technological lead. That is why it fell onto The Works to have these in the flesh get-togethers known as Works Gatherings. This was long before 2600 meetings started happening in Boston, which the Works Gatherings eventually morphed into. But to say that Mudge or anyone made a name for themselves on The Works shows a lack of understanding of the dynamics of the early 90s BBS scene in the 617 area code. Such an understanding would probably take a lot longer to explain than the one sentence Greenberg gives it or the one paragraph I am giving it here.

“In later incarnations, the L0pht would add a PC with web access rigged to the toilet for convenient web browsing.” (pg. 232)

Yes, we had an old terminal in the bathroom. No, it was not rigged to browse the Internet or anything else. If I remember correctly it was either an early POS terminal or something used at an airline, I don’t remember, either way as far as I remember it did not work and you could not surf or do anything else on it. Even if it did the screen was about five inches diagonal and monochrome so who would want to?

“Space Rogue, a former army soldier with close cropped hair, hosted the Mac Whacked Archive, an FTP download site with the worlds largest collection of Apple hacking tools.” (pg 233)

It was the Whacked Mac Archives! I am going to blame this on Greenberg’s editors because I gave him an interview for this book and I know I didn’t give him the wrong name. Come on Andy, a simple Google search by your fact checker should have found this one. And another minor nitpick, it hosted Macintosh tools, not Apple. These days Mac and Apple pretty much mean the same thing but even as late as the mid nineties Macintosh software and Apple software were two completely different things.

“The first night Mudge entered the L0pht, the elite group of hackers were struck by his technical genius…” (pg 233)

Oh please, we were not, or at least I wasn’t. Greenberg is making it sound like some deity had descended from the heavens to walk among us mere mortals. Greenberg paints a very radiant picture here that would make a great movie scene but the reality is much more mundane. Very very few people were ever invited into the L0pht that we didn’t know, either in person or online, beforehand. So when Mudge first entered the L0pht we already knew him, who he was, and what he knew and he already knew, or knew of, us. The first meeting in the L0pht was mostly to discus L0pht logistics, like how much each person payed in rent, were he would sit, when we had meetings, etc… It was not an introduction. Were we impressed by his technical genius? Only so much as it matched our own. Mudge definitely has his own reality distortion field; his own cult of personality and that was definitely something that the L0pht needed at the time.

“But Count Zero was going through a messy divorce that kept him away from the L0pht for months at a time, long enough for Mudge to stake his claim.” (pg 233)

This reads like Mudge engineered some kind of coup to oust Count Zero and take control and that is absolutely NOT what happened. I will admit this episode was messy and handled about as well as a bunch of socially inept computer geeks could handle it but to imply that Mudge came in, kicked out Count Zero and took over is just flat out plain wrong.

“They sold T-shirts, attracted groupies…” (pg 234)

OK, how come no one told me about the groupies? Are there any left?

“At the next Black Hat security conference in Las Vegas, the software megalith’s executives took the L0pht out for an expensive dinner…” (pg 235)

This meeting did actually take place, I don’t remember if it was in conjunction with Black Hat or not, I seem to remember that it was not. Greenberg implies that the whole L0pht was present, we were not. Mudge was there, of course, and I think someone else might have attended but it definitely was not the whole L0pht as Greenberg implies.

“Eventually, several of the L0pht’s members would be hired to work for Microsoft as security consultants.” (pg 235)

As far as I know this is false, none of us were hired by Microsoft directly. I’ll admit I haven’t kept up with everyone’s employment history over the years so it is possible that maybe one of us did a few days or weeks of consulting but as far as I know that was not the case. What did happen sometime in the early 2000s is that Microsoft went on a massive security hiring binge, scooping up all the laid off talent from the security industry implosion after the dot com bubble burst. Many people who worked at @Stake, Guardent, Foundstone, etc ended up at Microsoft, some of them are still there but as far as I know no one from L0pht worked there in any capacity.

“…high level cabinet official travelled alone to clandestine meetings with digital miscreants.” (pg 241)

This sentence annoys me, especially the use of the words clandestine and miscreants. The meeting described here was not clandestine, I am sure it was on Clarke’s official travel schedule, and its not like we met in a dark alley or anything. In fact I’m not entirely sure this meeting happened exactly as it is described. I distinctly remember meeting Clarke with other L0pht members for the first time at John Harvard’s, we both had the chicken pot pie. Now maybe Mudge had an earlier meeting with Clarke as Greenberg described that I wasn’t aware of, I don’t know. Greenberg’s description of this cloak and dagger meeting seems more like a setup for a movie deal than something that actually happened. And what’s with the use of the word miscreant, the definition of which is depraved or villainous, come on.

“For a moment, Clarke huddled with his NSC colleagues in private conversation.” (pg 242)

The meeting Greenberg describes includes the L0pht, Clarke and four NSC guys but that is not how I remember it. At most there were two other guys with Clarke but I am pretty sure there was only one other guy with Clarke. I don’t remember most of the rest of this paragraph either. What I do remember took place in the parking lot outside the L0pht. Clarke was huddling with the other one or two NSC guys who were there, when Mudge standing of to the side with the rest of the L0pht guys yelled over to them, “Hey, we opened the Kimono and showed you ours, what are you guys talking about?” To which Clarke responded that he was very surprised by what he had witnessed at the L0pht and that up until that point he had always assumed that to do what we had been doing would take the support of a nation-state or other large organization, and not seven guys in a rented space in some warehouse. So Greenberg’s version has the same gist to it, just not exactly as how I remember.

“On the way they stopped at the NSA’s Cryptologic Museum and accidently drove past the guards into the agencies secure facility, before timidly backing out.” (pg 242)

If you have ever been to the Cryptological Museum you know that as described this isn’t really possible. The museum is public and open to anyone, however on the drive down we missed the exit off the highway for the museum, so we took the next exit. We found a place to turn around but before we realized it we were passing the NSA guard shack. Imagine a large Ford Econline van with out of state plates, at least four antennas on top and heavily tinted windows. We didn’t know if we should stop or keep going, the guard saluted us, we saluted back and the guard waved us through so we kept on driving. There really wasn’t anything timid about it. Once inside we quickly turned around, left and went back to the Museum. In fact if you ever go to the Cryptological Museum and look in the guest book back to 1998 you will see an entire page that we signed as “L0pht World Tour”

“and ended their trip hanging out with Secret Service agents at Archibald’s, a nearby strip club.” (pg 243)

Umm, no. We did not hang out with Secret Service agents at a strip club or any other type of club. I have no idea where Greenberg got this. It would definitely play well if Greenberg sells the movie rights to this book but it didn’t happen. I remember hanging out in the hotels Irish bar, having one glass of Guinness and then going to bed.

 

None of the items I have listed here are really all that egregious or detrimental to the story. However, since I was there, and I remember things slightly differently than how they have been portrayed by Greenberg I thought it important to illustrate those differences here. I think the biggest thing I have issue with is the tone Greenberg uses in certain sections, he accurately describes the physical L0pht as a technological clubhouse but then describes clandestine meetings and labels us as miscreants. The description of the L0pht and the events surrounding it only make up a few pages of the over all book but considering the inaccuracies and or liberties Greenberg has taken to describe this one small section I have to wonder what other parts have been slightly embellished or possibly misremembered from his other sources throughout the rest of the book.

On the other hand I am impressed by just how much Greenberg has gotten right. There have been numerous attempts over the years to accurately describe the L0pht and some of the events that surrounded it, despite the inaccuracies I have listed, this is as close as anyone has come. It is obvious that Greenberg put a lot of work into this book, or at least this section, and gathered information from a lot of sources.

Given the topical subject matter I would not be surprised at all to see this book optioned to a movie. Unfortunately a movie will only be two hours long and I don’t see how you would be able to fit this one chapter, let alone the entire book, into two hours without cutting out large chunks and glossing over the many details that took Greenberg so long to gather.

Hackers and Media Hype or Big Hacks That Never Really Happened

I have been giving my talk “Hackers and Media Hype or Big Hacks That Never Really Happened” for a few months now and I think it is time to retire it. You may have seen it at Shmoocon Epilogue, Source Boston or Hope 9. If not catch the video below. I also have the entire slide deck available including the bibliography if anyone is looking to check sources.

Here is the slide deck MediaHypeinInfoSec2012_HOPE.pptx

Emails From Michael In Iran

If publishing unsourced emails claiming to be from Iran is a newsworthy event then I guess we should all copy Mikko and do the same thing.

A few years ago I received a chain of emails from ‘Michael’ that started out as the normal ‘teach me to hack’ emails I receive on an almost daily basis but this email chain went on longer than usual and took several turns I don’t usually see in such emails. I thought they might be good for a laugh or a tear depending on your viewpoint.

TL;DR

The emails start in May of 2009 and go through to December, I have not included them all and have edited some for brevity.

Things start out simple enough saying how he is a 20yr old Iranian and is a fan of the L0pht. Pretty straight forward. I responded as I usually do to emails that are at least half way intelligent. I admit I don’t always get emails from Iran with a verifiable Iranian IP address.

Then comes the first turn, ‘Micheal’ asks me to teach him to ‘hack’ specifically so he can change his grades at University. For me thats a big no no right there. If you ask me to do, or teach you to do, anything even remotely illegal in email thats where I stop. I will no longer respond. I don’t want to be considered an accessory or an accomplice or be put in an un-winnable Adrian Lamo type situation. Not to mention the whole assisting a foreign power angle. So I just stopped responding.

But Michael wouldn’t give up, he sent me an email every day for weeks, then slowed down to a few times per week. Eventually he reached out other old L0pht members, those whose email address he could find, asking them if I was OK, saying he feared for my safety since I was not responding to emails. I will admit I felt a little bad at this because who knows maybe people just disappearing like that in his country is a sign of something sinister happening. I don’t know. My remorsefulness did not last long however.

Next came the names and the threats. ‘Michael’ called me a raciest and threatened to ‘destroy my life’ and that despite my lack of assistance he was going to become the worlds greatest hacker anyway and he was going direct his efforts at me. Then he was going to hack his University, graduate and travel to America to prove to me in person that he was a great hacker and that he did it all without my help.

I had a good laugh and a tear at the time, 2009, but as I read over these emails again and place them into the context of the ongoing ‘cyber’ cold war they really take on a different meaning. How many other people in Iran have similar motivations? I wonder if Michael ever made it through University, or maybe he got caught and ‘disappeared’? I will probably never know.

Email exchange with Michael from Iran

L0pht Hacker Space Visa

The L0pht was not the first hacker space, in fact at the time of its creation in Boston there were at least two other such spaces, Sinister House and Messiah Village, which later moved and became New Hack City, or simply New Hack. L0pht wasn’t even the cause of the recent explosion of hacker spaces across the globe. I like to think that as an early trail blazer L0pht had at least some influence in that explosion but I have no evidence to support it.

A few years ago I read about the Hacker Space Passport which I thought was a really cool idea except that my, and most peoples, do-it-yourself craft abilities are mostly sub optimal meaning that if I attempted to construct the Hacker Space Passport it would look like total crap. So I promptly forgot about it and went along with my day. But the idea was still sound, as you visit different Hacker Spaces or cons you would get a stamp in your Passport verifying your visit and giving you a sort of memento of your stay. Almost exactly like a real passport without the freedom grope, personal questions, and suspicious looks.

At some point when I wasn’t paying attention the Hacker Space Passport became somewhat popular. So much so that the online electronics store started by Lady Ada, who had visited the L0pht on several occasions, Adafruit Industries, has had some Hacker Space Passports professionally printed and is selling them for a whopping $2.95. As soon as I saw them I promptly ordered four. I am very impressed with the quality, almost exactly like my real passport, obviously without the RFID (although I am sure someone will find a way to hack one into it). It has multiple pages where people can get travel visa stamps for the hacker spaces they visit and a section in the front for identification, which is blank when you receive it. The visa pages have watermarked logos in the background of some famous hacker spaces and hacker cons. Trust me, it looks really cool, and I can’t wait to fill it with stamps from all over.

Of course the fact that the ID section of the passport was blank left me with a bit of a problem. I wanted it to look professional, which meant finding a typewriter to actually type my name into the passport. Umm, yeah, typewriters have pretty much fallen off the face of the planet and it requires much more effort than I am willing to expend on this project to find one. So I went to the arts and crafts store and picked up a .1mm fine art pen and wrote ‘SPACE’ and ‘ROGUE’ and ‘L0pht’ in the appropriate spots. I will print out my twitter avatar and stick it where the photo belongs. I also ordered some sticky hologram paper off eBay to cover the ID page to make it look all official.

On the Adafruit website Lady Ada has a video showing how your hacker space can create an official visa with a rubber stamp using a laser cutter. Which is cool and all, if you happen to have a laser cutter. I do not. So I spent $25 at one of those online rubber stamp companies and had one professionally made.

Now the L0pht doesn’t exist anymore, and hasn’t for over a decade, but in the eight or so years of its existence there were a large number of visitors, many of those visitors where from down the street and around the corner, some came from across the country or across the globe. Some came from government or big business. Most came to attend one of the L0phts legendary New Years parties, (always thrown on the absolute coldest day of the year) others came to just visit or talk about our latest research. To any of those people I say, get yourself a Hacker Space Passport, and I will stamp it with a historical L0pht visa to commemorate your visit. Now if you never had a chance to visit the L0pht and you have Passport, and really really want a stamp? We might be able to arrange something, especially if I am thirsty. (beer) I will carry the stamp around with me when I go out to cons so feel free to ask for stamp. I will be at Source, Thotcon, and YSTSCon as well as a few BSides in the next few months, catch me there and get your passport stamped!

FUD can Sometimes be Useful

There has been a story making the rounds the last few weeks that is really bugging me. I was going to let it slide but the story just won’t die and every time it comes around again I just get angrier. The problem is I don’t think the story is actually true, which wouldn’t be that big a deal if I could actually prove it wasn’t true but in this case its just a feeling, I have no proof, not even a preponderance of evidence, just a feeling.

The story is sort of infosec related and deals with the geotagging of photos uploaded to social media sites. This is a very real concern for people like the US Army who usually don’t want it known where high value targets like say, oh, AH-64 Apache helicopters might be parked. The problem I have is that I seriously doubt the scenario as presented by Steve Warren, deputy G2 for the Maneuver Center of Excellence actually happened.

“Warren cited a real-world example from 2007. When a new fleet of helicopters arrived with an aviation unit at a base in Iraq, some Soldiers took pictures on the flight line, he said. From the photos that were uploaded to the Internet, the enemy was able to determine the exact location of the helicopters inside the compound and conduct a mortar attack, destroying four of the AH-64 Apaches.”

There are just so many things wrong with this story as it is presented to make it believable to me. Is it possible? Absolutely. Is it a real security concern? Most definitely. But did it really happen? I don’t think so.

First lets try to imagine how the US Army determined that the enemy downloaded the photos and extracted the GPS location in order to lob mortars at the helicopters. How did the Army find that out? Did they enemy carry a sign past the airbase front gate saying “Hey, grabbed your FaceBook pics HA! HA!” Did they capture an enemy combatant and water-board it out of him? Did they recover a laptop with a bunch of photos and map coordinates? Why are we only hearing about it five! years after happened? How did the Army determine how the enemy got the information? That part is never explained.

Lets look at a second more plausible explanation, assuming that helicopters actually did get blown up. A fleet of UH-64s are not easy to hide. If you’re a Iraqi sitting in your house eating your hummus and pita bread and you’re hear a fleet of UH-64s fly over head your gonna notice it. You put down the pita and look out the window to see the helicopters flying off to the nearby US Army base. Then you call your buddies, grab your motor tube and go have some fun. To me this makes a lot more sense than randomly grabbing pictures off FaceBook.

So if this is really a made up story why did the US Army release it? I suspect they know they have a very real problem of soldiers uploading geotagged photos to social media sites. They tried banning Facebook and other sites before and that didn’t work. And actually the military needs social media for morale reasons. The number one morale booster when I was in the service was mail, or more accurately communication home to family and loved ones and with todays military that communication happens over the Internet and with social media. We cannot turn it off. So you have to do the next best thing, educate the users/soldiers/sailors/airmen/marines not to post stupid stuff that will compromise your military situation. Loose lips sink ships, or in this case geotaged photos blow up helicopters (doesn’t really have the same ring to it.) Based on my own experience with educating users I suspect they have met with only limited success.

So this story of UH-64s being bombed via Facebook makes a perfect urban/military legend. To people in the military it does not matter if it was true or not the story will live on and spread and take on a life of its own. Now soldiers will double check their buddies when they take pictures because they won’t want mortors raining down on their own heads. Where training has failed peer pressure will succeed, and it gets repeated so many times it just magically become fact. Mission Accomplished.

But to those of us in infosec we need to look at this story for what it is, a possibility, not yet a reality, but something to look out for and to caution our clients against. Just remember not everything you read is true, the sky isn’t always falling but that doesn’t mean you shouldn’t pay attention.

Handle Shmandle

A lot of people ask me why I still use a handle and go by ‘Space Rogue’ instead of using my real name. Trust me it is kinda awkward to go to a respectable con like BSides, Blackhat or even RSA and introduce myself as ‘Space Rogue’. People always ask me to repeat myself as if they didn’t hear me, then they get this weird look on their face like ‘who is this crazy person?’

The original handles came about because early multi-users systems, like UNIX and BBS systems, could only handle eight character login names. So people tended to get a little creative. Those handles became intimately identifiable with the personas behind the keyboards. Most of the people I still interact with from those days I still refer to by their handle. Jeff Moss will always be DT, Chris Wysopal at Veracode will always be ‘Weld’, Joe Grand will always be Kingpin, or just KP. Not just online but in face to face meetings as well. People who know my real name still refer to me as Space, SR or even Mr. Rogue when we are together. For me handles are easier identifiers than actual names, I seldom remember a name but I almost always remember a handle.

During the L0pht years handles were important. We felt we needed them to protect us from individual lawsuits that may be filed from the companies whose security holes we were exposing at the time. We went to great lengths to protect those handles. We gave up many press opportunities because numerous journalists couldn’t get past not having a real name to pin a quote to. I figured if my handle was good enough for a Senator to read into the Congressional Record it was good enough for a newspaper quote.

Somewhere along the line most of the people I knew who were using handles switched to using their real names, usually because of a job. There aren’t many people at the top of the InfoSec world these days that still uses a handle. (Of course there a few that use ‘normal’ sounding handles, and a few whose actual names sound like handles.)

For me it comes down to keeping my day job. I tend to do infrastructure, networks, servers, that sort of thing. Big deal right? Well a lot of company’s are still afraid of the evil ‘hacker’ label. I guess they don’t feel comfortable with having a ‘hacker’ have physical access to their networks, servers and other mission critical systems. Never mind my extensive experience in the IT field or that my ‘hacker’ background probably makes me a better IT Manager than anyone else they are probably able to hire. Companies tend to freak out and pull a knee jerk reactions.

Making my real name easily associated with ‘Space Rogue’ via a Google search does not assist the job search. I have lost at least one and possibly two jobs, and who knows how many potential jobs, when someone was able to make the connection between the two identities. Now they didn’t come right out and say ‘Oh your Space Rogue you can’t work here anymore’ but it can be pretty apparent when a company is trying to get rid of you and then you find out later that they made the connection somehow.

So while a lot of people ‘in the scene’ know my real name I keep my Infosec identity as Space Rogue separate from my IRL identity and will continue to do so. At least until there is a company that is willing to see the value behind the handle. With any luck I will be able to merge the handle with the real name and become ‘John “Space Rogue” Smith’

- SR

OMG the SCADA is Falling!!!

Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen and should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of of a lot of theory.

The most recent example is the report, first reported on by The Register that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario but when we look a little closer at the report some holes start to develop.

The media gabbed a hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101 folks, and I didn’t even take journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions talking about the attack. This would seem to lend provenance to the story and that the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted other than to say the report was released on November 10th. According to Weiss a software vendor lost control of its customer username and password database which allowed attackers, who had been traced back to Russia, access to the systems.

The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why the Register did not pick up the phone and call Springfield but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.

By the time the story made it to C|Net they actually had a quote from DHS.


“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,”
DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic but lets face it, this is DHS, their whole reason for existing is wide spread panic. So if they say there is ‘no credible corroborated data’ I’m going to go with that.

So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. Thats it. Everything else is pure speculation.

Now lets read between the lines shall we? Lets assume that a pump somewhere in Illinois, over the course of several weeks or even months turned itself off and on and failed. Pumps fail all the time, it happens, doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop code wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if your a pump manufacturer and don’t really pay attention to closely to the software that controls them. Now I have no more evidence to say that this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more possible than a russian breaking into a small Illinois township water district?

I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”

Late Update:

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” said Don Craven, a water district trustee.”

That pretty much settles that in my book.

Although I have to share one last quote from the Curran-Gardner Water District trustee “I drank the water this morning.”

- SR

2011.11.25 – Update
One last update, looks like those strange Russian IP addresses actually came from Russia! Via a contractor who had authorized remote access. Imagine that. Yup, blame the contractor.

- SR