OMG the SCADA is Falling!!!

Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen and they should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of a lot of theory.

The most recent example is the report, first reported on by The Register, that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario, but when we look a little closer at the report some holes start to develop.

The media grabbed hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101, folks, and I didn’t even take a journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions, talking about the attack. This would seem to lend provenance to the story and suggest that the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted other than to say the report was released on November 10th. According to Weiss a software vendor lost control of its customer username and password database, which allowed attackers, who had been traced back to Russia, access to the systems.

The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why the Register did not pick up the phone and call Springfield, but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.

By the time the story made it to C|Net they actually had a quote from DHS.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,”
DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic, but let’s face it, this is DHS, their whole reason for existing is widespread panic. So if they say there is ‘no credible corroborated data’ I’m going to go with that.

So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. That’s it. Everything else is pure speculation.

Now let’s read between the lines, shall we? Let’s assume that a pump somewhere in Illinois, over the course of several weeks or even months, turned itself off and on and failed. Pumps fail all the time, it happens, it doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop code wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if you’re a pump manufacturer and don’t really pay attention too closely to the software that controls them. Now I have no more evidence to say that this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more possible than a Russian breaking into a small Illinois township water district?
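An added toy simulation (not from the original post) of the glitch hypothesis in the paragraph above: a bang-bang tank-level controller that switches a pump at a bare setpoint chatters on sensor noise, while the same loop with a hysteresis band cycles slowly. Every number in it is constructed for the demo and models no real pump or utility.

```python
# Toy simulation of the "control loop glitch" hypothesis: a pump controller
# that switches on a single setpoint chatters on sensor noise, while the same
# loop with a hysteresis band cycles slowly.  Constructed numbers only; this
# models no real utility or pump.
import random


def simulate(deadband: float, steps: int = 2000, seed: int = 1) -> int:
    """Run a bang-bang level controller for `steps` ticks and return how
    many times the pump changed state.  `deadband` is the half-width of
    the hysteresis band around the setpoint (0.0 = switch exactly at it)."""
    rng = random.Random(seed)
    setpoint = 50.0          # desired tank level (arbitrary units)
    level = setpoint         # true level; starts right at the setpoint
    pump_on = False
    toggles = 0
    for _ in range(steps):
        reading = level + rng.gauss(0.0, 0.5)  # noisy level sensor
        # Controller: stop the pump once the reading rises past the upper
        # threshold, start it once the reading falls below the lower one.
        if pump_on and reading >= setpoint + deadband:
            pump_on = False
            toggles += 1
        elif not pump_on and reading <= setpoint - deadband:
            pump_on = True
            toggles += 1
        # Plant: the pump adds 0.30 per tick, consumers drain 0.15 per tick,
        # so the level drifts up while the pump runs and down while it rests.
        level += (0.30 if pump_on else 0.0) - 0.15
    return toggles


def chatter_ratio(noisy_deadband: float = 0.0, safe_deadband: float = 2.0) -> float:
    """How many times more often the no-hysteresis loop cycles the pump
    than the loop with a proper deadband does, over the same run."""
    return simulate(noisy_deadband) / simulate(safe_deadband)


if __name__ == "__main__":
    # Motor manufacturers rate pumps for a limited number of starts per
    # hour; a loop that starts the motor hundreds of times in a short run
    # wears it out with no attacker involved.
    for band in (0.0, 0.5, 2.0):
        print(f"deadband={band:.1f}: pump toggled {simulate(band)} times in 2000 ticks")
    print(f"no-hysteresis loop cycles the pump {chatter_ratio():.0f}x more often")
```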

I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”

Late Update:

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” said Don Craven, a water district trustee.

That pretty much settles that in my book.

Although I have to share one last quote from the Curran-Gardner Water District trustee: “I drank the water this morning.”

– SR

2011.11.25 – Update
One last update, looks like those strange Russian IP addresses actually came from Russia! Via a contractor who had authorized remote access. Imagine that. Yup, blame the contractor.

– SR

NASA Confirms but China Denies Satellite ‘hacking’

Since I posted my previous item regarding my suspicions as to the validity of the claims of ‘interference’ with a US Government satellite there have been a few more developments.

First NASA has come out and ‘confirmed’ the interference.

According to NASA PAO: “NASA experienced two suspicious events with the Terra spacecraft in the summer and fall of 2008. There was no manipulation of data, no commands successfully sent to the satellite, and no data captured. NASA notified the Department of Defense, which is responsible for investigating any attempted interference with satellite operations. While we cannot discuss additional details regarding the attempted interference, our satellite operations and associated systems and information are safe and secure.”

Which if you read between the lines says absolutely nothing and denies everything. Just “two suspicious events” that caused no commands to be sent to any satellites, and no data changed or captured from a satellite. So what exactly constitutes a “suspicious event”? How the hell did we go from “suspicious event” to “OMG Hackers are controlling satellites!”?

This of course brings me right back to my original theory: that nothing of any significance actually happened, that some system got infected with malware, and that since that system was supposed to be air gapped and could control a satellite, NASA had to inform DoD as a matter of protocol. So no satellites actually got ‘hacked’ and the cyber cold war continues as usual.

The second development is that China has denied all the accusations. Naturally. Specifically they claimed “This report is untrue and has ulterior motives. It’s not worth a comment,” which I agree with completely.

Rebuttal – “Hackers reportedly behind U.S. government satellite disruptions”

First some historical background: this is at least the third time I have seen a similar story over the last 15 years. “OMG ‘hackers’ can control a satellite”, and the previous two times it turned out to be false. The first time I was one of the first people to call the story suspect.

It is hard to find links that still work from 1999, but Reuters actually had to publish a retraction, if you can call it that.

It reared its ugly head again a few years later and became “the second most mysterious unsolved cyber crime,” and it wasn’t even true. I have a blog post about that mess here with some more supporting links.

I’ve seen similar stories pop up about once every five years or so: “OMG the world is gonna end, hackers control the skies, Aaarrrrggghhh!!!!” Remember the story a year or so ago where Taliban ‘hackers’ got control of a Predator drone or some bullshit? When most likely all that happened was that they got a copy of the off-the-shelf control software, maybe. Never conclusively got to the end of that one.

In all of these cases there are similarities: blame some unknown entity, vague details and no verifiable information.

So let’s look at this story. The accusation comes from some anonymous report, ok, ok, not actually anonymous but from the U.S.-China Economic and Security Review Commission. Hmmm, think they have an interest in pointing fingers? And I don’t see any actual names on the report (admittedly I haven’t looked too hard). So, first they blame China, naturally, who else are you going to blame? They don’t blame kids in basements anymore, there is no profit motive in controlling satellites (well, unless you can keep control) so cyber criminals are right out, it must be a nation state, and with the cyber cold war going full bore the biggest enemy is China, so let’s blame them. Why not, they are just going to deny it like always.

As for specifics, they say the ‘hackers’ caused ‘interference’. WTF does that mean? Did they gain full control? Did they move the satellite from its intended orbit? Were they able to send unauthorized commands? Or did they merely ping the control systems? Maybe infected them with standard malware? Did they stand outside and try to jam the microwave signals? Just what the hell does ‘interference’ mean?

This report actually lists a suspect location for the attack, “may have used an Internet connection at the Svalbard Satellite Station in Spitsbergen, Norway”. But has anyone bothered to call anyone who works there to verify the story? Even to get a dry ‘no comment’? I haven’t seen one. Also notice the “may have” implying they don’t really know. How the hell could they not know?

I mean come on, think about it, this is a satellite installation, according to their web page “the world’s largest commercial ground station with more than 31 state-of-the-art multi-mission and customer dedicated antenna systems in C-, L-, S- and X-band.” Whoa! Sounds like they know what they are doing. I would think that someone there would be able to give some sort of comment. If they are a commercial organization then letting word get out, unchallenged, that their systems got broken into and multi-million-dollar satellites are not under their control sounds like there could be some liability there. Someone should be confirming the story and minimizing its impact or denying it outright. Something. No, all we have is a ‘may have’.

And lastly, satellite control systems are supposed to be air gapped, in other words not connected to the Internet. Granted there are numerous cases where the air gap got bridged, usually with a USB drive; the recent remote command center for Predator drones being infected with malware comes to mind, so air gaps aren’t foolproof. But still, you would think a breach of this magnitude would show up somewhere other than an almost unnoticed report put out by the U.S.-China Economic and Security Review Commission.

I have no facts or sources to confirm this, but my theory is that the ‘interference’ was nothing more than run-of-the-mill malware that infected the office and business systems of the Svalbard Satellite Station. One of the authors of this report got wind of it and suddenly it becomes hackers interfere with satellites.

So, until I see some actual facts and verifiable sources I’m calling this whole story bullshit.

– Space Rogue

We would like your feedback

Getting your customers to fill out market satisfaction surveys is all the rage these days. “We greatly appreciate your feedback.” Hey, it’s free demographic marketing! It’s also usually ego stroking; studies show that people tend to skew their own responses to the positive side of things. Generally I don’t fill these things out at all. I just route these emails directly to the trash bin. I don’t do free marketing research for your company. However, once in a while I get pissed off enough to waste ten minutes to fill out the survey, at least enough until I get to the comment box. (Didn’t put a comment box in your survey? Better hope all your executives have an asbestos-covered email inbox.)

“You indicated that you are not very likely to recommend Verizon Business to a friend or a colleague. What can we do to improve?”

Not suck. You failed at every level, from order taking to product delivery to service connection. You failed at everything, multiple times. The only thing you can do to improve is just not suck. It isn’t really that hard. Seriously, I have never seen so much suckage, you suck at incomprehensible levels. I don’t mean to sit here and call you names, but I have never ever seen one organization just not care, about anything. This wasn’t just one bad employee, this was everyone, it was systemic within your organization. The order taker, the project lead, her boss, the implementer, the guys on the phone when I turned the circuit up, everyone. No one cared, and no one could do their job correctly the first time.

I have dealt with Verizon off and on for years and years, and there have always been problems. I have had dozens of circuits installed and every single one of them has had something go wrong. I expect it and I usually plan for it. But this time, everything went wrong: the order taker forgot to submit paperwork for me to sign until the last minute, the site survey was delayed by two weeks and actually had to happen twice. Your Business unit could not talk with your Core unit. (What the hell is the difference?) You couldn’t pull cable, then you failed to connect the circuit the first time, or the second, then you forgot to send me the router you ordered for me two months prior! All the while I am attempting to get things corrected with the project manager and her boss. Basically, they didn’t care.

You have problems Verizon, deep problems. And now I am stuck with your line into my company like some grotesque festering infectious tentacle that I would rip out completely down the seven floors into your node if I could. You have your contract, you have me for three years, and frankly I am so tired of fighting that now that the service is working, finally, I am too tired to change it. So yeah, you have my (company’s) money Verizon, for now, but as soon as this contract is up I will be switching and I will never ever EVER install another Verizon circuit ever again. I would rather install Comcast or so help me even RCN before I install another Verizon line.

Do you know who you are?

GAT circa 1995

The above photo was taken in the backyard of my house sometime around 1995 at one of the infamous 617 barbecues known as Grillathon. There are some people in that pic who are now rather famous in certain circles. There are a LOT of people who were at the BBQ who have gone on to bigger and better things within the infosec industry. There are even more people from the same 617 area who now head security departments at Fortune 100 companies, hold high level positions at DOD, or hold millions of dollars of VC money in the palm of their hand.

Some have embraced their past, they openly admit who they associated with, and wear it almost as a badge of pride. Others actively hide away from it. They want no mention of their past associations or that they even once used a handle. <gasp> I’m not talking about admitting to past crimes or other transgressions. There is no need to say you pwned an entire country in 1998 (who didn’t), no, I’m just talking about admitting who you were, and who your friends were. I don’t understand why this scares some of us so much.

It is one thing to not advertise certain facts, but it’s another to actively go out of your way to dissociate from your past, and it pisses me off. We all know who you are and who you were, do you?

Speaking of 617, you may have noticed Lady Ada (Limor Fried) on the cover of Wired this month (April 2011). One of dozens of people from the late nineties 617 BBS scene to go on to huge success. I’d love to make a list of people who were in the scene then and where they ended up, but I suspect it would upset a lot of the people who are hiding their past.

I might do it anyway. I would be afraid of leaving people out, so remind me who was around 617 back then and where they are now. If you were around back then and think making such a list would be a bad idea, let me know that too. I may not listen to you, but I might. Depends on how pissed I get about it.

Résumé Wackiness

So I recently decided to move to a new city, and as a result I quit my job as an IT Manager. One of the last tasks I had was to place advertisements, read résumés, and interview prospective replacements. It had been a while since I had hired anyone and usually I had HR sifting through the first round of résumés. This time however, I was it; this company had no HR department. Considering that the position was not an entry level position I assumed that the people who would be applying for the job would know how to write a résumé. I was wrong, I was very very wrong. After tweeting out my frustrations many people asked what exactly I was seeing, so here it is.

First let me explain what the job was. The company in question was a small 30+ person creative company. They had a mix of mostly PCs with a smattering of Macs, all authenticating against an Active Directory domain. They had a file server, a firewall, a security and telephone system, and a few other unusual tech pieces, which is pretty much the same in any company. They needed one person to handle it all. I had already done most of the hard work by upgrading and organizing the mess that was there when I arrived several years earlier. The job needed someone to handle everything from paper jams and software updates to managing the VPN and telling the CEO what new technologies he should be looking at. Not an entry level job but not a CIO either.

The job description was initially posted to Craigslist and then to LinkedIn. One thing about my experience hiring for this position that was different than hiring elsewhere was that all the résumés came directly to me. No one filtered them out beforehand. Résumés from Craigslist came in one big bunch at first, followed by a big surge from LinkedIn. I would say I got 80% of all the résumés I received within a week of posting both ads. LinkedIn seemed to have the longest tail, with résumés arriving at a pretty steady rate for about two weeks, although some people were still responding to the Craigslist ad up to three weeks later. If you are looking for a job I would recommend looking for new listings daily. In this particular case we went from job posting to job offer in three weeks. People who applied during the third week did not get the same consideration as those that applied during the first week. The job was listed on a Tuesday and I was already interviewing people on that Friday. I suspect in some companies they may wait until they get all the submissions and then start going through them, however every position I have ever hired for has been a ‘We need to fill this position now, get them in as soon as possible’. I’ve never had time to collect a bunch of résumés and then leisurely sort through them.

As for the résumés themselves… well, I was surprised. People seem to have forgotten what the résumé is for. It serves one purpose and one purpose only: to get the interview. That’s it. You will not get hired for any job based on how good your résumé is; what you might get is an interview. For the record I received over 80 résumés in three weeks. With that kind of competition you really need to make sure your résumé is going to get you that interview. Out of those 80 applicants I actually brought in and interviewed eight people. I don’t know if that can be extrapolated to the wider job market as a whole, but 10% sounds about right to me.

Something else that people seem to forget is that a real person is actually going to read the résumé eventually. All those buzzwords you use to get caught in the HR search engine are going to read like crap when a real person tries to decipher the buzzword- and jargon-filled ten page diatribe you submitted as a résumé. Which brings me to my third surprise: length. Seriously, I see no reason at all to go beyond three pages, ever. In my book two is acceptable, but if you really want to impress me go with one page. I received exactly one résumé that was one page long. Guess what, he got an interview. On the other end of the spectrum the longest one I got was seventeen pages and the second longest was eleven pages. I think I glanced at the first two pages of both and threw them on the ‘no’ pile.

I don’t usually check to see if a résumé has education listed. Formal education does not impress me; I wasn’t hiring for an entry level position so I was looking for experience. However, most people did list some sort of secondary education. It has been my experience that most schools force students to take some sort of career development class where they teach you how to write a résumé. Either most people forgot what they learned or schools are teaching shite. If you have never taken a résumé writing class or slept through that class in school, find a class at your local adult ed center and take it, or ask someone who works in HR to critique your résumé or something. Also don’t forget the cover letter. It doesn’t have to be long, but I personally consider not including some sort of letter other than the résumé to be rude and lazy.

So what do I want to see on a résumé? First, follow directions. If the job listing says to submit to a specific address then do so, don’t just hit reply on the Craigslist ad. This really upset me; if you can’t follow simple directions why should I hire you? Unfortunately it happened way too many times. At least half the résumés went to the wrong address.

The résumé should be easy to read. This should go without saying. This was for an IT Manager position not a graphic designer. Multiple colors and wacky fonts with strange layouts do not impress me. They go straight to the No pile.

If you are applying for an IT Manager position and your last job was a CTO then you are probably a bit overqualified and will end up in the No pile. If you are not really a CTO but just gave yourself the title because you are the only tech guy where you work, don’t. If you are applying for a lower position than you currently have then dumb down your résumé. If I think you are just going to jump ship as soon as you find something more on your level I’m not going to hire you. I probably got 20 or so résumés that list CTO or CIO as their last job, and almost all of them went straight to the ‘No’ pile.

I received one résumé with no job history at all, just a list of certifications and schools. This guy had every cert I think I had ever heard of. There were more acronyms than words on the page. I got nothing against certs, and if you got ‘em put ‘em on there, they can’t hurt, unless they are the only thing you have. Personally I want to see experience. Even when I am hiring for an entry level position where applicants are likely to have no relevant experience I still want to see job history. Even if it is landscaper, Burger King and Best Buy, list it. I want to know that someone else thought you were worth hiring and that you could keep that job.

And speaking of experience, the first thing I look for is job titles, so make sure those stick out somehow on the résumé. I want to see job titles and I want to see dates of employment. If you only list the year, like say 2005-2006, and those years aren’t very far apart, I’m going to get suspicious. I mean, I’m a tech guy, I understand people jump around a lot, but if I see four jobs in three years there better be a logical progression of positions or you will end up in the ‘No’ pile.

Oh, and a biggie: fix ALL typos and grammar errors. The résumé should reflect your absolute best work. A typo, spelling error or simple grammar mistake probably won’t kill your chance at an interview, but it won’t help and there is no reason for it. Get someone else to proofread it for you. Personally I suck at spelling and grammar, so much so that the way I write got its own name, ‘Spaceronics’, but there is no excuse for such mistakes on a résumé.

So if you want to get called in for an interview for a position I am hiring for, keep the résumé short, three pages max, easy to read, highlight job titles and dates of employment, and try to make your work history as relevant as possible. Dumb it down or smarten it up as necessary (Do NOT lie on the résumé, ever!). For a bonus make sure it prints out well. I think anyone who follows those steps and applies for a position they are somewhat qualified for should at least get a phone call. Good luck.

Red Team Uniform

Allied Security Jacket

So I happened to be walking by the thrift store today and they had a rack of winter jackets on hangers outside on the sidewalk with a sign on them that said “Jackets $5.00”. The really interesting thing was that one of the jackets happened to be from the local security company Allied Security, with the logos still prominently displayed. It would make a great costume for a security red team. Something to think about next time you see a security guard wandering around somewhere maybe he shouldn’t be, or who seems to be asking you a lot of unusual questions.

You sir are a bona fide Douchebag.

thefixer wrote:

Who gives a shit about your opinion, you’re an obsolete groupie, of obsolete hackers who sit around all day stroking each other’s cocks, at “cons” like blackhat, you spend your 3,000 on tickets, while the whole thing is a sham, no real blackhats there, just a bunch of tired ass white hats, stroking each other’s egos, trading stories of the glory days of the 90s, you are all hypocrites who have long since sold out and spew your rhetoric from your comfy corporate desks. You are no longer the wiz kid who awes your parents and friends, no, You are now the thing you once hated, You are tools of infrastructure now, you wrap yourselves in the flag and serve the same system that is enslaving us all, you and your kind have contributed to this framework to end the wild west of the internet and take power from the people and give it to the fascists. You disgust me.

You sir are a bona fide Douchebag.

Hackers Need Not Apply

Back in the nineties, the glory days of hacking, just after the golden age of the late eighties, many companies were starting to get into the whole Internet Security thing. Everyone and their brother had an Internet Security company and VCs were just crawling over each other to give them money. One thing most of the early companies had in common was a staunch refusal to hire ‘hackers’. They would give speeches at conferences and say ‘We hire only the best security experts, but no hackers’. They would issue press releases that said the same thing. I remember reading these and laughing because all the hackers I knew worked at these very same companies. (The ISS X-Force said this all the time, and everyone who worked there was a hacker.)

At the time this was a brand new industry that basically took shape overnight. There were so many security startups you literally couldn’t throw a rock without hitting one. Foundstone, Guardent, @Stake, and those are just the big names that I remember off the top of my head; there were dozens of other smaller firms all vying for a piece of the pie and for the ever decreasing pool of talent. Basically if you knew what a war dialer was, could run a file of hashes through L0phtCrack and knew how to clear your browser cache you were hired as a Security Expert at 100K a year. It was that easy.

So what did all us hackers do? Well, we got jobs, naturally. We got jobs at the very same companies who said “We don’t hire hackers”. Very very few of us actually had criminal records, and those who did usually had them sealed due to juvenile status at the time. So when it came time to fill out the employment history on the job application you filled it out truthfully: Landscaper, Burger King, Tech Support, and now Security Expert. Nowhere did you write down ‘Hacker’. When we went into the job interview we did not wear a big sign around our necks that said ‘Hacker’.

At some point after @Stake acquired the hacker think tank L0pht Heavy Industries this whole ‘we don’t hire hackers’ thing started to change. A lot of companies saw that it added to their credibility to say that they had a hacker or two on staff, or if they didn’t actually publicize it they definitely didn’t make asinine statements like “We don’t hire Hackers”.

Well, I guess things have come around full circle. Because Enrique Salem over at Symantec has stated that “You always worry about [grey hats]. Symantec has a standing policy that we don’t hire anyone to be a part of our company who has done any kind of known hacking,” he said. “We will not employ hackers.”

Enrique has been at Symantec for 16 years now, but maybe he was too busy doing whatever it was he was doing before he got the CEO job in April to realize that his company does hire hackers. Or at least they did ten years ago when they bought @Stake and its old L0pht (and cDc) members. (OK, so I guess technically they bought them and didn’t actually hire them, but semantics.) (Hey, always wanted to make that pun, hehe.) At least one of the old L0pht folks was still working there up until a few years ago.

But even now there are more people than I can count on one hand who I know personally that work at Symantec who are publicly well known hackers. They speak at hacker cons, are known by their handles and call themselves hackers. They don’t go around advertising where they work, but it’s not a big secret to those of us in the community. I don’t think they have criminal records and I doubt they go around breaking into other people’s computers, but then hacker does not equal criminal.

If you want to go around and say “We don’t hire hackers” that’s fine, just realize that there aren’t going to be very many people left to hire and that you sound like an idiot when you say it. (Hey, DHS, are you listening?)

PC Protect

Internet scams are a dime a dozen, from pop ups for fake anti-virus software packages to cleverly designed phishing websites that look exactly like your bank’s login page. Internet criminals will try just about anything if they think they can get away with it. Today I ran into what I think is a totally new scam that definitely involves your land line telephone, and I am pretty sure it involves the Internet, but I’m not sure.

The telltale sign that you have been had is a monthly charge on your telephone bill for $19.99 for something called “PC Protect”. Now a business of any measurable size is going to have a phone bill such that an additional charge of $19.99 is going to be barely noticeable, and I suspect that this is exactly what whoever is doing this scam is counting on. Thankfully the company I work for has an eagle eyed accountant, and when she spotted the extra charge she quickly brought it to my attention and asked what it was. I had no idea, but with a name like “PC Protect” my spidey sense started tingling immediately.

A quick Google search turned up a snazzy one page website (which I can no longer seem to find) full of web 2.0 goodness that looked like it was just there to sign people up to some sort of anti-something service. At the bottom of the page, in the tiny tiny fine print, there was a statement about how people could dispute charges by calling a number. Well, obviously we called. The first time they claimed to be from quizrocket DOT com (no, I won’t actually link to the site), the second time they claimed to be usprizedraw DOT com. We complained about the charges and they basically said tough, that our employee John Smith authorized the charges. So we called Verizon, who easily agreed to remove the charges.

All well and good, but the question remains: how did these people get the company phone number and an employee name to pin it to? Obviously I had a talk with John. John is one of those rare people who ‘gets it’, mostly, from an IT perspective. He told me that he never visited either of those sites or any other site even remotely close to them, doesn’t use Facebook, doesn’t fill out online quizzes, and when he buys stuff online for the company he uses a fake phone number (Like I said, he ‘gets it’).

If it was anyone else I would probably just say he filled out a form somewhere and got phished, which is still possible. Or there may be undetected malware deep inside his machine that I haven’t found yet. (I will take a closer look soon.) Looking closer at the company info I quickly started going nowhere: fake company names, with fake addresses etc…

I will be looking closer at this stuff over the next few days. If you have heard of PC Protect or if anything else in this sounds familiar let me know. In the meantime keep a close eye on your phone bills.