Journalists accumulate piles of notebooks filled mostly with a lot of innocuous stuff. Most of it never makes it to print or online. Unless of course you have to write a column and don’t have one thing you want to write about and just want to do what’s affectionately known as a notebook dump in journalism circles. Enjoy.
Pipelines under attack
Earlier this year, I was lucky enough to get a dose of reality regarding SCADA security—or SCADA insecurity as the case may be. At the Kaspersky Security Analyst Summit 2012, Terry McCorkle, a researcher who has a day job with a major U.S. manufacturer, talked about a project he and fellow researcher Billy Rios took on examining the reachability of Human Machine Interfaces (HMI) online. HMI translates SCADA data into a visual representation of an industrial system, essentially building a flowchart of industrial processes. McCorkle and Rios found 95 easily exploitable vulnerabilities on these Windows-based interfaces living online. Attackers exploiting these vulnerabilities could in theory flip switches on pumps, HVAC systems and a lot more, putting anything from IT data centers to prison door systems at risk.
Fast-forward to May, when DHS’ Industrial Control Systems (ICS) CERT team issued an alert about an APT-style attack on multiple natural gas pipeline organizations—most of those operating in the private sector. The ICS CERT alert describes a familiar attack progression: a spear phishing campaign targeting particular employees leading to malware-based intrusions into these sensitive systems dating all the way back to December. The alert goes on to describe how ICS-CERT is privately sharing information via briefings with pipeline companies on the nature of the attacks and possible mitigations. Very little is being disseminated publicly other than a recommendation to follow defensein- depth practices and educate users about social engineering and spear phishing.
SCADA security is a joke; McCorkle and Rios have said so, as have many others who dig into these systems.
SCADA security is a joke; McCorkle and Rios have said so, as have many others who dig into these systems. Operators won’t take these systems offline to patch them for fear of breaking processes. Also, there aren’t very many effective automated patch distribution tools for industrial systems. All of this tends to make one skeptical when you hear saber-rattling about a particular attack. Why did ICS-CERT feel compelled to go public with an alert if it had been talking to the affected parties all along? Is it coincidental that public alerts about months-old attacks just happen to surface as a security information- sharing legislation such as CISPA is prominent in the headlines? Who stands to gain and how? Sadly, too many questions, not enough answers.
Arrogance and Oracle security: Not an oxymoron
Adobe may have its share of security issues with its flagship products such as Flash and Reader, but at least you can expect a patch for known vulnerabilities. Can’t say the same for Oracle. Timeliness ain’t Oracle’s forte. Neither are complicated security patches. Oracle’s response to a zero-day vulnerability in its TNS Listener is laughable at best, arrogant at worst. Not only did the vendor apparently sit on the Oracle vulnerability for four years (that’s 1,460 days give or take a leap year or two), but once it got around to an update for the vulnerability in the April Critical Patch Update, it provided a workaround, not a patch. Seems a patch is too hard and won’t fix the issue until its next full release. “Such back-porting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions…” Did we mention exploit code has been released? Seems the researcher who reported the bug back during the Bush administration got his wires crossed; when he heard the problem was addressed in the CPU, he assumed patch, not workaround, and put up the details on Full Disclosure. Silly him; this is Oracle we’re talking about, where nothing can be taken for granted regarding security.
Odds and ends
- Mobile is hot, and we’re not above some bandwagon jumping. We surveyed our readers recently about their mobile security habits, policies and processes, and the results are in—and noteworthy. Look for a full report in the coming month at SearchSecurity.com, but let’s just say there isn’t a critical mass of mobile device security policies out there; a heckuva lot of personal devices access and store work-related data, and most of you are still concerned primarily with device loss and looking for management help—access control technology too.
- We’re a little more than six months away from the 10-year anniversary of the SQL Slammer worm, and a little more than a month away from the decade commemoration of David Litchfield’s Black Hat talk, which exposed the SQL Server vulnerability the 376-byte worm blasted through. Slammer is probably the most economical and effective piece of code in computing history. Less than 400 bytes slowed sections of the Internet to a crawl on that cold January 2003 Saturday morning. Slammer cemented the need for regular patching and probably sealed the deal for Microsoft to initiate Patch Tuesday (the first one was in October 2003). So if you happen to be at Black Hat next month and see David Litchfield, wish him a happy anniversary.
Michael S. Mimoso is the editorial director of TechTarget’s Security Media Group. Follow him on Twitter @Mike_Mimoso. Send comments on this column to firstname.lastname@example.org.