Rss

Archives for : environment

SCADA Security Presentation

This is a presentation I gave on SCADA security some time ago. It was originally set for about 2 hrs, although I broke it into 2 halves so if time permitted (or the partisipants wanted more inforamation), the backend of the presentation has many more areas and guidence relaing to SCADA, devices, environment security, etc.

I defined the following outcomes for the presentation:

  • Broaden the awareness and necessity of security within the SCADA environment.
  • Understanding of business role in the governance/risk identification process.
  • Heighten the understanding of technology risks.

I hope people find the material interesting and useful.

SCADA Security Presentation Derek Grocke

Hacking SCADA/SAS Systems Used Techniques, Known Incidents and Possible Mitigations

I have been working in the SCADA engineering, network design, project governance and security area for lots of years.

As a result I have many documents and techniques I will be sharing here. This is the first of many documents which I hope others will find informative and help others to understand and shape their approach to these environments.

Local file

SCADA considerations

Procedures

  • Corporate Information Protection
  • Security Management
  • Information Classification
  • Physical (and Environmental) Security
  • Personnel Security
  • Security Awareness Training
  • Security Incident Response
  • Security Monitoring
  • Network Security
  • PC/Workstation Security
  • Support and Operational Security Related
  • Encryption and Information Confidentiality
  • Authorization Controls
  • Identification and Authentication Mechanisms
  • Systems Life Cycle Security
  • Business Continuity Planning
  • Media Security
  • Third Party Services

Typical concerns and points discussion:

  • Inbound and out Bound FTP
  • Suggest use of DMZ
  • Suggest use of Secure FTP
  • Suggest use of restricted secure IP addresses / tunnelling
  • Suggest use of private feeds

Modem issues used with dial in services

  • No dial back
  • No Authentication
  • No Secure ID
  • Possibly automated scripts used, so hard coded usernames and passwords used.
  • Internet sharing may be turned on, allowing routing via workstations.

Increased data security and integrity considerations

  • Data backups
  • System redundancy
  • Site and content filtering
  • Virus protection
  • Standard system procurement (discounts and spares)
  • Network and services redundancy
  • Network monitoring
  • Service availability monitoring
  • Internal controls
  • Vendor / external service supplier
  • Capacity management
  • Change management system
  • Asset management system
  • Telecommunication and telephony bulk cost discounting
  • Etc.

Use and support for corporate application considerations

  • Email
  • Intranet
  • Internet
  • Corporate virus protection
  • Asset management
  • Change management
  • Project management
  • Performance / capacity management
  • Reduction of Cost
  • Use of corporate applications
  • Reduction of manual processes

Other things to keep in mind:

  • SCADA monitoring system must be isolated from network errors and systems events. This will prevent SCADA operational systems being effected by network or corporate system issues / outages.
  • Review Network topology to ensure internal and external vulnerabilities are not currently being and cannot be abused.
  • Review of router configurations
  • Use of change management system
  • Review remote dial in systems
  • Firewall SCADA systems off from corporate applications
  • Uncontrolled networks and systems within the SCADA environment will compromise the corporate environments integrity and security.
  • Determine if systems used within SCADA are built to a standard operating environment.

DUKPT Overview and Transaction notes

Hi,

I was asked on another post relating to DUKPT to provide some backgound. Given I have lots of material on the subject, I thought I would create this thread. Link

 

I will come back at some stage and expand on this when I get time.

Transaction Process narrative:

The diagram describes a mobile terminal/ATM is described using the a AS2805 (‘2805′) message type and 3DES DUKPT and dual direction auth SSL from the terminal to the aquirer (transaction switch).

A good explanation of DUKPT can also be found at Wikipedia.

 

Diagram of the flow

 

DUKPT transaction flow - terminal to bank

DUKPT transaction flow - terminal to bank

 

Background notes:

  • The terminal or ATM firstly encrypts the user entered pin (may be a unique DUKPT key or static, depending on the design and banks involved) prior to incorporating it into the AS 2805 transaction message.
  • the message is then encrypted again using the DUKPT key which has been established through the merchant logon process within the aquirer Host Security Module (HSM) i.e. the user entered pin is encrypted separately and encapsulated within the DUKPT encrypted 2805 message to provide full message encryption.
  • In the diagram a separate dual authenticating SSL session is also used between the terminal/ATM and the aquirers infrastructure. This allowing the transaction including the pin to traverse the external Wired/GPRS/LAN within 2 primary independent layers of encryption, with a 3rd protecting the PIN.
  • When the transaction enters the aquirer environment the message encapsulation layer provided by SSL is removed.  This leaving the DUKPT’ed 2805 message which also encapsulates the separately encrypted PIN.
  • This encrypted message is passed to the aquirer switch engine through to the aquirer’s HSM for decryption of the 2805 message excluding the user entered pin.
  • This is when transactional information necessary for aquirer’s merchant reporting (truncated card number, transaction amount, transaction type, etc.) and fraud management data is collected.
  • The aquirer switch then passes the encrypted PIN to the aquirer HSM requesting that the PIN be decrypted using the aquirer’s PIN encryption and translated to the next banks (Bank 1)  PIN Encryption Key (Pin translation only occurs within the aquirer HSM) This is then sent back to the aquirer Switch engine as the Bank 1 encrypted PIN.
  • The aquirer switch engine then send the decrypted 2805 message with the newly encrypted PIN back to aquirer HSM to be encrypted with the Bank 1 MAC key.
  • The resultant Bank 1 key encrypted message is then sent to Bank 1 for processing and/or passing to the card issuer (using a similar process as described above).
  • When the result is received back from the issuing bank it is encrypted with the Bank 1 MAC key (the pin will not be present in the result message).
  • This is then decrypted by the aquirer HSM, the transaction fate result stored into the aquirer merchant reporting system and the transaction fate re-encrypted with the original aquirer DUKPT key (should be different per terminal/merchant instance) and the result sent back to the terminal through the original established SSL encrypted terminal connection.

The aquirer may terminate the the SSL connection on a hardware device such as a CISCO Content Service Switch (CSS), or equivalent instead of the design described in the diagram which terminates onto a SSL session server/gateway (Possibly including a Certificate Authority) or on the aquirer transaction switch.

When PIN blocks are received by the aquirer processing centre, the PIN encryption is translated from the terminal key to the Local Master Key (LMK) by the Host Security Modules (HSM).

When the message is sent on the upstream bank interchange link to the issuer or gateway , the aquirer HSM translates the encrypted PIN block from the LMK to the Zone Master Key (ZMK) of the aquirer interchange link. The PIN block is always encrypted using DEA3 (3DES) whenever outside of the Terminal or ATM.

HSM-8000-User Guide V2.2

VoIP and SIP links

I’m looking at the Microsoft OCS server and other SIP integration environments. So I thought I would put the links here for others who were interested. I am also considering the issues associated with Mitel VoIP and OCS integration.

It would be interesting if the Microsoft OCS could seamlessly allow the use of soft phones and the Mitel VoIP system. I assume a trunk needs to be setup between the two… Anyway something to look at.

http://communicationsserverteam.com/archive/2008/05/23/196.aspx

Office Communications Server 2007 VoIP Test Set

OCS Testing Tool

Connect Mitel and OCS2007

Mitel 3300 & OCS – Ring on deskphone and softphone

Connecting Mitel 3300cx and OCS

VOIP – MITEL 3300 SIP TRUNK TO OCS 2007

OCS 2007 Best Practices Analyzer

Lethal Toxins Entering Your Body

I recently read an article in a magazine and was shocked to see some of the toxic dangers which modern living introduce. Australian Men’s Health April 2008, by Susan Casey, pg 87.

I thought I would expand on this article here as a method of analysing some of the things Kerry and I need to be careful of. I hope this also assists others in understanding some of these dangers.

“Except for the small amount that’s been incinerated every bit of plastic ever manufactured still exists”

Toxic

Articles

Polycarbonate

Bottles (marked with a #7 in a triangle)

Cling wrap and plastic takeaway containers (marked with a #7)

Dangerous

Ingredients

Bisphenol A (BPA), a synthetic oestrogen, which can leach into the bottle’s contents when heated.span>

Phthalates, a probable human carcinogen and endocrine disruptor, can seep into food (especially fatty foods, such as delis meats and cheeses).

Linked to

Prostate cancer, reduced sperm count and reproductive-organ abnormalities, according to US studies at the universities of Missouri, Chicago and Cincinnati.

Reproductive problems like undescended testes and low sperm count, reveal researchers at New York’s University of Rochester and the Centres for Disease Control and Prevention in the US.

How to reduce your exposure

Pots, pans and bottles made from stainless steel are a non-toxic alternative. If you’re using polycarbonate, keep it out of the dishwasher and replace it every 60 days or if it’s scratched. Plastic releases toxins over tie when damaged or exposed to high heat.

Keep it out of microwave and dishwasher. Don’t store fatty or acidic foods in these containers, rather use waxed paper and buy meat wrapped in paper from the butcher. If you use plastic-wrapped cuts, trim the edges off where the product touched the wrapping.

 

Toxic

Articles

Polystyrene cups and takeaway containers (marked with a #6)

Fast-food containers (with waxy lining) and non-stick (Teflon) pans.

Polyvinyl chloride (PVC), used in vinyl flooring, shower curtains and car interiors.

Dangerous

Ingredients

Styrene, a possible human carcinogen, can leah into the contents of the cup.

Perfluoro-octanoic acid (PFOA), a grease-repelling flourotelomer chemical and likely human carcinogen, can transfer from the waxy-plastic coating onto the food inside, especially at high temperatures.

Vinyl chloride is a known human carcinogen that gives off gas into the surrounding air, so it’s inhaled instead of ingested.span>

Linked to

Cancer, warn scientists at the US Environmental Protection Agency’s (EPA) Office of Research and Development and the World Health Organisations International Agency for Research on Cancer.

Cancer, lung and kidney damage, according to studies at the EPA and Environmental Working Group in the US.

Cancer and liver damage, predicts both the EA and the Centre for Health and Environmental Justice in the US.

How to reduce your exposure

Never drink hot liquids out of polystyrene ups. Use paper ones (those without a wax lining) whenever possible or a ceramic coffee mug. If your takeaway comes in polystyrene, transfer it to ceramic dish or glass as soon as possible.

The best alternatives to drive-through and delivery are sit-down restaurants and home cooking. At home, never use Teflon-coated pans. If you own any, replace with non-toxic cookware made from copper, cast iron or stainless steel.

Use natural materials for home flooring. Buy a shower curtain made from hemp, which lasts longer and is naturally mildew-resistant. New vinyl gives off aerial toxins at highly concentrated levels, so open windows to air spaces where this material is present.

 

These are also great articles:

http://www.seattlepi.com/local/326907_plastic09.html

http://www.bravenewleaf.com/environment/2008/02/updated-repeat.html

http://www.breastcancerfund.org/clear-science/environmental-breast-cancer-links/plastics/

http://io9.com/how-to-recognize-the-plastics-that-are-hazardous-to-you-461587850

http://www.smallfootprintfamily.com/avoiding-toxins-in-plastic

http://articles.mercola.com/sites/articles/archive/2013/04/11/plastic-use.aspx

ISO 14443 contactless card

An international standard for proximity or contactless smart card communication

ISO 14443 contactless card

ISO 14443 is an international standard which describes how contactless cards and terminals should work to ensure industry-wide compatibility, for example in identity, security, payment, mass-transit and access control applications.

ISO standards are developed by the ISO, the International Organization for Standardization. Technical committees comprising experts from the industrial, technical and business sectors develop the standards to increase levels of quality, reliability and interoperability on a global scale.

Gemplus has always had a strong involvement in ISO definition of the chip card standards, and has been represented in the development of this international standard. The ISO 14443 is divided into 4 separate parts outlining physical characteristics, radio frequency power and signal interface, initialization and anti-collision and transmission protocol.

Gemplus has developed a wide range of contactless payment solutions based on the ISO 14443 international standard. The speed and convenience of contactless technology has created a significant demand for this sort of solution in environments such as fast food restaurants, gas stations, public transport services, banks and many others.

Serious flaws in bluetooth security lead to disclosure of personal data

source

 

 

Summary
In November 2003, Adam Laurie of A.L. Digital Ltd. discovered that there are serious flaws in the authentication and/or data transfer mechanisms on some bluetooth enabled devices. Specifically, three vulnerabilities have been found:

Firstly, confidential data can be obtained, anonymously, and without the owner’s knowledge or consent, from some bluetooth enabled mobile phones. This data includes, at least, the entire phone book and calendar, and the phone’s IMEI.

Secondly, it has been found that the complete memory contents of some mobile phones can be accessed by a previously trusted (“paired”) device that has since been removed from the trusted list. This data includes not only the phonebook and calendar, but media files such as pictures and text messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, access can be gained to the AT command set of the device, giving full access to the higher level commands and channels, such as data, voice and messaging. This third vulnerability was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this vulnerability.

Finally, the current trend for “Bluejacking” is promoting an environment which puts consumer devices at greater risk from the above attacks.
Vulnerabilities

The SNARF attack:
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain access to restricted portions of the stored data therein, including the entire phonebook (and any images or other data associated with the entries), calendar, real-time clock, business card, properties, change log, IMEI (International Mobile Equipment Identity [6], which uniquely identifies the phone to the mobile network, and is used in illegal phone ‘cloning’). This is normally only possible if the device is in “discoverable” or “visible” mode, but there are tools available on the Internet that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the attack can and will be demonstrated to manufacturers and press if required.

The BACKDOOR attack:
The backdoor attack involves establishing a trust relationship through the “pairing” mechanism, but ensuring that it no longer appears in the target’s register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants access to (but note that so far we have only tested file transfers). This means that not only can data be retrieved from the phone, but other services, such as modems or Internet, WAP and GPRS gateways may be accessed without the owner’s knowledge or consent. Indications are that once the backdoor is installed, the above SNARF attack will function on devices that previously denied access, and without the restrictions of a plain SNARF attack, so we strongly suspect that the other services will prove to be available also.

The BLUEBUG attack:
The bluebug attack creates a serial profile connection to the device, thereby giving full access to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the phone to initiate calls to premium rate numbers, send sms messages, read sms messages, connect to data services such as the Internet, and even monitor conversations in the vicinity of the phone. This latter is done via a voice call over the GSM network, so the listening post can be anywhere in the world. Bluetooth access is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner’s incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for identity theft by impersonation of the victim.

Bluejacking:
Although known to the technical community and early adopters for some time, the process now known as “Bluejacking”[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The technique involves abusing the bluetooth “pairing”[2] protocol, the system by which bluetooth devices authenticate each other, to pass a message during the initial “handshake” phase. This is possible because the “name” of the initiating bluetooth device is displayed on the target device as part of the handshake exchange, and, as the protocal allows a large user defined name field – up to 248 characters – the field itself can be used to pass the message. This is all well and good, and, on the face of it, fairly harmless, but, unfortunately, there is a down side. There is a potential security problem with this, and the more the practice grows and is accepted by the user community, and leveraged as a marketing tool by the vendors, the worse it will get. The problem lies in the fact that the protocol being abused is designed for information exchange. The ability to interface with other devices and exchange, update and synchronise data, is the raison d’être of bluetooth. The bluejacking technique is using the first part of a process that allows that exchange to take place, and is therefore open to further abuse if the handshake completes and the “bluejacker” successfully pairs with the target device. If such an event occurs, then all data on the target device becomes available to the initiator, including such things as phone books, calendars, pictures and text messages. As the current wave of PDA and telephony integration progresses, the volume and quality of such data will increase with the devices’ capabilities, leading to far more serious potential compromise. Given the furore that irrupted when a second-hand Blackberry PDA was sold without the previous owner’s data having been wiped[3], it is alarming to think of the consequences of a single bluejacker gathering an entire corporate staff’s contact details by simply attending a conference or camping outside their building or in their foyer with a bluetooth capable device and evil intent. Of course, corporates are not the only potential targets – a bluejacking expedition to, say, The House of Commons, or The US Senate, could provide some interesting, valuable and, who’s to say, potentially damaging or compromising data.<<<

 

The above may sound alarmist and far fetched, and the general reaction would probably be that most users would not be duped into allowing the connection to complete, so the risk is small. However, in today’s society of instant messaging, the average consumer is under a constant barrage of unsolicited messages in one form or another, whether it be by SPAM email, or “You have won!” style SMS text messages, and do not tend to treat them with much suspicion (although they may well be sceptical about the veracity of the offers). Another message popping up on their ‘phone saying something along the lines of “You have won 10,000 pounds! Enter this 4 digit PIN number and then dial 0900-SUCKER to collect your prize!” is unlikely to cause much alarm, and is more than likely to succeed in many cases.

Workarounds and fixes
We are not aware of any workarounds for the SNARF or BLUEBUG attacks at this time, other than to switch off bluetooth. For permanent fixes, see the ‘Fixes’ section at the bottom of the page.

To permanently remove a pairing, and protect against future BACKDOOR attacks, it seems you must perform a factory reset, but this will, of course, erase all your personal data.

To avoid Bluejacking, “just say no”. :)

The above methods work to the best of our knowledge, but, as the devices affected are running closed-source proprietary software, it not possible to verify that without the collaboration of the manufacturers. We therefore make no claims as to the level of protection they provide, and you must continue to use bluetooth at your own risk.

Who’s Vulnerable
To date the quantity of devices tested is not great. However, due to the fact that they are amongst the most popular brands, we still consider the affected group to be large. It is also assumed that there are shared implementations of the bluetooth stack, so what affects one model is likely to affect others. This table is accurate to the best of our knowledge, but without the cooperation of the manufacturers (which we currently do not have), it is not possible to conduct more extensive validation.

The devices known to be vulnerable at this time are:

Vulnerability Matrix (* = NOT Vulnerable)
Make Model Firmware Rev BACKDOOR SNARF when Visible SNARF when NOT Visible BUG
Ericsson T68 20R1B
20R2A013
20R2B013
20R2F004
20R5C001
? Yes No No
Sony Ericsson R520m 20R2G ? Yes No ?
Sony Ericsson T68i 20R1B
20R2A013
20R2B013
20R2F004
20R5C001
? Yes ? ?
Sony Ericsson T610 20R1A081
20R1L013
20R3C002
20R4C003
20R4D001
? Yes No ?
Sony Ericsson T610 20R1A081 ? ? ? Yes
Sony Ericsson Z1010 ? ? Yes ? ?
Sony Ericsson Z600 20R2C007
20R2F002
20R5B001
? Yes ? ?
Nokia 6310 04.10
04.20
4.07
4.80
5.22
5.50
? Yes Yes ?
Nokia 6310i 4.06
4.07
4.80
5.10
5.22
5.50
5.51
No Yes Yes Yes
Nokia 7650 ? Yes No (+) ? No
Nokia 8910 ? ? Yes Yes ?
Nokia 8910i ? ? Yes Yes ?
* Siemens S55 ? No No No No
* Siemens SX1 ? No No No No
Motorola V600 (++) ? No No No Yes
Motorola V80 (++) ? No No No Yes

+ We now believe the 7650 is only vulnerable to SNARF if it has already been BACKDOORed.
++ The V600 and V80 are discoverable for only 60 seconds, when first powered on or when this feature is user selected, and the window for BDADDR discovery is therefore very small. Motorola have stated that they will correct the vulnerability in current firmware.

Disclosure
What is the Philosophy of Full Disclosure, and why are we providing the tools and detailing the methods that allow this to be done? The reasoning is simple – by exposing the problem we are achieving two goals: firstly, to alert users that the dangers exist, in order that they can take their own precautions against compromise, and secondly, to put pressure on manufacturers to rectify the situation. Consumers have a right to expect that their confidential data is treated as such, and is not subject to simple compromise by poorly implemented protocols on consumer devices. Manufacturers have a duty of care to ensure that such protection is provided, but, in practice, commercial considerations will often take precedence, and, given the choice, they may choose to simply supress or hide the problem, or, even worse, push for laws that prevent the discovery and/or disclosure of such flaws[5]. In our humble opinion, laws provide scant consumer protection against the lawless.

After 13 months, and in consideration of the fact that affected manufacturers had acknowledged the issues and made updated firmware available, Full Disclosure took place at the Chaos Computer Club’s annual congress – 21C3, in Berlin, 2004.

Slides from the disclosure talk can be found here: http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf

Tools
Proof of concept utilities have been developed, but are not yet available in the wild. They are:

  • bluestumbler – Monitor and log all visible bluetooth devices (name, MAC, signal strength, capabilities), and identify manufacturer from MAC address lookup.
  • bluebrowse – Display available services on a selected device (FAX, Voice, OBEX etc).
  • bluejack – Send anoymous message to a target device (and optionally broadcast to all visible devices).
  • bluesnarf – Copy data from target device (everything if pairing succeeds, or a subset in other cases, including phonebook and calendar. In the latter case, user will not be alerted by any bluejack message).
  • bluebug – Set up covert serial channel to device.
    Tools will not be released at this time, so please do not ask. However, if you are a bona-fide manufacturer of bluetooth devices that we have been otherwise unable to contact, please feel free to get in touch for more details on how you can identify your device status.

Credits
The above vulnerabilities were discovered by Adam Laurie, during the course of his work with A.L. Digital, in November 2003, and this announcement was prepared thereafter by Adam and Ben Laurie for immediate release.

Adam Laurie is Managing Director and Chief Security Officer of A.L. Digital Ltd.

Ben Laurie is Technical Director of A.L. Digital, and author of Apache-SSL and contributor to many other open source projects, too numerous to expand on here.

A.L. Digital Ltd. are the owner operators of The Bunker, the world’s most secure data centre(s).
e: adam@algroup.co.uk
w: http://www.aldigital.co.uk

e: ben@algroup.co.uk
w: http://www.apache-ssl.org/ben.html

Further information relating to this disclosure will be updated at http://www.bluestumbler.org

References:
[1]

[2]

[3]

  • www.outlaw.com

[4]

  • bluesniff
  • btscanner
  • redfang

[5]

[6]