Archives for : identification

SCADA Security Presentation

This is a presentation I gave on SCADA security some time ago. It was originally set for about 2 hrs, although I broke it into 2 halves so if time permitted (or the participants wanted more information), the backend of the presentation has many more areas and guidance relating to SCADA, devices, environment security, etc.

I defined the following outcomes for the presentation:

  • Broaden the awareness and necessity of security within the SCADA environment.
  • Understanding of business role in the governance/risk identification process.
  • Heighten the understanding of technology risks.

I hope people find the material interesting and useful.

SCADA Security Presentation Derek Grocke

SCADA considerations

Procedures

  • Corporate Information Protection
  • Security Management
  • Information Classification
  • Physical (and Environmental) Security
  • Personnel Security
  • Security Awareness Training
  • Security Incident Response
  • Security Monitoring
  • Network Security
  • PC/Workstation Security
  • Support and Operational Security Related
  • Encryption and Information Confidentiality
  • Authorization Controls
  • Identification and Authentication Mechanisms
  • Systems Life Cycle Security
  • Business Continuity Planning
  • Media Security
  • Third Party Services

Typical concerns and points of discussion:

  • Inbound and outbound FTP
  • Suggest use of DMZ
  • Suggest use of Secure FTP
  • Suggest use of restricted secure IP addresses / tunnelling
  • Suggest use of private feeds

Modem issues with dial-in services

  • No dial back
  • No Authentication
  • No Secure ID
  • Possibly automated scripts used, so hard coded usernames and passwords used.
  • Internet sharing may be turned on, allowing routing via workstations.

Increased data security and integrity considerations

  • Data backups
  • System redundancy
  • Site and content filtering
  • Virus protection
  • Standard system procurement (discounts and spares)
  • Network and services redundancy
  • Network monitoring
  • Service availability monitoring
  • Internal controls
  • Vendor / external service supplier
  • Capacity management
  • Change management system
  • Asset management system
  • Telecommunication and telephony bulk cost discounting
  • Etc.

Use and support for corporate application considerations

  • Email
  • Intranet
  • Internet
  • Corporate virus protection
  • Asset management
  • Change management
  • Project management
  • Performance / capacity management
  • Reduction of Cost
  • Use of corporate applications
  • Reduction of manual processes

Other things to keep in mind:

  • SCADA monitoring systems must be isolated from network errors and system events. This will prevent SCADA operational systems being affected by network or corporate system issues / outages.
  • Review network topology to ensure internal and external vulnerabilities are not currently being abused and cannot be abused.
  • Review of router configurations
  • Use of change management system
  • Review remote dial in systems
  • Firewall SCADA systems off from corporate applications
  • Uncontrolled networks and systems within the SCADA environment will compromise the corporate environment's integrity and security.
  • Determine if systems used within SCADA are built to a standard operating environment.

EFT Systems and Device Considerations

EFT devices and systems differ depending on hardware vendor, country and bank / payment aggregator.
Below is a list of things you may like to consider. This list is off the top of my head so it is probably not complete.

Looking at the products and relationships is usually a good start.

Things to consider:

  • Card skimming methods
  • Some EFT POS devices restrict the connection of a skimmer
  • Review levels of associated fraud
  • Review devices and EFT methods
  • Review terminal identification (merchant and customer)
  • Manual processing. (internal and external)
  • eCommerce products
  • PC based software
  • Dedicated server services (Nobil, etc.)
  • Web based engine (Custom objects, Web pop-ups, etc)
  • Authorisation / identification methods (Merchant and customer)
  • TCP/IP session hijacking / session spoofing
  • Direct Debit as well as Credit Cards.
  • Swift (methods and controls)
  • Telegraphic transfer (methods and controls)
  • Payment aggregator relationships (eg. Payment Tech, manual processing, cheque scanning, etc.)
  • Internet banking facilities (attack / penetration, certificate registration / management, ISP SLAs, etc.)
  • Implementation of Smart Card and / or alternative customer recognition devices.
  • Outsourcing and associated risks / service level agreements
  • Payment processing
  • Payment clearance
  • Payment switching
  • Reporting (segregation of merchant / customers / aggregators / partners / local / international)
  • Fraud detection and reporting
  • 3rd party acquiring risks
  • Single merchant ID many businesses
  • Allows moneys to be laundered if the payment aggregator does not place appropriate controls on the merchant.
  • Encryption used
  • Internet / trusted partner / inter-bank / extranet
  • Private and / or public certificates
  • Single use certificates
  • Client side certificates
  • Remittance advice processes and controls.
  • EFT disaster recovery and manual fall back procedures (associated security and reconciliation risks)
  • Trusted partner relationships, SLAs, liabilities and risks.
  • EFT regulatory / legal requirements (inter-bank and government)
  • Refund processing / authorisation. (policies, procedures, controls, etc.)
  • CVV, CVV-2 / CVC-2 processing and management. (http://www.atlanticpayment.com/CVV.htm)
  • Fraud detection mechanism (neural networks, inter-bank / department customer checks, etc)
  • Supported card schemes (AMEX/Visa/Mastercard/Discover/etc )
  • Review EFT floor limits (corporate and SME merchants)
  • Review the ability to withhold merchant settlement until the presence of fraud has been determined.
  • Review customer identification details. Such as (This varies around the world depending on local regulations / privacy laws)
  • Review real-time and batched processing methods and controls (sequence numbers, access to raw data, etc.)
  • Review processing with and without expiry dates. (exception controls and policies)
  • Review exception / fraud reports.
  • Review payment store and forward policies and procedures.
  • Review Pre-Auth and Completion controls.
  • Token based payment (eCash, etc)
  • Merchant reconciliation, reporting methods and controls (paper, Internet, email, PDF, Fax, etc.) and associated security.
  • Real time gross settlement policies, procedures and controls. (IT and amounts)
  • Card issuing policies and procedures. (customer ID checks, etc)
  • Banking infrastructure (ingress / egress) controls and security. (Web, partner, payment switches, outsourced infrastructure, monitoring / reporting.)
  • Use of Internet technologies for inter-bank transfers and remote equipment.
  • Physical security and controls of devices, ATMs, line encryptors, etc.

Technology is always being challenged

I read a very interesting paper created by the University of Massachusetts, RSA Laboratories and Innealta, Inc.

This paper primarily relates to the compromise of contactless payment technologies (RFID) where the RFID tag and/or reader have not been implemented correctly, or where the solution provider has used an inappropriate type of RFID. It also discusses the challenges around Chip and PIN with respect to financial transactions, e.g. EMV standards and compliance.

Additionally, the paper describes an RFID relay method which is being discussed within many forums around the world, and we have now begun to see equipment being produced for RFID skimmers/cloners to use for malicious means.

The overarching point of this paper is to use appropriate RFID & Chip solutions which support the security/privacy of the user and the purpose of the transaction (financial or non-financial).

The paper can be found at http://prisms.cs.umass.edu/~kevinfu/papers/RFID-CC-manuscript.pdf

In modern payment RFID & Chip solutions, newer devices can be used which possess a high degree of processing power and are therefore able to execute strong cryptographic methods (such as digital signatures) to protect the identification and payment information whilst the transaction is occurring.

These systems often utilise bidirectional authentication between the RFID/Chip scanner and the RFID tag/Chip prior to performing the transaction. These methods and cryptographic algorithms are accepted and proven to work within the traditional payment markets.

As mentioned in the paper, some solutions store static digitally signed and/or encrypted data which is provided to the RFID/Chip reader when queried, but this data never changes from one transaction to another. This may allow a malicious individual to capture the data and re-inject it into the reader at a later stage. The alternative to storing static digitally signed and/or encrypted data is to negotiate a key exchange at the time of the transaction, in which the card/value information is encrypted and subsequently transmitted. With this method the transmitted data changes on every transaction, so even if a malicious individual were to capture the encrypted data from one transaction, it would not be accepted by the reader if re-injected at a later stage.
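The difference between the two designs described above comes down to whether the reader can tell a fresh response from a recorded one. The following is an added example (not from the paper or from any vendor's implementation) that models both reader designs in miniature: a "static" reader that only verifies a fixed signed blob, and a "challenge" reader that issues a fresh random nonce per transaction, requires the card to bind that nonce into what it signs, and consumes each nonce once. An HMAC over a shared key stands in for the card's digital signature purely to keep the example self-contained; the key, card data and nonce size are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed example values: a key shared by card and reader stands in for
# the card's signing key (HMAC replaces a real digital signature here), and
# the card data is a made-up record, not a real card number.
CARD_KEY = b"constructed-example-card-key"
CARD_DATA = b"PAN=4000000000000002;EXP=1230"


def tag(key: bytes, msg: bytes) -> bytes:
    """Integrity tag over msg; plays the role of the card's signature."""
    return hmac.new(key, msg, hashlib.sha256).digest()


# --- Design 1: static signed data, identical on every query -------------

def static_card_response() -> dict:
    """The card answers every reader query with the same signed blob."""
    return {"data": CARD_DATA, "mac": tag(CARD_KEY, CARD_DATA)}


def static_reader_accepts(resp: dict) -> bool:
    """Verifies the signature only; nothing ties the response to this
    transaction, so a recorded response verifies again later."""
    return hmac.compare_digest(resp["mac"], tag(CARD_KEY, resp["data"]))


# --- Design 2: per-transaction challenge bound into the signed data -----

class ChallengeReader:
    def __init__(self) -> None:
        self.outstanding = set()  # nonces issued, awaiting a response
        self.consumed = set()     # nonces already accepted once

    def challenge(self) -> bytes:
        """Issue a fresh random nonce for the next transaction."""
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def accepts(self, resp: dict) -> bool:
        nonce = resp["nonce"]
        # A nonce we never issued, or one already used, means the response
        # is not a fresh answer to our current challenge: reject it.
        if nonce not in self.outstanding:
            return False
        expected = tag(CARD_KEY, nonce + resp["data"])
        if not hmac.compare_digest(resp["mac"], expected):
            return False
        self.outstanding.discard(nonce)
        self.consumed.add(nonce)
        return True


def challenge_card_response(nonce: bytes) -> dict:
    """The card signs the reader's nonce together with its data, so the
    response is only valid for the transaction that issued that nonce."""
    return {"nonce": nonce, "data": CARD_DATA,
            "mac": tag(CARD_KEY, nonce + CARD_DATA)}


def demo_static_replay() -> tuple:
    """Present one recorded static response twice: (first, second)."""
    recorded = static_card_response()
    return (static_reader_accepts(recorded), static_reader_accepts(recorded))


def demo_challenge_replay() -> tuple:
    """Present one recorded challenge response twice: (first, second)."""
    reader = ChallengeReader()
    recorded = challenge_card_response(reader.challenge())
    first = reader.accepts(recorded)
    second = reader.accepts(recorded)  # same bytes, nonce already consumed
    return (first, second)


if __name__ == "__main__":
    print("static reader, replayed response accepted:", demo_static_replay())
    print("challenge reader, replayed response accepted:", demo_challenge_replay())
```

The static reader returns `(True, True)`: it cannot distinguish the original from the recording. The challenge reader returns `(True, False)`: the recorded response carries a nonce that has already been consumed, so the replay is rejected even though its signature is still mathematically valid. A production reader would additionally bound how long an outstanding nonce stays valid and would use an asymmetric signature so the reader never holds the card's private key.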

Although this is the case today, older RFID/Chip solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the card holder, merchant or acquirer.

I find it interesting how some of these less secure solutions have been approved for use by acquiring banks and the card schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional banking markets.

It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

Bluetooth Wireless Specification

Source


Bluetooth is an industrial specification for wireless personal area networks (PANs).

Bluetooth provides a way to connect and exchange information between devices like personal digital assistants (PDAs), mobile phones, laptops, PCs, printers and digital cameras via a secure, low-cost, globally available short range radio frequency.

Bluetooth lets these devices talk to each other when they come in range, even if they’re not in the same room, as long as they are within 10 metres (32 feet) of each other.

The spec was first developed by Ericsson, later formalised by the Bluetooth Special Interest Group (SIG). The SIG was formally announced on May 20, 1999. It was established by Sony Ericsson, IBM, Intel, Toshiba and Nokia, and later joined by many other companies as Associate or Adopter members.

Table of contents

  • 1 About the name
  • 2 General information
    • 2.1 Embedded Bluetooth
  • 3 Features by version
    • 3.1 Bluetooth 1.0 and 1.0B
    • 3.2 Bluetooth 1.1
    • 3.3 Bluetooth 1.2
    • 3.4 Bluetooth 2.0
  • 4 Future Bluetooth uses
  • 5 Security concerns
  • 6 Bluetooth profiles

About the name

The system is named after the Danish king Harald Blåtand (Harold Bluetooth in English), King of Denmark and Norway from 935 and 936 respectively, to 940, known for his unification of previously warring tribes from Denmark, Norway and Sweden. Bluetooth likewise was intended to unify different technologies like computers and mobile phones. The Bluetooth logo merges the Nordic runes for H and B.

General information

[Image: A typical Bluetooth mobile phone headset]

The latest version currently available to consumers is 2.0, but few manufacturers have started shipping any products yet. Apple Computer, Inc. offered the first products supporting version 2.0 to end customers in January 2005. The core chips have been available to OEMs (from November 2004), so there will be an influx of 2.0 devices in mid-2005. The previous version, on which all earlier commercial devices are based, is called 1.2.

Bluetooth is a wireless radio standard primarily designed for low power consumption, with a short range (up to 10 meters [1]) and with a low-cost transceiver microchip in each device.

It can be used to wirelessly connect peripherals like printers or keyboards to computers, or to have PDAs communicate with other nearby PDAs or computers.

Cell phones with integrated Bluetooth technology have also been sold in large numbers, and are able to connect to computers, PDAs and, specifically, to handsfree devices. BMW was the first motor vehicle manufacturer to install handsfree Bluetooth technology in its cars, adding it as an option on its 3 Series, 5 Series and X5 vehicles. Since then, other manufacturers have followed suit, with many vehicles, including the 2004 Toyota Prius and the 2004 Lexus LS 430. The Bluetooth car kits allow users with Bluetooth-equipped cell phones to make use of some of the phone’s features, such as making calls, while the phone itself can be left in a suitcase or in the boot/trunk, for instance.

The standard also includes support for more powerful, longer-range devices suitable for constructing wireless LANs.

A Bluetooth device playing the role of “master” can communicate with up to 7 devices playing the role of “slave”. At any given instant in time, data can be transferred between the master and one slave; but the master switches rapidly from slave to slave in a round-robin fashion. (Simultaneous transmission from the master to multiple slaves is possible, but not used much in practice). These groups of up to 8 devices (1 master and 7 slaves) are called piconets.

The Bluetooth specification also allows connecting two or more piconets together to form a scatternet, with some devices acting as a bridge by simultaneously playing the master role in one piconet and the slave role in another piconet. These devices have yet to come, though are supposed to appear within the next two years.

Any device may perform an “inquiry” to find other devices to which to connect, and any device can be configured to respond to such inquiries.

Pairs of devices may establish a trusted relationship by learning (by user input) a shared secret known as a “passkey”. A device that wants to communicate only with a trusted device can cryptographically authenticate the identity of the other device. Trusted devices may also encrypt the data that they exchange over the air so that no one can listen in.

The protocol operates in the license-free ISM band at 2.45 GHz. In order to avoid interfering with other protocols which use the 2.45 GHz band, the Bluetooth protocol divides the band into 79 channels (each 1 MHz wide) and changes channels up to 1600 times per second. Implementations with versions 1.1 and 1.2 reach speeds of 723.1 kbit/s. Version 2.0 implementations feature Bluetooth Enhanced Data Rate (EDR), and thus reach 2.1 Mbit/s. Technically version 2.0 devices have a higher power consumption, but the three times faster rate reduces the transmission times, effectively reducing consumption to half that of 1.x devices (assuming equal traffic load).

Bluetooth differs from Wi-Fi in that the latter provides higher throughput and covers greater distances but requires more expensive hardware and higher power consumption. They use the same frequency range, but employ different multiplexing schemes. While Bluetooth is a cable replacement for a variety of applications, Wi-Fi is a cable replacement only for local area network access. A glib summary is that Bluetooth is wireless USB whereas Wi-Fi is wireless Ethernet.

Many USB Bluetooth adapters are available, some of which also include an IrDA adapter.

Embedded Bluetooth

Bluetooth devices and modules are increasingly being made available which come with an embedded stack and a standard UART port. The UART protocol can be as simple as the industry standard AT protocol, which allows the device to be configured to cable replacement mode. This means it now only takes a matter of hours (instead of weeks) to enable legacy wireless products that communicate via UART port.

Features by version

Bluetooth 1.0 and 1.0B

Versions 1.0 and 1.0B had numerous problems and the various manufacturers had great difficulties in making their products interoperable. 1.0 and 1.0B also had mandatory Bluetooth Hardware Device Address (BD_ADDR) transmission in the handshaking process, rendering anonymity impossible at a protocol level, which was a major set-back for services planned to be used in Bluetooth environments, such as Consumerism.

Bluetooth 1.1

In version 1.1 many errata found in the 1.0B specifications were fixed. There was added support for non-encrypted channels.

Bluetooth 1.2

This version is backwards compatible with 1.1 and the major enhancements include

  • Adaptive Frequency Hopping (AFH), which improves resistance to radio interference by avoiding using crowded frequencies in the hopping sequence
  • Higher transmission speeds in practice
  • extended Synchronous Connections (eSCO), which improves voice quality of audio links by allowing retransmissions of corrupted packets.
  • Received Signal Strength Indicator (RSSI)
  • Host Controller Interface (HCI) support for 3-wire UART
  • HCI access to timing information for Bluetooth applications.

Bluetooth 2.0

This version is backwards compatible with 1.x and the major enhancements include

  • Non-hopping narrowband channel(s) introduced. These are faster but have been criticised as defeating a built-in security mechanism of earlier versions; however frequency hopping is hardly a reliable security mechanism by today’s standards. Rather, Bluetooth security is based mostly on cryptography.
  • Broadcast/multicast support. Non-hopping channels are used for advertising Bluetooth service profiles offered by various devices to high volumes of Bluetooth devices simultaneously, since there is no need to perform handshaking with every device. (In previous versions the handshaking process takes a bit over one second.)
  • Enhanced Data Rate (EDR) of 2.1 Mbit/s.
  • Built-in quality of service.
  • Distributed media-access control protocols.
  • Faster response times.
  • Halved power consumption due to shorter duty cycles.

Future Bluetooth uses

One of the ways Bluetooth technology may become useful is in Voice over IP. When VOIP becomes more widespread, companies may find it unnecessary to employ telephones physically similar to today’s analogue telephone hardware. Bluetooth may then end up being used for communication between a cordless phone and a computer listening for VOIP and with an infrared PCI card acting as a base for the cordless phone. The cordless phone would then just require a cradle for charging. Bluetooth would naturally be used here to allow the cordless phone to remain operational for a reasonably long period.

Security concerns

In November 2003, Ben and Adam Laurie from A.L. Digital Ltd. discovered that serious flaws in Bluetooth security led to disclosure of personal data (see http://bluestumbler.org). It should be noted however that the reported security problems concerned some poor implementations of Bluetooth, rather than the protocol itself.

In a subsequent experiment, Martin Herfurt from the trifinite.group was able to do a field-trial at the CeBIT fairgrounds showing the importance of the problem to the world. A new attack called BlueBug was used for this experiment.

In April 2004, security consultants @Stake revealed a security flaw that makes it possible to crack into conversations on Bluetooth based wireless headsets by reverse engineering the PIN.

This is one of a number of concerns that have been raised over the security of Bluetooth communications. In 2004 the first purported virus using Bluetooth to spread itself among mobile phones appeared for the Symbian OS. The virus was first described by Kaspersky Labs and requires users to confirm the installation of unknown software before it can propagate. The virus was written as a proof-of-concept by a group of virus writers known as 29a and sent to anti-virus groups. Because of this, it should not be regarded as a security failure of either Bluetooth or the Symbian OS. It has not propagated ‘in the wild’.

In August 2004, a world-record-setting experiment (see also Bluetooth sniping) showed that with directional antennas the range of class 2 Bluetooth radios could be extended to one mile. This enables attackers to access vulnerable Bluetooth-devices from a distance beyond expectation.

Bluetooth uses the SAFER+ algorithm for authentication and key generation.

Bluetooth profiles

In order to use Bluetooth, a device must be able to interpret certain Bluetooth profiles. These define the possible applications. The following profiles are defined:

  • Generic Access Profile (GAP)
  • Service Discovery Application Profile (SDAP)
  • Cordless Telephony Profile (CTP)
  • Intercom Profile (IP)
  • Serial Port Profile (SPP)
  • Headset Profile (HSP)
  • Dial-up Networking Profile (DUNP)
  • Fax Profile
  • LAN Access Profile (LAP)
  • Generic Object Exchange Profile (GOEP)
  • Object Push Profile (OPP)
  • File Transfer Profile (FTP)
  • Synchronisation Profile (SP)

This profile allows synchronisation of Personal Information Manager (PIM) items. As this profile originated as part of the infra-red specifications but has been adopted by the Bluetooth SIG to form part of the main Bluetooth specification, it is also commonly referred to as IrMC Synchronisation.

  • Hands-Free Profile (HFP)
  • Human Interface Device Profile (HID)
  • Hard Copy Replacement Profile (HCRP)
  • Basic Imaging Profile (BIP)
  • Personal Area Networking Profile (PAN)
  • Basic Printing Profile (BPP)
  • Advanced Audio Distribution Profile (A2DP)
  • Audio Video Remote Control Profile (AVRCP)
  • SIM Access Profile (SAP)

Compatibility of products with profiles can be verified on the Bluetooth Qualification website.
