Friday, August 5, 2011

Dance, security monkey!

Long time readers will remember Borepatch's Laws of Security™.  Here's a quick recap:

Borepatch's First Law: "Free Download" is Internet-speak for "Open your mouth and close your eyes".

Borepatch's Second Law: Assume that all data on your phone (or Tablet) is public if you ever lose your phone.

Borepatch's Third Law:  Everything is vulnerable.  Get over it.

Now it's time for a new one:

Borepatch's Fourth Law: Everything is reachable from the Internet.  To reach some, you may have to try a little harder.  But everything can be reached.  Everything.

This last one is A Very Bad Thing Indeed.  Some systems were designed under the assumption that they would only ever be in an isolated universe.  Systems like Process Controllers, which run factories, electric power generation, oil refineries, chemical plants, natural gas pipelines - in other words, things that make spectacular, Earth Shattering Kabooms if they seize up.

It's the first week of August, which means it's time for the Black Hat Briefings - the most prestigious computer security conference.  This year, the announcements are a doozy:

LAS VEGAS — A security researcher has uncovered a slew of vulnerabilities in Siemens industrial control systems, including a hard-coded password, that would let attackers reprogram the systems with malicious commands to sabotage critical infrastructures and even lock out legitimate administrators.

It's all here: a hard coded administrator password; failure to validate commands (meaning I could record sending a "Shut down RIGHT NOW" command in my lab and then inject that recording into a power generation station); a well known (and network visible) way to tell if you're talking to one of these devices over the network (a "Well Known Port"); and an easy way to dump all memory for examination.
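To make the "failure to validate commands" point concrete, here is an added example of my own (not from the article, and not the Siemens protocol) contrasting a controller that executes a recorded frame verbatim with one that binds each command to a one-shot nonce and an HMAC under a shared key, so the same recording is rejected the second time.  The STOP command, the frame layout and both controllers are constructed stand-ins.

```python
import hashlib
import hmac
import os
# Constructed stand-in for the bug class the post describes (not the Siemens
# protocol). Naive form: any frame is executed as received, so a frame captured
# once can be injected again at any time.
def naive_handle(state: dict, frame: bytes) -> str:
    if frame == b"STOP":                 # no authenticator, no freshness check
        state["running"] = False
    return "ok"
# Hardened form: each command is bound to a fresh controller-issued nonce and
# carries an HMAC-SHA256 over nonce||command under a shared key; a replayed
# recording fails because its nonce has already been consumed.
class AuthenticatedController:
    def __init__(self, key: bytes):
        self.key, self.running, self.issued = key, True, set()
    def challenge(self) -> bytes:        # nonce handed out for the next command
        nonce = os.urandom(16)
        self.issued.add(nonce)
        return nonce
    def handle(self, frame: bytes) -> str:
        # Constructed frame layout: 16-byte nonce | 32-byte tag | command
        nonce, tag, cmd = frame[:16], frame[16:48], frame[48:]
        if nonce not in self.issued:
            return "rejected: stale nonce"        # a replay lands here
        expected = hmac.new(self.key, nonce + cmd, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authenticator"
        self.issued.discard(nonce)               # nonce is one-shot
        if cmd == b"STOP":
            self.running = False
        return "ok"
def sign_command(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    # Operator side: authenticate the command for the nonce the controller issued
    return nonce + hmac.new(key, nonce + cmd, hashlib.sha256).digest() + cmd

def demo():
    plant = {"running": True}
    recorded = b"STOP"                   # captured once "in the lab"
    naive_handle(plant, recorded)
    plant["running"] = True              # process restarted
    naive_handle(plant, recorded)        # same bytes again: accepted, plant stops
    replay_worked = not plant["running"]
    key = os.urandom(32)
    ctl = AuthenticatedController(key)
    frame = sign_command(key, ctl.challenge(), b"STOP")
    first = ctl.handle(frame)            # legitimate command: "ok"
    ctl.running = True
    second = ctl.handle(frame)           # identical bytes replayed: rejected
    return replay_worked, first, second, ctl.running
```

The nonce set is what defeats the recording; a timestamp window or a monotonic counter would serve the same purpose if the controller has a clock it can trust.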

Remember the Fourth Law: Everything's on the Internet.  It may just take a little more work to get to some of it:

Previously, Siemens has asserted that the attacks Beresford describes could be thwarted by air-gapping PLCs and their control computers from the internet. But according to Vik Phatak, CTO of NSS Labs, not all companies have a complete understanding of what constitutes an air-gapped system.

“We’ve talked to a number of different companies that have told us that their version of an air-gapped network [means] there’s no inbound connection, but they definitely have outbound connections to the internet for their employees,” Phatak said.

Even air-gapping a system would not work if someone plugged removable media containing malware into the system.

But coolest of all - the pièce de résistance - is the hidden Easter Egg (humorous hidden software features) with dancing chimpanzees.  Srlsy:


That caption seems to be the German expression for "All work and no play makes Hermann a dull boy ..."

Helpful note to Corporate PR Directors everywhere: it's a good idea to ask your engineering department if your products contain easter eggs that will be shown on CNN every time your company's name comes up in the news.  Get them to sign a document attesting to that, under penalty of perjury.  No need to thank me, it's all part of the service.

So what can we tell about the security architecture of the Siemens industrial control systems? (Answer: it wasn't an afterthought, it wasn't thought of at all).

And to all the poor IT Security schmucks responsible for these systems, it's time to get your dancing shoes on.

Sigh.  I'm not sure if this is the biggest security fail I've ever seen in going on 30 years in the field.  But I'm not sure it's not.
