Tuesday, September 20, 2011

EU BlackHat 2011: Cyberwar Overhyped, Escalating Cyber Conflict the Issue
- EU Keynote counters Ex-CIA Official's Warning


While concerns about imminent cyberwar have ramped up of late (e.g., BlackHat 2011: Cyberwar is Coming - Ex-CIA Official Warns Black Hat 2011 Attendees), an insightful EU Black Hat 2011 Keynote (video 1:15) by Bruce Schneier offers a constructive and useful counter-perspective:

“It’s not that we’re fighting cyberwar, we’re increasingly seeing war-like tactics used in broader cyber conflicts. Non-nations can now deploy war-like tactics... a bunch of criminals getting tanks... now what do you do?" - Bruce Schneier, EU BlackHat 2011

Schneier points out that cyberwar clearly is not happening now. The rhetoric surrounding cyberwar is exaggerated and harmful in its influence over policy. The language of the debate lacks good definitions: we don't know when a cyberwar starts, what it looks like, who is doing it, or when it's over. Using the term "war" implies we're helpless, that we need to duck and cover, and that the government should handle it. Many measures merited in wartime pose greater risk in peacetime. In cyberspace the advantage is on the attacker's side, with technology continually pushing capabilities outward; attacks are so easy that kids can carry them out.

Further high-level cyberwar commentary addresses topics such as preparing the battlefield, conducting attacks, etc. All advanced nations will need some cyber offensive capability, as it is now part of the war-fighting theater. It is also understood that the most advanced nations already have extensive capabilities, e.g., placing logic bombs in enemy systems, potentially before a broader conflict starts. There are recurring examples of precursor cyber-attacks being followed by more traditional military conflict. The US continues to drag its feet on pursuing international rules and treaties covering cyber conflict, given its perceived advantage. This stance feeds the cyber arms race problem, where every side assumes the worst. Related offensive decisions also need to be made at higher levels of government: Stuxnet-style attacks are reasonably viewed as acts of war.

Critical infrastructure concerns include widely believed examples of non-US criminal extortion and blackouts caused by hacking, e.g., in Brazil. History is rich with examples of market failure where common defense was not adequately addressed by private industry. Private industry can only go so far, which is why government is needed, with regulation being only part of the answer. The US is clearly more vulnerable than other nations, and with the risk increasing, it is important to address this further.

More:
- 60 minutes exposé - Cyber War: Sabotaging the System 6/13/2010 (video 18:02)
- “Next war might start with blackout, not a bang.” “Art of the Possible”

Tuesday, September 6, 2011

BlackHat and Defcon 2011: Top 10 Scariest Hacks
- Network World's take on a handful meriting the most concern

The Las Vegas-hosted Black Hat USA 2011 and Defcon 2011 conferences dished up a number of interesting hacking demonstrations applicable to critical infrastructure organizations. The wide-ranging top ten identified by Network World (full slide show) included SCADA issues (Siemens, of course) and even a fairly significant ERP system issue (SAP).

Summary:
  1. Siemens S7 hack (the top one!). Very scary considering just how dependent real-world facilities are on systems with related security problems; the issues go well beyond being specific to Siemens solutions.
  2. VoIP botnet control. Clever data exfiltration and command-and-control methods using the VoIP channel and touch-tone phones.
  3. Powerline device takeover. Demonstrated a device that can tap into home power lines to monitor and control home alarms and security cameras, e.g., enabling intruders to jam security gear and then break in.
  4. Hacker drone. Off-the-shelf electronics used to create WASP (wireless aerial surveillance platform), which executes flight plans while doing its work (cracking codes, picking up cellphone calls, etc.).
  5. Car hijack via phone networks. Used text messages over phone links to hack a Subaru Outback car alarm, unlock the doors, and start the vehicle. Similar devices are used in some critical infrastructure settings, raising concerns about knocking out power grids and water supplies.
  6. Hack faces to find Social Security numbers. Acquiring a person's Social Security number using nothing more than a social networking photo, face recognition software, and a deduction algorithm. Interesting!
  7. Remotely shut down insulin pumps. Exposed a very difficult-to-resolve wireless security problem that could be fatal in the wrong circumstances. The diabetic security researcher focused on issues with his own wireless pump: "devices weren't designed with security in mind."
  8. Embedded web server menace. Embedded web servers in photocopiers and printers make them easier to administer, and also easier to compromise, potentially pilfering the documents they produce. Easy fingerprinting and attack approaches were demonstrated.
  9. Spreading false router tables. Demonstrated that the OSPF (open shortest path first) routing protocol has weaknesses permitting attackers to install false table entries on uncompromised routers, potentially affecting data streams (sending information to a remote attacker) or simply crippling networks.
  10. SAP flaw - authentication. Showed how an SAP system can be broken into to gain administrative privileges. The researcher determined that half the systems examined were vulnerable to this issue, and target systems are easy to locate with a Google search. SAP is working towards releasing a related security update.

More:
- Insulin pump attack prompts call for federal probe - Register 8/19/2011 - Committee urges investigation into security standards for wireless medical devices.
- Black Hat 2011 USA Archive - video, audio and slides added since the Aug 2011 conference
- DEF CON 19 Archive - site stood up 9/5 with slides, etc. from the Aug 2011 conference