Pipes and Bytes

There is another security threat that has been brewing for a long time now. This time it is about the computers that control industrial processes and utilities.

In the last few years the trend has been to move all these dedicated systems to Windows-based systems. Windows has a lot of advantages, mainly related to the fact that applications are easier and cheaper to develop than on any of the alternatives. The availability of inexpensive hardware and thousands of developers makes the platform very competitive. The infrastructure afforded by the Internet brings the additional bonus that all these processes can be managed remotely with very little additional investment, a big incentive for companies to move their connectivity to a Wide Area Network.

The problem with this state of affairs (Windows systems connected to the Internet controlling vital equipment) is security. Although Microsoft has made progress improving the security of its OSs, you don’t have to search very hard to find a staggering number of security holes still open. Moreover, keeping a Windows system secure requires a lot of vigilance and a proactive approach, not always a concern that has high priority for the operating companies. In many instances, management may not even be aware of the magnitude of the problem.

Because of the criticality of some pieces of equipment, the issue is one of national security. Sabotage by terrorist groups or enemy states would acquire a whole new meaning when somebody has the power to shut down a significant portion of a country’s electric grid or water supply.

As is usually the case with widely interconnected systems, the weakest link can be exploited by hackers to gain access to the system; thus, no matter how strong the protection of the important nodes is, failure to protect every possible node could bring the whole system down.

The problem has certainly caught the attention of security experts and practitioners for at least a decade. Here are some references to the problem from the SANS Institute reading room.

The ideas being floated around the concept of bug-ridden smart meters for the distribution grid will add another spin to this issue.

Open letter to Mr. Phisher

I received a very amusing e-mail today:

Hello,
It is with profound sense of sadness i wrote this email to you. I don’t know how you will find this but you just have to forgive me for not telling you before leaving. I traveled down to United Kingdom Yesterday for a short vacation but unfortunately,i was mugged at a gun point on my way to the hotel i lodged all my money and all other vital documents including my credit card and my cell phone have been stolen by muggers.
I’ve been to the embassy and the Police here but they’re not helping issues at all,Things are difficult here and i don’t know what to do at the moment that why i email to ask if you can lend me £1,500.00 so i can settle the hotel bill and get a returning ticket back home. Please do me this great help and i promise to refund the money as soon as i get back home.
I look forward to your positive response.
Thanks

This supposedly came from the Gmail account of a fellow engineer who happens to live in my town and is at 2 degrees of separation from me in the LinkedIn network.

Sorry, Mr. Phisher, I don’t know the guy well enough to send the funds; my bad for not being more proactive in extending my network, he was just a step away! (if he really is the one who set up the account with his name). It would help your cause if you read the newspapers: for the last few days there have been no flights to or from London, you know, the volcano thing.

I have heard stories of people getting similar e-mails from people they know; some of the stories may be even more verisimilar. Would-be phishers make good use of the information that can be gathered from social networks to craft these targeted e-mails.

Google may have bigger problems than people creating accounts to send phishing e-mails.

The Facebook password reset phishing email

… has been showing up in my inboxes and those of my friends. You know the drill: do not open the attachment; even better, do not open the email.

GSM encryption really broken

GSM (Global System for Mobile communications) is an open, digital cellular technology used for voice and data services.

GSM supports voice calls and data transfer as well as the transmission of SMS. It operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the US.

Australia, Canada and many South American countries use the 850MHz band for GSM and 3G. There are an estimated 4 billion users in more than 218 countries, and its encryption scheme is irreversibly broken by now.

At the 26th Chaos Communication Congress, Nohl and Paget presented their plan to work out a codebook for the A5/1 cipher used by GSM. Karsten Nohl has recently announced that the full GSM codebook has been produced; the result is a 2TB file that can be used to decrypt and hear the audio in a matter of hours. This represents a turning point, because the big expense and time spent on the creation of the tables does not need to be repeated. The tables are available to hackers, who need only sniff the GSM traffic and spend a few hours searching through the tables to be able to hear the conversation.
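
To make the economics described above concrete, here is an added example; it is not code from this post nor from Nohl's project. It builds a toy rainbow table against a stand-in cipher: four bytes of SHA-256 stand in for the A5/1 keystream of a known frame, an 18-bit key replaces the real 64-bit one, and the chain count and length are chosen so the whole thing runs in a few seconds. All of those are assumptions of the example. The structure is the point: build_table is the expensive step that is paid once, and recover_key afterwards costs a few hundred thousand cipher evaluations per intercepted keystream rather than a walk through the entire key space. The defender's lesson is the same one the post draws: once such tables exist for a cipher with a small effective key, the only fix is a different cipher, not keeping the tables out of circulation.

```python
import hashlib
import random

# Toy parameters (assumptions of this example): an 18-bit key space stands in
# for the 64-bit A5/1 key, and the table is sized to build in seconds.
KEY_BITS = 18
KEY_MASK = (1 << KEY_BITS) - 1
CHAIN_LEN = 256      # reductions per chain
NUM_CHAINS = 2048    # chains stored in the table


def keystream(key: int) -> bytes:
    """Toy stand-in for the A5/1 keystream emitted for one known frame.

    Four bytes of SHA-256 over the key. All that matters is that it is a fixed,
    public function of the key, as the real keystream is for a known frame.
    """
    return hashlib.sha256(key.to_bytes(4, "big")).digest()[:4]


def reduce_to_key(ks: bytes, column: int) -> int:
    """Map a keystream back into the key space.

    Mixing in the column index gives each step its own reduction function
    (rainbow-table style), so chains that collide in different columns do not
    merge into one and waste table space.
    """
    return (int.from_bytes(ks, "big") ^ (column * 0x9E3779B1)) & KEY_MASK


def chain_start(index: int) -> int:
    """Deterministic, distinct start key for chain number `index`."""
    # Odd multiplier: a bijection modulo 2**KEY_BITS, so starts never repeat.
    return (index * 0x2545F491) & KEY_MASK


def walk(key: int, steps: int) -> int:
    """Advance `steps` links along a chain that begins at `key` in column 0."""
    for column in range(steps):
        key = reduce_to_key(keystream(key), column)
    return key


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """The one-time, expensive step: walk every chain, keep only end -> starts."""
    table = {}
    for i in range(num_chains):
        start = chain_start(i)
        table.setdefault(walk(start, chain_len), []).append(start)
    return table


def recover_key(table: dict, observed: bytes, chain_len: int = CHAIN_LEN):
    """The cheap, repeatable step: find a key that produces `observed`.

    For each column the unknown key might occupy, walk forward to the chain end,
    then rebuild any matching chain from its stored start to verify the
    candidate. Returns None when the key lies outside the table's coverage.
    """
    for col in range(chain_len - 1, -1, -1):
        k = reduce_to_key(observed, col)
        for later in range(col + 1, chain_len):
            k = reduce_to_key(keystream(k), later)
        for start in table.get(k, ()):
            candidate = walk(start, col)
            if keystream(candidate) == observed:
                return candidate
    return None


def success_rate(table: dict, trials: int = 30, seed: int = 1) -> float:
    """Fraction of random keys recovered, i.e. the table's coverage of the key space."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(KEY_BITS)
        found = recover_key(table, keystream(key))
        if found is not None and keystream(found) == keystream(key):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    table = build_table()
    print(f"{NUM_CHAINS} chains x {CHAIN_LEN} steps stored for 2^{KEY_BITS} keys")
    print(f"coverage on random keys: {success_rate(table):.0%}")
```

Building the table here takes about a second; a lookup takes a fraction of that, and the same table serves every later lookup. Scale the key to 64 bits and the per-lookup cost is what Nohl's 2TB tables buy for the price of a one-off computation, which is why the post calls their release a turning point.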

The GSM spec includes a stronger cipher, A5/3, but both the phone and the base station have to be able to handle it; otherwise the exchange will fall back to the weaker cipher. Carriers are very slow to make the necessary changes, and A5/3 does not seem to have a very long life anyway.

Related links:

Cracking GSM phone crypto via distributed computing

The A5/1 code table site

Ontario privacy commissioner orders ‘strong encryption’ of health records

My prediction is that we are going to see more and more of these privacy commissioner orders as the guys in charge get more serious about not being sued.

Don’t tell me you didn’t know

Most people in Canada don’t trust them.

Maybe something I said.

Update:

On the other hand, it is a good tool to reach out to people you otherwise can’t talk to directly.

The ‘Enigma’ of the broken GSM phone encryption

Although it has been known for a few years, the weakness of the encryption schemes for GSM phones is in the spotlight again, this time thanks to a group of hackers who made the whole business of listening in easy and cheap.

GSM has been known to be hackable for years, but the problem is not being fixed as proactively as it should be.

Could a parallel be drawn with the situation of the Enigma machines being sold around the world after WWII?

SSL 3.0 / TLS subjected to Man in the Middle Attack

An “Authentication Gap” was discovered in the latest version of the SSL/TLS protocol. This could potentially be a huge problem. The gap is not due to some erroneous implementation; it is a property of the protocol.
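
Because the gap is in the protocol itself, the fix is also at the protocol level: servers signal that they renegotiate securely through a TLS extension (renegotiation_info), later standardized by the IETF as RFC 5746, a reference that is not on this page. As an added example, not from this post or from any of the sites linked, here is a small checker for the one line of `openssl s_client -connect HOST:443 </dev/null` output that reports whether a server advertises that extension. The sample outputs are constructed excerpts, not captures from any real host.

```python
import re

# After the handshake, openssl s_client prints exactly one of
#   Secure Renegotiation IS supported
#   Secure Renegotiation IS NOT supported
# The optional "NOT " is all that separates a patched server from an unpatched one.
_RENEG_LINE = re.compile(r"^Secure Renegotiation IS (NOT )?supported$", re.MULTILINE)


def secure_renegotiation_supported(s_client_output: str):
    """True if the server advertises RFC 5746, False if it does not,
    None if the summary line is absent (for example, the handshake failed)."""
    m = _RENEG_LINE.search(s_client_output)
    if m is None:
        return None
    return m.group(1) is None


def assess(s_client_output: str) -> str:
    """Turn the tri-state into the one-line verdict an operator wants to log."""
    state = secure_renegotiation_supported(s_client_output)
    if state is None:
        return "undetermined: no handshake summary in output"
    if state:
        return "ok: server supports secure renegotiation (RFC 5746)"
    return "at risk: no RFC 5746; disable renegotiation on the server or upgrade its TLS stack"


# Constructed excerpts of s_client output for three situations; not real hosts.
SAMPLE_PATCHED = """CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
"""

SAMPLE_UNPATCHED = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

SAMPLE_FAILED = """CONNECTED(00000003)
write:errno=104
"""

if __name__ == "__main__":
    for name, out in [("patched", SAMPLE_PATCHED),
                      ("unpatched", SAMPLE_UNPATCHED),
                      ("failed", SAMPLE_FAILED)]:
        print(f"{name}: {assess(out)}")
```

One caveat when running this against current servers: TLS 1.3 removed renegotiation altogether, so a TLS 1.3 session prints "IS NOT supported" even on a fully patched host. Force a TLS 1.2 handshake (`openssl s_client -tls1_2 -connect HOST:443`) when the question is specifically about this gap.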

Here is a list of links to websites where the issue is being followed:

http://www.phonefactor.com/sslgap/

IETF resources

Red Hat

SANS.org

Hackers expose slew of Hotmail account passwords

Again,

Hackers expose slew of Hotmail account passwords

Social Engineering and phishing really work.

See what I wrote on Passwords

Your tax Pounds at work – UK government to make ID thieves’ lives easier

Having all your personal information in one ID is not a very good idea, even if protected by a good encryption scheme. Having all your information in a card protected with a bad encryption scheme is definitely a bad idea.

That seems to be the case with the ID cards issued by the Home Office to foreign nationals working in the UK. As described in a news article, it looks as though a cell phone fitted with an RFID scanner and a laptop is all the hardware you need to clone one of these cards and even change the information on it.

Embedded inside the card for foreigners is a microchip with the details of its bearer held in electronic form: name, date of birth, physical characteristics, fingerprints and so on, together with other information such as immigration status and whether the holder is entitled to State benefits.

This chip is the vital security measure that, so the Government believes, will make identity cards ‘unforgeable’.

But as I watch, Laurie picks up a mobile phone and, using just the handset and a laptop computer, electronically copies the ID card microchip and all its information in a matter of minutes.

He then creates a cloned card, and with a little help from another technology expert, he changes all the information the card contains – the physical details of the bearer, name, fingerprints and so on. And he doesn’t stop there.

[Read the whole Mail-Online article]

These cards use the same technology as the ID card for British citizens unveiled last week by Alan Johnson, the Home Secretary. ID thieves must be anxiously waiting for the introduction of government ID cards, which will facilitate their daily jobs.