Warning Intelligence and negligence

I thought this was pretty big news:

“Judge rules that banks can sue Target for 2013 credit card hack”

[Image: Target case]

Here’s the key quote from the actual decision:

Plaintiffs have plausibly alleged that Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered. And Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible. Imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.

I was particularly interested in the “failing to heed the warning signs” part. As an intelligence professional, I have always found wisdom in the statement “willing ignorance is negligence”. Now we have a case where, in the cyber world, that may ultimately ring true.

Pointing to possible implications for critical infrastructure, we might consider Internet-connected ICS, including engineering laptops with access to the Web and email. We have numerous documented cases where these configurations have led to compromise (see Havex and Black Energy).

If one of these led to real physical damage, I imagine the lawsuits would fly (assuming, of course, that the “cyber” cause could be accurately ascertained).

After five years of warning about the problems of connectering-up yer HMI to the public Internexus, I don’t think there should be much excuse for getting your plant compromised by anyone who can run a freely-available exploit tool (let alone by someone trying an unchanged default password!).

As a final note, and a point I’ve made before, to what extent should taxpayers be subsidizing incident response when the victim “failed to heed the warning signs”?

Head start on patching Honeywell vulns

So, back in November, Russian researchers dropped a load of ICS vulnerabilities. 25 in all. Honeywell seems to keep a pretty tight lip on the details. Maybe Positive Technologies, who discovered them, will shed more light on what’s really going on here.

[Image: PT honeywell]

At any rate, looking through what details are public, Critical Intelligence realized that Honeywell reportedly released a patch for the vulnerabilities as far back as June 2014.

Well, in case you didn’t know, one of the other awesome things that Critical Intelligence does is monitor for patches and new product releases for control systems software.

And guess what? Critical Intelligence included information about those patches in its June 5, 2014 report. So, if you had been subscribed to the Core ICS Intelligence service, and were running Honeywell Experion, you would have known about the availability of these patches six months ago. I think that’s pretty cool. What other group/firm has done that for its customers for five years?

Black Energy and ICS

On Monday I had the opportunity to brief on the SANS ICS Threat Briefing webinar. This was the inaugural SANS ICS Webinar on a “current” threat.

For me the highlight of the briefing was the following graphic.

[Image: Timeline]

Over the past several years, numerous warnings given by Critical Intelligence would have helped affected asset owners avoid infection by “Black Energy/Sandworm”.

In short, if you waited for the federal government to tell you about it (on October 29, 2014), you were only two and a half years late.

To listen to the whole archived Webinar, register here.

To get this type of forewarning for your ICS environment, request a sales call with Critical Intelligence.

Pwned up industrial routers

In my opinion, one of the most serious ICS bugs ever released was the RuggedCom authentication bypass vulnerability: CVE-2012-1803

It essentially lets anyone who knows a device’s MAC address log in to industrial-grade network equipment. The MAC address is disclosed by default on the web server and in the Telnet banner, so anyone who can reach Telnet or HTTP can feed the MAC address to a public script and obtain the backdoor password.

I was browsing around Shodan the other day, and spotted what appears to be compromised RuggedCom gear. How do I know they are compromised? Well, look at the results and see for yourself:

[Screenshot: ruggedcom owned]

[Screenshot: ruggedcom owned2]

So, while you might not hear about compromised ICS/SCADA every day, here are a couple of examples showing that it is happening to the unaware.

SCADA security poetry

Take a few minutes and enjoy some poetry, courtesy of Tyler Klingler:

[Image: scadadata]

APT APT everywhere I look.
APT APT in every little nook.
APT solutions for needs both big and small.
But most of this APT is not APT at all.

I query Shodan for GoAhead Web.
As a sad thought goes through my head
A moment of grief when I realized
Finding PLCs is no more a surprise.

As I monitor the NVD
I find a pattern I should not see
Oh dear, Oh my, can it be
Another vuln for my PLC

Not willing to be entirely unimaginative, I had to add my own:

Don’t share a SCADA selfie
They’re really not that neat
You’ll paint a target on your back
That leads to your defeat