Displaying items by tag: SCDA

Tuesday, 18 October 2011 21:14

New Malware Found with Stuxnet Similarities

84Just in case all of the warnings that we gave you before about SCDA (Supervisory Control and Data Acquisition) devices and how insecure most of them are was not enough. We now find that a new piece of malware that appears to be intended spy on industrial networks as a precursor to a future attack like the Stuxnet malware that hit last year. Dubbed Duqu because of a prefix attached to files the new malware creates this new bit of code is very concerning to security experts.

The code was found on several Windows based systems across multiple companies in Europe. These companies were not directly identified but all appear to have connections to industries that directly interact with basic infrastructure services.  As of right now Duqu appears content to just gather information and report back to its command and control servers (including using an internal key logger).  Duqu also appears to be sending JPG files back and forth between the server and the infected system, but as many found out to their dismay you can embed quite a bit of information in a JPG files so these could be used to send control instructions and responses or could be nothing more than test files right now.

So far researchers are at a loss as to what Duqu is collecting and why this is happening. They do know that the attacks have been going on since at least December 2010 and that the first variant identified used a stolen certificate much like the original Stuxnet did. Researchers at Symantec and McAfee also feel that the creators of this code had access to the source code of Stuxnet as the two pieces of Malware are very similar in the way they operate and the coding used. Both McAfee and Symantec have also stated that Duqu does not spread and that it does not appear to use any known exploits. This would indicate that the malware uses tactics like drive-by, or social engineering based exploits. These rely on human intervention to download and install the malicious code on a system usually via email or web link.

We personally wonder if this is related to some of the rumors about Anonymous stepping up their attacks on Governments and Large Corporations. After all with what they can gather using some fairly simple techniques (and a nice bit of coding) they can put some rather devastating plans into action very quickly. If this is the case (and this is all just speculation) then we might be looking at an attack that no one is really prepared for. Then again this could all be nothing more than a reconnaissance mission, especially considering the fact that the code uninstalls itself after 30 days…

Source Symantec and McAfee
Discuss this in our Forum

Published in News
Friday, 16 September 2011 23:34

More holes found in SCDA security

84Remember when we told you about the security holes in the supervisory control and data acquisition components (SCDA)? Well it looks like there are even more to be found out there in the wild. If you are surprised by this then you must have just crawled out from under a nice big rock. After all most of these components have not been upgraded in decades or are manufactured by companies that still believe that these components are not reachable.

Thanks to a 30-year old Italian researcher named Luigi Auriemma this problem is being brought to light. Most of the companies that are seeing this light are having pretty much the same reaction as you get when you stumble out into the day after a serious night of partying. They are closing their eyes and trying to ignore the big light in the sky. Auriemma, has been finding these new holes at an alarming (to the industry not to many security researchers) rate. He unveiled over 30 in March and has tossed out a few each month since then.

The holes tend to center around the PLCs or Programmable Logic Controllers. These are the devices that do all the heavy lifting and can be used to operate valves, motors etc. In short these are the parts that are the most critical in terms of the need to keep them secure. The odd thing about these new security holes is that when the need for connected SCDA, DCS and PLCs came around no thought was given to make sure they were secure. Then as the threats on the internet grew the manufacturers continued to ignore the need for security. It is a sad state of affairs to find that the majority of the major control systems in the US (and other countries) is connected to the internet without a thought for security.

There is good news though, some of the manufacturers appear to be starting to make a shift to thinking of these devices as the connected systems they are. This means they are preparing for better security precautions and building new software to help make unauthorized access more difficult. The question that has to be asked is; if they have waited so long are these companies up to the task of competing with the current crop of “bad guys”?

Discuss in our Forum

Published in News
Thursday, 04 August 2011 21:10

All our wireless beloing to them...

broken-lockRemember how we told you about that some of the world’s most sensitive infrastructure hardware could be vulnerable by simply searching for them on Google? Well now we hear that even your car can be compromised with the right gear, as a group of security experts showed at Black Hat in Las Vegas. By setting up their own GSM network (granted not an easy task) the group was able to unlock and then start a Subaru SUV.

What they did was to capture authentication messages sent from the control server to the car. Once they had these in hand they were able to send commands to the car using an Android based smart phone and that was pretty much it.

As more and more of the world goes wireless you have to worry about what security is (and can honestly be put) in place to protect from this type of attack. It is not uncommon for banks to run wireless as a backup (that is still open and in a passive state) many security cameras will operate over 3G now as well. With the SCDA vulnerability and one I have recently heard of that affects banking applications on both Android and the iPhone you have to wonder just who is in charge of keeping these things safe?

Source Engadget

Discuss this on our Forum

Published in News
Tuesday, 02 August 2011 21:42

You really can find everything on Google

84As the BlackHat conference kicks off in Vegas we hear rumors that some of the global Supervisory Control and Data Acquisition (SCADA) hardware is vulnerable over the internet. Although this is really nothing new what is new is that you can often find this hardware just by running the right searches on Google. According to Tom Parker, CTO at FusionX if you know the right strings and the devices you are looking for either have an embedded webserver or are connected to a system that is connected to the internet then you can send it control commands that can not only operate the equipment but could also cause permanent damage to it. Think of the scene in Die Hard 4 when the “bad guys” sent the commands to open up valves along the natural gas lines. This may sound far-fetched but it is not really.

The problem is that these devices are not sophisticated in the way we think about them. For example one that was used in the presentation is a PLC (Programmable Logic Controller) that they purchased with an embedded webserver (usually for easier operation) with this Parker’s team was able to find certain hardware strings and use Google to identify other PLCs on the internet. One even had a password attached to it. These controllers should never be on the internet as once they are compromised a malicious person (or persons) can wreak havoc on the systems they control.

If you ever wanted a clearer indication that the global infrastructure is vulnerable or that the old school corporate society is ignorant of how the world operates; here it is.  We said earlier to imagine Die Hard 4’s “Fire Sale” well in that scenario the hackers had to break into the system; in real life most of the control devices that can be located on the internet are not password protected, use no form of encryption (or simply cannot) and will not work with authentication… Scary when you get right down to it.

Source CNET

Discuss this on our forum

Published in News