Author Topic: Does your company take web security seriously

Offline Jimmy (Topic starter)

  • Regular Contributor
  • *
  • Posts: 224
  • Country: au
Does your company take web security seriously
« on: July 21, 2011, 12:42:32 am »
I was reading about Stuxnet and was thinking that if it wasn't such a targeted attack it could take out many things. I know my work is safe because all of our controllers are isolated from any PC or network and all of the batching of dangerous goods is done manually. But I suppose if it infects the programming software that I use to make changes it could be "fun".

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

 
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #1 on: July 21, 2011, 08:49:29 am »
What do you mean by isolated? Do you have a computer that has no network connections, plugged into the controllers, and you program from there? How do you get the program there? Because unless you write it on that computer you are screwed.

Stuxnet could get there through the network or a USB key, and all it took was a single infection to get through. It would install a kind of rootkit into the controller and patch the hole it used, so from then on it's impossible to detect or get rid of by usual means. You would have to disassemble it and use some internal programming interface to reflash it.

Rootkits are amazing; just imagine that you could right now have a rootkit on your computer and no antivirus in the world could detect it. You have to take the hard drive out to another machine and check it offline. Of course, that is assuming that the testing machine isn't infected and won't mask the presence of the rootkit on another drive :)
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #2 on: July 21, 2011, 08:55:38 am »
Quote
But I suppose if it infects the programming software that I use to make changes it could be "fun"

BTW, another thought on this. If you don't know how compilers are made: they usually start by bootstrapping in another language, and then as the language develops you can compile the new compiler using the old one. Then you have all the new features available, you can use them to write the new version and compile it using the old one, and so on.

I've read about some company that, for extra security, would compile their C compiler themselves. They would download all the patches, check them for malicious code and compile them using their internal version, thus knowing they weren't given a malicious compiler by a third party.

However, as they later found out, one employee had added a feature to this compiler. It would do two things: detect authentication code and add a backdoor with a fixed name and password that would be able to log in and gain all privileges; and second, detect when it was compiling itself and propagate this feature.

So they had an infected compiler that compiled itself, and while the patches seemed OK it would infect them. And all software compiled using this compiler was vulnerable.
 

Offline baljemmett

  • Supporter
  • ****
  • Posts: 665
  • Country: gb
Re: Does your company take web security seriously
« Reply #3 on: July 21, 2011, 12:05:04 pm »
Quote
However, as they later found out, one employee added a feature to this compiler. It would do two things: detect authentication code and add a backdoor with a fixed name and password that would be able to log in and gain all privileges; and second, it would detect when it was compiling itself and would propagate this feature.

Sounds like Ken Thompson's Reflections on Trusting Trust, which appears to have gone for a burton along with a lot of Bell Labs stuff recently.  Hence the Google cache link ;)
 

Offline Jimmy (Topic starter)

  • Regular Contributor
  • *
  • Posts: 224
  • Country: au
Re: Does your company take web security seriously
« Reply #4 on: July 21, 2011, 12:58:40 pm »
Quote
What do you mean by isolated?

Old laptop, network card disabled and only the original version of the software installed; I carry the laptop to the controller and download the program via RS232. I do burn backups to CD occasionally. I suppose if the laptop dies I would be in trouble. I know it looks pedantic, but if something goes wrong I know I will have to fix the problem.

At some of the companies I have done work for, the first thing they do is plug the internet in.

I worked for a company that doesn't own the rights to the software that runs their machines and has to rent the software, which is maintained by a company on the other side of the earth. I was new at the company and was called out to one machine that was doing weird things; it had been installed for only 2 weeks. When I got there the control screen was unresponsive and not talking to the PLC correctly. I rang the company that installed the machine; after half an hour (downtime was about 20k an hour) I was on the phone to tech support who didn't speak English well. I asked him whether anybody had changed anything on this machine and he said "no".

The plant manager was jumping up and down next to me, yelling at me for being on the phone while the machine was not running. After talking on the phone for another half an hour, with 20-25 people all staring me down, I asked the tech whether anyone had changed anything on this site in the last 5 hrs. He said "maybe". I told him to download the program, which he did, and the machine next to it stopped running. They had mixed up which PLC was for each machine and from the other side of the planet caused heaps of hair pulling.

I walked up to the plant manager and said if I am fixing a problem I don't need an audience; he interrupted, "what was wrong with the machine?" I turned around and walked away, wrote a resignation letter and left it on his desk, avoided talking to anyone or updating the maintenance logs, and left. When one of the other electricians asked me on my last day why I was leaving, I told him it was because I was spoken to like a dog, and he said that it was normal for this company, so I convinced him to leave too.
 

Offline Sionyn

  • Frequent Contributor
  • **
  • Posts: 848
  • Country: gb
Re: Does your company take web security seriously
« Reply #5 on: July 21, 2011, 05:08:33 pm »
Rootkits are detectable

through many ways, like

1. alternative trust medium like a CD or DVD
2. behaviour based: watching for API calls and overall timing and CPU utilization (major giveaway)
3. signature based detection
4. difference based, by analysing API calls
5. integrity check using cryptographic hash means
6. memory dumps and kernel dumps of kernel level rootkits

Most common rootkits are MBR rootkits, which aren't too hard to defeat.

If you're interested, Mark at Sysinternals has a rootkit detector comparing API results against the file system record:

http://technet.microsoft.com/en-us/sysinternals/bb897445
eecs guy
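Items 1 and 5 of the list above (trusted boot medium plus cryptographic hash integrity check) combine into an offline baseline-and-verify routine. This is an added Python example, not code from the thread or from Sysinternals; it assumes the checked disk is mounted read-only under a clean OS booted from trusted media, and the paths and tampering in the demo are constructed.

```python
"""Offline file-integrity baseline and verification (added example).

Build a SHA-256 manifest of a disk while booted from a trusted medium,
store the manifest off that disk, and later recompute and diff it the same
way. Running both passes from the clean medium is what denies a resident
rootkit the chance to filter what the hashing code sees.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: modified (hash changed), missing, added."""
    return {
        "modified": sorted(k for k in baseline if k in current
                           and baseline[k]["sha256"] != current[k]["sha256"]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the manifest on the trusted medium, never on the disk being checked.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def demo() -> dict:
    """Constructed scenario: build a baseline, simulate tampering, diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "system"
        (root / "drivers").mkdir(parents=True)
        (root / "drivers" / "disk.sys").write_bytes(b"MZ original driver")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        base = build_baseline(root)
        save_baseline(base, Path(d) / "baseline.json")  # off-disk in practice
        # Simulated tampering: driver replaced, extra file dropped, hosts deleted.
        (root / "drivers" / "disk.sys").write_bytes(b"MZ patched  driver")
        (root / "drivers" / "hidden.sys").write_bytes(b"\x00")
        (root / "hosts").unlink()
        return compare(base, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```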
 

alm

  • Guest
Re: Does your company take web security seriously
« Reply #6 on: July 21, 2011, 10:24:15 pm »
Quote
I know my work is safe because all of our controllers are isolated from any pc or network and all of the batching of dangerous goods is done manually.

Famous last words. Plenty of supposedly isolated systems get infected or hacked. The weakest link is always the people who are executing the policy. Especially if those people are complacent and believe they're perfectly safe.

Quote
rootkits are detectable

Some are. Modern hardware has some really nifty features like system management mode that are impossible to detect from software. As soon as the rootkit has full control of the system, it can hijack things like file system drivers so the checksums match. It can also remap the memory to hide itself. Gotta love those virtualization features!
 

Offline Jimmy (Topic starter)

  • Regular Contributor
  • *
  • Posts: 224
  • Country: au
Re: Does your company take web security seriously
« Reply #7 on: July 22, 2011, 01:51:59 am »
Quote
I know my work is safe because all of our controllers are isolated from any pc or network and all of the batching of dangerous goods is done manually.
Famous last words. Plenty of supposedly isolated systems get infected or hacked. The weakest link is always the people who are executing the policy. Especially if those people are complacent and believe they're perfectly safe.

rootkits are detectable
Some are. Modern hardware has some really nifty features like system management mode that are impossible to detect from software. As soon as the rootkit has full control of the system, it can hijack things like file system drivers so the checksums match. It can also remap the memory to hide itself. Gotta love those virtualization features!

Not famous last words: I forgot to mention I was the only one that looks after the programs. My boss told me to send a copy of the program to the machine manufacturer because I had made so many changes. After hiding the comments I printed the program out and faxed it to them; it took ages to send.

With Stuxnet it was not a hack that you would be looking for; it was a zero-day hack and wasn't even a rootkit. It changed the signals from the PC to the controller to do physical damage to the centrifuges in a nuclear facility.
 

Offline vk6zgo

  • Super Contributor
  • ***
  • Posts: 7588
  • Country: au
Re: Does your company take web security seriously
« Reply #8 on: July 22, 2011, 03:15:55 am »
One firm I worked for was paranoid about not only web security, but anything to do with their product, to the extent that they wouldn't even let us see circuit diagrams of their "motherboards" (which were really interface boards, & used standard National Semiconductor circuitry).
They didn't like it when I pointed out that the physical security of the building was so poor that a burglar could have got in "with a sharp fingernail"!

VK6ZGO
« Last Edit: July 22, 2011, 03:33:06 am by vk6zgo »
 

Offline Sionyn

  • Frequent Contributor
  • **
  • Posts: 848
  • Country: gb
Re: Does your company take web security seriously
« Reply #9 on: July 22, 2011, 04:50:28 pm »
Odd behaviour of hardware still exists with SMM/firmware rootkits, which is detectable, but maybe not so much by your average user.
eecs guy
 

Offline Bloch

  • Supporter
  • ****
  • Posts: 453
  • Country: dk
Re: Does your company take web security seriously
« Reply #10 on: July 22, 2011, 05:08:29 pm »
Well, always updated Windows and antivirus.

And Cisco firewalls.

No problems yet .....
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #11 on: July 22, 2011, 05:27:44 pm »
Quote
odd behaviour of hardware still exists with SMM/firmware rootkits which is detectable but maybe not so much with your average user

From an outside scope. Unless there is something wrong with the rootkit, you are unable to detect it while you run under its supervision.

Quote
Well always updated windows and antivirus.

And Cisco firewalls.

No problems yet .....

I agree, unless you are doing something crazy secret there is no need for excessive security. The only threat is a targeted attack, just like Stuxnet, and in that case you are screwed. There will always be a hole in your security, and someone will find it, sooner or later. But there is no need to make it easy for lame viruses with outdated systems.
 

Offline Sionyn

  • Frequent Contributor
  • **
  • Posts: 848
  • Country: gb
Re: Does your company take web security seriously
« Reply #12 on: July 22, 2011, 07:54:40 pm »
So detectable.

Besides, malware for the most part is VERY poorly written.

Stuxnet is different, most likely written by the Israeli government.

Also, it did not ruin or damage centrifuges; it merely made them appear and operate as if they were damaged.

eecs guy
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #13 on: July 22, 2011, 10:14:45 pm »
Quote
also it did not ruin or damage centrifuge it merely made appear and operate as if they were damaged.

Huh, from what I've read it alters the RPM once in a while for a brief moment, enough to sabotage the production but hard to notice. It also masks all the feedback that could indicate what is going on, so the system reports everything being fine while it messes up the process. But maybe that was a wrong analysis; I didn't follow it that closely, so in the end it could be some other way.
 

Offline Sionyn

  • Frequent Contributor
  • **
  • Posts: 848
  • Country: gb
Re: Does your company take web security seriously
« Reply #14 on: July 23, 2011, 01:04:12 pm »
Yeah, SANS had a good article on it.
eecs guy
 

alm

  • Guest
Re: Does your company take web security seriously
« Reply #15 on: July 23, 2011, 01:20:22 pm »
Quote
I agree, unless you are doing something crazy secret there is no need for excessive security. The only threat is a targeted attack, just like stuxnet, and in that case you are screwed. There always will be a hole in your security, and someone will find it, sooner or later. But no need to make it easy for lame viruses by outdated systems.

Sure, no need for extreme security for many applications. Just keep in mind that a determined person can most likely get their hands on your data, and plan for that.

Quote
so detectable

A lone photon is also detectable. Doesn't mean you will detect it. Yes, if you hook up a logic analyzer to the CPU, you can likely detect it (or at least the presence of SMM). Short of that, I wouldn't count on it. Rootkits can remain dormant until a specified time or trigger; how will you detect them?

Quote
besides malware at its most part is VERY poorly written

Underestimating your enemy is a good start. Yes, your average virus is often fairly poorly written, but there are also very talented people working outside whatever group was responsible for Stuxnet, organized crime for example. Or industrial espionage. Or DRM (think Sony) ;).
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #16 on: July 23, 2011, 02:03:24 pm »
Quote
(think Sony) ;).

To be fair, all the attacks against Sony are their own fault. The security holes were so lame it boggles the mind how code like that could get into production. They must employ the most incompetent people ever.

Also, while rootkits are impressive, I like botnets much more. The asymmetric cryptography we have today makes it easy to give them updates and commands over any channel you want, yet nobody except the creator with the private keys can do it.

For example, there are botnets with millions of infected computers that generate a few hundred domain names for each day and check them for instructions. Security researchers tried to stop it by purchasing all the domains before the attackers, thus making it impossible for them to issue commands. But all the attackers had to do was register a domain many days in the future (that would be a few thousand domains and the researchers couldn't just buy them all) and deploy an update that made it a few thousand a day. Later they changed to a peer-to-peer architecture, so now we don't even know how big the botnet is (before, you could count the visits to the registered domain). I tried finding the name of this botnet and the article I read about it, but no luck. I found a few that have a very similar behavior, so this is probably very common these days.
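The behaviour described here, an infected host trying hundreds of generated names per day, most of which nobody has registered, is also what a defender can look for in resolver logs. This is an added Python example, not from the thread: it scores each client on the number of unique, random-looking second-level labels it queried and the share of those lookups that returned NXDOMAIN. The log lines and the thresholds are constructed for the demonstration.

```python
"""Triage of DNS resolver logs for domain-generation beaconing (added example).

A host running a domain-generation algorithm queries many unique, random-
looking names per day and most resolve to NXDOMAIN because the operator only
registers a handful. Legitimate clients repeat a small set of real names.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qname> <rcode>"
LOG = """\
1311408000 10.0.0.5 www.example.com NOERROR
1311408001 10.0.0.5 mail.example.com NOERROR
1311408002 10.0.0.5 cdn.example.net NOERROR
1311408003 10.0.0.9 qzxkvprtwmbnd.com NXDOMAIN
1311408004 10.0.0.9 hjfyrnsplwqzc.net NXDOMAIN
1311408005 10.0.0.9 tbxmkqdrvlpzw.org NXDOMAIN
1311408006 10.0.0.9 gvnzpkwrtfqxd.info NXDOMAIN
1311408007 10.0.0.9 sxwqlnprvtzkb.com NXDOMAIN
1311408008 10.0.0.9 mkrzvtqwxnpld.biz NOERROR
1311408009 10.0.0.9 www.example.com NOERROR
"""


def second_level_label(qname: str) -> str:
    """'a.b.example.com' -> 'example' (naive: ignores multi-part public suffixes)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())


def looks_random(label: str) -> bool:
    """Heuristic: long label, high character entropy, few vowels."""
    if len(label) < 10:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) > 3.2 and vowels / len(label) < 0.25


def score_clients(log: str) -> dict:
    """Per client: unique labels, NXDOMAIN ratio, random-label ratio, verdict."""
    stats = defaultdict(lambda: {"labels": set(), "nx": 0, "total": 0, "random": 0})
    for line in log.splitlines():
        _ts, client, qname, rcode = line.split()
        label = second_level_label(qname)
        s = stats[client]
        s["total"] += 1
        s["nx"] += int(rcode == "NXDOMAIN")
        if label not in s["labels"]:
            s["labels"].add(label)
            s["random"] += int(looks_random(label))
    report = {}
    for client, s in stats.items():
        n = len(s["labels"])
        nx_ratio = s["nx"] / s["total"]
        rand_ratio = s["random"] / n
        report[client] = {
            "unique_labels": n,
            "nxdomain_ratio": round(nx_ratio, 2),
            "random_ratio": round(rand_ratio, 2),
            # Require both signals so a single mistyped name never trips it.
            "suspect": n >= 5 and nx_ratio >= 0.5 and rand_ratio >= 0.5,
        }
    return report


if __name__ == "__main__":
    for client, verdict in score_clients(LOG).items():
        print(client, verdict)
```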
 

Offline Wartex

  • Frequent Contributor
  • **
  • Posts: 411
  • Country: ca
    • http://headsplosive.com
Re: Does your company take web security seriously
« Reply #17 on: July 23, 2011, 02:23:32 pm »

Quote
Rootkits are amazing, just imagine that you could right now have a rootkit on your computer and no antivirus in the world could detect it. You have to take the harddrive out to another machine and check them offline. Of course, that is assuming that the testing machine isn't infected and won't mask the presence of the rootkit on another drive :)

Piece of cake. Leave the computer idle and look in the router, or use the CurrPorts utility, for in/outbound connections; write down the IPs and google them or find the destination network to see if it's suspicious. If the IP has not been flagged yet by anybody else, plug the HDD into a 2nd PC and do a file content search for the IP in plaintext and HEX formats, checking if files are compressed (UPX/ZIP/BZ/RAR etc., for example) and decompressing them before doing the binary search.

If the rootkit is encrypted and polymorphic, most decent antiviruses will flag the code that does the decryption. Yes, they are hard to get rid of, but not THAT hard.

Because modern antivir companies have true hackers working there, in the proper meaning of this word, the game is different now. Virmakers are always a step ahead because they try to write something NEW, but the antivir guys know most of the tricks, so even new shit can be killed off. The antivir companies have dozens of highly competent hackers working for them, while the number of equally skilled virmakers is very small.
 

alm

  • Guest
Re: Does your company take web security seriously
« Reply #18 on: July 23, 2011, 02:48:38 pm »
Quote
(think Sony) ;).

To be fair, all the attacks against Sony are their own fault. The security holes were so lame it boggles the mind how could code like that get into production. They must employ the most incompetent people ever.

I was referring to Sony's misguided attempt to install a rootkit as DRM.

Quote
Later they changed to a peer-to-peer architecture so now we don't even know how big the botnet is (before you could count the visits to the registered domain).

Quite ingenious indeed. Gotta love all those millions of unpatched, poorly maintained drones.
 

alm

  • Guest
Re: Does your company take web security seriously
« Reply #19 on: July 23, 2011, 03:55:39 pm »
Quote
Piece of cake. Leave computer idle and look in the router or using CurrPorts utility for in/outbound connections, write down the IP and google them or find destination network to see if it's suspicious.

Assuming the rootkit is stupid enough to communicate all the time, as opposed to staying dormant until a certain point in time or a passive trigger. Something like CurrPorts is obviously useless; any half decent rootkit will cloak its files and sockets.

Quote
If IP has not been flagged yet by anybody else, plug the HDD into a 2nd PC and do a file content search for the IP in plaintext and HEX formats, checking if files are compressed like UPX/ZIP/BZ/RAR etc for example and decompress them before doing binary search.

Assuming it's using regular files for storage, and not free space or some other form of non-volatile storage like EEPROM.

Quote
If the rootkit is encrypted and polymorphic, most decent antiviruses will flag the code that does decryption. Yes, they are hard to get rid of but not THAT hard.

If it's just about obfuscating an IP address, something simplistic like rot13, XOR or NOT would be sufficient, and unlikely to be flagged as encryption.

Quote
Because modern antivir companies have true hackers working there in the proper meaning of this word, the game is different now. Virmakers are always step ahead because they try to write something NEW, but antivir guys know most of the tricks, so even new shit can be killed of. The antivir companies have dozens of highly competent hackers working for them, while number of equal skill virmakers is very small.

Anti-virus software is fine if you're not in the first group being infected (they need time to receive samples and send out new signatures), but it's by definition reactive. If the attack is very targeted, like Stuxnet, detection by anti-virus companies may also be hard. Do (did) they keep SCADA systems with the required Siemens hardware around as honeypots? I believe it took at least a few months from the release of Stuxnet to discovery by a security company; that's a few months' time to wreak havoc. Even with large-scale worms, which are detected faster, there's still a window of opportunity to infect systems before anti-virus becomes active, and as soon as the system's infected, detection by anti-virus may be very hard.

Yes, most of us are low-profile targets who are not likely to be the subject of a targeted attack, but don't kid yourself that you're safe; it's just that nobody cares enough.
 

Offline ndictu

  • Regular Contributor
  • *
  • Posts: 211
  • Country: sk
Re: Does your company take web security seriously
« Reply #20 on: July 23, 2011, 04:20:34 pm »
Quote
If it's just about obfuscating an IP address, something simplistic like rot13, XOR or NOT would be sufficient, and unlikely to be flagged as encryption.

Pretty much everything but storing an IP string will prevent a simple search. Also, you never want to store a fixed IP; too easy to shut down by the authorities. Domain generation is a simple solution because it gives you many predictable domains that you can point to your IP (or the IP of a free webhosting and not leave any trace of your identity). In fact, you don't even need an IP: DNS records can have text data in them, so if you just want simple commands and don't need much data transferred, just use that.

P2P is even better, but very complex and probably very hard in the beginning when you have just a few infected machines.

Quote
Yes, most of us are low-profile targets who are not likely to be a subject of a targeted attack, but don't kid yourself that you're safe, it's just that nobody cares enough.

Exactly. The same reason many people think Linux doesn't have viruses. Of course it does. But since the desktop use is minimal, nobody cares, so there is very little. Same with Mac. For servers, most of the time the system is maintained by a competent person, so the typical carpet-bombing viruses won't work and there are targeted attacks. There are many different exploits for Linux apps and kernels, and if you don't keep up to date any noob can download these exploits and use them against you. And then, of course, there are zero-days.
 

Offline Sionyn

  • Frequent Contributor
  • **
  • Posts: 848
  • Country: gb
Re: Does your company take web security seriously
« Reply #21 on: July 23, 2011, 05:43:37 pm »
Agreed, like a super node structure and a list of compromised domains, much like the Conficker worm.

Antivirus is bad though; it's more of a behaviour issue. You can't really rely on antivirus, they're not very hard to circumvent.

It's all really a behaviour issue when it comes to malware defence, but as many administrators know, end users can and will do anything.
eecs guy
 

