ListenerFeedback4

From Paul's Security Weekly
Jump to: navigation, search

We need to review e-mails from October 14th forward. Check your e-mail clients, and flag some for your inclusion.

We'll post any links discussed here.

GENERAL

- Tips for people looking to get into computer security. Certifications? Places to start? General career advice?

- Wireless Cards - What are the two best ones and why? Someone needs to write an article....

- Funny: http://securityweekly.com/MSUpdateVirus.jpg

Corrections

- PHP file includes - we are planning another segment. One glaring error, yea no you can't view source in PHP pages.

-Guys,

I noticed during the Anniversary episode that you all were referring to x.509 certificates as "SSL certificates". As you were talking about using then to protect e-mail, there is no SSL involved there, as the standard used for that is S/MIME. Digital certificates can be used in a series of things, including but not only SSL. Usually, when you use certificates to protect TCP connections, it's part of a SSL usage. However, you can use them in other situations, like S/MIME, IPSEC (Windows does that) and Kerberos authentication (Windows again).

Augusto

- OS X kernel source is open, but you cannot compile your own kernel, just look at the source. Yeaaa.

- http://www.networkworld.com/community/?q=node/9520&netht=120606netflash - Slower Wifi speeds around the holidays?

[Paul Asadoorian] #1

Just kind of an off the wall question but I thought I would ask anyway. Do you guys have a favorite hacker movie? And another question I had was how did you guys get into penetration testing? Thanks.

Donnie Shroyer

DFAS-TIIOD/DE

ELAN Infrastructure/ Network Engineer

[Paul Asadoorian #2]

I managed to catch your live show at SANS in Las Vegas… really good time. SANS ISC had this link to hacking Tor nets and I immediately thought of you guys. Would you care to weigh in on this in a future show? Thanks!

http://isc.sans.org/diary.php?storyid=1794&rss

Jason

Security Weekly #3

Guys - love the podcast / change to hear you guys chat.

Sophos basically says that Symantec and McAffee are just wining about the kernel lockout and PatchGuard in Vista because they are not prepared (read smart) enought to do AV the way Sophos has.

http://sophos.com/pressoffice/news/articles/2006/10/vista-admins.html

Although their approach is not just file evaluation & pattern matching but Behavioural analysis.

What do you guys think??

It seem to possibly be getting closer to the idea of blocking what is not normal on the host. We should have an allowed list of actions and applications - most users only do X number of items 99% of the time IMHO.

~d -- David

Security Weekly #4

I recently put together a computer from the spare parts laying aroung the house. I found that the cdrom i was using did not work. I figured that I would use a distro of linux that boots off a usb drive to copy the windows install image to another partition on the HD so I could install it with a boot disk. The mother board didnt support usb booting. After some searching I can across this utility. Being as l33t as your sk1llz are you probably have a better way of doing tcp/ip via dos. This is a pretty good tool for the ubertechno challenged ( like me ). Great show keep up the great work.

http://www.netbootdisk.com/index.htm

ps. Paul, I watch Weeds too.

Chuck

Security Weekly #5

First off, thanks for the great Podcast. You guys are by far the most entertaining and educational InfoSec show going.

Couple of questions:

- WRT hacks: is there any update on the book you are writing? I'm running both OpenWRT and DD-WRT on WRT54GL but haven't really connected the dots on how this could be used in a pen-test scenario. I've figured out how to do kismet_drone, Nmap, Snort and Asterisk (sort of) but the best use so far seems to be using the WRT as a netcat relay because of memory limitations. There's gotta be some cool ideas like running Karma or ....? What do you guys do with them? How about a Top-10 list?

Eskimoke

Security Weekly #6

Haven't heard you guys mention anything about the new Wireless USB standards yet, it is an emerging technology and I am catching up on podcasts...so whatever...

Here's the details on the spec;

http://www.usb.org/developers/wusb/

In the lines of security it sounds like an ouch to me (bluetooth x10).

Anyway, great show.

Mike Edmond, OK

Security Weekly #7

Hey Guys;

I've been providing IT support services for small businesses for longer than I care to remember and have a question in regards to web and email content filtering. I have a particular client that has about 35 seats and is becoming concerned about inappropriate web and email usage. They want to be able to lock down http usage, and perhaps even monitor frivolous email messages. Is there one particular product you would recommend? I think I'd lean towards a hardware appliance solution and I realize there's a bunch of options out there, but just want to get some feedback from the PSW gang.

By the way, absolutely love the podcast and look forward to each new episode. I'd love to see a small How To/walk through segment for us old geeks (example: the actual steps and commands required to run a certain nmap option, etc). Keep up the great work!

Hemmy

[Larry] #1

Guys,

Just wanted to drop a couple notes on your commentary cause I work in the Control Systems / Critical Infrastructure Security area.

There are countless QNX locals that are public, and i think a dozen or so remotes. I believe there are a few in milw0rm but most are located in the openqnx forums.

There are government regulations for Nuclear and Energy sectors for "cyber security". See NERC / FERC regs, and the NRC Nuclear Regulatory Commission. As well as upcoming guidelines from the Chemical sector.

If you're a Infragard_Secured list member by chance theres always information about this kind of stuff on there, as well as SIGs (Special Interest Groups) for a few of the Critical Infrastructure sectors. Also as mentioned in the ABCNews.com article WaterISAC was all over this one with the FBI, for each of the Critical Infrastructure sectors I'm pretty sure they have ISACs, much like they do for the Education / University arena right?

I'm not sure about the statement about moving the embedded devices to QNX, maybe you can clear that opinion up for me Twitchy. A lot of these "embedded devices" the ones truly at the end points controlling release of chemicals / valves, or controlling the flow of grid components, really don't need something like QNX, nor do they currently run them. The most advanced (and expensive) ones now come with embedded web servers, and snmp daemons to enable operators to read setpoints, etc. I find it way out of scope to run a full embedded RTOS on these things, the network stacks of veteran RTOSes may be more reliable but it comes at the price of having to secure an entire RTOS and all it's services (default install of QNX 6 -- the only thing I have installed right now -- has 8 network based services enabled) versus *maybe* a small static page only web server, and limited SNMP daemon and mib.

You're all right in wondering why these types of systems with direct control of infrastructures like this are connected to the internet but I'm not sure this incident is one of those cases. I haven't read all the coverage but at CIO.com (http://www.cio.com/blog_view.html?CID=26274) I read it like someone laptop was infected at home most likely via browser exploit and spamming / spyware software was installed, that person then brought the laptop into work and plugged it into the plant's network (which may or may not be directly connected to the internet). I don't mean to downplay the impact this incident *could* have had, but it seems like on every one of these incidents involving infrastructure, it's blown way the hell out of proportion and instead of a browser exploit -> spyware incident, it's a OMGWTFBBQ thing where some foreign government was plotting to poision people. Maybe the industry needs to be scared like that, but that doesn't make it any less disgusting to see the FUD.

Longer than I expected sorry fellas :) Happy early anniversary.

Ty

[Larry] #2

From an unamed individual:

Security Weekly security:

I am replying to your comments regarding control system (SCADA) security. There are several factors that must be considered before blanketly applying best practices. I would also like to address some issues regarding regulation and non-regulation in the control system industry.

I have a background in I.T. network management, I.T. security and engineering of control systems. I am under NDA agreements with multiple customers and therefore cannot speak on any particular system and as such can only comment generally. I have experience in the power, chemical, and food industries.


1. Generally control systems are updated infrequently. This is a gigantic concern of the real security professionals of which there are very few in SCADA (Supervisroy Control And Data Acquisition) systems. My recent experience has been in power plants. It is not unusual for turbine generator units to operate for months at a time without stopping. Extended downtime is generally scheduled every 12-18 months and longer downtime periods allowing complete system upgrades are generally every 4-6 years.

This has some serious concerns for system upgrades. Typically in the power industry, the only opportunity to complete major systems upgrades are every 4-6 years. This results in the fact that many control systems are years old and are running operating systems such as Solaris 2.5 and Windows NT. This introduces major security vulnerabilities that will not be fixed.


2. There are life safety and enviromental safety aspects to many of the control systems in the power, chemical, and water industries. These risks apply to employees and the general public. The risk of a malfunctioning control system is very high and can cause catastrophic equipment failures endangering employees. Malfunctioning control systems also can cause catostrophic HazMat releases or improperly handled food, pharmaceuticals, and wastewater. This safety risk issue works both ways. The requirement to safely operate a manufacturing plant is dependent on the plant not being hacked. The requirement also requires that any upgrades to any piece of software including anti-virus software must be thoroughly tested and cannot generally be applied while online. Note there are ways to safely do this online but these techniques are not trusted by the engineers (typically not IT) people in the field that maintain these systems.


3. Ideally there would be an airgap between the control system and any other network. In the real world this is not practical. Many control systems also have tools that collect and archive every point in the control system and store that data long term. For this information to be useful, this information must be rapidly available to engineers, management, and safety staff. These tools are often used for process optimization, engineering upgrade design, and environmental regulatory compliance. There are places where this information is provided directly to environmental regulators to support real time compliance monitoring. Unfortunately, this is also valuable information to attackers.


4. The process control hardware and software industry has not generally understod the importance of patching systems and maintaining quality security systems. Some newer regulations discussed later are starting to change this attitude primarily due to economic pressure.

One common answer I have heard when discussing security with vendors is that "If it isn't broke, don't fix it." They do not understand that once it is broken, it is too late to fix it. Much of this attitude stems from:

 - Historically these systems have been air-gapped from corporate networks
 - The primary measure has not been security but has been reliablity.  Each trip (unplanned shutdown) of a power plant will cost up to $100,000 in lost production and other related costs.  Similar numbers apply to other large manufacturing industries.  In petro-chemicals/oil these numbers are often much higher
 - Only in the last few years has TCP/IP become the dominant protocol in the industry and is probably at about a 50-60% adoption now. It is about 95% for new installations and upgrdades. Typically these systems have used propietary hardware and networking protocols.  These protocols were not built with security in mind, only availability


5. Availablility is designed in from the beginnning. Almost all systems have redundant control user interface computers. These systems are often known as operator consoles or Human-Machine interfaces (HMIs). The operator console master information is typically stored on a central computer that is used for engineering and design. This system does not need to be available for the control system to operate, only to make engineering changes. All information is then duplicated on every computer so as not to be dependent on any single computer for reliability.


6. The skill level of the majority of control systems engineers is not in I.T. It is in engineering and design of industrial controls. The network management was only because it had to be done. I know of multiple engineers that maintain these systems that only know the very basics of networking. In some cases, they do not even know what DNS is and might know what a host file is if naming is required by the control system. This is finally starting to improve dramatically as more recent college graduates are becoming common in the field.


7. The medium sized facilities/companies are finally getting some networking skills in the control systems groups. The very large companies have typically had I.T. working with the controls groups due to size and risk levels involved. Small companies still typically outsource to an engineering company to implement and do not have the skills to maintain the network much less understand the network.


Some of the all to common scary vulnerabilities that exist.

- The use of the administrator account by way too many people is common. It is not unusual for all engineering to be done from the administrator account and that account password is likely known by multiple people. This eliminates the need for the responsible person to actually learn network security. It is not even unusual that instrumentation technicians that maintain the field hardware to know this password.

- Systems are rarely and frequently never patched. The if it isn't broke, do not fix it attitude is as common among administrators as it is among vendors.

- Use of anti-virus is rare. The risk of a malfunctioning control system due to an anti-virus update malfunctioning is scarier than a virus or worm appearing on a network to the control engineer. This is because they understand and trust the emergency trips they have designed more than they understand the vendor supplied software.

- As the use of data collection systems increased, it was common to put two interfaces on the data collection server and tie one into the control system and the other into the corporate network. This allows a single exploit against a key computer to leave the entire control system vulnerable and unpatched. Only in the last 3-5 years has it become common to use firewalls to separate these networks. I know of several cases where the controls network was on the corporate network and am even aware of one VoIP system that ran across a control system to service PCs in control rooms.

- Wireless is beginning to be used for data collection and controls. The skill levels are not there to support the wireless networks. Think of the average wireless router in the house on a control network. At least the hardware is typically specialized and cannot be used without basic security enabled. One minor benefit is that physical access to a site is required to access these networks gue to electromagnetic noise typically in these plants providing longer distance access - though this almost assuredly can be beaten.

- An unbelievable level of trust among engineering staff that the physical security of the network protects the network.

- The use of default vendor passwords is especially scary and I would estimate that half of all control systems use vendor default passwords. This is less common though not uncommon among the larger high public safety risk industries.

- The use of common vulnerability assessment tools such as Nessus will crash systems. In some csaes, these vulnerability assessment tools will crash systems other than the system being scanned if completed over the network. Some older systems will crash as a result of repeated pings or ping sweeps on a network.


The situation is finally beginning to improve. There are some voluntary/semi-voluntary standards being developed to mandate security to be built into control systems networks in specific industries. These include:

- NERC (North American Electric Reliability Council) Critical Infrastructure Protection program. NERC has historically been a consortium of electric utilities and businesses that transmit power across the cross country high voltage lines. This standard is in process to become a government regulation. I have attached a copy of this standard so that you can see how week the standard is in places. For example, passwords must be 6 characters in length, non-default passwords, and changed annually. Their definition of a vulnerability assessment is also entertaining.

- ISA-SP99 (Instrument Society of America) security standard. This is still under development. This should finally be real pressure to the rest of the manufacturing industry vendors as it will set a standard for vendors not dependent on the power industry. It is expected that compliance with SP99 will be a common specification that can be mandated in the control systems acquisition process.

- MS-ISAC (Multi-State Information Sharing and Analysis Center) has a separate program to identify standards for selection of control systems. This program is being completed in conjunction with SANS.


Finally, the federal government's ISAC centers are also beginning to place pressure on some industries. There are serveral separate ISAC programs (separate from the above). These ISACs are private industry organizations that work closely with DHS. The real level effectiveness is not yet known and will vary between industries. Some of the ISACs include:

Agriculture Banking and Finance Chemical Industry and Hazardous Materials Electricity Oil and Gas Water

A more complete listing can be found at http://www.ni2ciel.org/ISACs


I hope you found this background information interesting. I really enjoy your podcast and find it far more valuable than the trade rags for staying informed on real threats and vulnerabilities. I believe the security industry and the controls industries needs some understanding of the risks related to manufacturing controls systems.


[Larry] #3

Guys,

You have probably answered this question 1000x, well make this 1001. I am a software developer in the VoIP field (my company manufactures VoIPGW's) and I am interested in transitioning to the computer forensics/security field.

I have read some postings on the securityfocus mailing lists where folks quibble over certs vs education vs experience, its all good but I will pose the question anyway, how do you guys think I should try and transition into this field?

Should I get a cert or two, should I try to apply for jobs in the field and play up my development, troubleshooting & VoIP experience?

I currently listen to all the relevant podcasts (Cyberspeak, Security Weekly, BlueBox and yes SecurityNow), I have a few books though they are more geared to computer forensics and analysis.

Just looking for some feedback from those in the know.

Thanks,

Grim Reaper

[Larry] #4

Hey guys,

A friend and I have servers that are just alike. Both of them are Exchange Servers, Domain Controllers, and basic web servers. We're looking for a server software firewall that will work well with our setups. We have had Outpost Firewall installed (www.agnitum.com/products/outpost/) and it did the job well, but a little too well. It didn't let a lot of things through, including a lot of things that were going back and forth in Exchange. This is more of a personal firewall instead of a server one.

Any suggestions? Thanks.

-Drew

[Larry] #5

Hey Guys

Great show!!!! I was hoping to get your opinion of something I learnt today in a vista class. I know windows bad, but it's how I make a living. Vista and Longhorn have a tool called "winrm" and it is a remote shell program. Basically you can execute commands on a remote machine on your network, ie ipconfig etc... The easiest way to set it up is winrm -quickconfig. Which is what I think most lame admins will use. The program then communicates via http, no certificates unless you set them up. It can work via https but that would require more effort.

To execute commands on a remote machine you need to be a domain admin, not to hard to get. My question is, is this as bad as I think it is? Say you gain domain admin rights in a large orgainsation you could very easily execute a command across the whole domain with very little effort.

I am new to the security world so I am learning as much as I can and woud be interest in your opinion on this command.

Take it easy.

Joshua

All the way from Melbourne, Australia

[Larry] #6

Hello from Finland guys,

First of all thank you for a great podcast and for rekindling my interest in security. For a good while now I've been ok with just knowing what to do with my networks without paying much attention to why I'm doing it. After listening to your podcast and keeping up with the blogs, I've really been anxious to get a deeper understanding of network security. I'm a software developer (sounds so much better than "low level code monkey" doesn't it?) so most of it isn't strictly my field but I'm fascinated by it none the less. I'm sure you guys know what I'm talking about.

So to this end I've been planning on rebuilding my home network to allow me to mess around and test the security of different network solutions without... you know, breaking the law. So essentially I have two questions for you:

1) How's the Apple MacBook as a hacking/pen testing platform? 2) Where can I get a good pair of emo glasses? The ones I have don't match the color of my Web 2.0 social networking site and...

Kidding. Haha? No? Moving on.

I like the idea of having Linux, OSX and Windows on the same machine and the MacBook is the only machine (that I can currently afford) that I can legally do that on. How's the wireless chipset and can you live with the lack of a PCMCIA slot? Is there any benefit to getting an external PRISM2 chipset card etc. and if so, what would be good for all three OSs. Info like that would be much appreciated, since the thing isn't cheap and I'd like to hear what it's actually like hacking-wise from people who don't have Apple logos tattooed on their foreheards...

And I actually do have a second question. Or I'd like a quick opinion, rather. My current home network is really bare bones right now so I'm buying some new gear soon to accompany the potential new notebook. I'm not asking for a review of my suggested devices or anything but I'll make a nice and confusing network map below and could you just tell me if at first glance there's something blatantly wrong with it, á la "Man, every n00b does that! Don't get Device A(tm), it's teh suck!" or something. Again, big thanks are in order.

So that's it. Honest. No more lengthy paragraphs or boring questions. There is the network map, tho...

Again, a huge thanks for all the stuff you guys put out. It's much appreciated all over the world.

All the best,

-Asko Aavamäki (Finnish names weren't made to be pronounced by sane people, so I'll go with "Hace". Which is supposed to rhyme with "case", "base" and "chase" even if it doesn't...)

PS: I kinda wondered if I should've posted this on the FiT forums or something, but I really wanted to know the security point of view, so I decided just to ask you guys :)

[Larry] #7

Larry,

Just curious if you had a recommendation for a commercial tool to replace LOphtcrack ... it appears that Symantec is not selling it anymore.

I need to do an evaluation of passwords on a Windows Active Directory domain.

Thanks!

Steve