Thursday, September 27, 2007

The "Invisible Threat" at the End of the Fiscal Year



It's hard not to be cynical these days, especially when you see topics you have some knowledge of (or know the folks that are getting quoted) show up in the media. So the timing of the leaked/intentionally released "staged cyber attack" right before appropriation time makes a lot of sense. Get those earmarks while you still can. "Got to get them Dead Presidents" (to quote Tim Fite.)

From the CNN Story
The White House was briefed on the experiment, and DHS officials said they have since been working with the electric industry to devise a way to thwart such an attack.

"I can't say it [the vulnerability] has been eliminated. But I can say a lot of risk has been taken off the table," said Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate.

Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix.
And from the AP Story (written by our old friend Ted Bridis, no doubt.)
President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation." Ominously, the Idaho National Laboratory — which produced the new video — has described the risk as "the invisible threat."
Given that most people in the field know this sort of thing has always been possible, I'm curious why it has taken this long. Why now? It's been a month or two since the Black Hat press cycle. To me the fact that this experiment was leaked/released to the public is either a sign of immense vitality (things could never be better!) or extreme sickness for the SCADA Security community (the naysayers are questioning why so much money is being spent). If I were forced to pick, I would go for the latter.

To me this attack is more interesting if taken more literally, meaning you don't try to make the stretch to large-scale generation assets. How many large data centers have comparable generators? And then there is HVAC. With all the focus on Power Grid security and Process Control security, the folks over in Building Automation Systems are still back in the euphoric glory days of web services and the wonders of TCP/IP-enabled embedded devices. Think about the comparable sort of HVAC equipment (or controllers) that is often directly connected to campus networks (nothing like seeing BACnet broadcasts when you sniff traffic on your switch port to make you feel warm and fuzzy.)

If the "risks have been taken off the table" then what is the point of the smoking generator? IMHO, the video was sort of a letdown. And the endgame is not nearly as interesting as the access requirements, components under attack, the messages getting sent, and specific sequence of events necessary to get there.

Saturday, September 22, 2007

Outing PeerTAB

Some time back when it was still cold (probably in April, around the time we had that last really wet snowfall of the year, perhaps even when I shot this video of my kids beating up our snowman -- it is amazing how many "snowman beating" videos are on YouTube) I got this wacky idea while stuck in traffic.

So the question I had was: why haven't we seen any global (or even enterprise-wide) log/traffic/alert sharing tools which use P2P technologies? Why haven't we seen a decentralized DShield? The answer, several months later, was PeerTAB.

Obviously there is no code yet, but there is a reasonably refined set of requirements. Just to be clear, this is not another log analysis tool, or a SIM. It is basically a [hopefully] thin layer on top of JXTA that would allow stuff like Snort logs, netflow data (let's say from flow-tools), mod_security logs, or whatever to be contributed and searched across a global (or localized) P2P network. I had some initial success in using JRuby and JXTA but there is a lot more to do, so stay tuned.

And if you have any interest in learning about P2P networking APIs, have some minimal level of Java/Ruby competence, and want to get involved in the project, let me know.

So which mods brick the iPhone/iTouch?

So between Steve Jobs's threats to combat hackers and the "genius" (who had this annoying cocky swagger) at the local Apple store in Skokie gloating about how users that hack their iPhones won't get support and others will automatically be "bricked" when they run iTunes, it will be interesting to see what happens and how open the platform stays. For me running arbitrary apps is the whole point of even buying one of these devices.

Thursday, September 20, 2007

GNUCITIZEN: I liked you back when you were a temp!


About a year ago I started following GNUCITIZEN (back when it was just PDP) because the graphics were cool and there was interesting content like running Jython within your browser and even the AttackAPI.

But things started to get less and less interesting as GNUCITIZEN hit the Web 2.0 Security warpath--and other folks started blogging besides PDP. Then came the Firefox vuln (yeah, the one you just updated for) and then today's pre-disclosure of an Acrobat 0-day.

The site is certainly on a downward trajectory, and it was with a certain sadness that comes this time of the year [in North America, when you know the days are getting shorter] that I read the profound advice not to open any PDFs. Another non-actionable disclosure. If you are going to pre-disclose (which I disagree with, but fine!) at least provide something useful, like a PoC. Otherwise, what is the point? A site that had the potential to be something interesting and off-beat like lcamtuf has devolved into banal disclosure posturing. And we certainly could use a lot less of that.

Oh, but it looks like the site is now down, so it's not a total loss.

Wednesday, September 19, 2007

New Click Router Release!


While there are loads of crude packet generators like hping, sendip, and nemesis (and back in the day I used to use a set of tools called spak in a TCP/IP Security course I wrote back in 1998) that you could use to reproduce various L2/L3 attacks or send an arbitrary frame, if you need tight control of the packet rate and packet size (like SmartBits/Avalanche) to do performance testing of forwarding devices, the free/Open Source tools are pretty primitive. The built-in Linux packet generator allows a mean spew of frames (I measured around 300kpps on my T-61!) but it is either a firehose or a trickle, since the delay mechanism was just not effective for setting a consistent packet rate.

The Click Modular Router, however, does not suffer from these limitations, and I used it extensively this spring when I was comparing interrupt utilization across OpenBSD and FreeBSD PF implementations. But unfortunately it only ran on older kernels (and believe me, I tried), so today's release is good news.
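As an added illustration of the rate control described above (not code from the original post or from the Click project), a user-level Click configuration that emits minimum-size UDP frames at a fixed packet rate toward a device under test and counts what comes back. The interface names, addresses, rate and packet count are assumed placeholders.

```click
// Added example, not from the original post or the Click distribution.
// Assumed: eth1 faces the device under test, eth2 receives its output;
// addresses, rate and LIMIT are placeholders to adjust for your setup.

// 1. RatedSource emits the same dummy payload at a fixed rate.
//    Positional arguments: DATA, RATE (packets/sec), LIMIT (total, -1 = unlimited), ACTIVE.
src :: RatedSource("xxxxxxxxxxxxxxxxxx", 50000, 5000000, true);

// 2. 18-byte payload + 28 bytes UDP/IP + 14 bytes Ethernet = 60 bytes on the wire
//    (64 with FCS), the worst-case frame size for packets-per-second testing.
src -> UDPIPEncap(10.0.0.1, 1234, 10.0.0.2, 5678)
    -> EtherEncap(0x0800, 00:11:22:33:44:55, 00:aa:bb:cc:dd:ee)
    -> tx :: Counter          // 'rate' handler reports the achieved pps on the way out
    -> Queue(1024)            // push-to-pull boundary that ToDevice requires
    -> ToDevice(eth1);

// 3. Count frames forwarded back by the device under test; frames lost
//    by the forwarder = tx count - rx count once the run finishes.
FromDevice(eth2, PROMISC true) -> rx :: Counter -> Discard;
```

Run it with `click` as root and read the `tx.rate`, `tx.count` and `rx.count` handlers (for example through the control socket or the `-p` port) to compare offered versus forwarded rate.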

I have been meaning to release a UbuntuTrinux-Click release that has an easy to deploy version of Click. Maybe this will help me get on to that task.

Sunday, September 16, 2007

iPhone Never, iTouch Maybe -- it all depends on the Apps



So even after the price drop, the iPhone is not tempting, but my [almost four year old] daughter couldn't keep her hands off the iTouch at the local Apple store, and I'm intrigued whether you can run the same apps as on the iPhone, such as Dropbear and of course Ruby, Python, etc. It might even be worth $299. The idea of having a decently powered, 802.11-capable *BSD box, that you can easily move files to and from using standard tools (ssh, rsync, etc.) and that fits in your pocket seems really cool.

This NerveGas character seems to be doing some cool stuff, there is a growing list of cool iPhone hacks available, and of course the iPhone Dev Wiki definitely shows promise.

But has anyone confirmed that this growing number of apps and hacks run on the iTouch? If Colloquy runs on both I assume it's the case, but there isn't much out there yet on the iTouch.

Friday, September 14, 2007

The Men of SCADA Security (June Edition)



It's been a hectic week (and breathing too much filtered data-center air has not only given me a cough but also clouded my judgement) but thanks to Dale for making my night.

You must check this shit out.
It’s 2 a.m. at a major industrial facility, and about 20 yards from the rear perimeter, two figures dressed in full camouflage gear are slinking along the tree line just outside the plant fence. They’re wearing backpacks and carrying various paraphernalia, pausing occasionally to peer through night vision monoculars to scan the plant perimeter.

Although this was strangely reminiscent of the whole "man that saved the internet" farce, I guess this is good marketing within the parochial SCADA security community, where everything is about a decade behind the rest of the security world.

But who am I to be judgmental? I guess if it gets Ty and Jonathan more assessment dollars, good for them! But I wonder how much someone would have to pay me to wear BDU pants again and don a black T-shirt while holding a laptop. But not the hard hats.

By the way, this reminds me of a spot-on parody of the whole para-military/martial-arts attitude of computer security folks in season 2 of the UK Office, which is also a must watch.

Friday, September 07, 2007

More Shrewd Analysis from Richard Clarke



I happened to follow one of many posts on OBL's new beard over on Andrew Sullivan's Daily Dish to a silly article with these amazing bits of intel analysis:
"It does look oddly like he is wearing a false beard," Richard Clarke, a former White House counterterrorism official and now ABC News consultant, said. "If we go back to the tape three years, he had a very white beard. This looks like a phony beard that has been passed on."


And is Richard Clarke on "my list?" Maybe. I started (but never finished) a blog post on his silly Black Hat keynote (no, I didn't attend personally, since I don't do Las Vegas). I probably do have some lingering resentment towards the former Cybersecurity Czar for having to miss a bunch of Common Criteria conference sessions back in April 2002, when my group at Cisco had to do some BS prezo on the "Future of Internet Security" for him.

And if you are wondering where my technical blogs went (and are wishing I'd cut all this political crap), they are over on AngryRuby which actually isn't so angry anymore. Look for more JRoR fun this weekend!

Thursday, September 06, 2007

Folksy Fred? 'Fraid Not!

Although this is actually a pretty decent picture that made a positive first impression for some reason (squinty eyes, head cocked, bald-spot chopped off, dark shirt, hand reaching out...) I had the misfortune of watching Fred08's video this morning. I'll admit I was on the way out the door and the video was a bit choppy, but it was hard to watch. And then on the way home I heard the nice NPR Piece on his movies. They played all these really bad lines from really bad movies. Who could listen to this guy? But I guess some people watch these dreadful shows.

Dubya is painful enough to listen to, but this guy? The delivery was all wrong. Come on. Made me think I was listening to another Southern lawyer from North Carolina that is on the Democratic ticket, except Edwards is more articulate. It reminded me of a folksy, blue jean, tough guy video of Bush driving his truck on the ranch during the 2000 Republican convention that was at least effective albeit cheesy. (That sort of thing works against a Gore or Kerry but not against Clinton or Obama this year).

With the exception of McCain (and maybe Paul), both of whom are probably unelectable, the clowns the Republicans have in the race (yes, G-n-R are clowns), and their pandering to the "conservative base" (which is somehow more pathetic than the Democrats pandering to the anti-war vote, when the outcome in Iraq will likely be the same regardless of which side wins), illustrate the desperation of a party that deserves a 1964-style ass-kicking if they go with someone like Fred--or deserves it period. Apparently the smart Republican candidates (much like Clinton in 2004) know it is best to sit this one out and watch the cultural conservative (meaning the gay-bashing, immigrant-hating...) wing of the party get their clocks cleaned.