Thursday, April 09, 2009

SCADA CyberSpy Reverse Forensics Contest

So, given the hoopla over the "Chinese/Russian CyberSpies Hacking the Power Grid" story, I figured it was time to break blog silence.

I had the misfortune of hearing Siobhan Gorman on NPR during my commute yesterday, so I was still fuming about the vermin in the Intelligence Community who leak classified threat data on "background" to reporters to influence policy. This data cannot be repudiated, not only because most journalists don't have the technical wherewithal to know better, but because the leakers cannot be held accountable. The "good guys" in the IC (those who follow the rules and don't disclose secrets) cannot challenge (or confirm) it. It is a one-sided game that leads to bad policy, a scared public, and bad legislation. Does anyone not remember Iraq and WMDs?

But I digress.

What was interesting about the Gorman interview was that she mentioned network forensic data showing that control systems had not only been penetrated but were being remotely monitored and possibly controlled.

Some readers may remember the HoneyNet Project's Reverse Challenge. If you've never heard of it, it was basically a contest to analyze malware.

What I think would be cool is for some aspiring folks with the skills and the time (I have some of the former but none of the latter) to create some forensic data, let's say packet captures that show the power grid being mapped, HMIs and PLCs being monitored, and ICCP traffic being captured and retransmitted back to our Chinese and Russian masters so they can "monitor power flows" as Gorman mentioned in her interview. Remember to visit APNIC and pick the IPs you spoof wisely.

The minimum entry can just be some packet captures, but you are guaranteed to at least place if you release actual tools used by our Chinese and Russian overlords to blackmail us at will and cause us to resort to cannibalism.

You get bonus points if you actually show some slight knowledge of Mandarin or Russian.

But here's the rub: don't release it on your blog, and don't talk about it at the next Con, because there will inevitably be lots of presentations on the topic. Silently release your own "evidence of Chinese and Russian control over the power grid" onto a P2P network, or better yet, let your laptop get stolen in an airport (make sure you have the right colored classification stickers on it) and wait for your "data" to make the news.
