YARA 101

What is YARA?

When speaking about malware detection, there are mainly three ways of determining whether a file is malicious: hash signatures, heuristics and string signatures.

The most widespread in antivirus detection systems is signature-based detection, i.e. based on the hash of a file: the hash is checked against a signature database to see whether this file has previously been identified as malware. This kind of signature is useless for detecting unknown malware, and to evade it you just need to recompile the code on a different system or change a single bit.

In order to try to stop these evasion methods, the heuristic method is usually the one chosen. This method relies on the behaviour of the executable file and, according to the actions it performs inside the system, it decides whether it is dealing with a malicious file. The main issue with this method is that, since many legitimate programs perform suspicious actions, it can generate a large number of false positives.

Last but not least, there is the method this article refers to: string signatures. This method is based on another kind of signature, different from the aforementioned one. Instead of using hash signatures, it uses text or binary strings that uniquely identify a malware sample. That way, even if the file has been tampered with, if it still contains those strings, analysts will be able to detect and classify the malware sample.
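As an added example (not code from the original post), the following Python script contrasts the first and third methods on a constructed sample: a hash signature taken from the sample and a YARA-style rule built from one text string and one hex string. Flipping a single bit of padding defeats the hash lookup while the string rule still fires; the sample bytes, the rule and the `flip_one_bit` helper are all made up for the demonstration.

```python
import hashlib

# Constructed sample: a fake "malware" blob with a recognisable text string and a
# binary marker. This is made-up data for the demonstration, not a real sample.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 28 +
          b"This program cannot be run in DOS mode.\r\n" +
          b"C:\\evil\\dropper.pdb\x00" +          # tell-tale build artefact string
          b"\xde\xad\xbe\xef\x41\x41\x41\x41" +  # tell-tale binary sequence
          b"\x00" * 16)                          # padding

# "Database" of known-bad hashes: just the SHA-256 of SAMPLE, which is how a hash
# signature is created from a previously seen sample.
HASH_DB = {hashlib.sha256(SAMPLE).hexdigest()}

# A YARA-style rule expressed as Python data: named strings (text or hex) and a
# condition over how many of them must be present ("all" or "any").
RULE = {
    "name": "constructed_dropper",
    "strings": {
        "$pdb": b"C:\\evil\\dropper.pdb",                # text string
        "$marker": bytes.fromhex("deadbeef41414141"),    # hex string
    },
    "condition": "all",
}


def hash_match(data: bytes, db: set) -> bool:
    """Hash-based detection: exact match of the whole file's digest."""
    return hashlib.sha256(data).hexdigest() in db


def string_match(data: bytes, rule: dict) -> dict:
    """String-signature detection: which of the rule's strings occur in data."""
    return {name: (pattern in data) for name, pattern in rule["strings"].items()}


def rule_fires(data: bytes, rule: dict) -> bool:
    """Evaluate the rule's condition over the per-string hits."""
    hits = string_match(data, rule)
    if rule["condition"] == "all":
        return all(hits.values())
    return any(hits.values())


def flip_one_bit(data: bytes, index: int) -> bytes:
    """Simulate the trivial evasion from the text: change a single bit."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def compare(data: bytes) -> dict:
    """Run both detection methods against the same bytes."""
    return {"hash": hash_match(data, HASH_DB), "strings": rule_fires(data, RULE)}


if __name__ == "__main__":
    print("original :", compare(SAMPLE))                                 # both True
    print("modified :", compare(flip_one_bit(SAMPLE, len(SAMPLE) - 1)))  # hash False
```

Flipping a bit inside one of the signature strings instead of in the padding shows the limit of the "all" condition: that string no longer matches, and only an "any" condition would still fire on the remaining marker.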


Introduction to identification methods

Many things have changed in Internet security in the last 10 years. Others, however, have not changed at all, such as user identification by means of alphanumerical passwords. Nowadays, these passwords are still the most popular way of user authentication; indeed, different studies show that 97% of organizations use them. Despite their widespread use, identification using alphanumerical passwords has some notable disadvantages: passwords are frequently forgotten and can be easily stolen.

Failures in user authentication cause technical problems in addition to economic cost. In 2007 the losses due to phishing (user identity impersonation/theft) amounted to $3.2 billion. For all these reasons, research into alternative methods of user identification has emerged. Newly designed methods try to avoid the current problems of alphanumerical passwords in order to make systems more secure in identification terms.

An alternative method for identification, also based on passwords, is the use of graphical or audio passwords. In these, the user must recognize a set of images or sounds among those presented (recognition methods). Click-based methods are another option for graphical (or audio) passwords: the user must click on specific, previously selected points of the image or audio track to gain access to the system. Different alternatives based on the use of tokens have recently been presented as well. These are systems where the user possesses a personal device, such as a smart card with a PIN, a USB memory with passwords, and so on.

Although some of the above-mentioned methods are already used in some programs and applications, the alternative methods that are becoming more popular are those that use some biometric of the user to perform the identification. Biometrics is the science of recognizing a person by their personal features. There are two main types: physical biometrics, which refer to a physiological feature of the person, and behavioral biometrics, which are features related to the behavior of the user.

There are several physical features that can be used to characterize a user. Among the most common are the fingerprint, the palmprint or palm geometry, face recognition and iris recognition. On the other hand, the behavioral biometrics most frequently used for identification are speech analysis, keystroke pattern, signature recognition and haptic pattern (movement/interaction with an object).

The user authentication by means of biometrics has reached a good level of performance in the last few years, allowing its application in several systems. This improvement is due to the development of new biometric data acquisition devices along with the design of new algorithms for feature extraction and recognition.

The main reason for the popularity of identification by biometrics is that copying them is very difficult, almost impossible. This, however, is also a drawback: if they were copied, the fake user would have a lot of privileged information about the real user. This makes some users reluctant to use biometrics for Internet identification, as they are also used by many official bodies.

In spite of the large number of alternative identification methods designed in the last few years, none of them has shown itself to be superior, in general terms, to the ubiquitous alphanumerical passwords, on the one hand for accuracy reasons, and on the other for their usability and cost.

This has prompted the design of two-factor authentication methods, which try to solve the drawbacks of the different methods by combining two of them. The most popular two-factor method uses a biometric of the user in addition to an alphanumerical password. In this way, just copying the password or emulating the user’s biometric will not grant the fake user access to the system.

Nonetheless, we cannot fully rely on these advanced methods. A more secure way of recognizing users has prompted new advanced impersonation methods. Some examples are MiTM (man-in-the-middle) attacks or Trojan attacks that, instead of working in the identification phase, work in the phase where the data are sent. In this way, attackers obtain access to the system without impersonating the real user.

Thus, a more complex and secure authentication method may only guarantee the security of the system for a period of time. As in almost all security-related areas, the path of identification methods is a two-way road.

Uncle Sam

Snowden, PRISM, NSA… words, or buzzwords, that we’re used to hearing in the media, especially during the last few months. You know: when talking about technology, spying (of course, using the “cyber” prefix) and some acronyms to get a slot in prime time :) I didn’t want to write about sensationalism, but in the end I could not resist: during holidays you have too much spare time to read newspapers :)

Really, I don’t know where the news is… It’s a fact that the USA, through the NSA and other agencies, is spying on us as much as they can… just as it is a fact that dogs bark. Yes, and? I have never understood the big surprise that everybody claims when talking about US spying. Where is the surprise? Is it really surprising that a country with a big technological capability uses it for its own good? Guys, I think nobody in this world is a charity nun… The problem is that here, in Spain, we don’t have a similar capability (and honestly, I don’t think we’ll be able to have one in the short term): we can snoop on Tuenti :( And this is a big problem or, really, two big problems. The first one is that we rely on a third party to get information (information that is to be processed to get intelligence); yes, and the third party is obviously the USA (what did you think, it was Andorra?), which today is our friend but tomorrow can be less friendly or, simply, can have some interests that aren’t ours… And the second problem is that we are all vulnerable: in other words, we have to live with the fact that the USA spies on us when and how they want, and obviously this gives them an enviable advantage over us in any field. Is Spain hesitating about giving support to the USA in, let’s say, a military occupation of ACMECity? No problem: even before talking to us, US officials know all our points and can use this knowledge to convince us, in the best way, to give our support to almost anything… This is a problem for Spain, isn’t it? And worse: if we disagree we can unplug everything and go plant potatoes, of course not using Microsoft products, not searching with Google, not sending information across Cisco routers and, finally, not touching anything that smells American.
Or, much better, replace the technology with Huawei and the like… that way we can bring into the spying game other countries that, of course, will respect our individual privacy and our global interests as a nation… you know, don’t you? :)

IMHO the problem is not the fact that the USA spies on us to protect their interests: we can agree or not, and lawyers, politicians, journalists… can talk for hours about ethics, international laws, privacy and things like that. But, being realistic, the USA is doing the same as any country that can do it. It’s just that simple, and we, as I said before, can’t do it because we don’t have the required capabilities… If we had them, I hope we would do the same: spy on other countries. The real problem is a misuse of the information they get. A Service getting information to benefit its country (understanding “country” as government, companies, citizens…) is understandable, in spite of the fact that this can be bad for us, but if a Service does the same to defend the interests of an individual company, a private individual or, worse, a political party, that is, actors that cannot be identified with a whole country, we are in front of a big and unjustified misuse of the information, IMHO. What did the USA do? I don’t know (is somebody reading this who has more information about it?). If the USA is using the information for those particular interests, I don’t agree with them; if they use the information to defend their national interests or to get advantages over other countries, it’s OK for me. What do we complain about? About the fact that they *can* do that and we can’t? Let’s see, we are all in the security world and we all know that war is harder than privacy laws, IT governance, compliance and so on. What do we think, that Google is giving us GMail for free, getting gigabytes of free space to hold our mail? Gigabytes, by the way, that, as someone said, can only be stored in a SAN, a NAS or a NSA… :)

Now, the million-dollar question: is there any light at the end of the tunnel? I think so, even if it’s only a single LED. Let’s assume that the USA is spying on us for its own benefit… what can we do? Two things, IMHO: try to let them do it as little as possible (or make it more difficult to do) and try to ensure that only the USA spies on us. In this blog we have said it before: let’s use national technology and services whenever we can (and let’s make an effort to do it, because many times the comfortable way is to do just the opposite). And let’s always use them when we are handling classified information. We can always find Spanish quality services, in almost any field I think… I have doubts only when talking about products, in specific cases. In those cases, when we can’t use national technology, let’s use open technologies. And if we can’t use those either, and we have to use products from other countries, let’s choose from countries that (at least today) are strategically close to us or that have interests as similar as possible to Spanish ones. In other words, I prefer to use Linksys rather than Huawei, or Twitter rather than Weibo: as someone is going to spy on me, let’s let the USA do it… they would do it anyway… :)

Vulscan 1.0

Recently, Marc Ruef (@mruef, Computec.ch) has released a new, enhanced version of Vulscan, an Nmap script with basic vulnerability scanner capabilities that he had already presented in 2010.

Vulscan builds on the Nmap -sV option, which reports the versions of the detected services, and cross-checks them offline against several vulnerability databases; it can then alert us if any of those services is potentially affected by a flaw recorded in any of those databases.

It brings the following pre-installed databases:


Vulnerability Database    URL
scipvuldb.csv             scip.ch/en/?vuldb
cve.csv                   cve.mitre.org
osvdb.csv                 osvdb.org (outdated, 02/03/2011)
securityfocus.csv         securityfocus.com/bid/
secunia.csv               secunia.com/advisories/historic/
securitytracker.csv       securitytracker.com

Therefore, a basic example of how this script works would be as follows. After copying the Vulscan folder into the directory that holds our Nmap scripts (for testing I’ve used owaspbwa, which I knew in advance provides vulnerable services on ports 22 and 80, among others), we run Nmap and this results in the following:

If no database is specified, it will cross-check against all the pre-installed databases. However, if we want, for example, to cross-check data with a single database, we add the vulscandb option:

--script-args "vulscandb=basedatos.csv"

specifying the database that we want, or even one of our own, which we can easily create with the format:

<id>;<title>

One of the enhancements is the support for dynamic report templates through the vulscanoutput option, which allows you to enforce your own report structure with the following argument:

--script-args "vulscanoutput='{id} - Title: {title} ({matches})\n'"

where:

A practical case for this script would be, for example, a scenario where we are conducting a web audit: by combining it with some of the many NSE scripts for web scanning that Nmap added in its most significant recent update, released one year ago, we can quickly create a first preliminary report about possible gaps found in the website, such as determining the default web page title detected during the scan (http-title), listing the most commonly deployed directories of web servers or web applications (http-enum), harvesting the e-mail addresses found during the scan (http-email-harvest) and finding the known vulnerabilities for the detected web service version using vulscan:

nmap -sV --script=http-title,http-enum,http-email-harvest,vulscan -p80 172.16.94.128

The output report would resemble the following:

Note that, because of space limitations, I have trimmed the output report to avoid showing the full output, so only some of the vulnerabilities found are displayed, not all of them.

Finally, we should take into account that this kind of vulnerability scanning depends to a large extent on Nmap’s ability to obtain the version of the detected service, on the number of vulnerabilities documented in the databases and on the accuracy of the pattern matching used to cross-check the data.
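To make the dependency on pattern matching concrete, here is an added Python example (not Vulscan's own code) that loads a constructed database in the `<id>;<title>` format described above, cross-checks a detected product and version against it, and renders the hits with the vulscanoutput template syntax. The matching rule (every word of the product name plus the version string must appear in the title) and the meaning of `{matches}` as the number of matched terms are simplifying assumptions, not Vulscan's exact algorithm.

```python
# Constructed vulnerability database in Vulscan's "<id>;<title>" format. The ids
# and titles are made up for this demonstration, not entries from the real CSVs.
VULN_DB = """\
1001;OpenSSH 5.3 Remote Code Execution
1002;OpenSSH 5.3p1 Information Disclosure
1003;Apache 2.2.14 mod_ssl Denial of Service
1004;Apache Tomcat 5.5 Manager Weak Password
1005;OpenSSL 0.9.8 Heap Overflow
malformed line without a separator
"""

# The vulscanoutput template syntax from the text; "\n" arrives as two characters
# when passed through --script-args, so it is expanded at render time.
TEMPLATE = "{id} - Title: {title} ({matches})\\n"


def load_db(text: str) -> list:
    """Parse '<id>;<title>' rows, ignoring blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        if ";" not in line:
            continue
        vid, title = line.split(";", 1)
        entries.append({"id": vid.strip(), "title": title.strip()})
    return entries


def find_vulns(db: list, product: str, version: str) -> list:
    """Simplified stand-in for the cross-check (assumption, not Vulscan's code):
    every word of the product name and the version string must appear,
    case-insensitively, in the title. 'matches' counts the terms found."""
    terms = [w.lower() for w in product.split()] + [version.lower()]
    hits = []
    for entry in db:
        title = entry["title"].lower()
        score = sum(1 for t in terms if t in title)
        if score == len(terms):
            hits.append({**entry, "matches": score})
    return hits


def render(template: str, hits: list) -> str:
    """Fill the template once per hit, as vulscanoutput does per entry."""
    template = template.replace("\\n", "\n")
    return "".join(template.format(**h) for h in hits)


if __name__ == "__main__":
    db = load_db(VULN_DB)
    # Product and version as nmap -sV would report them (constructed values).
    print(render(TEMPLATE, find_vulns(db, "OpenSSH", "5.3")), end="")
    # A less precise version banner substring-matches a more specific entry:
    # a reminder that matching accuracy, not just database size, drives results.
    print(render(TEMPLATE, find_vulns(db, "Apache", "2.2")), end="")
```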

I noticed that Vulscan only picks up the output of the nmap -sV option and works with that; however, I’d like it to take other outputs from NSE scripts such as html-cms.nse, which detects the CMS version scanned. It would be very useful to use both scripts, so that one of them detects the specific CMS version and the other the potential vulnerabilities that could be found for that specific release. I’ve talked to @mruef and he told me that the problem is that it cannot access other scripts’ information unless they provide it in some way, such as an output file. The best solution would be for the other NSE scripts to enter their identification data in the log output (see the Nmap API http://nmap.org/book/nse-api.html).

According to the Nmap API, scripts can share information by storing values in the registry (a special table available to all scripts). There is a global registry, nmap.registry, shared by all scripts, whose contents persist for the whole Nmap scan, so that scripts can use it, for example, to store values that can later be used sequentially by another script against the same host within the same scan, in such a way that the output of one script feeds the other.

Marc Ruef is already working on a new version that will include new enhancements and features; for example, vulscan 2.0 will support Exploit-DB and IBM X-Force.

References: http://www.scip.ch/?labs.20130625

NSA, digital walls and a few good men.

It has long been known that the NSA and some similar organizations have surveillance systems deployed to ensure the safety and protection of us all from evil. However, the NSA has always preferred to keep it secret to avoid being forced to reject the Nobel Peace Prize. However, after the cases of Snowden, Manning, Assange and other rebels, it is clear that the situation has become unsustainable.

Luckily, the certainty that the NSA listens to our conversations, reads our emails, spies on our activity on social networks and basically knows everything we do has not generated any notable movement at the political or social level, because they do it for our own good (now that I write it down, I clearly remember hearing that more than once in my childhood). It would not be desirable that, because of the lust for justice and freedom of a few, we were (literally) doomed to hell and existential chaos.

Probably they will shortly be awarded the Nobel Peace Prize.

A Few Good Men (via Wikiquote).

Kaffee: Colonel Jessup, did you order the Code Red?!
Judge: You don’t have to answer that question!
Jessup: I’ll answer the question. You want answers?
Kaffee: I think I’m entitled!
Jessup: You want answers?!
Kaffee: I want the truth!
Jessup: You can’t handle the truth! Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lieutenant Weinberg? I have a greater responsibility than you can possibly fathom. You weep for Santiago and you curse the Marines. You have that luxury. You have the luxury of not knowing what I know, that Santiago’s death, while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives! You don’t want the truth, because deep down in places you don’t talk about at parties, you want me on that wall. You need me on that wall. We use words like “honor”, “code”, “loyalty”. We use these words as the backbone of a life spent defending something. You use them as a punchline. I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very freedom that I provide, and then questions the manner in which I provide it! I would rather you just said “thank you”, and went on your way. Otherwise, I suggest you pick up a weapon, and stand a post. Either way, I don’t give a damn what you think you are entitled to!
Kaffee: Did you order the Code Red?
Jessup: I did the job that—-
Kaffee: Did you order the Code Red?!!
Jessup: YOU’RE GODDAMN RIGHT I DID!!

Forget privacy

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)

The documents leaked by Edward Snowden to The Guardian about a sophisticated global intelligence programme are, in essence, nothing new. For years it has been known that the U.S. and some partners share the ECHELON spy network, involved in the past in several trade scandals. However, we should not underestimate Snowden’s contribution. While so far the details of the spying system of the National Security Agency (NSA, for short) were based on experts’ research, we now know not only that this program (PRISM) is larger, more intelligent and more ambitious than anything we imagined in the past, but also that many countries have their own surveillance systems.

Perhaps because of films or literature, we have always been accustomed to the fact that espionage takes place between States, with specific objectives and actors, under certain rules. However, it has now taken a step forward, with the monitoring and recording of virtually any information that can be recorded about millions of individuals around the planet: a system without control or limit that, with total impunity and the cooperation of the Internet corporations, breaks any idea of freedom, privacy and justice we might have. States have come to spy on their own citizens, in a move more typical of dictatorships than democracies.

However, despite the seriousness of the matter, no one seems very concerned; do not expect a massive desertion from social networks, and if we look at the press, Snowden is famous not for having disclosed a large number of classified documents about a global and massive surveillance program, but for the geopolitical tensions that his flight and persecution have created, mostly between the U.S. and China and Russia.

One of the quotes attributed to Benjamin Franklin says that those willing to sacrifice some of their essential liberty for some security deserve neither. This seems to be our case. It was a long time ago that (despite the great efforts, maybe not always so great, ok, of the national and transnational data protection agencies) we decided that our privacy did not have, after all, the importance they wanted us to think. Once that decision was made, the transfer of our information to a digital world controlled by multinational corporations outside national and European requirements posed no trauma at all.

At first glance there is a big difference between your messages being scrutinized by a nest of spies like the NSA, an opaque entity that is key in American intelligence, and knowing that Google scans your emails to place relevant ads. However, there is no such difference: (almost) no one cares about us being spied upon; that is a simple inconvenience that we have taken as inherent to the digital age, and something makes me think that we did not even need the sword of Damocles of terrorism. The saying that if you have nothing to hide, you have nothing to fear, has been accepted almost by obligation, with few complaints.

We can draw one last thought. Edward Snowden was not 007; he had no license to kill and he was not (as far as we know) a double agent. He was ‘only’ a system administrator working for an NSA provider, one of the world’s most secure organizations. From there he had access to a huge volume of classified documents that James Bond would not even have heard of. In light of this, do we really know who accesses our information?

Mimikatz extension for Metasploit

(Please note this post was published on 6 May 2013 in the Spanish version of this blog)

In the latest weekly Metasploit update, the outstanding feature has been the incorporation of a new extension dedicated to Mimikatz.

Mimikatz is a tool developed by @gentilkiwi that allows dumping passwords in plain text through lsass, as well as obtaining hashes from the SAM, among other features, and which we already mentioned in our previous post about the Metasploit module sdel.

Mimikatz is detected as a malicious tool by the major anti-virus products. According to VirusTotal, today at least 21 out of 46 anti-virus engines detect it; therefore, its use complicates the task of the pentester.

Nevertheless, thanks to the extension contributed by Meatballs1 to Metasploit, it is possible to use Mimikatz through a meterpreter session without the antivirus alerting, by leaving the disk untouched and running it completely in memory (a more convenient alternative to executing it with the -m flag). An example of its use would be as follows. After obtaining a shell on a target host, we load the Mimikatz extension:

Once the extension is loaded in our meterpreter session, let’s have a look at the options it offers:

By executing, for example, the “Kerberos” command, we obtain the credentials of this kind in plain text from the compromised host:

Another example would be using the “mimikatz_command”, as we can see below:

With the “logonPasswords” parameter we get it to show us the concurrent sessions of the users logged in on the compromised machine.

For the reader who wishes to delve deeper into how Windows stores credentials, the weaknesses in this regard and how Mimikatz is able to exploit them, I recommend this article as well as the presentations on the Gentilkiwi blog.

The 10 usual errors of an SME in Information Security

There is no doubt that in recent years we have made great progress in Information Security. Gradually, businesses begin to accept the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, while it is not good to fall into doom and gloom, we should not be too lenient either: there is still a long way to go, and progress does not always occur at the speed that would be advisable or desirable, which is fortunate for criminals. Every day we see security breaches in organizations with strong investment in technological infrastructure and security controls, which should give us an idea of the imbalance of forces.

Along this line, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (Small and Medium Enterprises) in Information Security, and that mark the way to go in the coming years.

1. To think that their information or systems do not interest anyone. This is, without a doubt, the main obstacle to improving information security in an organization: “who would want to attack us?”. There are several powerful arguments against this. First, any equipment is useful for “botnets”, networks of zombie PCs controlled remotely, whether a corporate PC or a teenager’s laptop: if it can be controlled remotely, it can be used to send spam or attack other systems. Secondly, perhaps no one is really interested in those systems, but a worm doing a massive scan could detect a vulnerable system by chance. Finally, many organizations underestimate the value of their information, both for foreign and domestic competitors: accounting balances, price lists, margins, production processes, innovations, etc.

2. To believe that security is just technical and therefore the responsibility of the IT Dept. Limiting security to its technical side, obviously necessary, leads to neglecting controls such as the legal and organizational ones. Managing security incidents and events, providing education on security issues, defining responsibilities or addressing legal requirements are vital aspects in preventing threats such as phishing or social engineering.

3. An antivirus and a firewall are enough. This is mainly where the progress we talked about in the first paragraph shows: few organizations currently lack an antivirus or a firewall. However, this leads to a false sense of security that makes them forget that there are many threats, both technical and non-technical, that require more specific measures.

4. To think that security is a product and not a process. This error comes from past times when security was just one more of the many tasks of the IT department staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR department, production, logistics or accounting performs daily maintenance, whether updating their knowledge, keeping the industrial systems running, implementing new processes or adapting their operation to new legal requirements. Departments adapt to changes constantly. However, security is still considered an area that does not require any maintenance. Nothing is further from reality.

5. Confidentiality is just something for spies and large corporations. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them in terms of science fiction, that does not make them unnecessary for small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to company information should sign confidentiality agreements whose purpose is to protect the information of the organization. Rarely does such a small effort bring such huge returns.

6. To forget security in corporate contracts. Today a simple order form is still, in many cases, the procedure for contracting services: no formal service contract, no confidentiality clauses, no legal requirements and no information about the security measures the provider must apply to the information we provide. Ultimately, security, in all its areas, is still absent from the contracts that many SMEs sign with suppliers and/or customers.

7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area, and some of those who know them choose not to take any action. Whether to avoid economic sanctions or “just” out of social responsibility to the people who give us their personal data, any company should take the necessary measures to ensure the security of the personal data of their customers, employees, suppliers… (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).

8. To look only at outside threats. Without wishing to criminalize anyone, and despite the mass media news, it is well known in the security field that most security problems come from within organizations. In some cases, malicious users; but in many other cases it is sheer ignorance: an employee who uses an infected USB stick, opens an attachment or clicks on a link in an email, or simply throws confidential information into the recycling bin. It is essential to adopt a permanent strategy of information security awareness, including the managerial staff that handles sensitive information, to prevent and mitigate behaviors that are risky for both the organization and the employee.

9. To provide Internet services regardless of their security. A service offered on the Internet is accessible to virtually billions of people, some of whom will certainly not have good intentions. Without losing sight of the necessary legal requirements (in many cases very easy to fulfil) that we have seen, the story repeats again and again: services that contain web forms vulnerable to attacks that existed a decade ago, web servers misconfigured or simply not configured, etc.

10. To forget systems and network management. Last but not least, many companies still neglect the required security maintenance of their servers and networks, leading to vulnerable network devices, WiFi access points that allow a person on the street to access the corporate network, internal databases accessible from the Internet, or servers not updated in years. Not to mention that this leads to the most absolute ignorance about what happens in the infrastructure of the organization, where an intruder can do whatever he wants. The rest is left to the imagination.

This decalogue of errors, more common than one would think, could certainly be extended with many other specific problems that SMEs commit daily. However, if in a few years we could cross off at least half of these errors, we would have made great strides in securing our companies.

Honeyspider 2.0 – Workflows

Some time ago we wrote about HoneySpider 2.0 and took a quick look at its functionality. Now let’s see one of the key pieces of this new version: workflows. We assume you have already installed HoneySpider 2.0 or that you are using the virtual machine provided by the project.

Given that we already have the application installed, first of all we should have at hand the necessary documentation to define a workflow, which can be found here and here.

A workflow in HoneySpider 2.0 is composed of a series of processes, where each process is composed of services. These services take input parameters and can redirect their output to other processes. Let’s see a conceptual scheme of what a workflow is:

These workflows are defined in XML format. The following is a very simple example workflow that analyses, with rb-officecat (a Razorback nugget), the Office documents found at a set of web links:

<?xml version="1.0"?> 
<workflow> 
  <description> 
    Analyze office files with officecat 
  </description> 
  <process id="main"> 
    <service name="feeder-list" id="feeder"> 
      <parameter name="uri">/tmp/file.txt</parameter> 
      <parameter name="domain_info">true</parameter> 
      <output process="process_url"/> 
    </service> 
  </process> 
  <process id="process_url"> 
    <service name="webclient" id="webclient0" ignore_errors="DEFUNCT"> 
      <parameter name="link_click_policy">0</parameter> 
      <parameter name="redirect_limit">20</parameter> 
      <parameter name="save_html">false</parameter> 
      <parameter name="save_images">false</parameter> 
      <parameter name="save_objects">true</parameter> 
      <parameter name="save_multimedia">false</parameter> 
      <parameter name="save_others">false</parameter> 
      <output process="report"/> 
    </service> 
    <service name="reporter" id="reporter0"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
      {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
       ? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter1"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
  <process id="report"> 
    <service name="reporter" id="reporter4"> 
      <parameter name="serviceName">webclient</parameter> 
      <parameter name="template">webclient.jsont</parameter> 
    </service> 
    <service name="reporter" id="reporter5"> 
      <parameter name="serviceName">file</parameter> 
      <parameter name="template">file.jsont</parameter> 
    </service> 
    <conditional expr="content != null and (mime_type == 'application/msword' or 
         mime_type == 'application/vnd.ms-excel' or mime_type == 
		 'application/vnd.ms-powerpoint')"> 
      <true> 
        <service name="rb-officecat" id="office1"/> 
        <service name="reporter" id="reporter6" ignore_errors="INPUT"> 
          <parameter name="serviceName">rb-officecat</parameter> 
          <parameter name="template">rb-officecat.jsont</parameter> 
        </service> 
      </true> 
    </conditional> 
    <!-- determine classification, taking into account propagation from child objects --> 
    <script>!findByValue("parent", #current). 
    {? #this.origin != "link" and #this.classification == "malicious"}.isEmpty 
       or rb_officecat_classification == "malicious" 
? (classification = "malicious") : 
         (classification = "benign")</script> 
    <service name="reporter" id="reporter7"> 
      <parameter name="serviceName"/> 
      <parameter name="template">url.jsont</parameter> 
    </service> 
  </process> 
</workflow>

This workflow example reads as follows: we define a main process that uses the “feeder-list” service. It reads the links to be analyzed from a file located at /tmp/file.txt and passes them to the process_url process. That process uses the “webclient” service to visit the links; its parameters tell it which actions to perform and which not to, such as saving multimedia objects. Whatever this service collects is passed on to the report process.

Besides webclient, the process_url process has several services that generate output for the web interface. Finally, the report process is where the service that scans Office files with the Razorback nugget “rb-officecat” lives, alongside the reporter services that print information. We want to emphasize the importance of specifying which content should trigger a service: here the conditional restricts rb-officecat to run only on content to which it applies, in this case the Office MIME types.

After loading the workflow into the tool, we feed it a file of links. In our scenario we included a link to a malicious Office document, resulting in:

If we click on the detected document we see the vulnerability detected by rb-officecat:

This is just one example of the tool’s detection abilities. As seen, the definition is simple and, as we discussed in the previous post (ES), it has great potential. It is still at an early stage and some aspects will take a fight to get working as we want, but problems can also be reported in the tool’s Google group.
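Because a workflow is plain XML, the structural mistakes that are easy to make by hand (an `<output>` pointing at a process that does not exist, a process nobody ever sends objects to, a scanner placed outside any `<conditional>` so it runs on every object) can be caught before the workflow is loaded. The following linter is an added example written for this article; it is not part of HoneySpider 2.0 and relies only on the XML elements shown above (`process`, `service`, `parameter`, `output`, `conditional`). It assumes, as in the page's workflow, that the process named `main` is the entry point, since the XML itself does not mark one. Both sample workflows are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Entry process assumed from the page's workflow; HSN2 does not mark one in XML.
ENTRY_PROCESS = "main"

# Constructed sample, modelled on the page's workflow but shortened. The
# <output process="archive"/> reference is deliberately dangling so the linter
# has something to report; this is not a workflow shipped with HSN2.
SAMPLE_WORKFLOW = """<?xml version="1.0"?>
<workflow>
  <description>Constructed sample: feed URLs, fetch them, scan Office files</description>
  <process id="main">
    <service name="feeder-list" id="feeder">
      <parameter name="uri">/tmp/file.txt</parameter>
      <output process="process_url"/>
    </service>
  </process>
  <process id="process_url">
    <service name="webclient" id="webclient0">
      <parameter name="save_objects">true</parameter>
      <output process="report"/>
    </service>
  </process>
  <process id="report">
    <conditional expr="content != null and mime_type == 'application/msword'">
      <true>
        <service name="rb-officecat" id="office1"/>
        <service name="reporter" id="reporter6">
          <parameter name="serviceName">rb-officecat</parameter>
          <output process="archive"/>
        </service>
      </true>
    </conditional>
  </process>
</workflow>
"""

# Constructed variant where the scanner is not gated by a <conditional>, so it
# would run on every object handed over by the feeder.
UNGATED_WORKFLOW = """<workflow>
  <process id="main">
    <service name="feeder-list" id="feeder">
      <output process="scan"/>
    </service>
  </process>
  <process id="scan">
    <service name="rb-officecat" id="office1"/>
  </process>
</workflow>
"""


def _gating_expr(parent_of, node, stop):
    """Return the expr of the nearest enclosing <conditional> below `stop`, or None."""
    node = parent_of.get(node)
    while node is not None and node is not stop:
        if node.tag == "conditional":
            return node.get("expr")
        node = parent_of.get(node)
    return None


def lint_workflow(xml_text):
    """Summarize an HSN2-style workflow and return structural findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "workflow":
        raise ValueError("root element must be <workflow>")
    processes, edges, gated, issues = {}, [], {}, []
    seen_ids = set()
    for proc in root.findall("process"):
        pid = proc.get("id")
        if pid is None:
            issues.append("<process> without an id attribute")
            continue
        if pid in processes:
            issues.append(f"duplicate process id {pid!r}")
        processes[pid] = []
        # ElementTree has no parent pointers, so build a map for this process.
        parent_of = {child: parent for parent in proc.iter() for child in parent}
        for svc in proc.iter("service"):
            name, sid = svc.get("name", "?"), svc.get("id")
            processes[pid].append(name)
            if sid is None:
                issues.append(f"service {name!r} in process {pid!r} has no id")
            elif sid in seen_ids:
                issues.append(f"duplicate service id {sid!r} (process {pid!r})")
            else:
                seen_ids.add(sid)
            expr = _gating_expr(parent_of, svc, proc)
            if expr is not None:
                gated[sid] = expr
            elif name.startswith("rb-"):
                issues.append(f"scanner {name!r} in process {pid!r} runs on every object: "
                              "wrap it in a <conditional> on mime_type")
            for out in svc.findall("output"):
                edges.append((pid, out.get("process")))
    targets = {dst for _, dst in edges}
    for src, dst in edges:
        if dst not in processes:
            issues.append(f"process {src!r} sends output to undefined process {dst!r}")
    for pid in processes:
        if pid != ENTRY_PROCESS and pid not in targets:
            issues.append(f"process {pid!r} is never the target of an <output>")
    return {"processes": processes, "edges": edges, "gated": gated, "issues": issues}


if __name__ == "__main__":
    for label, text in (("gated", SAMPLE_WORKFLOW), ("ungated", UNGATED_WORKFLOW)):
        report = lint_workflow(text)
        print(label, "edges:", report["edges"])
        for issue in report["issues"]:
            print("  -", issue)
```

Run it on a workflow file with `lint_workflow(open(path).read())` before loading the workflow into HoneySpider; an empty `issues` list means the process graph is closed and every `rb-` scanner is gated by a MIME-type condition, which is exactly the property the paragraph above insists on.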

Stuxnet: lessons learned?

It is often said that ignorance is bliss. Conversely, another universal truth states that knowledge is power. I guess we all have to find our place somewhere between both extremes to keep our mental stability. However, when it comes to ICS cybersecurity, knowledge is a must. The dark side’s lack of industrial-process know-how is the finger that plugs the hole in the dike, holding back the flood. But, as in the Dutch tale, this won’t last forever.

The security-by-obscurity paradigm is still firmly rooted in many ICS managers’ views. This approach is absolutely unacceptable once you get even the slightest notion of the threat’s nature. Still, it is widely believed that the child will keep plugging the dike with his little finger indefinitely.

Industrial processes knowledge and Stuxnet

Much has been said and written about Stuxnet, mainly because of its astounding refinement. However (please keep in mind that I’m an electrical engineer), what really shocks me is not that it was the first malware specifically designed to attack an ICS, but the deep knowledge of the target’s physical processes that it involved.

Stuxnet was probably aimed at disrupting Iran’s uranium enrichment program. Enriched uranium is used as fuel for nuclear power plants and in the construction of nuclear weapons. Uranium occurs in nature as a mixture of two isotopes, 235U (lighter) and 238U (heavier). The natural concentration of 235U is under 1%, whereas a concentration above 90% is required for military purposes (well over the 20% required for nuclear power plants). Enrichment is usually performed in centrifuges, machines that spin uranium gas at high speed. The heavier isotope experiences higher centrifugal acceleration and moves towards the periphery of the spinning cylinder, while the lighter fraction (the useful one) remains near the rotation axis, where it is collected and processed again and again until the desired concentration is reached. This is a very slow process because of the small atomic weight difference between the isotopes (3 atomic weight units out of 238). Getting enough material for a single device takes a lot of time (or a lot of money to provide a larger number of centrifuges). Frequency converters are used to drive the electric motors and adjust the centrifuges’ speed.

From this starting line, Stuxnet’s designers moved on to tailor their strategy to the selected target: Iranian enrichment facilities. They tuned Stuxnet to prey on ICS with Siemens control systems (Simatic PLC and WinCC SCADA software) monitoring frequency converters manufactured by Vacon (a Finnish maker) and Fararo Paya (an Iranian one). In addition, more than 33 of these devices had to be in place for the facility to qualify as a target. What is more, frequency settings had to range from 807 Hz to 1,210 Hz (typical enrichment process settings).

Now comes my favorite part: the choice of attack mechanism. Once Stuxnet gains command and control of the system, it disrupts normal operation by forcing the centrifuges’ spinning frequency (i.e. speed) up to 1,410 Hz (above the maximum for normal operation), then dropping it sharply to a value as low as 2 Hz (almost a complete halt, although the machines’ rotating speed could depend on other factors), and then accelerating again to 1,064 Hz before returning to the normal operating sequence. This disruption repeats in predetermined cycles that involve, say, running at 1,410 Hz for 27 days, then a dive down to 2 Hz and then 1,064 Hz again (giving the uranium a good shake) for another 27 days, and so on. This behavior does not affect all the devices in the same group, at least not simultaneously, but only a certain subset (to make malfunction detection harder, I guess). The goal is not only to disrupt the process. The goal is not to destroy the computer, delete the program running on the PLC or take any other action that appears definitive but is, in practice, easily detected and fixed. That kind of action would have warned the operator and the outcome would have been much more limited. It is obviously much more effective to cause the facility to produce uranium out of specification for months for no apparent reason, something much harder to fix and therefore more harmful. The malware was designed to hide itself and its effects, so alarm logs and historians kept no record of abnormal operation. Stuxnet was also able to reinfect a device if the operators reloaded the original code.

Lessons learned?

Beyond the initial shock (think of us poor ICS designers and operators and our shattered sense of safety), there are some valuable lessons to be learned.

Much of the skepticism (real or feigned) put up by ICS managers lies in their lack of understanding of attack vectors and attackers’ goals. As far as they can see, a cyberattack is the digital equivalent of carpet bombing, a blind and useless act of destruction. However, life ain’t that simple. What the Stuxnet case shows is that, given enough knowledge of an industrial process, it is possible to perform very sophisticated attacks that cause far more damage in ways that are very difficult to fix: wastewater treatment plant discharges beyond legal limits; an increase in non-compliant product, with economic cost and loss of reputation, as it can be associated with missed deadlines or, worse, out-of-spec product reaching customers unnoticed (after all, statistical quality control sampling is designed to fit the ‘natural’ variability of our undisrupted process, so our standard sample size or sampling frequency may be inadequate to detect the situation); or erroneous billing owing to altered meter data (obviously enough to destroy our reputation). What is worse, when we turn to our ICS, it keeps telling us that everything’s OK. And, let’s face it, how long will it take until you realize that maybe your control system has been hit by a cyberattack? After all, it is a risk that you have always dismissed…
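The two passages above make one defensive point between them: the frequency sequence Stuxnet imposed (1,064 Hz, up to 1,410 Hz, down to 2 Hz, back to 1,064 Hz) lies well outside the 807 to 1,210 Hz operating band, yet the HMI and historians went on reporting normal operation. A monitor that watches a measurement the control system does not own, and compares it with what the HMI claims, would have disagreed. The code below is an added example for this article, not from the page, the Symantec report or any vendor; it checks an independent reading stream against the page's operating band, flags abrupt jumps, and flags disagreement with the HMI. The readings are constructed from the frequencies quoted on the page, and the step and tolerance thresholds are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Normal operating band of the frequency converters as quoted on the page
# (807-1210 Hz); readings outside it are worth an alert on their own.
NORMAL_BAND_HZ = (807.0, 1210.0)

# Constructed readings: (seconds since start, frequency seen by an independent
# sensor, frequency the HMI/historian reports). The independent column mirrors
# the page's description (1064 Hz, jump to 1410 Hz, drop to 2 Hz, back to
# 1064 Hz) while the HMI keeps showing 1064 Hz throughout. Illustrative data,
# not a capture from any real plant.
SAMPLE_READINGS = [
    (0,   1064.0, 1064.0),
    (60,  1064.0, 1064.0),
    (120, 1064.0, 1064.0),
    (180, 1410.0, 1064.0),
    (240, 1410.0, 1064.0),
    (300,    2.0, 1064.0),
    (360,    2.0, 1064.0),
    (420, 1064.0, 1064.0),
    (480, 1064.0, 1064.0),
]


@dataclass(frozen=True)
class Finding:
    t: float        # seconds since start of the window
    kind: str       # "out_of_band", "abrupt_change" or "hmi_mismatch"
    value: float    # independently measured frequency at t
    detail: str


def audit_readings(readings, band=NORMAL_BAND_HZ, max_step_hz=100.0, tol_hz=5.0):
    """Flag readings that leave the band, change too fast between samples, or
    disagree with what the HMI reports. max_step_hz and tol_hz are assumed
    thresholds for this illustration, not values taken from the page."""
    lo, hi = band
    findings = []
    prev = None
    for t, measured, reported in readings:
        if not lo <= measured <= hi:
            findings.append(Finding(t, "out_of_band", measured,
                                    f"{measured:.0f} Hz outside {lo:.0f}-{hi:.0f} Hz"))
        if prev is not None and abs(measured - prev) > max_step_hz:
            findings.append(Finding(t, "abrupt_change", measured,
                                    f"step of {measured - prev:+.0f} Hz since previous sample"))
        if abs(measured - reported) > tol_hz:
            findings.append(Finding(t, "hmi_mismatch", measured,
                                    f"sensor {measured:.0f} Hz but HMI reports {reported:.0f} Hz"))
        prev = measured
    return findings


def seconds_out_of_band(readings, band=NORMAL_BAND_HZ):
    """Total time the independent measurement spent outside the band, treating
    each reading as valid until the next one (the last reading adds nothing)."""
    lo, hi = band
    total = 0.0
    for (t0, hz, _), (t1, _, _) in zip(readings, readings[1:]):
        if not lo <= hz <= hi:
            total += t1 - t0
    return total


def count_by_kind(findings):
    """Tally findings per kind, handy for a daily summary rather than per-sample alerts."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit_readings(SAMPLE_READINGS)
    for f in found:
        print(f"t={f.t:>4}s {f.kind:<14} {f.detail}")
    print("counts:", count_by_kind(found))
    print("seconds out of band:", seconds_out_of_band(SAMPLE_READINGS))
```

The design choice that matters is the third column: the check only has teeth if the measured value comes from a sensor and data path the PLC and HMI cannot rewrite, because, as the paragraph above says, the compromised ICS will keep reporting that everything is fine. The accumulated time out of band is the number to watch for the slow, months-long degradation the article describes, whereas the abrupt-change finding catches the short jumps.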

You might regard yourself as a ‘good guy’. You have lots of friends, a good reputation and no enemies. But, even if that’s true, in a global market where processes and machinery are increasingly standardized, who can tell for sure that you will not fall victim to malware designed to hit a third party who just happens to share equipment or methods with you? Just one example: centrifugal machines originally used in olive oil production are now used to dewater sludge from (waste or fresh) water treatment plants.

Too often I hear arguments like ‘our system is not connected to the Internet’. Aside from the healthy skepticism that such a statement should raise, we must remember that Stuxnet was designed to copy itself, whenever possible, by means of portable devices such as USB memory sticks or the PCs used to load projects onto PLCs.

What every engineer knows

Not long ago the information used in industrial process engineering was paper-based and access to it was very limited: buying technical books, suppliers’ technical data handed over by salesmen, documentation gathered in specific technical courses, and so on: photocopies, photocopies, photocopies. The Internet has changed all that. Today we have almost unrestricted access to highly detailed and specific documentation from our own desktop PC. I remember the time when every engineer kept large amounts of information on various media. This personal treasure contained much of our knowledge and ability to design, and its loss was a risk we could not afford. Today that is no longer necessary. The Internet is the ultimate archive: pdf, pdf, pdf.

It’s amazing how much material about the processes and equipment in use at any given company lies out there, waiting to be discovered by an appropriate search. There is much more than technical documentation in the form of catalogs and data sheets. Suppliers often describe their references and success stories, sometimes in great detail, in multiple places: their websites, technical magazines, conferences and fairs… The companies themselves sometimes release papers on their own state-of-the-art developments (or anything they are proud of). Construction companies do just the same. When it comes to public infrastructure, administrations grant tenderers access to lots of detailed material. At least in Spain, some public projects are made available to every citizen so that people can file objections against the future infrastructure. You can even find undergraduate and post-doctoral academic works sponsored by companies regarded as critical operators: I have found academic papers describing the protocols, communication networks and control systems in real power grid substations of named companies. Sooner or later all this information makes it to the Internet.

Keeping this in mind, the next question is: do you really want to keep building your cybersecurity on the idea that no one knows your industrial process?

Final note: the specific data on Stuxnet and its behavior is taken from the report published by Symantec (authors Nicolas Falliere, Liam O’Murchu and Eric Chien), available here.