Basic NET Commands

NET ACCOUNTS Displays or changes the password and logon policy (forced logoff, password length, age and history) for the local computer or, with /DOMAIN, for the domain.

[/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length]
[/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days]
[/UNIQUEPW:number] [/DOMAIN]

NET COMPUTER Adds or deletes computer accounts in the domain database. Works only on a Windows domain controller.

\\computername {/ADD | /DEL}

NET CONFIG Displays the current settings of the Server or Workstation service.

[SERVER | WORKSTATION]

NET CONTINUE Resumes a service that was paused with NET PAUSE.

[service]

NET FILE Lists the files open over a share on this server, with any file locks, and closes one when given its id with /CLOSE.

[id [/CLOSE]]

NET GROUP Adds, deletes, displays and otherwise manages global groups in a domain. Run it on a domain controller or add /DOMAIN.

[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname username [...] {/ADD | /DELETE} [/DOMAIN]

NET LOCALGROUP Adds, deletes, displays and otherwise manages local groups on the computer (or, with /DOMAIN, on the domain controller). Members can be local users, domain users or global groups.

[groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]

NET NAME Adds or deletes a messaging name (alias) for which this computer will accept messages.

[name [/ADD | /DELETE]]

NET PAUSE Pauses the specified service.

[service]

NET PRINT Manage network print jobs.

\\computername\sharename
[\\computername] job# [/HOLD | /RELEASE | /DELETE]

NET SEND Sends a message to other users, computers or messaging names on the network. The Messenger service must be running on the receiving machine. (Both NET SEND and the Messenger service were removed in Windows Vista; later versions use msg.exe instead.)

You can send a message only to a name that is active on the network. If the message is sent to a username, that user must be logged on and running the Messenger service to receive the message.

{name | * | /DOMAIN[:name] | /USERS} message

NET SESSION Lists the sessions other computers have open to this computer's shares and, with /DELETE, ends them.

[\\computername] [/DELETE]

NET SHARE Creates, lists or removes network shares on the local computer.

sharename
sharename=drive:path [/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | None]
sharename [/USERS:number | /UNLIMITED]
[/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | None]
{sharename | devicename | drive:path} /DELETE

NET START Starts the specified service, or lists the services that are running when no name is given.

[service]

NET STATISTICS Displays the statistics log of the local Workstation or Server service.

[WORKSTATION | SERVER]

NET STOP Stops the specified service.

service

NET TIME Displays the time on another computer or domain or, with /SET, synchronises this computer's clock with it.

[\\computername | /DOMAIN[:domainname] | /RTSDOMAIN[:domainname]] [/SET]
[\\computername] /QUERYSNTP
[\\computername] /SETSNTP[:ntp server list]

NET USE Connects your computer to a shared resource, disconnects it, or displays information about your connections. Give * in place of the password to be prompted for it rather than leaving it in the command history.

[devicename | *] [\\computername\sharename[\volume] [password | *]]
[/USER:[domainname\]username]
[/USER:[dotted domain name\]username]
[/USER:username@dotted domain name]
[/SMARTCARD]
[/SAVECRED]
[[/DELETE] | [/PERSISTENT:{YES | NO}]]

NET USE {devicename | *} [password | *] /HOME

NET USE [/PERSISTENT:{YES | NO}]

NET USER Displays user accounts, or creates, modifies and deletes them, on the local computer or, with /DOMAIN, in the domain.

[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]

NET VIEW Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.

[\\computername [/CACHE] | /DOMAIN[:domainname]]
NET VIEW /NETWORK:NW [\\computername]

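The two read-only checks from this list that come up in almost every host review are the password policy that NET ACCOUNTS prints and the membership of the local Administrators group that NET LOCALGROUP prints. The script below is an added example, not part of the original reference: it parses constructed copies of both outputs (laid out like real `net` output, but invented) and flags weak settings and unexpected administrators. The thresholds (12 characters, 5 remembered passwords, 90-day maximum age) and the administrator allowlist are assumptions for the example, not Windows defaults or any published baseline.

```python
"""Parse the text printed by `net accounts` and `net localgroup Administrators`
and flag weak policy settings and unexpected administrators.

The two sample outputs are constructed to look like real `net` output
(column widths vary by Windows version, so parsing is whitespace-tolerant).
Thresholds and the admin allowlist are assumptions for this example.
"""
import re

# Constructed sample: what `net accounts` prints on a workstation.
NET_ACCOUNTS_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample: what `net localgroup Administrators` prints.
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\svc_backup
helpdesk_tmp
The command completed successfully.
"""

SUCCESS_LINE = "The command completed successfully."


def parse_net_accounts(text):
    """Return {setting: value} from `net accounts` output.

    Each setting line is 'label:<padding>value', so split on the first
    ':' and strip the remainder.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line == SUCCESS_LINE or ":" not in line:
            continue
        label, value = line.split(":", 1)
        settings[label.strip()] = value.strip()
    return settings


def parse_net_localgroup(text):
    """Return the member list from `net localgroup <name>` output.

    Members are the lines between the dashed separator and the success
    line; the Alias name / Comment / Members header is ignored.
    """
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.rstrip()
        if re.fullmatch(r"-{10,}", line):
            in_members = True
            continue
        if not in_members or not line:
            continue
        if line == SUCCESS_LINE:
            break
        members.append(line)
    return members


def audit_password_policy(settings, min_len=12, min_history=5, max_age_days=90):
    """Compare the parsed policy with the assumed baseline; return findings."""
    findings = []
    length = int(settings.get("Minimum password length", "0"))
    if length < min_len:
        findings.append(f"minimum password length {length} < {min_len}")
    history = settings.get("Length of password history maintained", "None")
    if history == "None" or int(history) < min_history:
        findings.append(f"password history {history} < {min_history}")
    if settings.get("Lockout threshold", "Never") == "Never":
        findings.append("no account lockout threshold (online guessing unthrottled)")
    max_age = settings.get("Maximum password age (days)", "Unlimited")
    if max_age.lower() == "unlimited" or int(max_age) > max_age_days:
        findings.append(f"maximum password age {max_age} > {max_age_days} days")
    return findings


def audit_admins(members, allowlist):
    """Return Administrators members not on the allowlist (names are
    compared case-insensitively, as Windows does)."""
    allowed = {m.lower() for m in allowlist}
    return [m for m in members if m.lower() not in allowed]


# Assumed allowlist for the example host.
EXPECTED_ADMINS = ["Administrator", "CORP\\Domain Admins"]

if __name__ == "__main__":
    for finding in audit_password_policy(parse_net_accounts(NET_ACCOUNTS_OUTPUT)):
        print("policy:", finding)
    for member in audit_admins(parse_net_localgroup(NET_LOCALGROUP_OUTPUT), EXPECTED_ADMINS):
        print("unexpected admin:", member)
```

On a Windows host, feed in real output with `subprocess.run(["net", "accounts"], capture_output=True, text=True).stdout` in place of the constants. The labels `net` prints are localised, so the parser above only matches English installations, and on a domain-joined machine `net localgroup` lists domain members as DOMAIN\name exactly as the sample does.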

Google to double encryption key lengths for SSL certs by year’s end

Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit encryption keys by the end of 2013. The first tranche of changes is planned for August 1.

The new requirements are laid out in a blog post and a FAQ on the topic. The upgrade, based on the guidelines from National Institute of Standards and Technology (NIST), will also see Google’s root certificate for signing all of its SSL certificates getting an upgrade from a 1024-bit key.


“There aren’t immediate concerns about these certificates being cracked,” a Google spokesman told El Reg, “but updating them now provides much better defense against any future risks.”

The upgrade is required because NIST thinks it’s technically possible that the standard could be broken pretty soon. The first reported factorization of a 768-bit RSA modulus came in December 2009, when an international team of computer scientists and cryptographers spent two-and-a-half years dedicating themselves to the task.

“A 1024-bit RSA modulus is still about one thousand times harder to factor than a 768-bit one,” the researchers reported. “If we are optimistic, it may be possible to factor a 1024-bit RSA modulus within the next decade.

“We can confidently say that if we restrict ourselves to an open community, academic effort as ours and unless something dramatic happens in factoring, we will not be able to factor a 1024-bit RSA modulus within the next five years. After that, all bets are off.”

NIST estimates it would take six or seven years for any attempt to have a realistic chance of success at breaking 1,024-bit keys, based on the speed of processor development and improvements in factoring computation.

That said, it’s still an estimate, and NIST had wanted to get the changeover done faster, with 2010 picked as the original transition date. But because the 1,024-bit standard was so ubiquitous, the schedule was pushed back until the end of this year.

It’s the first time anyone can remember the SSL encryption keys getting changed at Google, and it’s a measure of the power and sophistication of computer processors that the update is needed. Barring some breakthrough in quantum computing or coding practice, it should be some years before another upgrade is required. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/google_upgrade_ssl_certificates_schedule/

Brit spooks bugged Edward VIII’s phones, records reveal

Journalist's telegram about Edward VIII's abdication

Intelligence files kept hidden for nearly 80 years have shown that the British government was bugging King Edward VIII’s phones in the days leading up to his abdication.

Neil Forbes Grant’s telegram confirming the King’s abdication.

Government officials were clearly panicking about what Edward would do and how the news would be received, so they monitored calls from Buckingham Palace and the King’s Windsor residence Fort Belvedere, as well as stopping telegrams leaking the news of his abdication and intimidating journalists to keep a lid on the news.

The London editor of the Cape Times, Neil Forbes Grant, was dragged in to face Home Secretary Sir John Simon after sending a telegram to South Africa on 6 December, 1936 saying that the King was going to give up the throne. The missive was one of two the General Post Office had intercepted with the leaked news.

Sir John lambasted Grant, reminding him that a false rumour that the country had lost the Battle of Waterloo in 1815 caused a financial crisis and ruined many people, and tried to pressure him to reveal his “highly placed source”.

“I asked him if he did not realise that his responsibilities as a journalist and an Englishman made the sending of such a message without definite authority as to its truth very improper and reckless,” Simon wrote.

Grant refused to give up his source and Simon relented, asking him to keep the interview “absolutely secret and between ourselves”. He also told Grant that there was “no truth” to the abdication rumour.

Edward abdicated at Fort Belvedere four days after Grant sent the telegram.

The papers come from a pile of documents deemed too sensitive and “difficult” to be stored in the classified section of the National Archives. Instead they were kept in a locked vault under the Cabinet Office.

Released through the National Archives, the collection shows the government’s frantic attempts to control the situation as Edward prepared to give up his throne to marry Mrs Wallis Simpson, an American divorcee and socialite. Edward, as head of the Church of England, could not marry Wallis while her former husband still lived – but he refused to give her up. In response, Sir John asked the GPO to monitor the King’s phone calls from 5 December, 1936.

The papers also show that the King himself asked the police to guard Simpson’s residence overlooking Regent’s Park a few months before his abdication. Edward asked Chief Inspector Storries to help make Simpson’s house “burglar proof” and to take steps to stop her from being “annoyed by pressmen, press photographers and other curious persons”. He also asked Storries to keep the instructions to himself.

A sketch of Chf Insp Storries’ security arrangements around Wallis Simpson’s house

Among the documents was a handwritten diagram of the stepped-up patrol around Simpson’s house, which police later had to deny the existence of when questioned by American newspapermen.

Other papers released by the Cabinet Office outline a drunken night during Winston Churchill’s August 1942 mission to Moscow and his first face-to-face meeting with Soviet dictator Josef Stalin. Sir Alexander Cadogan, permanent under-secretary at the Foreign Office, was along for the trip and later wrote to Viscount Halifax that things weren’t going that well until Churchill got Stalin alone.

“Nothing can be imagined more awful than a Kremlin banquet, but it has to be endured. Unfortunately, Winston didn’t suffer it gladly. However, next morning, he was determined to fire his last bolt, and asked for a private talk, alone, with Stalin,” he wrote.

At around 1am, Cadogan was called to Stalin’s private rooms and found the war leaders a little worse for wear.

“There I found Winston and Stalin, and Molotov who has joined them, sitting with a heavily-laden board between them: food of all kinds crowned by a sucking [sic] pig, and innumerable bottles,” he said.

“What Stalin made me drink seemed pretty savage: Winston, who by that time was complaining of a slight headache, seemed wisely to be confining himself to a comparatively innocuous effervescent Caucasian red wine. Everyone seemed to be as merry as a marriage bell.

“I think the two great men really made contact and got on terms. Certainly, Winston was impressed and I think that feeling was reciprocated … Anyhow, conditions have been established in which messages exchanged between the two will mean twice as much, or more, than they did before.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/british_government_spied_on_own_king_cabinet_office_papers/

New York cop in alleged love-polyhedron email hack spree

A New York detective allegedly hired hackers to spy on 19 fellow cops and at least 11 others – apparently in a bid to discover if any of them were sleeping with his ex.

Edwin Vargas, a 42-year-old Bronx investigator, is accused of spending $4,050 on an email-hacking service to obtain the usernames and passwords for 43 message inboxes in, it is believed, an obsessive quest to keep tabs on his former girlfriend.


He was arrested on Tuesday and appeared before a magistrate judge charged with conspiracy to commit computer hacking.

The detective, of Bronxville, New York, it is claimed, had suspected his ex-lover, with whom he had split after they had a child together, had started a new relationship with a fellow officer. The veteran cop of 20 years handed over between $50 and $250 to unnamed hackers for the login details of each inbox, it is claimed.

Vargas accessed at least one of his fellow cops’ accounts, the Feds said. He is also charged with unlawfully accessing the National Crime Information Center (NCIC) database by allegedly running unauthorised checks on two serving officers.

The prosecution also accused Vargas of paying hackers to snoop on the records of a mobile phone account belonging to one of his targets, as an FBI statement on the case explained:

After receiving the log-in credentials he had purchased from the e-mail hacking services, Vargas accessed at least one personal e-mail account belonging to a current NYPD officer. He also accessed an online cellular telephone account belonging to another victim. Vargas paid a total of more than $4,000 to entities associated with the e-mail hacking services.

An examination of the contents of the hard drive from Vargas’ NYPD computer revealed, among other things, that the Contacts section of his Gmail account included a list of at least 20 e-mail addresses, along with what appear to be telephone numbers, home addresses, and vehicle information corresponding to those e-mail addresses, as well as what appear to be the passwords for those e-mail addresses.

Vargas was released on bail after posting a $50,000 bond. Each of the two charges against him, allegedly committed between March 2011 and October 2012, carries a maximum sentence of one year in prison if he is convicted. “The charges contained in the complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty,” the Feds added in their joint statement with Manhattan’s US attorney.

At this stage, the officials omitted any mention of a motive for Vargas’ alleged wrongdoing, but the New York Daily News, like the New York Times, claimed the suspect was motivated by a desire to spy on the mother of his three-year-old son. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/nypd_black_hat/

Tipsters exposed after South Africa’s national police force hacked

The identities of more than 15,000 South Africans who reported crimes or provided tip-offs to the police have been exposed following an attack on a SAPS (South African Police Service) website.

The names and personal details of whistleblowers and crime victims were lifted from www.saps.gov.za and uploaded to a bullet-proof hosting site.


Names, phone numbers, email addresses and ID numbers of people who thought they had been providing information in confidence and anonymously have been spaffed on the net.

The data dump includes information on 15,700 individuals who used the website from 2005, according to eNews Channel Africa, the local news service that broke the story of the leak. Usernames and passwords of around 40 SAPS personnel were also leaked.

The South African cops initially denied anything was amiss before confirming the breach after eNCA reporters had spoken to a number of individuals named in the data dump.

“Complaints range from rape cases opened in Durban to police brutality in Port Elizabeth,” the news service reports.

“Also on the list are ordinary South Africans asking for help in cases involving vehicle theft and illegal shebeens*. People have also complimented police on their work, including speedy responses to emergencies and help in cases.”

Safety concerns

One tipster – who had made a complaint about police brutality – expressed concerns about her safety in the wake of the breach. Daily newspaper The Star also spoke to someone who had complained to the police about a lack of apparent progress in the investigation of the rape of a 14 year-old girl. The complainant, who remained anonymous in The Star report, is clearly concerned about the safety of the victim.

A previously obscure hacker crew called @DomainerAnon, which claims an affiliation with the loosely knit hacktivist collective Anonymous, claimed responsibility for the attack, which it said was pulled off using SQL injection.

The group tweeted: “A message to SAP: You are responsible for the data you hold…. we have merely shown that you do not live up to your own Code of Conduct!”

Payback… but who’s paying?

The attack was apparently motivated by a protest against the death of 34 people when police opened fire on striking miners at the Marikana platinum mine last August.

The potential for collateral damage from @DomainerAnon’s actions is obvious, but the self-declared lone wolf group dismissed suggestions, in exchanges on Twitter (here and here), that it was putting the lives of innocents and whistleblowers on the line to further its political agenda.

In an interview with MyBroadband, a member of DomainerAnon attempting to justify the decision to release the stolen data said: “I laughed when I was accused of ‘blowing’ covers of so-called whistle-blowers. I read one email which complained to the police of their lack of service. Another mail reported their missing cat!”

It’s not the first time hacktivists have published personal details of private citizens taken from compromised websites to “embarrass the authorities”.

In June 2011, LulzSec released a number of documents pertaining to the Arizona Department of Public Safety.

Leaked data including email addresses and passwords of immigrants, as well as potentially sensitive police documents was dumped online in a protest against Arizona laws requiring those immigrants to carry documents at all times. Police officials at the time expressed concerns that leaked information on how Arizona cops combat gangs – as well as lists of some of the officers’ identities – put the lives of police at risk. ®

* Makeshift drinking taverns where often illegally brewed alcohol is consumed.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/saps_anon_hack/

Spam and the Byzantine Empire: How Bitcoin tech REALLY works

Analysis Why does Bitcoin work? Fraudsters should have left it in cinders years ago, and might have done, if it wasn’t for two things: spam and the Byzantine Empire.

A Bitcoin is basically an entry in a ledger that is distributed across a network of computers. Bitcoins are transferred between parties by noting the transaction in the ledger. This might sound just like any other banking system except there’s a crucial difference: no one is in charge of the ledger.

It’s held across a network of computers and anyone can add their computer to the network when they wish – or leave when they wish. This may seem crazy, and an easy way for fraudsters to join the network and get their computer to update the ledger to give themselves new Bitcoins.

In 1997, a British cryptographer called Adam Back proposed an anti-spam approach called Hashcash. The basic idea was to make an email message contain proof that a computationally difficult problem, specific to the contents of the message, had been solved. Any email that didn’t contain this proof would be discarded by the recipient’s email server.

Ordinary users of email wouldn’t be inconvenienced because the amount of work for one email message would be tolerable, but spammers would be deterred because it would add up to a huge amount of money, in the form of the huge electricity bill run up by all the computers they’d need to buy to solve the mathematical problems.

In the end it didn’t work out as an anti-spam technique partly because spammers today use botnets, which are vast armies of hijacked computers. But the idea behind Hashcash was picked up and used for Bitcoin.


The nitty-gritty detail of the crypto-currency

The basic idea behind Bitcoin is that blocks of transactions are chained together, each new block containing the hash of the previous one. A block is accepted only once someone has found a nonce that makes the hash of the block fall below a target value, and the network recalibrates that target automatically (every 2016 blocks). As members of the network get faster (using faster computers or entirely new generations of hardware engineered specifically for the task), the target is lowered and the search gets harder; it is tuned so that the network as a whole finds a block about every ten minutes.

A block cannot be altered without redoing its proof of work. But crucially, the next block stores the hash of this one, so its proof of work no longer matches either and must be redone as well, and so on to the end of the chain. It is a little like trying to alter a company’s accounts from a few years back: the balance sheet and profit-and-loss statements won’t tally forward properly, so each subsequent year will have to be changed too.

Stopping the fraudsters in their tracks

Historian William Lecky wrote in 1869 of the Byzantine Empire: “The universal verdict of history is that it constitutes, without a single exception, the most thoroughly base and despicable form that civilization has yet assumed.” Harsh, certainly. Byzantine has become a byword for treachery – and it is the basis for a classic problem in computer science: the Byzantine Generals Problem.

This challenge involves working out how to reach a valid consensus among a set of military generals when some of them are traitors and will send fraudulent messages. This is exactly the problem the Bitcoin network faces on the internet. The solution is voting, but voting with computing power rather than with identities, which anyone can forge: honest nodes treat the chain with the most accumulated proof of work as the valid one, so loyal members outvote traitors as long as they hold the majority of the hashing power.

If a traitor computer tries to alter a transaction (undoing a payment to take back the money, for example) then it must also alter the transactions in blocks that came after. But because of the Hashcash approach this is computationally challenging and painfully slow, and by the time it has done this more blocks will have been chained by the rest of the network.

Thus, it is futile for a fraudster to compete with the rest of the Bitcoin network unless he can outpace it.

The wretched hive of scum and villainy on the internet generally cannot nobble the currency: even if they amassed a huge botnet of a million hijacked Windows machines it would be unlikely to exceed 6TH/s (trillion hash operations per second) yet the Bitcoin network is currently running at 58TH/s. Furthermore the performance of the Bitcoin network is set to grow quickly as dedicated chips (ASICs in other words) in Bitcoin mining rigs push PCs into obsolescence – and these rigs do not run Windows. There remains a risk that a well-funded organization (perhaps governmental) could amass the dedicated computing power required to swamp the Bitcoin network.

Defending against this risk is one of the motivations of engineers such as Yifu Guo at Avalon to get ASICs widely adopted.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/bitcoin_spam_byzantine_generals/

Aha, I see you switched on your mobile Wi-Fi. YOU FOOL!

Security expert Raul Siles has warned that years after it was first identified, the Preferred Networks List (PNL) Wi-Fi bug remains unaddressed on many an iPhone, Android phone, and Windows or BlackBerry handset.

The problem itself is simple enough, reports Help Net Security. When searching for networks, a poor Wi-Fi implementation sends directed probe requests naming every network in the device's PNL, so anyone listening on the channel learns the list. An attacker can then bring up an access point with the name of one of those networks (an open network is easiest, since no key is needed), have the device join it automatically, and sit in the middle of its traffic.


PNL disclosure remains a problem in Android 2, 3 and 4 and in BlackBerry 7, and may occur in iOS 1-6 when users add networks manually, according to Siles. Some versions of Windows Mobile have fixed it.

Some mobile operating systems (BlackBerry, for example) give users enough control that the problem can be fixed manually – but only, Siles said, if the user knows there’s a problem and knows how to fix it.

Given the growing popularity of BYOD in the business environment, there’s the added danger of a fake preferred network being used to capture corporate logins. System administrators need to ensure that devices hide Wi-Fi network data (where this is possible), and Siles called for Android to be upgraded to allow users to hide new networks.
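What an eavesdropper actually collects, as an added example that is not code from the article or from Siles' research: a parser for directed 802.11 probe requests that groups the SSIDs each client asks for by its MAC address. The five frames are constructed by hand with invented MAC addresses and SSIDs, not captured; a real collection would read frames from a monitor-mode interface, but the layout parsed here (the standard 24-byte management header followed by tagged parameters, SSID being tag 0) is the same.

```python
"""Recover the preferred-network list a client leaks in directed probe requests.

Added example, not from the article or from Raul Siles' research. The frames
below are constructed (MAC addresses and SSIDs invented); the parser handles
the standard 802.11 management header plus tagged parameters.
"""
import struct
from collections import defaultdict

MGMT_HEADER_LEN = 24        # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
SUBTYPE_PROBE_REQ = 4       # management frame subtype 4
TAG_SSID = 0                # SSID information element


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Construct a probe request: type 0 (management), subtype 4, broadcast
    destination/BSSID, an SSID tag and a Supported Rates tag. Sample only."""
    frame_control = struct.pack("<H", SUBTYPE_PROBE_REQ << 4)   # version 0, type 0
    bcast = b"\xff" * 6
    header = frame_control + b"\x00\x00" + bcast + src_mac + bcast + b"\x00\x00"
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for other frames.
    An empty SSID is a broadcast probe, which reveals nothing."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None
    src = frame[10:16].hex(":")          # Addr2 is the transmitter
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                          # truncated element: stop, do not guess
        if tag == TAG_SSID:
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return src, ""


def preferred_networks(frames):
    """Group the non-broadcast SSIDs by client: the leaked PNL per device."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            pnl[parsed[0]].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in pnl.items()}


# Constructed sample traffic: two invented phones probing for remembered networks.
PHONE_A = bytes.fromhex("aabbccddee01")
PHONE_B = bytes.fromhex("aabbccddee02")
SAMPLE_FRAMES = [
    build_probe_request(PHONE_A, b""),            # broadcast probe, leaks nothing
    build_probe_request(PHONE_A, b"HomeNet"),
    build_probe_request(PHONE_A, b"CorpWiFi"),
    build_probe_request(PHONE_B, b"CoffeeShop"),
    build_probe_request(PHONE_A, b"HomeNet"),     # clients repeat their probes
]

if __name__ == "__main__":
    for mac, ssids in preferred_networks(SAMPLE_FRAMES).items():
        print(mac, "probes for:", ", ".join(ssids))
```

Each SSID in that output is a network the attacker can impersonate; for an open network nothing more than the name is needed, which is why a corporate device that also remembers a hotel or airport hotspot is the easy target.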

Siles adds:

I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital “Trojan Horse”, allowing attacks to breach ultra-secure locations.

®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/wifi_pnl_bug_unpatched/

China’s exposed crack cyberspy crew dumps ‘most’ of its kit

The infamous APT1 cyberespionage crew is diminished but not defeated following its public exposure three months ago.

Mandiant, the cyber security intelligence firm that d0xed APT1, detailing its tools and tactics as well as its affiliation to a Chinese People’s Liberation Army unit, has published a follow-up report this week describing it as “active and rebuilding”. APT1 was the most prolific cyber-espionage outfit tracked by Mandiant, of around 20 such groups within China.


Since its exposure, the operation has shifted towards the use of new tools and attack infrastructures while other similar outfits are carrying on much as before, Mandiant concludes in a blog post:

Mandiant’s report and the simultaneous release of 3,000+ indicators hindered APT1’s operations by causing the group to retool and change some operational methodology. Since the report, APT1 has stopped using the vast majority of the infrastructure that was disclosed with the release of the indicators.

However, APT1 maintained an extensive infrastructure of computer systems around the world, and it is highly likely that APT1 still maintains access to those systems or has utilised those systems to establish new attack infrastructure in the last three months.

One thing that has not changed is the activity level of many of the 20+ Advanced Persistent Threat (APT) groups of suspected Chinese origin that Mandiant tracks. These groups are still very active and Mandiant has observed no significant changes in their operations after the release of the APT1 report.

These groups also conduct cyber espionage campaigns against a broad range of victims and, based on Mandiant’s observations, they were not directly affected by the release of the Mandiant APT1 report.

The Mandiant report – which exposed the alleged methodology and targets of APT1 in some detail – has propelled the issue of China-based cyber-espionage geared towards the theft of intellectual property up the political agenda. Groups like APT1 typically use tactics such as zero-day exploits and spear phishing to run cyber-espionage campaigns against targets in multiple sectors, including defence contractors, government agencies, NGOs, the media, oil and gas production – and many more.

“The subject of Chinese attacks, such as those conducted by APT1, seems poised to stay front and center on the diplomatic agenda where, according to the New York Times, it will be a ‘central issue in an upcoming visit to China by President Obama’s national security adviser, Thomas Donilon’,” writes Dan McWhorter, Mandiant’s managing director for threat intelligence.

Mandiant’s findings run contrary to earlier expectations that public exposure might result in the dismantling of the Comment Crew. A few optimists even expected to see a more general reduction in the activity of other Chinese cyber-espionage threat groups.

Cyber Squared, another threat intelligence firm, reported a month ago that APT1 was still in business. However, at the time it said there was no discernible difference in the group’s implant technologies or command and control capabilities. The group’s target selection process also remained unaltered, according to Cyber Squared. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/mandiant_apt1_update/

US power grid the target of ‘numerous and daily’ cyber-attacks

The US electricity grid is under near constant attack from malware and cyber-criminals, yet most utility companies implement only the barest minimum of security standards, according to a new report released by Congressmen Ed Markey (D-MA) and Henry Waxman (D-CA).

“National security experts say that cyber attacks on America’s electric grid top the target list for terrorists and rogue states, yet we remain highly vulnerable to attacks,” Markey said in a statement. “We need to push electric utilities to enlist all of the measures they can now, and push for stronger standards in Congress that will keep our economy and our country safe from cyber warfare.”


Among the report’s findings, more than a dozen utilities surveyed said their systems were under “daily,” “frequent,” or “constant” attack, with one claiming to be the target of around 10,000 attempted cyber-attacks each month.

Yet although the companies admitted to being the targets of attacks, most said they complied only with mandatory cyber-security standards set by the North American Electric Reliability Corporation (NERC).

Only 21 per cent of investor-owned utilities, 44 per cent of municipal or cooperatively-owned utilities, and 62.5 per cent of federally-owned utilities said they had taken any additional, voluntary “Stuxnet measures,” as the report terms them.

Stuxnet, as most Reg readers will recall, was the mysterious malware that infected supervisory control and data acquisition (SCADA) systems in plants related to Iran’s nuclear enrichment facilities in 2010. Many security researchers believe it was a targeted attack initiated by the US government – and if the US can do it, then so can its enemies.

The report calls out the power grid as a particularly high-profile target for attacks because of its critical importance to industry and infrastructure. According to the report, power outages and disturbances are estimated to cost the US economy between $119bn and $188bn per year, with individual events costing $10bn or more.

“Cyber-attacks can create instant effects at very low cost, and are very difficult to positively attribute back to the attacker,” the report states. “It has been reported that actors based in China, Russia, and Iran have conducted cyber probes of U.S. grid systems, and that cyber-attacks have been conducted against critical infrastructure in other countries.”

By way of example, the report cites the 2012 malware attack on Saudi Aramco, Saudi Arabia’s massive, state-run oil company, which infected some 30,000 computers.

To help harden US infrastructure against such attacks, Markey and Waxman would like to see Congress grant the Federal Energy Regulatory Commission (FERC) additional authority to draft and enforce cyber-security standards among power utility companies.

The report points out that although President Obama signed an executive order in February 2013 identifying critical infrastructure areas and establishing a voluntary cyber-security framework, only an act of Congress can empower agencies to police the standards.

The full text of the report is available here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/us_power_grid_cyber_attack_report/

Report: China IP theft now equal in value to US exports to Asia

China is responsible for up to 80 per cent of US intellectual property theft, which a government report has estimated accounts for $300bn in lost exports, roughly the equivalent of the current American trade balance with Asia.

“Unless current trends are reversed, there is a risk of stifling innovation, with adverse consequences for both developed and still developing countries,” the IP Commission report warns. “The American response to date of hectoring governments and prosecuting individuals has been utterly inadequate to deal with the problem.”


The commission, co-chaired by the former ambassador to China and Republican presidential candidate Jon Huntsman and former director of national intelligence Admiral Dennis Blair, and aided by former Intel boss Craig Barrett, has spent the last year examining the state of IP theft in the US, and the results aren’t pretty.

An estimated 70 per cent of US corporate assets are tied up in “intangible assets” such as intellectual property, and around 6 per cent of this is being lost in IP theft every year, according to the commission. If China operated at the same level of IP law as the US, the result would be an estimated $107bn in additional annual sales for American companies and net employment could increase by 2.1 million jobs.

The most immediate problem is that US companies are being directly harmed by IP theft. The report cited a recent case where a US firm had perfected a miniaturized smartphone component, only to have its designs (and markets) stolen when Middle Kingdom companies undersold them using the purloined material.

China was also fingered in a US Senate Armed Services Committee investigation that found over 1,800 counterfeit electronic and mechanical products that were traced back to over 100 Chinese firms. Some factories building these fake goods employ 15,000 people at a time.

Other countries are also taking part in skinning the US on IP, according to the report.

“Russia, India, and other countries constitute important actors in a worldwide challenge,” it states. “Many issues are the same: poor legal environments for IPR, protectionist industrial policies, and a sense that IP theft is justified by a playing field that benefits developed countries.”

This is all leading to the long-term effect of discouraging research and development by US companies, the report suggests. There’s little point in spending vast amounts on R&D if someone’s going to steal the result and manufacture it offshore.

Send lawyers, guns, and money

The report makes 21 recommendations, with the initial push being legislative. Congress needs to view IP theft as a matter of national security, the report suggests, and a foreign company’s record on the issue must be taken into account when deciding whether to allow foreign investors to operate in the US and use its banking and financial services.

Disclosure laws also have to be beefed up, so that when US companies suffer theft they have to report it and can be held accountable. The US should move away from the policy of trying to persuade governments to enforce IP laws and be more willing to use bodies like the International Trade Commission to pursue claims.

The report says increases are needed in the funding and investigative capabilities of the FBI and Department of Justice to go after IP offenders and, somewhat more controversially, it also recommends US companies should be freed up to take measures to fight back against attackers and retrieve stolen information.

“Currently, Internet attacks against hackers for purposes of self-defense are as illegal under U.S. law as the attacks by hackers themselves,” the report states. “If counterattacks against hackers were legal, there are many techniques that companies could employ that would cause severe damage to the capability of those conducting IP theft.”

Finally, offending companies must be penalized in cases of proven theft, to reduce the financial incentive for crime. This could involve a tariff on Chinese imports amounting to 150 per cent of the estimated value of IP theft and/or the withholding of an equivalent amount from the World Health Organization budget.

All this will make uncomfortable reading for President Obama as he prepares for his first meeting with the new Chinese president Xi Jinping next month. No doubt they will have lots to talk about on the IP front. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/us_government_report_chinese_ip_theft/

SCADA security is better and worse than we think

AUSCERT 2013 First the good news: for all the known vulnerabilities that exist in the SCADA world, exploiting them in a way that can actually “shut down a power plant” is harder than most people (the media in particular) realise.

That’s the reassuring view put forward by Mark Fabro of Lofty Perch, in his spot at this year’s AusCERT 2013.

That’s because even though in a fairly short time the number of known vulnerabilities in programmable logic controllers (PLCs) has gone from zero to 171, turning the existence of a vulnerability into a successful exploit is a much more complex task than merely launching an attack against the individual device.

The industry, he said, is “stuck in a bit of a funk” thinking that one vulnerability will bring down whole systems – chiefly because we forget that one of the main points of SCADA systems is to present information to an operator.

If an operator sees systems starting to raise alarms or doing things that aren’t in his operational manual, Fabro said, the operator is expected to take some sort of action, or at least investigate what’s going on. So to go from “here’s a vulnerability in one system” to “here’s a nationwide blackout” takes a lot more effort than we believe.

However, Fabro said, as attackers become more sophisticated and learn more about both the SCADA systems and their control environments, the likelihood of more dangerous SCADA-based attacks increases.

A key part of defending against those attacks that may occur, he said, is to start with a thorough understanding of the “kill chain” – the number of steps and scenarios an attacker is forced to step through to achieve what they want.

Breaking into a system, finding its control system, presenting false information to an operator, and then exploiting the attack doesn’t sound too difficult. However, to attack the bulk power system, Fabro said “the attack tree we’ve built contains 143,000 scenarios the attacker would need to get by”, and if any one of those fails, “he can’t get in”.
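The attack-tree reasoning above can be made concrete with a small evaluator. The following Python is an added illustration, not code from the article or from Lofty Perch, and the tree it evaluates is a constructed, hypothetical one that follows the sequence Fabro describes (get in, reach the control system, deceive the operator, act on the process); its step names are invented and its counts have nothing to do with the 143,000 scenarios mentioned in the talk. It shows the defender's side of the argument: mitigating a step inside an OR branch only trims the number of open scenarios, while mitigating a step the attacker must pass (an AND step) closes every path, and `choke_points` lists exactly those mandatory steps.

```python
"""AND/OR attack-tree evaluator for kill-chain reasoning (added example).

Leaves are single attacker steps; AND nodes require every child, OR nodes
accept any child.  A defender "mitigates" a leaf by making it impossible.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    """A single attacker step (one link of the kill chain)."""
    name: str


@dataclass(frozen=True)
class Node:
    """Composite step: AND means every child is required, OR means any suffices."""
    name: str
    kind: str                      # "AND" or "OR"
    children: Tuple["Tree", ...]


Tree = Union[Leaf, Node]


def count_scenarios(tree: Tree, mitigated: FrozenSet[str] = frozenset()) -> int:
    """Number of distinct end-to-end scenarios still open to the attacker,
    given the set of leaf steps the defender has mitigated."""
    if isinstance(tree, Leaf):
        return 0 if tree.name in mitigated else 1
    counts = [count_scenarios(c, mitigated) for c in tree.children]
    if tree.kind == "OR":
        return sum(counts)            # alternatives add up
    if tree.kind == "AND":
        total = 1
        for c in counts:
            total *= c                # required steps multiply (0 kills the branch)
        return total
    raise ValueError(f"unknown node kind {tree.kind!r}")


def leaves(tree: Tree) -> List[str]:
    """All leaf step names, left to right."""
    if isinstance(tree, Leaf):
        return [tree.name]
    out: List[str] = []
    for c in tree.children:
        out.extend(leaves(c))
    return out


def choke_points(tree: Tree) -> List[str]:
    """Leaf steps whose mitigation alone closes every scenario: the attacker
    cannot route around them, so a control placed there pays off most."""
    return [name for name in leaves(tree)
            if count_scenarios(tree, frozenset({name})) == 0]


# Constructed, hypothetical tree; step names are invented for the example.
BULK_POWER_TREE = Node("Disrupt bulk power system", "AND", (
    Node("Gain initial access", "OR", (
        Leaf("phish operator"),               # people as the vector
        Leaf("exploit exposed remote access"),
        Leaf("tailgate into facility"),       # people as the vector again
    )),
    Node("Reach control network", "OR", (
        Leaf("pivot across flat network"),
        Leaf("abuse engineering workstation"),
    )),
    Node("Deceive operator", "AND", (
        Leaf("spoof HMI readings"),
        Node("Suppress alarms", "OR", (
            Leaf("tamper alarm config"),
            Leaf("flood alarm queue"),
        )),
    )),
    Leaf("manipulate PLC setpoints"),
))


if __name__ == "__main__":
    print("open scenarios:", count_scenarios(BULK_POWER_TREE))
    print("after phishing awareness:",
          count_scenarios(BULK_POWER_TREE, frozenset({"phish operator"})))
    print("after HMI integrity checks:",
          count_scenarios(BULK_POWER_TREE, frozenset({"spoof HMI readings"})))
    print("choke points:", choke_points(BULK_POWER_TREE))
```

On the sample tree there are 12 open scenarios; removing the phishing leaf leaves 8, because two other entry routes remain, while removing the HMI-spoofing leaf leaves none, because every scenario passes through it. The people-centred steps in the tree sit in OR branches, which is one way to read Fabro's later point: training alone narrows the entry funnel but does not close it, whereas integrity controls on what the operator sees break a step the attacker cannot bypass.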

And if you’re spotting a pattern emerging, you’re right: the operator isn’t just an important point of defence, but also the biggest weakness.

“Time and time again people are the vector, the kill-chain’s tipping point is at people,” he said. “An individual who was tricked and had done something inappropriate – clicked on the link in the e-mail, let someone into the facility.”

It points to a difficult cultural problem in defending industrial control systems, because in trying to instil a new security culture, “the people you’re risking upsetting are the ones you’re relying on to run the system.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/scada_security/