28 December, 2006

Gifter - Million Dollar blog Post - Recap

I am reposting this one more time. - Million Dollar Blog Post

I think it is a great idea and this is the season to give.

You can do it painlessly here. It doesn't even take any money from you, though if you want to sponsor I am sure they would be happy.

If you have a Digg account Digg it.

If you don't, then get a Digg account and Digg it. Put it on Delicious, Slashdot, whatever.

Spread the meme.

Old Media Vs New Media

DBunker put an emphatic post up on Rago's recent rant against blogs.

I generally try to stay away from the political stuff.

For some reason I usually manage to tick off everyone in the discussion when I get going on them. Conservatives hate it when I go on about civil rights or separation of church and state, and Liberals hate it when I talk about the free market and my thoughts on gun control. For that matter, the Liberals I know typically get ticked off about my separation of church and state thoughts as well.

I do generally agree with the instapundit.

I want a world where a happily married gay couple (liberal trust cue) has a closet full of legally obtained assault weapons (conservative trust cue).

To put it in less contentious words I always vote in the manner I believe will limit the power of government over the rest of us the most. No matter who the "us" is and no matter what the parties are.

Generally I manage to hit the anti-trust cues for pretty much every group when I get political.

Now that I have aired some of my political dirty laundry, I really don't think the Rago article was a political item. It has been treated that way in half of the blogosphere. It fits the "Evil Liberal MSM guy hates us" meme too well to be ignored.

The fact of the matter is most of the Old Media simply doesn't get blogs. I know some of them and have talked at length with them about blogs but they simply don't understand the implications (or the possibilities).

Look, to use one of Mike Murry's favorite topics, game theory: Blogging and Old Media are not in a zero-sum game.

When Rago, moron that he is, attacks thousands of passionate and intelligent people, it doesn't have the effect of harming any of those people. As a matter of fact it upped the traffic for thousands of sites. It created fervour and therefore exchange of ideas.

It probably didn't hurt Rago that much either. I am sure that article got more traffic than any of the others he has written. Fellow "journalists" will commiserate and pat him on the back. Bloggers will be outraged and write at length about him, often with links that many will follow, imparting him with a voice he never had until then. In short, everyone won this last round.

Of course, if he keeps saying blatantly stupid things and believes in them, sooner or later people will just ignore him. Just like David Duke and Cindy Sheehan, who can only make the news by rising to new heights of idiocy and engaging with people who have clearly identified themselves as our enemies.

There is a more healthy and productive way for the two environments to engage. If you want, call this Crazy Idea #6.

Full time media outlets (let's call this one Bob's Newspaper) need to assign one or more "reporters" and "editors" to the blog beat (yes, I know most have already). Their job is basically one of engaging new bloggers and convincing them to feed directly (in addition to their main site) to Bob's Newspaper's online site (probably via RSS).

They don't try to exercise control at all. Direct Control is what is making them fail. They just try to contain the mosh pit.

The "editor" fact checks the posts that get the most hits and feeds the data to the "reporters". The reporters use this data along with (can't believe I am about to say this) original research to write stories about the blog posts. Everyone wins. Bob's Newspaper gets a huge amount of free data and reporting while still being able to hold the worst stuff at arm's length. Basically hundreds of unpaid freelancers. If the reporter trashes a blog, hey, that is traffic as well.

Bloggers win because, let's face the truth here, most of us are hit junkies and check our stats constantly. They link to us and our stats go up.

The best "editors" will keep track of the facts and who is right most often. They might even start up a fact-based rating system to give kudos points to blogs that are consistently right.

Slashdot and Digg kind of do this stuff already with a few exceptions.

In Slashdot or Digg, if what is written matches a popular meme it will do well regardless of whether it is correct or not, and you see a lot of gaming of the system using these gut reactions. By adding in a level of accuracy incentive, things get better.

In any case D-Bunker (I have to think up an easier nickname for his pseudonym) is right in that they (the MSM [conservative trust cue here]) are missing the boat in many ways. I am just not sure he was right about Rago's blunder really missing it. If Rago is smart he could turn this into a New Coke thing. Of course, judging from his responses so far, he isn't that smart.

Rest and family time

I apologize for not putting anything down over the last few days. I am glad that D-Bunker has picked up my slack. A few obvious good reasons for me not blogging, but the biggest one was that I managed to get my wife interested in blogging.

I do most of my posts at home. I stage them then periodically post them during the day.

I haven't been able to get any time in on my home computer to stage any so the entire pattern has collapsed.

Anyway if you want to see what we were up to over the Christmas Holidays you can visit my wife's new blog.

Folded Gingham. I have no clue what that means, but she assures me that it means something in her circles.

Some good pictures of my kids there as well.

27 December, 2006

Musings about Vista

With all the fanfare of the coming release of Vista, there has been a fair amount of speculation and chatter this month on the SCADA Gospel list about its potential in SCADA and DCS systems. And of course, I would be remiss if I didn't mention Peter Gutmann's paper about what Vista security may mean for device driver performance.

Taken together, I think Vista may have the ability to finally put a nail in many of the security problems that have been dogging Microsoft's reputation for almost as long as they've been writing operating systems. However, such power in the hands of the greedy may also prove their undoing. The use of Vista's security features to limit the use and re-use of content seems ominous to me. It also seems a bit scary that Vista demands signed drivers; and that Microsoft and Microsoft alone are the only ones who can hand out keys for such drivers. There won't be any open source drivers. Where does this leave small time Industrial Control Systems Integrators? I wonder if this is Microsoft's answer to Open Source Software --if it ain't signed by them, it won't run.

Going further, Vista seems focused in directions which may not be in line with current design policies of many control systems. According to Gutmann, the security features it uses demand that video drivers be scanned every 30 milliseconds for certain "tilt bits" to verify that no "premium content" is being ripped. What does that do to control system performance? Does that reduce your Pentium chip to something that runs at half the speed it had in previous OSs? Even if it doesn't, what happens if the OS doesn't like your driver's behavior? It revokes the signature!

Remember all that stuff about embedded logic bombs? What if something a SCADA or DCS system does trips this? Do you trust the folks who write drivers to avoid all such problems? I don't. Are you ready to debug device driver minutia? I'm not. Somehow, given this permanent alternative, I'm starting to think that perhaps the Blue Screen of Death was not such a bad thing after all.

My verdict: Vista has some ugly features which will get in the way of any DCS or SCADA deployment. Not just now, but perhaps for many Service Packs to come (if Microsoft stays in business for that long). Microsoft would do well to heed the advice of Gutmann and many others to temper their efforts at "managing content." I can smell what's coming next. Microsoft would probably like to deny their OS to most Open Source Software.

If they actually manage to do this, I tend to agree with Gutmann: Microsoft will end up committing suicide. We'll see this once great firm shrivel up into a shadow of its former self. Those of us who depend on it in our Industrial Control Systems will be left with a bag of parts. Is this really where you wanted to go?

25 December, 2006

Rago's Rant, Part II

So Joseph Rago doesn't think much of Blogs? Well guess what, we bloggers don't think much of his ilk either. Credentialed Journalists indeed! It would be different if these so-called Journalists actually knew something besides Journalism. In fact, I'd settle for Journalists who actually understood their own craft, never mind what the rest of the world has to offer.

Yeah, we've seen lots of hard bitten Journalists lately. We've seen ignoramuses who couldn't detect blatantly photoshopped images from their "photo-journalist" brethren. We've seen people who selectively report what world leaders say. We've seen opinion and theories reported as fact. And they wonder why people hold them in such low regard? Wake up, Mr. Rago.

Meanwhile, there are scandals of world shaking magnitude brewing all around the UN and nobody sees fit to report on them. Remember Oil for Food? What about all the interesting dirt that Claudia Rosette dug up years ago and continues to research? Has anyone seen fit to follow up on it?

We're blasted daily about reports of global warming. What we don't see are the numerous studies indicating that the consequences may not be as rapid or as dire as first thought. For example, the polar bear population study on the cover of Time? That was one study of many. It was the only study showing a decline in polar bear population. Guess which one got reported?

Sensationalism sells. That's what's wrong with the descendants of town criers. Nobody likes to yell "All's Well." It's much more fun to scream "THE EARTH IS BURNING" at the public. By the way, I do not doubt that the earth probably is warming. I merely question the hysteria that surrounds this issue: a hysteria fomented primarily by your colleagues, Mr. Rago.

As for my credentials, well, I feel I'm far more qualified to report about a SCADA system than any wordsmith who calls him/herself a Journalist. Sure enough, my description may not be as concise and my language may be rough around the edges. However, I will be far more precise and I will use the correct terms. Shall I get a ghost writer to mediate this stuff, or would you prefer to read about it first hand?

Let me ask a similar question: Do we need to be a certified graduate with a computer science degree to write good software? Go look on Sourceforge. Yes, there are some folks who could use help writing a decently stable program. But if there weren't some really talented amateurs out there I wouldn't be typing this 'blog on an open source OS and browser.

This is also true about scientists, engineers, lawyers, doctors, and so on. Yeah, there are lots of amateurs out there. Many do not know as much as they should. But they're learning. And so is the public. Among the literate, you'll often find that popularity is not a bad guide for who knows their stuff and who doesn't.

Wait, did I say Popularity? Well, I guess I did. It is the same gauge we use to see how well newspapers and magazines measure up. Mr. Rago, I think you need to consider the message buried deep in those unworthy 'blogs. They just might know what you do not.

You see, I think Marshall McLuhan was wrong: The medium is not the message. It's all about the information, stupid.

22 December, 2006

Moneyball in Academia

Interesting Hiring Practices

I would like to see more of it in the Corporate world

but we seem to have trouble defining what "Win" means to us.

"Imbeciles eating poo flung by uncredentialed monkeys."

BY JOSEPH RAGO - AKA Iowahawk

"they have also demonstrated a remarkable antidisestablismentarianist ecumenicalisticationism in filling out that same role themselves. Because we are enshrouded in a protective membrane of elastic latex, while they enrobed of visciduous mucilage, everything they say bounceth off of us, and sticketh to them."

We are one of the infinite number of monkeys in front of an infinite number of typewriters.

An iterative experiment in written expression


--- Oh I give up. There is no way I can keep up with him. My Sarcasm instinct just isn't that sharp. Just go read his post instead.


21 December, 2006

Merry Christmas

For obvious reasons, light blogging for the next several days.

20 December, 2006

Measurable Layers

Prediction #9 seems to have gotten at least some attention. I have had three separate requests (one in two parts so I am certain the author is interested) for expansion, and clarification.

I guess this is good. I obviously tapped into a healthy meme seed but I do have a bit of a dilemma.

I am not really sure what I meant.

Well I am sure what I meant but I am not really sure how to articulate it. (wow doesn't that leave me an easy out in 08)

Every attempt I have made turns out to just be a small part of the whole. It is like trying to draw a hypercube on a piece of paper. All I wind up with is a bunch of weird looking triangles, rectangles and squares.

The way I used to look at security was as a sort of modified OSI model. (way back when)

Control Physical Access
Locked TC and DC doors, building access, wireless access controls

Control Switching/Electrical Access
More wireless access controls, MAC filtering, NAC (if it ever works), VLANs

Control Routed Access
ACLs, good subnetting (yes, I know a subnet doesn't stop anything by itself, but if you don't get the routing right everything else is harder), proper DMZ/Extranet/Segmentation

Control of Application Connectivity
Firewalls, tunnels, some proxy functions

Control of Sessions and early SoD
Session segregation, basic SoD, identity controls

Control of Data Access and Presentation
DB controls, site/share/page access, more identity controls, middle SoD

Application Controls and Control of Data Manipulation and Metadata
Business SoD, application design, business use of application, more identity controls

This approach actually still works in many cases but it lacks a lot of essentials. It is almost purely tactical and has no self awareness. It also focuses too much on access control/preventative controls and not enough on mitigation and prioritization.

A lot of people who talked about the OSI model used to jokingly add a few more layers.

Politics, Religion, and Money

I am not so sure that is a bad idea but I would probably add a few more layers and call them:

Process, Policy, Governance, Compliance, and Money

in that order.

If you do that combined with the other layers it looks a bit like ISO 17799 domains doesn’t it? Well perhaps with some CoBiT Control Objectives thrown in.

There are a few differences though. Instead of interrelated overlapping domains you have sequential (potentially superseding) layers in both directions. These are layers where (for a given threat) you can show a certain level of protection. Multiple layers can be stacked for increasing sequential protection versus a threat from a given vector.

So let’s add these into the mix. Do they overcome the shortcomings? Well not completely. There is one thing still missing, visibility.

So feed visibility as a subset requirement into each of the layers.

As a quick example of that meme:

A firewall is valuable because it stops some attacks.

If you are able to see how many attacks occur “outside” the firewall and compare them with how many attacks make it “inside” the firewall you have added value. The value isn’t directly added to the control that is the firewall. The value is added at the Process layer where an evaluation of the effectiveness of the firewall occurs and other controls can be used to mitigate the identified weaknesses. It might also be added at the Compliance layer where an organization might have to meet PCI requirements on proof of effectiveness of controls (specifically the firewall as a Control).

So what I was trying to say when I wrote:

“Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there will do well financially)”

is that vendors that are able to add or combine either automated or easy to implement means of measuring the effectiveness of the controls they peddle will add value.

Also

Vendors that facilitate the process of not only tying controls to specific effectiveness but also representing the effect of overlapping controls on overall risk mitigation will add a great deal of value.

If you can demonstrably add value then you can make money.
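The firewall example above (attacks seen outside versus inside) and the later point about representing overlapping controls together, worked through as an added example that is not from the original post. It assumes constructed event counts from three sensor positions (perimeter, DMZ, internal) and a two-control chain; the layer and vector names are invented for the illustration.

```python
"""Measurable layers: score each control against a threat vector by comparing
what a sensor sees before the control with what a sensor sees after it, then
stack the layers sequentially to get the residual exposure for that vector.
All data below is constructed for the example."""
from collections import defaultdict

# Constructed sample: (sensor position, threat vector, events seen in the period).
# Sensor positions follow the chain perimeter -> firewall -> dmz -> proxy -> internal.
SAMPLE_COUNTS = [
    ("perimeter", "unicode-traversal", 40),
    ("dmz", "unicode-traversal", 8),
    ("internal", "unicode-traversal", 2),
    ("perimeter", "smb-worm", 20),       # nothing of this vector seen past the firewall
    ("internal", "phishing-mail", 5),    # arrives by a path the chain never sees
]

# Control chain: (control name, sensor position before it, sensor position after it).
LAYER_CHAIN = [
    ("firewall", "perimeter", "dmz"),
    ("proxy", "dmz", "internal"),
]


def tally(counts):
    """vector -> {position -> events}"""
    seen = defaultdict(lambda: defaultdict(int))
    for position, vector, n in counts:
        seen[vector][position] += n
    return seen


def layer_effectiveness(before, after):
    """Fraction of events seen before the control that did not show up after it.
    Returns None when nothing was seen before it: the control cannot be measured
    for this vector, which is not the same thing as it being effective.
    Clamped at 0.0 so sensor drift (after > before) never yields a negative score."""
    if before == 0:
        return None
    return max(0.0, (before - after) / before)


def stacked_residual(effectivenesses):
    """Residual exposure after sequential layers: the product of what each layer
    lets through. An unmeasured layer (None) is counted as 0.0 effectiveness, so no
    credit is claimed for protection that was never demonstrated."""
    residual = 1.0
    for e in effectivenesses:
        residual *= 1.0 - (e or 0.0)
    return residual


def measure(counts, chain):
    """Per vector: effectiveness of every control in the chain plus the stacked residual."""
    report = {}
    for vector, positions in tally(counts).items():
        layers = {}
        for name, before_pos, after_pos in chain:
            layers[name] = layer_effectiveness(positions.get(before_pos, 0),
                                               positions.get(after_pos, 0))
        report[vector] = {"layers": layers,
                          "residual": stacked_residual(layers.values())}
    return report


if __name__ == "__main__":
    for vector, result in measure(SAMPLE_COUNTS, LAYER_CHAIN).items():
        scores = ", ".join(f"{name}={'n/a' if e is None else f'{e:.0%}'}"
                           for name, e in result["layers"].items())
        print(f"{vector:18} {scores}  residual={result['residual']:.0%}")
```

The phishing vector comes out at 100% residual, which is the point: a chain of well-measured controls says nothing about a vector that bypasses every sensor in it.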

That’s what I meant …

Sort of

So now I am circling around to tag the originator of the chain letter.

Password Incentives

Really good post over at Episteme on incentives for passwords.

In the DCS world there is almost no belief that anyone will ever be able to see systems let alone try to connect to them. When this misconception is combined with the difficulty (or for many systems the impossibility) of implementing access controls it is easy to see why there is so little protection in place.

Welcome

I would like to welcome D-Bunker to the blogosphere as guest blogger here. Hopefully he will be able to keep me on track, and if he enjoys it enough perhaps spin off into his own blog.

Update:

BTW, as a "no shitter" submariner short:

When I was going through Nuke training at Windsor, CT there was a shift engineer who lived in Springfield, MA who was named Homer Simpson. I have no idea if he knew Matt Groening. This is the honest truth. The big difference was that he was a pretty smart guy.

Buckaroo Banzai

Moving through matter

Via Slashdot

My favorite quote from the Comments

There's no doubt a lot of fun speculation to be made here, but if you're going to get your science from the web, it's best to stay away from Slashdot.

19 December, 2006

NIST Draft SP 800-82

Greetings folks. Jim has kindly invited me to write an occasional guest blog here. This is my first effort at a formal 'blog writing. If you have comments on the format or subject matter, please tell me.

I want to make everyone aware of a looming deadline for the first round of comments on a draft standard from the National Institute of Standards and Technology (part of the US Federal Government) known as SP 800-82.

This document is a reasonably technical outline of various security measures. Except for a few glitches here and there, it's a very complete and well done document. However, there is one glaring piece missing: It's a very complete bag of security tricks and policies. But it lacks any reference to the most important element to any security policy: The operators.

I hate to say this, but I'm going to anyway: It's the Homer Simpsons of this world who really matter here. They're the ones who will have to work and live with the security mania. They're the ones who are just trying to get their job done as safely and expeditiously as they reasonably can. They're the ones we need to sell this stuff to, or it all falls on the floor.

Look for them in this document. These people are nowhere to be found. Sure, in the executive summary, they mention IT, they mention Control Engineers, they mention the CIO or CSO, they even mention the system vendors. But they make very little mention of the plant operators.

Clearly, NIST is working on this problem as if it's almost entirely technical, not personal. Is it really? Or are they trying to solve a human problem with gadgetry?

Dangerous Toys

Ten Most Dangerous toys

Some of these are really pretty sad but

Check out number two. The Radiophobes will love it.

Again Via Slashdot

Blogging From Space

Pretty cool.

Symantec and SCADA

We used Symantec for SCADA protection at my last company and they worked reasonably well when properly integrated into the designs. They did have a problem with MTBF but I suppose that may have been a statistical fluke. Gary Sevounts is a good guy and we helped pull him into the Logiic project that I mentioned a few days ago. It looks like they were pretty successful.

Security Blog Chain Letter - Tagged

Mike at Episteme just told me that I haven't responded to his Security Blog Chain letter fast enough so I suppose that now my hair is going to fall out and my kids will cost me a fortune. (well with six kids you can count on the last one regardless of ignoring a chain letter)

I think I will have a little fun with this one.

:)

10 Predictions

1. 30 percent of the predictions we make will be flat out wrong but we will conveniently forget that we made them. (or better yet read them in a way that makes them seem prescient anyway)

2. The only reason we do better than random on the accuracy of the predictions is because some of the items are so easy to foresee that my 13 year old pointed them out two years ago.

3. Something bad will happen in the next year.

4. Some good things will happen next year.

5. After pointing out only the items we were right on we will congratulate ourselves then make another series of lists next year.

OK, now that the obligatory curmudgeonliness has been done, the next five will be a bit more in line with the intent.

6. There will be one or more worms released targeting SCADA systems specifically and using vulnerabilities specific to them. Expect them to affect both Historians and some PLCs.

7. There will be several fairly significant outages related to SCADA security failures but they won't be publicly identified as such. Possibly even a huge one. (left myself some leeway on that one didn't I)

8. Organizations (regardless of the type) that downplayed or reduced the capability of their Information Security teams will pay significantly in terms of incidents, stupid and improperly configured controls, and lost opportunities. (Most of them won't admit it though)

9. Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there do well financially)

10. Improperly performed vulnerability scans on control systems will get several people fired (or close to it) They might even be related to #7. - This one is for you CNI Operator

Oh yeah, #11:

11. My Kids will cost me a lot of money but be worth every penny.

I'll Tag Digitabond now. Give us your predictions Dale or your hair will fall out and you will be forced to rely on blog marketed consulting gigs for income. (oh wait)

:)

Million Dollar Blog Post

Charity post

You comment they give money.

There is also a link at the site to support.

Via Emergent Chaos

Instapundit this is one you should jump on.

Invasion in the UK

I know several Gaelic speakers that might start getting concerned for (of?) their neighbors to the south

and I am sure the Welsh speakers are not going to be happy with this.

after all the progress they made in '99.

18 December, 2006

Sorry for the light blogging

Feeling a bit under the weather.

Will try to pick up the pace tomorrow.

Tenable SCADA webcast

This got delayed last week but is up now.

I haven't had the time to view it yet. If anyone gets to it before I do I'll be happy to move what they say up from comments.


Update:
The link wasn't working earlier but I believe it is now fixed.

17 December, 2006

Rapture for Nerds

So this is why they call it that.

One must be careful when one deals with exponential trends

Via Instapundit

15 December, 2006

Two Manufacturers delaying results

This is interesting: both Dell and Apple are postponing their results. Not surprising, but interesting. Options problems and investigations seem to be hitting tech companies more and more lately. I hope that Google factored this into their recent plan to trade options. I wonder how much this will play into industry valuation over the year.

14 December, 2006

LOGIIC solves the Oil industry SCADA problem - Well sort of :-)

LOGIIC was a pretty good project but this account really makes it sound like it is solving everything in the SCADA world. I am sure they have gotten a lot more done since I was involved and Ben and the other guys are great but I suspect that there is a lot more work to do. Mike P really did a good job on the press release on this one.
 
I wonder what Mike A at INL thinks. A little inter laboratory rivalry is a good thing.
 
Keep up the good work guys.
 
It would be interesting to see what they came up with after Symantec announced they were changing their hardware offers.
 
LOGIIC is worth looking into if you are in Oil or Refining.
 

UBS Insider Logic Bomb

I was offered a job at UBS about 6 years ago. I'm kind of glad I didn't take it.
 

SOX Compliance and Crumpled 3x5's


When I was a wee lad I had to take part in a management training meeting. Of the week I was there I got only one thing of value (unless you count the pleasant and far too expensive stay at the Times Square Marriott and subsequent New York restaurant visits).

We did an exercise.

They divided the class up into about 10 groups of 4 to 5 people. They gave each group a bunch of 3x5 cards, a few rolls of cellophane tape and a stapler with a bunch of staples (too bad it wasn't a red Swingline).

We had 3 minutes to plan then at the end of that time we had 2 minutes to build a 5 foot tall tower with our resources.

My team spent the three minutes dividing ourselves into an organized, highly efficient 3x5 card block creation assembly line and readying the floor space.

When the stopwatch started we started stapling the cards into small triangular blocks like good little assembly line workers. We made hundreds of them and passed them to our teammates who dutifully organized and stacked them. The leader circled the tower applying tape to hold the layers together. We were incredibly efficient, hard working, we paid attention to every detail and were ultimately unsuccessful.

Our tower got to be almost 3 feet high when they rang the bell. It was a pretty tower and we worked hard on it, but in the end it fell short of the 5 feet goal by close to half.

Two of the groups did succeed.

One of them strung out long strips of tape and slapped the 3x5 cards to them lengthwise. They crumpled these into three tubes, then taped them together at the top. It only took them about 30 seconds to finish.

The second group had everyone on the team watch each of the other groups. When they saw the tube guys they imitated them. I think they probably finished in about a minute. Their strategy was obviously to imitate a successful strategy. After all the goal wasn't to be first it was just to get over 5 feet in less than 2 minutes.

When I first got involved in SOX compliance pieces, specifically the attestation process I felt either like the stapling person or (when I was in charge) like the group leader running around with the tape trying to hold the far too small (but very pretty and neatly organized) tower together.

Since then I have been through three successful audits at two different companies. One of which I helped manage.

Our most successful portions were done by crumpling the cards and taping them together at the top.
I am going to try to describe what went well over the next few weeks, so if you are having headaches stacking cards perhaps you can play the part of the second team instead.

Some "Facts" that are fiction

13 December, 2006

We don't need no stinkin CIA

and the NSA has nothing on Google.

Snowcrash Gargoyles unite

These look pretty cool.

Found via Slashdot

Less than Zero Day - Dead horse ... beat

I know everyone has probably already read this but it is just one more argument for the Less than Zero Day meme that Alan started.

Security Blog with a Twist

I stumbled on this in Technorati

A new (at least I think it is new) security blog.

Pretty eclectic posts so look through for the security nuggets.

Not that many IT Sec bloggers out there with a femme twist.

A visit to CORE

Mike has a post up about our visit to CORE Security last week. Anyone who has read me for the last several months knows (to use Mike's phrase) I drank the Core kool-aid a long time ago. I have probably already burnt my fuel plugging them, so I will let Mike do some of the plugging for me.

Argghhh I can't help myself

I used it for several years including time I spent as a pen tester at an organization that did dozens of companies including large financials.

They have a great product, and if you are a pen tester and not using it then you either:
  • haven't actually looked at what they have
  • are arrogant, think you know better than everyone else how to pen test, and are ignorant of how much time and money you can save per test while at the same time improving consistent quality, and are therefore probably stiffing your customers
  • think it is cost prohibitive and have not talked to them about the options
  • are new to the game and think Metasploit is the cat's meow, or that running a Nessus scan by itself is actually pen testing
  • just have never heard about it

It has a place inside a non pen testing organization or normal IT shop as well:

  • Improving credibility while pointing out vulnerabilities to sysadmins
  • providing CYA because of its detailed logging of what it does
  • Impressing the hell out of executives in IT and the business alike
  • Eliminating false positives from vuln scans
  • as part of a simplified process to ensure visibility of internal and cross boundary (read firewalls/DMZ/Segmentation) weaknesses (SCADA!!!)
  • To pen test yourself for less cost (You can do it monthly even in large companies)

I have used it on automated control systems (SCADA) without causing any problem, including Honeywell, ABB/Rockwell, Siemens and Emerson (with proper notification and management of change, of course).

OK Blatant plug finished. Hey if something works and has helped me I like to tell others.

Save the Users - or - Help Me Help You - CI4

Crazy Idea #4 - Potential new revenue stream for ISPs.

About 6 to 10 years ago (I can't remember exactly when, but suppose it was about the time of Code Red or NIMDA) I was staring at a pile of papers on my desk. They were a dump of that month's syslog and were about 6 inches high. The log for the previous month was in my hand and was only two pages long.

We had set up a pretty useful system for tracking down people that were trying to hack into our company. Our Internet facing Cisco router served as the first layer of defense. There was an ACL that watched incoming traffic and dumped all but a few ports. For HTML we got fancy and looked for some rudimentary "signatures" (about 40-50 of them) that caught things like unicode attacks and a few other items. Next in line was a SNORT box. They would log these events then forward them to a DMZ syslog behind the firewall. We also forwarded our Checkpoint firewall (which was the next line of defense after SNORT) logs to that box.

I had some greps cron'ed to run periodically and forward their results to our SMTP server using a little mail script I wrote. HELO, MAIL TO, MAIL FROM, DATA, egrep, EHLO. We had some Network General Sniffers that alarmed for certain specific types of traffic (mostly stuff that looked like scans) and forwarded an email to the same address. The system worked really well and had for several years. We would have about two or three false alarms a week and just a few real ones a year. We even managed to track a few of them down and got involved with authorities in the country they were in. (two convictions, one promotion [he worked for us in another country and was trying to fix things])

It all changed overnight.

Pretty much everybody reading this blog is a security professional that went through this. (or possibly a controls engineer that I suspect is about to go through it. Remember 8 to 10 year lag)

It started with the large scale automated scans. Usually some idiot that had gotten hold of SATAN, SAINT or an early ping sweep utility and didn't know how to use it right. (honestly these started several years before) They were irritating but you could filter them in your greps. Early versions of Nessus and other versions of NMAP and HPING were more irritating because they were harder to filter and the ACL would miss chunks of them.

Then the worms ate into our brain.

Within a month or two those of us that had set up automated detection mechanisms were buried under an indecipherable morass of logs. Since then we as an industry have gotten a lot better at designing filters and managing the information chaos. Through a combination of layers, good design, luck and major initiatives by IT vendors we have somehow gotten to an acceptable equilibrium with the worms (at least for now) but the root problem has never really been solved.

Staring at that pile of paper I had an idea. The only people who could fix this were the users and the only organizations that could help them were the ISP's. The ISP's could help their users and make money at the same time.

I have dropped this idea for almost three years because ISP's started to give away AV for free but recent events have revived it for me.

It is pretty simple really. The ISP (or someone hired by them) watches for suspect traffic from their address ranges. If they see hints of it they watch that address closer. If it is verified that the machine is acting improperly they use their systems to tie the address to a user and then an email. They all have the data, just in different formats; it might be RADIUS, MAC registrations, mail logins, cable modem registrations or just access logs.

They then send an email to the user informing them that there is probably a security problem on one of their systems. If they go to this web site (linked in the email) and follow the instructions it can be cleaned for free. For a simple fee of $5 a month (added to their existing bill) they can be added to the premium security service that will help to maintain their system in a clean state. For $10 a month they can be added to the platinum service that includes additional services and advanced protections.
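To make the "watch, verify, tie the address to a user, notify" chain concrete, here is an added example of that pipeline in Python. It is not the setup described above and not any ISP's code: the Snort-style alert lines, the honeypot hit list, the RADIUS-style account table, the thresholds and the support portal URL are all constructed for the illustration. The point it adds is the verification step: a source has to trip both the IDS threshold and the honeypot before anyone gets an email, which is what keeps the false-alarm rate down.

```python
"""Added example: an ISP-side 'suspect traffic -> verify -> account -> notice' pipeline.
Log formats, thresholds, the account table and the portal URL are constructed assumptions."""
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed IDS alert lines in a Snort-like fast-alert style (not real captures).
IDS_ALERTS = """\
Dec 28 10:01:02 sensor1 snort[4121]: [1:2001:1] SCAN SMB probe {TCP} 10.0.5.17:1034 -> 192.0.2.10:445
Dec 28 10:01:02 sensor1 snort[4121]: [1:2001:1] SCAN SMB probe {TCP} 10.0.5.17:1035 -> 192.0.2.11:445
Dec 28 10:01:03 sensor1 snort[4121]: [1:2001:1] SCAN SMB probe {TCP} 10.0.5.17:1036 -> 192.0.2.12:445
Dec 28 10:01:03 sensor1 snort[4121]: [1:2001:1] SCAN SMB probe {TCP} 10.0.5.17:1037 -> 192.0.2.13:445
Dec 28 10:02:10 sensor1 snort[4121]: [1:2001:1] SCAN SMB probe {TCP} 10.0.9.2:2201 -> 192.0.2.10:445
Dec 28 10:05:44 sensor1 snort[4121]: [1:3003:2] WEB unicode traversal {TCP} 10.0.7.8:3301 -> 192.0.2.20:80
Dec 28 10:05:45 sensor1 snort[4121]: [1:3003:2] WEB unicode traversal {TCP} 10.0.7.8:3302 -> 192.0.2.21:80
Dec 28 10:05:46 sensor1 snort[4121]: [1:3003:2] WEB unicode traversal {TCP} 10.0.7.8:3303 -> 192.0.2.22:80
"""

# Constructed honeypot connection log: the independent second piece of evidence.
HONEYPOT_HITS = {"10.0.5.17", "10.0.9.2"}

# Constructed RADIUS-style accounting table: address -> (account id, contact e-mail).
ACCOUNTS = {
    "10.0.5.17": ("cust-00412", "cust-00412@customer.example"),
    "10.0.7.8": ("cust-00981", "cust-00981@customer.example"),
    "10.0.9.2": ("cust-00077", "cust-00077@customer.example"),
}

ALERT_RE = re.compile(r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alerts(text):
    """Return (src_ip, dst_ip, dst_port) tuples from alert lines; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], int(m["dport"])))
    return events


def find_suspects(events, min_targets=3):
    """A source is suspect when it touches at least min_targets distinct hosts on one port."""
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[(src, dport)].add(dst)
    return {src for (src, _), dsts in targets.items() if len(dsts) >= min_targets}


def verify(suspects, honeypot_hits):
    """'Watch it closer': only sources seen by both the IDS and the honeypot count as verified."""
    return suspects & honeypot_hits


def build_notice(ip, accounts, portal="https://security.isp.example/cleanup"):
    """Return an EmailMessage for a verified address, or None when no account maps to it."""
    if ip not in accounts:
        return None
    account, contact = accounts[ip]
    msg = EmailMessage()
    msg["From"] = "security@isp.example"   # constructed sender
    msg["To"] = contact
    msg["Subject"] = f"Security notice for account {account}"
    msg.set_content(
        f"Our monitoring has observed traffic from your connection ({ip}) that usually\n"
        f"indicates an infected machine. Free cleanup instructions: {portal}\n"
        "We never ask for payment details by e-mail; any service change shows on your bill.\n"
    )
    return msg


def run(ids_text=IDS_ALERTS, honeypot=HONEYPOT_HITS, accounts=ACCOUNTS):
    """Full pipeline: parse -> suspect -> verify -> account -> notice. Returns {ip: EmailMessage}."""
    suspects = find_suspects(parse_alerts(ids_text))
    notices = {}
    for ip in sorted(verify(suspects, honeypot)):
        msg = build_notice(ip, accounts)
        if msg is not None:
            notices[ip] = msg
    return notices


if __name__ == "__main__":
    for ip, msg in run().items():
        print(ip, "->", msg["To"], "|", msg["Subject"])
```

With the constructed data, 10.0.5.17 is both a scanner and a honeypot visitor and gets a notice; 10.0.7.8 trips the scan threshold but never touched the honeypot, and 10.0.9.2 touched the honeypot but only hit one host, so neither is mailed. Those two are the kind of borderline cases a real deployment would queue for closer watching rather than drop.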

Think of it. It is targeted marketing to someone who definitely has a need. Probably someone who is ignorant of the product and industry but has been barraged with mainstream news panic stories so is primed to react.

The first objection I usually hear is "Why would they open the mail? They'll think it's spam."

Hello!!! They are infected by a trojan or worm so they obviously don't have that great of a brain-email-spam-phishing filter to begin with. Plus the carriers never need to ask for credit cards or other information. They build trust with a well developed mail and clearly branded site. If they want to be careful they can verify any orders out of band. Any info security people I plugged this with years ago looked at it with a paranoid eye.

The user doesn't.

They are link lemmings.

Besides it is certainly possible for problem accounts to send an actual snail mail.

Next objection - Exploratory Cost

It would be somewhat different for every ISP but most of the time the start up system would be very easy and inexpensive. You need some kind of Honeypot or IDS to catch the bad traffic. Chances are it already exists. You need to write a simple app to verify what traffic is actually bad. An app to link addresses to users. A site with a web based AV and spyware scan (honestly just use the company that is already being given away free). And an email app. If it makes money from the start up design then expand it to meet the needs/demand. Most ISP's already have these pieces they just need to develop the offering. At the very least it would defer some of the AV costs at the most a tidy profit center in the long run.

Next Objection - Why not do it for free

Because it doesn't have to be free. Oh, the ISP's should still offer the free AV items but if a user isn't savvy enough to use it then they might like a premium service that takes the brain work out of it. A simple agent (uh oh, I said the A word) to make sure that the AV and anti-spyware apps are up to date and working well could do. For the premium service they might throw in shredding apps, child filters, weekly security popup tips (that can be turned off of course), utilities (semi optimized) and/or periodic human verification. Pick and choose the mix to compete with the other guys. Obviously the Free AV approach isn't working that well any more.

Next Objection - Invasion of privacy!!!

First, they are already watching this traffic for troubleshooting and incident response anyway so at the most this will bring it to the user's attention (which is arguably a laudable goal in itself). Second, it is entirely possible to set this up using only a honeypot that has no other uses and doesn't originate connections. If they don't come to you then you don't look at their traffic. There would still be plenty of opportunities.

The ISP's make more money, the users have more secure systems, the rest of us have a slightly improved security environment at least until the next gen of the battle. Everyone wins but the illegal spammers and worms.

Just another crazy idea.

12 December, 2006

Put the big gun in the back

So I am watching Aliens with my oldest son the other day and it gets to the scene when they are walking into the facility. The people with the huge machine guns are leading the way in.

My son pipes in "that's stupid"

me "huh"

him "That's stupid. The guys with the big guns should never go first they'll get killed. Send the short rifles in first. Big guns stay in the back and cover. Everyone who's ever played Ghost Recon or paintball knows that."

He is thirteen.

When you combine that with one of Maine's favorite pastimes - Potato Guns

and things like this

and I'm not sure if I should be scared or proud.

I guess I'll stick with proud.

and no this isn't some silly security analogy. It has nothing to do with SCADA security.

... or does it ???

:) Digg This

Nessus - SCADA Plugins

Tenable just plugged their SCADA plugins that DigitalBond helped develop.

Your systems will eventually be scanned. If you do it yourself and start with Passive scanning then move with proper MOC to active scanning and remediation you will be ready for the ones you don't control, plan or know about.

Wireless, RAS, PPP, Web Gateway and ... Modbus

We have it all

I hope they are doing every piece right because there is a lot of room for error here.

For that matter the vendor might get everything fine and in this design it would be real easy to see a lot of customers mess it up.

They mention the word security once in their marketing blurb ("all in total security.") but I can't find any white papers at their site.

Show me the meat!!!

No search capability either.

Byres Security Mentioned at Digitalbond

Good post at Digitalbond on risk work and Mean time to compromise work that ByresSecurity has been doing.

Also I am pulling this up out of my comments section

"Jim, I would go further.. Eric is a truly genuine modest gentleman. He has the interests of the community at heart. Looking at the team he has assembled in his venture I am certain that his organisation will enjoy a great deal of success and the community will enjoy the benefits from his organisation's continuing research. The knowledge he shares is helping to bridge the gap of Insufficient Training and awareness that exists in the industry. I wish every success to him with his appliance development project and eagerly await its release into the market. Ron Southworth"

It is unusual for this many competitors, co-workers and customers to unify on a message but when it is the right one it makes sense.

Oh Yea - on Statcounter - Nano Tech

Some guy from Switzerland is currently reading everything I have about Nanotech.

:)

Statcounter - Update your browsers

One of the things I have discovered since I started blogging is StatCounter.

It is pretty amazing the amount of detail it can provide. I suppose I'm not surprised, after all I do information security for a living but there is still something stark about how much useful and useless information can be gathered.

Google Analytics is pretty useful as well but doesn't provide some of the detail you can get with Statcounter.

For example, even though this is an Information Security Blog I can tell you that more than half of you are using MSIE 6.0 or earlier and are not even close to having it currently patched. For that matter less than a third of the Firefox users (the next highest usage browser that hits me) are on the current version. There is at least one Opera user that is always up to date on his (or her) updates. It is pretty clear to me that the Netscape updates are automated because when a new update goes out I instantly see it.

Although I can't tie any of the information to an individual I can get a decent idea of what they are like.

I have two regular visitors from Israel. One hits me at almost exactly the same time every day. It looks like it is breakfast or just after he gets to work.

I have a couple of regular visitors from India. It might be the same person on multiple different systems because they are from different providers but the same city.

One or more of my frequent visitors travels a whole lot. They must have a lot of travel points at Hilton and Hyatt because I have seen them coming from all over Europe, the US and Asia from POPs from those chains or ones affiliated with them.

I have had visitors from over a hundred countries and returns from over forty.

Most of my visits come from the UK, Canada, Australia and the US but together they make up only about half of my return visitors.

About two-thirds of my visitors spend between 5 min and 30 min a visit at my site.

Sorry if that was a bit off topic but I thought that some of you might be interested in what bloggers can see of you when you visit their sites. I hope this doesn't cause anyone to block me because I love reading the stats. It might be good to update your browsers though.

Welcome to the blog and remember Big Brother is watching (and keeping logs) :)

Oh how I love Risk Formulas

The Square Root of Terrorism.

I actually do like them usually. Anyone who has heard me drone on will attest that I am always trying to find ways to make them empirical and evangelizing on their use in persuading management. Still it is important to keep them in context.

11 December, 2006

The many uses of Echelon

Well now we know what it was used for in the 90's.

What privacy?

Nano Tech

350 Nano tech products

I read a few of the descriptions and some of them are underwhelming but it is a new field and obviously changing.

What are the odds?

I normally rail against "what if" this insanely improbable threat happens in this incredibly unusual way.

I call it the "what if" argument.

When I was in grade school there was a kid that liked to push peoples buttons. He would ask questions like

"What if I threw your math book out the bus window?"
"What if some guy came up and hit you in the face?"
"What if I tore your arm off and hit you with it?"

Clearly he was a bit deranged. It is also pretty transparent that he used it as a means to intimidate and control others.

I pretty regularly run into this kid in the info security world in the form of completely unrealistic risk assessments and audit findings. I am sure that the motive is better hidden from the author of these writings but the goal just might be the same.

Still we should keep in mind that sometimes the wildly improbable happens.

"What if a Thanksgiving parade float almost kills you then a private plane crashes into your house?"


Am I just perpetuating an urban legend here?

Byres Security - Site Up

Eric has the http://www.byressecurity.com/ site up and running full throttle now. There are a few pages that still need to be populated but if I know Eric he is focusing more on delivering to his current customers than marketing pushes.

His completed projects page will give you a good idea of what he has been up to.

The SCADA Information Security Community is growing and I see more names entering it every day. I see many claiming they have been "doing SCADA security for a decade" (often more). Everyone claims to be a wizened sage or industry leader. It might be true for some of them but in reality the Ethernet and IP connectivity that has so greatly increased the operability and also the risk of these systems has not been around for very long. I would view these claims with some scepticism.

Eric is one of the people who have been involved in it from the beginning. (demonstrably so, look at his papers) He has been involved in multiple industries, not just one narrow clique, and has actively provided working solutions.

This is obviously a blatant plug but it is one that I am proud to make and not being paid for. One that any company that is looking into fixing SCADA Security issues should pay attention to.

DNA Computers - Look out Diffie Hellman

This is pretty nifty from SciAm.

AND Gates on DNA. The process looks very involved but the new key I see here is that they can feed output directly into another calculation.

I imagine this could lend itself well to massively parallel computing.

Squeeze a few drops into a bunch of test tubes apply the filter gates for the thresholds. Wait for a few hours then sequence the output to find the next Mersenne prime. Diffie-Hellman look out.

I wonder what the key limiting points are for this.

The other interesting item was the manipulators.

The Singularity approaches.

More SCADA Expansion - UPS's - Caution

"Increase in oil and gas and power and process control vertical markets is likely to drive the industrial uninterruptible power supply (UPS) market of North America. The growth of this market mainly depends on the technology associated with the equipment and the demand from its end-user markets. "With UPS technology being saturated, the focus is purely on the growth of its industrial applications and the end user vertical market," according to the analyst of the study. "As the trend of oil and gas market in addition to power and process control market increases, the future of industrial UPS market looks bright and promising." "

I think it is great that people are paying attention to ensuring the reliability of their SCADA equipment. While I was at the oil company I saw at least one major (very major) incident related at least in part (there are always several failures that lead to major incidents) to a lack of proper power provisioning.

One Quick caution here.

Pay attention to the security and management issues related to UPS's when installing them. They are often managed by SNMP or other trivially manipulated protocols and some of the more advanced ones can serve as entry points. Linux is often the underlying OS and while this isn't a problem in itself, it does mean that patching and version maintenance need periodic attention.

Finally keep in mind that this is another avenue for attack/failure if it is on an essential system.

UPS's for MES and Historians are a good way to ensure you maintain the ability to monitor operations when there is a failure in what is normally a non-vital portion of the power system. The fact that these systems are often on the normal power grid is often overlooked. For PLC's and RTU's obviously a well engineered power structure is more important.

Another item to add to the periodic maintenance list - verify power supply fail over mechanism and settings thereof.
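Since the management side of a UPS is usually SNMP, one item for that periodic maintenance list is a look at how the management card is configured. The following is an added example, not from the post and not any vendor's tool: it audits a net-snmp style snmpd.conf for default community strings, write access over v1/v2c, communities with no source restriction, and missing SNMPv3 privacy. Treating the card as running net-snmp is an assumption (vendor cards expose equivalent settings in their own menus), and the configuration text is constructed.

```python
"""Added example (not from the post): audit a net-snmp style snmpd.conf for the
management weaknesses a UPS card commonly ships with. The config text is constructed."""

# Constructed configuration resembling a factory-default management card.
SAMPLE_SNMPD_CONF = """\
# constructed sample, not a real device dump
rocommunity public
rwcommunity private
rocommunity ups-monitor 10.20.0.0/24
createUser opsuser SHA "correct-horse-battery" AES
rwuser opsuser priv
"""

# Community names that every scanner tries first.
WEAK_COMMUNITIES = {"public", "private", "admin", "manager"}

COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")
V3_DIRECTIVES = ("createuser", "rouser", "rwuser")


def audit_snmpd_conf(text):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    has_v3 = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in COMMUNITY_DIRECTIVES:
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else None
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(("high", f"{directive}: default/guessable community '{community}'"))
            if directive.startswith("rw"):
                findings.append(("high", f"{directive}: write access over v1/v2c community '{community}'"))
            if source is None:
                findings.append(("medium", f"{directive}: community '{community}' not restricted to a source"))
        elif directive in V3_DIRECTIVES:
            has_v3 = True
            user = args[0] if args else "?"
            if directive in ("rouser", "rwuser") and (len(args) < 2 or args[1].lower() != "priv"):
                findings.append(("medium", f"{directive}: SNMPv3 user '{user}' without 'priv' (no encryption)"))
    if not has_v3:
        findings.append(("low", "no SNMPv3 users defined; management relies on v1/v2c only"))
    return findings


def summarize(findings):
    """Count findings per severity so a fleet of cards can be compared at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"[{severity}] {message}")
    print(summarize(audit_snmpd_conf(SAMPLE_SNMPD_CONF)))
```

On the constructed sample the `ups-monitor` community restricted to one monitoring subnet passes, while `public` and `private` each produce a high finding, the `rwcommunity` produces a second one for write access, and both unrestricted communities get a medium finding.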

Update:

Good Comment by Jake. Jake you should drop a line to DCSSEC at Gmail.com
It would be nice to strike up an out of band conversation.

More on RIAA, MPAA, and KAZAA

This seems to be a pretty decent blog on the RIAA, MPAA and other organizations attacking their customers.

Ray (the author of this blog) didn't seem to read the content of the third article I linked to in my weekend RIAA post but did provide some good factual context.

"After years of cat-and-mouse legal games, Zennstrom, Friis and Kazaa settled with the music industry in July for $100 million. They've rid themselves of Kazaa ownership, selling pieces in a series of legal maneuvers."

On the other hand perhaps I didn't articulate the issues in the post properly. My point was that although they had successfully settled in at least one of the major cases they were in, they are apparently still being harassed. (admittedly from a different direction) This bothers me. There is no way to tell for sure but it certainly seems possible that this is a coordinated action. I would love to see someone look into who the lawyers are in the class action that Ray mentions. Are they associated with the Record Industry? If they are, at the very least this is distasteful and a further example of how they are being bullies.

It is a shame that the recording industry continues to harass its most dedicated and innovative customers. If these "advocacy" organizations did their job properly then the industry's companies would see their profit margins expanding exponentially along with the growth of the Internet. Instead they choose to sue and hide their heads in the sand. This is causing them to lose a lot of money.

The thing I was really stoked on was that the founder of Kazaa has set his eyes on another venue. It should be interesting to see what happens.

RFID Guardian

Pretty nifty project

Not sure if this is possible given the inherent issues in the process itself.

10 December, 2006

Bayesian Math

Pretty good article on what makes many of the current filters tick. Many people spout it out; this will help you understand it.

09 December, 2006

RIAA Class Action

This isn't the class action I was thinking about here.

Shame

Especially since he just started this and settled with the RIAA.

I wonder if this is being manipulated behind the curtain.

08 December, 2006

If you're a real geek - SF

Check out this site.

Polonium - More on the Assassination

Digg This

This is getting disturbing

Like I said in my rant earlier this stuff is not easy to get ahold of at least not in the quantities we keep seeing. It is certainly possible that one contaminated individual spread it to all of these places. It is even likely that the reason that they are keeping the "witness" away for a bit is because they are worried that he is contaminated and it will be somehow detectable. (it would have to be a lot for an Alpha emitter to be detectable and just sloughing off to be swiped later).

According to information leaked from the post-mortem examination, Litvinenko died from a dose that could cost 30 million euros. This seems a bit too rich for a murder. - This seems to actually be a very reasonable dosage estimate to me considering the rapid onset and the total bodily system collapse he had. To lose his hair from an alpha emitter in just a week would take a huge amount (radiologically speaking).

To get this level of cross contamination of detectable levels of Polonium would take a nation's involvement or some heavy duty terrorist type organization. The quantities would have to be huge (in terms of activity, not mass or volume). To head off the normal anti-US conspiracy buffs (idiots), the US (and all of the Western nations) tracks its contamination sources very well. There would be an easy to locate paper trail.

I don't usually get into politics on this blog or conspiracy but the radiological angle makes this one interesting to me.

and suggested that if a Russian intelligence agency had wanted to kill him, it would have been foolish to use polonium because its source could probably be traced. - The last part of this is partially true. Normally isotopes have a "fingerprint" that can be used to trace their origins. Polonium though makes this more difficult because its final decay product is stable. If it is pure enough it probably couldn't be tracked and the minuscule amounts would make it even harder.

I think the Russian government is the obvious suspect but people should also be worried about his possible Chechen connections. I normally debunk the dirty bomb junk I hear but his possible connections to some radical elements (on both sides of the equation) and the presence of this much hard to obtain radioactive substance has me scratching my head.

I hope some really good people are chasing down all of the possible threads on this one because some of the potential implications are pretty scary.

In any case this was clearly all just off topic speculation. Interesting speculation but still just guess work.

Digg This

SCADA It's not just about your power anymore

An automated garage.

This reminded me of this Wired Article from August.

The moral?

It isn't just hackers you need to worry about when automating functions.

07 December, 2006

Multi Fuel Rotary

I always liked Rotaries

I like the cars they are in a bit more.

Some Sensor Descriptions

Sensors

Pressure Switch
A pressure switch trips at a certain predefined pressure. Its output is either on or off. They are used as warning devices for valve leakage, as integrated control sensors and as notification mechanisms for exceeding thresholds.

There are many different forms of pressure switches. The oldest is a simple spring resisted bellows that activates a physical switch when the spring tension is overcome.

Pressure Bellows

A pressure bellows is used to measure a range of pressures with a certain level of granularity. They are used in meteorological equipment, to measure liquid levels in tanks and gas or liquid pressures in pipelines and storage facilities.

A pressure sensor has a bellows which compresses or expands in response to an outside pressure. The movement of the bellows typically moves a transformer core and alters its electrical coupling. This signal is converted from an analog current or voltage measurement into a digital signal and fed to the PLC or RTU. In some cases the PLC/RTU is integrated into the sensor itself in others it simply receives the output in a known format.

Thermocouple

Thermocouples measure temperature and convert it into a voltage variance. They are used to monitor temperature remotely.
Thermocouples work by taking advantage of the differing electrical conductivity values of two dissimilar metals in contact with each other. Because different metals have a different electrical response at different temperatures they will form a potential difference at their junction point. This potential difference is measured. The voltage variance indicates the difference in temperature between the voltage measuring point and the temperature at the point where the dissimilar metals connect. Knowing these points of information allows the calculation of the temperature at the measuring point.

Valve Position Indicator

The simplest valve position indicator is a switch that is activated when the valve stem reaches a specific position. One switch is used for fully open and one for fully closed.

Repositioning of a transformer core is used in some implementations and activation of a traveling linked rheostat is used in others. These implementations can provide readings indicating a percentage of how open or closed a valve is. This is essential where the valve is used to throttle flow rate.

Fluid Flow Rate

Fluid flow rate is usually measured using a Bernoulli gauge. For a given volume of flow, in a path with a smaller cross-sectional diameter the pressure of a fluid will increase. By measuring the pressure at both the smaller cross section and the larger cross section, and knowing the temperature and density of the fluid, it is possible to calculate the flow rate.
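The two-pressure calculation above carried through, as an added example that is not part of the post. It is the standard Venturi form of Bernoulli plus continuity, with the throat (the narrow section) as the low-pressure tap: Q = Cd * A2 * sqrt(2 * (p1 - p2) / (rho * (1 - (A2/A1)^2))). The pipe diameters, fluid density and pressures are constructed sample numbers. It also includes the inverse calculation, which is the piece a monitoring person actually wants: given the flow value a historian reports and the raw differential-pressure reading, do the two agree?

```python
"""Added example (not from the post): flow rate from a differential-pressure (Venturi) meter,
plus a cross-check of a reported flow against the raw DP reading. Sample numbers are constructed."""
import math


def area(diameter_m):
    """Cross-sectional area of a circular pipe section, in square metres."""
    return math.pi * diameter_m ** 2 / 4.0


def venturi_flow_rate(p_upstream_pa, p_throat_pa, d_upstream_m, d_throat_m,
                      density_kg_m3, discharge_coeff=1.0):
    """Volumetric flow rate (m^3/s) from the pressure drop between the wide section and the throat.

    Q = Cd * A2 * sqrt( 2*(p1 - p2) / (rho * (1 - (A2/A1)^2)) )
    Cd (discharge coefficient) defaults to 1.0 for the ideal, frictionless case.
    """
    if d_throat_m >= d_upstream_m:
        raise ValueError("throat must be narrower than the upstream section")
    dp = p_upstream_pa - p_throat_pa
    if dp < 0:
        # In a Venturi the throat runs at lower pressure; a negative DP means the taps are
        # swapped, the flow has reversed, or a transmitter is lying.
        raise ValueError("negative differential pressure: check tap order / flow direction")
    a1, a2 = area(d_upstream_m), area(d_throat_m)
    beta4 = (a2 / a1) ** 2
    return discharge_coeff * a2 * math.sqrt(2.0 * dp / (density_kg_m3 * (1.0 - beta4)))


def expected_differential(q_m3_s, d_upstream_m, d_throat_m, density_kg_m3):
    """Inverse: the DP (Pa) a healthy meter should report for a given flow."""
    a1, a2 = area(d_upstream_m), area(d_throat_m)
    v_throat = q_m3_s / a2
    return 0.5 * density_kg_m3 * v_throat ** 2 * (1.0 - (a2 / a1) ** 2)


def mass_flow_rate(q_m3_s, density_kg_m3):
    """Mass flow (kg/s); density is where the fluid temperature enters the calculation."""
    return q_m3_s * density_kg_m3


def reading_is_consistent(q_reported, dp_measured_pa, d_upstream_m, d_throat_m,
                          density_kg_m3, tolerance=0.05):
    """True when the flow a historian reports agrees with the raw DP transmitter within tolerance.

    Useful as a sanity check between two independently recorded values for the same meter.
    """
    expected = expected_differential(q_reported, d_upstream_m, d_throat_m, density_kg_m3)
    if expected == 0:
        return dp_measured_pa == 0
    return abs(dp_measured_pa - expected) / expected <= tolerance


if __name__ == "__main__":
    # Constructed sample: 100 mm pipe, 50 mm throat, water at 1000 kg/m^3, 10 kPa drop.
    q = venturi_flow_rate(110_000.0, 100_000.0, 0.10, 0.05, 1000.0)
    print(f"Q = {q:.6f} m^3/s, mass flow = {mass_flow_rate(q, 1000.0):.3f} kg/s")
    print("historian value plausible:", reading_is_consistent(q, 10_000.0, 0.10, 0.05, 1000.0))
```

For the constructed sample the flow comes out near 0.00907 m^3/s (about 9 kg/s of water), and feeding that back through `expected_differential` recovers the 10 kPa drop, which is the round trip the consistency check relies on.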

I did this off the top of my head then realized
A lot of good stuff on Wiki

Welcome to my Nightmare

Good post over at Waltboyes about some of the current issues.

He ends it with welcome to my nightmare.

Ernie is a good guy and that would have been a fun round table to be at.

As I've mentioned before Invensys is one of the companies that "Get it".

But there is still a long way to go.

Brighter side of messing up - sort of

It is amazing how much attention (read traffic and email) you get when you mess up.

And to think I wanted today's threads to be about the Living Internet Meme

and Mike Rothman's Terminator post.

Boneheaded Mistake

I made a boneheaded mistake by making a statement with too little data on my PVS post. I have corrected it on the blog but the feed will still be wrong for some people.

No Excuses

You can read the corrected and updated post here.

Passive Vulnerability Scanning - SCADA

I stand behind the rest of the items on the post.

Passive Vulnerability Scanning (PVS) - SCADA

Update:
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the Post. Once more N-Circle does not offer PVS. Tenable does and Mu is sort of a variant.

Ok I have confession to make.

I have been ignoring an entire dimension of the SCADA scanning discussion.

I have ignored it for two reasons.

1. It just isn't that fun because it doesn't generate as much of a conundrum to argue about.
2. The thread started with a discussion of active and I wanted to stress the overall importance of scanning vs not, even if it means some risk.

Passive Vulnerability Scanning (PVS) is essentially sniffing network traffic and using known characteristics to identify systems that are likely to have vulnerabilities.

The gurus will probably jump all over me here but it is basically matching network traffic signatures to likely OS's, patch levels, and applications and then linking that data to vulnerability information.

It isn't that new. I was following some Snort items similar to this a few years ago. They were comparing the Snort rule hits against known characteristics from a variant of NMAP's fingerprints (or maybe it was QUESO... whatever) and using that to passively identify OS and patch level.

The key here (and why it is germane to the SCADA Scanning discussion) is that passive vulnerability detection does not require you to touch the vulnerable system at all. This means that there is no realistic chance of causing a problem on it. You set up a mirror port and sniff the traffic. That is the only impact to the PCN.

Let's be clear here there are some weaknesses to doing it this way.

  • You only see systems whose traffic passes the monitored port so you can miss a lot depending on where you locate the sniff point.
  • There is only so much data you can acquire about a system based on watching its traffic and not interacting with it (though admittedly this is a surprisingly large amount).
  • It will have false positives (though there are mechanisms to weed those out)
  • It is not nearly as effective at identifying and verifying actual vulnerabilities.
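A toy version of the matching described above, added here as an example and not the post's own code nor any vendor's product. It works from nothing but SYN attributes a sniffer on a mirror port would see (observed TTL, window size, option order), rounds the TTL up to its likely initial value, matches against a signature table, and only reports a host after several packets agree, which is one of the simple mechanisms for weeding out false positives mentioned in the list. The observations, the window/option values in the signature table, and the advisory identifiers are all constructed; only the 64 and 128 initial TTLs are real conventions.

```python
"""Added example (not the post's or any vendor's code): a toy passive OS fingerprinter that
links a guessed platform to vulnerability information. All packet data, signature values
and advisory IDs are constructed placeholders."""
from collections import Counter, defaultdict

# Constructed SYN observations as a mirror-port sniffer might summarize them.
OBSERVED_SYNS = [
    {"src": "10.1.0.5", "ttl": 121, "window": 16384, "options": "mss,nop,nop,sack"},
    {"src": "10.1.0.5", "ttl": 122, "window": 16384, "options": "mss,nop,nop,sack"},
    {"src": "10.1.0.5", "ttl": 121, "window": 16384, "options": "mss,nop,nop,sack"},
    {"src": "10.1.0.9", "ttl": 58, "window": 5840, "options": "mss,sack,ts,nop,wscale"},
    {"src": "10.1.0.9", "ttl": 58, "window": 5840, "options": "mss,sack,ts,nop,wscale"},
    {"src": "10.1.0.20", "ttl": 58, "window": 5840, "options": "mss,sack,ts,nop,wscale"},  # single packet
    {"src": "10.1.0.33", "ttl": 250, "window": 4096, "options": "mss"},                     # no signature
    {"src": "10.1.0.40", "ttl": 120, "window": 65535, "options": "mss"},                    # TTL-only match
    {"src": "10.1.0.40", "ttl": 120, "window": 65535, "options": "mss"},
]

# Constructed signature table: (initial_ttl, window, options) -> platform label.
# Initial TTLs of 64 (Linux/BSD family) and 128 (Windows family) are the well-known
# conventions; the window and option values here are illustrative only.
SIGNATURES = {
    (128, 16384, "mss,nop,nop,sack"): "windows-legacy-family",
    (64, 5840, "mss,sack,ts,nop,wscale"): "linux-2.4/2.6-family",
}

# Constructed link from platform label to advisory identifiers (placeholders, not real IDs).
ADVISORIES = {
    "windows-legacy-family": ["ADV-PLACEHOLDER-001", "ADV-PLACEHOLDER-002"],
    "linux-2.4/2.6-family": ["ADV-PLACEHOLDER-003"],
}


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255)."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def classify(syn):
    """Return (label, confidence): full match -> 'high', unique TTL-only match -> 'low', else (None, None)."""
    key = (initial_ttl(syn["ttl"]), syn["window"], syn["options"])
    if key in SIGNATURES:
        return SIGNATURES[key], "high"
    ttl_only = {label for (ttl, _, _), label in SIGNATURES.items() if ttl == key[0]}
    if len(ttl_only) == 1:
        return next(iter(ttl_only)), "low"
    return None, None


def fingerprint_hosts(syns, min_packets=2):
    """Aggregate per source; report a platform only when min_packets observations agree on it."""
    votes = defaultdict(Counter)
    for syn in syns:
        label, confidence = classify(syn)
        if label:
            votes[syn["src"]][(label, confidence)] += 1
    report = {}
    for src, counter in votes.items():
        (label, confidence), n = counter.most_common(1)[0]
        if n >= min_packets:
            report[src] = {"platform": label, "confidence": confidence, "packets": n,
                           "advisories": ADVISORIES.get(label, [])}
    return report


if __name__ == "__main__":
    for src, info in sorted(fingerprint_hosts(OBSERVED_SYNS).items()):
        print(src, info)
```

On the constructed data 10.1.0.5 and 10.1.0.9 are reported with high confidence, 10.1.0.40 only as a low-confidence TTL match, 10.1.0.20 is held back because a single packet is not enough to vote, and 10.1.0.33 is not reported at all. None of this touched any of the hosts, which is the whole point of the passive approach.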

But it is nearly risk free.

If you work in a shop that realistically has no chance of using a scan to identify your weaknesses this is a very good option.

It is also a good option as a preliminary investigation method before doing more intrusive actions.

Those actions still need to happen (as a matter of fact they probably already are without your knowledge) but this can buffer both the political and real risk.

There are a couple of companies doing this and I have already mentioned three.

N-Circle has been doing PVS for a while and integrates it neatly with the ability to match it against what active attacks are occurring. - Not True

Both MUSecurity and Tenable are developing signatures specific to SCADA.

The differentiators in this field are likely to be the quality and quantity of the matching, the collation of their library to your specific needs, and ease of monitoring/management.

Tenable probably has a lead in the SCADA side of this because of their engagement with Dale at Digitalbond but N-Circle is leading overall. - I'll stand by the first statement; I was flat out wrong on the second

Update:
I made a huge mistake in this post. N-Circle does not offer passive vulnerability scanning. Instead of changing the content (which I don't believe in for other than minor spelling and grammatical items) I am leaving this at both ends of the Post. Once more N-Circle does not offer PVS. Tenable does and Mu is sort of a variant.

06 December, 2006

Mike is worried about the Terminator

Digg This

He quotes Hawking's virus statement.

There is already another form of life we have created and it isn't that bad. It consumes resources, reacts to stimuli, replicates, it facilitates maintenance of its environment, it's organized, it even forms symbiotic relationships... with us.

With SCADA it even has a direct effect. With items like Google it might even be developing some basic self awareness.

It is about as smart as a mouse now but getting smarter.

I don't see why it would turn on its white blood cells.

I would love it if someone could get this post to Stephen. If everyone spreads the link perhaps he will. It would be interesting to hear what he thinks.

A bit of outside the box but fun thinking.

Cheapskate Customers

Nice Scobleizer post on whether cheapskates make good first customers.

This reminded me of a conversation with Scott Blake one of my former CISO's.

He proved to me that even though I saved a couple of bucks a week in gas on my daily hour in each direction by driving 10 mph slower it wasn't worth it in lost time and productivity. Overall it was better for the environment for me to be more efficient.

I am a hybrid driving eco hippie but I still follow his advice.

(I suppose if I was a real hippie I would ride my bike to work or for that matter wouldn't live so far but I am not that crazy and no one can find a decent paying job in Maine right now)

Perhaps I'll do the veggie-diesel thing. Or This

A friend of mine at work drives one and it seems to work fine for him. Saves him a bit on fuel.

And yes I have worked for a paper company, oil company, and run a nuclear reactor and still consider myself eco-friendly. I've done more to improve the environment than ten dumpster diving brainwashed bozos.

The Race is on - SCADA Security PDF

Another SCADA Security PDF

By Steven Smith

I don't recognize the name but it's not too bad of a paper. It looks like he has been doing this for a bit so we might have met and I just don't remember. Quotes from a number of good documents but some detritus as well. It won't break much new ground but it is good solid research. He quotes Eric (from ByresSecurity) a lot which of course makes me happy.

It is nice to see the meme spreading.

Feel free to drop a comment or an Email Steven if you ever read this post. We might have some friends in common.

Update:

Duh Now I know him he wrote the DSP Book. Should have realized sooner.

Malware Winning

Or at least more profitable than AV

Disturbing

Update:

In comments Ross says

"The premise of the article is flawed; by analogy it would be similar to saying law enforcement is losing the war with robbers because the annual amount of stuff stolen is greater than the lock industry's revenue. "

He is right of course. To be honest this was a bit of a slacker post. I'd say it was below my standard but hey you live with what you do right. In any case the article still had some interesting tidbits even if the conclusion is wrong.

Google Data - Google Desktop - Scanning SCADA

Digg This

There has been a fair amount of traffic regarding the security issues of applications like the Google desktop on the IT side in the last several months.

Within the ACS SCADA world (Update to fix spelling) you should consider the implications of the desktops but also the Google appliances. These devices are being installed by many organizations to simplify everything from Intranet Website development to E-discovery. Like most Google products they are very good at what they do.

The thing to keep in mind with them is that they are web crawlers on steroids. They don't just hit HTTP; they also chase down many other file sharing and transfer mechanisms. Look at the databases they crawl as well. They will find Windows shares. They follow links and scan address ranges to index and cache data. They can be configured to limit the extent of the crawl, but in many cases this is done haphazardly.

Many PLCs have HTTP interfaces now and all of the Historians I know about have some flavor of DB.
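An added example, not from the original post: a small audit that checks an appliance's crawl-scope patterns against the address ranges where your PLC web interfaces and historian databases live. It assumes the scope is expressed as URL-prefix patterns plus "regexp:" patterns (an assumption about the format, not a statement about any vendor's product); the sample ranges and patterns are constructed.

```python
"""Audit crawl-scope patterns against control-system address ranges.

Assumptions (not appliance facts): the scope is a list of URL-prefix
patterns such as "http://intranet.example/" or "http://10.20.3.4/"; a
pattern with no host ("http://") is unbounded; patterns beginning with
"regexp:" are free-form and need a human to look at them.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: ranges holding PLC HTTP interfaces and historian DBs
# that the crawler must never touch.
CONTROL_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def pattern_host(pattern):
    """Return the host part of a URL-prefix pattern, or None if unbounded."""
    return urlsplit(pattern).hostname or None


def audit_crawl_scope(follow_patterns, control_nets=CONTROL_NETS):
    """Return (pattern, reason) pairs for patterns that could reach a
    control network. An empty list means the scope looks bounded."""
    findings = []
    for pat in follow_patterns:
        if pat.startswith("regexp:"):
            findings.append((pat, "regexp pattern: review scope manually"))
            continue
        host = pattern_host(pat)
        if host is None:
            findings.append((pat, "no host: crawls every reachable address"))
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname-based pattern; no IP range to compare
        for net in control_nets:
            if addr in net:
                findings.append((pat, f"host {addr} is inside {net}"))
    return findings


if __name__ == "__main__":
    for pat, why in audit_crawl_scope(["http://10.20.3.4/plc/", "http://"]):
        print(f"FLAG {pat}: {why}")
```

Hostname-based patterns that resolve into a control range are not caught here; resolving them is a second pass once you have DNS access.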

This takes on particular concern when placed in context of our recent discussions on the possible impacts of scanning.

Scanning Vs Not Scanning

More Scanning - Be careful

Ramifications of Scanning

and keep this in mind when considering what Securosis had to say.

The good news is that the vendors are getting better at designing these interfaces to be resilient.

Digg This

Bittorrent - and true virtualization - Crazy Idea?

Yesterday in my MPAA post I was a bit harsh on Bittorrent.

A number of religious adherents jumped to its defense.

My reply was basically: yes, it can be used for good, and a tool is not in and of itself evil, but let's be honest, it usually is insecure and used for less than reputable things.

They do have some good backing. They managed to Raise Money.

This is probably because they do have very innovative mechanisms of transferring data.

Something that I think would be interesting to see is a combination of Grid computing with file storage and transfer mechanisms wrapped with security layers that are easy for the end user to configure and easy for the user of the grid to use to protect their data.

05 December, 2006

Amrit says

"someone loves you"

I say "The Stupid shall be punished."

Eventually anyways

MPAA - Commits Fraud to catch "petty theft"?

Digg This

A recent Wired Article sheds some light on the mechanisms the MPAA (and probably RIAA) uses to gain information on ISP customers.

If I were a lawyer defending people accused of trading songs I would ask questions as to how exactly they obtained the IP addresses and MAC addresses and then, most importantly, linked them to individuals. From a technical standpoint these items are notoriously inaccurate, with changing processes and different mechanisms between providers. It is not that it cannot be done properly, but if false pretenses are used to develop the data then the chance of error is much higher.

Of course most of the people being sued by these two organizations can't afford a lawyer.

So they are essentially assumed guilty and the evidence used to accuse them is obtained by at the very least questionable practices. Possibly illegal ones.

Let me be clear here. I strongly support the rights of people or organizations to choose what they do with data they own. If they want to lock their songs and movies down so tight that no one can reasonably watch or listen to them then I support their right to do so. I have not and will not steal music. I won't let my children do it and have taken steps to make it hard for my 13 year old to even try. I basically think that anyone who installs BitTorrent, Limewire or any of the other p2p products on their home computer is essentially insane and asking for a problem of some sort.

Update in Comments on the "insane" statement.

If companies want to use legitimate tactics to track down people illegally profiting on their intellectual property then I support and would even help them.

If these companies want to irrationally impede even legitimate access to a product that they make money on by trying to get as wide a paying view as possible then more power to them.

but

They will go out of business in the long run. That too is their right.

I would, however, like to know how much money the RIAA and MPAA make on these essentially indefensible lawsuits. How much gets passed to the members? Any?

If I was a member of one of these organizations I would be asking why it is good for an organization that I pay to advocate for me to be suing my best customers and generating such consistently bad publicity.

I would also ask them how employing questionable or outright fraudulent activities has helped reduce my declining market share and profits. Activities that only recently resulted in the ouster of the CEO of a major tech company and a shake up of its Board.

Once more, for legitimate and warranted investigations I have no problem with this. It isn't hacking or fraud if you go to a company with a warrant or evidence in hand. In the long run poor decisions and tactics hinder legitimate investigations. Real hacking and fraud are bad and usually illegal (the law is often one step behind) and should be treated as such by every reputable organization. If HP didn't teach that I don't know what will.

I saw some motion for establishing a class action against these organizations based on their methods. It would seem to me that there is a growing class of individuals out there that has lost a good deal of money based in part on deceptive and possibly illegal practices. I wonder if this would help or hinder that from occurring? Any Lawyers want to educate me?

This is a continued off topic rant from here

and from Rich here

Digg This

Fact #4 - Bad Guys Know

The Bad Guys Know
List of Facts

The bad guys are now realizing that there is something here.

When I first wrote this fact more than 2 years ago it was new. Now I don't know how anyone could deny it. They have found SCADA plans with terrorists. In case you think this is a new phenomenon that is only occurring because of the current hype, it was talked about back in 2002 with reconnaissance to back it up then and even before.

For some reason I keep running into people who say we shouldn't talk so loud about it.

Well two replies to that.

Worms and malware don't care what I say.
The real bad guys have known for years.

If you are involved in engineering control systems and you are not already developing a layered approach to security you will have a problem sooner or later. You might put it off by delaying getting scans to see how well you stand up or by stating that "we don't connect our SCADA systems to the IT network" but if you have IP connected systems (and more and more organizations do) sooner or later you'll deal with it.

It is best to deal with it in a controlled environment.

DRM and How Music Makes Money

Rich has a good music post over at Securosis

The infrastructure that was necessary for distribution of music is essentially gone now. There was the typical flopping associated with the realization of the demise but in the long run the music companies can only hold off reality for so long.

There are great ways for them to make money still though. Apple has proven this with the iPod, though I would say it is at a hybrid stage. In order for it to fully mature they need to realize that people should be able to choose their hardware. This is a similar mistake to the one they made with the Mac long ago.

The other thing to remember is that smart marketing still works. As a matter of fact it works better now than ever. A good marketing campaign could drive a premium on the cost of songs even in a relatively free environment.

Here is a model (certainly not the model though)

Company XYZ offers songs for sale via MP3 or other. Even DRM could be OK if someone could figure out an easy way to make it portable.

Three price points. (Let the prices float some to meet the market and optimise for profit.)

$.25 for older songs, Recovered songs (get to this in a bit), and lesser known artists.

$1.00 for standard run and first purchase songs.

$3+ for premium content.

Find similar balances with some discounts for entire albums (or ensembles since you are not limited to songs)

Company XYZ tracks everything the customer purchases (OK a bit big brother but the customer does have a choice and this will be a service)

If the customer wants to make additional purchases of the same songs (because he lost his player, or forgot to backup, or just wants duplicates, or whatever else) he gets the lower price.

The key here is easy. People will ask why anyone would ever choose to repurchase. My guess is that everyone reading this has lost dozens, perhaps thousands, of files (music or otherwise) over the years. The question is: would you pay pennies on the dollar to recover all of them (or most of them) with one click? If it is cheaper and easier to recover with a service like this, why bother taking the time to manually back up? This would probably happen more than once a year for many (non tech savvy) people.

It is an additional revenue stream.

Marketing pushes the premium content.

Anyone who has seen my weekend posts knows I like watching Yahoo videos (which are pretty close to free; you just have to sit through the ads).

My nerdy post is one of my most hit posts. (Not sure what this says about me or my readers. Sorry guys)

This and the cheap music iPod are two relative successes. The vendors need to let go of some of their inherent prejudices and learn from the items that have made these a success.


From Rich
"Today it takes bands with an “installed base”, like BNL, to start cutting the cord. But MySpace and other sites show that our reliance on traditional sources for new music could easily decline."

This is absolutely true. Not only can it decline but it will and is already. If the big music companies don't wise up they will end up in an irreversible downward spiral.

People want a cheap, legal, easy and convenient way to get their entertainment. The big companies that leverage their marketing, existing content and talent to give people the easiest legal solution will make a fortune even if they charge next to nothing (especially if they charge next to nothing). The others will just go out of business.

ATM Hack

This post is interesting.

Original Story

Pretty good overview for a tech article in a normal Non-tech venue.

ATMs share quite a bit in common with ACS, though I would hope they are in better shape from a security perspective.

They are often older tech. They are more difficult to update than other systems might be. Actual physical security is a mixture of both better and worse than typical IT systems. They are certainly closely watched but are often in an area where the actual owner has little control over the environment.

I am not an expert in these systems but would be interested in hearing from one.

04 December, 2006

Why I'm glad I wasn't an ELT or in A-gang

San Diving

One of the other RC div guys did drop a TLD down one though. He got to join the search.

The Speed of Meme

How Fast does a meme cross the internet?

ABB Paper

Old but good ABB paper on Security

Well not that old.

I forgot about the Train switching worm

Cell Phone bugging

Pretty decent post on using cell phones as bugs. Or rather, how to notice if it is happening.

The key is that for some phones it is possible to dial to them and turn them on without letting them ring. There are a lot of different ways to do it. In most cases (but not all) you have to have physical access to the device at least once.

Mike Larsen did some stuff on this back in the 90s. I dug it up on packetstorm this weekend.

My last gig was a major oil company. I spent a bit of time working with a few people in legal and acquisitions explaining this exact issue to them. Not because I was pushing it but because on more than one occasion it was run into. Always when overseas visiting a more ... let's say intrusive government. Actually several different countries.

It is more widespread than you might think. We caught it a few times usually when the other side was sloppy.