Information Security News
When infosec people perform intrusion detection, they usually look for attacks such as port scans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL Heartbleed vulnerability? The following is the Snort alert for this vulnerability, taken from the Snort community rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:5;)
When you perform inline detection within electrical SCADA networks, latency is a big issue. That means you need to fully optimize the number of checks so that latency does not increase by more than 3 ms. We also need to cover threats other than malware, exploits and buffer overflows. In this diary I will detail some specific SCADA protocol packets that could be malicious traffic and cause terrible consequences to the process infrastructure. Today I will detail malicious packets from the DNP3 protocol.
The following text details DNP3 packet structure:
Source: Practical Industrial Data Communications
The following DNP3 functions could be used in a malicious way:
1. DNP3 Warm Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a partial restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. A typical DNP3 Warm Restart packet looks like the following:
The following filter recognizes these packets:
alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0E|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Warm Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)
2. DNP3 Cold Restart: When the outstation receives this packet and recognizes that it comes from the master, it performs a full restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. The packet looks the same as the previous one with one small change: counting three bytes back from the end of the packet, change 0E (DNP3 Warm Restart) to 0D (DNP3 Cold Restart). The following filter recognizes these packets:
alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0D|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Cold Restart From Authorized Client"; classtype:attempted-dos; sid:1111113; rev:1; priority:2;)
3. DNP3 Time Change: When this packet is received, the IED or RTU can change its internal clock, so commands received with a specific timestamp won't be executed and log entries will be recorded at the wrong times, so the operator can't see them in real time. A typical DNP3 Time Change packet looks like the following:
Wireshark can't fully filter these packets, so the following tcpdump filter is provided: ip=2 and ip=0x32 and ip=1
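The three checks above (function code at TCP payload offset 12, and for the time change the g50v1 object header that follows it) can be expressed as one small classifier, with a per-source rate counter that mirrors the Snort detection_filter used in the Heartbleed rule. This is an added example, not code from the diary; the DIR-bit check on the link control octet, the zero CRC placeholders and the sample frames are my own assumptions.

```python
# Added example: classify DNP3 requests and rate-limit restart requests per source.
from collections import defaultdict, deque

DNP3_START = b"\x05\x64"
FC_WRITE, FC_COLD_RESTART, FC_WARM_RESTART = 0x02, 0x0D, 0x0E
TIME_GROUP, TIME_VARIATION = 0x32, 0x01      # g50v1: absolute time object
DIR_FROM_MASTER = 0x80                       # DIR bit of the link control octet (assumption)

def classify_request(payload: bytes):
    """Label a DNP3-over-TCP request: 'warm-restart', 'cold-restart', 'time-change' or None.
    Layout: 10-byte link header (start, len, ctrl, dst, src, CRC), 1 transport octet,
    1 application control octet, then the function code at offset 12 (the offset the
    Snort rules above match on). A write (0x02) whose first object is g50v1 is a time change."""
    if len(payload) < 13 or payload[:2] != DNP3_START:
        return None
    if not (payload[3] & DIR_FROM_MASTER):   # not master-originated: ignore
        return None
    func = payload[12]
    if func == FC_WARM_RESTART:
        return "warm-restart"
    if func == FC_COLD_RESTART:
        return "cold-restart"
    if (func == FC_WRITE and len(payload) >= 15
            and payload[13] == TIME_GROUP and payload[14] == TIME_VARIATION):
        return "time-change"
    return None

class RestartRateMonitor:
    """Alert once a source has sent `count` restart requests within `seconds`
    (the same idea as Snort's detection_filter: track by_src, count N, seconds M)."""
    def __init__(self, count=3, seconds=1.0):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)       # src_ip -> timestamps in the window

    def observe(self, src_ip, ts, payload):
        label = classify_request(payload)
        if label not in ("warm-restart", "cold-restart"):
            return None
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.count:
            return f"SCADA_IDS: DNP3 {label} flood from {src_ip} ({len(q)} in {self.seconds}s)"
        return None

def build_request(func, objects=b""):
    """Constructed sample frame for testing; CRC bytes are zero placeholders, not computed."""
    user = bytes([0xC0, 0xC0, func]) + objects   # transport (FIR|FIN), app ctrl, function
    link = bytes([0xC4, 0x01, 0x00, 0x02, 0x00])  # ctrl DIR|PRM|4, dst 1, src 2
    return DNP3_START + bytes([5 + len(user)]) + link + b"\x00\x00" + user
```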
SCADA Information Security is different from the regular IT information security practices. We need to cover the specific vectors to improve the security level of the associated industrial process.
The heavily marketed fingerprint sensor in Samsung's new Galaxy S5 smartphone has been defeated by whitehat hackers who were able to gain unfettered access to a PayPal account linked to the handset.
The hack, by researchers at Germany's Security Research Labs, is the latest to show the drawbacks of using fingerprints, iris scans, and other physical characteristics to authenticate an owner's identity to a computing device. While advocates promote biometrics as a safer and easier alternative to passwords, that information is leaked every time a person shops, rides a bus, or eats at a restaurant, giving attackers plenty of opportunity to steal and reuse it. This new exploit comes seven months after a separate team of whitehat hackers bypassed Apple's Touch ID fingerprint scanner less than 48 hours after it first became available.
"We expected we'd be able to spoof the S5's Finger Scanner, but I hoped it would at least be a challenge," Ben Schlabs, a researcher at SRLabs, wrote in an e-mail to Ars. "The S5 Finger Scanner feature offers nothing new except—because of the way it is implemented in this Android device—slightly higher risk than that already posed by previous devices."
Becrypt unveils latest innovative Secure Mobility solution at InfoSec Europe ...
SourceWire (press release)
London, UK, 15 April, 2014 – Becrypt will be demonstrating tVolution Mini, the latest addition to its range of innovative secure mobility solutions at InfoSec Europe. tVolution Mini is a secure miniature computer the size of a credit card which plugs ...
Posted by InfoSec News on Apr 15: http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/
Posted by InfoSec News on Apr 15: http://www.dailymail.co.uk/news/article-2604805/Cosmetic-surgeons-targeted-hackers-personal-details-500-000-people-enquiries-clinic-stolen.html
Posted by InfoSec News on Apr 15: http://www.wired.com/2014/04/tails/
Posted by InfoSec News on Apr 15: http://www.nextgov.com/cybersecurity/2014/04/cyber-warrior-training-no-easy-task/82498/
Posted by InfoSec News on Apr 15: http://healthitsecurity.com/2014/04/14/hipaa-security-risk-assessment-tool-small-provider-needs/