
A December outage in Ukraine that caused 225,000 customers to lose electricity was the work of hackers, a report prepared by US Department of Homeland Security officials has determined.

The report published Thursday by the DHS Industrial Control Systems Cyber Emergency Response Team largely agrees with analysis provided last month by a member of the SANS industrial control systems team—that the December 23 outage was caused by external hackers. As Ars reported earlier, the unscheduled interruptions are the first confirmed instance of someone using hacking to generate a power outage.

None of the analysis so far has determined the precise role played by "BlackEnergy," a malware package discovered in 2007 that infected at least three of the substations involved in the outage. While initial research speculated that BlackEnergy and an added data-wiping component called KillDisk may have given attackers access or allowed them to carry out destructive events causing the power to go out, the DHS report holds out the possibility that the two pieces of malware were used only after the outage in an attempt either to destroy evidence or make recovery more difficult.



If you think that only computers running Microsoft Windows are targeted by attackers, you're wrong! UNIX (used here as a generic term, not focusing on a specific distribution or brand) is a key operating system on the Internet. Many websites and other public services rely on it (Netcraft compiles interesting stats on this topic).

Therefore it is mandatory to keep an eye on your servers by using proactive and reactive controls. Besides the classic monitoring of log files, reactive security controls may include a deeper check at the operating system level to look for suspicious activity (processes, files, ...). On the proactive side, misconfigurations must also be tracked.

A few days ago, Daniel Cid published an interesting article about the tool rootcheck. It is a component of the well-known OSSEC suite, but a stand-alone version exists. To use it, just follow these steps:

# wget http://dcid.me/ossec-packages/rootcheck-latest.tar.gz
# tar xzvf rootcheck-latest.tar.gz
# cd rootcheck*
# ./install.sh

The rules used by rootcheck live in the db directory:

# ls -1 db
cis_debian_linux_rcl.txt
cis_rhel5_linux_rcl.txt
cis_rhel_linux_rcl.txt
rootkit_files.txt
rootkit_trojans.txt
system_audit_rcl.txt
win_applications_rcl.txt
win_audit_rcl.txt

The provided files are good enough to write your own custom rules. rootcheck works quite well but does not test the hardening level of your UNIX host. It's also a binary. There are two ways to use it: you must pre-compile all versions depending on your UNIX flavors (*BSD, Linux, Solaris, ...)

But there is another tool that I like: Lynis. It is an auditing tool which is compatible with many UNIX flavors and it does not require

# wget https://cisofy.com/files/lynis-2.1.1.tar.gz
# tar xzvf lynis-2.1.1.tar.gz
or (to get the latest code)
# git clone https://github.com/CISOfy/lynis
# cd lynis
# ./lynis audit system

By default, the scan runs in interactive mode and displays colored output. But you can automate stuff and customize the tests performed. Here is a (brief) summary of the tests performed:

- File
- Standard daemons settings

Here are small extracts of a generated report:

[08:57:29] Test: Checking PermitRootLogin in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin found in /etc/ssh/sshd_config
[08:57:29] Result: Option PermitRootLogin value is WITHOUT-PASSWORD
[08:57:29] Result: SSH option PermitRootLogin is configured reasonably
[08:57:29] Suggestion: Consider hardening of SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD -- NO)] [solution:-]
[08:57:29] Hardening: assigned 1 hardening points (max for this item: 3), current: 98, total: 154
...
[08:57:30] Performing test ID LOGG-2190 (Checking deleted files in file table)
[08:57:30] Test: checking deleted files but are still in use
[08:57:30] Result: found one or more files which are deleted, but still in use
[08:57:30] Found deleted file: /tmp/tmpfHXNnZp
[08:57:30] Found deleted file: /var/log/upstart/docker.log.1
[08:57:30] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
...
[08:57:31] Performing test ID BANN-7126 (Check issue banner file contents)
[08:57:31] Test: Checking file /etc/issue contents for legal key words
[08:57:31] Result: Found only 0 key words (5 or more suggested), to warn unauthorized users and could be increased
[08:57:31] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
...
[08:57:31] Performing test ID CONT-8104 (Checking Docker info for any warnings)
[08:57:31] Test: Check for any warnings
[08:57:46] Result: found warning(s) in output
[08:57:46] Output: No swap limit support
[08:57:46] Suggestion: Run docker info to see warnings applicable to Docker daemon [test:CONT-8104] [details:-] [solution:-]
...
[08:57:47] Binary: found /usr/bin/gcc (world executable)
[08:57:47] Hardening: assigned 2 hardening points (max for this item: 3), current: 151, total: 244
[08:57:47] Result: at least one compiler could be better hardened by restricting executable access to root or group only

The generated report is complete and, as you can see, also contains suggestions to improve the host security. Other features can be added via plugins. Profiles can be created to test specific environments: per operating system, per network zone (PCI, DMZ) or per security level. I also like the pentest

Xavier Mertens
ISC Handler - Freelance Security Consultant
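Because the Lynis log shown above is line-oriented, its Suggestion and Hardening records are easy to turn into structured findings that a monitoring or ticketing pipeline can consume, which is what makes the tool usable beyond the interactive run. The script below is an added example written for this page; it is not part of the diary or of the Lynis project. Its regular expressions are derived only from the record shapes quoted in the extract, the sample input is constructed from those same lines, and the percentage it computes is a plain current/total ratio of the points Lynis reports, not necessarily the formula Lynis itself uses for its hardening index.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Suggestion / Hardening lines quoted in the diary,
# plus two informational lines the parser is expected to ignore.
SAMPLE_LOG = """\
[08:57:29] Suggestion: Consider hardening of SSH configuration [test:SSH-7408] [details:PermitRootLogin (WITHOUT-PASSWORD -- NO)] [solution:-]
[08:57:29] Hardening: assigned 1 hardening points (max for this item: 3), current: 98, total: 154
[08:57:30] Performing test ID LOGG-2190 (Checking deleted files in file table)
[08:57:30] Found deleted file: /tmp/tmpfHXNnZp
[08:57:30] Suggestion: Check what deleted files are still in use and why. [test:LOGG-2190] [details:-] [solution:-]
[08:57:31] Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
[08:57:46] Suggestion: Run docker info to see warnings applicable to Docker daemon [test:CONT-8104] [details:-] [solution:-]
[08:57:47] Hardening: assigned 2 hardening points (max for this item: 3), current: 151, total: 244
"""

# One Suggestion record: free text followed by three bracketed fields.
SUGGESTION_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] Suggestion: (?P<text>.*?)"
    r" \[test:(?P<test>[A-Z]+-\d+)\]"
    r" \[details:(?P<details>.*?)\]"
    r" \[solution:(?P<solution>.*?)\]$"
)

# One Hardening record: points for this item plus the running totals.
HARDENING_RE = re.compile(
    r"^\[\d{2}:\d{2}:\d{2}\] Hardening: assigned (?P<points>\d+) hardening points"
    r" \(max for this item: (?P<max>\d+)\), current: (?P<current>\d+), total: (?P<total>\d+)$"
)


@dataclass(frozen=True)
class Suggestion:
    time: str
    test_id: str          # e.g. SSH-7408; the prefix is the test category
    text: str
    details: Optional[str]   # None where Lynis printed "-"
    solution: Optional[str]


@dataclass
class AuditSummary:
    suggestions: List[Suggestion]
    current_points: int   # running total from the last Hardening line seen
    max_points: int
    points_missed: int    # sum over Hardening lines of (max for item - assigned)

    @property
    def hardening_percent(self) -> int:
        # Simple ratio for this example, not Lynis's own hardening-index formula.
        return round(100 * self.current_points / self.max_points) if self.max_points else 0

    def by_category(self) -> Dict[str, int]:
        # Count open suggestions per test family (SSH, LOGG, BANN, CONT, ...).
        return dict(Counter(s.test_id.split("-")[0] for s in self.suggestions))


def _dash_to_none(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_lynis_log(text: str) -> AuditSummary:
    """Extract suggestions and hardening totals from Lynis log output."""
    suggestions: List[Suggestion] = []
    current = total = missed = 0
    for raw in text.splitlines():
        line = raw.strip()
        m = SUGGESTION_RE.match(line)
        if m:
            suggestions.append(Suggestion(
                m["time"], m["test"], m["text"],
                _dash_to_none(m["details"]), _dash_to_none(m["solution"]),
            ))
            continue
        m = HARDENING_RE.match(line)
        if m:
            missed += int(m["max"]) - int(m["points"])
            # Totals are cumulative, so the last line seen is the final state.
            current, total = int(m["current"]), int(m["total"])
    return AuditSummary(suggestions, current, total, missed)


if __name__ == "__main__":
    summary = parse_lynis_log(SAMPLE_LOG)
    print(f"hardening: {summary.current_points}/{summary.max_points} "
          f"({summary.hardening_percent}%), points missed in extract: {summary.points_missed}")
    for s in summary.suggestions:
        print(f"{s.test_id:10} {s.text}" + (f" [{s.details}]" if s.details else ""))
    print("per category:", summary.by_category())
```

Run against a full `./lynis audit system` log (or the log file Lynis writes) to get one finding per suggestion keyed by test ID, which is stable across runs and therefore suitable for tracking whether a host's open items shrink over time.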
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.