Amichai Shulman: May 2008 Archives

Recently, a rare bug in a SCADA system by Invensys was disclosed - one which, if exploited, could cause a remote Denial of Service on the system. As these systems are deployed in power plants, dam control systems and other truly mission-critical systems, such an attack scenario is a major concern for the public.

Vulnerabilities in SCADA (Supervisory Control And Data Acquisition) are perceived as rare; however, let us not overlook the fact that most SCADA systems deployed today are either controlled and monitored by software running on "standard" operating systems (i.e. Windows, Linux) or are themselves based on these operating systems. Thus these systems are probably exposed to the plethora of vulnerabilities known to affect those platforms.

Last year, a short video clip was published with the results of a "secret" experiment on exploiting SCADA systems. Researchers spent a lot of time and money showing that sending specific command sequences to a generator would end up causing irreversible damage (as indicated by the inevitable smoke coming out of the tormented device). The truth is that they could have spent 1/10 of the time and money by showing that if you turn off the cooling system of the generator (probably controlled by a Windows computer) you'll get the same effect.

All these SCADA exploits are just a reminder that most "civilization support" systems today are controlled by computers, most of them using standard operating systems, not to mention a web interface. It is definitely time for governments all over the world to start setting and enforcing regulations not only for financial systems but also for those "civilization support" ones.


On May 18 security researchers will gather at the IEEE Symposium on Security and Privacy. One of the papers to be presented is "Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications" by David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng. These researchers showed how, given a Microsoft patch, they were able to reverse engineer it and quickly create an exploit for the original, unpatched code. Their point was that Microsoft's current way of shipping patches is at fault: it hands attackers an exploit before other users have even begun to download the patch, and such a system requires a redesign.

This seems like big news; even security expert Bruce Schneier took the time to blog about this research. The researchers conclude that current patch distribution schemes are insecure. They do propose alternatives, but for the meanwhile I find that these claims aren't mature enough from a security standpoint. After all, is that what we want - that Microsoft abandon its patching process now that it knows a vulnerability may be exploited as a result of distributing the patches?

That said, the researchers do have a point - the timeframe hackers have to attack unpatched systems is quite large when those systems rely on patch deployment as their sole means of protection.

This argument actually strengthens my claim that it is necessary to deploy 3rd party components which provide virtual patching in order to minimize the window of opportunity for attackers. These virtual patches can be deployed quickly, providing a fast response to a potential attack by acting as the front guard until the system itself is properly fixed and updated.

May 7, 2008

How Low Can You Go?

If you are wondering about the answer to this question regarding Web Application Security, you must read the following article in The Register and then get some further gory details and examples from the Daily WTF. In this story, the personal details of Oklahoma crime offenders were made public for at least three years. And I mean all the personal details: names, addresses, dates of birth, social security numbers, even medical records - the full monty.

The Oklahoma Department of Corrections website was vulnerable to SQL Injection not by mistake but by design, exposing information belonging not only to sex offenders (exposing the exposed) but also to other offenders. And as the SQL vulnerability appeared in the state's Sexual and Violent Offender Registry, it actually allowed anonymous Web users to report the neighbor who moved the fence by 2 inches as a violent sex offender...
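As an added illustration of the distinction drawn above (injection by design rather than by mistake), here is a constructed Python/sqlite3 registry lookup that is not the Oklahoma application and uses a hypothetical schema: the first function takes a WHERE clause straight from the request, so the public search page is effectively a SQL console over the whole table, while the hardened form limits the searchable field to a whitelist, binds the value as a parameter and returns only the columns the registry is meant to publish.

```python
import sqlite3

# Constructed sample registry (hypothetical schema and rows, not the real
# Oklahoma application): two public fields next to two sensitive ones.
def make_registry():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, city TEXT, ssn TEXT, medical TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?, ?)", [
        ("A. Example", "Tulsa", "000-00-0001", "constructed record"),
        ("B. Example", "Norman", "000-00-0002", "constructed record"),
    ])
    return conn

# Injection "by design": the request carries the WHERE clause verbatim, so the
# public search form is a raw SQL interface to every row and every column,
# sensitive ones included. Kept here only as the anti-pattern to recognise.
def lookup_by_design(conn, where_clause):
    return conn.execute(f"SELECT * FROM offenders WHERE {where_clause}").fetchall()

# Hardened form: the searchable field comes from a fixed whitelist (identifiers
# cannot be bound as parameters), the value is bound as data, and only the
# columns intended for publication ever leave the database.
ALLOWED_FIELDS = ("name", "city")
PUBLIC_COLUMNS = "name, city"

def field_is_allowed(field):
    return field in ALLOWED_FIELDS

def lookup_hardened(conn, field, value):
    if not field_is_allowed(field):
        raise ValueError("unsupported search field")
    sql = f"SELECT {PUBLIC_COLUMNS} FROM offenders WHERE {field} = ?"
    return conn.execute(sql, (value,)).fetchall()

if __name__ == "__main__":
    conn = make_registry()
    # The by-design lookup hands back both rows with all four columns.
    print(lookup_by_design(conn, "1 = 1"))
    # The hardened lookup publishes two columns and treats its value as data,
    # so a value that is not a real city name simply matches nothing.
    print(lookup_hardened(conn, "city", "Tulsa"))
    print(lookup_hardened(conn, "city", "Tulsa OR 1 = 1"))
```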
