Recently Discovered ICS Vulnerability

Earlier this week, ICS-CERT announced that a new vulnerability was discovered in ICS products made by Endress+Hauser. The vulnerability affects the DTM library used by Endress+Hauser HART-based field devices in the FDT/DTM Frame Application. If a specially crafted packet manages to exploit the vulnerability, the DTM Frame Application will become unresponsive as a result of a buffer overflow. Endress+Hauser has released a security update addressing this issue. Despite the fact that we haven’t observed this vulnerability being exploited in the wild, we highly recommend applying the patch from Endress+Hauser as soon as possible.
To minimize the risk of an ICS device being compromised by an attacker, be sure to consider the following general recommendations:
  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Isolate – Segmenting the ICS system will reduce the risk of it being compromised by an attacker. Take some time to verify that it is inaccessible from any unnecessary business/user networks.
  • Update and secure – Install all available patches and updates. Be sure that you are notified of any updates to the operating system, firmware and any installed applications.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Leverage the use of an ICS honeypot – Creating a honeypot ICS device will help you discover suspicious activity within your network before it affects a production system.
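A minimal low-interaction honeypot of the kind the last bullet recommends, as an added example that is not part of the original post or any Endress+Hauser or ICS-CERT material: a TCP listener that records every connection (time, source, first bytes) and a summary that counts touches per source, so a host that keeps probing a service nobody should be talking to stands out. The bind address, port selection and the `probe()` client are constructed for the demo; a real deployment would bind on the ICS segment, on the ports your field devices actually use, and forward events to the central log platform.

```python
import socket
import socketserver
import threading
import time
from collections import Counter
from datetime import datetime, timezone


class _HoneypotHandler(socketserver.BaseRequestHandler):
    """Every connection is recorded: no production system should ever talk to this listener."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            first_bytes = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            first_bytes = b""
        self.server.record(self.client_address, first_bytes)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind_addr=("127.0.0.1", 0)):  # port 0: let the OS pick a free port for the demo
        super().__init__(bind_addr, _HoneypotHandler)
        self.events = []
        self._lock = threading.Lock()

    @property
    def port(self):
        return self.server_address[1]

    def record(self, client_address, first_bytes):
        event = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": client_address[0],
            "src_port": client_address[1],
            "first_bytes_hex": first_bytes[:32].hex(),  # enough to tell a scanner from an operator later
        }
        with self._lock:
            self.events.append(event)

    def snapshot(self):
        with self._lock:
            return list(self.events)


def summarize(events):
    """Touches per source: a persistent scanner stands out from a one-off misconfiguration."""
    return Counter(e["src_ip"] for e in events)


def probe(host, port, payload=b""):
    """Constructed client used only to exercise the listener in this example."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        if payload:
            s.sendall(payload)


def wait_for_events(hp, expected, timeout=5.0):
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if len(hp.snapshot()) >= expected:
            return True
        time.sleep(0.05)
    return False


def run_demo():
    """Start the listener, hit it twice from a constructed client, return what was recorded."""
    hp = Honeypot()
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    try:
        probe("127.0.0.1", hp.port, b"PING")  # constructed payload
        probe("127.0.0.1", hp.port)           # connect-and-close, no data
        wait_for_events(hp, 2)
        return hp.snapshot()
    finally:
        hp.shutdown()
        hp.server_close()


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

Because the listener answers nothing and emulates nothing, it cannot be mistaken for a real device by an operator, and any connection to it is a signal worth an alert rather than a statistic to baseline.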

Just a Quick Thought & Mini Rant…

Today, I ran across this article, and I found it interesting that many folks are discussing how “white hat hackers” could go about helping people by disclosing vulnerabilities before bad things happen. 

There are so many things wrong with this idea, I will just riff on a few here, but I am sure you have your own list….

First off, the idea of a corps of benevolent hackers combing the web for leaks and vulnerabilities is mostly fiction. It’s impractical in terms of scale, scope and legality at best. All 3 of those issues are immediate faults.

But, let’s assume that we have a group of folks doing that. They face a significant issue – what do they do when they discover a leak or vulnerability? For DECADES, the security and hacking communities have been debating and riffing on disclosure mechanisms and notifications. There remains NO SINGLE UNIFIED MECHANISM for this. For example, let’s say you find a vulnerability in a US retail web site. You can try to report it to the site owners (who may not be friendly and may try to prosecute you…), you can try to find a responsible CERT or ISAC for that vertical (who may also not be overly friendly or responsive…) or you can go public with the issue (which is really likely to be unfriendly and may lead to prosecution…). How exactly, do these honorable “white hat hackers” win in this scenario? What is their incentive? What if that web site is outside of the US, say in Thailand, how does the picture change? What if it is in the “dark web”, who exactly do they notify (not likely to be law enforcement, again given the history of unfriendly responses…) and how? What if it is a critical infrastructure site – like let’s say it is an exposed Russian nuclear materials storage center – how do they report and handle that? How can they be assured that the problem will be fixed and not leveraged for some nation-state activity before it is reported or mitigated? 

Sound complicated? IT IS… And, risky for most parties. Engaging in vulnerability hunting has its dangers, and turning more folks loose on the Internet to hunt bugs and security issues also ups the risks for machines, companies and software already exposed to the Internet, since scan and probe traffic is likely to rise, and the skill sets of those hunting may not be commensurate with the complexity of the applications and deployments online. In other words, bad things may rise in frequency and severity, even as we seek to minimize them. Unintended consequences are certainly likely to emerge. This is a very complex system, so it is highly likely to be fragile in nature…

Another issue is the idea of “before bad things happen”. This is often a fallacy. Just because someone brings a vulnerability to you doesn’t mean they are the only ones who know about it. Proof of this? Many times during our penetration testing, we find severe vulnerabilities exposed to the Internet, and when we exploit them – someone else already has and the box has been pwned for a long long time before us. Usually, completely unknown to the owners of the systems and their monitoring tools. At best, “before bad things happen” is wishful thinking. At worst, it’s another chance for organizations, governments and law enforcement to shoot the messenger. 

Sadly, I don’t have the answers for these scenarios. But, I think it is fair for the community to discuss the questions. It’s not just Ashley Madison, it’s all of the past and future security issues out there. Someday, we are going to have to come up with some mechanism to make it easier for those who know of security issues. We also have to be very careful about calling for “white hat assistance” for the public at large. Like most things, we might simply be biting off more than we can chew… 

Got thoughts on this? Let me know. You can find me on Twitter at @lbhuston.


As many of you may have heard, businesses throughout the world have seen an increase in ransomware being used against them. What should businesses do to help prevent these sort of extortions from happening to them? This is what we will attempt to answer with this posting.

We have all heard the old adage “an ounce of prevention is worth a pound of cure”; nothing could be truer, especially for this particular situation! So let’s go over some of the preventative steps that your organization may follow before you become infected with ransomware:

  • User education and training! Start off with end-user education: you know, the people who are actually going to see these sorts of attacks. Let’s not focus on just a select few like your sysadmins, but rather the entire organization. Everyone has a part in keeping your business secure, and education is the key.
  • As part of the education of the end-users, let them know who to contact if they see something suspicious, whether that is your help desk or someone designated by your organization to guide them through the process of what to do. The end-users have to be able to recognize that something has occurred in order to report it in the first place.
  • Organizations should enforce the least privilege methodology. This is a way to grant only the minimum amount of access to files that the person needs to perform their job-related duties. If a person does not need read/write access to certain files, don’t grant it. This will help limit what the ransomware can do, since it runs with the privileges of the person who is logged in at the time and encrypts the files that person has read/write access to.
  • Most organizations now configure their email servers to prohibit them from sending or receiving executable files. Make sure yours does too. The real issue here is macros that are enabled when sent with a document, as this is a potential attack vector for this and other types of malware.
  • Patch your software to the most current version. By not doing so, you may be leaving the door open for a variety of malware to take advantage of your company. The malware will exploit flaws in the older versions of software that your company uses. We have seen time and time again where businesses aren’t aggressively keeping their software updated to the latest version and they are targeted by threat actors as a result.
  • If possible, restrict the execution of programs from temp folders in a user’s profile. For example, “c:\users\<username>\folder\temp”. What do I mean by this? If a virus, or ransomware in this case, were to attempt to use a temp folder as its first execution point, it would be blocked from doing so by Group Policy Objects. So you effectively nix the ransomware before it has had a chance to infect your computer!
  • Organizations should consider implementing some sort of web filtering such as keeping track of blacklisted IP addresses or domains.
  • Whatever antivirus solution your company employs, please ensure that it is updated with the latest virus definitions to increase its effectiveness. A company could even consider having different antivirus products for different purposes, such as having one product for desktops and another for email. That way the company is ensuring that there is some degree of overlap in its antivirus coverage!
  • Adobe’s Flash should be disabled at this point, as it really has been a very popular infection vector for ransomware. Disabling it would greatly reduce the amount of infection vectors available to would-be attackers.
  • Lastly, backups are really the only way to restore functionality to the affected systems once they have been compromised, provided a backup process already exists in your organization and that the backups are checked for completeness. This way, if you do need to use your backups, they will get you back on your feet as soon as possible with the least amount of downtime.
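The last bullet hinges on backups being “checked for completeness”, which is the step most often skipped. The following is an added example, not code from the original post: it records a SHA-256 manifest of a backup set and later verifies a tree against it, reporting the three ways a backup can fail you (files missing, files whose contents no longer match, and unexpected extra files, which is what an encrypted copy with a new extension looks like). The directory layout and file contents in `run_demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every file under root, taken at backup time."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare a backup (or restored) tree against its manifest."""
    present = build_manifest(root)
    missing = sorted(set(manifest) - set(present))
    extra = sorted(set(present) - set(manifest))
    corrupted = sorted(p for p in manifest if p in present and present[p] != manifest[p])
    return {
        "ok": not (missing or extra or corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_demo():
    """Constructed backup set: verify it clean, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("account,balance\nops,1000\n")
        (backup / "notes.txt").write_text("quarterly planning\n")

        manifest = build_manifest(backup)
        # The manifest must live somewhere the ransomware cannot reach (offline or write-once storage)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_backup(backup, manifest)

        # Simulate a failed copy, an overwritten file and an encrypted copy left behind
        (backup / "notes.txt").unlink()
        (backup / "finance" / "ledger.csv").write_bytes(b"\x00garbage\x00")
        (backup / "finance" / "ledger.csv.locked").write_bytes(b"\x00garbage\x00")
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    before, after = run_demo()
    print("clean run:", before)
    print("damaged run:", after)
```

Running the verification after every backup job, and again before relying on a restore, is what turns “we have backups” into “we know the backups will work”.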

As always, the education of all of your employees is key to this or any other sort of security-related incident before it happens. So is effective communication, both before a security incident starts and during the response/recovery process.

Risks Inherent in Utilizing Economies of Scale

The number of people in the United States has been increasing heavily over time, and we are currently the third most populous country on the planet. In the last century, the population has more than tripled here, and it is estimated that we will add more than 100,000,000 to the current total by 2050. One of the things that helps us cope with such huge numbers is taking advantage of economies of scale.
For example, we build truly giant ships to carry our oil and cargo because the bigger the ship is the more hydrodynamic advantage there is and the less cost there is per ton for transportation. Similarly, we build enormous power plants and network them into grids because it is more efficient and cheaper per kilowatt hour to do so. There are many more examples of this trend all across American commerce. While this practice indeed does work and enables us in many ways, it comes with a variety of costs; one of which is increased risk.
We stand to lose a lot of oil and cause major environmental catastrophes if someone starts sinking major super tankers, for example. And if an enemy starts destroying our large power plants (or critical nodes in the infrastructure connecting them), the impact could be very much worse than that.
I mention all of this because now we are seeing the trend toward economies of scale coming into the information processing world, mainly in the form of cloud computing. This trend is inevitable because it truly is more efficient, cheaper and improves people’s lives in many ways. But it must be realized that this centralization of data processing and storage brings with it the same increase in impact if a major compromise occurs – and the greater the impact, the greater the risk.
What this means in the information security world is that we need to have more security assurance built into these large cloud systems. It should be stated like a natural law: the bigger the system, the more effective the security controls need to be. So before you put all of your valuables into the cloud, keep the risks inherent in economies of scale in mind and vet your cloud provider’s security measures. Make sure that they have all the technical, operational, physical and management controls in place. Ensure that their information security program is transparent and reactive to realistic criticism. And ensure that your own organization realizes the risks inherent in the cloud and plans accordingly as well. Remember, it is your own organization that is ultimately responsible for the security of their data no matter where it is stored or processed.

Podcast Episode 7 Now Available

The newest episode of the State of Security Podcast is now available. You can go to the main page here to listen.

This episode features a great interview with Mark “Phork” Carey. We riff on the future of technology & infosec, how machine learning might impact security in the long term, what it was like to build the application-centric web with Sun, lessons learned from decades of hardware hacking and a whole lot more! The short for this month is with @pophop, so check out what the self-proclaimed “elder geek” has to say as he spreads some wisdom. Let us know what you think and send in ideas for other folks you would like to hear on the podcast.


Keep it Simple: Creating an Incident Response Policy

Drafting an Incident Response Policy can seem overwhelming. At the beginning, it doesn’t seem feasible that a single document can help you maintain order during a breach. You may ask yourself if it’s even possible to prepare your team for responding to all of the latest Tactics, Techniques and Procedures (TTPs) that attackers are leveraging. It’s not possible to craft a document that addresses every possible threat individually. However, you can create an effective policy that covers each major threat category as opposed to each individual attack.

If you’re not sure which categories to focus on, I recommend taking a look at Microsoft’s STRIDE Threat Model. STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. By leveraging the STRIDE model (or any other threat model), you can create a policy that will be relevant for years to come. This “one size fits all” approach will not only make your policy more efficient, it will be much more effective.

After you’ve crafted your policy, be sure to take the time to walk through a few scenarios. It’s even worthwhile to bring in a 3rd party to help you simulate a computer security incident on a regular basis. This exercise can help you identify any gaps that exist within your policies and procedures. It will also demonstrate how a simple policy will help your company respond to even the most complicated security issues.

Providing Security to a Grumpy End-user

Working in IT, one of my biggest challenges has been to convince end-users that it is worthwhile to forego a convenience in the name of security. Regardless of whether it’s requiring the use of multi-factor authentication or forcing a computer to auto-lock after a certain amount of idle time, it often boils down to the end-user facing some sort of hindrance to their productivity. I completely understand their frustrations. I’ve managed Active Directory networks that served around 15,000 people and still managed to lock out my own account. Was I annoyed? Absolutely, but I understood the need for the control. If you take the time to explain security to the end-user, they’ll be more likely to understand your decisions.

Here are some tips I’ve found to be helpful when convincing an end-user to implement a security control:

  1. Remind – Remind them that you’re not making this change just for fun. It’s being completed to reduce the likelihood that your organization’s systems will be compromised by an attacker.
  2. Example – Give an example of a high-profile breach that could have been prevented by implementing this control. It’s likely that they’ve had their personal information exposed as a result of a breach within the last few years. Even if they (somehow) haven’t personally been affected by a data breach, they have a friend or family member who has. Using an example of something that has affected them personally will go a long way toward helping them understand why it is worthwhile to implement a security control that could have an adverse effect on their productivity.
  3. Analogy – Still having trouble rationalizing why you’re implementing a new security system? Try to use an analogy to describe how the new control will help prevent an issue. For example, if they are upset that they can’t reuse a password across multiple systems, remind them that the key to their Ford vehicle won’t work on ALL Ford vehicles.
  4. Describe – Take some time to describe why you’re implementing the new security control. It’s important to make the effort to explain the task in terms that the end-user will understand. Don’t use the complexity of the topic as an excuse. If you can’t explain the issue to a non-technical employee, chances are, you don’t understand it yourself.

DDoS Attack: Are You Ready To Respond?

A distributed denial of service attack is a malicious attempt to make machines, applications or other network services unavailable to legitimate users. There are many types of DDoS attacks including SYN and UDP floods, reflected attacks, application attacks and multi-vector attacks that employ several types of attacks in combination. In the past, it was typical for businesses to accept the risk of DDoS attacks since they were relatively rare and small scale. But that has all changed in recent years; both the number and scale of DDoS attacks have increased dramatically. Because of this trend many savvy businesses have changed their philosophies and taken steps to mitigate DDoS attacks. Unfortunately, this trend is far from universal. Many businesses remain complacent and have done little or nothing to prepare for DDoS attacks. Is your business one of these and if so, what should you do about it?

The first step I recommend taking is to perform a basic risk and impact study on the subject: how likely is it that my business will be attacked, and if it is, how badly will it hurt us? If the answer to either of these questions is unacceptable, then you should certainly move on to step two and start the process of incorporating DDoS into the incident response plan. In a nutshell: develop the policy language, include likely DDoS attack indicators and attack scenarios in the plan, develop specific strategies to counter these attacks, assign responsibilities to specific individuals and practice the plan. Sounds easy, but how do we go about doing that, you may ask. Here are some basic tips:

• Contact your ISP. Get their advice, find out about their experience and capabilities with DDoS attacks, find out about any anti-DDoS tools they might have available and their cost, etc. If you don’t do anything else, at least take this step. You probably won’t be able to do much at all to counter a DDoS attack without your ISP’s help.

• Ensure that your team is fully aware of all the capabilities your present equipment and infrastructure has for handling DDoS attacks.

• Ensure that your IR and IT teams are aware that DDoS attacks are sometimes persistent and can last for days, weeks or more. Make plans for keeping your reactions strong and timely.

• Employ centralized logging and ensure that proper monitoring procedures are in place and reviewed.

• Make sure you maintain a whitelist of source IPs and protocols, major customers, critical service providers and partners that must be allowed access during attacks.

• If you are at high risk and impact levels for DDoS attacks, consider improving your infrastructure and/or employing specialized DDoS services or products. Cloud based servers, for example, have great capabilities for fighting DDoS.

• Ensure that applications, networks and operating systems that may be targeted in DDoS attacks are fully hardened.
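The centralized-logging and whitelist tips above are only useful if something actually reads the logs and honours the whitelist while an attack is under way. The following is an added example, not code from the original post: it parses a connection log, counts bare SYNs per source per fixed time window, and splits the sources that cross a threshold into block candidates and whitelisted sources that need a human look (a major customer can be legitimately busy during an attack and must not be cut off). The log format, the threshold, the RFC 5737 addresses and the whitelist are all constructed for the demonstration; the same logic applies to whatever format your firewall or flow collector exports.

```python
import ipaddress
from collections import Counter

# Constructed whitelist: a partner network and one critical service provider that must stay reachable.
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]


def build_sample_log():
    """Constructed connection log, one record per line: '<epoch_seconds> <src_ip> <dst_port> <tcp_flags>'."""
    lines = []
    for i in range(60):                        # one source fires 60 SYNs in 5 seconds
        lines.append(f"{1000 + i * 5 // 60} 192.0.2.50 443 S")
    for i in range(55):                        # a whitelisted partner is unusually busy
        lines.append(f"{1000 + i % 10} 203.0.113.9 443 S")
    for i in range(8):                         # ordinary traffic: SYN followed by ACK
        lines.append(f"{1000 + i} 198.51.100.20 443 S")
        lines.append(f"{1000 + i} 198.51.100.20 443 A")
    lines.append("this line is corrupt")       # exercises the malformed-line path
    return lines


def parse_log(lines):
    """Return (records, malformed_count); a bad line is counted and skipped, never allowed to stop the run."""
    records, malformed = [], 0
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            malformed += 1
            continue
        try:
            ts, src, dport, flags = int(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2]), parts[3]
        except ValueError:
            malformed += 1
            continue
        records.append((ts, src, dport, flags))
    return records, malformed


def is_allowlisted(ip, allowlist=ALLOWLIST):
    return any(ip in net for net in allowlist)


def detect_syn_floods(records, window=10, threshold=50, allowlist=ALLOWLIST):
    """Count bare SYNs per (source, window); hits go to 'block' unless the source is whitelisted."""
    buckets = Counter()
    for ts, src, _dport, flags in records:
        if flags == "S":
            buckets[(src, ts // window * window)] += 1
    block, review = [], []
    for (src, start), n in sorted(buckets.items(), key=lambda kv: (-kv[1], str(kv[0][0]))):
        if n < threshold:
            continue
        hit = {"src": str(src), "window_start": start, "syns": n}
        (review if is_allowlisted(src, allowlist) else block).append(hit)
    return block, review


def analyze(lines):
    records, malformed = parse_log(lines)
    block, review = detect_syn_floods(records)
    return {"block": block, "review": review, "malformed_lines": malformed}


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print("block candidates:", result["block"])
    print("whitelisted, review by hand:", result["review"])
    print("malformed lines skipped:", result["malformed_lines"])
```

The threshold and window are the parameters to tune from your own baseline traffic before an attack, not during one; the whitelist check is deliberately applied after detection so that a busy partner is still visible in the report rather than silently ignored.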

Here’s hoping that no one out there targets your business with a major DDoS campaign. But if you think the possibility is high, better take a tip from the Boy Scouts and be prepared!

IoT Privacy Concerns

Lately, I’ve been amazed at how quickly the Internet of Things (IoT) has become a part of my life. Everything from speakers to a Crock-Pot (yes, a Crock-Pot) has been connected to my home wireless network at some point. As much as I enjoy all the conveniences that these devices provide me, I always consider the security implications prior to purchasing an Internet-connected device. It’s worthwhile to weigh the convenience of installing new Internet-connected equipment vs. the privacy issues that can occur if the device is compromised.

There have already been a variety of security issues stemming from the widespread adoption of IoT devices. Last fall, a website published links to over 73,000 unsecured cameras throughout the world. These cameras monitored everything from shopping malls to people’s bedrooms. Without implementing proper controls around IoT devices, we will continue to see similar issues arise.

I don’t intend for this blog to scare people away from purchasing IoT devices. In fact, I will provide you with a few simple changes you can make to your IoT configurations that will reduce the privacy issues that can occur by installing an IoT system. These changes won’t necessarily diminish the conveniences you can gain by buying an Internet-connected thermostat or installing the latest IoT security camera. However, they will significantly reduce the risk associated with installing an IoT system.

A few recommendations for your new gadget:

  • Change the default password – A majority of the aforementioned cameras were compromised because the owners did not change the system’s default password. By simply setting the password to something that will be difficult for an attacker to guess, you can reduce the risk of someone compromising your device.
  • Segment – Try to isolate your IoT devices from the rest of your home network. It is very possible that an attacker would use an IoT system as an entry-point to gain access to other systems.
  • Check for software updates – Make a routine to check for software/firmware updates for all of your IoT devices. These updates will often contain a security patch that can protect your system from being exploited.
  • Do not expose the device directly to the Internet – There shouldn’t be a need to expose an IoT device directly to the Internet. This will provide an attacker a much larger surface to attempt to exploit your device. If the system requires that configuration, it is worthwhile to consider another option.

Windows Server 2003 – End of Life

Windows Server 2003 has officially reached its end-of-life date. Does this mean that all of your Windows Server 2003 servers will be hacked on July 16th? Probably not. However, it is worthwhile to ensure that your organization has a plan in place to migrate all of your applications and services off of this legacy operating system. This is especially true if you have any Windows Server 2003 systems that are exposed to the Internet. It is only a matter of time until a new vulnerability is discovered that affects this operating system.

As a former Windows Systems Administrator, I understand how difficult it can be to convince an application owner to invest the time and resources into migrating a system or service to a new operating system. Despite the fact that these systems have a heightened risk of being compromised, it’s very possible that your organization doesn’t have the financial resources to migrate your applications and services to a new operating system. You’re not alone. I found over 1.3 million servers running IIS 6.0 in Shodan. Over 688,000 of these servers are in the United States. However, there are still ways to reduce the risk of hosting these legacy operating systems until a migration plan is put into place.

A few ways to reduce the risk of hosting an application on a legacy operating system are:

  • Discover and document – You can’t protect a system if you don’t know it exists. Take some time to identify and document all of the legacy and unsupported operating systems in your network.
  • Learn about the application – Take some time to learn some details about the application. Is it still even being accessed? Who uses it? Why is it still hosted on an unsupported operating system? Are there other options available?
  • Educate the business users – If financial resources are an issue, take some time to explain the risks of hosting this application to the business users. Once they gain an understanding of the risk associated with hosting their application on a legacy OS, they can help secure funding to ensure that the application is upgraded.
  • Isolate – Segmenting the legacy system can reduce the risk that it is accessed by an attacker. It also can decrease the likelihood that a compromise of the legacy system will spread to other servers.
  • Update and secure – Install all available patches and updates. Not only for the operating system, but the hosted applications as well.
  • Perform thorough log analysis – Implement some sort of centralized logging platform to ensure you have the ability to detect any anomalies that occur within these systems.
  • Plan for the worst – Be prepared. Have a plan in place for responding to an incident involving these systems.
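“Discover and document” heads both this list and the ICS list earlier on the page, and the IIS 6.0 figure above shows why: a service banner often gives away an unsupported OS when the asset record itself is blank. The following is an added example, not code from the original post: it takes an asset export, flags hosts running an unsupported OS (by OS string, or inferred from an IIS 6.0 banner, since IIS 6.0 shipped only with Windows Server 2003), and orders the findings so Internet-exposed hosts come first and hosts nobody has used for months are marked as decommission candidates. The hostnames, the export layout and the 180-day staleness cutoff are constructed assumptions; a real run would read the same fields from your CMDB, scanner or Active Directory.

```python
# Constructed asset export with hypothetical hostnames.
ASSETS = [
    {"host": "web01", "os": "Windows Server 2003 R2", "banner": "Microsoft-IIS/6.0", "exposure": "internet", "last_access_days": 2},
    {"host": "app07", "os": "", "banner": "Microsoft-IIS/6.0", "exposure": "internal", "last_access_days": 400},
    {"host": "web02", "os": "Windows Server 2012 R2", "banner": "Microsoft-IIS/8.5", "exposure": "internet", "last_access_days": 1},
    {"host": "hmi03", "os": "Windows XP Professional", "banner": "", "exposure": "internal", "last_access_days": 0},
]

# Operating systems whose vendor support has ended; extend for your environment.
UNSUPPORTED_OS = ("Windows Server 2003", "Windows XP", "Windows 2000")

# Banners that only ship with an unsupported OS, used when the OS field is empty or unreliable.
UNSUPPORTED_BANNERS = {"Microsoft-IIS/6.0": "Windows Server 2003 (inferred from IIS 6.0 banner)"}


def unsupported_reason(asset):
    """Return why the asset counts as unsupported, or None if it does not."""
    for name in UNSUPPORTED_OS:
        if asset["os"].startswith(name):
            return asset["os"]
    if asset["banner"] in UNSUPPORTED_BANNERS:
        return UNSUPPORTED_BANNERS[asset["banner"]]
    return None


def triage(assets, stale_after_days=180):
    """Findings for unsupported hosts, Internet-exposed first, with stale hosts marked for decommission review."""
    findings = []
    for a in assets:
        reason = unsupported_reason(a)
        if reason is None:
            continue
        exposed = a["exposure"] == "internet"
        findings.append({
            "host": a["host"],
            "os": reason,
            "exposed": exposed,
            "stale": a["last_access_days"] > stale_after_days,
            "priority": 1 if exposed else 2,
        })
    return sorted(findings, key=lambda f: (f["priority"], f["host"]))


if __name__ == "__main__":
    for f in triage(ASSETS):
        note = " (nobody has used this in months: confirm it is still needed)" if f["stale"] else ""
        print(f"P{f['priority']} {f['host']}: {f['os']}{note}")
```

Keeping the unsupported list and the banner inference as explicit tables makes the next end-of-life date a one-line change, and the stale flag feeds directly into the “Learn about the application” step: a host that nobody has touched in a year may not need migrating at all, just switching off.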