[conspire] (forw) [skeptic] Ransomware and rotten doors
Rick Moen
rick at linuxmafia.com
Thu Jul 6 18:00:35 PDT 2017
----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----
Date: Thu, 6 Jul 2017 17:59:21 -0700
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: [skeptic] Ransomware and rotten doors
Organization: If you lived here, you'd be $HOME already.
Interesting article here:
https://www.cnet.com/news/ransomware-attack-goldeneye-petya-cover-data-destroy-nation-state/
Ransomware attack is cover for something far more destructive
The GoldenEye attack wasn’t aiming at your wallet. It was trying to
destroy your data.
by Alfred Ng
July 1, 2017 5:00 AM PDT
[...]
But now experts believe nation-state attackers are using ransomware as
a screen, tempting victims to blame faceless hackers instead of the
countries allegedly behind the attacks. The real goal was to get at and
destroy data.
Article points out facts of the GoldenEye aka NotPetya episode
suggesting attackers didn't even credibly try to collect ransom money,
ergo that was a smokescreen, and the point was to leverage breakin
abilities to destroy stored data. (Affected large companies included
FedEx, Merck, Cadbury, and AP Moller-Maersk.)
FWIW, GoldenEye relied on the same flaw in antique SMBv1 network
protocol software in MS-Windows versions going back to NT 4.0 that I
dissected here on May 13th (about which, the obvious question is 'Why
the Gehenna is anyone still doing Network Neighborhood peer-to-peer
file/print sharing with an infamously terrible, 20-year-old, buggy,
badly implemented network protocol in 2017?).
Article references Russian attacks on Ukraine power-distribution
infrastructure via computer break-in. Here's a pretty good article
about that, I meant to mention earlier:
https://www.wired.com/story/russian-hackers-attack-ukraine/
Small excerpt:
But many global cybersecurity analysts have a much larger theory about
the endgame of Ukraine’s hacking epidemic: They believe Russia is using
the country as a cyberwar testing ground—a laboratory for perfecting new
forms of global online combat. And the digital explosives that Russia
has repeatedly set off in Ukraine are ones it has planted at least once
before in the civil infrastructure of the United States.
[...]
Earlier in 2014, the US government reported that hackers had planted
BlackEnergy on the networks of American power and water utilities.
Working from the government’s findings, FireEye had been able to pin
those intrusions, too, on Sandworm [a trojan clearly from Russia found
by security firms in Polish and Ukrainian energy firms and government
agencies].
Most disturbing of all for American analysts, Sandworm’s targets
extended across the Atlantic. Earlier in 2014, the US government
reported that hackers had planted BlackEnergy on the networks of
American power and water utilities. Working from the government’s
findings, FireEye had been able to pin those intrusions, too, on
Sandworm.
For Lee, the pieces came together: It looked like the same group that
had just snuffed out the lights for nearly a quarter-million Ukrainians
had not long ago infected the computers of American electric utilities
with the very same malware.
It had been just a few days since the Christmas blackout, and Assante
thought it was too early to start blaming the attack on any particular
hacker group—not to mention a government. But in Lee’s mind, alarms went
off. The Ukraine attack represented something more than a faraway
foreign case study. “An adversary that had already targeted American
energy utilities had crossed the line and taken down a power grid,” Lee
says. “It was an imminent threat to the United States.”
Related article:
https://www.wired.com/story/crash-override-malware/
'CRASH OVERRIDE': THE MALWARE THAT TOOK DOWN A POWER GRID
AUTHOR: ANDY GREENBERGANDY GREENBERG
06.12.1708:00 AM
(details of the mass computer attack that took down power infrastructure
in Ukraine)
[...]
While ESET warns that Crash Override could be adapted to affect other
types of critical infrastructure like transportation, gas lines, or
water facilities, Lee argues that would require rewriting other parts of
the code beyond its modular components. And he points out that if
power-grid operators closely monitor their control system networks—most
around the globe likely don't, he says—they should be able to spot the
malware's noisy reconnaissance scans before it launches its payloads.
"It sticks out like a sore thumb," Lee says.
Still, none of that should leave US grid officials complacent. The
malware that attacked Kiev's grid has turned out to be more
sophisticated, adaptable, and dangerous than the cybersecurity community
had imagined. And those features suggest that it's not going away. "In
my analysis, nothing about this attack looks like it’s singular," Lee
concludes. "The way it’s built and designed and run makes it look like
it was meant to be used multiple times. And not just in Ukraine."
About these power-grid and water system networks: These are what in the
industry are called SCADA computer networks (Supervisory control and
data acquisition), https://en.wikipedia.org/wiki/SCADA . As it happens,
I gave an (I hope) entertaining talk in 2004 called 'Viruses and Trojans
and Worms, Oh My! Linux Security and the Bad Guys' Tools', slides here:
http://linuxmafia.com/~rick/eblug-lecture-2004-12-15.pdf
(Slides are no substitute for the actual lecture: I used them to
highlight points I was making to the in-person attendees.)
Here's what I said on one of my slides about an attack on a SCADA
system, only very slightly tongue in cheek:
"Viruses are canaries" example:
Jan 25, 2003, 9:00 a.m., Saturday: Davis-Besse nuclear power plant,
near Toledo, Ohio:
SQL Slammer worm for Windows enters and overwhelms the SCADA network.
Davis-Besse's safety-monitoring system was down for five hours.
North American Electric Reliability Council reported that two other
electric plants' (one hopes, non- nuclear) SCADA networks were also
affected.
Hooray for the virus! (relatively speaking)
As I said to the attendees, what I _meant_ was that SCADA networks
must, must, must be airgapped from everything else, period, that
anyone who cross-connects them should be hanged from a lamppost, and
that the finding of an MS-Windows worm from the outside Internet
should be almost welcomed because it lets management find a much bigger
problem, that being the impermissible contamination of the network.
In fact, I said that a smart and skeptical SCADA network administrator
would run a constantly running process on a SCADA computer (probably
monitoring the network switch's administrative port) seeking open
routes from anywhere on the SCADA network to any other network. and
instantly isolating any device that creates such a route.
My next slide elaborated:
'The Slammer worm entered the Davis-Besse plant through a circuitous
route. It began by penetrating the unsecured network of an unnamed
Davis-Besse contractor, then squirmed through a T1 line bridging that
network and Davis-Besse's corporate network. The T1 line, investigators
later found, was one of multiple ingresses into Davis-Besse's business
network that completely bypassed the plant's firewall, which was
programmed to block the port Slammer used to spread.'
'“This is in essence a backdoor from the Internet to the corporate
internal network that was not monitored by Corporate personnel,” reads
the April NRC filing by FirstEnergy's Dale Wuokko. “[S]ome people in
Corporate's Network Services department were aware of this T1 connection
and some were not”'
I further commented to the room that a 'firewall' was not adequate to
this situation anyway, leaving aside the (in effect) security sabotage
by the unnamed contractor. There should be physical discontinuity,
period. Airgapping, plus active measures to foil anyone doing what the
contractor did, plus keelhauling of anyone trying it.
So, here we are 14 years further down the road, and did anyone in the
power industry or water industry learn from the Davis-Besse horror?
Maybe not.
Airgapping and active monitoring for unauthorised routes. Dammit.
That's the bloody bare minimum.
And loss of data? Anyone care to guess the next concept I'm going to
mention? Anyone? Anyone? Bueller?
_Backups._ Backups that get tested to make sure restore works and
captures everything that all department heads certify suffices to
cover all work product. Backups that are kept normally detached
(airgapped). Backups for which all needed software is reinstallable
from scratch from offline master copies of the installation sets plus
all activation codes, etc. Backups that keep getting made and keep
getting checked. Timely, periodic, periodically test-restored,
adequately comprehensive backups stored detached from everything else.
When I was a computer network consultant, the very first thing I
discussed with clients was backup/restore. I had a standing gag about
that: I'd refer to what they had (assuming they had one) as their
'restore system', the implication being that a backup is pointless
unless it provably can be restored, and restoring is overwhelmingly more
important than backup is.
I considered (and still do consider) backups with the above qualities to
be the #1 measure required for security. Every other security measure
is drastically less important.
So, what the hell? People are losing data because someone made a dumb
security mistake and 'ransomeware' effectively erased everything? Where
are the timely, periodic, periodically test-restored, adequately
comprehensive backups stored detached? Nowhere, obviously.
And that is the first problem the affected companies should fix.
Without that, 'security' problems like those discussed in the above
articles are, as John Kenneth Galbraith said of all successful
revolutions, 'the kicking in of a rotten door'.
_______________________________________________
skeptic mailing list
skeptic at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/skeptic
To reach the listadmin, mail rick at linuxmafia.com
----- End forwarded message -----
More information about the conspire
mailing list