[conspire] (forw) [skeptic] Ransomware and rotten doors

Rick Moen rick at linuxmafia.com
Thu Jul 6 18:00:35 PDT 2017


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 6 Jul 2017 17:59:21 -0700
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: [skeptic] Ransomware and rotten doors
Organization: If you lived here, you'd be $HOME already.

Interesting article here:

https://www.cnet.com/news/ransomware-attack-goldeneye-petya-cover-data-destroy-nation-state/

  Ransomware attack is cover for something far more destructive
  The GoldenEye attack wasn’t aiming at your wallet. It was trying to
  destroy your data.

  by Alfred Ng
  July 1, 2017 5:00 AM PDT

  [...]
  But now experts believe nation-state attackers are using ransomware as
  a screen, tempting victims to blame faceless hackers instead of the
  countries allegedly behind the attacks. The real goal was to get at and
  destroy data.

Article points out facts of the GoldenEye aka NotPetya episode
suggesting attackers didn't even credibly try to collect ransom money, 
ergo that was a smokescreen, and the point was to leverage breakin
abilities to destroy stored data.  (Affected large companies included
FedEx, Merck, Cadbury, and AP Moller-Maersk.)

FWIW, GoldenEye relied on the same flaw in antique SMBv1 network
protocol software in MS-Windows versions going back to NT 4.0 that I
dissected here on May 13th (about which, the obvious question is 'Why
the Gehenna is anyone still doing Network Neighborhood peer-to-peer
file/print sharing with an infamously terrible, 20-year-old, buggy,
badly implemented network protocol in 2017?).

Article references Russian attacks on Ukraine power-distribution
infrastructure via computer break-in.  Here's a pretty good article
about that, I meant to mention earlier:
https://www.wired.com/story/russian-hackers-attack-ukraine/

Small excerpt:

  But many global cybersecurity analysts have a much larger theory about
  the endgame of Ukraine’s hacking epidemic: They believe Russia is using
  the country as a cyberwar testing ground—a laboratory for perfecting new
  forms of global online combat. And the digital explosives that Russia
  has repeatedly set off in Ukraine are ones it has planted at least once
  before in the civil infrastructure of the United States.
  [...]

  Earlier in 2014, the US government reported that hackers had planted
  BlackEnergy on the networks of American power and water utilities.
  Working from the government’s findings, FireEye had been able to pin
  those intrusions, too, on Sandworm [a trojan clearly from Russia found 
  by security firms in Polish and Ukrainian energy firms and government 
  agencies].

  Most disturbing of all for American analysts, Sandworm’s targets
  extended across the Atlantic. Earlier in 2014, the US government
  reported that hackers had planted BlackEnergy on the networks of
  American power and water utilities. Working from the government’s
  findings, FireEye had been able to pin those intrusions, too, on
  Sandworm.

  For Lee, the pieces came together: It looked like the same group that
  had just snuffed out the lights for nearly a quarter-­million Ukrainians
  had not long ago infected the computers of American electric utilities
  with the very same malware.

  It had been just a few days since the Christmas blackout, and Assante
  thought it was too early to start blaming the attack on any particular
  hacker group—not to mention a government. But in Lee’s mind, alarms went
  off. The Ukraine attack represented something more than a faraway
  foreign case study. “An adversary that had already targeted American
  energy utilities had crossed the line and taken down a power grid,” Lee
  says. “It was an imminent threat to the United States.”

Related article:
https://www.wired.com/story/crash-override-malware/

  'CRASH OVERRIDE': THE MALWARE THAT TOOK DOWN A POWER GRID
  AUTHOR: ANDY GREENBERG
  06.12.17 08:00 AM

(details of the mass computer attack that took down power infrastructure
in Ukraine)

  [...]
  While ESET warns that Crash Override could be adapted to affect other
  types of critical infrastructure like transportation, gas lines, or
  water facilities, Lee argues that would require rewriting other parts of
  the code beyond its modular components. And he points out that if
  power-grid operators closely monitor their control system networks—most
  around the globe likely don't, he says—they should be able to spot the
  malware's noisy reconnaissance scans before it launches its payloads.
  "It sticks out like a sore thumb," Lee says. 

  Still, none of that should leave US grid officials complacent. The
  malware that attacked Kiev's grid has turned out to be more
  sophisticated, adaptable, and dangerous than the cybersecurity community
  had imagined. And those features suggest that it's not going away. "In
  my analysis, nothing about this attack looks like it’s singular," Lee
  concludes. "The way it’s built and designed and run makes it look like
  it was meant to be used multiple times. And not just in Ukraine."


About these power-grid and water system networks:  These are what in the
industry are called SCADA computer networks (Supervisory control and
data acquisition), https://en.wikipedia.org/wiki/SCADA .  As it happens,
I gave an (I hope) entertaining talk in 2004 called 'Viruses and Trojans
and Worms, Oh My! Linux Security and the Bad Guys' Tools', slides here:
http://linuxmafia.com/~rick/eblug-lecture-2004-12-15.pdf
(Slides are no substitute for the actual lecture:  I used them to
highlight points I was making to the in-person attendees.)

Here's what I said on one of my slides about an attack on a SCADA
system, only very slightly tongue in cheek:

  "Viruses are canaries" example:

  Jan 25, 2003, 9:00 a.m., Saturday: Davis-Besse nuclear power plant,
  near Toledo, Ohio:

  SQL Slammer worm for Windows enters and overwhelms the SCADA network.
  Davis-Besse's safety-monitoring system was down for five hours.
  North American Electric Reliability Council reported that two other
  electric plants' (one hopes, non-nuclear) SCADA networks were also
  affected.

  Hooray for the virus! (relatively speaking)

As I said to the attendees, what I _meant_ was that SCADA networks 
must, must, must be airgapped from everything else, period, that 
anyone who cross-connects them should be hanged from a lamppost, and
that the finding of an MS-Windows worm from the outside Internet 
should be almost welcomed because it lets management find a much bigger
problem, that being the impermissible contamination of the network.

In fact, I said that a smart and skeptical SCADA network administrator
would run a constantly running process on a SCADA computer (probably
monitoring the network switch's administrative port) seeking open
routes from anywhere on the SCADA network to any other network, and
instantly isolating any device that creates such a route.

My next slide elaborated:

  'The Slammer worm entered the Davis-Besse plant through a circuitous
  route. It began by penetrating the unsecured network of an unnamed
  Davis-Besse contractor, then squirmed through a T1 line bridging that
  network and Davis-Besse's corporate network. The T1 line, investigators
  later found, was one of multiple ingresses into Davis-Besse's business
  network that completely bypassed the plant's firewall, which was
  programmed to block the port Slammer used to spread.'

  '“This is in essence a backdoor from the Internet to the corporate
  internal network that was not monitored by Corporate personnel,” reads
  the April NRC filing by FirstEnergy's Dale Wuokko. “[S]ome people in
  Corporate's Network Services department were aware of this T1 connection
  and some were not”'

I further commented to the room that a 'firewall' was not adequate to
this situation anyway, leaving aside the (in effect) security sabotage
by the unnamed contractor.  There should be physical discontinuity,
period.  Airgapping, plus active measures to foil anyone doing what the
contractor did, plus keelhauling of anyone trying it.

So, here we are 14 years further down the road, and did anyone in the
power industry or water industry learn from the Davis-Besse horror?  
Maybe not.

Airgapping and active monitoring for unauthorised routes.  Dammit. 
That's the bloody bare minimum.


And loss of data?  Anyone care to guess the next concept I'm going to
mention?  Anyone?  Anyone?  Bueller?

_Backups._  Backups that get tested to make sure restore works and 
captures everything that all department heads certify suffices to 
cover all work product.  Backups that are kept normally detached
(airgapped).  Backups for which all needed software is reinstallable
from scratch from offline master copies of the installation sets plus 
all activation codes, etc.  Backups that keep getting made and keep
getting checked.  Timely, periodic, periodically test-restored,
adequately comprehensive backups stored detached from everything else.

When I was a computer network consultant, the very first thing I
discussed with clients was backup/restore.  I had a standing gag about
that:  I'd refer to what they had (assuming they had one) as their 
'restore system', the implication being that a backup is pointless
unless it provably can be restored, and restoring is overwhelmingly more
important than backup is.

I considered (and still do consider) backups with the above qualities to
be the #1 measure required for security.  Every other security measure
is drastically less important.

So, what the hell?  People are losing data because someone made a dumb
security mistake and 'ransomware' effectively erased everything?  Where
are the timely, periodic, periodically test-restored, adequately
comprehensive backups stored detached?  Nowhere, obviously.

And that is the first problem the affected companies should fix.
Without that, 'security' problems like those discussed in the above
articles are, as John Kenneth Galbraith said of all successful
revolutions, 'the kicking in of a rotten door'.



----- End forwarded message -----
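The cross-connect monitor described in the forwarded message (a process that looks for any route from the SCADA network to another network and names the device that created it) could start from something like the following. This is an added example, not code from the original post; the SCADA prefix, host names and `ip route` output are constructed, and the check treats any route whose destination or gateway lies outside the approved SCADA prefixes as a cross-connection to report.

```python
"""Flag SCADA hosts whose routing table reaches off the SCADA network.

Added example. Input is `ip route`-style output collected from each
SCADA host (constructed here); output is the hosts to isolate and the
offending routes, so an operator can act on a cross-connection before
something like Slammer finds it first.
"""
import ipaddress

# Approved SCADA address space (constructed for this example).
SCADA_PREFIXES = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed per-host routing tables, as `ip route` would print them.
ROUTE_TABLES = {
    "hmi-01": "10.50.0.0/16 dev eth0 proto kernel scope link src 10.50.1.10\n",
    "plc-gw-02": ("10.50.0.0/16 dev eth0 proto kernel scope link src 10.50.2.5\n"
                  "default via 192.168.1.1 dev eth1\n"),
    "historian": ("10.50.0.0/16 dev eth0 proto kernel scope link src 10.50.3.7\n"
                  "172.16.0.0/12 via 10.50.3.1 dev eth0\n"),
}


def parse_routes(text):
    """Yield (destination network, gateway address or None) per route line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gateway = None
        if "via" in fields:
            gateway = ipaddress.ip_address(fields[fields.index("via") + 1])
        yield ipaddress.ip_network(dest, strict=False), gateway


def off_network(net_or_addr):
    """True unless the network (or /32 host) is inside an approved prefix."""
    net = ipaddress.ip_network(str(net_or_addr), strict=False)
    return not any(net.subnet_of(prefix) for prefix in SCADA_PREFIXES)


def find_cross_connects(tables):
    """Return {host: [offending route descriptions]} for hosts to isolate.

    A route is offending if its destination leaves the SCADA prefixes or
    its gateway is not a SCADA address; either means a path off the net.
    """
    findings = {}
    for host, text in tables.items():
        bad = [f"{dest} via {gw}" if gw else str(dest)
               for dest, gw in parse_routes(text)
               if off_network(dest) or (gw is not None and off_network(gw))]
        if bad:
            findings[host] = bad
    return findings


if __name__ == "__main__":
    for host, routes in find_cross_connects(ROUTE_TABLES).items():
        print(f"ISOLATE {host}: {', '.join(routes)}")
```

On the constructed tables the check reports `plc-gw-02` (default route to 192.168.1.1) and `historian` (a route to 172.16.0.0/12 through a router sitting on the SCADA LAN), and stays silent for `hmi-01`.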
