Just a quick update on the happenings here at Blackhat. The good news is that this year the quality of the presentations seems to have improved, or maybe I've just gotten better at choosing interesting sessions.
Most of the research that had a direct impact on control systems, specifically in the electric sector, was presented yesterday. We'll start with the smart meter/AMI work from Mike Davis that I mentioned earlier. All in all, I don't think this presentation revealed much that we didn't already know: many of the smart meters have significant implementation flaws. Some of this is due to poor coding standards, creating situations for buffer overflows and other standard bugs to occur, but the more serious problems involve things like poorly implemented cryptography and firmware signing. That said, the presentation was heavily sanitized, likely due to legal concerns as well as practical ones, and I was left wanting to know a lot more; I know many others in the audience felt the same way.
Grand, Applebaum, and Tarnovsky's presentation on attacks against smart parking meters was impressive. Much like the devices we typically think of in critical systems, these devices were not designed to stand up to any sort of attack beyond vandalism. Municipalities are investing very heavily in building out their parking systems, and since it is incredibly easy to bypass the payment mechanism with commodity parts, many of which were used in the widespread practice of hacking satellite systems, they should probably take a closer look at these devices before rolling them out in such force. This all assumes an independent-node approach; networked devices could cause even more problems, similar to the AMI meters above.
And the last one I'll mention in this post is Moxie Marlinspike's demonstration of a new technique to attack SSL certificates. An excellent presentation, and one that you can, and should, watch. There are still a lot of problems to be worked out in the trust architecture/framework we've built, and insights like these won't be the last.
That's all for now. I'm off to Defcon to learn some more; there'll be more follow-up posts on the conference material, and likely more from the conversations here. There is a lot more control system presence than most would think, and I've had some excellent discussions with everyone from operators to consulting groups to vendors.
On to a few more highlights from Blackhat. Dowd, Smith, and Dewey's presentation on The Language of Trust was excellent, and the bug highlighted in the presentation, MS09-035, is going to be around for a very long time. This bug was the result of a typo, an '&' where one shouldn't have been. An interesting and very subtle bug, and one that probably couldn't have been found any other way except with the deep-down, cyborg-like binary analysis this team does. So what is the impact of this bug and why does it matter to a control system operator? We all know how much developers of control system components like to use ActiveX controls; they're easy drop-ins and let you get to the meat of what you're doing quickly, and every month or so a bunch of them get killbitted (blacklisted) so they can't be instantiated in things like Internet Explorer, right? Well, all those kill bits just went out the window: until the patch from MS is applied they're all back, and you're just as vulnerable as you were on the day the controls were first installed on your system. This should be a top-priority patch for any system that has Internet Explorer installed and a network connection, and with the trend towards web-based HMIs and management consoles, this really is something you should get done sooner rather than later.
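To make the "kill bits are no protection until you patch" point actionable, here is an added example (not code from the post, the presenters, or Microsoft) that inventories which ActiveX controls are kill-bitted on a host and checks whether a given update is installed. It assumes the documented kill-bit mechanism: a "Compatibility Flags" DWORD with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The KB number is a placeholder you must replace with the update you actually deploy for MS09-035; the post does not give it and neither does this example.

```powershell
# Added example: audit ActiveX kill bits and confirm the ATL fix is present.
# Assumption: kill bit = 0x400 in "Compatibility Flags" (Microsoft-documented).
$CompatKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit   = 0x400
$PatchKB   = 'KBxxxxxx'   # placeholder: the KB id of the update you roll out for MS09-035

function Get-KillBittedControls {
    param([string]$Path = $CompatKey)
    # Each subkey is a CLSID; report the ones whose flags carry the kill bit.
    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KillBit) -ne 0) {
            [PSCustomObject]@{
                CLSID = $_.PSChildName
                Flags = ('0x{0:X}' -f $flags)
            }
        }
    }
}

function Test-PatchInstalled {
    param([string]$KB = $PatchKB)
    # Get-HotFix returns nothing when the update is absent.
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$controls = @(Get-KillBittedControls)
"{0} controls carry the kill bit on this host" -f $controls.Count
$controls | Sort-Object CLSID | Format-Table -AutoSize

if (-not (Test-PatchInstalled)) {
    Write-Warning "Update $PatchKB is not installed: the kill bits listed above do not protect against the ATL bypass until it is applied."
}
```

Run it as an administrator on each HMI or management workstation that has Internet Explorer. On 64-bit Windows the 32-bit browser reads the same path under HKLM:\SOFTWARE\Wow6432Node, so pass that key to Get-KillBittedControls as well if you need both views. The point of the inventory is not the list itself but the warning at the end: a long list of kill-bitted CLSIDs means nothing while the update is missing.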
I was also able to see an excellent presentation on developer education from Andrew Rook, and I agreed with almost everything. We tend to teach developers about writing quality code in a very backwards way, showing them all the different ways something can break, analogous to the driver's education videos with all the gruesome crashes that many of us had to suffer through. Those videos didn't make us better drivers; after a while you felt like a crash was almost inevitable, and they probably made you less safe in the long run. Of course a certain amount of fear is a good thing, and nothing drives home the point like a memory corruption resulting in a shell, but we have to channel that. We need to encourage developers to have a deeper understanding of the tools they're using to create our systems: what the underlying concepts and philosophies of a given language/library are, what the potential pitfalls are, and how to avoid them. What we need to avoid, and what far too many security consultants and "experts" are doing, is just pushing another checklist onto people and creating a de facto compliance requirement. And I think we all know what those lead to: the bare minimum.
Moving on to more of an attacker's/penetration tester's point of view, the Metasploit track at both Blackhat and Defcon was excellent. I know a lot of people are apprehensive about the framework, but I think you have to take the tool for what it is and realize it's become an incredible platform for people like me who like working with the pointy end of the security stick. There's too much to go into in a short post like this, since it was about 6 hours of 20-minute talks, but I'll mention a few. Moore and Trammell's wardialing additions that we've mentioned here before are growing up fast; excellent tools that I look forward to using on the next assessment I'm on with a lot of dialup access. Valsmith and co.'s Metaphish looks to give us a much more structured and more quantifiable way to test our employees for how successful a phishing attack could be. Often overlooked and ignored, user education is still our best bet, and teaching people how to identify a phishing attack by demonstrating one might be the best way to keep them from clicking on a link without thinking the next time. There are many other very interesting things going on with MSF.
There's another presentation or two that I'm going to highlight specifically, but that's going to conclude my overview posts. Aside from the presentations, one of the more interesting things I noticed was how every other vendor had something about SCADA in their marketing materials, but almost no one had actually done anything with it, or at least anything they could tell me about. I'm wondering if those smart grid commercials have got the marketeers thinking that using the magic words "SCADA", "smart grid" or "AMI" will make the contract faeries show up? Of course there's no reason to completely discount a vendor new to the space, but the last thing we need in control systems is more blinking lights (probably blue ones) that give a false sense of security and one more service agreement to manage, and most security products do little more than that.