Come to Jesus moment for SCADA developers
A couple of years ago, Firesheep created a come to Jesus moment for many of the most popular web sites on the internet. It demonstrated for anyone interested (no skill needed) that not using SSL was bad, and that anyone’s account could be hacked. All responsible websites have responded by increasing their security and the internet is a better place for it.
At the S4 Conference SCADA systems were put under the wire brush and found as insecure as those websites targeted by Firesheep. Iran learned the hard way that SCADA isn’t secure with Stuxnet.
SCADA is designed by industrial engineers for industrial engineers, and not by computer security experts… and it shows. At the conference, flaw after flaw was exposed which, if exploited, could cost billions and even cost lives. Unlike a Facebook account, SCADA controls physical processes, and when something goes wrong, bad physical things can happen. The conference attendees speculated that there will be a Firesheep moment for SCADA and that the industry will have to react.
I agree and disagree. I do think that if I were to buy a new SCADA system, I’d be able to find a wide range of improved security offered. I also think that I’d find systems that were upgradable and that could be easily patched in the future against evolving threats. What I don’t see is any reasonable expectation that the existing fielded systems will ever be fixed. The flaws extend beyond the server farm and into small control boxes scattered around power plants and industrial sites. This is more like IE 6 than Firesheep. No matter how much Microsoft has tried, IE 6 still lives on. It will take touching every single flawed box and potentially redesigning every single system to secure them. Firesheep was countered by using SSL at the servers. If countering required each user to replace their laptop, we would still hear about Firesheep.
I don’t know if there will ever be an event that causes industry to touch all of those boxes and to upgrade them. Those boxes are a sunk cost and they just work… so why change them? It will be easier for industry to implement procedural changes to reduce (but not eliminate) the risk. Some industries such as nuclear power plants may make the effort, but will the dairy farm? Additionally, I doubt that any warranty associated with these boxes included this. They work as designed, so the fact that they were designed without sufficient security isn’t something likely covered under warranty.
The people that wrote Stuxnet were targeting a specific set of SCADA controllers and intentionally prevented their software from attacking outside of a narrow set of parameters. They were unable to prevent collateral damage, but they did go out of their way to try. The worst case scenario for the SCADA industry (both manufacturers and users) is someone releasing a variant of Stuxnet that is as discriminating as a nuclear weapon. Remember the Conficker virus? You know, the one that infected 15 million Windows computers. It didn’t care who you were. Now, put the Stuxnet payload on something as nondescript as that, and you’ll get the world’s attention. You will also cause physical damage across a wide range of industries.
It is unlikely that the industry will recall their boxes and replace them for free. It is also unlikely that most industries will pay to replace their SCADA systems with newer secure ones. The best we can hope for is that industries start building response plans for when their SCADA systems are compromised. At some point some virus is going to be released into the wild that does impact SCADA. It may be something that was designed to target a small population, but whose controls were poorly designed. It may be something designed to show off the skills of some 15 year old hacker… I don’t know… but it will happen. The question isn’t if or when, but how industries will respond and how well those contingency plans are written.
LightSquared vs GPS
There have been several experiments showing that LightSquared’s systems interfere with GPS frequencies. LightSquared is now seeking a ruling to put the blame on the GPS manufacturers and therefore be permitted to roll out its system while forcing the GPS manufacturers to fix their systems. If this goes through it will be a disaster. First of all, the GPS systems in question are already out in the market, and LightSquared’s isn’t. Even if this were the fault of the GPS equipment, there is no economical or technical way to update every GPS device, especially those that are securely embedded inside of systems.
But, this is not the GPS manufacturers’ fault, as LightSquared would have you believe. GPS receivers are just that, receivers. They only listen for the GPS signal that is broadcast from the satellites above. The GPS signal is very weak, and therefore the receivers must be sensitive to pick up the signal. If LightSquared is broadcasting too close to the GPS frequencies, or on the GPS frequencies, of course these sensitive receivers will pick it up. Welcome to basic radio theory. GPS receivers have been around for many years, and have evolved. In the beginning it took a long time to pick up a satellite and only a few could be picked up at a time. That wasn’t good enough for either military or commercial use (no good if your GPS only starts working after you have arrived at your destination), so they pushed up the sensitivity and improved the processing. Now they have GPS receivers that can find your location quickly, just like we want. The outcome of this is that a small buffer is needed around the frequencies to ensure that they aren’t accidentally interfered with. That is the price we pay to have a GPS system that works, and those are the frequencies that LightSquared wants to use.
Sorry LightSquared. Much of our civil infrastructure, consumer electronics, and military systems rely on GPS. If your systems are going to interfere with them, then you lose. If your system were already deployed and GPS were new, then the roles would be reversed. You are the one coming late to the frequency party and therefore get stuck dealing with the outcome of several years of evolution of GPS.
I like what LightSquared is trying to do, and I do hope that they can find some frequency band that will work for them. However, the GPS bands must remain off-limits. It is unfortunate for any company that has a good idea, and believes that it has a right to develop systems that border on GPS, that its plans get screwed. The Government did a poor job of laying down a foundation for frequency management. There was no way to do it well, given that no one had any idea as to how wireless technology would evolve. The FCC has done its best with what it has, but it is stuck with many legacy decisions and systems that abuse the frequencies they are given. At some point we’ll have to make the same transition as we did from standard to digital television, but this time with military radios, satellite communications, and commercial wireless devices. It will be a challenge and will likely take several hundred years to complete. Until then, LightSquared and others like them are stuck with what we have, no matter how unfair it may seem.
Best of luck LightSquared, but stay away from my GPS… it is often the only thing that knows where I’m going… and I’d like to get there someday.
How the Government Goes About Creating a Crappy App
Rich Jones posted a wonderful piece on gun.io on the horrible mobile application that the Occupational Safety and Health Administration (OSHA) created. He estimated that he could have done it for about $600, so he submitted a Freedom of Information Act (FOIA) request to find out how much this piece of crap cost the taxpayers. In total, the Android App, iOS App, and the Blackberry App (which was never released) cost slightly over $200,000. That’s right, a $600 app for $200,000. On top of the $200,000 for the applications, the source code isn’t publicly available as it is considered a trade secret by the contractor, Eastern Research Group.
Rich goes on to ask how this could happen. Well, I don’t have any inside information on how OSHA did this application, but I can hypothesize how this happened. Rich describes how he’d like the system to work, and I applaud him for that vision. Now, let me work through the likely steps that resulted in this piece of crap.
- Somewhere near the top of OSHA a Senior Executive Service (SES) manager decided that OSHA “needed an App”. Everyone in Government is doing Apps, and OSHA is not going to be the only one left without one.
- The poor manager assigned to this task has no technical or coding background. He or she is a mid-level manager, just trying to put food on the table. When he asks the Boss “What do you want the App to do?”, the answer is something like “I don’t care, just make an App and leave me alone about it.” Here’s the first major problem… there is no actual reason for the App, and no one has thought this through.
- The manager must now write a Request for Proposal (RFP) for the development of the App. This process takes about six months if you are lucky, and you must go through multiple legal and contracting reviews. Any creativity or vision will be stripped out of the RFP as too risky or unusual. The RFP will have language such as “The Contractor shall produce an App that provides users information about OSHA”. There won’t be any mock-ups, diagrams, or use-cases… it is all just words.
- The RFP will be a Firm Fixed Price (FFP) contract, which keeps the Government from taking any risk, or from having to constantly manage the contract to ensure that everything is going according to plan. An FFP contract means that the Government pays the contractor (ERG in this case) a flat fee for the App. If it costs ERG $600 to make the App, then the rest is profit.
- The RFP “goes out on the street” for proposals. The Government waits for about thirty or sixty days for responses. Contractors write proposals, and the proposal that is “technically acceptable, lowest cost” wins. Now, there are two poison pills for new and smaller companies. The first is that they are judged on “past performance”. So, if you don’t have any, it counts against you. In reality no past performance equals a neutral score, but you can’t take biases out of the people reviewing the proposals. Secondly, the RFP contains a lot of boilerplate requirements which are very costly to satisfy. Only companies that have made it their business to get Government contracts get Government contracts. It is just too difficult for others to break into the business, but occasionally it does happen. Most often a company will leverage one type of contract for another. So, if a company runs an IT Help Desk, it will suddenly consider itself a software development house, with the predictably bad results.
- The contractor will take as much time to do the work as possible, even if they aren’t really working on it. For a FFP contract, you don’t want to deliver too early. That would give the Government the chance to complain and force changes. But if you wait until just before the end of the “period of performance”, there isn’t enough time for the Government to react, so they just accept what was delivered.
- Finally, by the time the App is actually delivered the SES has moved on to another job, and the new SES’s response is “we have an App, why?, okay… might as well publish it”.
There you go, from poorly defined requirements to a somewhat functional App. This is not just how it can happen; this is how the system is designed to work. It could be redesigned and changed, but that requires an act of Congress, and they haven’t really demonstrated their capability to pass well thought out and well written laws lately.
Rich also goes into the inability to obtain the source code. The default data rights for such a contract are Government Purpose Rights (GPR). GPR is kind of like open source, but only within Government channels. This assumes that the mid-level manager understands something about data rights. If not, the contractors will likely try to slip even more restrictive data rights into their proposals. If the manager is a rebel, they could push for “unlimited rights”, which would allow OSHA to release the code, but that really takes a lot of effort, and assumes that one of these companies is even willing to accept that contract clause.
Rich makes some good points in his rant. Unfortunately, the government contracting process has been established to maximize profit while minimizing productivity. In many ways it is a works program. Now, I’m sure that isn’t its true stated purpose, but that is how it ends up. I would like to see the system change, but I’m not sure writing my congressman will help in this case.
Virus Takes Down AF Drones…WTF
Wired has an article on a computer virus that has infected the Predator and Reaper control stations at Creech AFB. Someone screwed up big here. First off, why was infected media introduced to the classified system? Secondly, why wasn’t there a clean backup that they could use to restore from?
These systems operate on a classified network. So, either the bad guy has access to the classified network and introduced the malware there (not a happy thought), or someone broke the rules and transferred media from the internet to the classified network (another no-no). Now, there are always exceptions to the rules, but in those cases all media should have been scanned prior to connecting them to the classified network. So, what happened here? Someone screwed up. Someone didn’t follow the rules assuming that they didn’t apply to them, or that what they were doing at the moment was too critical to slow down and follow the rules. Maybe the system they use to scan media was broken, or perhaps it wasn’t loaded with the right virus signatures. Either way, something went wrong.
Secondly, why don’t they have a clean system to restore from? This is a weapon system, not a video game. In the article they go on about how they had to build the system from scratch again and again, always resulting in the same re-infection. Why? Doesn’t the system have a clean backup? With the advent of virtual machines, snapshots, backup tapes, replication, and so on… you’d think they should be able to restore without a problem. Now, the exception would be if the virus is hiding in some firmware, and if that is the case, they are in more trouble than they realize.
I guess the real last question is why are they using Windows at all? Why is the military using a commercial grade operating system that is the largest target on the planet for viruses to run a critical weapon system? Shouldn’t this be on SELinux? I bet the decision was made in the name of convenience and cost savings… so, how convenient is it now? Saving money? We need to realize that if IT systems are weapon systems, then we need to treat them as such. This isn’t the same as my PC at home. People generally don’t die if my PC goes up in smoke at home, but what happens if, through the virus, someone learns how to insert commands into a Reaper? How does it look when the Reaper fires a missile at friendly troops… and we learn that it was the result of someone hijacking the system? If they can hijack people using their bank’s website, they could certainly do this… and learning the system through a keylogger is the first step in that direction.
The Predator program has been an insane success. It went from a science project to a major weapon system overnight. Had it gone through the traditional acquisition cycle, it would have likely failed. However, in its rush to be fielded, they took shortcuts such as their selection of operating systems. It might be time now to rethink this. If you are going to go with Windows, then you need to secure it correctly. If you are a critical system, then you need to be able to boot from a clean backup. Yes, this means more engineering and more costs, without any obvious operational value… but it also means that you can continue to operate through these types of issues. Mission availability and robustness should be a valued operational characteristic. I doubt that this incident will cause anything to be changed. I just hope that it won’t take one of our UAVs being hijacked and the death of friendly troops to finally make us change how the system is designed and used.
Thanks Steve
As everyone on this planet probably knows by now, Steve Jobs has died. I came late to the Cult of Mac, and it wasn’t until I was not only ready to spend that kind of money, but Apple had also developed an ecosystem worthy of me paying so much for a computer. Up to then I had been a Windows guy, and I always had an arsenal of utilities just to keep the machine working.
Steve was very lucky. Not only did he have a vision, but he also had the tenacity and resources to make his vision into reality. I think most importantly, he learned from his mistakes. It must have been something for him to see Apple take off based on his vision. How proud he must have felt for himself and his team, when the world’s shoppers embraced his vision with their checkbooks. I would guess it would be like being the head of NASA as the first man stepped on the Moon.
I don’t know if anyone else could duplicate Steve’s success. There are certainly many people out there with great visions, but few are as lucky to be surrounded by just the right opportunities and resources as Steve was. I would like to think that we will see more like Steve come out into the open.
Steve was a Buddhist, and if he is correct, he will likely be reincarnated. I like the concept and believe it myself. There may be a newborn somewhere with Steve’s soul, wailing away in his mother’s arms. I have to wonder what such a baby will grow up to be like. Maybe someday in a few years we’ll see this rising star of a man and realize him for what he is, Steve 2.0. Until then, the world will mourn his loss, as well as the loss of all who have passed.
Thanks Steve for the vision you brought to this world, and all of your hard work. Best of luck in the new life, and enjoy your iPad in your iCrib.
Computer Based Grading
The Chronicle had an article on Western Governors University and how it separates professors from those that grade papers. When I first read the article, I cringed a bit. I don’t know if I like this idea, but after thinking about it more, I think it has a lot of possibilities. First of all, just because you can teach doesn’t mean that you can grade fairly. In the intelligence business, analysts are constantly fighting the notion of bias. The same is true for teaching. If a teacher doesn’t grade the first and the fiftieth exam the same, it isn’t fair to either of those students.
I like what Western Governors is doing. If a computer can do the hard work of grading the exams, then the students get unbiased evaluations, and the teacher can focus on teaching. It must be interesting being a teacher there. To be able to teach without worrying about the workload of grading must be a good thing. But, you must also document the correct answers well, so someone else can grade the exam.
I have to wonder if the software will migrate into word processors. It would be interesting to be able to tell the computer what the paper is supposed to be about, and then have it evaluate the paper as it is being written. If all you need is a B, then you stop when you have a B. It would be difficult to write the software so that it isn’t an unfair tool, more of a crutch than an evaluation tool, but I think that may be possible. This type of thing could really open up a lot of possibilities for on-line testing, or for test preparation tools. You could have several SAT written exams available, so the computer could then grade you as you go. What a great way to prepare for the test.
I’m sorry to see that the software or the contract graders haven’t gained much traction. I hope that their success will promote a wider adoption of this technique.
Shady RAT… who dunnit?
I was reading McAfee’s report on Shady RAT, and I have to take my hat off to McAfee. They were able to attribute the attacks to China without actually saying so. If you look at the map of the attacks, they all surround China, with the exception of the North American and European targets… who are also of interest to China. Now, to be fair… Russia was also noticeably untouched, and I guess you could interpret this as attribution to Russia. But the target set does appear to be of interest to China, and to China alone.
This is not a surprise. China has long been suspected of conducting cyber attacks in support of their spying, and it looks like they have a longer history and deeper penetration than previously thought. Let’s be honest about it… probably every country with an internet connection uses the internet for spying. Maybe it is just using Google to do searches on topics of interest, maybe it is breaking into networks. China just seems to be very good at it, and prolific. Maybe someday we’ll have a cyber treaty in which nations will stop spying on each other this way, and then we’d get to worry about companies that do the same thing. I bet that we never get away from this, and at some point we must accept that what we put on an internet connected network is likely going to end up in one or more intelligence agencies.
Siemens is so screwed
Here we go again. Wired had an article on more of the computer tragedy known as Siemens. There was a presentation outlining the security (if you can call it that) of multiple Siemens industrial control systems. They found hard coded passwords, and even an easter egg in the systems. It looks like there was no one at Siemens awake at the wheel during the design of these systems. Security was an afterthought, and perhaps even an inconvenience.
I have to wonder if this will lead Siemens to the brink in this business. You can bet that their new customers have to be looking for other options. Siemens can respond in one of two ways. They can fold up and call it quits, leaving a legacy of being the laughingstock of the industrial control world… or they can make sweeping changes in their design philosophy, and become the leaders in secure industrial control. God knows that they have the motivation and lessons learned to overcome this and become leaders. It is sad that to date, you really aren’t hearing anything from Siemens. They are like a small kid getting beat up who is simply curled up in a ball… not even a call for “Mommy”, and certainly not fighting back.
I’m hoping that they will bounce back. They were once a well respected company, and there is a lot of money in bringing secure industrial controls to market.
Airport Scanners Fail German Tests
AFP has reported that the body scanners used by the TSA are a failure.
Body scanners being tested at Germany’s Hamburg airport have had a thumbs down from the police, who say they trigger an alarm unnecessarily in seven out of 10 cases, a newspaper said Saturday.
Not a surprise to anyone that has been through them, nor to any high school graduate. I’m glad that at least Germany is testing them. I get the feeling that the TSA skipped that part, drank the kool-aid, and emptied the piggy bank. Just because a defense contractor tells you that it will work doesn’t make it so. These scanners make no sense in an airport. They simply do not make flying any safer, but they do increase the ability of the TSA to terrorize, embarrass, and intimidate innocent travelers.
This doesn’t mean that these scanners don’t have a place in the world. These could be useful in Iraq and Afghanistan at entry control points to detect suicide bombers. However, the first bomber that blows himself up along with the scanner wins. I doubt you could make a bomb proof scanner, but it would be worth the false positives to stop a suicide bomber. But for the rest of the world, it is time to put some common sense into security and to address the reality that we can’t afford to live in a continuous police state.
Release the Polymorphic Malware
Symantec had a report that we now need to worry about polymorphic malware. I’m not sure why this is news. We’ve seen polymorphic malware forever. Most of the time it changes due to modifications made by the authors in an attempt either to improve the malware or to avoid detection. We’ve even seen malware that disguises itself and makes changes to itself to avoid detection. I guess this is a slow news day for Symantec, so they have to throw out something for the press.