My phone has been blowing up most of the day about this. To sum it up: On the evening of the 18th, a script kiddie that was involved in a previous post on this site (“Perl Hacking is Dead”), XXxxImmortalxxXX, contacted me and began to brag about hacking a hospital’s HVAC system. Upon further googling, it became apparent that XXxxImmortalxxXX was lying to me, and that it was the leader of the group Immortal had joined that allegedly carried out the attack. This attacker went by the name of “GhostExodus”.

As most of my readers here know, my research area is control systems/SCADA, specifically human-machine interface (HMI) software. Being involved in a field that involves elements of our critical infrastructure, I know how serious an incident involving a hospital’s HVAC system can be. Screenshots taken by the attacker showed an HMI that gave the user control over many elements of the hospital, including pumps and chillers in the operating room. Messing around with a system like this can seriously impact the health and safety of the patients.

I spent a large amount of time that weekend gathering up information on GhostExodus, and his hacker group, the “Electronik Tribulation Army”. Monday, I met with my major professor at Mississippi State University’s Critical Infrastructure Protection Center, where I work as a Ph.D. research assistant. I presented the information I had found, and we contacted the Texas attorney general’s office and the Jackson, MS FBI office, where we already had contacts. For the rest of the week, I cooperated with the FBI by sharing the information that I had found. GhostExodus was picked up by the FBI on Friday night.

I plan on sharing more, because there’s a huge amount of interesting data, images, and video involved with this case. The alleged attacker uploaded many videos of his actions to Youtube and other sites, and when I put it all together into a coherent lecture, it should be pretty informative and entertaining. Until then, there’s plenty of media coverage of the arrest:

Google News shows over 170 related stories.

The best and most accurate thing to read, however, is the criminal complaint against “Jesse William McGraw”. I have been informed that this is part of the public record; however, I have taken the liberty of editing out SSNs, DLs, VINs and such on this copy:

(Edit: moved it offsite, because it was chewing up a lot more bandwidth than you’d expect.  You can read it online or download it from the above link.)

If you’re reading the above, I’m “CW-1”.

I plan on keeping you updated on further developments and more information as this progresses. There will also likely be some very interesting multi-media talks and lectures I can give on this, so if you want me to take the show on the road, get in touch.

For now, though, I’ve had a long day, and I shall rest :)

 

Just a little noodling around, followed by fun facts:

HacBook:~ wesley$ nslookup coresecurity.com
Server:		10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
Name:	coresecurity.com
Address: 208.253.45.70

HacBook:~ wesley$ whois 208.253.45.70
MCI Communications Services, Inc. d/b/a Verizon Business UUNET1996B (NET-208-192-0-0-1)
208.192.0.0 - 208.255.255.255
CORE SECURITY TECHNOLOGIES UU-208-253-45-64-D9 (NET-208-253-45-64-1)
208.253.45.64 - 208.253.45.127

# ARIN WHOIS database, last updated 2009-06-28 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

HacBook:~ wesley$ grep 208.253.45 *.log > corelog_lol.txt
HacBook:~ wesley$ wc -l corelog_lol.txt
124 corelog_lol.txt

McGrew Security Late Show Fun Facts about Core Security visitors to the site:

And my favorite:

  • 1 computer with the FunWebProducts adware/spyware.

Update 6/29/09 3:26 PM

Someone at Core just figured out that mcgrewsecurity.com ranks higher than coresecurity.com for their own party:

20090629.log:208.253.45.86 - - [29/Jun/2009:14:15:29 -0400]
"GET /2009/06/24/core-security-apologizes-not-cool-enough-for-core-2009-gathering-proposed/ HTTP/1.0" 200 5366
"http://www.google.com/search?q=core+security+party+at+black+hat&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7ADBF_en"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

(and the FunWebProducts one came back)
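A more precise version of the log check above, added here as an example (not a script from the blog): it parses Apache combined-format lines like the 20090629.log entry, matches the client address against the exact 208.253.45.64/26 block from the whois output rather than the looser `grep 208.253.45` prefix (which also counts the neighbouring /26s in the same Verizon allocation), and pulls the search terms out of a Google referer. The log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format, the layout of the 20090629.log line quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not the blog's real log). The first two fall inside
# 208.253.45.64/26; the third is in the neighbouring range that a plain
# `grep 208.253.45` would also count, although whois does not assign it to Core.
SAMPLE_LOG = """\
208.253.45.86 - - [29/Jun/2009:14:15:29 -0400] "GET /2009/06/24/example-post/ HTTP/1.0" 200 5366 "http://www.google.com/search?q=core+security+party+at+black+hat&ie=UTF-8" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
208.253.45.70 - - [29/Jun/2009:15:02:11 -0400] "GET /feed/ HTTP/1.1" 200 2048 "-" "FeedReader/1.0 (constructed)"
208.253.45.200 - - [29/Jun/2009:15:10:45 -0400] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"
"""

def parse_line(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def search_terms(referer):
    """Return the q= search query from a search-engine referer, or None."""
    if not referer or referer == "-":
        return None
    q = parse_qs(urlparse(referer).query).get("q")  # parse_qs turns '+' into spaces
    return q[0] if q else None

def visits_from(log_text, cidr):
    """Return (ip, path, search terms) for every hit from the exact CIDR block."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            ip = ipaddress.ip_address(fields["ip"])
        except ValueError:
            continue  # malformed client field, skip it
        if ip in net:
            req = fields["req"].split()
            path = req[1] if len(req) > 1 else fields["req"]
            hits.append((fields["ip"], path, search_terms(fields["referer"])))
    return hits
```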

 

…and not the economies of running a popular security conference ;-) .

I’m not usually one to just drop a link as a post, but this one totally deserves it:

Richard Bejtlich is right on target with this one.  He describes how a criminal element could spend a one million dollar budget on what would be a very successful, profitable, and sustainable hacking enterprise.

It’s an extremely entertaining and informative read.

 

I’m going to have to disagree with Bruce Schneier and Jakob Nielsen on this one:

I, and many other users, are often in the position of logging into systems in the vicinity of people with whom we wouldn’t want to share the password.

Let’s look at the arguments against masking from the original story:

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I’m not sure I agree with the first one at all.  Password entry is so commonplace now that only the freshest of the new users would decide to not use a site or product because it masks passwords.  Everybody has experience with it and knows what they’re getting into.

As far as overly simple passwords go, I think that the need to remember the password is the limiting factor here, not having to type it blind.  If you displayed the password back to the user as they typed it, I don’t think most users would choose any more complex passwords than they already have.  Copying and pasting passwords is actually a great idea here, but not quite in the way Jakob Nielsen has put it.  If you have a password manager, like KeePassX, copy a masked password from there into a masked field, and it drops out of your clipboard afterwards, you’ve got pretty good security even when someone is looking over your shoulder.  They could catch the password that unlocks your manager, but watching someone’s hands on the keyboard is orders of magnitude more difficult than reading a password off a screen, especially if the user can type it quickly (it being one of the few passwords they actually have to remember).  Even if they do, that password won’t get them into a remote system; they’d have to get hold of your password database first.

The checkbox idea is alright, though:

Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.

I think more users would be at risk, more often than they think, if password fields were unmasked by default.  I would support having a checkbox like this checked by default in all situations.  Then a user will have to at least think for a moment and maybe assess their current situation before deciding to unmask.

If people start implementing non-masked fields because of this, I’m investing in a higher resolution camera with a good zoom.

Update:

Moyix made a really great point on twitter in response to this:

@McGrewSecurity Makes attacks like http://crypto.m2ci.org/unruh/publications/backes08compromising.html much more effective too :)

The link goes to a very interesting paper on reading data off LCD screens from the reflections on objects in the vicinity.  Not to put words in his mouth, but Bruce would, if he ever read this blog, likely argue that this is a movie-plot threat, but it looks pretty doable to me (and a fun project).

Moyix’s blog, “Push The Red Button”, looks very nice too.  I’m definitely adding it to my reader.

 

This afternoon I received a very polite call from Kim Legelis, the vice-president of marketing at Core Security.  She and I talked for some time about the problems I spoke about in yesterday’s post, and how changes need to be made to the process they use to invite people to their “cool kids” party at Black Hat.  Over the past day I have gotten feedback from readers of this blog and followers on twitter about other cases where Core hasn’t been the friendliest to deal with.  I took the conversation as an opportunity to mention those issues, as well, and that Core, as a company with a great product, needs to be a little more careful with how they interact with the community.

I enjoyed speaking with Kim candidly about the alienating (and silly) nature of the phone conversation I had yesterday.  She assures me that they’re taking the feedback and using it to improve their processes.  If that turns out to be the case, then great!  If you, as a reader, have had a bad experience contacting Core Security, either in the past or after this incident, I would encourage you to share it in the comments for this post.  I’m sure they’re reading now.

I’m looking forward to dropping by the Core Security booth at Black Hat USA 2009 this year.  If you are going too, perhaps we’ll arrange a “Not Cool Enough For Core 2009” outing at a buffet that night.  I’ll even let you put yourself on a “Maybe List” for it, in case you want to stay in the “waiting list” limbo for Core’s ;-) .  If you are interested, leave a comment or drop me an email if you want to be private and sneaky about it.

 

Non-technical post here, but it might be useful if you’re running a business in this industry and want to learn how not to handle your relations with members of the community.

Core Security recently sent out emails about their party at Black Hat USA 2009, asking the recipients to claim their pass.  I assumed that Core were bright enough to do their homework and only send out invites to people they wanted to attend the party, but, as you’ll see, that’s not the case.  I filled out the form, submitted it, and made sure that a colleague of mine attending the conference had also received an invite and submitted a claim.

A week later, today, I get a phone call from Core Security.  The guy on the other end of the line asks me several questions about my affiliations (McGrewSecurity and the MSU CIPC/CCSR), company size, how I heard about Core Impact, etc.  All of this was information that I had already filled out on the form requesting my pass, which was sort of irritating to start with.  Then, he explained how all of this information would be passed to their marketing folks, in order to make a decision as to whether or not they want to issue me a pass to their party…  and that if I didn’t make the cut, I would go onto a waiting list.

I realize that a party like this is an opportunity for Core Security to reward loyal customers and woo potential large clients.  I realize that there is a need for a process like this.  That process should, however, be done in such a way that they’re not alienating large chunks of the community that they sent emails out to.  Do a little legwork and figure out who you’re asking to your party ahead of time, and you might just avoid awkward situations like this.

After being given the “you just might not be cool enough for the Core Security party” speech, you can imagine that I didn’t exactly have warm and fuzzy feelings towards Core after getting off the phone.  As a matter of fact, I couldn’t wait to get off the phone with the guy.  I’m sure that a lot of productive and contributing members of the security community that don’t work for large companies will feel the same way after being grilled over the phone.

And if I’m “just cool enough for the waiting list”, that’s almost worse.  Am I expected to sit around anticipating that lucky moment when enough people bail to allow me in?  Maybe I’m the only one who feels insulted to get a phone call for the sole purpose of ranking me, without having even bothered to look up anything about me beforehand or even the thinnest veil of being interested in any of it.

Core Impact’s a cool product and all, but after that encounter, I’m not in the mood to give them five bucks for it.  Maybe that doesn’t matter to them, because they’ll have a party full of folks who will give them much more.  If they keep riding rough with their relationships with members of the security community, however, they might find their talent pool and word-of-mouth support drying up.

© 2012 McGrew Security. Suffusion theme by Sayontan Sinha.