Tomorrow morning, I will be giving a lecture to the CS4243/6243 Information and Computer Security class at Mississippi State University.  It will cover the events that led up to, and followed from, the arrest of Jesse “GhostExodus” McGraw on charges of installing malicious code onto hospital computer systems, including a system that was the HMI (Human-Machine Interface) of the SCADA system controlling ventilation, air-conditioning, and various aspects of the surgery wing.
The purpose of the talk is to cover some of the more interesting points of evidence that was gathered, documents surrounding the arrest and indictment, and some of the aftermath.  To give the students some practical skills to take away, I’ll be discussing some of the methodology used that would be applicable when responding to other incidents.  It’s difficult to fit everything into a 50-minute lecture, but I believe I’m hitting the most interesting and entertaining points, and will be happy to go into more detail with smaller groups of interested students afterwards.
I am making the slides available here; however, you will notice that they mostly consist of images and screengrabs for me to use as talking points.  While they may or may not be interesting standing alone, I’ve uploaded them primarily to serve as a reference for the students that have attended the lecture.
If I’m happy with how the lecture goes, I may use it as a reference to record some narration on top of the above slides and make it available on this site.
If you are in the area and wish to drop in on this lecture, you are welcome to do so.  It will be at 9:00 AM, Monday August 31, in Butler 103.
If you are a student in the class, coming here for the slides, and are new to the site, these are the posts related to this lecture:


A friend just pointed out Seth Hardy’s petition to be added to the ballot for an available seat on (ISC)2’s Board of Directors:

From everything I can see, Seth looks like a very qualified and motivated candidate, and deserves to, at the very least, be on the ballot for the members to select from.  He comes from a technical background and hopes to improve the technical quality of the CISSP exams.  You can check out his qualifications at the above page.

Getting on the ballot is a difficult matter, requiring that one percent of all CISSPs (633) sign a petition.  If you are a CISSP, and don’t mind Seth throwing his hat in the ring, please go and sign his petition.


Nicholas Leali at the Cisco Security Community blog has posted an excellent summary of the security lessons that can be learned from the control systems incident at Carrell Clinic:

Nicholas was kind enough to contact me for comments in the process of writing this article, as well as link back to this site.  He has done an excellent job of summarizing the precautions an organization can take to minimize the risk of a similar compromise, including physical access control, more careful vetting of employees, and rotating guards.

It’s a good article, and I recommend anyone following the incident on this site to check it out.


Someone, apparently trying to perform a really anemic denial-of-service or just trying to waste bandwidth, has written a Yahoo! Pipes application to repeatedly grab my front page. It shows up as a request for robots.txt with the user-agent “Yahoo Pipes 2.0”, and is followed by a lot of requests for “/” from hosts matching htproxy[num].ops.re[num].yahoo.net (htproxy3.ops.re4.yahoo.net, htproxy2.ops.re4.yahoo.net, etc.).

It doesn’t appear to be beefy enough to affect availability, so it’s more of an annoyance than anything.  It’s either someone too frightened to take his or her problems up with me directly, opting instead to hide behind a slow proxy, or it’s simply someone with a tragic bug in their Yahoo Pipes app.  I was willing to give it the benefit of the doubt for a couple of days, but the latter possibility seems to be less and less likely as Pipes’ steady march continues.

What’s more, Yahoo Pipes’ abuse email (pipes-abuse@yahoo-inc.com) listed here bounces. I’ve sent my inquiry along to security@ and pipes-bd@, so hopefully someone there can fill me in more on what’s going on.

In the meantime, I’ve taken steps to block Yahoo Pipes from this site.  We’ll see how well that works.  If you are running a legitimate Pipes app that uses this site (doesn’t seem to be a lot of other Pipes activity in my logs), then this may break it, and you’ll just have to hang tight for a while.

Edit: Looks like a couple of people at Yahoo have taken a look at the logs I emailed them.  I guess we’ll see if they write me back :)

Edit: Got a couple of responses.  The requests are coming from the Yahoo Query Language (a sister project of Pipes), and they’re looking into the problem.

Oh Bother Edit Again: Yahoo Query Language (YQL) is all kinds of messed up.  It spoofs a Firefox user agent for most of its requests, making it look like some skiddie tool when it freaks out and runs up over 9000 requests in 3 days.  I’d recommend robots.txt’ing it off, but there is/was/for-how-long-was-it-anyways a bug in it where it incorrectly parses it and goes to town on your site anyway.  That’ll be sorted out by the time you get to this, hopefully.
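The pattern described in this post (a robots.txt fetch announcing itself as “Yahoo Pipes 2.0”, then a stream of requests for “/” from htproxyN.ops.reN.yahoo.net hosts, later with a spoofed Firefox user agent) is a good small exercise in pulling an indicator out of access logs. The script below is an added example, not part of the original post and not anything Yahoo published: it parses Apache combined-format lines, summarizes front-page hits per host, flags bursts and hosts matching the htproxy naming pattern regardless of user agent, and emits an Apache 2.2 mod_authz_host deny stanza. The log lines are constructed to mirror the post, and they assume HostnameLookups is on so the first field is a hostname rather than an IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "combined" log format, modelled on the post:
# a robots.txt fetch by "Yahoo Pipes 2.0", then repeated requests for "/"
# from htproxyN.ops.reN.yahoo.net, some with a spoofed Firefox user agent.
# Hostnames in the first field assume HostnameLookups is on. Not real entries.
SAMPLE_LOG = """\
htproxy3.ops.re4.yahoo.net - - [29/Aug/2009:10:00:01 -0500] "GET /robots.txt HTTP/1.1" 200 45 "-" "Yahoo Pipes 2.0"
htproxy3.ops.re4.yahoo.net - - [29/Aug/2009:10:00:02 -0500] "GET / HTTP/1.1" 200 31842 "-" "Yahoo Pipes 2.0"
htproxy2.ops.re4.yahoo.net - - [29/Aug/2009:10:00:04 -0500] "GET / HTTP/1.1" 200 31842 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
htproxy3.ops.re4.yahoo.net - - [29/Aug/2009:10:00:12 -0500] "GET / HTTP/1.1" 200 31842 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
htproxy3.ops.re4.yahoo.net - - [29/Aug/2009:10:00:40 -0500] "GET / HTTP/1.1" 200 31842 "-" "Yahoo Pipes 2.0"
dsl-12-34-56-78.example.net - - [29/Aug/2009:10:02:00 -0500] "GET / HTTP/1.1" 200 31842 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13) Gecko/2009080315 Firefox/3.0.13"
dsl-12-34-56-78.example.net - - [29/Aug/2009:10:02:05 -0500] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.13) Gecko/2009080315 Firefox/3.0.13"
htproxy2.ops.re4.yahoo.net - - [29/Aug/2009:10:05:30 -0500] "GET / HTTP/1.1" 200 31842 "-" "Yahoo Pipes 2.0"
"""

# Apache combined log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Reverse-DNS names of the fetchers named in the post. The user agent cannot be
# trusted (YQL spoofs Firefox), so the host pattern is the stable indicator.
YAHOO_PROXY_RE = re.compile(r'^htproxy\d+\.ops\.re\d+\.yahoo\.net$')


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def has_burst(times, burst, window_s):
    """True if any window of window_s seconds contains at least `burst` timestamps."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_s:
            start += 1
        if end - start + 1 >= burst:
            return True
    return False


def analyze(text, burst=3, window_s=60):
    """Per-host summary: front-page hits, UAs seen, robots.txt fetch, burst, proxy match."""
    root_times = defaultdict(list)
    uas = defaultdict(set)
    robots = set()
    for rec in parse_log(text):
        host = rec["host"]
        uas[host].add(rec["ua"])
        if rec["path"] == "/robots.txt":
            robots.add(host)  # fetching robots.txt is not the same as honoring it
        elif rec["path"] == "/":
            root_times[host].append(rec["when"])
    report = {}
    for host in uas:
        report[host] = {
            "root_hits": len(root_times[host]),
            "user_agents": sorted(uas[host]),
            "fetched_robots": host in robots,
            "burst": has_burst(root_times[host], burst, window_s),
            "yahoo_proxy": bool(YAHOO_PROXY_RE.match(host)),
        }
    return report


def hosts_to_block(report):
    """Hosts worth denying: known Yahoo fetchers, plus anything hammering '/'."""
    return sorted(h for h, r in report.items() if r["yahoo_proxy"] or r["burst"])


def deny_snippet(hosts):
    """Apache 2.2 mod_authz_host stanza; name matching needs HostnameLookups."""
    lines = ["Order allow,deny", "Allow from all"] + [f"Deny from {h}" for h in hosts]
    return "\n".join(lines)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for host, r in sorted(rep.items()):
        print(host, r)
    print(deny_snippet(hosts_to_block(rep)))
```

On the constructed sample, htproxy3 trips the burst rule (three front-page hits inside a minute) and both htproxy hosts match the name pattern even where their user agent claims to be Firefox, while the example.net visitor is left alone. The burst threshold and window are deliberately loose defaults; tune them against a day of your own logs before letting them drive a deny list.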


Much like last year, a few of the more high-profile talks from Black Hat this year have been released on the web site pretty soon after the conference:

The following talks have video available, as of this posting:

  • The Language of Trust: Exploiting Trust Relationships in Active Content – Mark Dowd, Ryan Smith, David Dewey
  • Something About Network Security – Dan Kaminsky
  • More Tricks for Defeating SSL – Moxie Marlinspike

Slides and papers are available for most of the other talks.

If anyone has a public (or private) lead on getting audio/video recordings for the rest of the conference, contact me.  I’m going to keep an eye out, and when I see anything new that’s publicly available, I’ll link it in a new post here.

© 2012 McGrew Security Suffusion theme by Sayontan Sinha