Last week I wrote a story on the compromise of an industrial control system in Illinois that destroyed a pump at a water processing facility. The same day a hacker came forward and posted internal information on pastebin.com from another compromised utility in South Houston, Texas.
Within hours of publication I was contacted by the hacker involved in the Texas incident and I was able to ask him a few questions via email about the state of critical infrastructure security.
In his original message to Naked Security he noted that he was able to access the systems at the South Houston facilities through two methods.
First he was able to connect to a variant of VNC that is accessible from the internet to capture the screenshots he posted. He also was able to access a web administration portal, which he claims he can still access.
He also commented “Don’t worry, I use my powers for good and such.” We can only hope that is true. He understands that his exploits are a crime and insists he is simply trying to draw attention to this problem.
–Interview begins–
Chester: It appears that many attacks against SCADA systems are opportunistic, i.e. they target systems that are “wide open” rather than targeting specific facilities. Have you explored the security of specific systems, or have you simply been able to find the least secure systems?
pr0f: I have entered a couple of different kinds of systems, but I am under no illusions about my level of skill. These are the least secure systems.
Chester: You disclosed your attack on South Houston quick on the heels of the story about the water system attack in Illinois. Was this coincidental and what was the point in you disclosing your attack?
pr0f: It was deliberate. I was furious at the lack of proper government response. The response they gave was nothing more than “Nothing happened. Probably.” When clearly something did happen.
Chester: In your experience, where does the responsibility lie in these systems being configured so insecurely? With the system manufacturers, integrators, operators or a combination of all of them?
pr0f: Frankly, I think the operators are probably least at fault. They’re trained to operate these machines; they’re engineers, not netsec experts.
The manufacturers should have been working to the highest standards from the start, since these systems are difficult to update. And the integrators, people who are contracted to install them, should make sure they are actually as secure as possible, too.
Chester: Accessing the system you posted information about to pastebin is a crime in the United States. What changes could be made to the Computer Fraud and Abuse Act to encourage responsible disclosure of security flaws and unprotected systems?
pr0f: I really think that it should be a matter of intent and actual damage caused. Shutting one of these down is obviously a crime. Finding one and accessing it out of curiosity, then exposing how insecure it is responsibly, should perhaps be treated a lot more leniently (of course, I am a little biased here).
–Interview end–
In no way does Naked Security endorse pr0f’s methods, but he does raise some interesting points.
Unlike many of the data disclosures by the likes of Anonymous, he has not disclosed your personal details, but rather drawn attention to a rather serious problem many have had their heads in the sand over.
He acknowledges as much and stated “I’m aware I’m screwed when I get caught, if you’ll excuse my language.”
Like many security problems, improvement in the safety of these systems will require manufacturers, consultants and operators to work together. Let us hope these two incidents are causing everyone involved to take a closer look at their own systems.
Great post Chet, thanks for the information. While you may be hesitant to praise pr0f, this type of attention to the insecure problems of basic infrastructure is the only way that change can be mandated, as sad as it is that we only have the money or time to worry about these things when they’re just theoretical. Great post!
If this person's intent was to show the insecurity to a system and not to cause harm and he didn't distribute the information then he shouldn't be "screwed" for his actions… If anything he should be praised for showing this company just how weak their systems are! The company too should be offering him a JOB as well this way they know that he's on their side as it's obvious their own tech personnel haven't done their own jobs to the highest possible standards!! And for a side note… SHAME on the government "hiding" the info on this breach… "nothing happened probably" HOW the hell would they know if they aren't as diligent in keeping sensitive info as secured as possible… I'm sure I'd have a flip out on someone's head if my social security number was leaked for the world to see and someone to steal!
Still no proof that he actually broke into anything. Could have grabbed those screen shots from anywhere.
Spin this on its head, and let's say the full force of the law is brought to bear on pr0f – he'd probably end up in jail. What message does that send out to the rest of the hackers out there? Some will stop hacking altogether, but some will persist – the intellectual pursuit of identifying and exploring a security hole is difficult to resist.
Those that continue hacking would be much less likely to present evidence of the holes they've found and give the sysops a chance to patch and remove the security flaws identified for fear of the law cracking down on them. So those holes remain to be discovered by other hackers, eventually the really bad guys, and you find your systems properly sabotaged.
Which all sounds pretty bad to me. To paraphrase LBJ, I'd rather have hackers like pr0f on the inside of the tent…
You are right jaidemoon. As I read the conversations above he's trying to help in some ways by exploring his capabilities to warn those using the type of infrastructure and its security.
Great post Mr. Chester Wisniewski.
At the risk of being corny, here's an analogy: The internet is like a door into your facility. Only instead of opening to the outside…. it opens to anywhere in the world.
In the olden days, you only needed to be concerned with lockpicks from your community. If you had good enough policing you didn't need a real secure lock.
Now, with the internet, you are exposed to an entire WORLD of lockpicks.
It is dangerously naive to think that arresting a local lockpick here and there will have any real effect on your safety.
And then there's the case when your pissy lock may have implications for national security. Or the identity security of your clients.
If a burglar broke into a safety deposit box system because the bank chose to protect it with a $2 lock, the burglar would have perpetrated a crime. But wouldn't the bank be liable for negligence also?
Although his intentions may have been to help, where Pr0f crossed the line (IMHO) was posting the information to a very public place. He could have discreetly informed the owners of the vulnerable system without making the information available to (perhaps) those without such honorable motives. In this case I think ego got in the way of otherwise good intentions.
Agreed. I really wish a question would have been raised about why pr0f didn't attempt any kind of responsible disclosure (or coordinated disclosure, or whatever other term you prefer).
If the security of the system he compromised is a public safety issue (and this wouldn't be a story if it wasn't), shouldn't an effort be made to fix the issue before declaring to world+dog how to take down Houston's water/sewage systems?
Just because the government/utility company in Illinois responded in a way that didn't make you happy doesn't give you the right to endanger Houston residents. Don't get me wrong: I think it is perfectly fine to give the Houston operators a reasonable deadline before you'll publicly release the information, but the honorable thing is to at least give them an opportunity to minimize risk to human life before public disclosure.
s/heals/heels/
Excellent interview! I do have to disagree with his sentiments on where the responsibility lies. Not every SCADA system is deployed or run in the same way. My personal experience with (extremely) insecure SCADA as an Information Security Analyst has the blame lying in large part with the operators/engineers. The senior management in these areas came up as operators and many helped select and install the system in the beginning. They are extremely territorial about it and take any comments on its operation HIGHLY critically. This sentiment filters down to the current operators who take on the opinion of (near verbatim quote): "We built this thing before you IT jokers even EXISTED. We don't need you to tell us a damn thing about how it should be set up. It's run fine for years and will continue to do so for many more." Even more concerning is the fact that almost no one in these positions has a full picture on how it is designed and used.
Improperly built systems + time + ignorance + ego = The sad state of SCADA security we find ourselves in now.
@RogueScholar,
Sounds like you work for my organisation…. I hear those words and opinionated responses nearly every time I raise SCADA security concerns.
The points you raise certainly ring true for me. Well said.
Until something happens to them or their own organisation nothing will change.
Pr0f is a whistleblower – whistleblower protections should apply.