As promised last week, I continue my impressions from the Swiss Cyber Storm 4 conference which took place on June 13, 2013 in Lucerne.
In the second part of the conference Dr. Thomas Maillart, from EPFL in Lausanne and Berkeley in the US, presented his research on human timing in cyber attacks. This was the first presentation providing a positive outlook on the fight against cyber crime. His idea is that time is becoming a scarce resource; people and companies lack the time to dedicate to their security and protection, and cyber criminals take advantage of this fact. He talked about the 80:20 rule. We don’t know exactly why, but generally when a patch is available we know that 80% of the users will update their system and 20% will not.
Dr. Maillart’s suggestion for protecting infrastructure and networks in the best possible way is to try to predict the bad guys’ next move. That requires statistical calculation and plenty of scenarios. Some of the applications he’s working on in his research are a “cyber weather” forecasting system and a Network Closed Circuit TV (NetCCTV).
The following presentation (“Internet cartography: Using Shodan to explore uncharted territories”) was the most interesting from my perspective. It was given by John Matherly, the founder of SHODANHQ.com. This tool is frightening in its search capabilities! What Google is for finding websites, SHODAN is for Internet-connected devices. It scans the web randomly 24/7 to discover all connected devices: servers, webcams, SCADA controllers… it’s not intrusive and takes on average one month to cover the whole Internet. Of course, this search is only available for IPv4 at the moment. SHODAN checks a broad range of services; some of the less known are MongoDB and MemCache, but also MySQL and other widely used basic services. It was absolutely shocking to discover that servers running 20-year-old software like Windows NT 4 are still operational.
During his scans SHODAN listed some less well-known web server applications like RomPager by Allegro, a nice web server solution but with not much security focus. Surprisingly, the list of known vulnerabilities is not very long, because this product is not yet well-known.
Webcams are also well represented among connected devices. The level of security for this type of device is very low as well. For example, a domain may require a password to access the cam, but if you have a complete URL, the security can be simply bypassed. John was proud to give an example of a SHODAN user who was watching a webcam and saw a woman hurting an elderly person, her mother. He recorded the scene and reported it to the police who managed to identify the woman and prosecute her. Ironically, the webcam was installed by the woman herself to record what her mother was doing.
Another interesting case on digital device security caught my attention. If an iPhone is set up as a web server, beware that your personal data is available online with no security. Neither the exact version of the phone nor the vulnerable iOS was named.
The next part of the presentation focused on SCADA devices. The US government ran some research and, through a project named SHINE, 500,000 SCADA devices were found online in the US. After further research 7,000 devices were identified as critical. The Critical Infrastructure CERT informed the operators of these devices and asked them to either remove the devices from the web or increase their security.
Europe seems to be behind in protecting control systems. Some people manage to gain full access to and control of various infrastructures, such as cable cars, car wash stations, the control system of an electricity-producing dam and, even more bizarre, a crematorium.
A company offering security for SCADA controllers launched a device which unfortunately contained a backdoor. The login was “factory” and the password was simply the MAC address, which was listed on the login page. All SIEMENS Simatic controllers even used to have “administrator” as a login and “100” as a password.
I walked away with the impression that SHODAN is a great tool for the right people, but it could be a dangerous service in the hands of organizations or individuals with less than noble intentions.
Next at the podium was Stefanie Frey from MELANI. Ms. Frey is the coordinator for the National Cyber Strategy of Switzerland. For those who don’t closely follow the strategy of the Swiss federal government, the presentation gave a comprehensive overview of the latest decisions and publications. Ms. Frey reiterated that the Confederation chose a risk-based approach, shifting the responsibility to actors and users.
Four workgroups are working on the implementation of the strategy. The second workgroup, which is the most active, is in charge of incident handling and is preparing a pilot operation with four cantons (Thurgau, St Gallen, Bern and Aargau). This project also involves Swisscom, Swiss ICT, MELANI, IBM and Microsoft.
MELANI shared its positive experiences so far with PPP (Public Private Partnership), with a hundred companies and government agencies expressing interest in collaboration. There were two pertinent questions at the end of Ms. Frey’s presentation. One was why MELANI chose a risk-based strategy rather than a centralized cyber defense command, which is more widely used. The answer was that Switzerland was not alone in making such a choice: Finland and the UK have similar approaches to facing cyber threats. In addition, the Swiss Army has formed a staff dedicated to cyber defense.
The second question was more related to MELANI reporting cyber incident occurrences quite late. This is something MELANI is looking to improve on.
The next speaker, Dr. Stefan Lüders, responsible for security at CERN in Geneva (Centre Européen de Recherche Nucléaire), started his presentation with the statement that, contrary to its name, CERN is no longer active in actual nuclear research. He expressed serious concerns about what he observes daily; in particular, because of the lack of security in industrial control systems (CS), he said that “We are at the dawn of the Cold Cyber War”. He recommended reading the “electric grid vulnerability” report published in the US earlier in 2013. SCADA controllers were not designed with security in mind, so they need to be patched on a regular basis. Patching requires compliance tests and a lot of non-regression testing, and it has to fit into rare and short maintenance windows. In addition, changing the configuration of a controller can lead to the loss of the manufacturer’s warranty.
CERN has decided to delegate the responsibility for securing the control systems to their CS managers, simply because they are the ones who can best assess the risk and work on the implementation plan. Authentication and login to the CS is full of legacy configurations and passwords, which an earlier presenter had already mentioned. Often no encryption was implemented due to the low resource availability. One of the solutions to increase the security of devices could be to search for similar devices on eBay and pen test them, then report the findings to the manufacturer and push them to fix the security holes.
The track of presentations which I attended was concluded by Marks Tibbs from the UK’s SOCA (Serious Organised Crime Agency) on the topic of “Industrialization of Cybercrime”. First he explained how criminals communicate with one another through forums, with the most popular tagline for conversations being “Business opportunities”. Script in Ukraine and Garderplanet.com in Russia were mentioned among the best known forums. The network self-regulates and is based on trust and the reporting of issues among criminals, so unreliable participants can be expelled.
Credit card fraud is a business that has gained enough volume and traction to be industrialized. A criminal can buy credit cards with their CVCs online, which can then easily be used for online purchases. Guess what! Payments are not made using credit cards, because they don’t trust them, but are rather done in cash using services like “Western Union” and “Web Money”. “Liberty Reserve” has been shut down by the authorities, because the investigators realized that only criminals were using its payment services. One can also find tools called “checkers” which verify the validity of stolen credit cards. The price of credit card lots is also based on their level of freshness: the newer the batch, the higher the chances that the cards will still be valid for a period of time. The goal of SOCA is to disrupt the cyber criminals’ business model as much as possible.
In conclusion, I would describe Swiss Cyber Storm 4 as one of the conferences that presents a wide spectrum of topics on current cyber issues. High-quality speakers and topics complemented one another. I heard from some of the participants that what they learned was quite scary and that it seemed nothing could be done to prevent the worst from happening. I believe that this is where companies like Kudelski Security and its peers have a role to play. We need to explain to the CIOs, CISOs and other decision-makers that 100% security is not realistic, but that preparing for the risks that can impact their specific organization is possible. Together we can define the best solution to help organizations secure their most critical assets, as well as their reputation.