Oil and Gas Targeted Attacks Hit Exxon and ConocoPhillips
A recent article in the Christian Science Monitor (csmonitor) revealed some details about targeted attacks that took place back in 2008. The article mentioned that at least three US oil companies were under targeted attacks originating from … yes, you guessed right, China. “Who else, and why this news now?”
The breaches were reportedly focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide.
Quote:
“The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.
The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.”
End quote.
My comments:
This is pretty normal in a world that is literally fighting for fuel and energy. China has been heavily investing in the oil-rich district of Darfur, Sudan, to the dismay of other influential players, and that triggered a lot of violence. In 2009 China built 4 glorious football stadiums for Angola (Africa’s top oil exporter, providing 7% of total US oil imports) as a token of friendship! The same can be said about Halliburton and their exploitation of Iraqi oil.
It’s also evident that the next major conflict (fight for oil included) will be settled in cyber space, or at least start there (Israel’s e-attack on Syria), and it’s up to each and every government/company to be prepared or be pwned.
Now is the best time to mark your territory in cyber space; as an early bird, “and for a limited time only”, you are allowed to hit below the belt and maximize the damage… simply because there are no belts, yet.
With international consensus on this subject missing, everything and anything is permitted until further notice. Even the US and Google can’t do anything about it except denounce it and threaten to pull out of the world’s biggest internet market (the US can only denounce China’s attacks).
The bottom line is that, like everything else, information gathering is taking another means/conduit, and that is the Internet. Nowadays a country’s biggest asset might be a 15-year-old who can infiltrate a radar system from his PlayStation game console.
How many 15-year-olds have you got?
IEEE Launches a Portal on Smart Grids
On the IEEE Smart Grid web portal, all IEEE activities and assets converge into a single place where users can explore and understand the many different aspects of the Smart Grid.
The portal also features a “buy online” option for more than 100 IEEE smart grid related standards, including those called out in the NIST Smart Grid Interoperability Standards Framework.
The portal also offers an online registration process for stakeholders who want to become involved, as volunteers, in the technical and public policy aspects of the smart grid and renewable energy.
You can sign up here.
SHODAN – Listing SCADA Servers on the Internet
SHODAN is an online computer search engine that lets you find servers, routers, etc. using simple search keywords (ports, services, keywords, etc.).
Typing the word SCADA returns about 18 matches. Most of them are RTS (time servers) used to synchronize system/network time over the internet; others can be used to remotely log on to a SCADA server using the BroadWin WebAccess plugin.
Aircraft Tracking for the Masses
A friend told me about a free website that lets you track airplanes anywhere in the world, in real time (with a 5 minute delay), using Google Maps.
Casper is a website that visualises live aircraft traffic. It can show tracks, labels and a heat map, and the map can be zoomed and panned.
The system also provides specific flight information, for instance altitude, speed, manufacturer, model, carrier sign and departure or destination. The display of live data is currently delayed by 5 minutes for security reasons.
The screenshot below shows the air traffic over northern Holland.
I also found that you can carry all this info around in your pocket with apps such as this iPhone app (Tracker Pro).
Now let’s use the recently leaked (“how to smuggle a bomb”) TSA airport security manual (here), add a pinch of live tracking (Casper), pick one of the many innovative airplane blow-up plots (here), and with minimum effort it’s pretty easy to at least attempt something worthy of making headlines.
Are Critical Infrastructure Cyber Attacks Really on the Rise?
Recently many have argued about whether cyber-attacks against critical infrastructures are real and dramatically on the rise, as the media would like us to think (the recent Brazilian power outage made headlines around the world).
Others confidently backed the view that cyber-attacks are overhyped with their statistical reading of a recent report by the Repository of Industrial Security Incidents (RISI). RISI, which has kept track of “reported/verified” security incidents in the USA since 1982, recently stated that the incident count reached 164 in 2009. That’s basically an average of 6 incidents per year.
And then they asked a question.
If the US recorded 8 or 9 incidents next year, can we confidently say that the cyber attack rate is dramatically on the rise, and that we should be really worried?
The answer is simple: I agree that in most countries there isn’t enough data (on a national level) at hand to confidently confirm or deny anything.
I personally believe, though, that the rate of cyber-attacks against critical infrastructures worldwide is definitely rising, simply because of improved means and motives (it’s easier and more rewarding today than 5 years ago).
I feel that when we talk about critical infrastructure we often overlook that our world is now more interlinked and interdependent than it ever was. So even in the imaginary case of zero incidents taking place in the USA, as an example, this doesn’t mean that everything is OK and that the ultimate goal of critical infrastructure protection is served. Right now I can name a company in North Africa that provides Paris with 30% of its total daily natural gas consumption, and another company in the Persian Gulf that provides the UK with over 20% of its daily natural gas needs, not to mention Aramco’s crude oil exports to the US and Japan.
Who can argue that a cyber-attack on any of the examples above is less important, and ultimately less effective, than an attack on a French or UK based plant?
I believe that when thinking about critical infrastructures and judging whether attack rates are rising or declining, it’s only wise to aggregate global statistics to get the true picture of the threat on the ground, because in many ways this ecosystem works much like the modern financial world. Focusing only on local statistics will often give a false feeling of security.
As an example, in the last Brazilian blackout everyone seemed to neglect the fact that while two major Brazilian cities suffered, the entire country of Paraguay was plunged into darkness. Does Paraguay’s clean sheet of cyber-attacks mean anything here?
I can also see this occurring in the entwined electrical grids of many EU countries and between several former Soviet Union countries.
Another example that comes to mind is from the communications sector. Back in 2007, on two separate occasions (one of them a few days before the 2007 Gaza Strip war), there was a major Internet blackout across the Middle East after the region’s 3 main Internet submarine fiber cables were targeted (although they are several hundred miles apart). This incident didn’t only affect the region but had a cascading effect that reached the shores of India, costing the country’s IT outsourcing economy millions of dollars in lost bandwidth. Was there an attack on Indian critical infrastructure? No. Did India suffer? Yes.
This is a global threat/issue and should always be treated as such. Localized statistics, while important, are only part of the big picture.
The UN Is Offering SCADA Security Training
SCADA security and CIP have been recognized by the UN as areas that pose a significant threat on the international scene, and both topics have been included in the upcoming UN cyber crime training programs.
The UN courses come at two difficulty levels:
- Basic: 1400 Euro
- Intermediate: 2500 Euro
- Snippets from the UN website -
The basic-level SCADA & NCI Security course is 3 days long and is meant to provide a non-technical audience with an overview of the current state of SCADA and NCI architectures. It will include the following:
Introduction and examples of SCADA & NCIs,
Examples of real past incidents involving SCADA security failures,
Existing standards and best practices,
The difference between traditional IT security and SCADA/PCS security,
A special guest: an inside view from a SCADA vendor.
The 5-day Intermediate course is addressed to a technical audience and will include:
A special guest, highlighting the question of Open-source vs. SCADA,
Many live lab sessions showcasing both offensive and defensive techniques within a networked SCADA environment,
Historical and recent security incidents,
A special guest, discussing the task of hardening a SCADA infrastructure,
Discussion on performing penetration tests against NCIs.
More can be found at: UN SCADA Cyber Training
ScadaMobile for iPhone
I just came across this iPhone app (ScadaMobile) from SweetWilliam Automation (company website).
The app description states that the product can monitor (display and change) PLC variables (tags) through local or remote wireless access.

The manual, which can be downloaded here, describes how the app accesses the PLCs over the internet:
“ScadaMobile is designed to communicate with PLCs without using dedicated servers or any specific software installed on a PC.
ScadaMobile communicates with OMRON PLCs by sending FINS protocol commands. To establish a remote connection, a GPRS or ADSL router is needed at the PLC site, which will act as a bridge between the PLC LAN (local network) and the WWAN or WAN (Internet) to which a remote iPhone or iPod Touch will have access.” (Source: Section 4.1 in the manual)

As for security, the product seems to support VPN (L2TP/IPsec) as well as TLS/SSL, in addition to a PLC-stored password mechanism.
A password is stored in the PLC data memory address D19998 as a 16-bit hexadecimal value (0 to FFFF), and you must enter the matching password on your iPhone.

My comments:
- Apart from the validation code, all the network security controls are “optional”.
- No password complexity requirements (a 16-bit value allows at most 65,536 distinct passwords).
- I couldn’t find anything about how the password is stored on the iPhone, but my guess is that it’s not encrypted. I guess I will try to find this out by myself and will keep you posted.
It seems that there are many more remote access apps on the way, and I would love to see independent code-security reviews of each and every one.
Finally, there are two versions of the app: ScadaMobile Lite for $3.00, with limitations on the number of processes, and the full version for $74.00.
Will IDNs Pose the Next Big Security Threat?
Last week ICANN (Internet Corporation for Assigned Names and Numbers), the international body responsible for, among other things, administering the domain name system (DNS), announced that countries can now apply for website domain names and TLDs (top-level domain names) in non-Roman characters, with countries like Egypt, China, Israel and Russia already applying for Arabic, Chinese, Hebrew and Cyrillic respectively. This marks the true beginning of IDNs (Internationalized Domain Names).
Experts expect the new breed of URLs to surface within a year. ICANN Chairman Peter Dengate Thrush noted in a statement, “The IDN program will encompass close to one hundred thousand characters, opening up the Internet to billions of potential users around the globe.”
“This is the biggest technical change to the Internet’s addressing system – the Domain Name System – in many years,” said Tina Dam, ICANN’s senior director of Internationalized Domain Names. “Right now, it’s not possible to get a domain name entirely in, for example, Chinese characters or Arabic characters. This is about to change.”
My comment:
I think it’s a good step to increase the accessibility and usability of the Internet, but it’s unlikely to come without a cost.
There is no way that we can properly manage this new system without DNSSEC, which must be an international priority now.
DNS security measures will need to be taken very seriously. The barely visible difference between BankofAmerica.com and BánkofAmerica.com is just a small example of how criminals can exploit the new system.
Not to mention the foreseeable technical challenges in properly identifying the new breed of phishing sites, spam servers, etc. To sum it up, this will be the biggest challenge to date facing the Internet’s critical resources.
The former ICANN CEO stated back in 2006 that “There are 37 possible characters that can be used in domain names, but if non-English letters are allowed, this number would rise to 50,000 or more” (my comment: actually more like 100,000), said Twomey. He added that this could create problems where, for example, a character in Urdu looks identical to one in Arabic. This would confuse the system and make it difficult to direct users to the right website every time.
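As an added defender-side illustration (not from the original post or from ICANN), the check below takes the BankofAmerica.com vs. BánkofAmerica.com example above and shows what a mail gateway or URL filter can do with it: convert the label to its punycode (xn--) form, flag labels that mix Unicode scripts, and compare a crude accent-stripped “skeleton” against a list of protected brand domains. The protected list is a constructed example value.

```python
import unicodedata

# Constructed list of brand domains to protect; not taken from the page.
PROTECTED = {"bankofamerica.com"}


def scripts_of(label):
    """Set of script names used in a label, taken from the first word of each
    character's Unicode name (LATIN, CYRILLIC, ARABIC, ...). Digits, hyphens
    and combining marks are ignored."""
    scripts = set()
    for ch in label:
        if ch in "-." or ch.isdigit() or unicodedata.category(ch).startswith("M"):
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(domain):
    """Crude confusable skeleton: NFKD-decompose, drop combining marks, lowercase.
    Maps 'BánkofAmerica.com' onto 'bankofamerica.com'. A real deployment would
    use the full UTS #39 confusables table, which also covers e.g. Cyrillic 'а'."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def analyse(domain):
    """Return the punycode form of a domain plus a list of homograph findings."""
    d = domain.lower()
    findings = []
    try:
        ascii_form = d.encode("idna").decode("ascii")  # IDNA/punycode encoding
    except UnicodeError:
        return {"domain": domain, "punycode": None, "findings": ["invalid IDN label"]}
    if ascii_form != d:
        findings.append("non-ASCII label (punycode: %s)" % ascii_form)
    for label in d.split("."):
        used = scripts_of(label)
        if len(used) > 1:  # e.g. Latin letters mixed with a Cyrillic look-alike
            findings.append("mixed scripts in %r: %s" % (label, sorted(used)))
    sk = skeleton(d)
    if sk != d and sk in PROTECTED:  # the page's own example: same skeleton, different bytes
        findings.append("confusable with protected domain %s" % sk)
    return {"domain": domain, "punycode": ascii_form, "findings": findings}


if __name__ == "__main__":
    for name in ("BankofAmerica.com", "BánkofAmerica.com", "b\u0430nkofamerica.com"):
        print(analyse(name))
```

Note that the accented example is all Latin script, so a mixed-script check alone would miss it; the skeleton comparison is what catches it, while the Cyrillic case is caught by the script check and not by this simple skeleton.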
ICANN Announcement: HERE
The Empire Strikes Back – More on Brazil Blackouts
2005, 2007, and now you can add November 2009.
Yesterday, Tuesday night, the Itaipu dam, an important hydroelectric dam shared by Brazil and Paraguay, failed, pushing a large swath of central and southern Brazil into darkness, said the country’s minister of mines and energy, Edison Lobão. Source: CNN
A recent comment by Bernardo from Brazil (here) on my previous post implies that this was a coordinated attack that took place at exactly 22:00, when Die Hard 4.0 was about to begin on FX Cine Latin America!!

The official response so far was “the exact cause was not yet known but atmospheric problems, an intense storm, may have contributed to or caused the transmission lines to Itaipu to shut down,” said the country’s minister of mines and energy, Edison Lobão, to Reuters.
While the real cause of the problem remains unclear, it appears that hackers are not fond of the Itaipu dam’s IT infrastructure. One thing is certain: the Itaipu servers have been “visited” before.

Itaipu server hacking incidents in 2000 and 2001
Incident Record Source: Zone-h
Brazil: 2007 Blackout Was Not Caused by Hackers
A few days ago CBS’s “60 Minutes” featured a report about alleged cyber incidents that took place in Brazil back in 2005 and 2007, claiming that the major power outages that affected millions were caused by hackers.

Brazil Power Outage
Today Wired.com reported that Brazilian government officials disputed the CBS report over the weekend. Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he has investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.
The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday that it “has no knowledge of hackers acting in Furnas’ power transmission system.”
You can watch the CBS “60 Minutes” video (here).
Source: Wired.com Report