Archive for June, 2009

National Traffic Engineering

June 29, 2009

I was going through some nice reports from Arbor Networks and some regional ISPs showing how Iranian Internet traffic was manipulated and controlled before, during and after the elections (also applicable to any scenario in which a government is trying to be in full control).

The reports show that the government-controlled telecom provider, the Data Communication Company of Iran (DCI), could not block the Internet entirely, because that would be impossible without hurting business (email, etc.) and perhaps causing further social unrest.

So DCI chose a more balanced approach: application firewalls that selectively rate-limit particular Internet applications (identified either by payload inspection or by port), mainly to throttle video streaming and file sharing.

The graph below (source: Arbor Networks report) shows how demand for video traffic spiked right after the elections, "due to global interest", and then traffic was suddenly cut by DCI's application filtering policies.

Video streaming in Iran

Apparently the new policy was to block SSH, streaming video and file sharing, all with a block rate above 80%, and to rate-limit mail, HTTP and FTP, all at roughly a 50% block rate (see below).

Block Rates

You can see how Internet traffic in general was suffering exactly one day after the elections (graph below).

Iranian Internet Traffic

The full reports can be found here:

Iranian Traffic Engineering
A Deeper Look at The Iranian Firewall
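The block-rate figures above come from comparing per-application traffic volume against a baseline. The Python below is an added example (my own illustration, not code from the Arbor report or from DCI) of how such a figure is computed from flow samples: each flow is classified the way a DPI box does it, by payload signature first and destination port as a fallback, then the post-election volume per application is compared with the baseline day. The flow records, the port map, the payload signatures and the 80%/40% verdict thresholds are constructed assumptions for this example, not the reports' data.

```python
import re
from collections import defaultdict

# Port-to-application map: an assumption for this example, the kind of table a
# policy-based filter carries for flows it cannot classify by payload.
PORT_APPS = {
    22: "ssh",
    21: "ftp",
    25: "mail", 110: "mail", 143: "mail",
    80: "http", 443: "http",
    1935: "video",   # RTMP
}

# Verdict thresholds mirroring the two tiers in the post: 80%+ suppression reads
# as "blocked", roughly half as "rate-limited". Assumed values for illustration.
BLOCKED_AT = 0.80
LIMITED_AT = 0.40


def classify(dst_port, payload):
    """Classify a flow as a DPI box would: payload signature first, port as fallback."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "p2p"
    if re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]", payload):
        return "http"          # HTTP on a non-standard port is still HTTP
    return PORT_APPS.get(dst_port, "other")


def volume_by_app(flows):
    """Sum bytes per application over (dst_port, first_payload, bytes) flow records."""
    totals = defaultdict(int)
    for dst_port, payload, nbytes in flows:
        totals[classify(dst_port, payload)] += nbytes
    return totals


def block_rates(baseline, observed):
    """Block rate per application = 1 - observed_bytes / baseline_bytes.

    Applications with no baseline volume are skipped (suppression cannot be
    measured); applications present in the baseline but absent afterwards score 1.0.
    """
    before = volume_by_app(baseline)
    after = volume_by_app(observed)
    return {app: round(1 - after.get(app, 0) / total, 2)
            for app, total in before.items() if total > 0}


def verdict(rate):
    """Map a block rate onto the policy tiers described in the post."""
    if rate >= BLOCKED_AT:
        return "blocked"
    if rate >= LIMITED_AT:
        return "rate-limited"
    return "unaffected"


# Constructed flow samples: (dst_port, first payload bytes, bytes transferred).
# Invented numbers, not the figures from the Arbor report.
BASELINE = [
    (22,   b"SSH-2.0-OpenSSH_5.1",        1000),
    (1935, b"\x03",                       4000),   # RTMP handshake, classified by port
    (6881, b"\x13BitTorrent protocol",    5000),
    (80,   b"GET / HTTP/1.1\r\n",         6000),
    (8080, b"GET /live HTTP/1.0\r\n",     2000),   # payload signature beats port
    (25,   b"EHLO mail.example\r\n",      2000),
    (21,   b"USER anonymous\r\n",         1000),
]
AFTER_ELECTION = [
    (22,   b"SSH-2.0-OpenSSH_5.1",         150),
    (1935, b"\x03",                        600),
    (6881, b"\x13BitTorrent protocol",     500),
    (80,   b"GET / HTTP/1.1\r\n",         3000),
    (8080, b"GET /live HTTP/1.0\r\n",     1000),
    (25,   b"EHLO mail.example\r\n",      1100),
    (21,   b"USER anonymous\r\n",          520),
]


if __name__ == "__main__":
    for app, rate in sorted(block_rates(BASELINE, AFTER_ELECTION).items()):
        print(f"{app:6s} block rate {rate:.0%}  -> {verdict(rate)}")
```

Classifying by payload before port matters for the same reason it matters to the filter: a stream served over HTTP on port 8080 is throttled as HTTP, and a BitTorrent handshake on any port lands in the file-sharing bucket. Measuring from the outside the way this script does is also how an operator can tell selective throttling apart from a general outage.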

My Comments: state-owned and controlled communication infrastructures and national Internet gateways are the common setup in many countries, so a similar scenario is always a valid threat, but I think that as more businesses and more economies come to rely on the Internet it's unlikely that we will see this happening again, or at least it will become an exponentially tougher and costlier decision with time.

AT&T and Qwest Join the Holy Grail Race (aka SMART GRID)

June 24, 2009

Companies are repositioning themselves to grab a piece of the lucrative smart grid pie. After my previous post on Cisco, HP, Google, etc. all announcing SMART initiatives, it was about time for the telco giants to join the race.

Qwest Communications has partnered with Current Communications on a smart-grid offering for utility companies that combines the former’s DSL network with the latter’s broadband-over-powerline (BPL) technology.

Last March SmartSynch and AT&T signed a partnership whereby AT&T's wireless network is used to connect smart meters at commercial and industrial locations to the back offices of around 100 different utilities (see picture below).



Yesterday AT&T announced that it is targeting a much more diverse SMART GRID role than previously perceived:

“We are starting at the meter and working our way back up the grid to the power production plant and looking at automating all the different elements along that chain,” said Abhi Ingle, vice president of industry and mobility application solutions at AT&T. “We’re embedding wireless intelligence at different points in the grid to not just capture usage and dynamic pricing information from the end user, but to also look at outage management, fault detection and things of that nature.”

In the news report published HERE, it is mentioned that under the terms of the agreement, AT&T and Cooper will co-sell two products, OutageAdvisor and VARAdvisor. OutageAdvisor is a sensor that hangs on electric delivery lines every couple of miles to locate and isolate faults and then report them back into the system in real time over AT&T's network. Ingle said this will lessen the time it takes to identify and correct faults, as well as reduce the likelihood of an outage.

The VARAdvisor sensor will serve as an alternative to manual inspection of equipment that controls the voltage supplied to consumers and detects fuse failures, which Ingle said will also help reduce the need for on-site inspections.


A Shortlist of Reported SCADA Incidents

June 21, 2009

In a good report by The Infrastructure Security Partnership (called "The Roadmap to Secure Control Systems in the Water Sector") I found a good list that helped me remember several of the well-known, "reported" SCADA incidents, including:

• Insider hacks into sewage treatment plant (Australia, 2001): A former employee of the software development team repeatedly hacked (on 46 occasions) into the SCADA system that controlled a Queensland sewage treatment plant, releasing about 264,000 gallons of raw sewage into nearby rivers and parks. (My Comments: if I remember correctly, he was able to use the company WiFi from the company's parking lot.)
• Equipment malfunction at water storage dam (St. Louis, MO, 2005): The gauges at the Sauk Water Storage Dam read differently than the gauges at the dam's remote monitoring station, causing a catastrophic failure which released one billion gallons of water.
• Intruder plants malicious software in a water treatment system (Harrisburg, PA, 2006): A foreign hacker penetrated the security of a water filtering plant through the Internet. The intruder planted malicious software that was capable of affecting the plant's water treatment operations.
• Reported vulnerability (Aurora, 2007): CNN reported a control system vulnerability that could damage generators and motors. (My Comments: many argued about the credibility of this test, but I think it was deliberately downplayed for the right reasons.)
• Intruder sabotages a water canal SCADA system (Willows, CA, 2007): An intruder installed unauthorized software and damaged the computer used to divert water from the Sacramento River.
• CIA confirms cyber attack caused multi-city power outage (New Orleans, 2008): The CIA has information that cyber intrusions into utilities (followed by extortion demands) have been used to disrupt power equipment in several regions outside the United States.

I would like to add the following incidents:

• January 8, 2008: a teenage boy 'hacks' into the track control system of the Lodz city tram system, derailing four vehicles. He had adapted a television remote control so it could change track switches.

• In 2003 the Slammer worm crashed an Ohio nuclear plant's network. "This is in essence a backdoor from the Internet to the corporate internal network that was not monitored by corporate personnel," quotes the full report HERE.

• In 2000 hackers cracked Gazprom's security and controlled the gas-flow switchboard. "We were very close to a major natural disaster," commented a Russian minister, as reported here: ,9171,901020617260664,00.html

The report also listed the following under "How Can Cyber Events Affect Water Systems?":

Cyber events can affect water system operations in a variety of ways, some with potentially significant adverse effects on public health. Cyber events could do the following:
• Interfere with the operation of water treatment equipment, which can cause chemical over- or under-dosing
• Make unauthorized changes to programmed instructions in local processors to take control of water distribution or wastewater collection systems, resulting in disabled service, reduced pressure flows of water into fire hydrants, or overflow of untreated sewage into public waterways
• Modify the control system software, producing unpredictable results
• Block data or send false information to operators to prevent them from being aware of conditions or to initiate inappropriate actions
• Change alarm thresholds or disable them
• Prevent access to account information
• Although many facilities have manual backup procedures in place, failures of multiple systems may overtax staff resources, even if each failure is manageable in itself
• Be used as ransomware

Social Media and Cyber Security

June 18, 2009

I was reading a friend's blog on how Twitter decided to reschedule its maintenance downtime to accommodate the Iranian elections! As per the Twitter status blog: "A critical network upgrade must be performed to ensure continued operation of Twitter. In coordination with Twitter, our network host had planned this upgrade for tonight. However, our network partners at NTT America recognize the role Twitter is currently playing as an important communication tool in Iran. Tonight's planned maintenance has been rescheduled to tomorrow between 2-3p PST (1:30a in Iran)." (official Twitter blog post HERE). It is interesting that Twitter decided to be offline during US peak hours for the sake of availability in Iran.

According to a ZDNet blog, Twitter was apparently used successfully to coordinate a DDoS attack on several key pro-Ahmadinejad Iranian web sites, including the President's homepage, which continues to return a "The maximum number of user reached, Server is too busy, please try again later…" message.

Also, back in April 2008 a group of Egyptian youth used Facebook to create a group (+70,000 members) to organize and coordinate a nationwide strike that quickly became a regional media hype (the group's page).

Twitter's basic terms of service clearly say:

"You may not use the service for any illegal or unauthorized purpose. International users agree to comply with all local laws regarding online conduct and acceptable content." Yet they agreed to reschedule the maintenance to accommodate the "freedom fighters"!

It's clear that web 2.0 is here to change the game; the problem is that it's a game with no rules…yet.

He who can harness the power of hundreds of millions of "mostly teenage" users and direct them in any way imaginable will be the ultimate bot master.



Incident Response Cheat Sheets

June 17, 2009

Something is not feeling right; maybe you are hacked. You don't know for sure yet, but you need to quickly qualify the potential incident. You also need to ask questions to make sense of the situation and determine how to proceed. It's easy to make mistakes in the heat of the moment; here are two cheat sheets that may help. (Source

The first sheet (shown below) is for system administrators, the second is for incident responders.

Incidents Response cheat Sheets

Download the (Security Incident Survey Cheat Sheet for Server Administrators)

Download the (Initial Security Incident Questionnaire for Responders)

A Worm Opens Door to Power-Grid Botnet

June 13, 2009

A recent article in The Register (UK) quoted IOActive's security researchers, who have written what they call the first power-grid worm, to be demonstrated at the upcoming Black Hat conference in Las Vegas.

The researchers tested about half a dozen smart meters and found that most of the devices use no encryption or authentication.

The worm uses the unauthenticated peer-to-peer update feature that ships with the smart meters to send its malicious code from meter to meter; because nothing authenticates the sender or the image, a compromised meter is indistinguishable from a legitimate update source.
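To make that point concrete, here is an added example (my own illustration, not IOActive's code and not any vendor's meter firmware) contrasting a meter that installs whatever a peer sends with one that authenticates the image and refuses rollbacks. The update blob layout, the HMAC-SHA256 tag and the shared key are assumptions chosen to keep the example dependency-free; a real design would use an asymmetric signature so that only a public key lives on the meter, since a symmetric key shared across a fleet can be pulled out of any one device.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                   # HMAC-SHA256 output length
HEADER = struct.Struct(">I")   # 4-byte big-endian firmware version (assumed layout)


def sign_update(key, version, image):
    """Utility-side helper (assumed for this example): build
    version || image || HMAC-SHA256(key, version || image)."""
    body = HEADER.pack(version) + image
    return body + hmac.new(key, body, hashlib.sha256).digest()


class InsecureMeter:
    """Models the behaviour the researchers describe: any peer can push code."""

    def __init__(self, version=1):
        self.version = version
        self.firmware = b"vendor image v1"

    def apply_update(self, blob):
        # No parsing, no origin check, no integrity check: whatever a peer
        # offered is now the running image.
        self.firmware = blob
        return True


class VerifyingMeter:
    """Same update path, but the image must carry a valid tag and a newer version."""

    def __init__(self, key, version=1):
        self._key = key
        self.version = version
        self.firmware = b"vendor image v1"

    def apply_update(self, blob):
        # Length check first so slicing below cannot produce an empty body.
        if len(blob) < HEADER.size + 1 + TAG_LEN:
            return False
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time compare: a byte-by-byte early exit would leak the tag.
        if not hmac.compare_digest(tag, expected):
            return False
        (version,) = HEADER.unpack_from(body)
        # Anti-rollback: a replayed or older signed image must not downgrade the meter.
        if version <= self.version:
            return False
        self.version = version
        self.firmware = body[HEADER.size:]
        return True


def propagate(meters, blob):
    """Simulate the P2P update feature: one infected meter offers blob to every
    peer it can reach. Returns how many peers accepted it."""
    return sum(1 for m in meters if m.apply_update(blob))


if __name__ == "__main__":
    key = b"fleet-key-for-this-example-only"       # assumed shared secret
    worm = b"\x00\x00\x00\x09" + b"worm payload" + b"\x00" * TAG_LEN
    print("insecure fleet infected:", propagate([InsecureMeter() for _ in range(5)], worm))
    fleet = [VerifyingMeter(key) for _ in range(5)]
    print("verifying fleet infected:", propagate(fleet, worm))
    print("legitimate v2 accepted by:", propagate(fleet, sign_update(key, 2, b"vendor image v2")))
```

The three checks are deliberately ordered: length, then authentication, then version. Checking the version before the tag would let an unauthenticated blob influence control flow, and skipping the version check would let an attacker who captures one old signed image roll every meter back to it for the 10-15 years the page says these devices stay in the field.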

Some US-market numbers from EnergyPulse to think about:

- More than two million smart meters in field use today
- An additional 17 million devices on order by over 73 participating utilities
- Smart meters, once deployed, are expected to last 10-15 years
- Many of the smart meters currently in production are built on vulnerable hardware like the Texas Instruments MSP430 (shown below, from eBay)

The smart grid will gain a lot of momentum in the next few years due to many political, environmental and financial incentives, and efforts worldwide are underway to develop or update the required legal and technical frameworks. Yet there are some pressing debates and issues. For example:

- Is it OK to build the smart meters in a foreign country using foreign components? (Chinese firm Huawei hits back at cyberspy claims)
- Should a government impose or name a certain communication encryption algorithm?
- Should SCADA vulnerabilities be publicized like regular PC vulnerabilities? We don't hear often about vulnerabilities in the medical equipment industry, do we?
- It's Black Hat 2020 and the freedom hackers group has just announced several critical vulnerabilities in the hardware deployed at millions of homes. When shall I expect the electricity guy to come and replace my vulnerable meter?

TI MSP 430

Cyber Assessment Methods for SCADA Security

June 10, 2009

A good old INL (Idaho National Laboratory) white paper that describes the vulnerability assessment methodologies used in ongoing research and assessment activities designed to identify and resolve vulnerabilities in SCADA systems. It was published in 2005, so some of the tools referenced might be outdated, but the methodologies are nicely put.

Download the paper (HERE)

The Largest Security Tools List

June 10, 2009

With all the security tools out there it's really hard to keep up with everything. A friend pointed out this website, which I personally find pretty comprehensive and up to date (The Largest Security Tools List).
Website Screen Shot

Is the Cyber Threat To National Security Overblown?

June 7, 2009

A recent article titled "Is the Hacking Threat To National Security Overblown?" asked whether governments are overblowing the issue only to get bigger budgets, more reach, power and control, or whether it is actually a real national threat.

The experts' view was that it is a real threat that can be justified, but that the actual threat levels are over-estimated.

I tend to have a different view. I believe that since it is a threat that can have a direct or indirect impact on the daily life of humans, everyone (citizens and governments) should take note and act responsibly.

From the graph below (from a study by INL) you can see that our networked, IT-dependent society will certainly suffer a domino effect if the energy sector or its suppliers suffer a service disruption.


I really don't care whether this disruption is caused by a storm or a DDoS. To people who say that the threat levels of CIP IT-related risks are over-rated I can only say that the truth is that our knowledge of today's critical infrastructure information security is just like our knowledge of PC security ten years ago.

Exactly 10-12 years ago we had pretty much the same debates about legislation, privacy issues, whether vendors should be held accountable for vulnerable software, standards like BS7799, etc.

Another dimension of the problem is that most critical infrastructures worldwide are reluctant to share lessons learned or incidents, due to corporate image fears and the competitive nature of the industries. So no one should claim to have the complete picture, even within his own country, let alone for scenarios like the worldwide impact of a cyber attack on Saudi Aramco, for instance (think of it as a cyber attack on the NYSE if you were using stocks for heating).

We are much more informed about every other type of national threat there is (natural disasters included), yet we are much less informed about national-level cyber risks and threats, probably because this is the newest of all threats.

So until we get our act together in terms of technology, legislation, standards, interconnection impact and international cooperation, I believe it is only safer to treat cyber threats as the most critical until proven otherwise.

SCADA Stalkers and Cyber Borders

June 4, 2009

I was reading a Team Cymru report called "Who is looking for your SCADA infrastructure?"; it reaffirms what everyone in the field knows about certain countries or regions scanning certain SCADA infrastructures.

It's worrying that it is practically very hard to point fingers or know for sure whether those scans from country "xyz" are deliberate or just a product of a major botnet.
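As an added example (my own, not part of the Team Cymru report), the Python below shows the kind of analysis behind a "who is scanning your SCADA" report and why the per-country roll-up does not settle the intent question. It flags sources that probe several distinct hosts on control-system ports, then groups the flagged sources by country and counts how many distinct /24 networks they come from. The log lines, the geolocation table, the port watch list and the threshold are all constructed for this example; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Control-system ports a scanner would probe. Assumed watch list for this example.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 102: "iso-tsap", 44818: "enip"}
SCAN_THRESHOLD = 3   # distinct ICS hosts touched by one source before we call it a scan

# Constructed "country" table keyed by prefix; a real tool would use a GeoIP database.
GEO = {"198.51.100.0/24": "XX", "192.0.2.0/24": "ZZ"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

# Constructed firewall log lines, not real captures. 203.0.113.0/24 plays "our" network.
SAMPLE_LOG = """\
2009-06-01T03:14:07 198.51.100.7 -> 203.0.113.20:502 SYN
2009-06-01T03:14:08 198.51.100.7 -> 203.0.113.21:502 SYN
2009-06-01T03:14:09 198.51.100.7 -> 203.0.113.22:502 SYN
2009-06-01T03:14:10 198.51.100.7 -> 203.0.113.23:20000 SYN
2009-06-01T03:20:41 198.51.100.9 -> 203.0.113.20:502 SYN
2009-06-01T03:20:42 198.51.100.9 -> 203.0.113.21:20000 SYN
2009-06-01T03:20:43 198.51.100.9 -> 203.0.113.22:102 SYN
2009-06-01T04:02:11 192.0.2.15 -> 203.0.113.20:502 SYN
2009-06-01T04:02:12 192.0.2.15 -> 203.0.113.20:80 SYN
2009-06-01T04:02:13 192.0.2.15 -> 203.0.113.20:502 SYN
2009-06-01T05:55:01 192.0.2.40 -> 203.0.113.20:44818 SYN
2009-06-01T05:55:02 192.0.2.40 -> 203.0.113.21:44818 SYN
2009-06-01T05:55:03 192.0.2.40 -> 203.0.113.22:44818 SYN
this line is malformed and must be skipped
"""


def parse(log):
    """Yield (timestamp, src, dst, port, flags) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, flags = m.groups()
            yield ts, src, dst, int(port), flags


def find_scanners(log):
    """Return {src: {port: [dst, ...]}} for sources that touched at least
    SCAN_THRESHOLD distinct hosts on watched ports. (A production detector
    would also window by time; omitted here to keep the example short.)"""
    hits = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, port, _flags in parse(log):
        if port in ICS_PORTS:
            hits[src][port].add(dst)
    return {
        src: {port: sorted(dsts) for port, dsts in ports.items()}
        for src, ports in hits.items()
        if len({d for dsts in ports.values() for d in dsts}) >= SCAN_THRESHOLD
    }


def country(ip):
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


def by_country(scanners):
    """Roll scanners up the way a per-country report does, but keep the count of
    distinct /24s: many hosts from one or two networks is consistent with a single
    compromised institution or botnet segment, not evidence of state intent."""
    out = defaultdict(lambda: {"hosts": 0, "nets": set()})
    for src in scanners:
        cc = country(src)
        out[cc]["hosts"] += 1
        out[cc]["nets"].add(str(ipaddress.ip_network(src + "/24", strict=False)))
    return {cc: {"hosts": v["hosts"], "nets": len(v["nets"])} for cc, v in out.items()}


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for src, ports in scanners.items():
        print(src, country(src), {ICS_PORTS[p]: d for p, d in ports.items()})
    print(by_country(scanners))
```

In the constructed log, country "XX" shows two scanning hosts but both sit in one /24, which is exactly the situation the post describes: the report can say where the packets came from, not whether anyone in that country decided to send them.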

So a question comes to my mind: should a country be legally held responsible for scanning the SCADA infrastructure of another country?

I believe that scanning SCADA systems transcends corporate espionage and profit-oriented cyber crime, for obvious reasons, and all due diligence should be exercised by countries to protect their infrastructure from being used to scan or infiltrate another country.

Automatically this leads to the debate about cyber borders: what should pass, and what should pass with the expectation of retaliation.

Most of the world is at a very early stage technologically to be able to police and enforce a cyber-borders system in which every country protects, and is totally accountable for, its cyber space, exactly as we currently have controls over airspace, for example.

Until we reach this level, a lot is happening, and even more will happen, with no one held undeniably accountable.