Archive

Archive for November, 2009

SCADAmobile for iPhone

November 25, 2009 1 comment

I just came across this iPhone App (ScadaMobile) from SweetWilliam Automation. (Company Website)

The App description states that the product can Monitor (display and change) PLC variables (tags) through local or remote wireless access.
ScadaMobile Interface

The Manual wich can be downloaded here describes how the App will access the PLCs over the internet.

“ScadaMobile is designed to communicate with PLCs without using dedicated servers or any specific software installed on a PC.

ScadaMobile communicates with OMRON PLC by sending FINS protocol commands. To establish a remote connection, a GPRS or ADSL router is needed at the PLC site, which will act as a bridge between the PLC LAN (Local Network) and the WWAN or WAN (Internet) to which a remote iPhone or iPod Touch will have access to. ” (Source: Section 4.1 in the Manual)
ScadaMobile Connectivity

As for the Security, The product seems to support VPN (L2TP/IPSEC) as well as TLS/SSL in addition to a PLC-stored password mechanism.

A password will be stored in the PLC data memory address D19998 as a 16 bit hexadecimal value (0 to FFFF) and you must match the password in your iPhone.
PLC Validation Password

My Comments:

– Apart from the Validation code, All the Network security controls are “Optional”
– No Password Complexity Requirements
– I couldn’t find anything about how the password is stored on the IPhone- But My guess that its not Encrypted. I guess I will try to find this by myself and will keep you posted.

It seems that there are many more remote access apps on the way and I would love to see independent code-security reviews on each and every one.

Finally, There are two versions from the app, ScadaMobile Lite for 3.0 $ with limitations on the number of processes. and the full version for 74.0 $.

Will IDNs Pose the Next Big Security Threat

November 22, 2009 Leave a comment

Last week ICANN (Internet Corporation for Assigned Names and Numbers) Which is the International body responsible for, among other things, administering the domain name system (DNS) announced that Countries can now apply for website domain names and TLDs “Top Level Domain Names” that are non-Roman characters. With countries like Egypt, China , Israel and Russia already applying for Arabic ,Chinese , Hebrew and Cyrillic respectively. marking the true beginning of IDNs (International Domain Names).

Experts expect the new breed of URLs to surface within a year, ICANN Chairman Peter Dengate Thrush noted in a statement, “The IDN program will encompass close to one hundred thousand characters, opening up the Internet to billions of potential users around the globe.”

“This is the biggest technical change to the Internet’s addressing system – the Domain Name System – in many years,” said Tina Dam, ICANN’s senior director of Internationalized Domain Names. “Right now, it’s not possible to get a domain name entirely in, for example, Chinese characters or Arabic characters. This is about to change.”

My Comment :
I think its a good step to increase the accessibility and usability of the Internet but it’s unlikely to come without a cost.

There is no way that we can properly manage this new system without DNSsec, which must be an international priority now.

DNS Security measures will need to be taken very seriously. The incidental difference between BankofAmerica.com from BánkofAmerica.com is just a small example of how criminals can exploit the new system.

Not to mention the foreseeable technical challenges in properly identifying the new breed of Phishing sites and SPAM Servers…etc, to sum it up this will be the biggest challenge to date facing the internet critical resources.

Former ICANN CEO stated back in 2006 that “There are 37 possible characters that can be used in domain names, but if non-English letters are allowed, this number would rise to 50,000 or more, ( My Comment: Actually more like a 100,000 ) said Twomey. He added that this could create problems where, for example, a character in Urdu looks identical to one in Arabic. This would confuse the system and make it difficult to direct users to the right website every time.

ICANN Announcement: HERE

The Empire Strikes Back – More on Brazil Blackouts

November 11, 2009 1 comment

2005, 2007 and now you can add November 2009.

Yesterday the Itaipu dam an important hydroelectric dam shared by Brazil and Paraguay failed last Tuesday night, pushing a large swath of central and southern Brazil into darkness, said the country’s minister of mines and energy, Edison Lobao. source (CNN)

A recent comment by bernardo from Brazil (Here) on my previous post implies that this is a coordinated attack that took place at exactly 22 hours. when die hard 4.0 was about to begin on FX Cine Latin America !!.
Die Hard 4.0 Schedule

The Official response so far was ” the exact cause was not yet known but atmospheric problems, an intense storm, may have contributed to or caused the transmission lines to Itaipu to shut down.” said the the country’s minister of mines and energy, Edison Lobao to reuters.

While the real cause of the problem remains to be unclear, it appears that hackers are not fond of the itaipu dam IT infrastructure. One thing for certain is that the itaipu servers has been “visited” before.

itaipu servers hacking incidents in 2000 and 2001

itaipu servers hacking incidents in 2000 and 2001

Incident Record Source: Zone-h

Brazil: 2007 Blackout Was not Caused by Hackers

November 10, 2009 4 comments

Few days Ago CBS’s “60 Minutes” featured a report about alleged cyber incidents that took place in Brazil back in 2005 and 2007. claiming that the major power outages that affected millions was caused by hackers.

Brazil Power Outage

Brazil Power Outage

Today Wired.com reported that Brazilian government officials disputed the CBS report over the weekend, and Raphael Mandarino Jr., director of the Homeland Security Information and Communication Directorate, told the newspaper Folha de S. Paulo that he’s investigated the claims and found no evidence of hacker attacks, adding that Brazil’s electric control systems are not directly connected to the internet.

The utility company involved, Furnas Centrais Elétricas, told Threat Level on Monday, it “has no knowledge of hackers acting in Furnas’ power transmission system.”

You can watch CBS “60 Minutes” Video (Here)
Source: Wired.com Report

The world’s largest nuclear plant constructor’s shares fall over systems security fears

November 8, 2009 Leave a comment

Shares in French state nuclear reactor builder Areva ( ARVCF.PK – news – people ) fell by 4% after France, Britain and Finland ordered it to modify their next-generation power plants on which it has staked future export growth. the new generation of French nuclear power reactors came under attack last week as opposition parties called for an inquiry into their security systems, after three nuclear safety bodies asked for changes to their design.

The three nuclear safety bodies cited concerns about the ‘adequacy of the safety systems’ and their independence from control systems. Keeping these areas independent helps prevent both failing together. the joint statement said.

The problems, which were first detected in June by the British Nuclear Installations Inspectorate (NII),concern the control and instrumentation (C&I) of the Areva-built EPR (European Pressurized Reactor). The C&I runs the computers and various systems that maintain the reactor’s performance, such as temperature and power output.

The concerns raised are related to the system that regulates its daily operations and the system that shuts it down in case of an incident, which are viewed as not being sufficiently independent of each other.

In its current state the software cannot guarantee the necessary safety requirements, the report noted.

Sources:
Reuters
Earthtimes

FDA: Our Approval is not Required for Security Patches

November 8, 2009 Leave a comment

For the first time since 2005, the FDA issued a statement to Medical device manufacturers and hospitals dealing with Healthcare IT systems:

The FDA’s Statements come as a reminder about “the shared responsibility of of cybersecurity”

FDA wants to remind you that cybersecurity for medical devices and their associated communication networks is a shared responsibility between medical device manufacturers and medical device user facilities. The proper maintenance of cybersecurity for medical devices and hospital networks is vitally important to public health because it ensures the integrity of the computer networks that support medical devices.

Further more the FDA clarified their position on security patches.

FDA approval is not required before installing changes, updates, or patches that address cybersecurity issues

The statement mentioned the fact that the FDA is aware of misinterpretation of the regulations for the cybersecurity of medical devices that are connected to computer networks. The regulations issued back in 2005 can be downloaded below.

Source: FDA’s official Reminder

Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (issued January 2005)

(End to End) Smart Grid Leading Players by Market Segment

November 2, 2009 Leave a comment

SMART Grid Big Guns

Comment:

The FACT that about 18 companies from the IT industry (Including: Google,Microsoft,IBM,CISCO,SAP,HP,Oracle and Intel) show up there mean that the competition is really heating up for the 3.4B $ stimulus/Appetizer package and that we are in for a whole new genre of vulnerability bulletins.

Source: GreenTechMedia

Categories: SMART GRID Tags: