Archive for Jose Vicente Ortega

10 Steps to Securing SCADA Networks




Supervisory control and data acquisition (SCADA) are computer controlled systems that monitor and control industrial processes that exist in the physical world. These computers run applications that perform key functions in providing essential services and commodities such as electricity, natural gas, gasoline, water, waste treatment and transportation, making them a critical part of a nation’s infrastructure.

These systems were designed for functionality, focusing on performance, reliability, flexibility and safety, while not making security a priority and because it is not uncommon for these systems to have a 20 year life cycle, it will be years before more secure systems are in widespread use.


This makes SCADA’s potentially vulnerable to disruption of service, process redirection, or manipulation of data that could result in serious disruptions to organizations and nations alike.

Oil platform

In order to address this issue it is essential to take actions to implement security and establish management processes and controls.

Here are 10 steps to mitigate the risks in keeping these systems secure.

  1. Risk assessment

    Conduct a thorough risk assessment to identify systems and evaluate their properties and characteristics, discover threats and vulnerabilities that pose risk to the systems and finally address those risks by transferring, eliminating or accepting them.

  2. Implement security features provided by vendors

    Most older SCADA systems have no security features, which happen to be also the most prevalent. Some newer SCADA devices come with basic security features, but are usually disabled to ensure easy installation. Security features must be set to provide a maximum level of security and only lowering them after a rigorous risk assessment of the consequences of doing so.

  3. Do not rely on proprietary protocols

    SCADA systems sometimes use unique, proprietary protocols to communicate with servers and often this is the only security in place to protect the network. This however is not a wise risk mitigation strategy.

  4. Evaluate and strengthen security

    Penetration testing must be performed regularly to find vulnerabilities and fix them before an attacker does. Having a seconds set of eyes check out critical systems is a good security practice. Penetration testing not only serves to identify vulnerabilities; it also serves in verifying secure configurations are in place when installation is performed.

  5. Implement internal and external intrusion detection systems and establish 24/7 monitoring

    In order to be able to effectively respond to cyber attacks, it is necessary to establish an intrusion detection strategy that includes alerting network administrators of malicious network activity. Incident response procedures must be in place to allow an effective response to any attack. In addition to network monitoring, logging must be enabled on all systems.

    Scada water

  6. Conduct physical security surveys

    Any connection that has a SCADA connected to the network is a target, especially if they are in a unguarded remote sites. Conduct regular physical survey and inventory access points at each facility that has a connection to a SCADA system. Identify and assess remote telephone/computer network/fiber optic cables that could be tapped; radio and microwave links  that are exploitable; computer terminals that can be accessed; and wireless local are network access points.

  7. Define cyber security roles, responsibilities, and authorities for managers, sys admins and users.

    Its very important for the organization to understand the expectations associated with protecting information technology resources through the definition of clear roles and responsibilities. Personnel need to be given sufficient authority to carry out their assigned responsibility and a organizational structure must be in place defining how security issues are escalated and who is notified in an emergency.

  8. Document network architecture

    It is imperative that the organization design their networks with security in mind and continue to have a strong understanding of their network architecture throughout its lifecycle. An in depth understanding of the functions that the systems perform and the sensitivity of the stored information is critical. Without this understanding, risk cannot be properly assessed. Additionally it is very important to document the information security architecture and its components, while establishing controls to keep the documentation current.

  9. Establish a rigorous, ongoing risk management process

    A robust risk management process is needed to provide the organization with feedback on the effectiveness of the cyber security policy and its implementation. A mature organization is one that can self identify issues, conduct root cause analyses, and implement corrective actions to address the individual and systemic problems. Self-assessment processes are a normal part of an effective security program and include routine scanning for vulnerabilities, automated auditing of networks and self-assessment of performance or Key Performance Indicators (KPI).

  10. Establish effective configuration management processes

    Configuration management is a fundamental management process needed to maintain a secure network. It need to include both hardware and software configurations. Changes can easily introduce vulnerabilities that undermine network security, so processes are required to evaluate and control any change to ensure the network remains secure.

What is XKeyscore?

A couple of weeks ago The Guardian released new information about a program called XKeyscore the NSA operates, giving the government the capability to search emails, social media and browsing history amongst other data.

The presentation reveals fascinating insight into the program, its reach and capabilities.

Data is collected around the world at aprox. 150 sites, which seem to be clustered around Central America, Europe and the Middle East. It is pitched as unique because of its general capability allowing the operator to go “shallow” or “deep” when performing queries on the system.

NSA binoculars4

“Shallow”  query operations enable the analyzes of large data sets or in case of monitoring real-time activity (tipping), when the data rate is too high.

Because large amounts of time spent on the web is performing actions that are anonymous in some sense, XKeyscore has the capability to detect anomalies in the traffic that lead to intelligence and thus triggering traditional tasking.

On how to query the system the slides show the power lies in being able to look for anomalous events, giving specific examples such as:

  1. Someone whose language is out of place to the particular geographic region they are at.
  2. Someone using encryption which would signal they have something to hide.
  3. Someone searching the web for suspicious information.
  4. Show all encrypted word documents from Iran.
  5. Show all encryption usage in Iran.

XKeyscore stores extracts and authoring information on documents giving it the capability to trace where the document originated.

Data volumes are so high that according to the presentation, data collected never leave the sites, but is rather deleted at a finite time after being run through extract plugins which index and store metadata.

xkeyscore Traditionally collection of information is triggered by a strong-selector event when the target is known, but the system is capable to work back from an anomalous event to a strong selector, as well as tie in with other existing systems to allow collection after the event.

Examples of utilizing this approach to analyze data are also outlined:

  1. Finding a target that speaks German in Pakistan.
  2. Someone who has utilized Google maps to scope target locations.
  3. Who wrote a document and where that has been passed around through numerous people.
  4. Find all excel spreadsheets coming out of Iraq and map IP addresses. (Note: this particular point mentions MAC address which is incorrect.)

Another system comes to light named TAO (Tailored Access Operations) which provides XKeyscore with the capability to report on all exploitable machines in a particular country.

As new web services come online, the system scans metadata collected for the username which is likely reused from service to service, providing the discovery of new applications the agency had no idea about.

Future enhancement efforts centered around higher speeds, better presentation, VoIP, and adding metadata from Google Earth and EXIF tags. Keeping in mind this presentation is dated 2008, the future is here.

VoIP traffic can be collected and reconstructed; EXIF metadata is particularly interesting. From this metadata you could query for photos taken by an particular camera in a particular geographic region, on a particular date. Cross referencing exposure and time of day could let you determine if the photo was taken indoors or outdoors.


Examples of utilizing this approach to analyze data are also outlined:


LinkedIn Compromise of Passwords is Real

Multiple sources in the security field have reported today that LinkedIn was hacked and the list of password hashes posted on a forum.  I can also add myself to @ErrataRob findings confirming that my password was on that list.

At this time files posted on the forum have been taken down and LinkedIn has now confirmed that “some” of the user passwords are real.

Here is a small excerpt from the dump:


These passwords are encoded using a cryptographic hash function called SHA-1. A hash function is a one-way mathematical function that takes an arbitrary block of data and returns a fixed-size bit string.

In order to retrieve the password from this SHA-1 string, hackers use an attack known as a Rainbow Tables attack, which consists of calculating the hashes for the passwords; so once you get the hash to do a reverse lookup of the hash you have previously calculated and get the password. These tables of passwords and their hashes are widely available on the Internet including

If your password is simple, its pretty likely that your hash is already stored on a rainbow table.

So I calculated my SHA-1 hash by using the following command on my laptop.

echo -n ‘mypassword’ | openssl sha1

This command  calculates the one-way SHA1 hash for my password.

I then stripped the first 6 characters from the hash and looked it up in the combo_not.txt file that contained the compromised list of passwords.

YCombinator has a post that explains what the meaning of the initial “0”s mean within the hashes and the reason why I deleted the first 6 characters.

So the LinkedIn hack is real and you need to change your password NOW. If you happen to use that password for other websites, change those too and do not use that password again.

How could have LinkedIn prevents this:

Not only were the access controls that LinkedIn had in place prove to be insufficient, but they apparently had no detective controls to alert them that the breach occurred judging by their public responses and the silly statements that no evidence of breach had been found.

Furthermore LinkedIn could have made the password information useless if a technique called ‘salting‘ had been used on the stored hashes. This is common of web applications as many store users passwords as a hash in the database.

It would help LinkedIn’s reputation to be as forthcoming as they can with what they know as they know it.

UPDATE: Link to mirror forum here.

iPhone Forensics – Part 1

As with anything else its important to really understand the inner working of the iPhone before attempting to recover any data from it, as two things may happen: the device may be rendered useless or the data on it become contaminated which is just as bad when you are looking for evidence.

The iPhone runs a custom version of Mac OS X 10.5 (Leopard) with several differences which include:

  1. an ARM architecture as opposed to the Intel x86 architecture used on desktop machines
  2. special hardware including an accelerometer, proximity sensor, multi-touch capable screen and several radios including GSM, Wi-Fi and Bluetooth
  3. a user interface framework built around the iPhone to accommodate the proprietary hardware
  4. a signed kernel designed to prevent tampering

What can be recovered:

Information stored on the iPhone includes keyboard caches containing usernames, passwords, searches, and some history of what was ever typed on the phone.

Sections of map images from the phone’s Google Maps application, location searches and their coordinates can be found on the phone.

Browser cache and deleted items identifying what websites the user has visited.

Deleted voicemails, email and SMS messages can also be recovered.

A cache of screenshots of the user’s last activities which are kept to improve the experience of opening and closing applications.

Deleted images, address book entries, contacts, calendar events and other personal information can be recovered.

A very detailed call history list beyond what is visibly on the iPhone as well as deleted items from the history.

Disk Layout:

The iPhone uses a solid state NAND flash which is treated as a disk by storing a partition table and a formatted file system. Generally the iPhone will be configured with 2 partitions as shown below.

The first partition is the root which houses the operating system and all the preloaded applications on the iPhone. This partition is read-only and designed to stay like that. The size of the root partition varies depending on the version of the phone (size of the flash).

The remaining space is assigned to the user and is mounted as /private/var as shown above. This allows Apple to upgrade firmware of the devices without in theory touching the user data on the device.

To perform forensics on this type of environment we would need to make the root partition writable  to install forensics software in order to maintain the integrity of the data on the user’s data partition.


The iPhone can communicate in multiple ways including the serial port, 802.11 Wi-Fi and Bluetooth. AFC or Apple File Connection is a serial protocol used by iTunes to connect to the iPhone and transfer everything from music to software upgrades.

iTunes is not allowed access to the whole iPhone but is rather placed in a jailed environment. People familiar with Linux will understand the term “jailed”, which in general terms mean restricting access and operations to a specific area within the target device.

The hacker community coined the term “jailbreaking” after successfully breaking out of this restricted environment allowing pirated apps to be installed on the phone and unlocking it to be used with other carriers.

The Firmware:

Apple provides firmware updates on a periodic basis which update the operating system, radio baseband and other device firmware. Although these updates have not resulted in loss of user data, it is not recommended that the firmware be upgraded during the forensics process.

Reblog this post [with Zemanta]