Topic: SCADA alerts/vulns...  (Read 5326 times)
« on: November 02, 2010, 12:31:35 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 7314



FYI...

SCADA systems ICS-CERT alert issued...
- http://threatpost.com/en_us/blogs/search-engine-finds-vulnerable-scada-systems-110210
November 2, 2010 - "ICS-CERT, the emergency response team for industrial control systems, has warned companies that run SCADA (Supervisory Control and Data Acquisition) software that the systems running it may be easily discovered using a free Web based search engine dubbed Shodan. The warning came in the form of an ICS-CERT Alert*, published on October 28. The group, which is part of US-CERT, warns that "multiple independent security researchers" have reported using SHODAN to discover Internet facing SCADA systems in "several critical infrastructure sectors". The systems discovered range from systems used for remote access and monitoring, but also include systems with the ability to directly manage configuration of SCADA systems... Control system operators were advised to conduct an audit of their existing systems, including those not directly connected to the Internet, to make sure that no weak or default passwords are being used. In addition, operators are advised to place any control systems behind firewalls and to isolate them from business networks. Virtual Private Networks (VPN) should be used for remote access to such systems and strong passwords and access management strategies should be employed..."
* http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-301-01.pdf

- http://www.us-cert.gov/control_systems/

- http://www.us-cert.gov/control_systems/ics-cert/index.html

« Last Edit: March 24, 2011, 13:00:51 by AplusWebMaster »

This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #1 on: March 24, 2011, 13:00:21 »
FYI...

SCADA alerts/vulns posted...
- https://www.computerworld.com/s/article/9214990/SCADA_vulnerabilities_prompt_U.S._government_warning
March 23, 2011 - "... U.S. CERT's Industrial Control Systems Cyber Emergency Response Team issued four alerts* on Monday..."
* What's New... : http://www.us-cert.gov/control_systems/
(All PDF files)

- http://www.us-cert.gov/control_systems/ics-cert/

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229400160
March 23, 2011

« Last Edit: May 12, 2011, 04:36:58 by AplusWebMaster »

« Reply #2 on: May 12, 2011, 05:23:53 »
FYI...

SCADA Alerts - ICONICS, Advantech, Samsung...
- http://www.us-cert.gov/control_systems/ics-cert/
11 May 2011
• ICS-CERT Advisory ICSA-11-131-01-ICONICS GENESIS32 and BizViz ActiveX Stack Overflow - "... stack overflow vulnerability affecting ICONICS GENESIS32 and BizViz products"
• ICS-CERT Alert ICS-ALERT-11-131-01 - Advantech Studio ISSymbol ActiveX Control Buffer Overflow Vulnerabilities - "... multiple buffer overflow vulnerabilities in Advantech ISSymbol ActiveX Control and Advantech Studio"
9 May 2011
• ICS-CERT Alert ICS-ALERT-11-129-01 - Samsung Data Management Server Root Access

- http://iconics.com/certs

- http://support.advantech.com/support/default.aspx

- http://www.samsung.com/us/support/
___

- http://isc.sans.edu/diary.html?storyid=10873
Last Updated: 2011-05-12 13:03:43 UTC

« Last Edit: May 12, 2011, 08:29:45 by AplusWebMaster »

« Reply #3 on: May 25, 2011, 03:04:16 »
FYI...

SCADA/Siemens vuln detail remains in fog...
- http://www.csoonline.com/article/682738/a-botched-fix-not-legal-demands-nixed-scada-security-talk
May 23, 2011 - "After a presentation on SCADA (supervisory control and data acquisition) system exploits was pulled at the last minute from the TakeDownCon conference, accusations began to swirl that NSS Labs, the company that helped fund the research, had been told by the Department of Homeland Security (DHS) to pull the talk that would have exposed existing flaws in certain Siemens systems used to control critical infrastructure... Vik Phatak, chief technology officer at NSS Labs. "Siemens found out, near the last minute, that the mitigation they had planned didn't work. It could be bypassed," Phatak says. According to Phatak, DHS pointed to a broad context of risks should the talk go forward without proper mitigation. Following that, NSS Labs independently chose to postpone the talk... Siemens and DHS ICS CERT are expected to release advisories and fixes for the vulnerabilities within the week, Phatak said..."
* http://www.takedowncon.com/?page_id=1148
"Synopsis: Traditional perimeter network security is not a sufficient enough means on its own to defend against dynamic threats to applications already residing on enterprise systems and accessible over the Internet. Web-accessed databases are especially susceptible..."

- http://www.reuters.com/article/2011/05/24/siemens-security-idUSN2428619720110524
May 24, 2011

- http://www.us-cert.gov/control_systems/ics-cert/

« Last Edit: May 25, 2011, 03:27:20 by AplusWebMaster »

« Reply #4 on: June 11, 2011, 04:49:26 »
FYI...

ICS-Siemens patches released...
- https://www.computerworld.com/s/article/9217547/Siemens_fixes_industrial_flaws_found_by_hacker
June 10, 2011 - "Siemens has fixed bugs in its Simatic S7 industrial computer systems, used to control machines on factory floors, power stations and chemical plants. The patches*, released Friday, mark Siemens' first response to a high-profile computer security incident since the Stuxnet worm, which was discovered a year ago circulating on computer networks in Iran. Siemens fixed a pair of flaws in the S7-1200 controller, acknowledging that one could be leveraged to take control of the system using what's known as a replay attack. A second flaw, in a Web server that ships with the device, could give attackers a way to crash the system. However, the attacker would have to first find a way onto the victim's network before launching these attacks..."
* http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=50428932&caller=view
Patch: http://support.automation.siemens.com/WW/view/en/41886031/133100

- http://www.us-cert.gov/control_systems/ics-cert/
ICS-ALERT-11-161-01 Siemens S7-1200 PLC - Fri, 10 June 2011 - "... Siemens has released a Siemens Security Advisory and patch for the Siemens S7-1200 PLCs."
* http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-161-01.pdf

- http://www.securitytracker.com/id/1025671
June 16 2011

- http://www.theinquirer.net/inquirer/news/2078576/siemens-patches-industrial-controller-flaws-weaknesses-remain
Jun 13 2011 - "... there is a firmware update available for its S7-1200 programmable logic controller (PLC)... However, the United States Computer Emergency Readiness Team (US-CERT) claimed that the security patch only addresses "a portion" of the flaws*, although it confirmed the effectiveness of the patches and was working with Beresford and Siemens on other problems..."

« Last Edit: June 18, 2011, 03:16:14 by AplusWebMaster »

« Reply #5 on: June 17, 2011, 05:45:31 »
FYI...

ClearSCADA vuln - updates available
- http://secunia.com/advisories/44955/
Release Date: 2011-06-16
Criticality level: Moderately critical
Impact: Cross Site Scripting, System access
Where: From local network
Solution: Update to a fixed version. Please see the CERT advisory for more information.
US-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-10-314-01A.pdf

> http://www.us-cert.gov/control_systems/ics-cert/

- http://www.securitytracker.com/id/1025672
- http://www.securitytracker.com/id/1025673
Jun 16 2011

- http://secunia.com/advisories/44990/
- http://secunia.com/advisories/45033/
Release Date: 2011-06-20
___

- http://www.reuters.com/article/2011/06/17/us-cybersecurity-china-idUSTRE75G0CV20110617
Jun 16, 2011 - "... Sunway's products, widely used in China, are also deployed to a lesser extent in other countries including the United States... Beresford (NSS Labs) has worked with Sunway, Chinese authorities and the DHS to fix the bugs he found. Sunway has developed software patches to plug the holes..."

« Last Edit: June 20, 2011, 04:43:02 by AplusWebMaster »

« Reply #6 on: July 07, 2011, 09:37:06 »
FYI...

ICS-CERT Alert 11-186-01 - Siemens...
- http://www.us-cert.gov/control_systems/ics-cert/
5 July 2011 - "ICS-ALERT-11-186-01 - Password Protection Vulnerability in Siemens SIMATIC Controllers S7-200, S7-300, S7-400 and S7-1200 - This ALERT warns that replay attack vulnerabilities affecting the S7-1200 also are verified to affect the SIMATIC S7-200, S7-300, and S7-400 PLCs"
(PDF file)

CSSP Recommended Practices
- http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html

Potential Password Security Weakness in SIMATIC Controllers
- http://support.automation.siemens.com/WW/view/en/51401544
2011-07-05

> http://www.h-online.com/security/news/item/Even-more-Siemens-industry-control-systems-vulnerable-1275226.html
7 July 2011
___

- http://secunia.com/advisories/45164/
Release Date: 2011-07-08
Impact: Exposure of sensitive information
Where: From local network
Operating System: Siemens SIMATIC S7-200, SIMATIC S7-300, SIMATIC S7-400
Solution: Restrict access to trusted hosts only.

Also see:
- http://secunia.com/advisories/44961/
Last Update: 2011-07-08

- http://www.securitytracker.com/id/1025751
Jul 7 2011
> http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=50182361
2011-05-10

« Last Edit: July 08, 2011, 05:44:00 by AplusWebMaster »

« Reply #7 on: August 12, 2011, 02:52:14 »
FYI...

Siemens SIMATIC S7-300 PLCs advisory
- http://www.securitytracker.com/id/1025912
Aug 10 2011
Version(s): S7-300
Description: A vulnerability was reported in Siemens SIMATIC S7-300 PLCs...
S7-400 PLCs are not affected... vendor's advisory is available at:
- http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=51810333&caller=view

Also see: https://www.us-cert.gov/control_systems/ics-cert/
ICS-CERT advisory "ICSA-11-223-01 - Siemens SIMATIC PLCs Reported Issues Summary"


« Reply #8 on: September 01, 2011, 09:05:19 »
FYI...

ICS-CERT SCADA Alerts update ...
> https://www.us-cert.gov/control_systems/ics-cert/

ICS-ALERT-11-238-01A - Sunway ForceControl SCADA SEH (PDF)
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-238-01A.pdf
31 Aug

Cyber Security for Industrial Control Systems... $4.1 Billion
- http://www.pikeresearch.com/newsroom/utility-investment-in-cyber-security-for-industrial-control-systems-to-total-4-1-billion-by-2018
August 23, 2011

Siemens vuln - update available
- https://secunia.com/advisories/45770/
Release Date: 2011-09-01
Criticality level: Highly critical
Impact: System access
Where: From remote
Software: Siemens SIMATIC WinCC Flexible 2005, Flexible 2007, Flexible 2008
Solution: Apply patches... see vendor's advisory
Original Advisory: Siemens:
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=50182361
2011-05-10
ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf
July 1, 2011

> https://www.us-cert.gov/control_systems/ics-cert/archive.html
See: ICS-CERT Advisory "ICSA-11-175-02 - Siemens WinCC Exploitable Crashes"


« Reply #9 on: September 06, 2011, 04:42:55 »
FYI...

ClearSCADA vuln - updates available
- http://www.securitytracker.com/id/1026009
Sep 5 2011
Impact: User access via network
Fix Available: Yes - Vendor Confirmed: Yes
Version(s): 2005, 2007, 2009, 2010 R1.0
Description: A vulnerability was reported in ClearSCADA. A remote user can access diagnostic functions on the target system...
Solution: The vendor has issued a fix (2010 R1.1).
Vendor URL: http://www.clearscada.com/
> http://resourcecenter.controlmicrosystems.com/display/public/CS/ClearSCADA+2010+R1.1

ICS-CERT SCADA Alerts update ...
> https://www.us-cert.gov/control_systems/ics-cert/

- https://www.us-cert.gov/control_systems/pdf/ICSA-11-173-01.pdf
Aug 25, 2011

« Last Edit: September 06, 2011, 04:45:36 by AplusWebMaster »

« Reply #10 on: September 19, 2011, 06:51:12 »
FYI...

0-day SCADA systems flaws...
- https://www.computerworld.com/s/article/9220099/Researcher_discloses_zero_day_flaws_in_SCADA_systems
September 16, 2011 - "... disclosure prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities. The most recent flaws discovered...  affect SCADA products from six vendors, including Rockwell Automation, Cogent Datahub, Measuresoft and Progea. Several of the flaws could enable remote execution attacks and denial-of-service attacks against the vulnerable systems... The disclosures prompted US-CERT's Industrial Control Systems Cyber Emergency Response Team* to issue advisories about the flaws..."
* http://www.us-cert.gov/control_systems/ics-cert/


« Reply #11 on: October 19, 2011, 03:45:29 »
FYI...

Stuxnet2 - follow-up for SCADA systems - "DuQu"
- https://isc.sans.edu/diary.html?storyid=11836
Last Updated: 2011-10-19 01:36:37 UTC - "... Symantec, McAfee and F-Secure*, to name a few security vendors, released information about what they are calling "DuQu"... because this malware creates some files in the user's temp folder that start with ~DQXXX.tmp (where the XXX can be any number)... There are several common aspects between DuQu and Stuxnet that lead to the conclusion that they were written by the same group. While the original Stuxnet was focused on industrial systems, aka SCADA, this DuQu malware is mostly used in a recon process, being used as an advanced RAT (Remote Administration Tool)... DuQu received commands via an encrypted config file, and seems to download a password stealer that is able to record several behaviors from user and machine and send them to a Command and Control IP in India. Like some of the components of the original Stuxnet, this one was also able to decrypt and extract additional components embedded into other PE files... like Stuxnet, some components had a VALID digital signature..."
* http://www.f-secure.com/weblog/archives/00002255.html

- https://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01A.pdf
October 19, 2011
___

Duqu Q&A
- http://www.secureworks.com/research/threats/duqu/
October 26, 2011
___

- http://www.malwarecity.com/blog/duqu-another-worlds-most-advanced-piece-of-malware-1186.html
Oct 24, 2011

- http://blogs.cisco.com/security/duqu-the-next-stuxnet/
Mary Landesman | October 22, 2011 - "... Duqu is a trojan and is not self-propagating. Conversely, Stuxnet employed a very sophisticated system of self-propagation, including the use of the following exploits, four of which were zero-days at the time of discovery:
Windows Shell .LNK Vulnerability (MS10-046)
Print Spooler Vulnerability (MS10-061)
RPC Handling Vulnerability (MS08-067)
Windows Task Scheduler Vulnerability (MS10-092)
Win32k.sys Keyboard Layout Vulnerability (MS10-071) ...
Duqu appears to be part of a targeted attack designed to gain intelligence on sensitive systems. Targeted attacks, by nature, are not widespread. Thus far, Duqu has been detected at only a small number of companies, mainly in Europe..."
- http://tools.cisco.com/security/center/viewAlert.x?alertId=24425

- http://www.f-secure.com/weblog/archives/00002257.html
October 21, 2011

« Last Edit: October 28, 2011, 10:42:54 by AplusWebMaster »

« Reply #12 on: October 30, 2011, 05:12:54 »
FYI...

India "Duqu" server components confiscated
- http://www.reuters.com/article/2011/10/28/cybersecurity-india-idUSN1E79R1G020111028
Oct 28, 2011 - "Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat. Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu... The equipment seized from Web Werks, a privately held company in Mumbai with about 200 employees, might hold valuable data to help investigators determine who built Duqu and how it can be used... An official in India's Department of Information Technology who investigates cyber attacks also declined to discuss the matter..."
___

- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01D.pdf
October 26, 2011 - "... determined after additional analysis that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu. In addition, as of October 21, 2011, there have been few infections, and there is no evidence based on current code analysis that Duqu presents a specific threat to ICSs. However, organizations should still remain vigilant against this and other sophisticated malware. ICS-CERT also recommends that the ICS community update intrusion prevention systems (IPSs) and antivirus systems to detect Duqu and other new threats. ICS-CERT will continue to analyze the malware, monitor the threat landscape, and report additional information as appropriate..."

« Last Edit: October 30, 2011, 11:53:14 by AplusWebMaster »

« Reply #13 on: November 18, 2011, 08:00:23 »
FYI...

Hacks destroy water utility pump
- http://www.theregister.co.uk/2011/11/17/water_utility_hacked/
17 November 2011 - "Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery... the breach was most likely performed after the attackers hacked into the maker of the supervisory control and data acquisition software used by the utility and stole user names and passwords belonging to the manufacturer's customers. The unknown attackers used IP addresses that originated in Russia... bare-bones details of the hack*..."
* http://community.controlglobal.com/content/water-system-hack-%E2%80%93-system-broken
___

- http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/all/1
November 18, 2011

- http://www.cnn.com/2011/11/18/us/cyber-attack-investigation/index.html
November 18, 2011

- https://www.us-cert.gov/control_systems/ics-cert/

« Last Edit: November 18, 2011, 18:14:43 by AplusWebMaster »

« Reply #14 on: November 23, 2011, 06:05:03 »
FYI...

No evidence of a cyber intrusion in SCADA
- https://krebsonsecurity.com/2011/11/dhs-blasts-reports-of-illinois-water-station-hack/
November 22, 2011 - "... in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI “have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.” The ICS-CERT continued:
“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available”..."

- http://h-online.com/-1383976
23 November 2011
___

SCADA hacks published on Pastebin
- https://isc.sans.edu/diary.html?storyid=12088
Last Updated: 2011-11-23 15:50:30 UTC
___

- http://www.chron.com/news/houston-texas/article/Hacker-targets-South-Houston-sewer-system-2277795.php
November 19, 2011 - "A hacker identified only as "pr0f" posted diagrams of the South Houston sewer system online to show how easy it is to infiltrate the system. South Houston Mayor Joe Soto said Saturday that no harm was done to the sewer system, and the control system known as Supervisory Control and Data Acquisition has been taken offline. "The plant runs automatically anyway," said Soto, who said he found out Friday about the hacking. "We just disconnected the SCADA system. That takes us off being online, where someone could change some of the operations on their own." The Department of Homeland Security and FBI are responding to the incident and will be investigating, Soto said..."

« Last Edit: November 24, 2011, 21:00:07 by AplusWebMaster »
