Letter from BlackHat Federal
Two weeks ago, we had the excellent Shmoocon hacker conference here in D.C., and this week I attended the BlackHat Federal conference, a slightly smaller security conference (nowhere near the size of the annual BlackHat Vegas con each summer) that's geared somewhat to the federal government IT space but also manages to include much of the groundbreaking presentations common at the other cons.
Security researcher David Litchfield of NGS Software kicked it off with a bang by releasing information on a previously unknown and critical flaw in Web software from Oracle Corp. that could let attackers seize control of Oracle databases. Litchfield, who has found a number of flaws in Oracle's products and waited -- sometimes for years -- for the company to issue fixes, said he was disappointed that Oracle did not address the problem he raised in a recent patch update that fixed at least 82 other flaws.
Litchfield said he opted to go public with his findings because Oracle was taking too long to mend serious problems with its software. Oracle quickly lashed back, saying he had put the company's customers at risk.
Researcher John Heasman, also with NGS, presented scary new research explaining how a rootkit could be planted into the computer's BIOS, a fundamental component of each computer that holds information and settings about the hardware installed on the system and how it should run.
Heasman showed how a computer's power management functions could be used to rewrite BIOS information to allow an attacker to plant malicious code and read information stored in system memory. Thanks to Sony BMG for introducing the lay computer user to the wonders of rootkits, which generally are employed by attackers to hide and remain on a system after they have already compromised its security.
The danger of malicious code in the BIOS, Heasman said, is that a rootkit could survive a complete hard-drive reinstallation or even a change in the machine's operating system. While the threat from BIOS-based rootkits is real, Heasman said he doesn't see this technique as something that would be easily exploitable through common viruses and worms, "simply because there are associated difficulties with getting the thing on the system in the first place."
Any given BIOS-attack method most likely would not work on all machines, as BIOS settings are manufacturer-specific. Mucking up something in the BIOS can cause systems to crash or fail to boot altogether, and today's professional hackers can't make money off a dead PC. "I see this more as a threat from insiders, someone who has physical access to the system," Heasman said.
Simson L. Garfinkel from Harvard University presented more research on how far too many businesses are leaving customer data on their computer hard drives when auctioning them on eBay or handing them over to liquidators. Simson has purchased nearly 1,000 hard drives off eBay and managed to track several of them back to their original owners.
One drive from a supermarket held 5,182 credit card numbers, while another from a bank ATM contained some 346 numbers. Another drive, which Simson traced back to a medical center, held more than 11,609 unique account numbers.
Simson said he's disturbed by the number of eBayers apparently willing to pay inordinate amounts of money for relatively old and small hard drives. "Drives that were used on servers are much more likely to contain sensitive and confidential data, and probably 30 percent of [drives on eBay] haven't been wiped. Nobody would legitimately buy a four-gigabyte server drive off eBay."
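A pre-disposal audit in the spirit of Garfinkel's findings, added here as an example (it is not his tooling and not code from the original post): scan a raw disk image for runs of digits that pass the Luhn check, the structure every payment card number shares, and report them masked so the audit log itself does not leak them. The image bytes below are constructed, using well-known test card numbers.

```python
import re

# Constructed sample "disk image": leftover records with digit runs embedded
# among binary filler. The two 16-digit values are public test card numbers.
SAMPLE_IMAGE = (
    b"\x00\x00customer_id=4111111111111111;\x00\x00"  # Luhn-valid test number
    b"order 5500000000000004 shipped\xff\xff"         # Luhn-valid test number
    b"phone 2025551234 not a card\x00"                # too short to be a card
    b"serial 1234567890123456 \x00"                   # 16 digits, fails Luhn
    b"dup 4111111111111111\x00"                       # repeat of the first
)

# Card numbers are 13 to 19 digits; lookarounds stop us matching the middle
# of a longer digit run such as a timestamp or a hash rendered in decimal.
CANDIDATE_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(data: bytes) -> set:
    """Return the unique Luhn-valid digit runs found in a raw image."""
    found = set()
    for m in CANDIDATE_RE.finditer(data):
        s = m.group().decode("ascii")
        if luhn_ok(s):
            found.add(s)
    return found


def mask(number: str) -> str:
    """Keep only the first six and last four digits for the audit report."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def audit(data: bytes) -> dict:
    """Summarise an image: how many unique candidates, shown masked."""
    hits = sorted(find_card_candidates(data))
    return {"unique_candidates": len(hits), "masked": [mask(h) for h in hits]}


if __name__ == "__main__":
    print(audit(SAMPLE_IMAGE))
```

A drive that has actually been wiped should yield zero candidates on its full image; any hit means the wipe failed or never happened.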
The final presentation I sat in on was from Robert Graham, a research engineer at Atlanta-based Internet Security Systems, who gave a rather alarming talk about how the increasing Internet-connectedness of the nation's SCADA systems -- networks and machines that control everything from power plants to manufacturing and pharmaceutical centers to water and sewage systems -- is exposing the nation to cyber terrorism.
Security experts have long predicted that terror groups could take advantage of these weaknesses to launch highly disruptive and potentially deadly cyber attacks, only to be laughed off as "chicken littles" when such attacks failed to materialize.
But Graham's talk, based on experience with a number of penetration tests ISS was hired to conduct at various companies that manage these control systems, showed that a great many SCADA systems were reachable and exploitable over the public Internet -- often through wireless networks that nobody knew were connected to the back-end controls. What's more, because most of those back-end systems are not considered reachable from the general Internet, many of the computers on SCADA networks require little or no authentication.
"Anyone can go to the store and buy a book on penetration testing that will give you all the knowledge you need to cause a widespread power blackout," Graham said. At the end of his presentation, Graham said his talk was designed to increase public awareness of the urgency of the SCADA security problem, not to scare the public into a wild panic.
When asked by several attendees why the public shouldn't panic, Graham responded -- somewhat ironically -- "Because it hasn't happened so far."