
Some Highlights from CanSecWest

In any sufficiently complex system -- be it a corporate computer network or the public telephone system -- figuring out how all the moving parts are supposed to work and keeping them functioning demands highly specialized knowledge as well as near real-time information on the system's overall health, stability and security.

But as companies rush to provide and embrace new -- and often hastily designed -- products and services designed to ride on top of core systems, the overall complexity often rises to a level that frequently is beyond the grasp of even those who originally designed its constituent parts.

This dynamic unfortunately feeds right into the hands of clever criminals who profit from exploiting system design flaws by causing a network to behave in a manner that its designers never intended or even conceived. In such an environment, companies are placing an increasingly high premium on timely intelligence about threats that could undermine the integrity of the networks and software they use to support their businesses.

Last week at the CanSecWest security conference in Vancouver, B.C., the attendees were mainly security experts who get paid to think like the bad guys and find the flaws and holes in complex communications systems and software before criminals can exploit them.

"The people speaking here are individuals who have taken a particular domain and exhaustively made sense of it to the point where they can subvert it in a variety of different ways," said Tim Keanini, chief technology officer for nCircle, a vulnerability management company in San Francisco. "In many respects, these guys understand the technology better than people who put it together."

Internet-based telephone networks, also known as "voice over IP" or VoIP for short, are a great example of how security often decreases as complexity increases.

Nico Fischbach, a senior manager in charge of network engineering security for the City of London Telecom (COLT), gave a talk about how most VoIP providers run their entire networks on Linux and Windows systems that have few, if any, security patches installed. The reason, he said, is that many companies that make the software and hardware that COLT and other VoIP providers use (some of the bigger VoIP hardware and software providers include Alcatel, Lucent, Cisco and Siemens) state that they will not support customers who deviate from the configuration the products are designed to run on -- basically stock operating system installations with no patches, service packs or other security measures in place.

"I can't tell you how many times we've gone to a vendor to say we need you to fix the software so that we can harden the security of the systems that support it, and they just say if you do that you'll break it and we will no longer support you," Fischbach said.

Fischbach said many companies that are moving to VoIP find themselves in a similar situation when they figure out that they must poke all kinds of holes in their firewalls just to be able to make and receive Internet-based phone calls.

"When a customer calls and says their phones don't work, their setups are so complex that trying to find out exactly where the problem might be located is a total nightmare," he said. In the end, the customer often winds up potentially exposing its VoIP systems to anyone on the network who wants to eavesdrop on or intercept internal communications.

It's not just consumer-oriented services like VoIP where these problems emerge. Few man-made technology systems are as complex, and as much in need of securing, as the nation's supervisory control and data acquisition (SCADA) systems: networks of hardware devices used to remotely control many of the world's most vital infrastructures, from the power grid to oil and gas refining and distribution, to water and waste systems, to chemical processing and manufacturing systems.

'SCADA' Threats

SCADA systems have been in use for decades, but only fairly recently have they been hooked up to Windows PCs and to the public Internet. Like the VoIP networks Fischbach described, SCADA systems are extremely difficult to patch or harden against certain types of attacks, and as such remain highly vulnerable to compromise or disruption, said Eric J. Byres, a research leader at the Critical Infrastructure Security Center at the British Columbia Institute of Technology.

Byres told of one U.S. pharmaceutical manufacturing company he worked with that was running its SCADA networks over Windows 95 machines. The company said that if it tried to patch the machines or upgrade to a newer operating system, the Food and Drug Administration would have forced it to re-certify the SCADA setup at a cost of more than $200,000.

Byres and his team have been tracking cyber incidents related to SCADA systems going back to 1982. Of the incidents recorded between 1982 and 2001, they found that just 27 percent came from external attacks, with the remainder originating inside the affected organizations -- usually with disgruntled employees. But in the 103 incidents recorded by 17 companies in 5 countries from 2001 to Oct. 2005, the majority were caused by external attacks, usually from automated threats such as the network worms "Blaster" and "Slammer."

"The first thing we're seeing is that regular cyber accidents [with SCADA systems] have flatlined while the external attacks have just taken off," Byres said. "The second thing is that the complexity of these SCADA systems after they have been given Internet connections has just exploded."

Controlling SCADA networks with systems that can take months or even years to update with security patches is bad enough, but a great many of the switches and devices that comprise a SCADA network can fail or shut down if they encounter Internet traffic that is somehow malformed or overwhelming, Byres said. He and his team led a demo in which they scanned a SCADA device with a common vulnerability and network traffic scanner, only to watch the thing crash after a few seconds. (Most SCADA devices that crash can be brought back to normal with a simple reboot, but SCADA networks such as those used in power generation and oil and gas systems consist of thousands of devices that often are many hundreds of miles away from the nearest technician.)

IPv6 Worries

Another presentation highlighted the security problems brought on by the complexity of networks and computer systems being built to support "Internet protocol version 6." IPv6, as it is more commonly known, is the next generation of the Internet's core network protocol, designed primarily to vastly increase the number of available Internet addresses.

IPv6 is expected to one day replace IPv4 (the current standard), and while some Internet service providers and companies have already built networks that run IPv6 -- primarily those in China, Japan and South Korea -- it remains unclear how soon a critical mass of ISPs and companies elsewhere will follow suit.

Van Hauser, a consultant for the German security firm N.Runs and a well-known hacker who has been releasing free security testing tools for more than a decade, noted that a number of operating systems already have IPv6 built in, including Linux and BSD. Windows Vista, the next version of the Microsoft operating system, has had IPv6 built into several beta versions of the operating system, though the latest build does not include it.

This is significant, van Hauser said, because a lot of security software (and the end-users of these systems) fails to properly firewall IPv6 traffic, a shortcoming that the bad guys have apparently been exploiting to hide the Web traffic generated by data-stealing malware they plant once they have compromised a system.
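The gap van Hauser describes is easy to reproduce on a dual-stack Linux host: the administrator writes a default-deny iptables policy and never touches ip6tables, so the kernel's default ACCEPT policy still applies to every IPv6 packet. The script below is an added example, not code from the article or from van Hauser's tools. It assumes Linux netfilter and the iptables-save / ip6tables-save dump format; both rule dumps are constructed samples. It reports the chains that are closed for IPv4 but open for IPv6 and emits a minimal ip6tables ruleset that mirrors the IPv4 policy.

```shell
#!/bin/sh
# Added example (not from the article): compare the default policies of an
# IPv4 (iptables-save) and an IPv6 (ip6tables-save) filter table, report the
# built-in chains that are closed for IPv4 but open for IPv6, and print an
# ip6tables-restore ruleset that closes the gap. Linux netfilter is assumed.

# Constructed sample: a default-deny IPv4 firewall that only admits SSH.
IPV4_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: what ip6tables-save prints on a host where nobody ever
# configured IPv6 filtering. Every chain still has the kernel default ACCEPT.
IPV6_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# chain_policy CHAIN: read a *filter dump on stdin, print CHAIN's default policy.
chain_policy() {
  awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# ipv6_gaps V4_DUMP V6_DUMP: print, space separated, the built-in chains whose
# policy is DROP for IPv4 but anything else for IPv6. Empty output means no gap.
ipv6_gaps() {
  gaps=""
  for chain in INPUT FORWARD OUTPUT; do
    p4=$(printf '%s\n' "$1" | chain_policy "$chain")
    p6=$(printf '%s\n' "$2" | chain_policy "$chain")
    if [ "$p4" = "DROP" ] && [ "$p6" != "DROP" ]; then
      gaps="$gaps $chain"
    fi
  done
  printf '%s\n' "${gaps# }"
}

# hardened_v6_rules: print an ip6tables-restore ruleset mirroring the IPv4
# policy above. ICMPv6 is admitted on purpose: Neighbor Discovery, router
# advertisements and path MTU discovery all ride on it, so a blanket drop
# would cut the host off IPv6 rather than secure it.
hardened_v6_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: audit the constructed dumps, then show what closes the gap.
gaps=$(ipv6_gaps "$IPV4_RULES" "$IPV6_RULES")
if [ -n "$gaps" ]; then
  echo "IPv6 chains open while IPv4 is closed: $gaps"
  echo "Suggested ip6tables-restore input:"
  hardened_v6_rules
else
  echo "IPv6 policy matches IPv4"
fi
```

On a live host, run the same comparison against real dumps with `ipv6_gaps "$(iptables-save)" "$(ip6tables-save)"` (both need root), and load the corrected ruleset with `hardened_v6_rules | ip6tables-restore`. The check only compares default policies; per-rule differences between the two stacks still need a manual read, and if the host's IPv6 ruleset needs more than ICMPv6 and SSH, restrict the `ipv6-icmp` line to the message types actually required instead of deleting it.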

IPv6 also offers the promise of greater data security than IPv4-based networks, mainly through the use of "IP Security" (IPsec), which relies on encryption to ensure that Internet traffic between two online hosts cannot be intercepted and read by an unauthorized third party. The trouble is that very few companies bother to implement IPsec, mainly because it can be expensive and time-consuming to deploy and manage. As a result, van Hauser said, anyone on a local IPv6 network can intercept or redirect network traffic.

By Brian Krebs  |  April 10, 2006; 6:00 AM ET
Categories:  From the Bunker  


It is a pity modular software systems and components are more a concept than a reality. I can't help but think too much software is just made to work in some arbitrary fashion rather than designed to integrate within specifications. I regularly update Windows XP, and other software functions like protection, printer and scanner software work without any issue, as I would expect any properly designed software to do. Makes one wonder what some so-called software companies are about if their product cannot stand OS security updates. One wonders why people do business with them in the first place.

Posted by: Anonymous | April 10, 2006 8:07 AM | Report abuse

The continue link for the article no longer works.

Posted by: Anonymous | April 10, 2006 9:01 AM | Report abuse

These types of stories make me feel good about genetic engineering programs. If we can't successfully understand, manage, and modify systems that we create, what are the chances of doing it successfully for those we don't?

Posted by: gary | April 10, 2006 9:18 AM | Report abuse

IPv4 to IPv6 = this is progress?

Posted by: Pete from Arlington | April 10, 2006 9:56 AM | Report abuse

Continue link now working. Apologies for delay...

Posted by: editors | April 10, 2006 10:04 AM | Report abuse

"Makes one wonder what some so called software companies are about if their product cannot stand OS security updates."

I believe the reason that software is not supported for OS upgrades is a result of disciplined behavior to keep costs lowest. VOIP communications are dominated by a rush to get the cheapest connection at the sacrifice of everything else. A technically superior solution would be more expensive to everyone, which will necessarily increase end customer prices. And until there's some clearly perceived benefit of using safer, "better" software, the end customer - corporate and private equally - is only interested in getting the service for cheapest.

Posted by: 20850 | April 10, 2006 10:43 AM | Report abuse

re: VOIP providers run their servers without OS patches or service packs

If a "black hat" intruder manages to get inside a VOIP company, he could record inbound traffic to certain 800 numbers, i.e. the ones for financial institutions and brokerages, and pick up account numbers and PINs.

Posted by: Ken L | April 10, 2006 11:39 AM | Report abuse

IPv6 also offers the promise of greater data security than IPv4 based networks, mainly through the use of "IP Security" [...]

Cf. IPv6 Task Force, Technical and Economic Assessment of Internet Protocol, Version 6 (IPv6), U.S. Department of Commerce, January 2006. Section 3: Security Implications of IPv6.

A number of commenters contend that IPv6 will provide a greater level of security than is available under IPv4. [...]

[A]lthough IPsec support is mandatory in IPv6, IPsec use is not. In fact, many current IPv6 implementations do not include IPsec. On the other hand, though optional, IPsec is being widely deployed in IPv4. There appear to be no appreciable technical differences in the way that IPsec is implemented in either protocol, and several commenters state that there are no significant functional differences in the performance of IPsec in IPv6 and IPv4 networks. [...]

Posted by: nedu | April 10, 2006 11:42 AM | Report abuse

(& P.S.: Brian, could your blog here please allow some minimal markup, and implement a preview button. Unless, of course, you're actively trying to discourage links to, and quotes from, relevant documents...)

Posted by: nedu | April 10, 2006 11:51 AM | Report abuse

"Byres told of one U.S. pharmaceutical manufacturing company he worked with that was running its SCADA networks over Windows 95 machines. The company said that that if it tried to patch the machines or upgrade to a newer operating system, the Food and Drug Administration would have forced it to re-certify the SCADA setup at a cost of more than $200,000."

The $200,000 cost of recertifying the upgraded and hardened SCADA system could be paid easily out of the multimillion dollar advertising budget that most pharmaceutical companies spend every year. $200K is a drop in the bucket, and listening to this kind of whine from these companies about the small cost, relative to their profits and other spending priorities, of critical infrastructure upgrades makes me sick.

Posted by: Bryant | April 10, 2006 12:18 PM | Report abuse

Your RSS feed is somewhat borked. The paragraph breaks from your original articles don't come through (there are no line breaks in the XML), so when some viewers attempt to render this, they get a massive blob of text that is all crammed into a single line.

This produces things like...

"miles away from the nearest technician.)IPv6 WorriesAnother presentation highlighted the security problems brought on by the..."

It's _nasty_. Can somebody... fix that?


Posted by: Matthew Murphy | April 10, 2006 3:12 PM | Report abuse

Fix Nico's lastname ;-) It's Fischbach.

Posted by: Danny | April 11, 2006 3:14 AM | Report abuse

"Time to Market" drives new technology. Period. And VoIP networks vendors, be they providers or services or manufactures, are no different.

"So who can I point my finger at then!?" When you point your finger at a VoIP vendor three fingers are pointing back at you. You the customer and you the shareholder.

"So what can I do?" Run the SiVuS (SIP Vulnerability Security) tool (in a QA environment) against your devices. It's easy! Remember, three fingers are on you! Run SiVuS. www -dot - vopsecurity -dot- org

Ask your VoIP vendors for documentation on testing they've performed. Ask if they have a methodology for testing. Ask to see the results. Three fingers are on you.

Posted by: Guy H@dsall | April 11, 2006 11:09 AM | Report abuse

Interesting! All of my SCADA systems from the early 1980s up through the mid-1990s run on VMS or OpenVMS. They are all still running and have never been hacked. To the best of my knowledge, OpenVMS still has NEVER BEEN HACKED. And you people continue to take an "office" operating system approach to mission-critical applications. Just go back to the VMS world and all your problems will go away.

Simple isn't it!!!

Posted by: Craig | April 12, 2006 4:38 AM | Report abuse

OpenVMS isn't bulletproof either. It's just so obscure nowadays that no one is using modern ideas to find bugs in it. OpenVMS is probably a treasure trove of easily exploitable bugs.

Posted by: Sean | April 18, 2006 6:02 AM | Report abuse

You can't be serious?!?

Posted by: Mary Box | August 4, 2006 12:59 PM | Report abuse
