Some Highlights from CanSecWest
In any sufficiently complex system -- be it a corporate computer network or the public telephone system -- figuring out how all the moving parts are supposed to work and keeping them functioning demands highly specialized knowledge as well as near real-time information on the system's overall health, stability and security.
But as companies rush to provide and embrace new -- and often hastily designed -- products and services designed to ride on top of core systems, the overall complexity often rises to a level that frequently is beyond the grasp of even those who originally designed its constituent parts.
This dynamic unfortunately feeds right into the hands of clever criminals who profit from exploiting system design flaws by causing a network to behave in manner that its designers never intended or even conceived. In such an environment, companies are placing an increasingly higher premium on timely intelligence about threats that could undermine the integrity of the networks and software they use to support their businesses.
Last week at the CanSecWest security conference in Vancouver, B.C., the attendees were mainly security experts who get paid to think like the bad guys and find the flaws and holes in complex communications systems and software before criminals can exploit them.
"The people speaking here are individuals who have taken a particular domain and exhaustively made sense of it to the point where they can subvert it in a variety of different ways," said Tim Keanini, chief technology officer for nCircle, a vulnerability management company in San Francisco. "In many respects, these guys understand the technology better than people who put it together."
Internet-based telephone networks, also known as "voice over IP" or VoIP for short, are a great example of how security often decreases as complexity increases.
Nico Fischbach, a senior manager in charge of network engineering security for the City of London Telecom (COLT), gave a talk about how most VoIP providers run their entire networks on Linux and Windows systems that have few, if any, security patches installed. The reason, he said, is that many companies that make the software and hardware that COLT and other VoIP providers use (some of the bigger VoIP hardware and software providers include Alcatel, Lucent, Cisco and Siemens) state that they will not support customers who deviate from the configuration that the products are designed to run on -- basically stock operating system installations with no patches, service packs or other security measures in place.
"I can't tell you how many times we've gone to a vendor to say we need you to fix the software so that we can harden the security of the systems that support it, and they just say if you do that you'll break it and we will no longer support you," Fischbach said.
Fischbach said many companies who are moving to VoIP find themselves in a similar situation when they figure out that they must poke all kinds of holes in their firewalls just to be able to make and receive Internet-based phone calls.
"When a customer calls and says their phones don't work, their setups are so complex that trying to find out exactly where the problem might be located is a total nightmare," he said. In the end, the customer often winds up potentially exposing their VoIP systems to anyone on the network who wants to eavesdrop on or intercept internal communications.
It's not just consumer-oriented services like VoIP where these problems emerge. Few man-made technology systems are as complex and in need of securing than the nation's supervisory control and data acquisition (SCADA) systems, networks of hardware devices used to remotely control many of the world's most vital infrastructures, from the power grid to oil and gas refining and distribution, to water and waste systems to chemical processing and manufacturing systems.
SCADA systems have been in use for decades, but only fairly recently have they been hooked up to Windows PCs and to the public Internet. Like Fischbach's VoIP networks, SCADA systems are extremely difficult to patch or harden against certain types of attacks, and as such remain highly vulnerable to compromise or disruption, said Eric J. Byres, a research leader at the Critical Infrastructure Security Center at the British Columbia Institute of Technology.
Byres told of one U.S. pharmaceutical manufacturing company he worked with that was running its SCADA networks over Windows 95 machines. The company said that if it tried to patch the machines or upgrade to a newer operating system, the Food and Drug Administration would have forced it to re-certify the SCADA setup at a cost of more than $200,000.
Byres and his team have been tracking cyber incidents related to SCADA systems going back to 1982. Between 1982 and 2001, they found that just 27 percent of the incidents were from external attacks -- usually from disgruntled employees. But in the 103 incidents recorded by 17 companies in 5 countries from 2001 to Oct. 2005, the majority were caused by external attacks, usually from automated threats such as network worms like "Blaster" and "Slammer."
"The first thing we're seeing is that regular cyber accidents [with SCADA systems] have flatlined while the external attacks have just taken off," Byres said. "The second thing is that the complexity of these SCADA systems after they have been given Internet connections has just exploded."
Controlling SCADA networks with systems that can take months or even years to update with security patches is bad enough, but a great many of the switches and devices that comprise a SCADA network can fail or shut down if they encounter Internet traffic that is somehow malformed or overwhelming, Byres said. He and his team led a demo in which they scanned a SCADA device with a common vulnerability and network traffic scanner, only to watch the thing crash after a few seconds. (Most SCADA devices that crash can be brought back to normal with a simple reboot, but SCADA networks such as those used in power generation and oil and gas systems consist of thousands of devices that often are many hundreds of miles away from the nearest technician.)
Another presentation highlighted the security problems brought on by the complexity of networks and computer systems being built to support "Internet protocol version 6." IPv6, as it is more commonly known, is the next generation of the network standards designed primarily to vastly increase the number of free Internet address spaces.
IPv6 is expected to one day replace IPv4 (the current standard), and while some Internet service providers and companies have already built networks that run IPv6 -- primarily those in China, Japan and South Korea -- it remains unclear how soon a critical mass of ISPs and companies elsewhere will follow suit.
Van Hauser, consultant for German security firm N.Runs and a well-known hacker who has been releasing free security testing tools for more than a decade, noted a number of operating systems already have IPv6 built-in, including Linux and BSD. Windows Vista, the next version of the Microsoft operating system, has had IPv6 built into several beta versions of the operating system, though the latest build does not include it.
This is significant, van Hauser said, because a lot of security software (and end-users of these systems) fail to properly firewall IPv6 traffic, a shortcoming that the bad guys have apparently been exploiting to hide Web traffic generated by data stealing malware they plant once they have compromised a system.
IPv6 also offers the promise of greater data security than IPv4-based networks, mainly through the use of "IP Security" (IPsec), which relies on encryption to ensure that Internet traffic between two online hosts cannot be intercepted and read by an unauthorized third party. The trouble is that very few companies bother to implement IPsec, mainly because it can be expensive and time-consuming to implement and manage. As a result, van Hauser said, anyone on a local IPv6 network can intercept or redirect network traffic.