“We are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially.”
Commissioner Leppard, City of London Police (2014)
Understanding the Threats
Tutorial on the Cybersecurity of Safety-Critical Systems
Prof. Chris Johnson,
School of Computing Science, University of Glasgow, Scotland.
http://www.dcs.gla.ac.uk/~johnson
Schedule
First Briefing
Understanding the Threats
Detailed patterns of attack.
Second Briefing
What can be done?
Protection, forensics and recovery.
Third Briefing
More detailed case studies…
Securing space-based assets.
Sanity Check…
• This is only an initial overview…
Previously…
Consultant with ANSPs in Austria, Belgium, China, Croatia,
Cyprus, Denmark, Estonia, Germany, Hungary, Ireland, Israel,
Luxembourg, Malta, Norway, Portugal, Slovakia, Slovenia,
Spain, Switzerland, Turkey, UK etc.
SESAR, EASA and the Future of Aviation?
Cybersecurity Expert for UN CBRN Inspectors
Cybersecurity Consultant to EDF
Cybersecurity Consultant to SESAR JU
Overview
• Nature of the Threats:
– Insider attacks;
– Crowdsourcing and Hacktivism;
– Social Attacks and Spear Phishing;
– Certification attacks; Configuration Attacks;
– Command and Control Servers;
– Stuxnet; Sniffers…
• Next: What Can We Do?
Aim is to Provoke Discussion...
• Recent trends in ATM Engineering.
• Increasing complexity in software networks:
– Leads to more complex failure modes.
• Increasing use of COTS products:
– Leads to new security threats.
• Increasing use of sub-contractors.
Copyright C.W. Johnson, 2014
The Future: SESAR Delivery Manager
Is SESAR A Threat to Cybersecurity?
Aging, Complex Critical Infrastructures...
http://www.iaa.ie/files/2008/news/docs/20080919020223_ATM_Report_Final.pdf
The Real Impact
• "The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers."
• "Send the buggers to Shannon, if it was a commercial company they would have done so."
• "They're not on top of the job. We're talking about 25 arrivals and departures per hour. The air traffic controllers should be capable of handling this volume of flights."
Michael O'Leary, CEO Ryanair
http://www.herald.ie/news/oleary-more-disruption-if-iaa-doesnt-clean-up-act-1431408.html
Need ATM Engineering Incident Exchange
• Fault stems from Salt Lake City:
– hardware fault on router circuit board;
– Network interface affects comms with Atlanta;
– Network owned/operated by Harris Corp...
– “We are working with the FAA to diagnose problem
and explain the failure of backup systems...”
• Sen. Charles Schumer:
“The country’s aviation system is in shambles, the FAA needs to upgrade the system, these technical glitches that cause cascading chaos are too regular an occurrence...”
NextGen: En Route Automation Modernization
• $2.1 Billion upgrade.
• Faults lead to ‘missing’ flight plans:
– Other aircraft change identity in flight;
– Again cannot transfer flight data to Atlanta etc.;
– Undermines ATCO confidence in the system;
– ‘Fallback’ is the original 20-year-old IBM system;
– IBM contract expired; written in Jovial, a rarely used language.
• Test deployment to Salt Lake City:
– FAA spent $14 million, still not working.
– Salt Lake City is simple compared to Chicago...
Testing can prove the presence
of errors, but not their absence.
Copyright C.W. Johnson, 2013
Edsger W Dijkstra (1930-2002)
Keylogger: Predator and Reaper GCS, Creech Air Force Base
Aim is to Provoke Discussion...
• Common software components into ATM:
– networks, Linux, VOIP, SBAS...
• Safety concerns everywhere:
– Huge problems of competence – including regulators;
– Many conflicts between safety and security;
– Inconsistent, inapplicable rules (lack of HF input);
– Consistent, known violation of policies.
Paranoia?
• Many policies only exist on paper.
• Huge problem with complacency.
• “FAA ineffective in all critical areas including operational systems information security, future systems modernization security, management structure, policy implementation”.
US Government Auditors Office
DoT Review of FAA CyberSecurity
DoT: "unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations."
“Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks"
Conflict Between Security and Safety
• Existing safety standards, e.g. ED-153:
– Focus on verification and validation;
– In proportion to SWAL/criticality.
• Anti-viral systems violate ED-153:
– Updated every 24-48 hours;
– Could themselves bring down the ACC;
– Cannot test anti-virus definitions without increasing security exposure.
• Do you want safety or security?
– Can have both, e.g. the banking approach.
Vulnerabilities
• ‘Mass market’ viruses.
• You cannot disconnect the Internet.
– Virtual channels from USB sticks.
• Contractors violate security policies:
– My students take the systems to pieces…
• SESAR and NextGen scare me:
– Increasing traffic loads / systems integration.
The Insider Threat (1): Malicious
• NIST’s US SCADA sewage system:
– 46 radio commands released 800,000 litres of raw sewage.
• Arrested with a PC and a Motorola M120 radio:
– Serial numbers ordered by the company;
– PDS Compact 500 computer control device;
– Mimicked a pumping station to test commands.
• Sub-contractor – disguised his attacks…
Copyright C.W. Johnson, 2012
Insider Threat (2): Righteous?
Insider Threat (3): Negligent
• Negligent violations (e.g. passwords):
– They were told GOOD rules but ignored them;
– Lack of audit or regular training;
– Management implicit support?
• Justified(?) violations:
– They were told BAD rules and had to ignore them;
– Rules couldn’t be applied (no software etc);
– Rules applicable but threaten profit/safety etc…
• Routine vs exceptional violations.
Some Recent Attacks
• Never underestimate the power of evil.
– Chinese hospital, Shenzhen province:
– Insiders leave a backdoor;
– Remote access to electronic patient records.
• How much harm can this do?
• European General Data Protection Regulation:
– Fines 2% of global annual turnover in 24 hours;
– Into force this year (replaces Directive 95/46/EC).
Some Recent Attacks
• Extortion attack.
• Sub-contractor:
– Lack of background checks;
– Corrupted the backups (not secure);
– Waited 4 months then deleted primary copy.
• Bank asked for €2.5 million.
Some Recent Attacks….
• ANSP label on 13 switches from eBay:
– Flash memory for configuration data;
– Not erased prior to sale;
– ANSP have external disposal contract but…
• Used by sub-contractor at ACC:
– Supervisor login for VLAN;
– Upstream switch addresses/configs;
– VTP trunk info and password;
– SNMP community strings…
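The slide above lists what was still on the switches when they were sold. As an added example (not from the deck or the ANSP), the check below scans an IOS-style running configuration for exactly that class of residue before a device leaves the organisation; the config text and the pattern set are constructed assumptions.

```python
import re

# Configuration lines that must not leave the organisation on sold hardware.
# IOS-style keyword syntax is assumed; adapt the patterns for other vendors.
SENSITIVE_PATTERNS = {
    "snmp_community": re.compile(r"^snmp-server community\s+(\S+)", re.M),
    "vtp_password":   re.compile(r"^vtp password\s+(\S+)", re.M),
    "enable_secret":  re.compile(r"^enable (?:secret|password)\s+(?:\d\s+)?(\S+)", re.M),
    "local_user":     re.compile(r"^username\s+(\S+)\s+(?:privilege \d+\s+)?(?:secret|password)", re.M),
    "ip_address":     re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)", re.M),
    "trunk_port":     re.compile(r"^\s*switchport mode trunk", re.M),
}

# Constructed sample: what a switch that was never wiped might still hold.
SAMPLE_CONFIG = """\
hostname acc-core-sw01
enable secret 5 $1$example$hashedsecretvalue
username supervisor privilege 15 secret 5 $1$example$anotherhash
vtp domain acc-ops
vtp password ops-vtp-key
interface GigabitEthernet0/1
 switchport mode trunk
interface Vlan10
 ip address 10.20.30.2 255.255.255.0
snmp-server community public RO
snmp-server community ops-rw RW
"""

# A factory-reset device leaves little behind (constructed).
WIPED_CONFIG = "hostname Switch\n"


def residual_secrets(config: str) -> dict:
    """Map each finding class to its matches; an empty dict means nothing found."""
    findings = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        hits = [m.group(1) if m.groups() else m.group(0).strip()
                for m in pattern.finditer(config)]
        if hits:
            findings[name] = hits
    return findings


def safe_to_dispose(config: str) -> bool:
    """True only when no sensitive configuration remains."""
    return not residual_secrets(config)


if __name__ == "__main__":
    for name, hits in residual_secrets(SAMPLE_CONFIG).items():
        print(f"{name}: {len(hits)} found")
```

Run it against the configuration pulled from each unit after the wipe, and treat any non-empty result as a failed disposal, regardless of what the external disposal contract says.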
Some Recent Attacks…
• Regulator receives airprox radar data.
• ANSP and regulator use same player.
• ANSP ROM contains Conficker.
• Regulator warns ANSP:
– They claim player is obsolete anyway…
– ‘No further investigation’ at this time?
Estonia, April-May 2007
• June 1940, Soviets annex Estonia.
• After independence:
– Ethnic Russians lose Estonian citizenship;
– Dispute over moves to Bronze Soldier of Tallinn;
– Riots kill one and injure more than 150 people.
• Two phase attack:
– Emotional ‘crowdsourcing’ (download scripts);
– focused attacks using criminal infrastructures.
Estonia and Paranoia?
Chatham House report:
“The severity of the attacks on one of
NATO’s most electronically connected
members put the alliance on guard.
If a highly wired small state could be
brought to its knees then what type of
havoc could be wrought upon larger states
with more heterogeneous systems and
critical infrastructure open to attack?”
Estonia, April-May 2007
• DDoS on e-banking:
– Hansapank: 2 hours on 9-10 May;
– Eesti Ühispank’s online bank: 3 hours on 15 May.
• US Computer Emergency Readiness Team:
– ‘watershed’ attack but not revolutionary.
Georgia, August 2008
• Armed conflict between Georgia & Russia:
– 1922 North Ossetia in Russia, South in Georgia;
– 1990 S. Ossetia gains de facto independence.
• Cyber-attacks prior to armed conflict:
– ICMP floods/HTTP ‘GET’ requests in July.
• But Georgian infrastructure vulnerable:
– half of 13 interconnections through Russia;
– Only 5 ISPs, 75% use Caucasus Network Tbilisi;
– Prior to war, began building link via Bulgaria…
Georgia, August 2008
• Attacks lasted from 2 hours up to 6 hours:
– HTTP-based botnet (a sign of Russian botnet herders).
• 5-stage crowdsourcing similar to Estonia:
1. Encouragement to get involved in cyber war;
2. Publishing a target list of Georgian government web sites which have been tested for access;
3. Selecting types of malware against the target web site;
4. Launching the attack and, optionally,
5. Evaluating the results and iterating previous stages.
“Go But You Will Never Work Here Again…”
China, GhostNet and Shadow, March 2009
• Active defence and the attribution problem…
– No definitive proof of Chinese state involvement
• Use of social media and Gmail:
– Use of Tor anonymity server…
• Infection of Dalai Lama’s office:
– Tailor email so recipient opens attachment;
– Trojan horse onto victim’s machine;
– Information forwarded to control servers.
– Use genuine document on compromised machine?
W32.STUXNET, March 2010
• W32.Stuxnet multi-component malware:
– Attacks Programmable Logic Controllers (PLCs).
• Stuxnet has up to 4 zero-day exploits:
– ATM very vulnerable to this…
– Unusual range of languages (C/C++): a team?
– Used 2 legitimate Taiwanese digital signatures…
• Command & control servers identified:
– Located in Malaysia and Denmark;
– 155 countries, 40,000 IP addresses.
W32.STUXNET, March 2010
• Monitors the frequency of attached devices:
– Attacks systems operating at 807-1210 Hz.
• Triggers a state machine to hide the ‘sabotage’:
1. Wait 13 days;
2. Set maximum frequency to 1410 Hz;
3. Wait 27 days;
4. Set maximum frequency to 2 Hz;
5. Set maximum frequency to 1064 Hz;
6. Go to 1.
• Comparison with Dublin Airport.
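The state machine on this slide, replayed as an added example (not code from the deck, and a simplification of the real malware as the slide presents it) together with the kind of check a plant historian could run against it. The detector is an assumption: it supposes the commanded setpoints are available from a source the malware does not rewrite.

```python
from typing import List, Tuple

# Normal operating band of the targeted drives, per the slide (Hz).
NORMAL_BAND = (807.0, 1210.0)

# The slide's loop as (days_to_wait, new_max_frequency_hz) steps:
# wait 13 days -> 1410 Hz; wait 27 days -> 2 Hz; immediately -> 1064 Hz; repeat.
SABOTAGE_STEPS = [(13, 1410.0), (27, 2.0), (0, 1064.0)]

Event = Tuple[int, float]  # (day, commanded maximum frequency in Hz)


def sabotage_timeline(cycles: int, start_max_hz: float = 1064.0) -> List[Event]:
    """Replay the state machine for `cycles` loops; return every setpoint change."""
    day, events = 0, [(0, start_max_hz)]
    for _ in range(cycles):
        for wait_days, freq in SABOTAGE_STEPS:
            day += wait_days
            events.append((day, freq))
    return events


def find_excursions(events: List[Event], band=NORMAL_BAND) -> List[Event]:
    """Setpoint changes that leave the design band (constructed defensive check).

    A historian or alarm comparing *commanded* setpoints against the process
    envelope, fed from a source the malware cannot rewrite, flags each one.
    """
    lo, hi = band
    return [(d, f) for d, f in events if not lo <= f <= hi]


def days_outside_band(events: List[Event], end_day: int, band=NORMAL_BAND) -> int:
    """Days the commanded maximum sat outside the band up to `end_day`.

    With the slide's 13/27-day cadence most of each 40-day cycle is spent at
    1410 Hz, so a trend over weeks shows what a short sample would miss.
    """
    lo, hi = band
    total = 0
    for i, (d0, f) in enumerate(events):
        d1 = events[i + 1][0] if i + 1 < len(events) else end_day
        if not lo <= f <= hi:
            total += max(0, min(d1, end_day) - d0)
    return total
```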
W32.STUXNET, March 2010
• Symantec:
– Need 5-30 people for 6 months;
– Elite hacktivist group? State lab or agency?
– Social networking with state encouragement?
• But STUXNET didn’t work…
– around 900 centrifuges damaged;
– replaced in months not years.
• Iranian Technology Council worried:
– New anti-virus software was also infected.
W32.Duqu
• Written by the same ‘team’ as STUXNET?
– Or by a team with access to the source code.
• Remote Access Trojan (RAT).
– Industrial infrastructure and manufacturers;
– Playing a similar role to Siemens and Step-7;
– Intelligence gathering for attack on 3rd parties;
• Delivered via an emailed Word document with a 0-day kernel exploit:
– Contains an installer and uses process injection.
W32.Duqu: C&C Breaking Firewalls
[Figure: Corporate Network / Operational Network]
W32.Duqu
• Duqu will inject malware into:
– Internet Explorer; Firefox;
– Trend Micro PC-cillin AntiVirus Real-time Monitor.
• Checks for anti-viral products:
– avp.exe, Mcshield.exe, avguard.exe, bdagent.exe,
UmxCfg.exe, fsdfwd.exe, rtvscan.exe,
ccSvcHst.exe, ekrn.exe, tmproxy.exe,
RavMonD.exe.
• Extends Stuxnet to deal with Kaspersky…
W32.Duqu: C&C Linux Server Deletion
Operation Black Tulip
• DigiNotar, digital certificate authority (CA):
– cyber-attack eventually led to bankruptcy;
– False certificates for 100s of websites, including Google & Skype.
• Did not report incident to CERT etc:
– for 2 months there were false DigiNotar certificates;
– used to eavesdrop on email and web browsing in Iran.
• Once incident made public:
– Dutch government & browser vendors limit impact.
Overview
• Now: Background:
– Is it a bug or an attack? Dijkstra…
• Now: Nature of the Threats:
– Crowdsourcing and Hacktivism;
– Social Attacks and Spear Phishing;
– Certification attacks; Configuration Attacks;
– Command and Control Servers;
– Stuxnet; Sniffers…
• Next: What Can We Do?
What Can Be Done: Cyber Exercises…
What Can Be Done: Simplified Attack
The Stuxnet Scenario
Any Questions?