[cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-15 Thread Eric Murray
Food for thought and grounds for further research:


- Forwarded message from "Bernie, CTA" <[EMAIL PROTECTED]> -

Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
Delivered-To: mailing list [EMAIL PROTECTED]
Delivered-To: moderator for [EMAIL PROTECTED]
From: "Bernie, CTA" <[EMAIL PROTECTED]>
Organization: HCSIN
To: [EMAIL PROTECTED]
Date: Fri, 15 Aug 2003 14:09:12 -0400
Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
Priority: normal
In-reply-to: <[EMAIL PROTECTED]>
X-mailer: Pegasus Mail for Windows (v4.11)

It is ridiculous to accept that a lightning strike could knock 
out the grid, or that the transmission system is overstressed. There 
are many redundant fault, limit and voltage-surge protection 
safeguards and related instrumentation and switchgear installed 
at the distribution centers and substations along the power 
grid that would have tripped to prevent or otherwise divert such 
a major outage. 

I believe that the outage was caused by the MSblaster, or its 
mutation, which was besieged upon the respective vulnerability 
in certain control and monitoring systems (SCADA and otherwise) 
running MS 2000 or XP, located at different points along the grid. 
Some of these systems are accessible via the Internet, while 
others are accessible by POTS dialup, or private Frame Relay and 
dedicated connectivity.

Being an old PLC automation and control hack, let me say that 
there is a very good plausibility that the recent East Coast 
power outage was due to an attack by an MBlaster variant on the 
SCADA system at the power plant master terminal, or more likely 
at several of the remote terminal units ("RTU"). SCADA runs under 
Win2000 / XP and the telemetry to the RTU is accessible via the 
Internet.

From what I recall, SCADA-based monitoring and control systems 
were installed at many water / sewer processing, gas and oil 
processing, and hydro-electric plants. 

I also believe that yesterday's flooding of a generator sub-
facility in Philadelphia was also due to an MBlaster variant 
attack on the SCADA or similarly Win 2000 / XP based system.  

To make things worse, the Web Interface is MS ActiveX. Now let's 
see, how can one craft an ActiveX vuln vector into the blaster?

Oh, and for the wardrivers, SCADA being accessible via wireless 
connections on the road puts a new perspective on sniffing 
around sewer plants.

It is also reasonable to assume that we could have a similar 
security threat regarding those systems (SCADA and otherwise, 
based on MS 2000 or XP) involved in the control, data 
acquisition, and maintenance of other critical infrastructure, 
such as inter/intra-state gas distribution, nuclear plant 
monitoring, water and sewer processing, and city traffic 
control. IMO

I think we will see a lot of finger pointing by government 
agencies, utilities, and politicians for the grid outage, until 
someone confesses to the security dilemma and vulnerabilities in 
the systems which are involved in running this critical 
infrastructure.

Regardless of whether the grid outage can be attributed to the 
blaster or its variant, this is not entirely a Microsoft 
problem, as it reeks of poor system security engineering 
practiced by the utility companies and associated equipment and 
technology suppliers.

Nonetheless, the incident will cause lots of money to be 
earmarked by the US and Canadian Governments, to be spent in an 
attempt to solve the problem, or more specifically calm the 
public. 

This incident should be fully investigated, and regulations 
passed to ensure that the Utility companies and their suppliers 
develop and implement proper safeguards that will help prevent 
or at least significantly mitigate the effects of such a 
catastrophe. 

Conversely, I do not want to see our Government directly 
involved in yet another "business", which has such a controlling 
impact over our individual lives. 

-




On 14 Aug 2003 at 15:18, Geoff Shively wrote:

> Just flipped on CNN, watching the masses snake through the
> streets of Manhattan as correspondents state that this could be
> an affect of the blaster worm.
> 
> Interesting but I don't see how an worm of this magnitude
> (smaller than that of Slammer/Sapphire and others) could
> influence DCS and SCADA systems around the US, particularly just
> in the North East.
> 
> Thoughts?
> 
> 
> Cheers,
> 
> Geoff Shively, CHO
> PivX Solutions, LLC
> 
-

Bernie 
Chief Technology Architect
Chief Security Officer
[EMAIL PROTECTED]
Euclidean Systems, Inc.
***
// "There is no expedient to which a man will not go 
//to avoid the pure labor of honest thinking."   
// Honest thought, the real business capital.
//  

Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-16 Thread Chris Kuethe
On Fri, 15 Aug 2003, Harmon Seaver wrote:

> Somehow I have difficulty believing that these people could be so totally lame
> as to be running mission-critical stuff like this on windoze. Please say it
> isn't true.

it's scary just how much mission-critical stuff runs on windows. i'll
confess right now to being a unix zealot, so the thought of anything
mission critical (beyond hotmail and freecell) on windows is scary.

i know of some fairly large installations running control systems for power
generation on windows. these same sites then give the vendors access to the
system via vpn across the internet. sure there are firewalls, but i don't
have faith in the long-term maintenance of the vendor sites.

> Is the military also now dependent on windoze? Bizarre, absolutely
> bizarre. And here I thought it was probably caused by people with potato guns
> firing tennis balls filled with concrete, attached to coils of wire cable,
> dropping them across the power lines and transformer stations.

the power lines are certainly low-hanging fruit...

CK

-- 
 GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-16 Thread John Young
Are you suggesting the outage was caused by carbon filaments rocketed
across transmission lines? If that was done at several points in the grid it 
would account for the various finger-pointing to incidents which are claimed
to have started the usual-suspect "cascade" of the usual-suspect "antiquated" 
system that was "not supposed to fail but it did."

Perhaps a re-inventory of the USAF's storehouse of BLU-114s is needed to
double-check that story about lightning strike.


Harmon Seaver wrote:
> Somehow I have difficulty believing that these people could be so
> totally lame as to be running mission-critical stuff like this on windoze.
> Please say it isn't true. Is the military also now dependent on windoze?
> Bizarre, absolutely bizarre. And here I thought it was probably caused by
> people with potato guns firing tennis balls filled with concrete, attached
> to coils of wire cable, dropping them across the power lines and
> transformer stations.



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-16 Thread Harmon Seaver
Somehow I have difficulty believing that these people could be so totally lame
as to be running mission-critical stuff like this on windoze. Please say it
isn't true. Is the military also now dependent on windoze? Bizarre, absolutely
bizarre. And here I thought it was probably caused by people with potato guns
firing tennis balls filled with concrete, attached to coils of wire cable,
dropping them across the power lines and transformer stations. 


 -- 
Harmon Seaver   
CyberShamanix
http://www.cybershamanix.com



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-16 Thread Roy M. Silvernail
On Friday 15 August 2003 22:29, Chris Kuethe wrote:
> On Fri, 15 Aug 2003, Harmon Seaver wrote:
> > Somehow I have difficulty believing that these people could be so totally
> > lame as to be running mission-critical stuff like this on windoze. Please
> > say it isn't true.
>
> it's scary just how much mission-critical stuff runs on windows. i'll
> confess right now to being a unix zealot, so the thought of anything
> mission critical (beyond hotmail and freecell) on windows is scary.

It's not just the reliance on Windows that's scary.  It's the mindset of the 
industrial controls industry, where the concept of security is perceived as a 
hassle for the end customer, and therefore something to be avoided.

10 years ago, I was developing a data collection and reporting program for the 
aircraft industry. The project suffered from creeping featurism, and one of 
the desired features was adding dialup data exchange, so the collection apps 
could send their data to a central location via modem.  When I asked how much 
security was wanted on the dialup port, I was told that none was necessary 
because no one would ever attack the system, and anyway, the data were not 
interesting to outside parties.  10 years ago, perhaps that was an 
understandable position, though certainly naive.  (I still put in a minimal 
challenge/response layer, if only to discourage the C-64 kids with 
wardiallers.)

A few weeks ago, I sat in on a meeting to talk over design of a TCP/IP 
Ethernet interface for an existing control system.  When I asked what 
security provisions were envisioned for this interface, I was told that the 
system was not intended for deployment on publicly routed network segments, 
so there was no need for any security protocol.

> i know of some fairly large installations running control systems for power
> generation on windows. these same sites then give the vendors access to the
> system via vpn across the internet. sure there are firewalls, but i don't
> have faith in the long-term maintenance of the vendor sites.

I've just returned from an extensive training seminar on OPC controls 
technology.  The acronym stands for "OLE for Process Control", and it's a 
Microsoft-centric technology built on top of DCOM.  At the lower end, OPC 
would let you control a PLC from Excel.  Given the compressed schedule of the 
course (normally three weeks, it was compressed to two for our class) and my 
previous experiences, I didn't try to discuss security at all.  But I noticed 
no authentication layer at all.  Apparently, the security Microsoft natively 
provides for controlling DCOM traffic is all that such an application has 
available.  And as far as I can tell, that would be none.

I suppose I do get a bit of entertainment from the looks on the engineers' 
faces when I bring up threat models and attack scenarios.  Most of them are 
indifferent.  Some are confused.  Some are annoyed.  And one or two have 
understood the threat, but told me that I shouldn't talk to corporate about 
such things because it would make the sales force nervous.

The reactions of sales droids (and even management) have been either dismissive 
(there is no threat) or hostile (I'm the threat).  The most entertaining 
episode was back when UPS was first deploying their DIAD electronic 
clipboard, and I asked what steps were being taken to protect the signature 
data in transit. (There was no protection at all; the signature data were 
retained in the clear and could be dumped by any device that knew the 
protocol. I believe this is still the case.)  That eventually produced a 
regional manager who visited the small company where I was employed.  He was 
visibly irritated that anyone would even ask about such things, and answered 
every threat scenario I presented with "That would never happen!"  He stalked 
off in a huff after I asked him how he would feel if his digitized signature, 
obtained legitimately when he received a package, were to appear at the 
bottom of an incriminating document faxed to his general manager.

Ironically, several of my jobs have included IT duties along with my usual 
engineering tasks.  Those same sales droids and engineers that scoffed at the 
need for security in their industrial controls applications came running to 
me frantically when their workstations became infected with SirCam or Klez.

Security, as Schneier says, is a process.  It's also a mindset, and I think 
one either has the mindset or he doesn't.  And for those that don't have it, 
it is *very* difficult to impart.



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-17 Thread Thomas Shaddack
On Fri, 15 Aug 2003, Harmon Seaver wrote:

> Somehow I have difficulty believing that these people could be so totally lame
> as to be running mission-critical stuff like this on windoze. Please say it
> isn't true.

The Microsoft salesmen know the coercive sales tactics. The clients'
well-being isn't in their interest; their interest is only a new sale.
Hence in their world Windows is suitable for just about everything. By
exploiting psychological tricks, they are able to convince less
technically capable personnel (e.g., the management) of their system's
alleged superiority. Not that different from e.g. car dealers.

A friend some time ago complained about having to ditch a Linux webserver
because his company managers did some special deal with Microsoft which
gave them substantially lower prices if they would run ALL systems
exclusively on Windows. But I forgot the details.

> Is the military also now dependent on windoze?

Some time ago there was a widely publicized incident with Windows NT
controlling a battleship. After a crash the ship had to be towed to
port. Since then it's been known that NT is an acronym for Needs Towing.

> Bizarre, absolutely bizarre.

And somehow entirely unsurprising.

> And here I thought it was probably caused by people with potato guns
> firing tennis balls filled with concrete, attached to coils of wire cable,
> dropping them across the power lines and transformer stations.

The cable will vaporize at the moment the lightning from the power line
hits it, or it will be too heavy to be brought up by anything reasonable.
(You don't even need full contact; getting it to the sparking distance
is enough.) That will trigger the breakers and switch the line off for a few
seconds. But then the power will be switched on again. Then you need to
short it a second time. The wire you used will vaporize as well, but the
breakers won't switch back on the second time; they claim an error, and an
inspection of the power line is required to find the cause of the short before
it can be switched back on, as the electronics then considers the short
circuit to be permanent. (I hope I am right here.) Also be aware of the
danger of the step voltage at the moment the lightning from the power line
hits the ground - you don't want to be anywhere too close, so you will
avoid the potato gun and resort to something safer, e.g. a suitable rocket
engine.

In Colombia, the rebels routinely "dark" the cities by blowing up the high
voltage masts. If the mast is in a difficult-to-access place, it can take
days to build a replacement.

There are thousands of miles of power lines, a good part of them in less
inhabited areas. It is extremely difficult to prevent this kind of attack.
To add insult to injury, the adversary can get hold of the map of the
power transmission networks rather easily - they are in all kinds of
sources, from tourist maps to maps for pilots, and one can get a fairly good
idea about the power feeds to a city by just driving around it with open
eyes. Underground lines exist, but are more expensive, so they are quite
unusual.

However, I'd bet that this affair was a plain old Murphy-based cascade
failure.


On another note, a nice read about the world of energy is Arthur
Hailey's "Overload".



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-17 Thread Sunder
As you probably know by now, there was no lightning strike and the
failure did not start at Niagara.

As for our city's reptile of a Mayor, he claimed power would be back on in
Queens by 11pm.  It wasn't on until 6am Friday.  On Friday night there
were still areas that were down in lower Manhattan.

Certainly, I'd expect whatever FUD explanation to be most profitable to
the NeoCONS to be the eventual reason for the outage, so they can push
USPATRIOT V3.0.1 - the one where they add brown alert to the color scheme.


Of course CON-Ed would say "Blame Canada."  I expect nothing less.

Did anyone catch the Shrubbya interview? I think it was on CNNFN or MSNBC
or one of those neonews channels...  The one where he was busy sweating in
the sun's heat in his blue Armani dress shirt while, his face browned from
the sun, playing golf.  The one where he regurgitated what he had been
spoon fed by his PR guys?  At one instant he shrugged his shoulders as he
said it's an old grid, and it will need to be fixed, and then he went back
to golfing.  Showing how much he cares about the plight of the east coast.



More than likely I suspect the truth is that the grid is indeed outdated
and something simply couldn't handle the load.  Whenever politicians and
bureaucrats are involved, the outcome is the same:


Chief Executive Asshole: "Why should we spend $X million to fix it?  It's
still running?"

Techie: "Because it's running at 95% capacity, and any small spike will
cause a big problem."

CEA: "But it's been fine for the last 20 years, I'd rather keep the cash
and give myself a bonus, and then lay off extraneous employees.  We can
outsource them to India."

Techie: "It's outdated, it will collapse."

CEA: "So what? When it does, if it does, we'll hit Uncle Sam for more
money, meanwhile I have another yacht to purchase.  In any case, it won't
likely collapse while I'm still here, and I'll retire soon enough, not my
problem... and don't let the door hit your ass on your way out.  I don't
want ass prints on my brand new gold plated door."





--Kaos-Keraunos-Kybernetos---
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.\|/
 + v + :   The look on Sadam's face - priceless!   
[EMAIL PROTECTED] http://www.sunder.net 

On Fri, 15 Aug 2003, John Young wrote:

> Are you suggesting the outage was caused by carbon filaments rocketed
> across transmission lines? If that was done at several points in the grid it 
> would account for the various finger-pointing to incidents which are claimed
> to have started the usual-suspect "cascade" of the usual-suspect "antiquated" 
> system that was "not supposed to fail but it did."



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-18 Thread Major Variola (ret)
At 01:50 PM 8/17/03 -0400, Sunder wrote:
>Techie: "It's outdated, it will collapse."

Sometimes it's easier to ask forgiveness after than to ask for permission
before.

Sometimes you have to let the system crash so others see its weakness.

CA often runs within a few percent of available juice during the summer
too. A fire under a transmission line, an unscheduled downage, we can play
dominoes too.



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-27 Thread Ben Laurie
Eric Murray wrote:
> Food for thought and grounds for further research:
> 
> - Forwarded message from "Bernie, CTA" <[EMAIL PROTECTED]> -
> 
> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> Precedence: bulk
> Delivered-To: mailing list [EMAIL PROTECTED]
> Delivered-To: moderator for [EMAIL PROTECTED]
> From: "Bernie, CTA" <[EMAIL PROTECTED]>
> Organization: HCSIN
> To: [EMAIL PROTECTED]
> Date: Fri, 15 Aug 2003 14:09:12 -0400
> Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet 
> Worm'
> Priority: normal
> In-reply-to: <[EMAIL PROTECTED]>
> X-mailer: Pegasus Mail for Windows (v4.11)
> 
> It is ridiculous to accept that a lightning strike could knock 
> out the grid, or the transmission system is over stressed. There 
> are many redundant fault, limit and Voltage-Surge Protection 
> safeguards and related instrumentation and switchgear installed 
> at the distribution centers and sub stations along the Power 
> Grid that would have tripped to prevent or otherwise divert such 
> a major outage. 

Yeah, ridiculous. So who remembers what caused the last major power
outage in NY? (Hint: it wasn't _one_ lightning strike).

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff



Re: [cta@hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

2003-08-27 Thread Sunder
Indeed:

http://www.villagevoice.com/issues/0334/barrett.php
http://www.villagevoice.com/issues/0334/mondo1.php
http://www.villagevoice.com/issues/0334/cotts.php



On Wed, 27 Aug 2003, Ben Laurie wrote:

> Yeah, ridiculous. So who remembers what caused the last major power
> outage in NY? (Hint: it wasn't _one_ lightning strike).