ISGroup

ScadaExposure in the press: SonntagsZeitung and Le Matin Dimanche articles!

Florian Imbach, journalist from the investigative team of SonntagsZeitung and Le Matin Dimanche in Berne, published a really interesting article featuring ScadaExposure.

The text is about the current state of SCADA/ICS security in Switzerland and contains various meaningful examples of actual vulnerable/exposed devices. A French version is also available in the Le Matin Dimanche newspaper.

You can read an extract of the articles on the links below:

SonntagsZeitung http://www.sonntagszeitung.ch/fokus/artikel-detailseite/?newsid=268454

Le Matin Dimanche http://www.lematin.ch/suisse/suisse-installations-merci-hackers/story/22376581

ScadaExposure is the first observatory on the exposure of SCADA devices on public networks. Our methodology and data can be freely accessed, and we are always looking for improvements and suggestions; feel free to contact me on LinkedIn (Francesco Ongaro <ongaro.f@gmail.com>) or Twitter (https://twitter.com/ISGroupSRL). Your feedback is greatly appreciated!

ISGroup, Security Research

Scada Exposure released! Scada Internet Exposure 2013-11

ScadaExposure is the first attempt to create a permanent observatory on the presence of overexposed SCADA gear. The project is a collaborative effort of Francesco Ongaro and Gianluca Pericoli, aimed at building an open framework for SCADA exposure benchmarking. Knowing the up-to-date index of exposed ICS devices allows us to answer many questions of public interest.

Get the Scada Internet Exposure 2013-11 report

Our goal is to obtain fresh data (exposed/vulnerable devices) from public search engines like Shodan and Google and categorize it around three main dimensions: the Temporal axis, the Geographical axis and our Taxonomy.

Temporal axis

Each dataset belongs to a release that refers to a specific point in time. Our first release is the November 2013 one.

  • Is SCADA exposure higher or lower than before?
  • Is the current awareness and effort level effective in order to secure private and critical infrastructures?

Geographical axis

Results are separated by country. The first release includes Switzerland, Italy and the World.

  • Is a country more exposed than another?
  • How is a country relatively exposed? (Indexed devices VS Scada devices)
  • How is a country relatively exposed compared to the world? (Country Scada devices VS World Scada devices)
  • How is a country relatively exposed compared to another country?

Taxonomy

ScadaExposure’s taxonomy is a hierarchy of Vendors, Products and Product versions. Every search query (“dork”) is linked to a Product Version, a Product or a Vendor, or can be generic. Products belong to two categories, Systems and Devices, as described by the Glossary.

  • What is the most exposed vendor?
  • What is the most exposed product?
  • What is the most exposed system type or device class?
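The three axes above (Temporal, Geographical and Taxonomy) boil down to a small set of aggregations over hits returned by dorks. The following is an added example written for this page, not ScadaExposure's own code or data: it models each dork hit as a record carrying release, country and taxonomy fields, then answers the questions listed above (relative exposure as exposed hosts per million indexed hosts, country share of the World total, most exposed vendor/product/version, and the change between two releases). The `Hit` records, vendor and product names, dork strings and `INDEXED` totals are all constructed sample values.

```python
"""Toy exposure index over a ScadaExposure-style dataset (constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    release: str   # temporal axis, e.g. "2013-11"
    country: str   # geographical axis (ISO 3166 alpha-2); "World" is derived, not stored
    vendor: str    # taxonomy: vendor > product > version
    product: str
    version: str
    dork: str      # the search query that produced the hit
    count: int     # number of exposed hosts matched by the dork


# Constructed sample hits, not ScadaExposure's real data.
HITS = [
    Hit("2013-11", "CH", "VendorA", "HMI-1", "2.0", 'title:"HMI-1 login"', 120),
    Hit("2013-11", "CH", "VendorB", "PLC-X", "1.3", "PLC-X web", 30),
    Hit("2013-11", "IT", "VendorA", "HMI-1", "2.0", 'title:"HMI-1 login"', 450),
    Hit("2013-11", "IT", "VendorB", "PLC-X", "1.3", "PLC-X web", 200),
    Hit("2013-11", "DE", "VendorA", "HMI-1", "2.1", 'title:"HMI-1 login"', 900),
    Hit("2014-05", "CH", "VendorA", "HMI-1", "2.0", 'title:"HMI-1 login"', 90),
    Hit("2014-05", "CH", "VendorB", "PLC-X", "1.3", "PLC-X web", 45),
]

# Total hosts the search engine indexes per (release, country), constructed;
# this is the denominator for "Indexed devices VS Scada devices".
INDEXED = {
    ("2013-11", "CH"): 300_000,
    ("2013-11", "IT"): 1_000_000,
    ("2013-11", "DE"): 3_000_000,
    ("2014-05", "CH"): 320_000,
}


def scada_devices(hits, release, country=None):
    """Sum exposed hosts for a release; country=None means the whole World."""
    return sum(h.count for h in hits
               if h.release == release and (country is None or h.country == country))


def relative_exposure(hits, indexed, release, country):
    """Exposed SCADA hosts per million indexed hosts in that country."""
    return 1_000_000 * scada_devices(hits, release, country) / indexed[(release, country)]


def share_of_world(hits, release, country):
    """Country SCADA devices as a fraction of World SCADA devices."""
    return scada_devices(hits, release, country) / scada_devices(hits, release)


def most_exposed(hits, release, level):
    """Top taxonomy node ('vendor', 'product' or 'version') by exposed hosts."""
    totals = Counter()
    for h in hits:
        if h.release == release:
            totals[getattr(h, level)] += h.count
    node, count = totals.most_common(1)[0]
    return node, count


def trend(hits, country, old, new):
    """Temporal axis: change in exposed hosts for a country between two releases."""
    return scada_devices(hits, new, country) - scada_devices(hits, old, country)


if __name__ == "__main__":
    for cc in ("CH", "IT", "DE"):
        print(cc, "per-million:", relative_exposure(HITS, INDEXED, "2013-11", cc),
              "share of World: %.3f" % share_of_world(HITS, "2013-11", cc))
    for level in ("vendor", "product", "version"):
        print("most exposed", level, most_exposed(HITS, "2013-11", level))
    print("CH trend 2013-11 -> 2014-05:", trend(HITS, "CH", "2013-11", "2014-05"))
```

Normalising by indexed hosts is what makes two countries of very different size comparable; the raw count alone would always rank the larger country as "more exposed".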


We would love to know your reaction (scadaexposure@isgroup.it)!

The project is sponsored by the security company ISGroup SRL.

ISGroup

Fastweb, the worst possible commercial experience

Summer 2013, Verona, right in the historic centre: near the office they install a Fastweb manhole with its cabinet (about 100 metres away). For some time the website seemed to show FW Fibre coverage, but that was a clear signal… Damned manhole. So I decide to call the call centre and check whether it is actually possible to get this technology.

After countless reassurances in response to more than explicit questions (“Are we sure it’s FW Fibre?”, or “We don’t want ADSL, we already have a Telecom line”, or again “We are not interested in ADSL now and fibre later, we activate only if fibre is available right away”) I am convinced and place the order. Thanks to a good dose of caution, dictated by the fact that connectivity is essential in the office, I ask for the activation of a new line, separate from Telecom, avoiding disaster.

Right on schedule, a perfectly ordinary ADSL line is activated, completely useless for our purposes, with less bandwidth and more latency than Telecom.

Here is the result:

No Fastweb, we don’t want to pay for an ADSL line at 25€ a month (incidentally, more than we pay now) for 12 months, instead of 45.37€, and then hope that within six months it gets converted to fibre so you can amortise your costs.

Too much eagerness to sell, unclear offers (evidently also for commercial partners and people working inside the company) and a non-existent right of withdrawal.

Maybe it happened only to us, maybe we were lucky; to date no answer from Fastweb, which wins the worst experience ever with a connectivity provider.

Francesco Ongaro,
ISGroup SRL

Update of 8 October 2013: At http://comp[..]matori/ one reads “The Regulation provides that, before turning to the ordinary courts, the user makes a mandatory attempt at conciliation with the operator.”. You can also download the PDF of the memorandum of understanding at http://www.fas[..]ne.pdf. We contacted the Unione Nazionale Dei Consumatori (http://www.consumatori.it/) via online form, the AECI (https://www.faceb[..]Lazio) via Facebook, and other associations. We will update the list as we receive answers.

Update of 9 October 2013: I am contacted again by customer support, who tell me that one item on the invoice (the one for “Importo per dismissione servizi FASTWEB”, 78.60 Euro) is not correct, since we exercised the right of withdrawal, and was charged by mistake (!?). The operator states that she is not in contact with the legal department, let alone able to take decisions case by case, so I wonder why the item was there in the first place. How many others paid it without blinking, perhaps in our same situation, is impossible to know. It is surely an isolated error.

The amount for “Addebito costo attivazione per recesso anticipato” of 119.00, on the other hand, is according to Fastweb legitimate, since I cancelled before 24 months (two years!). I wonder how a user can exercise the right of withdrawal within 10 days but then only after a period of 24 months (logic seems forgotten).

I ask for the legal department’s number but she “can’t”, “won’t” and then “doesn’t know” how to give it to me; it is up to the consumer associations and my lawyer to find it out.

The modem cannot be returned according to phone support, too bad Fastweb sent me an SMS saying the opposite. Unable to trust any information given to us, we will try to return the modem (who knows how it will end!).

Fastweb, we don’t want discounts, we want to be able to withdraw at no cost from a service we never requested, about which your operators gave us wrong information (will it all be their fault?). My intention is to keep you updated on this affair and to share how much time and money in legal fees is needed to re-establish one’s consumer rights against Fastweb.

Conferences

Sniffing the innocent (HackItaly outcome #2)

Hack the hacker is fair game at conferences, especially when some ethics and a formative objective are mixed in. If you read the last post you know “who”, “when”, “where” and “why”. Now it’s time for “what”.

This post is about developers who will code the applications of tomorrow, full of the bugs of yesterday, injections and logical bugs, wide open to attacks. This is a post about users, who will fill such applications’ backends with all sorts of personal information. In the meantime somebody enjoyed exploiting the developers of today with last-century attack vectors in order to save the unaware users of tomorrow’s applications. Perhaps.

Conferences

Aruba networks log parser (HackItaly outcome #1)

Before escaping a high-pressure itsec routine with a week of vacation in Mallorca, on 19-21 July I went to a nice meeting in Venice, called HackItaly, on Walter Franchetti’s suggestion. More than a hacking conference, it’s a meeting of young Web-2.0/Mobile-App developers. Words apart (and Words matter) there was some nice human capital and I met people who would perfectly fit in a Security Research Team as juniors, if only they were not trying to build a future pulling pants to investors. And you know, especially in the myopic Italy, investors are those who pull pants down to young human material.

Anyway, in this jungle of Facebook, API, Responsive CSS, JSON and Non-Relational Databases I found somebody who was speaking a language more similar to mine, the tech guy of H-Farm, Marco, who was fighting against the crowd to provide a decent service. In the end, while everybody was busy developing for the day-after contest, we spent our night in front of 80×24 xterms, setting up some infrastructure machines, sniffing passwords (no offence to SSL, there are still people who do clear-text auths) and building a syslog server for the Aruba Networks infrastructure.

So, here’s a little Perl parser https://github.com/isgroup-srl/aruba-logparse for the ugly format sent by these expensive devices to our rsyslogd. It could be easily extended with some “action” callbacks (maybe using a hash of anonymous functions?). If you ask, I have no idea why Parse::Syslog was not working well with File::Tail, so we had to surrender and use a regexp (at least not a POSIX one, thanks Perl/PCRE!).

In the end, if you feel that this development world falls short, why not apply to join a security research team? We are USH, an ethical, non-commercial, no-bullshit, under-hype but definitely kick-ass group of individuals. We are the Jargon, we are the Manifesto, and we do hack.
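The "regexp plus a hash of callbacks" design sketched above, as an added example: this is Python rather than the Perl of the linked repository, and it is not code from aruba-logparse or from Aruba Networks. A single regular expression splits the BSD-syslog header (PRI, timestamp, host, tag, pid) from the message body, the body is reduced to an event name plus key=value pairs, and a dispatch table maps event names to lists of callbacks, so adding an "action" is one `on()` call. The sample lines, the `authmgr`/`stm` tags and the `AUTH_FAIL`/`AUTH_OK`/`ASSOC` event names are constructed for this example in a generic syslog shape; they are not the real controller format.

```python
"""Syslog line parser with a callback dispatch table (constructed example)."""
import re
from collections import Counter, defaultdict

# RFC 3164-style header: "<PRI>Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Body shape assumed here (constructed): "<EVENT> key=value key=value ...".
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample feed; not real Aruba controller output. The last line
# is deliberately malformed to exercise the unparsed path.
SAMPLE = """\
<134>Jul 20 23:41:02 ctrl-01 authmgr[2211]: AUTH_FAIL user=alice mac=00:11:22:33:44:55 ap=ap-07 reason=bad_password
<134>Jul 20 23:41:05 ctrl-01 authmgr[2211]: AUTH_FAIL user=alice mac=00:11:22:33:44:55 ap=ap-07 reason=bad_password
<134>Jul 20 23:41:09 ctrl-01 authmgr[2211]: AUTH_FAIL user=alice mac=00:11:22:33:44:55 ap=ap-07 reason=bad_password
<134>Jul 20 23:41:12 ctrl-01 authmgr[2211]: AUTH_OK user=bob mac=66:77:88:99:aa:bb ap=ap-03
<14>Jul 20 23:42:00 ctrl-01 stm[1900]: ASSOC mac=66:77:88:99:aa:bb ap=ap-03 ssid=hackitaly
this line is not syslog at all
""".splitlines()


def parse_line(line):
    """Return header fields plus 'event' and its key/value 'fields', or None if unparsable."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)   # PRI = facility*8 + severity
    event, _, rest = rec.pop("msg").partition(" ")
    rec["event"] = event
    rec["fields"] = dict(KV_RE.findall(rest))
    return rec


class Dispatcher:
    """Event name -> list of callbacks; the 'hash of anonymous functions' idea."""

    def __init__(self):
        self.actions = defaultdict(list)

    def on(self, event, func):
        self.actions[event].append(func)
        return self

    def feed(self, lines):
        """Parse every line, run the callbacks registered for its event. Returns (handled, unparsed)."""
        handled = unparsed = 0
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                unparsed += 1
                continue
            for func in self.actions.get(rec["event"], ()):
                func(rec)
            handled += 1
        return handled, unparsed


def auth_failure_report(lines, threshold=3):
    """Users with at least `threshold` AUTH_FAIL events, as {user: count}."""
    fails = Counter()
    Dispatcher().on("AUTH_FAIL", lambda r: fails.update([r["fields"].get("user", "?")])).feed(lines)
    return {user: n for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    d = Dispatcher()
    d.on("ASSOC", lambda r: print("client", r["fields"]["mac"], "joined", r["fields"]["ssid"], "on", r["fields"]["ap"]))
    d.on("AUTH_FAIL", lambda r: print("auth failure for", r["fields"]["user"], "at", r["ts"]))
    print("handled/unparsed:", d.feed(SAMPLE))
    print("repeated failures:", auth_failure_report(SAMPLE))
```

Keeping the parse step separate from the actions means a bad line costs one counter increment instead of a crash in a callback, which is what you want from something fed by `File::Tail`-style tailing around the clock.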

Bye,
ascii
ascii@ush.it

Security Community

How to not do a live-hacking reportage

Today, while reading ITSEC news (we publish only a fine selection of them on www.metasploit.it), an article caught our interest: it was a television reportage about a live-hacking session performed by a security company called Compass Security AG (http://www.csnc.ch/en/) for one of their SCADA customers. This type of marketing material is always entertaining, but this was more entertaining than average! The video is available at http://media.hacking-lab.com/movies/10-vor-10-hacking-wasserkraftwerk/ and has already been broadcast. Take a look at the following frame.

Nmap, as featured in TV

Noticed nothing? Err.. Is that public address space?

Well, it’s clearly not a wise move to publish a routable IP address, belonging to a customer infrastructure and probably the command center for their SCADA gear, together with its open port information (5900/tcp open VNC)! It looks like a clear call to arms for any random cracker who wants to burn some bits over his internet pipe! For the most careful watchers: surely you noticed the Siemens logo in a background browser window and, below it, a “Servlet login” link.

The nmap terminal is a journalism classic: as seen in movies, unreadable green characters on a dark background are able to make the ITSEC illiterate’s fantasies run wild. But a security company leaking data? In its own marketing video? Leaking data is the customer’s role!

$ whois 46.14.XXX.XX

% Information related to '46.14.0.0 - 46.14.255.255'
% Abuse contact for '46.14.0.0 - 46.14.255.255' is 'abuse.sme@swisscom.com'

inetnum: 46.14.0.0 - 46.14.255.255
netname: CH-CYBERNET-20100928
descr: Swisscom (Schweiz) AG
country: CH
org: ORG-CA5-RIPE
admin-c: SG7777-RIPE
admin-c: CHCN1-RIPE
tech-c: CHCN1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: SUNWEB-MNT
mnt-routes: SUNWEB-MNT
mnt-domains: SUNWEB-MNT
source: RIPE # Filtered

The IP belongs to a /16 netblock managed by Swisscom AG, and a reverse lookup tells us that they are static IP customers (perhaps single-IP ADSLs?).

$ nmap 46.14.XXX.XX -p 5900-6000 -PN

Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-03 14:25 CEST
Nmap scan report for cust.static.46-14-XXX-XX.swisscomdata.ch (46.14.XXX.XX)
Host is up (0.091s latency).
Not shown: 100 filtered ports
PORT STATE SERVICE
5900/tcp open vnc

Nmap done: 1 IP address (1 host up) scanned in 3.60 seconds

The VNC service is still there, so now we have a better idea about the technique used to penetrate that SCADA dashboard.

$ vncviewer 46.14.XXX.XX
Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:

Better to stop here :)

Thanks for leaking our address space!

Thanks for leaking our data!

We have no idea whether that IP is an actual customer’s or belongs to a honeypot. In the first case the Penetration Test was not very successful, as the customer did not follow the remediation plan by fixing its vulnerability correctly; exposing administrative interfaces, especially VNC services, to the Internet is a really bad idea. In the second case we are happy to throw more data to the analyst!
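Both lessons of this post (administrative services such as VNC must not be reachable from routable address space, and a customer address must not survive into published material) can be turned into a routine check on scan output. The following is an added example written for this page, not code from the original post, from Compass Security or from ISGroup: it parses nmap normal-output text of the kind shown above, flags open administrative ports on hosts outside RFC 1918, loopback and link-local space, and redacts IPv4 addresses the way the post does (46.14.XXX.XX) before a transcript or screenshot goes out. The sample report, the host name `hmi.example.net` and all addresses are constructed; `203.0.113.7` is a TEST-NET-3 address standing in for a public one, and the "routable" test here is simply "not in a well-known internal range".

```python
"""Flag exposed admin services in nmap output and redact addresses before publishing (constructed example)."""
import ipaddress
import re

# Well-known non-routable ranges; anything else is treated as routable here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10",                            # IPv6 ULA, link-local
)]

# Administrative interfaces that should never face the Internet unprotected.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp"}
ADMIN_PORTS.update({p: "vnc" for p in range(5900, 5910)})

# nmap normal-output lines: "Nmap scan report for name (ip)" or "... for ip",
# followed by "PORT/proto STATE SERVICE" rows.
REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[0-9a-fA-F.:]+)\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Constructed report in the same layout as the post's transcript; not a real scan.
SAMPLE_REPORT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-03 14:25 CEST
Nmap scan report for hmi.example.net (203.0.113.7)
Host is up (0.091s latency).
Not shown: 98 filtered ports
PORT     STATE SERVICE
443/tcp  open  https
5900/tcp open  vnc

Nmap scan report for 10.20.30.40
Host is up (0.0010s latency).
Not shown: 99 closed ports
PORT     STATE SERVICE
5900/tcp open  vnc

Nmap done: 2 IP addresses (2 hosts up) scanned in 3.60 seconds
"""


def is_routable(ip):
    """True unless the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_admin_services(report):
    """Open administrative ports on routable hosts, as a list of findings."""
    findings = []
    host = ip = None
    for line in report.splitlines():
        m = REPORT_RE.match(line)
        if m:
            ip = m.group("ip")
            host = m.group("name") or ip
            continue
        m = PORT_RE.match(line)
        if m and ip and m.group("state") == "open":
            port = int(m.group("port"))
            if port in ADMIN_PORTS and is_routable(ip):
                findings.append({"host": host, "ip": ip, "port": port,
                                 "service": m.group("service"),
                                 "why": ADMIN_PORTS[port] + " reachable from routable space"})
    return findings


def redact_ips(text):
    """Mask the last two octets of every IPv4 address, as in '46.14.XXX.XX'."""
    return re.sub(r"\b(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}\b", r"\1.\2.XXX.XX", text)


if __name__ == "__main__":
    for f in exposed_admin_services(SAMPLE_REPORT):
        print("FINDING:", f)
    print(redact_ips(SAMPLE_REPORT))
```

The internal host with VNC open is deliberately not reported: the check is about exposure to the Internet, not about VNC as such, and the same report run through `redact_ips` is what should reach a slide deck or a camera.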

Uncategorized

Ethical Hacking

Who protects your corporate network?
Many do not address the security problem correctly. Do you?

ISGroup Srl is an independent organisation specialised in IT Security, able to offer high-quality information security services and products. ISGroup is the ideal partner to protect your business by managing the risks related to unauthorised access to computer systems, disloyal employees and unfair competitors.

“Know your enemy, know yourself”
Sun Tzu – The Art of War

Our offering focuses on a few, well-defined services of high quality.

Contact us today to discuss your needs!


The term “white hat” in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization’s information systems. Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. White-hat hackers may also work in teams called “sneakers”, red teams, or tiger teams.

https://en.wikipedia.org/wiki/White_hat_(computer_security)
