Page 2 of 3, results 11 to 20 of 23

Thread: The Test. Bringing down a network. Need advice.

  1. #11 DeadlyFoez (Junior Member, joined Jul 2009, 42 posts)

    I probably should have titled this thread a little better.

    It's kind of scary to think that if you gain physical access or remote access how easily a network can be brought down.

    "millions in damages", "someone could get killed". Yikes.

    Too bad I don't have a safe environment to try out things like this and try to figure out how to prevent it from happening. My home/office network is all I've got. The only other thing I can do is set up a load of virtual machines and then try an attack like that on my network.

    I've seen it bring my network down to its knees with only 8 devices and very little communication going on from those devices. I could imagine 50 or more machines actually sending data around. Wow.
    If at first you don't succeed, keep sucking until you do suck seed. --Curly

  2. #12 streaker69 (Senior Member, joined Jan 2010, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Quote Originally Posted by DeadlyFoez:
        I probably should have titled this thread a little better.

        It's kind of scary to think that if you gain physical access or remote access how easily a network can be brought down.

        "millions in damages", "someone could get killed". Yikes.

        Too bad I don't have a safe environment to try out things like this and try to figure out how to prevent it from happening. My home/office network is all I've got. The only other thing I can do is set up a load of virtual machines and then try an attack like that on my network.

        I've seen it bring my network down to its knees with only 8 devices and very little communication going on from those devices. I could imagine 50 or more machines actually sending data around. Wow.

    When you're dealing with what's known as 'Control Networks', they're not the same kind of animal as regular networks. The devices on those networks many times can be 20 to 25 years old and have very little memory and very little processing power.

    I have PLCs here that only have 32K of RAM, so there isn't a whole lot of space to load a full TCP/IP stack, and they also don't have powerful processors. Nmap scans can bring these things down almost instantly, and doing that kind of thing in an unknown environment can be disastrous. You have no way of knowing how these devices are going to fail. If the PLC programming isn't written correctly, it could fail to a very dangerous state. Equipment could start or stop without warning, it could run things at the wrong speed, a plethora of bad things could happen.

    Plus, it is not expected that the company's IT department should know much about the control network. IT is generally not in charge of running the control networks, many times those things are setup by System Integrators that have trained Process Control Engineers. The systems are configured and then left to run. People that don't know their configuration shouldn't be mucking around in them.

    There is a current movement to have IT and PC work together and cross train so IT understands process control and PC understands information technology. It is not unusual for IT to not know what the control network is doing. It is also not unusual for management to tell IT that they need access to the control network to get metrics and whatever else management needs to fill their time. This normally leads to bad things happening.

    I had a person on site that was from a system integrator, and he attempted to do a portscan of my control network. Fortunately, my system caught the attempt and killed it before he had a chance to execute it. But if he had, he probably would have taken down 9 PLCs and the entire plant. I told him to leave immediately and that I did not want to see him at my site again. He was then fired from his job just for the potential of causing damage.

    One more point: if you see a fancy display that indicates really cool controls of really big machinery, never think for an instant that they have state of the art equipment. The attached devices out there are probably old; the current cycle for control hardware is around 20 to 30 years, whereas IT lifetime cycles are 3 to 5 years.

    Never ever mess around inside a control network unless you personally are ready to deal with the extreme consequences of millions of dollars lost, hours of lost work time, and the potential of injuring or killing someone.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #13 lupin (Super Moderator, joined Jan 2010, 2,943 posts)

    Quote Originally Posted by streaker69:
        I had a person on site that was from a system integrator, and he attempted to do a portscan of my control network. Fortunately, my system caught the attempt and killed it before he had a chance to execute it. But if he had, he probably would have taken down 9 PLCs and the entire plant. I told him to leave immediately and that I did not want to see him at my site again. He was then fired from his job just for the potential of causing damage.

    The extreme fragility of these networks brings up some very interesting security and liability issues. (Or perhaps scary security and liability issues is a better term.)

    Do you guys have controls in place to prevent idiocy (as described above) spreading from the normal network to the control network? Specifically, things such as firewall separation, IDS/IPS systems to detect/block bad traffic going from one network to the next, induction training of staff telling them not to touch that other network, etc? With the potential for someone to die if the control network is messed with I would say that the company has a potential liability around duty of care if they fail to take adequate precautions to prevent inappropriate access to that network.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  4. #14 streaker69 (Senior Member, joined Jan 2010, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Quote Originally Posted by lupin:
        The extreme fragility of these networks brings up some very interesting security and liability issues. (Or perhaps scary security and liability issues is a better term.)

        Do you guys have controls in place to prevent idiocy (as described above) spreading from the normal network to the control network? Specifically, things such as firewall separation, IDS/IPS systems to detect/block bad traffic going from one network to the next, induction training of staff telling them not to touch that other network, etc? With the potential for someone to die if the control network is messed with I would say that the company has a potential liability around duty of care if they fail to take adequate precautions to prevent inappropriate access to that network.

    There's currently a movement to start implementing these kinds of controls. Traditionally SCADA systems were disconnected from everything else, but more and more they're getting connected, and many times that cannot be helped.

    I do have some controls in place here to prevent such idiocy. The guy that attempted a port scan was stopped by my AV software detecting a rogue program attempting to run, which in turn immediately sent me an email about the issue. I have flood controls built into my switches so that constant packet flow cannot exceed a certain amount. If a port starts to flood, the switch turns blocking on for that port.

    My staff is very good here as well; they know that they are not to mess with anything, because they know if something happens I will know what happened and I will be able to trace it back to them.

    IDS/IPS you have to be careful with. It has to be totally passive to the rest of the network, as any good system should be. I have been working on building a custom SCADA type IDS system.

    Whenever there are contractors on site, I'm there to monitor what they do; no one touches any piece of network equipment anywhere without my prior knowledge and consent. I'm one of the rarities in this field: I do both IT and PC, and try to apply the best practices of both worlds and mesh them together to form a robust functioning network.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
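The switch-side flood control described in the post above (a port whose packet rate climbs past a ceiling gets blocked, and is only put back in service once it has quietened down) is normally a hardware feature, but its logic is small enough to model. The following is an added example, not code from this thread or from any switch vendor: a software model of per-port storm control replayed over constructed per-second packet-rate samples, so the two thresholds and the release behaviour can be reasoned about. The port names, thresholds and sample rates are made up for illustration.

```python
"""Per-port flood (storm) control, modelled in software.

Added example, not code from the thread or from any switch vendor: it mimics
the behaviour described in the post (a port whose ingress rate exceeds a
ceiling is blocked, and is released only after it stays quiet for a while).
Port names, thresholds and sample rates below are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class PortState:
    blocked: bool = False
    quiet_intervals: int = 0  # consecutive samples under the release rate


@dataclass
class StormControl:
    block_pps: int            # ingress rate (packets/s) that triggers blocking
    release_pps: int          # rate the port must stay under to be released
    release_intervals: int    # consecutive quiet samples needed before release
    ports: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # (t, port, "BLOCK"/"RELEASE", pps)

    def observe(self, port: str, pps: int, t: int) -> bool:
        """Feed one per-second ingress sample; return True if the port is blocked afterwards.

        Hysteresis matters: a port is released only after release_intervals
        consecutive samples below release_pps, so a flood that briefly pauses
        does not flap the port open and shut.
        """
        st = self.ports.setdefault(port, PortState())
        if not st.blocked:
            if pps >= self.block_pps:
                st.blocked = True
                st.quiet_intervals = 0
                self.events.append((t, port, "BLOCK", pps))
        elif pps < self.release_pps:
            st.quiet_intervals += 1
            if st.quiet_intervals >= self.release_intervals:
                st.blocked = False
                self.events.append((t, port, "RELEASE", pps))
        else:
            st.quiet_intervals = 0  # still flooding: restart the quiet count
        return st.blocked


# Constructed samples: (t, port, ingress packets per second).
# Gi1/0/7 is a PLC chattering at a steady 40 pps; Gi1/0/12 is a laptop port
# that starts a scan-style flood at t=2 and stops at t=4.
SAMPLES = [
    (0, "Gi1/0/7", 40), (0, "Gi1/0/12", 30),
    (1, "Gi1/0/7", 40), (1, "Gi1/0/12", 30),
    (2, "Gi1/0/7", 40), (2, "Gi1/0/12", 12000),
    (3, "Gi1/0/7", 40), (3, "Gi1/0/12", 9000),
    (4, "Gi1/0/7", 40), (4, "Gi1/0/12", 200),
    (5, "Gi1/0/7", 40), (5, "Gi1/0/12", 150),
    (6, "Gi1/0/7", 40), (6, "Gi1/0/12", 100),
    (7, "Gi1/0/7", 40), (7, "Gi1/0/12", 30),
]


def run(samples=SAMPLES, block_pps=5000, release_pps=500, release_intervals=3):
    """Replay samples through the controller; return (events, final blocked state per port)."""
    sc = StormControl(block_pps, release_pps, release_intervals)
    for t, port, pps in samples:
        sc.observe(port, pps, t)
    return sc.events, {p: s.blocked for p, s in sc.ports.items()}


if __name__ == "__main__":
    events, state = run()
    for t, port, what, pps in events:
        print(f"t={t}s {port}: {what} at {pps} pps")
    print("final:", state)
```

The two thresholds are deliberately far apart: a port is blocked at 5000 pps but must sit under 500 pps for three consecutive samples before it is released, which is what keeps a flood that pauses for a second from flapping the port. The PLC port never comes near the ceiling, so normal chatter from the old devices the thread describes is untouched.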

  5. #15 Gitsnik (Very good friend of the forum, joined Jan 2010, location: The Crystal Wind, 851 posts)

    streaker has some scarier setups than my piddling little story, but one that is a favourite of mine is a little less lethal than his.

    Rather recently (past 6 months) I came across an open wifi network attached to a control network for one of the bigger wine companies in the area. Having a dig around as part of the test (being onsite to secure things that need securing rather than a full blown pentest), I noticed some web pages, unsecured and unencrypted.

    Basically, these pages controlled the vats - including a wonderful button that said "Purge".

    Ok so I couldn't have killed anyone accidentally with this, but 12 of those vats had a few units of very high quality wine in them. One purge would have been enough to bankrupt that company. If I hadn't known what the systems were, and had just clicked the button...
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  6. #16 streaker69 (Senior Member, joined Jan 2010, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Quote Originally Posted by Gitsnik:
        streaker has some scarier setups than my piddling little story, but one that is a favourite of mine is a little less lethal than his.

        Rather recently (past 6 months) I came across an open wifi network attached to a control network for one of the bigger wine companies in the area. Having a dig around as part of the test (being onsite to secure things that need securing rather than a full blown pentest), I noticed some web pages, unsecured and unencrypted.

        Basically, these pages controlled the vats - including a wonderful button that said "Purge".

        Ok so I couldn't have killed anyone accidentally with this, but 12 of those vats had a few units of very high quality wine in them. One purge would have been enough to bankrupt that company. If I hadn't known what the systems were, and had just clicked the button...

    Sounds like you stumbled upon a WebHMI system, which IMO is incredibly dangerous to have. We purchased WebHMI licenses for our software and I had it implemented for exactly 1 day before I killed it off. I couldn't verify that it was safe to use.

    You may have missed an important point though. You probably pointed out that it was dangerous for them to have those pages open, but did you also realize that chances are, there wasn't any verification if that function should run when pressed? Like "Are you sure you really want to purge the wine and lose your job?"

    I've found that many functions that are not necessarily dangerous but are financially troublesome don't have any verification that the function should run.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
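The check the post above says was probably missing (a dangerous HMI function that fires the moment the button is pressed, with nothing verifying who pressed it or whether they meant to) can be written down as a small service. The following is an added example, not this thread's code or any WebHMI vendor's: a two-step confirm flow in which a purge is executed only when an authorised role requests it and the same user then confirms, within a short window, with a one-time token bound to the same target. The role names, the action name, the token lifetime and the vat identifiers are assumptions made up for illustration.

```python
"""Two-step confirmation for a dangerous HMI action.

Added example, not code from the thread or from any HMI product. It models
the check the post says was probably missing: an action such as "purge" is
executed only when (1) an authorised role requests it and (2) the same user
confirms with a one-time, short-lived token bound to the same target.
Role names, the action, the token lifetime and the vat names are assumptions.
"""
import secrets
import time


class HmiActionService:
    ALLOWED_ROLES = {"operator", "supervisor"}  # assumed roles permitted to purge
    TOKEN_TTL = 30.0  # seconds a confirmation token stays valid (assumed)

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # token -> (user, action, target, issued_at)
        self.executed = []   # (action, target) actually carried out
        self.audit = []      # (user, action, target, outcome)

    def request(self, user: str, role: str, action: str, target: str) -> str:
        """Step 1: an authenticated user asks for a dangerous action.

        Nothing happens to the plant here; the caller gets a one-time token
        that the UI presents as the "Are you sure?" prompt.
        """
        if role not in self.ALLOWED_ROLES:
            self.audit.append((user, action, target, "DENIED"))
            raise PermissionError(f"{user} ({role}) may not {action} {target}")
        token = secrets.token_urlsafe(16)
        self._pending[token] = (user, action, target, self._clock())
        self.audit.append((user, action, target, "PENDING"))
        return token

    def confirm(self, user: str, token: str, target: str) -> bool:
        """Step 2: the same user confirms the same target within TOKEN_TTL.

        The token is removed on first use whatever the outcome, so a replayed
        or mismatched confirmation can never fire the action later.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            self.audit.append((user, "?", target, "REJECTED:unknown-token"))
            return False
        owner, action, tgt, issued = entry
        if owner != user or tgt != target:
            self.audit.append((user, action, target, "REJECTED:mismatch"))
            return False
        if self._clock() - issued > self.TOKEN_TTL:
            self.audit.append((user, action, target, "REJECTED:expired"))
            return False
        self._execute(action, target)
        self.audit.append((user, action, target, "EXECUTED"))
        return True

    def _execute(self, action: str, target: str) -> None:
        """Stand-in for the call down to the controller; here it only records the action."""
        self.executed.append((action, target))


def demo():
    """Constructed walk-through: one proper purge, one replay, one unauthorised user."""
    svc = HmiActionService()
    token = svc.request("alice", "operator", "purge", "vat-07")
    first = svc.confirm("alice", token, "vat-07")    # True: proper two-step
    replay = svc.confirm("alice", token, "vat-07")   # False: token already spent
    try:
        svc.request("bob", "viewer", "purge", "vat-07")
        denied = False
    except PermissionError:
        denied = True
    return first, replay, denied, list(svc.executed)


if __name__ == "__main__":
    print(demo())
```

Spending the token on every failed confirm is deliberate: a mismatched user or target invalidates it rather than leaving it live for a second try, and every request, confirm and rejection lands in the audit list so the trail the thread talks about (knowing who did what) exists whether or not the action ran. The clock is injectable only so the expiry rule can be exercised without waiting.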

  7. #17 Gitsnik (Very good friend of the forum, joined Jan 2010, location: The Crystal Wind, 851 posts)

    Quote Originally Posted by streaker69:
        You probably pointed out that it was dangerous for them to have those pages open, but did you also realize that chances are, there wasn't any verification if that function should run when pressed? Like "Are you sure you really want to purge the wine and lose your job?"

    I did notice this but didn't articulate it well enough in my post ("unsecured and unprotected").

    The main problem I come across when dealing with control systems is, as you would expect, the user. The average worker doesn't want to have to click yes every time so the feature is stripped out.

    From an old ticket I have here:
        I'm not f***ing stupid. If I click the god-damned button I want the thing to flaming work, not f**k me around

    I have said it before and I will say it again: never underestimate the power of human stupidity. The scary thing is when the CEO gets on board, and what do you do about that?

    One more reason to be very careful before contracting oneself out for pentests, and another solid reason to never, ever, say yes to a DoS attack request.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  8. #18 imported_vvpalin (Member, joined Apr 2009, 442 posts)

    Quote Originally Posted by Gitsnik:
        The average worker doesn't want to have to click yes every time so the feature is stripped out.

    I always click yes.

    Free security scan SURE!, I won some money from the president of Nigeria SWEET!, Accept this SSL certification NOT A PROBLEM!, You need me to install this application so I can access my Gmail YOU GOT IT BUDDY!, Want me to give you my social so you can verify what version of Windows I'm running OF COURSE!, What's that, I need to disable my firewall so I can access icanhazrootnow.com DONE!
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  9. #19 streaker69 (Senior Member, joined Jan 2010, location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, 3,535 posts)

    Quote Originally Posted by Gitsnik:
        The main problem I come across when dealing with control systems is, as you would expect, the user. The average worker doesn't want to have to click yes every time so the feature is stripped out.

    This is something that was discussed at a conference I was just at this week. We need to start changing the culture of the people that are working with the systems to make them more aware of security and safety issues. It's gonna be an uphill battle, but things will be better if we can start having people work more intelligently.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  10. #20 DeadlyFoez (Junior Member, joined Jul 2009, 42 posts)

    Out of curiosity, besides lost time and damage to PLCs, how else can a DoS cause so much money in damages?

    I would figure that the most that they would need to do is reset or restart all affected devices. Maybe a little lost data, but I can't see damages going into the millions of dollars.

    Please explain.
    If at first you don't succeed, keep sucking until you do suck seed. --Curly

