Post on 15-Mar-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: “We are not winning. I do not think we are winning · “We are not winning. I do not think we are winning globally, and I think this nature of crime is rising ... keylogger: Predator
Page 2

“We are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially”.

Commissioner Leppard, City of London Police (2014)

Page 3
Page 4

Insider Threat (2): Righteous?

Page 5

Understanding the Threats

Tutorial on the Cybersecurity of Safety-Critical Systems

Prof. Chris Johnson,

School of Computing Science, University of Glasgow, Scotland.

http://www.dcs.gla.ac.uk/~johnson

Page 6

Schedule

First Briefing

Understanding the Threats

Detailed patterns of attack.

Second Briefing

What can be done?

Protection, forensics and recovery.

Third Briefing

More detailed case studies…

Securing space-based assets.

Page 7

Sanity Check…

• This is only an initial overview…

Page 8
Page 9
Page 10

Previously…

Consultant with ANSPs in Austria, Belgium, China, Croatia, Cyprus, Denmark, Estonia, Germany, Hungary, Ireland, Israel, Luxembourg, Malta, Norway, Portugal, Slovakia, Slovenia, Spain, Switzerland, Turkey, UK etc.

Page 11

SESAR, EASA and the Future of Aviation?

Page 12

Cybersecurity Expert for UN CBRN Inspectors

Page 13

Cybersecurity Consultant to EDF

Page 14

Cybersecurity Consultant to SESAR JU

Page 15

Overview

• Nature of the Threats:

– Insider attacks;

– Crowdsourcing and Hacktivism;

– Social Attacks and Spear Phishing;

– Certification attacks; Configuration Attacks;

– Command and Control Servers,

– Stuxnet; Sniffers…

• Next: What Can We Do?

Page 16

Aim is to Provoke Discussion...

• Recent trends in ATM Engineering.

• Increasing complexity in software networks:

– Leads to more complex failure modes.

• Increasing use of COTS products:

– Leads to new security threats.

• Increasing use of sub-contractors.

Copyright C.W. Johnson, 2014

Page 17

The Future: SESAR Delivery Manager

Page 18

Is SESAR A Threat to Cybersecurity?

Page 19

Aging, Complex Critical Infrastructures...

Page 20

http://www.iaa.ie/files/2008/news/docs/20080919020223_ATM_Report_Final.pdf

Page 21

The Real Impact

• "The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers,"

Michael O'Leary, CEO Ryanair

Page 22

The Real Impact

• "The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers,"

• "Send the buggers to Shannon, if it was a commercial company they would have done so”

Michael O'Leary, CEO Ryanair

Page 23

The Real Impact

• “They're not on top of the job. We're talking about 25 arrivals and departures per hour. The air traffic controllers should be capable of handling this volume of flights”.

Michael O'Leary, CEO Ryanair

http://www.herald.ie/news/oleary-more-disruption-if-iaa-doesnt-clean-up-act-1431408.html

Page 24
Page 25

Need ATM Engineering Incident Exchange

• Fault stems from Salt Lake City:

– hardware fault on router circuit board;

– Network interface affects comms with Atlanta;

– Network owned/operated by Harris Corp...

– “We are working with the FAA to diagnose problem and explain the failure of backup systems...”

• Sen. Charles Schumer:

“The country’s aviation system is in shambles, the FAA needs to upgrade the system, these technical glitches cause cascading chaos are too regular an occurrence...’”


Page 26

NextGen: En Route Automation Modernization

• $2.1 Billion upgrade.

• Faults lead to ‘missing’ flight plans;

– Other aircraft change identity in flight;

– Again cannot transfer flight data to Atlanta etc.

– Undermines ATCO confidence in system;

– ‘fallback’ original 20 year old IBM system

– IBM contract expired, uses Jovial – rarely used.

• Test deployment to Salt Lake City:

– FAA spend $14 million, still not working.

– Salt Lake City simple compared to Chicago...


Page 27

Testing can prove the presence of errors, but not their absence.

Copyright C.W. Johnson, 2013

Edsger W Dijkstra (1930-2002)

Page 28
Page 29

Keylogger: Predator and Reaper GCS, Creech Air Force Base

Page 30

Aim is to Provoke Discussion...

• Common software components into ATM:

– networks, Linux, VOIP, SBAS...

• Safety concerns everywhere:

– Huge problems of competence – incl regulators;

– Many conflicts between safety and security;

– Inconsistent, inapplicable rules (lack of HF input);

– Consistent, known violation of policies.


Page 31

Paranoia?

• Many policies only exist on paper.

• Huge problem with complacency.

• “FAA ineffective in all critical areas including operational systems information security, future systems modernization security, management structure, policy implementation”.

• US Government Auditors Office


Page 32

DoT Review of FAA CyberSecurity

DoT: "unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations."

“Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks"


Page 33

Conflict Between Security and Safety


• Existing safety standards eg ED153

– Focus on verification and validation;

– In proportion to SWAL/criticality.

• Anti-viral systems violate ED-153:

– Updated every 24-48 hours;

– could themselves bring down ACC;

– Cannot test anti-virus definitions;

– Without increasing security exposure.

• Do you want safety or security:

– Can have both eg banking approach.

Page 34

Vulnerabilities

• ‘Mass market’ viruses.

• You cannot disconnect the Internet.

– Virtual channels from USB sticks.

• Contractors violate security policies:

– My students take the systems to pieces…

• SESAR and NextGen scare me:

– increasing traffic loads / systems integration


Page 35

The Insider Threat (1): Malicious

• NIST’s US SCADA sewage system:

– 46 radio orders release 800,000 l raw sewage.

• Arrested, PC with Motorola M120 radio;

– Serial numbers ordered by the company;

– PDS Compact 500 computer control device;

– Mimicked pumping station to test commands.

• Sub-contractor – disguised his attacks…

Copyright C.W. Johnson, 2012

Page 36

Insider Threat (2): Righteous?

Page 37

Insider Threat (3): Negligent

• Negligent violations (eg passwords):

– They were told GOOD rules but ignored them;

– Lack of audit or regular training;

– Management implicit support?

• Justified(?) violations:

– They were told BAD rules and had to ignore them;

– Rules couldn’t be applied (no software etc);

– Rules applicable but threaten profit/safety etc…

• Routine vs exceptional violations.

Page 38

Some Recent Attacks

• Never underestimate the power of evil.

– Chinese hospital Shenzhen province:

– Insiders leave backdoor;

– Remote access to electronic patient record.

• How much harm can this do?

• European General Data Protection Regs:

– Fines 2% of global annual turnover in 24 hours;

– Into force this year (Replaces 95/46/EC).

Page 39

Some Recent Attacks

• Extortion attack.

• Sub-contractor:

– Lack of background checks;

– Corrupted the backups (not secure);

– Waited 4 months then deleted primary copy.

• Bank asked for €2.5 million.

Page 40

Some Recent Attacks….

• ANSP label on 13 switches from eBay:

– Flash memory for configuration data;

– Not erased prior to sale;

– ANSP have external disposal contract but…

• Used by sub-contractor at ACC:

– Supervisor login for VLAN;

– Upstream switch addresses/configs;

– VTP trunk info and password;

– SNMP community strings…
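The eBay switches on this slide show why a configuration must be checked before a device leaves the site. The following added example (my code, not the slides' or any ANSP's tooling) scans a constructed Cisco IOS-style configuration for the categories the slide lists (supervisor credentials, VTP password, SNMP community strings, upstream topology) and reports whether the device is safe for disposal; the config text and its placeholder secrets are constructed, not real.

```python
import re
from typing import List, Tuple

# Constructed IOS-style excerpt standing in for what the slide says was still
# in the switches' flash when they were sold. All secrets are placeholders.
SAMPLE_CONFIG = """\
hostname acc-edge-sw13
!
enable secret 5 $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx
username supervisor privilege 15 password 7 0822455D0A16
!
vtp domain ACC-VLANS
vtp password PLACEHOLDER_VTP
!
snmp-server community PLACEHOLDER_RO RO
snmp-server community PLACEHOLDER_RW RW
snmp-server host 10.0.0.1 version 2c PLACEHOLDER_RO
!
interface GigabitEthernet0/48
 description uplink to core-sw01
 switchport mode trunk
!
ip route 0.0.0.0 0.0.0.0 10.0.0.254
end
"""

# Rule table: finding name, severity, regex applied to each config line.
# "credential" findings mean the device must not leave the site in this state;
# "topology" findings expose the upstream layout the slide mentions.
RULES = [
    ("enable-secret",    "credential", re.compile(r"^enable (secret|password)\b")),
    ("local-user-cred",  "credential", re.compile(r"^username \S+ .*\b(password|secret)\b")),
    ("vtp-password",     "credential", re.compile(r"^vtp password\b")),
    ("snmp-community",   "credential", re.compile(r"^snmp-server community\b")),
    ("snmp-trap-target", "topology",   re.compile(r"^snmp-server host\b")),
    ("static-route",     "topology",   re.compile(r"^ip route\b")),
    ("uplink-interface", "topology",   re.compile(r"^\s*description .*\buplink\b")),
]

def scan_config(text: str) -> List[Tuple[str, str, int]]:
    """Return (finding, severity, line number) for every line matching a rule."""
    findings: List[Tuple[str, str, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append((name, severity, lineno))
                break  # one finding per line is enough
    return findings

def safe_for_disposal(text: str) -> bool:
    """True only when no credential-bearing line survives in the config."""
    return not any(sev == "credential" for _, sev, _ in scan_config(text))

def redact(text: str) -> str:
    """Replace the secret token on credential lines so the evidence can go in a ticket."""
    out = []
    for line in text.splitlines():
        if any(sev == "credential" and p.search(line) for _, sev, p in RULES):
            parts = line.split()
            if parts[:2] == ["snmp-server", "community"]:
                parts[2] = "<REDACTED>"          # community string sits before RO/RW
            else:
                parts[-1] = "<REDACTED>"         # enable/username/vtp: secret is last
            line = " ".join(parts)
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_CONFIG):
        print(finding)
    print("safe for disposal:", safe_for_disposal(SAMPLE_CONFIG))
```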

Page 41

Some Recent Attacks…

• Regulator receives airprox radar data.

• ANSP and regulator use same player.

• ANSP ROM contains conficker.

• Regulator warns ANSP:

– They claim player is obsolete anyway…

– ‘no further investigation’ at this time?

Page 42

Estonia, April-May 2007

• June 1940, Soviets annex Estonia.

• After independence:

– Ethnic Russians lose Estonian citizenship;

– Dispute over moves to Bronze Soldier of Tallinn;

– Riots kill one and injure more than 150 people.

• Two phase attack:

– Emotional ‘crowdsourcing’ (download scripts);

– focused attacks using criminal infrastructures.


Page 43

Estonia and Paranoia?

Chatham House report:

“The severity of the attacks on one of NATO’s most electronically connected members put the alliance on guard. If a highly wired small state could be brought to its knees then what type of havoc could be wrought upon larger states with more heterogeneous systems and critical infrastructure open to attack?”


Page 44

Estonia, April-May 2007

• DDoS on e-banking:

– Hansapank’s 2 hours on 9-10th May;

– Eesti Ühispank’s online bank 3 hours on 15th May.

• US Computer Emergency Readiness Team:

– ‘watershed’ attack but not revolutionary.


Page 45

Georgia, August 2008

• Armed conflict between Georgia & Russia:

– 1922 North Ossetia in Russia, South in Georgia;

– 1990 S. Ossetia gains de facto independence.

• Cyber-attacks prior to armed conflict:

– ICMP floods/HTTP ‘GET’ requests in July.

• But Georgian infrastructure vulnerable:

– half of 13 interconnections through Russia;

– Only 5 ISPs, 75% use Caucasus Network Tbilisi;

– Prior to war, began building link via Bulgaria…


Page 46

Georgia, August 2008

• Attacks lasted 2 hours up to 6 hours

– HTTP-based botnet (sign of Russian herders).

• 5 Stage crowdsourcing similar to Estonia:

1. Encouragement to get involved in cyber war;

2. Publishing target list of Georgian government Web sites which have been tested for access;

3. Selecting types of malware against target Web site;

4. Launching the attack and optionally,

5. Evaluating the results and iterating previous stages


Page 47
Page 48

“Go But You Will Never Work Here Again…”


Page 49

China, GhostNet and Shadow, March 2009

• Active defence and the attribution problem…

– No definitive proof of Chinese state involvement

• Use of social media and Gmail:

– Use of TOR anonymity server…

• Infection of Dalai Lama’s office:

– Tailor email so recipient opens attachment;

– Trojan horse onto victim’s machine;

– Information forwarded to control servers.

– Use genuine document on compromised machine?


Page 50

W32.STUXNET, March 2010

• W32.Stuxnet multi-component malware

– Attacks Programmable Logic Controllers (PLCs);

• Stuxnet has up to 4 zero-day exploits:

– ATM very vulnerable to this…

– Unusual range of languages (C/C++) team?

– Used 2 legit Taiwanese digital signatures…

• Command & control servers identified:

– Located in Malaysia and Denmark;

– 155 countries, 40,000 IP addresses.


Page 51

W32.STUXNET, March 2010

• Monitors frequency of attached

– attacks systems operating 807-1210 Hz.

• Triggers a state machine to hide ‘sabotage’;

1. Wait 13 days;

2. Set maximum frequency to 1410 Hz;

3. Wait 27 days;

4. Set maximum frequency to 2 Hz;

5. Set maximum frequency to 1064 Hz;

6. Go to 1.

• Comparison with Dublin Airport.

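As an added example (my code, not from the slides), a defender-side check over a constructed drive set-point audit log: it flags any commanded maximum outside the 807-1210 Hz band the slide says Stuxnet singled out, and looks per drive for the 1410 Hz, 2 Hz, 1064 Hz step sequence the slide lists, reporting the dwell between the first two steps. The log format, command name and drive identifiers are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Operating band of the drives the slide says Stuxnet looked for (807-1210 Hz).
NOMINAL_MIN_HZ = 807.0
NOMINAL_MAX_HZ = 1210.0

# The three set-points the slide lists for the sabotage state machine, in order.
SABOTAGE_SEQUENCE_HZ = (1410.0, 2.0, 1064.0)

# Constructed audit log (assumed format, not a real PLC trace):
# "<ISO timestamp> <drive id> SET_MAX_HZ <value>"
SAMPLE_LOG = """\
2010-03-01T00:00:00 drive-07 SET_MAX_HZ 1064
2010-03-02T09:30:00 drive-03 SET_MAX_HZ 1100
2010-03-14T00:00:00 drive-07 SET_MAX_HZ 1410
2010-04-10T00:00:00 drive-07 SET_MAX_HZ 2
2010-04-10T00:00:05 drive-07 SET_MAX_HZ 1064
"""

@dataclass
class SetpointEvent:
    ts: datetime
    drive: str
    max_hz: float

def parse_line(line: str) -> SetpointEvent:
    """Parse one audit-log record into a SetpointEvent."""
    ts, drive, cmd, value = line.split()
    if cmd != "SET_MAX_HZ":
        raise ValueError(f"unexpected command {cmd!r}")
    return SetpointEvent(datetime.fromisoformat(ts), drive, float(value))

def out_of_band(ev: SetpointEvent) -> bool:
    """True when a commanded maximum lies outside the nominal operating band."""
    return not (NOMINAL_MIN_HZ <= ev.max_hz <= NOMINAL_MAX_HZ)

def find_alerts(lines: List[str]) -> List[Tuple]:
    """Rule 1: every record outside the band. Rule 2: per drive, the ordered
    1410 -> 2 -> 1064 Hz window, with the dwell between its first two steps
    (the slide's 27-day wait) attached to the alert."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts: List[Tuple] = []
    for ev in events:
        if out_of_band(ev):
            alerts.append(("OUT_OF_BAND", ev.drive, ev.ts, ev.max_hz))
    by_drive: Dict[str, List[SetpointEvent]] = {}
    for ev in events:
        by_drive.setdefault(ev.drive, []).append(ev)
    for drive, evs in by_drive.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs) - 2):
            window = tuple(e.max_hz for e in evs[i:i + 3])
            if window == SABOTAGE_SEQUENCE_HZ:
                dwell = evs[i + 1].ts - evs[i].ts
                alerts.append(("SABOTAGE_SEQUENCE", drive, evs[i].ts, dwell))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

A real deployment would read the set-points from the PLC's own change log or from the process historian; the rule logic stays the same.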

Page 52

W32.STUXNET, March 2010

• Symantec:

– Need 5-30 people for 6 months;

– Elite hacktivist group? State lab or agency?

– Social networking with state encouragement?

• But STUXNET didn’t work…

– around 900 centrifuges damaged;

– replaced in months not years.

• Iranian Technology Council worried:

– New anti-virus software was also infected.


Page 53

W32.Duqu

• Written by the same ‘team’ as STUXNET?

– Or by a team with access to the source code.

• Remote Access Trojan (RAT).

– Industrial infrastructure and manufacturers;

– Playing a similar role to Siemens and Step-7;

– Intelligence gathering for attack on 3rd parties;

• Email Word document, 0-day kernel exploit;

– Contains an installer and uses process injection.

Page 54

W32.Duqu: C&C Breaking Firewalls

[Diagram: Corporate Network / Operational Network]

Page 55

W32.Duqu

• Duqu will inject malware into:

– Internet Explorer; Firefox;

– Trend Micro PC-cillin AntiVirus Real-time Monitor.

• Checks for anti-viral products:

– avp.exe, Mcshield.exe, avguard.exe, bdagent.exe, UmxCfg.exe, fsdfwd.exe, rtvscan.exe, ccSvcHst.exe, ekrn.exe, tmproxy.exe, RavMonD.exe.

• Extends Stuxnet to deal with Kaspersky…

Page 56

W32.Duqu: C&C Linux Server Deletion

Page 57

Operation Black Tulip

• DigiNotar, digital certificate authority (CA):

– cyber-attack eventually led to bankruptcy;

– false certificates to 100s of websites Google & Skype.

• Did not report incident to CERT etc:

– for 2 months there were false DigiNotar certificates;

– used to eavesdrop on email and web browsing in Iran.

• Once incident made public:

– Dutch government & browser vendors limit impact.

Page 58

Overview

• Now: Background:

– Is it a bug or an attack? Dijkstra…

• Now: Nature of the Threats:

– Crowdsourcing and Hacktivism;

– Social Attacks and Spear Phishing;

– Certification attacks; Configuration Attacks;

– Command and Control Servers,

– Stuxnet; Sniffers…

• Next: What Can We Do?

Page 59

What Can Be Done: Cyber Exercises…

Page 60

What Can Be Done: Cyber Exercises…

Page 61

What Can Be Done: Simplified Attack

Page 62

The Stuxnet Scenario

Page 63

Schedule

First Briefing

Understanding the Threats

Detailed patterns of attack.

Second Briefing

What can be done?

Protection, forensics and recovery.

Third Briefing

More detailed case studies…

Securing space-based assets.

Page 64

Any Questions?
