Author: brandonworkentin

Another Example of Why Prescriptive Regulations Fail

Last week, the Department of Homeland Security’s ICS-CERT released an advisory for the Advantech WebAccess product. The advisory detailed 15 different vulnerabilities, reported by at least seven different security researchers. ICS-CERT said that the vulnerabilities could be exploited remotely, and that an attacker with “low skill” would be able to exploit them.

Patrick Coyle pointed out that the release notes and press release for this update, released by Advantech in late December, don’t have any indication that the update has any security-related patches. This, despite having 15 different vulnerabilities being fixed!

For people who are lucky enough to live in the NERC CIP world, this creates an interesting situation. Organizations are required to monitor a “patch source” for cyber security patches. This is likely to be the vendor, in this case Advantech. (Note: I don’t want it to sound like I’m picking on Advantech. The same situation happens with other vendors, too.) If the patch isn’t security-related, then the organization is not required to apply the patch. If the patch is security-related, then they either need to apply the patch or else create a mitigation plan for how they will prevent the vulnerability from being exploited.

Since the Advantech release notes didn’t say anything about this patch being security-related, the organization would have stopped there. Now, a month later, ICS-CERT releases their advisory and we find out, “Oh, that patch was security-related.” Here’s the kicker, though: The organization isn’t required to scour the Internet looking for vulnerability reports. They aren’t required to monitor ICS-CERT, they’re not required to monitor Full Disclosure, nothing. They did what they were required to do when they checked Advantech’s release notes and didn’t find anything that said the update was security-related.

So now, we’re in a situation where the organization has a system with at least 15 publicly disclosed vulnerabilities. For the CIP patch management process, they did what they were supposed to do. The compliance people checked to make sure that they evaluated the Advantech patch. The operations people have a product they’re using, and if it’s working, they aren’t going to want to apply an update. The security people may or may not exist, and if they do exist, they may or may not be monitoring ICS-CERT (although I hope they would be).

The bottom line is, you have an entity which is fully compliant with the NERC CIP regulations, which have regulations in place requiring you to apply security patches, yet this security patch hasn’t been applied.

Automatically Open All Reading List Items

As part of my job, I write a weekly newsletter, and as part of that I need to keep up with the current news, read articles, and write summaries of them. I use daily emails from a few sources (such as the CyberWire and Politico’s Morning Cybersecurity) and an RSS reader to collect possible stories. A lot of the time, I use my phone when I have a few spare moments and mark articles that might be worth reading more in-depth, and I use Safari’s Reading List to do that. Reading List has some problems, though. You can’t easily open every article in the Reading List. Since I generally clear it out every day, there might be anywhere from just a couple of articles up to about 15-20 at the most. I wanted to be able to open every article and then clear the list, so that I can process the articles while I’m at work. Apple doesn’t provide a good way to do this, though, so I used a combination of AppleScript and Keyboard Maestro to automate it.

I chose AppleScript to open the articles. Apple doesn’t provide easy access to your Reading List. Instead, it’s saved as part of your Safari Bookmarks file. I used this post by Jacques Rioux as a template, and modified it a bit to just get the URLs of articles in the Reading List.

-- Sets tfile to look at Safari's bookmarks file, which contains the Reading List
set tfile to (path to library folder from user domain as text) & "Safari:bookmarks.plist"

-- Creates a blank list, which will later have Reading List items added to it.
set theURLs to {}

tell application "System Events"

    -- Check each item in the Safari bookmarks file 
    repeat with i in (property list items of property list item "Children" of property list file tfile)
        tell i to try

            -- Check the item to see if it is a part of the Reading List
            if value of property list item "Title" = "com.apple.ReadingList" then
                repeat with thisDict in (get value of property list item "Children")

                    -- Add item to list of URLs to open
                    tell thisDict to set end of theURLs to its URLString
                end repeat
                exit repeat
            end if
        end try
    end repeat
end tell

This created a list of URLs from my Reading List. Then, I used some more AppleScript to take that list of URLs and open them in Safari. First, this checks if the Reading List is empty. If there’s no articles in it, then the script stops. Otherwise, I take the first URL and open it in a new window, then I take each subsequent URL and open it in a new tab. This section of the script is based off of this answer on Stack Overflow.

tell application "Safari"
    -- If there are no items in the Reading List then do not open Safari
    -- TODO change this to pop up a notification that the Reading List is empty
    if theURLs = {} then
        return
    else

        -- Get the first item of the list so that it can be used to create a new window, while the rest of the list is used to create new tabs.
        set {firstURL, restURLs} to {item 1 of theURLs, rest of theURLs}
    end if

    -- Make new window with the first URL in the Reading List
    make new document at end of documents with properties {URL:firstURL}

    -- Make new tabs with each of the other URLs in the Reading List
    tell window 1
        repeat with theURL in restURLs
            make new tab at end of tabs with properties {URL:theURL}
        end repeat
    end tell
end tell
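The same two steps in Python, as an added example that is not part of the original post: it walks the bookmarks plist exactly as the AppleScript does (top-level "Children", the entry whose "Title" is "com.apple.ReadingList", then that entry’s "Children" and their "URLString") and splits the result into the first URL and the rest, returning None for an empty list instead of silently opening nothing. The sample plist is constructed here in the shape of Safari’s file, not copied from a real one.

```python
import plistlib
from typing import List, Optional, Tuple

READING_LIST_TITLE = "com.apple.ReadingList"


def reading_list_urls(bookmarks: dict) -> List[str]:
    """Return the Reading List URLs from a parsed Safari bookmarks plist.

    Mirrors the AppleScript walk: top-level "Children" -> entry with
    Title "com.apple.ReadingList" -> its "Children" -> each "URLString".
    Returns [] when there is no Reading List entry or it has been cleared
    (a cleared list may have no "Children" key at all).
    """
    for child in bookmarks.get("Children", []):
        if child.get("Title") != READING_LIST_TITLE:
            continue
        return [
            item["URLString"]
            for item in child.get("Children", [])
            if "URLString" in item
        ]
    return []


def reading_list_urls_from_bytes(data: bytes) -> List[str]:
    """Parse raw plist bytes (binary or XML) and extract the Reading List URLs."""
    return reading_list_urls(plistlib.loads(data))


def reading_list_urls_from_file(path: str) -> List[str]:
    """Read the bookmarks file from disk; Safari keeps it at ~/Library/Safari/Bookmarks.plist."""
    with open(path, "rb") as fh:
        return reading_list_urls(plistlib.load(fh))


def split_first_rest(urls: List[str]) -> Optional[Tuple[str, List[str]]]:
    """Same split as the AppleScript's {firstURL, restURLs}: the first URL
    opens a new window, the rest open as tabs. None means nothing to open."""
    if not urls:
        return None
    return urls[0], urls[1:]


# Constructed sample in the layout of Safari's Bookmarks.plist (not a real export).
SAMPLE_BOOKMARKS = {
    "Title": "",
    "WebBookmarkType": "WebBookmarkTypeList",
    "Children": [
        {
            "Title": "BookmarksBar",
            "WebBookmarkType": "WebBookmarkTypeList",
            "Children": [
                {"WebBookmarkType": "WebBookmarkTypeLeaf",
                 "URLString": "https://example.com/not-a-reading-list-item"},
            ],
        },
        {
            "Title": READING_LIST_TITLE,
            "WebBookmarkType": "WebBookmarkTypeList",
            "Children": [
                {"WebBookmarkType": "WebBookmarkTypeLeaf",
                 "URLString": "https://example.com/article-1",
                 "URIDictionary": {"title": "Article 1"}},
                {"WebBookmarkType": "WebBookmarkTypeLeaf",
                 "URLString": "https://example.com/article-2"},
            ],
        },
    ],
}

# A Reading List entry with nothing in it, as after clearing the list.
EMPTY_READING_LIST = {
    "Children": [{"Title": READING_LIST_TITLE, "WebBookmarkType": "WebBookmarkTypeList"}],
}

# The constructed sample serialised as a binary plist, the on-disk format Safari uses.
SAMPLE_PLIST_BYTES = plistlib.dumps(SAMPLE_BOOKMARKS, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(split_first_rest(reading_list_urls_from_bytes(SAMPLE_PLIST_BYTES)))
```

On recent macOS releases the Safari folder is protected by privacy controls, so whatever runs `reading_list_urls_from_file` needs Full Disk Access before it can read the real file.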

I then used Keyboard Maestro in order to run this script. This let me launch it from a hotkey shortcut, or what I’ve been doing more often, using the Keyboard Maestro menubar icon to run it. After the AppleScript is executed, then I activate Safari and use Keyboard Maestro’s ability to choose menu items to open a new tab.

Since my new tabs open with the Reading List visible in the side bar, then I can just right-click an article on the sidebar and clear my Reading List.

In the future, I’d like to automate the clearing of items in the Reading List. Apple doesn’t provide an easy way to do so programmatically, and so I think I might have to do it by using Keyboard Maestro’s GUI scripting. I don’t like to do that because the scripts aren’t very resilient, and often break when anything is updated. I’ll have to see how annoyed I am by having to right-click in order to clear the Reading List, and my level of annoyance at that will determine whether I put the time in to try to automate that part of the process.

White House Petition on Encryption

The White House is soliciting comments on the “encryption debate” which is happening. I would encourage everybody to submit comments. The higher the volume of comments made, the more that lawmakers will realize that this is an important issue that people care about. To submit your own comments, go to https://www.whitehouse.gov/webform/share-your-thoughts-onstrong-encryption.

The President needs to state, strongly and unequivocally, that he supports the use of strong encryption, which protects American businesses, American Internet users, as well as democratic activists the world over.

A who’s-who of the leading cryptographers in this country has repeatedly written and spoken about the fact that creating an exceptional access program which is still secure is not technically feasible. Some politicians and law enforcement officials have chosen to ignore that, implying that the cryptographic community is either lying about this (for God knows what reason), or that they just haven’t tried hard enough. It’s important to note that the cryptographic community’s argument isn’t that it is hard to create a secure exceptional access program, but that it is mathematically impossible. To suggest that an entire community of leading cryptographers is lying about the problems involved in an exceptional access program is disturbing.

It is also important for the President, and other lawmakers, to understand that the United States’ policies in this area serve as an example to other countries. If the USA decides that encryption backdoors should be mandated, then other countries, which are more authoritarian and have a more problematic human rights record, will be emboldened to attempt to require the same thing. In order to lead the world in attempts to keep the Internet safe and secure, it is important for the USA to be on the right side of this decision.

Ted Koppel’s Lights Out is Ridiculous

Ted Koppel released a book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” a couple of weeks ago. The book was not received all that well by the electric industry. I haven’t read the book yet, mainly because I don’t want to add money to the sales figures. I’m sure I could find it somewhere online on that Deep, Dark Web, but I generally don’t pirate things just on principle.

He has given several interviews as part of his book tour, though. Among them, one was on the Diane Rehm Show, which has the transcript available here, another was with Hugh Hewitt, with the transcript here, and one with CSO Online available here.

Koppel (from Rehm Show): as great as the tragedy of Paris is, it’s still a conventional form of terrorism that tragically we have grown accustomed to over the years. And what worries me far more is if a group like ISIS, which already has a cyber war capability, and is already probing on the cyber front, they will have the capacity to reach out from wherever they are in the world.

Right at the start, I have to question his terminology. ISIS has not shown any “cyber war” capabilities. This grossly hyperbolizes what ISIS has done. While their propaganda machine uses technology and has been successful, that does not mean that they have a “cyber war capability.”

Koppel (from Rehm Show): There is no way – I mean, the notion that we can keep out terrorists when the terrorists end up being 19 and 20 years old and if you ran into them in the street, you know, unless you can look into their hearts and minds and see what’s going on there, how can you tell?

This is one point where he does make sense. One of the problems with the “War on Terror” idea is that the U.S. tried to fight a war against an idea by using physical troops and weapons. Unless you’re willing to simply exterminate everybody who holds, or likely might hold, the view you disagree with, that isn’t going to work.

Koppel (from Rehm Show): And what ISIS is successfully doing is imbuing in us a sense of fear and suspicion of all Muslims, which is just going to be devastating to the Muslim community, but also devastating to us.

Koppel has talked and been around politics for a long time. When he’s talking about that, he actually seems to be making sense. This is one of the problems with the “Keep all Muslims out of the US” idea.

Koppel (from Rehm Show): We have become now so dependent upon so many different aspects of the internet, that we fail to see that the internet has now become a weapon mass destruction.

And now he starts to go off the rails. To compare the Internet to a WMD is ridiculous.

Koppel (from Rehm Show): They have plans for every possible natural disaster, but the plan is get yourself a two to three supply of food, make sure you have a radio with adequate batteries. Make sure you have flashlights. Make sure you have water and enough medicine to take care of you for two or three days.

I’ve been to presentations by disaster recovery and emergency preparedness professionals. This does not describe what they do. The problem is, the level of follow-through by people in the public is not that great. They give smaller advice like this because they know that if they keep the advice at this level, people might follow through on some of it. If you tell them to have a month’s worth of food ready, most people aren’t going to do anything because they don’t know where to start for a problem of that scale.

Koppel (from Rehm Show): the chamber of commerce has done such an effective job of blocking cyber regulation because there are concerns the power industry is deregulated. On one level, that’s good for all of us because it brings the price of electricity down. But that deregulation means it’s not subject to, as the term implies, it’s not subject to very much federal regulation.

This is disingenuous, at best. Koppel’s book is about the Bulk Electric System (BES) going down, not just an outage at some municipal power company or something. And the BES does have cybersecurity regulations, as well as reliability regulations. There may be some debate over how good they are, but it is regulated.

Koppel (from Rehm Show): the deputy director of FEMA is a former vice admiral in the Coast Guard – a very nice man and couldn’t have been more gracious to me – but he said, Ted, I just think you’re wrong. I don’t think this is going to happen. I don’t think we’re vulnerable to this kind of an attack.

…taking out, let’s say, the City of New York? What would you do? Well, he said, I’d have to evacuate.

The next day, I went to see his boss, the administrator of FEMA. Yes, he said, he is absolutely convinced that this can happen and very likely will happen. Well, I said, what happens if the attack targets New York City? Do you evacuate? Oh, no, he said. You can’t evacuate New York City. Too many people. Where are you going to put them? Now, here are the two top people at FEMA in total disagreement, A, about whether it can happen and, B, about what you would do if it does.

This is completely believable (and I’m not being sarcastic). Isn’t bureaucracy great?

Rehm: But isn’t NERC the National Electric Regulatory Commission?

Koppel (from Rehm Show): No, NERC is actually the industry body.

I don’t think most people in industry would take this view. The short version is, NERC (the North American Electric Reliability Corporation) is tasked by FERC (Federal Energy Regulatory Commission) with writing and enforcing the rules. Whenever NERC writes the rules, though, they have to be approved by FERC before going into effect.

Koppel (from Rehm Show): But in the final analysis what journalism ought to be about is alerting the public to potential danger.

This is the problem with journalism. Journalism should be about informing and educating. Viewing your job as reporting on every threat and every possible danger is how people end up with an unrealistic view of what dangers they actually face in life. It’s why more people are scared to fly in a plane than ride in a car, even though airplane travel is demonstrably safer.

Koppel (from Rehm Show): There are 3,200 companies out there and several hundred of them are not that big, they’re small. They’re not that wealthy. They don’t have the money to spend on cybersecurity. And if you can get into one of those – and that’s pretty easy – then nations like the Chinese and the Russians have learned how to trace it all the way back into the central SCADA systems.

I’m not even sure what he means by this. Is he saying that if an attacker gets into a small rural cooperative distribution company, they can then get easy access to controlling the largest high-voltage lines? Because that’s ridiculous.

Hewitt: I go back to the Durkovich interview. I went and looked her up after I read Lights Out, and I’m sure she’s very competent. She graduated from Duke University in 1994, and she’s done a lot of interesting things. But the military people you talk with who are more my age, 59, or have been out of command for a couple of years versus the youngsters, they’re just much more sober about this, realistic about this.

I don’t think that being older leads to a better understanding of the cybersecurity field. Realistically, I don’t think that matters a bit, other than to say that people who are retired, formerly high-level government workers aren’t necessarily who I’d be asking for a current assessment of how things are.

Koppel (From Hewitt Show): And frankly, I’m not an expert on it today. I am simply, as I have been doing for most of my professional life, reporting what people who know more about a subject than I do tell me.

We’ll come back to this one. Just remember, it’s important to pay attention to who you decide to interview when you realize you don’t know about something and want to write a book on it.

Hewitt: There’s no more chilling anecdote than at the 2011 Black Hat conference, Ted Koppel, where you say someone stood up and gave out the password to all of the SCADA’s.

Koppel: Yup, that’s right.

I’m pretty sure he’s talking about this presentation by Dillon Beresford. This literally makes no sense, though. That Koppel would just agree with something as ridiculous as giving out the “the password to all of the SCADA’s” is almost beyond belief. I know he said he wasn’t an expert, but if you’re going to write a book on it, you need to at least realize that doesn’t make sense.

And then there’s the best interview response of them all.

CSO Online: Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?

Koppel: No, I did not.

He writes an entire book, brags about spending a year-and-a-half on it and how many people he’s interviewed, and he didn’t bother to even ask one person who actually has experience in doing what he says is going to happen? If you want to be educated on hacking the power grid, maybe you should talk to somebody who actually knows how to hack SCADA systems.

Hewitt: I would say on Pages 96–99 is perhaps the most, an account of the most disturbing interview I’ve read in a long time. You’re sitting down, and all honor to Jeh Johnson, the Secretary of Homeland Defense, he’s a public servant and a good man, but when you sit down and you talk to him about the threats to the power grid, I quote here, “Johnson’s answer ran slightly more than 13 minutes, and he never addressed the question. It was,” you concluded a little later, “not an area in which he had any expertise.”

I think that last sentence could just as easily have been applied to Ted Koppel, himself.

Terrorism and Doom-Predictors

It seems like every time something bad happens, there are news stories which talk about the people who warned that the bad thing was going to happen. We saw this again after the Paris attacks. There’s the French judge who said in September that “France is the principal target of an army of terrorists with unlimited means [ISIS].” There were other reports that “Senior Iraqi intelligence officials” warned of “imminent assaults” by ISIS one day before the attack. The headline, “Iraq warned of attacks before Paris assault,” is undermined by its own story, where it says that a senior French security official said that they get this kind of warning “all the time” and “every day.” A warning which is repeated over and over, and eventually comes true, is not a sign of great insight. It’s a sign of fear-mongering.

The French judge, Marc Trevidic, has been prosecuting terrorism cases since at least 2000, and term limits will force him to leave his position in 2016, which he compares to Davy Crockett leaving the Alamo in the middle of the battle.

I predict that there will be another major terrorist attack in France. I also predict there will be a terrorist attack in the U.S. When those attacks eventually happen, they won’t prove that I’m a great prognosticator, with great intelligence sources. They’ll simply prove that we live in a dangerous world, where people have freedoms. Freedoms which are important, but can be, and will be, used by some bad actors to do bad things.

How Securing the Power Grid is like Teaching Middle Schoolers

Note: This post is based on a 5-minute “Lightning Talk” I gave at the 2015 TCIPG Summer School. The Summer School is put on every other year, in the Chicago area, and I could not recommend it more. If you are a cybersecurity person wanting to learn more about the power grid, or an electrical/power engineer wanting to learn more about cybersecurity, then you should make a point of attending the next session. The grant money for “TCIPG” ran out earlier this year, but the organization is continuing under the Cyber Resilient Energy Delivery Consortium (CREDC) name.

1. Some people just won’t care what you have to say

And sometimes, the person who doesn’t care to listen is the most important person who should be listening. As a teacher, there were students who didn’t think they needed to be in school. I had an 8th-grader tell me, straight up, that he already knew everything he needed to know. He didn’t pay attention in class, didn’t do any work, and crucially, his parents didn’t think his lack of effort in school (failing every class, including PE) was a problem. The dad was a dropout who worked as a logger, and since “his life was fine,” his kid’s education wasn’t important. Despite a number of caring, hard-working teachers at that school, there could be no progress until the child’s (or possibly the parents’) attitude changed.

Similarly, securing our power grid is important. But, unless there is buy-in from corporate leadership, any efforts that a security professional does will likely be insufficient and “band-aid” style fixing of problems.

2. Some people care too much

In teaching, these people are called “Helicopter Parents.” They are the ones who do their kid’s homework, believe that their child can do no wrong, and think that it’s their job as a parent to make sure their child is successful and doesn’t encounter any difficulties in life. I had one student whose mom was on the school board. He did very little work, and when the first report cards came out, he was failing the class. Mom didn’t like that. One teacher, who had taught at the school for over 30 years, said to just change the grade to a “D,” because it wasn’t worth the hassle to deal with the mother. He said he had done that several years prior with the student’s older brother, who Mom had also tried to “protect” in the same way. Another teacher told me that the same older brother was currently in jail on serious charges, after never having to deal with the consequences of his actions while growing up. By caring so much about short-term effects of something like a failing grade, the mom had set him up for failure in the long-term.

When it comes to the power grid, I think the people who care too much are those who think we can protect the electric system from 100% of the threats, 100% of the time. That’s just not a realistic goal, and ignores the “Best Practices” of risk management planning. A similar problem case is those who think that their issue is the only important issue. For example, Senator xxxxxx from Texas had his “pet issue” of electromagnetic pulse weapons. By wearing blinders and expecting industry to follow his ideas, he ends up saying things like that the electric industry’s actions in the area of EMP weapons should be considered treason. That kind of hyperbole actually hurts your cause, because it leads to industry discounting any legitimate concerns you have or points you do make.

3. Some people are doing really cool stuff with technology

Technology can make school more engaging for students. I’ve known students for whom the main reason they enjoyed school was that they were able to be a part of a robotics club. And there are teachers who use technology in their classrooms every day to make school more engaging for students. Likewise, there are some cool projects and tools which can be used by industry to help make organizations more secure. A lot of them, like OpenNSM, are even open source projects which are developed by volunteers, and can be implemented at little to no cost.

4. Money Helps

There’s a reason thousands of teachers are using things like [find name of the crowd source site I used to use] to raise money for their classrooms. It requires money to provide the art supplies which can inspire some kids to be better students, or to provide experiences which make learning more fun and hands-on, like the awesome Outdoor School program in Oregon. In the same way, some security projects just can’t get done without spending some money. For example, the Cyber Threat Alliance is a great project being done by some large security vendors. It requires the vendors to be willing not only to question their business model, but also to be willing to give their employees the leeway to spend time on a project with no direct impact on their bottom line.

5. But, Money Isn’t Everything.

There are some schools doing great things with almost no money. They exist in the inner city and the rural world. And they are proof that things can be accomplished with hard work and commitment, even when the funds might not be there. Likewise, it doesn’t necessarily take money to improve a security program. Maybe somebody will give up an hour of lunch to give a short talk to employees about how to be safe online, or how to make their home wifi network secure. There are little things that can be done, which cost little or no money, which can have a large, cumulative effect on security.

6. It Takes Teamwork

Every great teacher I’ve known has given credit to other people. Whether it’s a principal who creates a great culture at a school, aides who have the patience and skills to work with the hardest students and assist the teacher, previous teachers who have helped cultivate a love of learning in the students, or parents who provide a home environment conducive to learning, there is always someone who has helped to make it possible to connect and have a productive relationship with students.

A security department, working by itself, will not be able to ensure an organization is adequately protected. They will need to work with executives and normal users, work with their vendors, and, yes, even work with their regulators in order to be as successful as possible.

7. Most Important: Dedication is What Leads to Success

There’s a tradition at the Cedar Ridge Outdoor School that (some) leaders will lick banana slugs. I did it when my group was doing a post-activity question/quiz time, in a game called “Stump the Leader.” I said that if my group could beat the leaders at the game, then I would lick a slug. After one of the leaders threw the game, I had to pay up on my bet. It’s the kind of stunt that makes learning and playing an educational game fun for the students. And I wasn’t alone in it, either, as three of us teachers or leaders licked the same slug (I lucked out and got the middle section; I felt sorry for the lady who got the tail).

Dedication will help make a team, department, organization, or industry successful. By being dedicated enough to teach others about security, you can help make your peers more secure in their computing habits. By having the dedication to chase down that alert you think might be a false positive, but you’re just not sure, you can find the evidence which allows an adversary to be discovered. By coming in at 3:00am because all hell has broken loose, you can help make things right. And, by being dedicated enough to your craft to be willing to learn, even on your own time (we all do it), you’re helping to build the capacity for your organization to respond to new challenges.

Click here to download the slides.