'Stop fooling yourself' and assume you are compromised, Black Hat crowd told
Persistent exploits reframe the challenge of cybersecurity infrastructure
The cyber threat landscape again has shifted. The drumbeat of high-profile breaches over the past year has demonstrated that no one, regardless of their sophistication, is immune from being exploited.
“There is an assumption now that you are compromised,” Jeff Moss, founder of the Black Hat Briefings, said while opening last week’s conference in Las Vegas. “Stop fooling yourself.”
“If someone really has you in their sights, they’ve got you,” said Tim Roxey, director of risk assessment at the North American Electric Reliability Corp. NERC announced that it had issued two alerts to power distributors as a result of research presented at the conference.
Systems operators can no longer focus only on preventing exploits from penetrating perimeters; they must also be prepared to respond to exploits when — and not if — they are discovered on the inside. This demands increased cooperation between the researcher/hacker community that discovers vulnerabilities and exploits, and the vendors and users who must counter them. This year’s Black Hat demonstrated how that cooperation can work.
“Hacker” has become a bad name, synonymous with online criminal, and there always has been tension between these characters and those charged with providing IT security. That tension has played out at Black Hat more than once over the years, as vendors have threatened legal action or sued to prevent presentation of vulnerabilities in products.
There was a near brush with such a confrontation this year, Moss said, over demonstrations of vulnerabilities in common Supervisory Control and Data Acquisition systems. But rather than resort to restraining orders, Siemens, which makes SCADA systems, produced patches for the problems and the presentations went as scheduled.
On Aug. 2, the evening before the demonstrations, NERC issued two alerts to more than 1,000 bulk power distributors to warn them of the issues discovered. One alert remains confidential, but the other warns of a vulnerability from cellular text messaging.
“Some microprocessors in use within selected Bulk Power System control networks or physical security perimeter control networks today may have cellular signal reception capability but do not have adequate application space or CPU speeds to assure message confidentiality, integrity, or guarantee of origin,” the alert warns. “For this reason, attackers can inject malicious commands towards unsecured endpoints.”
The alert gives mitigations for the issue, and NERC is planning a webinar with more detailed instructions.
This type of cooperation between researchers and industry is not new. A common model for handling vulnerability information has emerged over the past five years, in which vendors are given an opportunity to address a discovered problem before it is made public. But too often, vendors’ first response has still been to deny and resist rather than to fix the problems reported to them.
The fact is, researchers and hackers are not (necessarily) the bad guys. If they discover problems, the odds are good that the real bad guys already know about them or soon will. The only way to eliminate the threat of zero-day vulnerabilities is to have the good guys discover the problem first.
Venues such as Black Hat and its sister conference Defcon can be effective tools for cooperation. They provide incentives for researchers, a means for disseminating information, and forums for vendors and hackers to communicate and cooperate. This is the way to ensure that the good guys know as much as the bad guys about the weaknesses of our information systems.