CYBEREYE

'Stop fooling yourself' and assume you are compromised, Black Hat crowd told

Persistent exploits reframe the challenge of cybersecurity infrastructure

The cyber threat landscape again has shifted. The drumbeat of high-profile breaches over the past year has demonstrated that no one, regardless of their sophistication, is immune from being exploited.

“There is an assumption now that you are compromised,” Jeff Moss, founder of the Black Hat Briefings, said while opening last week’s conference in Las Vegas. “Stop fooling yourself.”

“If someone really has you in their sights, they’ve got you,” said Tim Roxey, director of risk assessment at the North American Electric Reliability Corp. NERC announced that it had issued two alerts to power distributors as a result of research presented at the conference.

Systems operators can no longer focus only on keeping exploits out at the perimeter; they must also be prepared to respond to exploits when — not if — they are discovered on the inside. This demands increased cooperation between the researcher/hacker community that discovers vulnerabilities and exploits, and the vendors and users who must counter them. This year’s Black Hat demonstrated how that cooperation can work.

“Hacker” has become a bad name, synonymous with online criminal, and there always has been tension between these characters and those charged with providing IT security. That tension has played out at Black Hat more than once over the years, as vendors have threatened legal action or sued to prevent presentation of vulnerabilities in products.

There was a near brush with such a confrontation this year, Moss said, over demonstrations of vulnerabilities in common Supervisory Control and Data Acquisition systems. But rather than resort to restraining orders, Siemens, which makes SCADA systems, produced patches for the problems and the presentations went as scheduled.

On Aug. 2, the evening before the demonstrations, NERC issued two alerts to more than 1,000 bulk power distributors to warn them of the issues discovered. One alert remains confidential, but the other warns of a vulnerability from cellular text messaging.

“Some microprocessors in use within selected Bulk Power System control networks or physical security perimeter control networks today may have cellular signal reception capability but do not have adequate application space or CPU speeds to assure message confidentiality, integrity, or guarantee of origin,” the alert warns. “For this reason, attackers can inject malicious commands towards unsecured endpoints.”

The alert gives mitigations for the issue, and NERC is planning a webinar with more detailed instructions.
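The alert quoted above describes command channels that cannot assure message integrity or origin, so any text that parses as a command is acted on. The following added example (not from the NERC alert or the article) contrasts that behaviour with a small verifying gateway that accepts a command only when it carries a valid HMAC tag and a fresh counter; the `counter|command|tag` message format, the shared key and the sample commands are constructed assumptions.

```python
import hmac
import hashlib

# Constructed demo key, assumed to be provisioned on the verifying gateway.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def unauthenticated_accept(text):
    """Behaviour the alert warns about: any parseable text becomes a command."""
    return text.strip()


class SmsCommandGateway:
    """Accept only messages with a valid MAC over (counter, command) and a counter
    higher than the last accepted one, which rejects forgeries and replays."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    @staticmethod
    def tag(key, counter, command):
        return hmac.new(key, f"{counter}|{command}".encode(), hashlib.sha256).hexdigest()

    def check(self, text):
        parts = text.split("|")
        if len(parts) != 3 or not parts[0].isdigit():
            return None, "malformed"
        counter, command, tag = int(parts[0]), parts[1], parts[2]
        expected = self.tag(self.key, counter, command)
        # Constant-time comparison; verify the MAC before touching any state.
        if not hmac.compare_digest(expected, tag):
            return None, "bad_mac"
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return command, "ok"


def build_message(key, counter, command):
    """Sender side: attach the tag the gateway will verify."""
    return f"{counter}|{command}|{SmsCommandGateway.tag(key, counter, command)}"


def demo():
    gw = SmsCommandGateway(SHARED_KEY)
    legit = build_message(SHARED_KEY, 1, "STATUS_REPORT")          # constructed
    forged = "2|STATUS_REPORT|" + "00" * 32                          # no valid key
    return [gw.check(m)[1] for m in (legit, forged, legit)]          # replay last
```

`demo()` returns `['ok', 'bad_mac', 'replay']`, showing the three outcomes the gateway distinguishes while `unauthenticated_accept` would run all three.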

This type of cooperation between researchers and industry is not new. A common model for dealing with vulnerability information has emerged over the past five years in which vendors are given an opportunity to deal with a discovered problem before it is made public. But too often, the first response of vendors still has been to deny and resist rather than respond to discovered problems.

The fact is, researchers and hackers are not (necessarily) the bad guys. If they discover problems, the odds are good that the real bad guys already know about them or soon will. The only way to eliminate the threat of zero-day vulnerabilities is to have the good guys discover the problem first.

Venues such as Black Hat and its sister conference Defcon can be effective tools for cooperation. They provide incentives for researchers, a means for disseminating information, and forums for vendors and hackers to communicate and cooperate. This is the way to ensure that the good guys know as much as the bad guys about the weaknesses of our information systems.


About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Tue, Aug 9, 2011 earth

There can be five stages of a paradigm shift, each with its own language markers, depending on “out of sight” and “out of touch”. Assuming sight is longer than touch, the first stage is when the competing paradigm is out of sight. The “powers that be” will deny its existence with statements like “it doesn’t exist”. Once in sight, existence can’t be denied, but truth can, so the second stage is to deny the truth: “that’s not true”. The third stage comes with contact, and truth can no longer be denied as elements of the subject paradigm are intrigued. The language here is “you aren’t from around here, are you” being applied to internal elements when it is obvious they are. Security creates autoimmune diseases. The fourth stage is breach and the fight for control. “You are either for us or again us”. The fight for paradigm stability turns “conservative” elements into raging attackers of anything even slightly different. Autoimmune diseases can become fatal. “Conservative” elements can become cancerous. The whole system suffers fevers, and necrotic areas may appear as the conservative elements kill off even normal cells. Servers are shut down, programs unloaded, databases become unreachable. But sometimes, rarely, endosymbiosis occurs: the “invader” becomes a new part of the operational paradigm, crackers become hackers. And sometimes a hybrid paradigm develops that gives the new organization survival advantages. That’s evolution of a different type. The language at this point is “knew it all along”. Of course this requires the “conservatives” to be kept under control and “liberal” enough to accept “onward and upward”. Note the exchange of DNA between species of bacteria that have drug resistance. Organizations that live near the edge of chaos are typically the most viable, and that typically requires an amoeba-like walk between liberals staking out territory closer to the edge and conservatives shifting toward the more successful outposts.
If conservatives are too strong then the paradigm gets bypassed like the Amish. Up or out. Evolve or die off.
