Hacking & Security
Digital Substation Takeover, presented by iGRIDS, was held at PHDays V. The contest's participants tried themselves in hacking a real electrical substation designed according to IEC 61850. The general task was to perform a successful attack against the electrical equipment control system.
What it's all about
A special high voltage (500 kV) substation model had been developed for the contest. It included switches, time servers, protective relays that are used in modern high voltage electric networks to ensure protection in emergency situations and incidents (in case of a short circuit, faults in a power transmission line etc.).
Several scenarios were offered, each of them corresponding to unauthorized access to switches: circuit breaker opening, earthing switch closing despite operation blocking. The contest's organizers suggested that the most difficult task—that is to cause an emergency on the site—would be followed by fireworks of burning wires of the model overhead power line set nearby.
This year's format combined various competitions with capture the flag contests. CTF teams along with the rest of the forum's participants were able to take part in them (see our article on our blog). About 50 PHDays attendees and several CTF teams took part in Digital Substation Takeover.
The model used the following equipment:
- Siemens SICAM PAS v. 7.0,
- common protective relays and switches,
- GPS and GLONASS time servers,
- industrial switches.
The course of the contest
Since the contest was held for the first time at PHDays and due to its specific nature, participants spent the first day studying power-system protection, switches, and operation blocking. They had to analyze large amounts of information found on special forums, vendors' sites etc.
The contest comprised several tasks of different difficulty levels:
- temporal destruction to the substation's information infrastructure (was performed six times);
- time server reprogramming (was performed once);
- unauthorized disconnection of consumers (twice);
- detecting an unknown vulnerability (once).
The most difficult task was to take control over primary devices and issue a command bypassing blocking. No one managed to solve this task (though one team got quite close).
Sergey Sidorov took first place, Alexander Kalinin came second. RDot and ReallyNonamesFor gained some points for hacking the substation.
Not quite at ease
During the contest, representatives of power supply companies, such as the Federal Grid Company of Unified Energy System (FGC UES), were watching the process closely.
"To tell the truth, when I saw those people lounging in beanbags and hacking industrial control and protection systems for some virtual profit, I felt uncomfortable," said Mikhail Seleznev in an interview [ru] with Digital Substation, an online magazine. Mikhail is the head of the ICS and metrology division of the relay protection department at FGC UES. "No one can guarantee that a group of such creative individuals won't gather together and use the knowledge their obtained during this contest to crack real infrastructure—just for the fun of it. Are they aware of the weight of possible consequences of such actions?"
However, Mikhail doubts that it's IEC 61850 that should undergo any changes: "The standard should continue to develop for the benefit of the purposes it was designed for. Information security should be the subject of other standards. There has been much talk about ICS protection recently. In fact, it is important to engage representatives of power supply companies in such discussions—and in putting new methods into practice."
iGRIDS, the organizers of the contest, registered everything that occurred on the stand. By the middle of the contest, it became obvious that the range of threats was broader than they had expected. The developers assure that they will take into account new attack variations when developing subsequent versions of protection systems. And they’ve already got an invitation to take part in PHDays VI!
In a rare press release issued Wednesday morning, Hacking Team, the embattled Italian surveillance software vendor, reiterated that it did not and does not have a "backdoor" into its clients’ installations of the Remote Control System, or RCS. But new analysis of its leaked source code seems to directly contradict this claim.
Hacking team said:
There have been reports that our software contained some sort of "backdoor" that permitted Hacking Team insight into the operations of our clients or the ability to disable their software. This is not true. No such backdoors were ever present, and clients have been permitted to examine the source code to reassure themselves of this fact.
According to new research by Joseph Greenwood, a UK-based researcher with 4Armed who has been examining the leaked RCS source code in detail, this is a distinction without a difference.
A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.
The privilege-escalation bug, which was reported in a blog post published Tuesday by security researcher Stefan Esser, is the type of security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications. Hacking Team, the Italian malware-as-a-service provider that catered to governments around the world, recently exploited similar elevation-of-privileges bugs in Microsoft Windows. When combined with a zero-day exploit targeting Adobe's Flash media player, Hacking Team was able to pierce security protections built into Google Chrome, widely regarded as the Internet's most secure browser by default.
According to Esser, the OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that allows attackers to open or create files with root privileges that can reside anywhere in the OS X file system.
Several sources in the financial industry say they are seeing a spike in fraud on customer cards used at ATMs in Mexico. The reason behind that apparent increase hopefully will be fodder for another story. In this post, we’ll take a closer look at a pair of ATM skimming devices that were found this month attached to a cash machine in Puerto Vallarta — a popular tourist destination on Mexico’s Pacific coast.
On Saturday, July 18, 2015, municipal police in Puerto Vallara arrested a man who had just replaced the battery in a pair of skimming devices he or an associate had installed at an ATM in a busy spot of the town. This skimming kit targeted certain models of cash machines made by Korean ATM manufacturer Hyosung, and included a card skimming device as well as a hidden camera to record the victim’s ATM card PIN.
Here’s a look at the hidden camera installed over the compromised card reader. Would you have noticed anything amiss here?
The tiny pinhole camera was hidden in a molded plastic fascia designed to fit over top of the area directly above the PIN pad. The only clue that something is wrong here is a gap of about one millimeter between the PIN capture device and the actual ATM. Check out the backside of the false front:
The left side of the false fascia (as seen from the front, installed) contains the battery units that power the video camera:
The device used to record data from the magnetic stripe as the customer inserts his ATM card into the machine is nothing special, but it does blend in pretty well as we can see here:
Have a gander at the electronics that power this badboy:
According to a local news clipping about the skimming incident, the fraudster caught red-handed was found in possession of a Carte Vitale card, a health insurance card of the national health care system in France.
The man gave his name as Dominique Mardokh, the same name on the insurance card. Also, the picture on the insurance card matched his appearance in real life; here’s a picture of Mardokh in the back of a police car.
According to the news site Noticiaspv.com, the suspect was apprehended by police as he fled the scene in a vehicle with license plates from Quintana Roo, a state nearly 2,500 km away on the Atlantic side of Mexico that is the home of another very popular tourist destination: Cancún.
Ironically, the healthcare card that identified this skimmer scammer is far more secure than the bank cards he was allegedly stealing with the help of the skimming devices. That’s because the healthcare card stores data about its owner on a small computer chip which makes the card difficult for thieves to duplicate.
Virtually all European banks and most non-US financial institutions issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), but unfortunately chip cards have been slow to catch on in the United States. Most US-based cards still store account data in plain text on a magnetic stripe, which can be easily copied by skimming devices and encoded onto new cards.
For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdrawal cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.
This skimmers found in Mexico (where most credit cards also are identified by microchip) abuse that same dynamic: Undoubtedly, the thieves in this scheme compromised ATMs at popular tourist destinations because they knew these places were overrun with American tourists.
In October 2015, U.S. merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards. While most experts believe it may be years after that deadline before most merchants have switched entirely to chip-based card readers (and many U.S. banks are only now thinking about issuing chip-based cards to customers). Unfortunately, that liability shift doesn’t apply to ATMs in the U.S. until October 2017.
Whether or not your card has a chip in it, one way to defeat skimmers that rely on hidden cameras (and that’s most of them) is to simply cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).
Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.
Update, July 28, 8:54 a.m. ET: ATM maker NCR has just released an advisory also warning about a spike in ATM skimming tied to Mexico. See the alert here (PDF).
US government officials are nearly certain that the Chinese government was involved in the theft of sensitive personal information about millions of government employees, members of the US military, and employees of government contractors requiring background checks or security clearances from the systems of the Office of Personnel Management. But according to a report by the Washington Post, the Obama administration has decided to not publicly and officially call out China for the attack—in part because it might require the administration to reveal some of the US' hacking of China to make the case, and expose other information intelligence and warfare capabilities of the National Security Agency, Department of Homeland Security, and FBI.
Ellen Nakashima, the Post's national security reporter, citied anonymous conversations with officials involved with the White House's decision-making process surrounding the OPM, and reported that the administration "has not ruled out economic sanctions or other punitive measures" for the theft of data from OPM. But US officials, including Director of National Intelligence James Clapper, have "even expressed grudging admiration for the OPM hack, saying US spy agencies would do the same against other governments," she reported.
Part of the calculus that went into the decision, one official told Nakashima, was that “we don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities.” Another official said that the White House might opt to simply put sanctions in place under other justifications, and then privately communicate to the Chinese government that the sanctions were in fact in retaliation for the OPM hack.
Chris Camejo, Director of Assessment Services for NTT Com Security (formerly Integralis), comes from a technical assessment background, having personally coordinated and conducted numerous large-scale, multi-discipline penetration tests spanning multiple countries for global clients. As part of NTT Com Security’s threat intelligence capabilities, he follows the latest tactics and techniques of attackers and have conducted […]
The post Interview: Chris Camejo, Director of Assessment Services for NTT Com Security appeared first on InfoSec Institute.
Po phishingové vlně z minulého týdne, která mířila na elektronické bankovnictví Komerční banky, jsme dnes zaznamenali téměř totožný e-mail určený pro klienty GE Money Bank. Uživatele tento podvodný e-mail navádí k aktualizaci certifikátů, a to z důvodu nově nalezené zranitelnosti. Po kliknutí na odkaz v e-mailu je uživatel přesměrován na falešnou stránku GE Money Bank, která vyžaduje zadání přihlašovacích údajů do elektronického bankovnictví.
Ukázka phishingové zprávy:
Introduction: NodeJS is an extremely powerful and lightweight technology, which is being widely adopted. Just like any other technology sometimes developers make mistakes during the development process, which may lead to serious vulnerabilities. In this series of articles, we discuss various NodeJS specific and traditional vulnerabilities that we may come across when dealing with NodeJS […]