With the global excitement and opportunity of the Smart Grid, a lot of historically IT-focused companies, including Cisco, are entering the market. It’s important to note that the grid has unique characteristics that must be accounted for when applying IT security solutions. In this post I’ll focus on the primary goal of power generation and delivery: reliability. In subsequent posts I’ll discuss other security requirements of the grid (such as integrity, authentication, and confidentiality), and how we can apply lessons learned from the IT sector.
To better understand the culture shift from securing IT systems, we need to clarify the focus of grid security. In the IT world, we often focus on protecting information. For example, in United States Department of Defense circles, security is usually referred to as Information Assurance. Smart Grid security (usually called “cyber security,” or just “cyber,” by electric sector practitioners), however, concerns itself with making sure that systems continue to operate in the case of a security event. An equivalent term for the grid would be “Continuation Assurance.” The smart grid community considers anything with the potential to affect system reliability a cyber security issue, from disgruntled insiders to operator error to a deliberate attack from the outside that affects any portion of the grid – substations, data centers, operations centers, neighborhood area networks, and eventually homes. The effectiveness of cyber security measures will be judged mainly on their contribution to keeping the systems running!
Why is reliability key to the grid?
When I first started this series my goal was to remove any mystery around botnets. In fact, most botnets, like this one, are relatively simple. In this post we will explore the command-and-control (C&C) infrastructure, as well as the bot’s update mechanism.
A C&C interface is the primary user interface between the botmaster and the legion of infected hosts participating in the botnet. Since it is present in every botnet (although there are many different types of interfaces), it is one of the primary things we look for when attempting to determine whether any machines have been compromised. From a botmaster’s perspective, it would seem that this is a key feature that must be carefully designed to avoid detection. But surprisingly, a very large percentage of the ones we see are very simple, just like this one. That said, at times it can be very much a cat-and-mouse game between botmasters and people in my industry.
Remotely controlling multiple machines is a basic problem that botmasters must address. You need to be able to command your nodes in a fairly efficient manner. If you have 10,000 nodes you do not want to issue a command 10,000 times. You want to issue it once and have all 10,000 nodes respond in a timely manner so that you know whether the command was successful.
In this example the author decided to use Internet Relay Chat (IRC). The use of IRC is very common among simple bots since it’s easy to understand and there are lots of implementations publicly available. There is a trade-off though: because IRC is a well-documented protocol, it is extremely easy to detect and monitor. Infiltrating an IRC-based botnet is a trivial task. Some botnets try to mitigate this issue by doing things like requiring server and channel passwords or even using SSL encryption, but none of those efforts are really effective. Passwords are easily sniffed off a network, and anything being encrypted can be spied on with a debugger.
Tags: botnets, security, security research
Privacy and information leakage have become one of my favorite topics on the Security blog. It seems that an enormous amount of information is being willingly plastered all over the Internet, from which significant value can be extracted (especially when combined with other public, or more likely private, datasets). The results are mind-boggling, and the implications are not fully comprehensible. Yet another example of this came to light recently from security professional Roger Thompson’s blog.
As we described in the Cyber Risk Report for the week of December 14, Thompson had a credit card suspended because of fraud concerns. As he called to reactivate the card and prove his identity to the fraud division at his bank, he was asked questions regarding his daughter-in-law that were not things that should have been tied to him in traditional security questions. His assumption is that the information was gleaned from a public source, such as a social networking site.
During the course of security research we often acquire new malware samples. We typically first try to determine what we have acquired and if it is a new or otherwise unknown malware sample or if it is a mutation of something that we have already seen. There are several ways in which a sample can be tested, but the simplest way is to compare the MD5 checksum of the malware sample against other known checksums — several services exist where you can look up the hash of a sample, such as Malware Hash Registry by Team Cymru, VirusTotal, and MalwareHash. These services work by analyzing samples against antivirus products from several vendors (often thirty or forty different products). If the sample has previously been analyzed, the results will often tell what percentage of antivirus products detect the sample. Most of the time this method is sufficient on samples that are more than a few days old; however, on samples that are recent (perhaps discovered within the last twenty-four hours) the effectiveness of this method is marginal, illustrating the highly reactive nature of the industry.
Since antivirus products are often used as a cure for poor user discretion, I thought I would track the effectiveness of antivirus products on new malware samples that we received and test some of the samples a week later to note how the coverage improved. I think the results will show that new malware samples have a window of opportunity where end users are particularly vulnerable to the new malware strains.
Social media security has been a major focus of the Cisco Security blog in the past several months. We believe so strongly in sharing the message of using social media in a secure way that it was also a prominent focus in the 2009 Cisco Annual Security Report. In the 2009 report, we discussed how criminals, like predators in the wild, migrate to where their victims can be found. Recently, that has been on social networking sites and services.
Now, Google has moved to include microblogging and other recent search index updates in their Real Time Search section (“Latest results for…”) of a standard search results page. Just as the existence of community lends trustworthiness to content found on social networks, the association with Google’s search results also lends validity to content.
Tags: 2009 annual security report