Patriot Act – ‘The Market’ Doesn’t Like It

It seems the Patriot Act revision, which allows warrantless access to anything people store at a data centre in the United States, is already putting US-based cloud service providers at a disadvantage. Some European providers are using it as a selling point. Their potential clients can’t be accused of any misunderstanding over the Patriot Act, as protections against any unauthorised access to their data should always be a core demand.
I don’t see the situation changing anytime soon. It’s something most SaaS providers and their customers didn’t anticipate when negotiating SLAs, so the firms actually running the data centres have little obligation to challenge the government.

There are two further arguments here, which lead us to a rather tricky conundrum. Some, like myself, believe security, privacy and free expression are paramount, and must be protected by solid technical measures. Others believe law enforcement agencies should have ready access to anyone’s data, in the interests of fighting crime and terrorism.

Stephen Biggs, from the University of Wales Newport, takes the latter position and puts forward a reasonable argument for it. At least 70% of electronic crime is related to indecent images (and videos) of children, and potentially many criminals are utilising the cloud. In truth, we don’t know the actual extent of this problem, because any incriminating data is hard to access, hard to attribute, and even harder to pass off as reliable evidence. But should that argument be applied to the Patriot Act and undefined ‘terrorists’? Who exactly are the terrorists, and how many of them really are using the cloud?

Although I take a much different position to Biggs here, he pointed out in a recent conversation something most of us never thought of: Everyone’s being encouraged to outsource the storage and management of their information assets to third parties, but cloud computing isn’t mature enough for this. A decade ago, nobody was discussing the security issues related to it either. In other words, maybe we’re entirely wrong to assume confidentiality can be guaranteed with cloud computing.

Paradoxically, too little trust is given for the cloud computing industry to reach its full market potential. Any organisation can be compromised, and that risk is multiplied when another third party also has access to the data. Normally the SaaS and PaaS companies already have access to it, and now so does the US government. A compromise could happen through any of those entities.
Combined with the earlier point, I reckon it’s just a matter of time before a major provider and its corporate clients are compromised. Others are aware of that risk, and aren’t prepared to take it, especially with intellectual property theft and industrial espionage allegedly on the rise.

Told You So

First off, I’d like to offer my condolences to Joe Weiss, the SCADA ‘cyber war expert’ who made an ass of himself over the water pump incident last month.

Basically the scare story about Russian hackers compromising a US water facility was based entirely on an IP address, not that any of us were told what it was. An IP address on its own is never a reliable indication of where an attack originated.
So a report, which wasn’t open to scrutiny, investigation or analysis by any of us, found its way to Weiss who called ‘cyber war’. I called bullshit, because it had the signs of a hoax. There was no investigation, no reliable evidence, and my money was on the simplest and therefore most likely explanation – hardware failure. The only worrying thing here was the apparent lack of fault finding, incident handling and reporting procedures.

The facts have just been revealed by Wired’s Threat Level blog after an interview with the engineer (Jim Mimlitz) who set up the Curran Gardner Public Water District’s control system.

It turns out the engineer logged into the system while on holiday in Russia. After the water pump’s failure five months later, someone noticed the address in the logs and notified the Statewide Terrorism and Intelligence Center without the engineer being contacted, even though his username was listed next to that address. It was just assumed hacker(s) spent five months messing about with the system.
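The log triage that didn’t happen, as an added example (not from the post): it parses constructed login records, ignores internal sources, and for each external login checks the account roster and the gap to the fault date instead of treating the address on its own as proof of an attack. The account names, addresses, roster and timestamps are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of a control-system remote-access log. Every address,
# account name and timestamp here is invented for this example.
SAMPLE_LOG = """\
2011-06-12T09:41:07 LOGIN user=integrator01 src=203.0.113.45 result=ok
2011-06-12T09:58:30 LOGOUT user=integrator01 src=203.0.113.45 result=ok
2011-11-08T14:02:11 LOGIN user=root src=198.51.100.7 result=fail
2011-11-08T14:02:19 LOGIN user=operator1 src=192.168.10.5 result=ok
"""
# Assumed roster of accounts permitted to log in remotely (constructed).
AUTHORISED_REMOTE = {"integrator01": "system integrator"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

@dataclass
class Event:
    ts: datetime
    action: str
    user: str
    src: ipaddress.IPv4Address
    ok: bool

def parse_line(line):
    """One 'timestamp ACTION key=value ...' record into an Event."""
    ts, action, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Event(datetime.fromisoformat(ts), action, f["user"],
                 ipaddress.ip_address(f["src"]), f["result"] == "ok")

def triage(log_text, incident_ts):
    """Triage external LOGIN events against the account roster and the
    incident date; the source address by itself decides nothing."""
    incident = datetime.fromisoformat(incident_ts)
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.action != "LOGIN" or any(ev.src in n for n in INTERNAL_NETS):
            continue
        gap_days = (incident - ev.ts).days
        if not ev.ok:
            verdict = "failed external login: note it, no attribution"
        elif ev.user in AUTHORISED_REMOTE:
            verdict = (f"known {AUTHORISED_REMOTE[ev.user]} account, "
                       f"{gap_days} days before the fault: ask the owner first")
        else:
            verdict = "successful login by unlisted account: escalate"
        findings.append((ev.user, str(ev.src), verdict))
    return findings
```

Running `triage(SAMPLE_LOG, "2011-11-08T14:00:00")` reports the integrator’s login as a known account 149 days before the fault, with a prompt to contact the owner, rather than as evidence of a five-month intrusion.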

SCADA and Critical Thinking

It’s the SCADAPOCALYPSE story they’ve all been waiting for – two water utility systems in the US were apparently hacked. Countless reporters were quick to remind us of STUXNET and to point out the alleged attack was traced to a server in Russia. There were the predictable ‘Why the hell was SCADA connected to the Internet?’ comments after every article.

Few of us really understand SCADA technology, beyond the fact it’s related to critical infrastructure. My own experience is limited to messing about with PLCs, HMIs and small-scale offline industrial systems, so I’m no expert either. But anyone in the information security business will develop a bullshit detector, and for me the indicators are a) unverifiable claims, b) liberal uses of the word ‘cyber’, and c) the absence of specific details.

The story is some hacker(s) acquired login details from a software firm’s database and used them to mess with a water facility, eventually breaking one of the pumps. Whether the attack was traced to a proxy in Russia is irrelevant, especially since we aren’t told the actual IP address.
Nobody’s asking the most important questions here: Which software firm was supposedly compromised? When was it compromised? Are its other clients at risk, and have they been informed? Why did it take months to figure out the system was being interfered with? How many other factors contributed to the incident?

The lack of any real information here can mean one of two things – this is a hoax, or there’s indeed something potentially serious the infosec community aren’t being told about.
Neither is this strictly a SCADA issue. If company bosses put systems online because it’s cheaper and more convenient, that kind of thinking will be applied elsewhere. And it was, if there’s any truth to the story – the water facility was compromised because the login details were pulled from another company’s database. Even a relatively secure SCADA system can be compromised because of shit key management, because of social engineering, because nothing’s been audited, or a host of other reasons within the infosec realm.

Joe Weiss, referenced as an expert on control systems, claims to have read a one-page intelligence report which doesn’t name the company that was hacked, can’t be seen by the public, and therefore can’t be verified. Weiss goes on to say: ‘We don’t have cyber forensics, so when they see (issues) they don’t think it’s a cyber problem’. But the FBI has ‘cyber forensics’, they investigated, and said they couldn’t find evidence.

Someone going by the name Pr0f claimed to have hacked into the second facility, and released screenshots to prove it. Nowhere, in his PasteBin entries or several interviews with him, does he indicate any inside knowledge of the systems, although his second PasteBin entry is dead right on several things, especially this:

‘“Cyberwar” is unlikely to happen, in my opinion. I’ve met enough .mil types to know that they’re pretty grounded in reality; blame spokespeople for the irritating craze of adding “cyber-” to everything. Even the concept of cyberwar is ridiculous; war is a meatspace occurrence and simply couldn’t have a digital equivalent.’

What does the US government make of all this? For a start, the Illinois and Texas local authorities haven’t published anything on their sites, and seem quite unaware of the incident. The ICS-CERT/FBI issued a joint statement denying there was any evidence of an attack. What I find interesting is that people actually believed Weiss and Pr0f more than the government.

I looked a little bit deeper, and did a quick search for Curran-Gardner Township Water District, which was named by The results showed the company was making patches and modifications to its system for several years now, and encountered a few problems along the way. I’d say it’s more likely something just broke. The spokesman for that company told a local paper: ‘Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know’.