SCADA – A&S PenTest

How to secure a SCADA system? Problems with penetration testing on SCADA: learn how to avoid them! And also: how to discover if someone tries to spy on your email? Cyber crime, does it pay? Find out in the new issue of PenTest Auditing & Standards.

Page 1: SCADA – A&S PenTest

Join this free summit to hear industry experts and experienced practitioners share how your business can profit from the mobile phenomenon without being exposed to threats such as data leakage, malware attacks and unauthorised data access.

FIND 8 thought leadership webinars

LEARN about the latest industry trends

SHARE the knowledge

To register for free and view the full lineup go to http://www.brighttalk.com/r/rmC

MOBILE SECURITY ONLINE SUMMIT, LIVE 11th JULY


Multi-Platform Support for

[email protected]: +44 (0)845 652 0621

Device Auditing Scanners Nipper Studio

Audit without Network Traffic

• Authentication Configuration
• Authorization Configuration
• Accounting/Logging Configuration
• Intrusion Detection/Prevention Configuration
• Password Encryption Settings
• Timeout Configuration
• Physical Port Audit
• Routing Configuration
• VLAN Configuration
• Network Address Translation
• Network Protocols
• Device Specific Options
• Time Synchronization
• Warning Messages (Banners) *
• Network Administration Services *
• Network Service Analysis *
• Password Strength Assessment *
• Software Vulnerability Analysis *
• Network Filtering (ACL) Audit *
• Wireless Networking *
• VPN Configuration

** Limitations and constraints will prevent a detailed audit

It was refreshing to discover Nipper and to find that it supported so many devices that Cisco produces. Nipper enables Cisco to test these devices in a fraction of the time it would normally take to perform a manual audit. For many devices, it has eliminated the need for a manual audit to be undertaken altogether.

Cisco

Business Benefits to Cisco

• Nipper quickly produces detailed reports, including known vulnerabilities.

• By using Nipper, manual testing has been altogether eliminated for particular Cisco devices.

scanning isn’t enough

for free at www.titania.com

Nipper Studio reduces manual auditing time by quickly producing a consistent, clear and detailed report. This report will:

1. Summarize your network’s security
2. Highlight vulnerabilities in your device configurations
3. Rate vulnerabilities by potential system impact and ease of exploitation (using CVSSv2 or the established Nipper Rating System)
4. Provide an easy to action mitigation plan based on customizable settings that reflect your organization’s systems and concerns.
5. Allow you to add previous reports and enable change tracking functionality. You can then easily view the progress of your network security.

Cyber Security Auditing Software

• Device information remains confidential
• Settings that allow you to hide sensitive information in the report
• Low cost, scalable licensing
• Point and click GUI or CLI scripting
• Audit without network traffic

Page 4 http://pentestmag.com 06/2012 (6)

CONTENTS

Editor’s note

TEAM

Managing Editor: Tymoteusz [email protected]

Associate Editor: Aby [email protected]

Betatesters / Proofreaders: Jeff Weaver, Robert Keeler, Daniel Wood, Scott Christie, Rishi Narang, Dennis Distler, Massimo Buso, Hussein Rajabali, Johan Snyman, Michael Munty, Aidan Carty, Jonathan Ringler

Senior Consultant/Publisher: Paweł Marciniak

CEO: Ewa [email protected]

Art Director: Ireneusz Pogroszewski [email protected]: Ireneusz Pogroszewski

Production Director: Andrzej Kuca [email protected]

Marketing Director: Ewa [email protected]

Publisher: Software Media Sp. z o.o., ul. Bokserska 1, 02-682 Warszawa. Phone: +48 22 427 36 56, www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. To create graphs and diagrams we used program by

Mathematical formulas created by Design Science MathType™

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear readers,

Some say “it’s all about the benjamins”. True or not, it is hard not to agree that business is the reason people do things. SCADA, a data monitoring and collecting system, is a multipurpose system that can be used in different types of businesses. Our experts believe that well planned data monitoring systems form the lifeline of industries these days. In the July issue we will try to answer at least some questions that may appear to you when thinking of SCADA.

Did you know that the first step towards securing SCADA systems was Reagan’s 1984 Executive Order 12472? In short, some of the more important NS/EP requirements include: enhanced priority treatment for voice and data services, secure networks, restorability, international connectivity, interoperability, mobility, nationwide coverage, survivability, voice band service in support of presidential communications, and scalable bandwidth. Read the whole piece by Daniel Wood.

Next we have our main guest, Pierluigi Paganini, once again giving us the best mix of his knowledge and experience. From his text you can learn why the security requirements in the design of SCADA systems are so important.

We have also managed to interview Mike Loginov, a British expert on cyber security. He had to answer all of Aby Rao’s questions on the topic of the issue. What are the findings? It is definitely a must-read.

That is not the end of SCADA in the new issue. Stefano Maccaglia, PenTest magazine columnist, and Timothy Nolan are both discovering for you the intricacies of pentesting a SCADA system.

I am also happy to give you an insight into the world of hacking. Our American friend Doug Steelman, Chief Information Security Officer at Dell Secureworks, is sharing his thoughts on the economics of hacking. Do you think cyber crime pays?

At the end of the magazine you can find two very useful articles. First, Steven Wierckx will show you how to avoid someone reading your emails. This article will describe how to discover if anyone is spying on a company by abusing the fact someone might send a mail to a company while making a typo in the domain name. We will demonstrate the URLCrazy tool and show how to use it to discover potential spying.

Are you a WordPress user? The Virscent team is giving you their monthly tutorial with some basic knowledge – short and specific tips on how to pentest your WordPress.

Seems like a good amount of quality articles to follow, isn’t it? We all hope you will like it. Feel free to send us your comments, tips, questions... anything important that pops up. My email is [email protected]

Tymoteusz Kubik & PenTest Team

CONTENTS

SCADA

06 The Importance of security requirements in the design of SCADA systems
by Pierluigi Paganini
Over the last several years, countries have discovered that their critical infrastructures are too vulnerable to cyber-attacks, prompted by the increasing attention to cyber security matters and by successful attacks on SCADA systems worldwide. Events such as the spread of the Stuxnet virus have alerted the international security community to the risks related to cyber-attacks and their potentially disastrous consequences; we have learned how powerful a cyber-weapon can truly be, and the real involvement of governments in cyber warfare.

10 SCADA Security for Critical Infrastructure
by Daniel Wood
The first step towards securing SCADA systems (aside from JFK’s 1963 memorandum establishing the National Communications System (NCS)) was Reagan’s 1984 Executive Order 12472, Assignment of National Security and Emergency Preparedness (NS/EP) Telecommunications Functions. In short, some of the more important NS/EP requirements include: enhanced priority treatment for voice and data services, secure networks, restorability, international connectivity, interoperability, mobility, nationwide coverage, survivability, voice band service in support of presidential communications, and scalable bandwidth.

16 The Box holes. Pen Testing a SCADA platform
by Stefano Maccaglia
In the last decade SCADA systems have moved from proprietary, closed networks to open source solutions and TCP/IP enabled networks. Their original “security through obscurity” approach, in terms of protection against unauthorized access, has fallen, together with their interconnection limits. This has made them open to communicate with the rest of the world, but vulnerable, like our traditional computer networks.

24 Testing Industrial
by Timothy Nolan
I had heard a story told and retold in security circles for many years about a vulnerability scan in a manufacturing production environment that caused loss and disruption. As a scan was conducted in an area where production control systems were network connected, some service on the equipment was intolerant of the vulnerability scan and normal production controls failed. Unfortunately, the client whose network was scanned was a manufacturer, a baker of cookies, and the production controls controlled the temperature of the ovens baking the cookies and the movement of cookies through the ovens.

HACKING

28 Does cybercrime pay? The economics of hacking
by Doug Steelman
The world of cyber crime is awash in numbers. Pundits, professors and politicians alike often comment on the costs imposed by the ever growing underground of cyber criminals, citing estimates from the millions to the billions. This number reached new heights in May 2009, when President Obama (quoting an industry figure) proclaimed that at least a trillion dollars was being sucked from economies worldwide by cyber attacks.

32 Email spying – URL CRAZY
by Steven Wierckx
There are many ways that attackers can try to read your emails. One of them is rarely part of traditional penetration tests. This article will describe how to discover if anyone is spying on a company by abusing the fact someone might send a mail to a company while making a typo in the domain name. We will demonstrate the URLCrazy tool and show how to use it to discover potential spying.

34 PenTesting from the scratch
by Virscent
WordPress is the most popular CMS (a web application to manage websites easily, mostly using drag and drop features and an easy to use web interface) for blogging. Every minute a new website is created, and if it is a blog then most probably it is WordPress.

SCADA INTERVIEW

36 Interview with Mike Loginov
by Aby Rao

SCADA

The Importance of security requirements in the design of SCADA systems

This article exposes the main issues related to the use of SCADA systems in critical infrastructures, providing a careful analysis of the relative level of security on a global scale. It discusses the main vulnerabilities of critical systems exploitable by cyber-attacks and possible solutions to implement to ensure their safety.

Over the last several years, countries have discovered that their critical infrastructures are too vulnerable to cyber-attacks, prompted by the increasing attention to cyber security matters and by successful attacks on SCADA systems worldwide. Events such as the spread of the Stuxnet virus have alerted the international security community to the risks related to cyber-attacks and their potentially disastrous consequences; we have learned how powerful a cyber-weapon can truly be, and the real involvement of governments in cyber warfare.

SCADA (Supervisory Control and Data Acquisition) is an industrial control system (ICS) used for the control and monitoring of industrial processes. It is typically present in all critical infrastructure or utility facilities and is a potential target of a cyber-attack. Being tied to industrial processes, this family of devices is found everywhere: manufacturing, production, power generation; many times they are implemented to control the activities of critical systems such as water treatment, electrical power transmission and distribution, as well as large communication systems.

Components such as these are targets for cyber-attacks. An example of this is Stuxnet, which is possibly behind the decommissioning of 1,000 centrifuges at the Natanz nuclear site during the offensive cyber-attack against Iran and its nuclear program. Western countries have been the first to explore the possibility of a cyber-offensive weapon such as malware. Operation Olympic Games demonstrates the high attention of the US government to cyber operations and the strong commitment provided by the Bush administration, as well as the Obama administration.

Attacks on SCADA systems such as those in nuclear power plants and other critical infrastructure can be extremely alarming, and are the nightmare of every government. Such incidents can undermine the safety of millions of individuals and can compromise the homeland security of every country. Thousands of installations all over the world are potentially vulnerable to attack from anywhere on the planet. Cyberspace is known as the fourth dimension of offensive options, and cyber-offensive operations against SCADA systems and critical infrastructure can lead to the loss of many human lives.

Nuclear power plants are not necessarily the foremost target; we should also be looking at the impact of an attack on the processes inside a chemical plant or other facilities such as water treatment plants. The main problem of SCADA systems is that there is a vast quantity and variety of systems within each industry, many of them exposed on the internet without proper protection.

What is the typical structure of a SCADA system? SCADA systems consist of the following components:

SCADA Security for Critical Infrastructure

Within the past two years, the term SCADA has begun to be thrown around as a common occurrence; however, SCADA has been around for 50 years or so, since the 1960s.

SCADA is not new; however, due to recent events such as the emergence of Stuxnet, SCADA has been thrust into the limelight of building automation and security for critical infrastructure. SCADA architectures can be classified into three categories:

• Monolithic (1st gen SCADA)
• Distributed (2nd gen SCADA)
• Networked (3rd gen SCADA)

Networked SCADA architecture is what most of the systems today are running, and it is where the concern about security comes from. With SCADA/CI systems having been developed using a networked SCADA architecture, systems within pipelines, national power grids, water control systems, transit systems and more are constantly being exposed to different threats and attacks.

The first step towards securing SCADA systems (aside from JFK’s 1963 memorandum establishing the National Communications System (NCS)) was Reagan’s 1984 Executive Order 12472, Assignment of National Security and Emergency Preparedness (NS/EP) Telecommunications Functions. In short, some of the more important NS/EP requirements include: enhanced priority treatment for voice and data services, secure networks, restorability, international connectivity, interoperability, mobility, nationwide coverage, survivability, voice band service in support of presidential communications, and scalable bandwidth.

SCADA systems usually consist of the following:

• Field data interface devices (RTUs, PLCs), which interface to field sensing devices and local control switchboxes and valve actuators.
• Comm systems (radio, cable, satellite, etc.) used to transfer the data between the field data interface devices and control units and the computers within the SCADA central host.
• Central host computer server(s) (sometimes called a SCADA Center, master station, or Master Terminal Unit (MTU)).
• A collection of standard and/or custom software (sometimes called Human Machine Interface (HMI) software or Man Machine Interface (MMI) software) systems used to provide the SCADA central host and operator terminal application, support the communications system, and monitor and control remotely located field data interface devices.

The field data interface devices are essentially the ‘eyes and ears’ of a SCADA system. In order to make sense of the data being gathered by these devices, remote telemetry units (RTUs) are used to provide an interface between the field data interface devices (think water flow meters, alarm states, valve positions, etc.) and the SCADA system. HMI/MMI software allows workers to monitor the devices in the field and provides dashboard-like interfaces or command-line methods of doing so. This is where a malicious attacker can conduct surveillance on critical infrastructure, or even alter the field devices by changing configurations or launching attacks against them. The most recent and well-known SCADA attacks/threats are of course the Stuxnet/Flame occurrences, with the majority of infected machines in the Middle East, more specifically Iran’s nuclear program computer systems.

Notable SCADA Attacks

• Mariposa botnet
• Stuxnet/Flame
• Night Dragon
• Nitro

Popular Industrial Control System (ICS) Vendors

• Honeywell
• Schneider Electric (Citect)
• Siemens
• Emerson (DeltaV)
• Rockwell Automation
• General Electric

Response

The U.S. Department of Homeland Security has released the National Infrastructure Protection Plan of 2009 (NIPP), a framework that provides guidelines on the protection of America’s Critical Infrastructure and Key Resources (CI/KR). Within this document, DHS includes SCADA systems as a part of the cyber infrastructure that is to be protected. CI/KR consists of assets such as the national power grid, water treatment plants, pipelines, and more. Homeland Security Presidential Directive-7 (HSPD-7) was created to address CI/KR security needs and requires certain agencies and organizations to submit annual reports related to the protection and security of CI/KR.

Figure 1. ICS-CERT Incident Response Summary Report 2009-2011

Figure 2. 2011 ICS-CERT data for sectors under attack

Figure 3. Authentication for a city water system controller being sent unencrypted

The U.S. Department of Homeland Security’s ICS-CERT releases reports regarding Industrial Control Systems, incidents, and the threats currently being waged against them. In 2011, there were 198 reported incident response tickets opened, 7 of which were cause for the deployment of onsite incident response teams. In comparison, 2010 only had a reported 41 tickets opened with 8 onsites, while in 2009 there were only 9 reported IR tickets with 2 onsites. That’s a staggering increase in identified incidents affecting the U.S. control systems associated with critical infrastructure (Figure 1).

In 2009, the majority of incidents occurred in the Energy and Water sectors, 33% and 35% respectively. In 2010, 44% of the incidents were Energy related, with 12% being Nuclear, 10% Water, 7% Chemical and 5% related to the critical manufacturing of the nation. Reviewing the 198 incidents that were reported (post Stuxnet), 41% of the incidents reported were Water targets, 15% Energy, 6% Government facilities, 5% Chemical and 5% Nuclear.

Remediation of SCADA Vulnerabilities

Due to the nature of SCADA, and the focus on availability (especially for things such as nuclear reactors), security has not been something that SCADA device manufacturers, designers and implementers have considered until very recently. A recent report by the U.S. Government Accountability Office (U.S. GAO), titled Critical Infrastructure Protection: DHS Could Better Manage Security Surveys and Vulnerability Assessments (May 2012), pointed out several failings by the U.S. DHS in maintaining consistent and accurate databases of security surveys and vulnerability assessments on CI/KR resources. The U.S. GAO also discovered that DHS itself was late in sharing the results of the surveys and assessments with the asset owners, managing it within 30 days only 60 percent of the time, and within a 60-day window 84 percent of the time. If the SCADA watchdog isn’t able to meet the requirements it has set for itself, what does this say?

The first step in protecting SCADA, ICS, and CI is to educate the vendors of ICS as well as the end-users. Educating them about best practices for both the development of such devices and their implementation will help prevent many of the vulnerabilities and problems the industry is currently facing. Unfortunately this won’t solve all the problems; vendors will need to develop smarter systems, and companies and organizations will have to create and enforce stricter security policies such as no internet connections to critical SCADA systems, no personal email at work and so on.

ICS-CERT identified three major categories of insufficiencies while conducting analysis on over 150 onsite assessments using the Cyber Security Evaluation Tool (CSET):

• People
• Process
• Technology

While these identified cyber security gaps may seem obvious, practically every organization in the world has these problems. The trick to securing a SCADA/ICS environment is being able to successfully address these categories.

People require proper and in-depth security awareness training, including how security can impact their job duties. Situational awareness is both a personal and a technical skill that everyone should develop and harness. The method most often used in identified and reported incidents has been targeted spear phishing of employees with malicious links and/or attachments. Training employees on proper security awareness AND situational awareness will greatly reduce the effectiveness of this attack vector.

Processes are almost always inadequate or cater to the needs, and usually the wants, of end users within organizations, as organizations are afraid to say no to their employees and usually have lackadaisical security policies and processes in place because of this. By implementing and enforcing stringent security processes, organizations can pre-emptively address many security issues before they become an incident.

Figure 4. SCADA login page with a saved default identifier, making brute-forcing much easier

Figure 5. Access to Figure 4’s router; default credentials are used

Technology security gaps can be addressed by ensuring that critical systems are air-gapped from the rest of the network and especially the public internet. Control systems should not need to have access to Facebook, Twitter, GMail, and so on (see Processes). By ensuring that network hardware and software is adequately maintained and patched, organizations can ensure that they are maintaining their network hardware at an elevated level of protection. By not patching your system(s) you are inviting hackers into your systems. Remember, regular patching is important; however, there are some ICS systems, such as nuclear reactors, that cannot be taken down twice or even once a month to be patched. This is why it is important that systems such as these do not have a physical or virtual connection to the public Internet or to networks that do. On May 25, 2012, ICS-CERT published ICS-TIP-12-146-01, a technical information paper on Targeted Cyber Intrusion Detection and Mitigation Strategies. This TIP touches on:

• Maintaining forensic data
• Credential management
• Increased logging capabilities
• DNS logging
• Network segmentation
• Network auditing of hosts for suspicious files
• Strict Role-Based Access Control (RBAC)
• Application whitelisting

Figure 6. Schneider Electric’s ClearSCADA with information leakage problems

Figure 7. Ability to view lists and data without authentication in ClearSCADA

Figure 8. No authentication required here; access to local files on a remote system’s memory card

Figure 9. Improper SSL certificates are a problem everywhere, not just within SCADA systems

The second step to securing SCADA systems and CI is for vendors to ensure that they are conducting proper security research throughout their SDLC while working on products. These vendors are at the epicenter of whether there are vulnerabilities contained within SCADA systems; they should be following a strict development process that includes security testing of their products prior to going to market with them. Much like the National Institute of Science and Technology (NIST) requires vendors to become FIPS 140-2 validated for cryptographic modules, I believe that there should be some sort of regulatory system set up that forces SCADA vendors and CI sectors to adhere to some sort of validation program. NIST is already three-quarters of the way there, as NIST SP 800-82 was finalized in June of 2011.

Within this validation program, vendors should have to demonstrate that they have adequately conducted security testing on their products and provide the artifacts from these tests as evidence to NIST for review and follow-up. Organizations identified to be within the NCI should also be required to use only validated products. Regulating private industry is one thing; however, ensuring that critical infrastructure is safe from attack from nation states and malicious hackers is what I consider a requirement.

Real-World Examples of Inadequate SCADA Security

Without hacking or compromising systems, it is easy to find open and vulnerable SCADA systems facing the public Internet. By conducting targeted searches in your search engine of choice, you are able to discover these systems quite easily. For the purposes of this article, I have redacted sensitive information for these systems.

Unfortunately, vendors don’t realize that sending passwords in clear text to the water system controller is a bad idea (Figure 3).

This SCADA login page has a default user name saved within the login box, making brute-forcing or password guessing all the easier (Figure 4).

By just changing the port from 80 to 8080, I am able to access the router configuration window, where default credentials are in use (Figure 5).

Schneider Electric ClearSCADA contains some information leakage problems and doesn’t require login to see some information (Figure 6 and Figure 7).

No authentication is required here; I wonder what’s on the memory card (Figure 8)?

Another prominent issue within organizations is certificate expiration, or even self-signed certificates. Without the ability to verify the identity of a website, any information being sent/retrieved via the website could be susceptible to an attack (Figure 9).

Through a search engine, I was even able to access by default the Microsoft Unified Access Gateway (UAG) of a SCADA system and possibly execute on the local machine (Figure 10).
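The cleartext login of Figure 3 and the default credentials of Figure 5 share one property: anyone with a tap on that network segment can read them, and so can the defender. The following is an added example, not code from the article, of a passive check that flags HTTP Basic headers and password form fields crossing a non-TLS connection to an HMI or controller; the hosts, ports and request text are constructed for the demonstration, and the password value itself is never stored or reported.

```python
"""Flag credentials sent in the clear to HMI or controller web interfaces.

Added example, not code from the article. Input is captured HTTP request
text such as an IDS or SPAN-port tap would hand a defender; the check
reports HTTP Basic headers and password form fields that cross a non-TLS
connection. Hosts, ports and request text below are constructed for the
demonstration; the password value is never stored or returned.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd", "pin"}
USER_FIELDS = {"user", "username", "login"}


@dataclass
class Capture:
    src: str
    dst: str
    port: int
    tls: bool      # True when the tap saw a TLS session, so the payload is opaque
    raw: str       # request line, headers and body, CRLF separated


@dataclass
class Finding:
    dst: str
    port: int
    kind: str                # "basic-auth" or "form-password"
    username: Optional[str]
    detail: str


def split_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Separate request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_auth_user(value: str) -> Optional[str]:
    """Return the user name from a 'Basic <base64>' header, or None if it is not one.

    Only the part before the first ':' is kept; the password is discarded.
    """
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, _password = decoded.partition(":")
    return user


def inspect(capture: Capture) -> List[Finding]:
    findings: List[Finding] = []
    if capture.tls:
        return findings          # encrypted on the wire; nothing visible to flag
    request_line, headers, body = split_request(capture.raw)
    method = request_line.split(" ", 1)[0]
    if "authorization" in headers:
        user = basic_auth_user(headers["authorization"])
        if user is not None:
            findings.append(Finding(capture.dst, capture.port, "basic-auth", user,
                                    f"{method} carrying HTTP Basic credentials over plain HTTP"))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body)
        secret_fields = sorted(f for f in form if f.lower() in PASSWORD_FIELDS)
        if secret_fields:
            user_field = next((f for f in form if f.lower() in USER_FIELDS), None)
            findings.append(Finding(capture.dst, capture.port, "form-password",
                                    form[user_field][0] if user_field else None,
                                    "form field(s) " + ", ".join(secret_fields)
                                    + " posted over plain HTTP"))
    return findings


def scan_captures(captures: List[Capture]) -> List[Finding]:
    return [f for c in captures for f in inspect(c)]


# Constructed captures: a water controller polled with Basic auth on port 80,
# an HMI login form on 8080 (the port switch from the article), the same login
# over TLS, and an innocent status page.
SAMPLE_CAPTURES = [
    Capture("10.0.7.15", "10.0.5.20", 80, False,
            "GET /status.cgi HTTP/1.1\r\nHost: 10.0.5.20\r\nAuthorization: Basic "
            + base64.b64encode(b"operator:water123").decode() + "\r\n\r\n"),
    Capture("10.0.7.15", "10.0.5.21", 8080, False,
            "POST /login HTTP/1.1\r\nHost: 10.0.5.21:8080\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
            "username=admin&password=admin"),
    Capture("10.0.7.15", "10.0.5.21", 443, True,
            "POST /login HTTP/1.1\r\n\r\nusername=admin&password=admin"),
    Capture("10.0.7.15", "10.0.5.20", 80, False,
            "GET /index.html HTTP/1.1\r\nHost: 10.0.5.20\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan_captures(SAMPLE_CAPTURES):
        print(f"{finding.dst}:{finding.port} {finding.kind} user={finding.username!r} {finding.detail}")
```

A hit on a controller address is the cue to move that interface behind TLS or a VPN and to rotate the exposed account, which is the remediation the article's air-gap and credential-management points call for.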

Daniel Wood

Daniel Wood, GPEN, CISSP, Lead Associate and Sr. Cyber Security Engineer at Phase One Consulting Group, has been working in information security for the past six years, and has over twelve years of experience in web application development, application security and penetration testing. He currently supports the U.S. Government in securing their network infrastructure and web applications.

Figure 10. Remote access to a SCADA system’s Microsoft UAG device

Informative Resources

• National Infrastructure Protection Plan: http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf
• Executive Order 12472: http://www.ncs.gov/library/policy_docs/eo_12472.html
• ICS-CERT Incident Response Summary Report 2009−2011: http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf
• ICS-CERT TIP 12-146-01: http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01.pdf
• U.S. GAO Reports: http://www.gao.gov/search?q=DHS+SCADA
• Sandia National Laboratories: http://energy.sandia.gov/?page_id=859
• NIST SP 800-82: http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
• Luigi Auriemma SCADA Advisories and Research: http://aluigi.altervista.org/adv.htm
• Metasploit Modules for SCADA Vulnerabilities: http://scadahacker.com/resources/msf-scada.html
• Shodan Search Engine: http://www.shodanhq.com/

Keep up to date on the latest developments in the world of digital forensics

/ Training and Certification / Management issues / Tools and Techniques / eDiscovery/eInvestigation / Incident Response/First Response / Hardware and Software / Network Forensics / Cyber Forensics / and much more...

Visit digitalforensicsmagazine.com for the latest news and views from the digital forensic community, with special articles for registered users.

NEXT ISSUE OUT SOON

Prospective authors should contact [email protected] for information on submissions.

SUBSCRIBE NOW

Read Feature Articles on:

Apple Autopsy: A Digital Forensics look at all things Apple

From the Lab: In depth technical articles on products and techniques

Legal Section: In-depth articles on legal matters affecting Digital Forensics along with the latest legal news from around the world

Page 13: SCADA – A&S PenTest

SCADA

Page 16 http://pentestmag.com06/2012(6)

The voice erupts from a badly regulated radio speak-er…

“I don’t know Raman!...”, says Abderrahim quickly moving his wheeled chair between two segment of the main panel in the control room.

Looking to the side panel Abderrahim found two minor alarms… “what’s wrong?” abruptly says…

The alarms have been activated by two unauthorized attempts to access the terminal remotely…

“Hey Abder… the fan hasn’t started to lower water temperature level… what’s wrong?” Raman voice in-creases his intensity.

“Buzzer begins to signal core overheating! You must do something quickly!…”… a slight sense of panic be-tray Raman words. A panic that Abderrahim founds ap-propriate for the situation.

Ok. Let’s try our manual start procedure… but what means this new panel alarm? What’s on the console?...

A yellow message over a black screen on other side of the panel says “Smile u been pwnd… your coffee pot should blow up your ass!”

Damn Kids! The manual start doesn’t work…“Raman! You hear me? The manual restart of core

injectors doesn’t work from here… you must do some-thing down there! Quickly!...”

SCADA platform introductionNobody wanna be in such condition isn’t it?

In the last decade SCADA (Supervisory Control and Data Acquisition) systems have moved from proprietary, closed networks to open-source solutions and TCP/IP-enabled networks. Their original “security through obscurity” approach to protection against unauthorized access has collapsed, together with their interconnection limits.

This has opened them up to communicate with the rest of the world, but has also left them as vulnerable as our traditional computer networks.

As a result, some highly publicised successful intrusions have been reported by the press, but many other attacks against energy, transportation and other industrial sectors have gone unnoticed or untold.

One thing to keep in mind is that SCADA systems manage many critical infrastructures of our daily life, from power grids to railways, from aqueducts to airports, and vulnerabilities discovered in such systems could have a deep impact on the overall security of a country.

It should also be noted that, although security testing has covered corporate networks, systems and software since the advent of ICT security, SCADA systems are a relatively new target for vulnerability assessment and penetration testing, for the historical reasons mentioned above.

Testing SCADA systems is not a usual task, in terms of either complexity or strategy.

The Box Holes: Pen Testing a SCADA Platform

Midnight. It is hot and humid down here… Temperature is at 36 Celsius. The temperature processor should start computing the increased level and begin to compensate. The core is up to 84 Celsius, but in less than a minute the injectors should start their work. Unless there are problems… “I have not heard the fan starting Abder… what’s wrong?”


SCADA

Page 24 http://pentestmag.com06/2012(6)

Programmable Logic Controllers (PLCs) operate using “ladder logic”, a simple programming language analogous to a diagram of a circuit and of relay logic hardware. Programs created in this language operate in a series of perhaps hundreds or thousands of steps, with logical connections analogous to open and closed relays in the circuits. Ladder logic creates rules, and each rung in the ladder represents a rule. When the ladder logic executes at a rung in the ladder, various relays and electromechanical devices will operate, and different rules may be executing at the same time.

Sensors make measurements, and logical decisions are made as processes step through interactions designed to operate the valves, relays, solenoids, motors, pumps, and other similar equipment controlled by the system. For example, one simple logical process might measure the pressure in a gas pipeline. If the gas pressure detected by the sensors is too low, the process logic might actuate pumps to increase output, increasing the pressure in the pipeline. If the pressure detected by the sensors is too high, adjustments are made to decrease the output and the pressure in a pump.
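As an added example (not code from the article), the two pressure rules above written as a tiny ladder-logic scan and run against a crude simulated pipeline; `Rung`, `scan`, `simulate` and the `setpoints_accepted` interlock are hypothetical names, and all pressures are constructed. It shows that the rungs themselves behave correctly while wrong setpoints still drive the pipe past its rated pressure, which is why a limit check independent of the control logic matters.

```python
"""Added example (not from the article): a minimal ladder-logic style
scan for the pipeline pressure loop, run against a crude simulated
process. The same two rungs push pressure past the pipe's rated limit
when the setpoints they act on are wrong, so an independent limit check
on setpoints belongs outside the control logic. Numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rung:
    """One rung: the coil is energised when every contact is closed (True)."""
    name: str
    contacts: tuple   # names of boolean inputs read on this scan
    coil: str         # name of the boolean output this rung drives


def scan(rungs, inputs):
    """One PLC scan cycle: evaluate every rung top to bottom, return coil states."""
    return {r.coil: all(inputs[c] for c in r.contacts) for r in rungs}


def pressure_contacts(pressure, low_sp, high_sp):
    """Map the pressure sensor and the two setpoints onto the contacts the rungs read."""
    return {"pressure_low": pressure < low_sp, "pressure_high": pressure > high_sp}


# The two rules from the text: too low -> pump harder, too high -> back off.
PIPELINE_RUNGS = (
    Rung("increase output", ("pressure_low",), "pump_up"),
    Rung("decrease output", ("pressure_high",), "pump_down"),
)


def setpoints_accepted(low_sp, high_sp, rated_max, margin=0.9):
    """Hypothetical independent interlock: setpoints must be ordered and keep
    the high setpoint under the pipe's rated pressure with a safety margin."""
    return 0 < low_sp < high_sp <= rated_max * margin


def simulate(low_sp, high_sp, rated_max, steps=50, start=60.0, delta=2.0):
    """Run `steps` scan cycles against a toy process (each pump_up scan adds
    `delta`, each pump_down removes it). Returns (final, peak, overpressure),
    where overpressure means the rated limit was exceeded at some point."""
    pressure, peak = start, start
    for _ in range(steps):
        coils = scan(PIPELINE_RUNGS, pressure_contacts(pressure, low_sp, high_sp))
        if coils["pump_up"]:
            pressure += delta
        elif coils["pump_down"]:
            pressure -= delta
        peak = max(peak, pressure)
    return pressure, peak, peak > rated_max


if __name__ == "__main__":
    RATED = 100.0  # constructed rated pressure of the welds and joints
    print("sane setpoints  :", simulate(70.0, 90.0, RATED), setpoints_accepted(70.0, 90.0, RATED))
    print("flawed setpoints:", simulate(110.0, 130.0, RATED), setpoints_accepted(110.0, 130.0, RATED))
```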

Explosions On The Trans-Siberian Pipeline

In fact, one story about industrial controls and the actions of intelligence agencies tells how just such a process was subverted, causing an enormous breach of a natural gas pipeline. The story is told in the book “At the Abyss: An Insider’s History of the Cold War” by National Security Council staffer Thomas C. Reed. Supposedly, information was acquired by the CIA describing the intention of the government of Soviet Russia to steal control system plans for use on the Trans-Siberian Pipeline. Seeking to derail their efforts, the CIA reportedly began an initiative to provide the Soviets with control system plans that were deliberately flawed. With these flawed process controls, the systems that ran the pumps, turbines, and valves were programmed to malfunction. They regulated the pump speeds and set the valve settings to produce pressures well in excess of the capacity of the welds and joints of the pipeline. This reportedly resulted in an explosion with the power of three kilotons of TNT, an explosion so massive that it was detected by U.S. early warning satellites that are used to detect missile launches (http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage#cite_note-Reed-1).

SCADA Systems Can Control Dangerous Processes

The moral of this story is that industrial control systems are often used in processes that, if improperly operated, can have dangerous and catastrophic consequences. In this instance, an enormous explosion

Testing Industrial Control Systems Security: Potentially Dangerous Targets

SCADA systems (industrial control systems) are used in many different industries to control the manufacturing and processing of goods, of energy (electricity, natural gas, oil, refined petroleum), water, sewer, and many different parts of critical national infrastructure and of a nation’s industrial economy.


hacking


While the true direct cost of cyber crime may be open to debate, there is little doubt that profits are being made by stealthy, motivated and organized hackers, while law-abiding “cyber citizens” continue to be on the losing end. Bank and credit fraud continue unabated, and while the public has gotten somewhat smarter about refusing the age-old bait that exposes them to attack, cyber crime has grown to epic if not epidemic proportions, prompting agencies like the FBI to give it top billing as a national threat. Money continues to be siphoned from banks at a disheartening rate, as indicated by the American Bankers Association. The most recent Account Takeover Survey sees the number rising steadily, with 314 accounts reported hacked in the first half of 2011.

Yet the question remains, just how much money is being gained by these hackers, the ones who directly target online capital? Are they really growing wealthy from these illicit gains, or are they getting by on what might be considered, in the end, a “working man’s” wage? Are the risks worth the reward for these criminals, or do they spend their days in constant worry that their next hack or black market identity sale may be their last?

According to a recent report, cyber crime (as a whole) comprises a 12.5 billion dollar business worldwide, and the preponderance of the industry resides in Eastern European countries. The report, released by Group-IB, a leading Russian cyber crime investigation unit, says that of the total market, Russians and Russian speakers make up nearly one half. Where once these criminals were scattered and dispersed, largely working solo, they have purportedly consolidated into organized groups, and generate their funds primarily through online fraud, spam and “C2” (cybercrime to cybercrime) services. By deploying crimeware such as the Zeus or SpyEye Trojans, these hackers are not only able to directly access automated clearing houses, bank accounts and point of sale systems, but also make their money by hijacking computers worldwide to surreptitiously host bots and serve as spamming and attack machines. These criminals have found numerous ways to monetize their “services” to other hacker groups, and like any industry, are constantly seeking new exploits and Trojan variants to better their market share.

While this Russian-speaking element may be responsible for a large segment of cyber crime, they are by no means the only group of focus. There is a wide variety of other electronic criminals using different techniques, some of which involve elaborate physical mechanisms such as fake ATM card readers. China as well as the U.S. has found multiple means of electronically stealing and monetizing personal data.

Banking fraud is a particularly insidious problem in that it often targets small to mid-sized businesses, which, unlike consumer banking customers, are not insured and must absorb the cost of these attacks. In a September, 2011 statement to the House Financial Ser-

How Does Cyber Crime Pay? The Economics of Hacking

The world of cyber crime is awash in numbers. Pundits, professors and politicians alike often comment on the costs imposed by the ever-growing underground of cyber criminals, citing estimates from the millions to the billions. This number reached new heights in May, 2009 when President Obama (quoting an industry figure) proclaimed that at least a trillion dollars was being sucked from economies worldwide by cyber attacks.


CYBER CRIME LAWYERS

Pannone are one of the first UK firms to recognise the need for specialist cyber crime advice. We can both defend and prosecute matters on behalf of private individuals and corporate bodies.

We are able to examine material or secure evidence in-situ and will then represent your needs at every step of the way. 

Our team has a wealth of experience in this growing area and is able to give discreet, specialist advice.

www.pannone.com

Please contact David Cook on

0161 909 3000

for a discussion in confidence or email

[email protected]




There are many ways that attackers can try to read your emails. One of them is rarely part of traditional penetration tests. This article will describe how to discover if anyone is spying on a company by abusing the fact that someone might send a mail to the company while making a typo in the domain name. A pen tester could of course use the techniques described here in a social engineering engagement to make spear phishing attacks more realistic. We can do this by making use of the DNS system: we will try to see if there are MX (mail server) records in the DNS entries for domain names that look a lot like the one(s) of the company being tested. This can be done manually using the “dig” command, but that is very time consuming. The steps would be as follows:

• Generate a list of domain names that look like the domain you want to test

• Generate a list of all possible extensions for these domains (e.g. com, biz, org, eu)

• For each item in the list of domain names add all the top level domain extensions

• Using the dig command, investigate the MX records for each of these

Luckily for us Andrew Horton, a security consultant from Stratsec has written a tool that we can use for this and made it public through his personal website www.morningstarsecurity.com.

The tool is URLCrazy. This tool will generate a number of domain names that are typos of a base domain name. For each of these generated typo domain names the tool will try to find the A record and the MX records in (practically) all TLDs. Before we jump to the practical part, this is how the espionage works:

Step 1

A spy will register a domain name that looks very similar to yours (e.g. if your company is called “google.com” they will register “goggle.com” or “goolge.com”) or the same name but in a different TLD (e.g. “google.com.pl” or “google.org”).

Step 2

The spy will now set up an email server to receive emails on this domain; he will configure the server to catch all emails and never send back a “could not deliver” message.

Step 3

The spy now only needs to wait until someone trying to mail [email protected] makes a typo and sends a mail to [email protected]. The sender of the email will become aware that his email was never received because he is not getting a reply; he might check his sent items and wonder why he never got an error, but in most cases he will not investigate further (if he investigates anything at all).

Corporate Espionage: how to discover if someone tries to spy on your email?

There are many ways that attackers can try to read your emails. One of them is rarely part of traditional penetration tests. This article will describe how to discover if anyone is spying on a company by abusing the fact someone might send a mail to a company while making a typo in the domain name. We will demonstrate the URLCrazy tool and show how to use it to discover potential spying.




In this article we are going to find out the answer to this question by discussing in brief some penetration testing tools to perform a vulnerability assessment of your favourite blog. WordPress is the most popular CMS (a web application to manage websites easily, mostly using drag-and-drop features and an easy-to-use web interface) for blogging.

Every minute a new website is created, and if it is a blog then most probably it is WordPress. WordPress is free and open source, which contributes to its popularity; moreover, it is easy to use and doesn’t need much technical expertise: you just have to click, click, click and the blog is up. Once the blog is up, SECURITY is a very big deal, as it has always been a big issue with WordPress.

Vulnerability Assessment Tools:

• WPScan

• Plecost

WPScan

WPScan or WordPress scan is a vulnerability assessment tool that provides an easy way to penetrate into your blog using blackbox techniques. The following information about any WordPress blog can be retrieved using this tool:

• List of plug-ins

• Name of theme

• Directory listings

• Version details

• Possible vulnerabilities

It can also be used for:

• Brute forcing weak passwords for a specific user

• Brute forcing usernames

It comes pre-installed in BT5 (Backtrack5) and can be found at the following location:

Backtrack > Vulnerability Assessment > Web Application Assessment > CMS Vulnerability Identification > WPScan

Some basic commands and usage:

root@bt:/pentest/web/wpscan# ls

To view the files and folders in wpscan

./wpscan.rb -h

To see the help menu, use this command.

Virscent Tutorial: Pentest Your WordPress Blog

Thinking of creating a blog? Yes. Looking for a CMS? Yes. Which CMS to use? WordPress. What about SECURITY?


SCADA INTERVIEW


PenTest: You’ve been in the information security field for several years now. What are some of the major changes you have seen in this field?

Mike Loginov: Information Security has been evolving rapidly over the past decade and we still have a long way to go, in my view we are moving now beyond the ‘tick box’ reactive compliance phase of Information Security and evolving to a much more pragmatic and proactive Cyber Security approach to manage risk. As I see it the difference between the two is in the culture and approach, InfoSec to date has been more closely aligned with science, with Cyber Security developing as more of an art. The prescriptive and transactional approach plays into the hands of the creative more artistic hacker mindset where the ability to exploit uniformity in the traditional well documented open approach has proven to be only partially effective as an organisational defence mechanism. I’m not saying stop that approach, I am saying, recognise it for what it is and seek better solutions – Get into the mindset of the threat instigators not just the corporate auditors.

PenTest: Can you outline some of the top qualities desired in a CISO or a Security Program leader?

ML: Despite the attempts of government and national security organisations it’s still widely accepted and documented that Information and Cyber Security is still not taken seriously enough by the majority of boards. This coupled to the fact that there are still few corporate CISOs or Chief Security Officers (CSOs) across industry with organisations seemingly still hesitant to create this role. In an ISC2 Industry survey of senior security leaders only 27 percent hold the title of CISO with significantly fewer CSOs (5 percent), thankfully this is a substantially higher number than five years ago when the designation would have been practically nonexistent in most organisations. Perhaps analogous to the CIO role that is now taken for granted in most mid to large organisations and has taken 15 to 20 years to gain definition and presence. One of the challenges as I see it is that the majority of current CISOs come from an IT background and in my role as Director of the ISSA UK Security Leadership Academy I see this as one of the main challenges – I would like to see more individuals with a background in corporate leadership take on senior security roles. Individuals that recognise and can articulate the scale of the risk to an organisation in terms that the executive team understand and buy into to the point where they take action. After all a company however large that has been compromised with its Intellectual Property, Design Plans, Commercial Information and strategy, Trade Secrets and pre-issued patent applications all now in the hands of a foreign competitor may not be in the game for too much longer – and we know this has happened already. So the short answer to the question is that the role of the CISO at the very least needs to be positioned alongside the CIO in terms of corporate accountability and influence – to get there will require a skill set that goes well beyond technical ability.

PenTest: What are some of the glaring issues you have noticed in companies that have a weak Information Security program?

ML: Complacency and lack of understanding at senior executive level, an over-reliance on the implementation of ISO standards – “we have the certificate therefore we are protected” – lack of ownership and accountability, immature security culture across the organisation.

PenTest: A solid security program can be costly, how does a security leader justify the cost?

ML: In simple terms and for a commercial firm; one approach I use is to collate, (roughly) estimate and document the value of all the organisation’s current and proposed information assets including; trade secrets, Intellectual property such as plans, strategies, designs,

Interview with Mike Loginov – CEO, ASCOT BARCLAY GROUP – A UK-Based Cyber Security Research and Advisory Service


In the next issue of PenTest: PCI

Available to download on August 13th

If you would like to contact the PenTest team, just send an email to [email protected] or [email protected]. We will reply a.s.a.p.

PenTest Magazine has the right to change the content of the next Magazine Edition.


contact: [email protected]

smart security interface©

the multiplatform security connector integrated with all major PKI applications and TMS platforms; it fully supports all wide spread smart cards and architectures for government, corporate and bank projects; it also interfaces with smart phones, pre-boot systems and TPM

iEnigma®

the software application that turns your smart phone into a PKI smart card; unparalleled convenience for digital identity management; unbeatable security thanks to the support of NFC chips and micro SD cards

plug´n´crypt®

the product line for logical and physical access control covering different form factors: USB token, smart card, micro SD card, soft token, also in combination with encrypted flash memory and the most common RFID technologies

CSTC®

PKI made simple and accessible to SMBs: card initialization, management of PINs, certificates, keys and objects without necessarily having to invest in a TMS infrastructure

www.charismathics.com


Quality

Integrity

Sense of Security

Compliance, Protection and

[email protected]

Now Hiring

Sense of Security is an Australian-based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry-leading services and research to our clients locally, nationally and internationally.

Since our inception in 2002, our company has performed tremendously well. We thrive on teamwork, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operating Systems and Application Security, please apply with a resume to [email protected] and quote reference PTM-TS-12.

Teamwork

Innovation

Passion