Jul 022013

Gothard Technology is relocating to the Mississippi Gulf Coast.

Effective July 15, 2013, our office will be located in Ocean Springs, MS.

We will continue to provide remote support to Alabama clients on a limited basis indefinitely and can schedule on site service through one of our recommended partners at your request.

We would like to thank all of our customers in the Birmingham area for your support, and know that we will be more than happy to assist you in any way possible, including transitioning to a new local provider.

Apr 182014

We have received reports by many readers about buggy tools to test for the heartbleed vulnerability. Today I want to show you how easy it is to check for this vulnerability using a reliable tool as nmap.

You just need to trigger a version scan (-sV) along with the script (ssl-heartbleed). The following example with show a command that will scan for this bug:

nmap -sV --script=ssl-heartbleed

This will be the output for a non-vulnerable website. As you can see, no warnings are shown:

ssl-heartbleed output

If you are vulnerable, you will get the following:

Vulnerable message for heartbleed

For vulnerability testing, always use reliable tools which won't contain malicious code infecting your computer and won't give you false positive messages.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apr 172014

Update: CloudFlare posted in their blog twice today claiming responsibility for the majority of this spike. Quoting: "If you assume that the global average price for bandwidth is around $10/Mbps, just supporting the traffic to deliver the CRL would have added $400,000USD to Globalsign's monthly bandwidth bill."

Update: We've also seen articles from ZDNet and WIRED today in response to the below insights, with further analysis therein.

It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug.

This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl

The spike is so large that we initially thought it was a mistake, but we have since confirmed that it's real! We're talking about over 50,000 unique revocations from a single CRL:

This is by an order of magnitude the largest spike in revocation activity seen in years, according to our current data.

I have set up a new page for everyone to monitor the activity as well as see how we are obtaining this data. The page can be found at https://isc.sans.edu/crls.html.

How will you use this page in your projects or general analysis? We'd love to hear some ideas.

If you know of other CRLs that we can add, please let us know in the comments! Additionally, if you would like to see an API call added so that you can automatically query us for this information, please let us know so that we are aware of the demand.

On a side note, we can see a clear upward trend in revocations over the past 3 or 4 years:

What do you attribute this consistent growth in revocations to? What do you think caused the previous spikes?

Alex Stanford - GIAC GWEB,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford | @alexstanford

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apr 172014

I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Adrew West, who pointed an excellent observation and it's the very slow adoption of DNP3 Secure Authentication Version 5, which is the latest security enhancement for the DNP3 protocol. I want to talk today about this standard and the advantages of adopting it into your DNP3 SCADA system.

This standard has two specific objectives:

  • Help DNP3 outstation to determine beyond any reasonable doubt that it's communicating with an authorized user.
  • Help DNP3 master to determine beyound any reasonable doubt that it's communicating to the correct outstation.

This standard minimize the following risks:

  • Spoofing to outstation or master: Since the original specification includes only the DNP3 outstation address as the only way for identification, the new standard uses crypto keys to enforce the authentication to each end.
  • Modification: The standard includes the concept of Message Authentication Code (MAC) as shown in ISO/IEC 9798-4. This standard allows to determine if a message has been modified before arriving to the destination, ensuring integrity.
  • Replay attack: Valid traffic cannot be retransmitted anymore by any third party as authentication information would not be the same.
  • Eavesdropping: Crypto keys are securely exchanged. Data being transmitted goes still in clear-text, so confidentiality is not ensured. You need additional gear like crypto-boxes on each end of the communication link.

The following diagram shows the implementation architecture for this standard:

DNP Application Layer
DNP Secure Authentication
DNP Transport Function
DNP Data Link Layer
Serial Internet Protocol Suite


As seen, an additional level before application layer is added, providing the new security features.Unfortunately, there are two specific reasons that is preventing this standard for being widely deployed in the world:

  • ICS systems are still being planned to last from 10 to 20 years: Technology has arrived to that world and most ICS people have not noticed that yet. They still think that air gap is enough to protect the ICS systems and won't consider new investements to implement new security features. United States is one of the leaders in regulation for critical infrastructure. However, this does not happen in most countries and unless governments produce new laws for enforcing cybersecurity on critical infrastructure, adoption of such standards will keep slow.
  • DNP3 equipment manufacturers do not offer the same references and features in all countries of the world, and most of them even claim that this standard is not yet supported (for example, in south america).

Cybersecurity is not still mature in the ICS industry and has a long way to go. Information Security Professionals working with the ICS world has a really big challenge: We need to demonstrate that Information Security Controls like this standard will have a return of investment to the company and the risk of not having them, if operating a critical infrastructure to a Country, could be catastrophic and impacts incalculable. This standard works, won't put at risk any ICS facility and we all have a responsability of ensuring its implementation to our companies.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
%d bloggers like this: