Simulated Cyber War | TechSNAP 36

Big Oil the next big target for cyber attacks?

• The IT Manager for Royal Dutch Shell told the World Petroleum Conference that their company has been receiving an ever increasing number of cyber attacks against its infrastructure.
• The attacks are said to be motivated by commercial interest, as well as political and criminal interests.
• If attackers managed to gain access to critical control systems, they would be able to manipulate valves and pumps, and cause unimaginable damage, physical, monetary and environmental.
• British Petroleum said they had seen a large increase in cyber attacks after the US Golf Oil Spill disaster.
• This is only further evidence that industrial control systems need to be completely isolated from the internet, not protected by just a firewall, but entirely isolated. Even then, threats such as stuxnet or duqu can be introduced by portable media such as USB flash drives. Physical and System security needs to be taken much more seriously.

Olympic Control Center prepares for simulated Cyber Attacks

• The new Olympic Control Center in Canary Wharf that will provide support and management for the IT infrastructure of the 2012 Olympics in London is preparing for a variety of Simulated Cyber Attacks in order to improve their preparedness for the Olympic games.
• The simulated attacks will include a Denial of Service attack, which they plan to mitigate by using a distributed website, and viruses and other malware getting in to the organizers’ computers.
• The computer network is used to store and record scores from the games and feed information to the public and the media.
• The operations Center has a staff of 180 permanent employees.
• “Another key principle is to keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed.”
• The company running the Operations Center is Atos, a very large multinational IT services company. However Atos has had issues of its own.
• In the autumn of 2008, Atos Origin was the subject of a government enquiry after a memory stick with passwords and user names for an important government computer system was found in a car park. BBC Coverage

War Story

Allan’s rm -rf / war story (Sovereign)

When I was in high school and college, I ran an IRC shell provider. It started out as one little home brew server on a 128kbit colocation, and grew to its peak of 9 dedicated servers in 4 data centers. As you can imagine, there were plenty of times where people tries to attack, hack or root my servers. It always made me laugh when they tried the latest Redhat exploit against my FreeBSD 4.x machine.

One such exploit involved a symbolic link to / with a obfuscated name (If I recall correctly, it was dot space space and then some unicode characters). As part of the cleanup, I went to remove the offending symlink. Because of the special characters etc in the name, I used the shell’s tab complete feature. Out of admittedly bad habit I used rm -rf rather than just rm, and either the shell or I put a trailing / on the symlink, so rather than removing the symlink, the shell resolved the symlink and started to execute the equivalent of rm -rf /. I knew something was wrong after a second or two when the command prompt did not return, and before I could figure out what was going on, I saw error messages about how /bin/tcsh could not be removed because it was in use, and that the kernel would not be deleted because it was flagged ‘system immutable’. I felt the blood drain out of my face and I quickly broke out in a cold sweat. I immediately hit control+c to prevent any further damage, but things were pretty far gone. /etc and /bin were gone, save for my shell because it was in use. So, without even ls, it was a little difficult to even tell what was left. This server had about 100 customers on it, and a decent uptime (175 days or so if I recall correctly).

Luckily, because of proper disaster planning on my part, daily Bacula backups of that server existed on our central backup server. A few commands to the bacula console and I was restoring /etc, /boot and /bin. Then I did a verify/compare operation to determine what other files may have been deleted, and restored them as well. Amazingly, all of this was pulled off without a reboot, and without a single complaint from a customer. Total time from disaster to recovery was less than 1 hour, and I managed to maintain the uptime.

Feedback

Q: (Matt) I listened to TechSnap – 28 and 34 about the ZFS Server Build. Now I’m a little confused, How is Allan’s ZFS server configured? If ZFS will do all the RAID stuff and he’s using RAID Z2 for the RAID–6 option then why are his drives on an Adaptec RAID controller and how is the Adaptec configured? Are you using a big RAID–0?

A: We’ve gotten this question quite a bit, because using a RAID controller is contrary to what I said during the TechSNAP 28 ZFS episode. In this case, I did not have a choice, I needed a controller that was supported under BSD, so I went with the Adaptec. The motherboard’s onboard Intel controller only has 6 ports, and 2 of those are used for the dedicated OS drives, which are mirrored in FreeBSD software using GEOM. The adaptec had the added advantage to their unique solution for battery backup. I have configured the Adaptec to pass-thru each drive directly to ZFS without any RAID, and then ZFS deals with the drives individually, making the RAID Z2 array. As I said during the initial episode, you don’t want to back your ZFS with a RAID device, because you lose control, and some ZFS features, like the ability to swap a device out. If I had done a big RAID–0 device exposed to ZFS, I could not have created the RAID Z2 array, because it requires at least 3 devices. Also, if one drive in a RAID–0 dies, the entire array is lost, so that would not be very good either.
*

Q: (Graham) I am looking to do a Raid set up but I would like to know if need two hard drives to be the same make or model or can they be two hard drives of the same size?

A: While the two drives do not have to be the same model, size, or even manufacturer, it is best if they are. Then you are striping or mirroring, the performance is mostly dictated by the slower of the two drives, so identical drives means that one drive is not constantly waiting for the other. There are also be issues with timing when the drives have drastically different performance. However, depending on your configuration, sometimes it is possible to make use of the additional performance of one of the drives. The FreeBSD software RAID driver GEOM’s mirroring mode supports different balancing methods, including: load, prefer, round-robin and split.
*

Q: (Bill) Currently I am designing/developing a client/server communications platform. I would love to make the project Open Source when I start developing the code but I am concerned about potential security implications. The plan is to use a user auth system so users can easily contact each other. This is making my security senses tingle because if you have the code for the auth system you could it break down easily. I would love to hear your opinions about this as there are ways it could be done but they could kill ease of use.

A: If you rely on nothing more than the fact that no one knows how your security system works (called Security Through Obscurity), then it is not really security at all. Rather than writing your own authentication system, it might be best to use an existing library, depending on what exactly you are trying to authenticate against. Standard libraries for cryptography like AES, SHA and Blowfish, and authenticity libraries like GPG and SSL/TLS. In the end, being open source allows other developers to spot any mistakes you make, and either notify you about them, or contribute patches to resolve them.

Round-Up:

• Howard L. Berman, author of SOPA : SOPA
• Exclusive: Iran hijacked US drone, says Iranian engineer
• Google Wallet leaves sensitive data unencrypted and accessible, says security firm
• Google gives £550k to Bletchley Park
• iBahn, the hotel ISP, denies data breach by Chinese hackers
• Universal Music Group has podcast pulled from YouTube just because they do not like it

Holiday Reading:

[asa default]0307269930[/asa]
[asa default]0765323117[/asa]