
Siemens SCADA Hacking Talk Pulled From TakeDownCon

timothy posted more than 3 years ago | from the but-motel-6-keeps-the-lights-on dept.

Security 104

alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."


104 comments


Security through obscurity (4, Insightful)

Anonymous Coward | more than 3 years ago | (#36183782)

Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

As the Iranians found out the hard way... (1)

Lead Butthead (321013) | more than 3 years ago | (#36183866)

As the Iranians found out the hard way, it's difficult to keep an intruder out despite the obscure nature of PLC (most people probably don't even know what that is.)

Re:As the Iranians found out the hard way... (2)

gellenburg (61212) | more than 3 years ago | (#36184092)

As the Iranians found out the hard way, it's difficult to keep an intruder out despite the obscure nature of PLC (most people probably don't even know what that is.)

Programmable Logic Controllers.

I prefer Allen-Bradley PLCs myself.

Re:As the Iranians found out the hard way... (1)

ilikejam (762039) | more than 3 years ago | (#36185022)

They still making PCLs? I thought they ran out of prefamulated amulite years ago.

Re:As the Iranians found out the hard way... (1)

inasity_rules (1110095) | more than 3 years ago | (#36189020)

For those who missed this one, look up the Turbo Encabulator on YouTube. Too many to link to any specific one. A very long-running and hilarious joke.

Re:As the Iranians found out the hard way... (2)

Svartalf (2997) | more than 3 years ago | (#36185038)

Yeah, they're a bit cleaner. The big problem is that it's not just a Siemens problem. It's endemic throughout the industry in varying ways.

Networks that're claimed to be air-gapped, but aren't because of "ease of use" concerns.
Networks that shouldn't have a single Windows box because of that risk, but do.
And so on and so forth.

Re:As the Iranians found out the hard way... (2)

datapharmer (1099455) | more than 3 years ago | (#36185254)

The Iranians didn't find out about the obscure nature of PLC, they found out it isn't a good idea to buy your infrastructure from foreign countries... See in the U.S. we are careful to only use... oh nevermind.

Re:As the Iranians found out the hard way... (1)

camperslo (704715) | more than 3 years ago | (#36194092)

The high-ticket projects all attract multinational corporations. Those corporations aren't shy about buying smaller-scale operations with technology they want. Even if you do use technology developed only in your own country, is it not sold elsewhere? Are there vulnerable systems anywhere within the local technology entity? Even if they've got 10 vulnerabilities instead of 100,000+, they're still vulnerable.

I've seen one region that didn't have any kind of electronic or software vulnerability whatsoever. Unfortunately the island people there will be driven off by rising oceans.

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36183876)

What is truly mind-blowing is how the US goes around yelling about how vulnerable they are to such sabotage and how a cyberwar is going on, and then they're themselves caught sabotaging Iranian power plants. Hypocrisy at its best.

Re:Security through obscurity (2)

ThunderBird89 (1293256) | more than 3 years ago | (#36184080)

To the best of my knowledge, they never did prove that the US created Stuxnet. In fact, I've seen Israel blamed far more, based on vague references in the code.

Re:Security through obscurity (1)

camperslo (704715) | more than 3 years ago | (#36194352)

At this point it doesn't really matter so much who developed it. Regardless, we're still potentially collateral damage or potential targets of a fully disassembled/reverse-engineered/built-fresh-with-a-new-twist version, as well as whatever the original authors might unleash. Whoever made it was shortsighted if they felt that even versions attempting to be very specific wouldn't be analyzed and modified or cause some collateral damage as-is. Pruning target-filtering code seems like it would be a relatively trivial task.

Some say Israel had people bragging about it.
http://www.net-security.org/secworld.php?id=10596 [net-security.org]

Collateral damage adding to some other bad event? You decide. I don't think the victims had a clue.

http://www.publicradio.org/columns/kpcc/kpccnewsinbrief/2008/11/officials-unveil-why-yorba-lin.html [publicradio.org]
http://articles.latimes.com/keyword/yorba-linda-ca [latimes.com]
http://www.ylwd.com/fireupdate/pdf/Freeway%20Complex%20Fire%20Report.pdf [ylwd.com]

Re:Security through obscurity (1)

gnick (1211984) | more than 3 years ago | (#36184184)

Iran was just a test case so that we could demonstrate just how vulnerable these things are and secure proper funding to lock ours down.

Security dude: "Some hostile country could sneak somebody in and sabotage our power plants with nothing more than malicious software!"
Congress critter: "OK, I don't really get what you're saying, but let's assume that you're right in theory. We've never seen an attack like that anywhere in the world - why worry? Besides, I want to put in a giant duck pond and name it after myself - there isn't money for both."
A couple of months later with Security dude working furiously...
Security dude: "See what happened in Iran!?! It could happen here too! And if it does, the terrorists win!"
Congress critter: "ZOMG! Then my duck pond wouldn't be lit! I'll sponsor a bill to fix this tomorrow!"

Re:Security through obscurity (1, Interesting)

jd (1658) | more than 3 years ago | (#36184210)

That's not the bit that scares me the most. The bit that scares me the most is that anyone with an ounce of skill in reverse engineering can identify the security flaws used, and anyone with an ounce of skill in assembly can disassemble Stuxnet, alter what it targets, and launch the new variant.

By banning the talk, the DHS is preventing US industries from protecting themselves against economic warfare. Plenty of nations (China and Russia especially) are investing in cyber-warfare. There's plenty of amateurs out there with axes (albeit often as delusionary as the DHS') to grind. It is simply not excusable for the US to be placed in this kind of danger.

For what purpose? Siemens can't get a worse rep than to be accused of having worked with virus writers. The consumers can't exactly switch from SCADA to InfiniBand or other rival networking technologies. The exploit is public knowledge.

Who, then, is going to be protected?

Re:Security through obscurity (1)

Sulphur (1548251) | more than 3 years ago | (#36184734)

That's not the bit that scares me the most. The bit that scares me the most is that anyone with an ounce of skill in reverse engineering can identify the security flaws used, and anyone with an ounce of skill in assembly can disassemble Stuxnet, alter what it targets, and launch the new variant.

By banning the talk, the DHS is preventing US industries from protecting themselves against economic warfare. Plenty of nations (China and Russia especially) are investing in cyber-warfare. There's plenty of amateurs out there with axes (albeit often as delusionary as the DHS') to grind. It is simply not excusable for the US to be placed in this kind of danger.

That is why Stuxnet needs to be classified.

Re:Security through obscurity (1)

coolgeek (140561) | more than 3 years ago | (#36183882)

Perhaps the intent is insecurity through obscurity. Can't sabotage your enemy's systems if you tell them where all the holes are.

Re:Security through obscurity (1)

Sinthet (2081954) | more than 3 years ago | (#36183886)

Which is exactly why I really hope these researchers will present their findings to Siemens engineers so that the problems can be patched, and then give a talk about it. The stakes are pretty high with these systems, so hopefully a real fix will augment security via obscurity in this case.

Re:Security through obscurity (2)

Hatta (162192) | more than 3 years ago | (#36183984)

Why would Siemens bother fixing holes nobody knows about?

Re:Security through obscurity (1)

chemicaldave (1776600) | more than 3 years ago | (#36184016)

If they don't, their competitors will.

Re:Security through obscurity (1)

poity (465672) | more than 3 years ago | (#36184188)

Now that people know the holes exist, the race is on. They can't afford not to.

Re:Security through obscurity (1)

Hatta (162192) | more than 3 years ago | (#36184444)

Everyone knows holes exist. Every non-trivial piece of software has holes in it.

Re:Security through obscurity (1)

Sinthet (2081954) | more than 3 years ago | (#36185120)

Because if these researchers acting in a more or less intellectual manner found them, it is safe to assume that individuals without such a noble goal in mind will find and possibly exploit them. Releasing the information to Siemens first would hopefully prolong the search for the "bad guys", by getting rid of some potential vulnerabilities.

Re:Security through obscurity (1)

inasity_rules (1110095) | more than 3 years ago | (#36189054)

The whole industry is riddled with massive holes because we're all tied to legacy OPC, which relies on that massive dog's breakfast called DCOM. The slow adoption of OPC UA and even OPC WCF keeps the whole industry in a situation where it is easier to disable all security than deal with DCOM, which makes the Siemens issue too easy to exploit. Every single bloody version of Windows has a different way of being configured, so no one bothers to do it right...

Siemens needs to fix their issues. So does everyone else. The Siemens issues are, however, bigger than most. This is not one obscure little hole; this is a bloody great big massive one with more huge holes next to it that anybody who has worked 5 minutes in the industrial automation industry is constantly and painfully aware of.

Re:Security through obscurity (5, Informative)

chemicaldave (1776600) | more than 3 years ago | (#36184090)

Did you RTFA? That's exactly why they decided not to give the talk: because Siemens hasn't fixed the problems. As NSS CEO Rick Moy points out:

"The vendor had proposed a fix that turned out not to work, and we felt it would be potentially very negative to the public if information was put out without mitigation being available." ... In the past, technology companies have threatened legal action against researchers, but Moy said that in this case the lawyers were not involved. "It's a temporary hold on the information; it's not that it's being buried," he said. "We just don't want to release it without mitigation being out there for the owners and operators of the SCADA equipment."

Re:Security through obscurity (1)

SilentStaid (1474575) | more than 3 years ago | (#36184250)

That's a surprisingly refreshing course of action isn't it? To me, that's how things should work. As long as Siemens follows through, and the talk is allowed to proceed I'd be happy.

Re:Security through obscurity (2)

Svartalf (2997) | more than 3 years ago | (#36185056)

Heh... If they think that those patches will get deployed in a timeframe measured in anything other than months or years, they're kidding themselves...

SCADA systems typically don't get patched, and when they do or get upgraded, it's a "big thing".

Re:Security through obscurity (1)

inasity_rules (1110095) | more than 3 years ago | (#36189070)

Mod parent up. Mostly when you patch or upgrade your SCADA, everything breaks, causing a massive headache. So most people would really rather not.

Re:Security through obscurity (0)

whathappenedtomonday (581634) | more than 3 years ago | (#36184138)

Yes, we can always hope [nytimes.com] that flaws of critical systems will be treated responsibly. Kinda off topic, I know.

Re:Security through obscurity (3, Informative)

LunaticTippy (872397) | more than 3 years ago | (#36184064)

At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely. We assume that the PLCs are not secure and they are business critical. We can't take any chance a malware outbreak or hacker causes actual physical things to happen.

It makes doing work more difficult, and there are still some attack vectors.

Re:Security through obscurity (1)

Anonymous Coward | more than 3 years ago | (#36184140)

Fuck you.

--skynet

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36184288)

It only takes on(c)e.

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36184602)

The Iranian controllers were also isolated from the outside networks. It just made the intrusion a little slower.

Re:Security through obscurity (1)

Manfred Maccx (1365933) | more than 3 years ago | (#36184848)

This was perfectly viable 10-15 years ago. Nowadays, the requirements for data archiving, process data historians, plant floor management, etc. make it almost impossible to have a true, completely isolated process network. You always end up having a dual-homed computer or firewall somewhere on that network. Therefore, a potential hole.

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36185086)

VRFs with IPsec, 802.1X, and all ports in shutdown until a new addition comes online.

You look at the potential damage, and if it's great enough you can justify the cost and PITA factor...

just my .02

Re:Security through obscurity (1)

Svartalf (2997) | more than 3 years ago | (#36185088)

Depends on the design. Properly designed setups will have an air gap and only data transfer via sneakernet, in the form of a hard disk or similar coming from the SCADA to the corporate systems. Real-time's desirable, but for some networks, having the hole's too much of a risk, especially if you've got a Windows-based HMI system or similar in the mix. Seriously.

Re:Security through obscurity (3, Informative)

imsabbel (611519) | more than 3 years ago | (#36185666)

And stuxnet was transmitted via USB sticks doing the sneakernet stuff...

Re:Security through obscurity (1)

Puff_Of_Hot_Air (995689) | more than 3 years ago | (#36187816)

...Properly designed setups will have an air-gap...

Very, very few industrial sites have the "air gap" any more. I suppose all the rest are improperly designed?

Real-time's desirable- but for some networks, having the hole's too much of a risk...

For whom is it too much of a risk? Power stations? Mines? Water Treatment? None of the sites I work with have an air-gap any more.

especially if you've got a Windows based HMI system or similar in the mix. Seriously.

I'd say that the vast majority of SCADA/HMI systems run on Windows. In critical infrastructure. Without an air gap.

I sure as hell hope there are other ways of securing a network

Re:Security through obscurity (1)

ColaMan (37550) | more than 3 years ago | (#36190256)

I work on a PLC system that has a single Ethernet TX pair to the rest of our network. It transmits stats blindly (with the help of a static entry in its ARP table) to a PC on the outside, where a small program listens and collates data. I've heard of similar things with serial, fiber and radio modems, etc.

Re:Security through obscurity (1)

Svartalf (2997) | more than 3 years ago | (#36185074)

Do you audit it often to make sure it's still air-gapped like you think it is? Many of the audits at power utilities where they had the same thinking had pro-sumer routers or switches tying the networks together that were done in a pinch for some ease of deployment thing or ease of use thing and then got forgotten.

Re:Security through obscurity (1)

camperslo (704715) | more than 3 years ago | (#36193750)

Certainly audits are a good thing, but we mustn't forget that we're talking about something that gets in and hides itself well, even deleting itself from some hardware along the way. An audit of hardware still only gives a snapshot in time. That laptop that was briefly plugged in, or machine that briefly had a USB key plugged in, may be long gone. Intrusion detection can help, but with things like traffic to a PLC using the normal ports, it may take deep inspection of every packet to see what's going on, and by the time something is seen, you've already been hit.

Mitigating this is tough. Corporate types are so easily led to believe that their firewalls, VPNs, anti-virus packages, intrusion detection.... will keep them secure. But if human or entity lives depend on security, for it is a fallacy to expect to achieve zero vulnerability networks. Telling upper managers that their only access will be through video cameras pointed at displays, and fax machines, won't go over well. But if it keeps something from going boom, can anything else be trusted? And what of systems that don't really have a full "off" state. Even when not fully functioning, there may be considerable complexity and some danger in pulling the plug on all vulnerable technology at once (pieces may talk to each other).

There are some huge hardware issues that are routinely ignored in not only PLCs, but in nearly every system we use. It's not just insane that a PLC may lack a physical hardware write-disable switch to prevent rogue code from being loaded, but what about all of our PCs? Is there anyone here that has an installation with no writable BIOS/EFI on motherboards, no flash-upgradable optical or hard drives? Every damn thing like that should have a physical write-disable switch that is normally off. If we haven't even dealt with those things, we're not even trying.

And what of the behavior of governments? Like some insane variation of the arms race, we can bet that every one of them has stockpiled collections of vulnerabilities and tools to exploit them, so they can DEFEAT security. From the massive unsolved problems that consumers, businesses, and institutions/infrastructure are facing, it would appear as if some of those responsible for our security have actually put more resources into defeating it. I mean... how far have we really gotten? How many businesses and consumers are actually secure? The answer shows the massive fail.

I believe that all of the governments and larger entities that we have reason to fear already know enough to be a threat. Less information would likely slow some down, but I think that even for this, there are different classes of potential attackers. Let's pray that whatever it takes to secure things that go boom has been done. Restricting information at this point probably does more to sidestep the same segment of people that would extort money from banks.

Looking at an NTSB copy of control operator transcripts at one utility company and seeing talk of a bonkers PLC, every valve wide open, SCADA displays that didn't match what was going on, and people saying "we're screwed, we're screwed" in the hour before a pipeline blew doesn't instill much confidence in the utility's ability to manage their other, much bigger impact operation. In the region of potential impact, where the power plant repeatedly has hired reporters from the only full-power TV station as spokespeople, those hearings got a 20-second mention while Charlie Sheen got 3 minutes. I haven't been aware of any media that paid attention and saw there was much more to the pipeline story than crappy welds. Although not reported along with a governor's latest mistress, it doesn't take that much observation and digging for those here to realize the impact of the control system threat has been more than a theoretical one for several years.

Re:Security through obscurity (1)

thegarbz (1787294) | more than 3 years ago | (#36185968)

As it should be. But isolation does not require a complete elimination of remote monitoring. Our Process Control Network has a server on it which, via a hardware firewall, pumps data one way to another machine outside that emulates the view of the process network. This basically gives us complete remote monitoring without the ability to send data back to the network.

It makes it easy and there are few if any attack vectors, and when malware spreads around the business network (frequent) it so far has never managed to breach the PCN. Mind you, a few good physical practices such as no USB sticks and, more importantly, no USB ports help too, but a one-way network design is a great start.

Unfortunately this is expensive.
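Both the "blind transmit over one TX pair" setup described earlier in the thread and the one-way data pump described just above share the same receive-side design: a collector on the business network that parses and collates PLC telemetry but has no channel back into the process network. The following is an added example, not code from any poster here or from any vendor; the datagram format, tag names and the allowed source address are constructed assumptions.

```python
"""Receive side of a one-way PCN telemetry feed (added example, constructed).

The PLC side only ever transmits. This collector validates each datagram,
collates the latest reading per tag, and records anything unexpected as an
anomaly for the operators. It never sends anything, so a compromise of the
business network cannot use it to reach the process network.
"""
from dataclasses import dataclass, field
import re
import socket
from typing import List, Optional, Tuple

ALLOWED_SOURCE = "10.10.1.5"   # assumed PLC-side address (constructed)
LISTEN_PORT = 5140             # assumed collector port (constructed)

# Assumed wire format, one reading per datagram:  seq=<n>;tag=<name>;val=<number>
LINE_RE = re.compile(r"^seq=(\d+);tag=([A-Za-z0-9_]+);val=(-?\d+(?:\.\d+)?)$")


@dataclass
class CollectorState:
    readings: dict = field(default_factory=dict)   # tag -> latest value
    last_seq: Optional[int] = None                 # last accepted sequence number
    anomalies: List[str] = field(default_factory=list)


def process_datagram(state: CollectorState, src_ip: str, payload: bytes) -> bool:
    """Validate one datagram and update state. Returns True if it was accepted.

    Rejected or suspicious frames are only recorded: the collector has no way
    to answer, so detection and alerting are its whole job.
    """
    if src_ip != ALLOWED_SOURCE:
        # Anything but the PLC-side sender is unexpected on this link.
        state.anomalies.append(f"unexpected source {src_ip}")
        return False
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        state.anomalies.append("non-ascii payload")
        return False
    m = LINE_RE.match(text)
    if not m:
        state.anomalies.append(f"malformed payload {text!r}")
        return False
    seq, tag, val = int(m.group(1)), m.group(2), float(m.group(3))
    # A gap or repeat in the sequence hints at loss or injection; keep the
    # reading but flag it so someone looks at the link.
    if state.last_seq is not None and seq != state.last_seq + 1:
        state.anomalies.append(f"sequence gap {state.last_seq} -> {seq}")
    state.last_seq = seq
    state.readings[tag] = val
    return True


def replay(frames: List[Tuple[str, bytes]]) -> CollectorState:
    """Feed a list of (source_ip, payload) frames through a fresh collector."""
    state = CollectorState()
    for src_ip, payload in frames:
        process_datagram(state, src_ip, payload)
    return state


def run_collector(port: int = LISTEN_PORT) -> None:
    """Live loop: receive only. There is deliberately no sendto() anywhere."""
    state = CollectorState()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            payload, (src_ip, _port) = sock.recvfrom(2048)
            if process_datagram(state, src_ip, payload):
                print("ok", state.readings)
            else:
                print("ANOMALY", state.anomalies[-1])


# Constructed sample traffic: two good frames, a frame from the wrong host,
# a frame that reveals a sequence gap, and a malformed frame.
SAMPLE_FRAMES = [
    ("10.10.1.5", b"seq=1;tag=valve_101;val=0"),
    ("10.10.1.5", b"seq=2;tag=tank_level;val=73.5"),
    ("10.10.9.9", b"seq=3;tag=tank_level;val=0"),
    ("10.10.1.5", b"seq=4;tag=tank_level;val=74.0"),
    ("10.10.1.5", b"garbage"),
]

if __name__ == "__main__":
    st = replay(SAMPLE_FRAMES)
    print(st.readings)     # {'valve_101': 0.0, 'tank_level': 74.0}
    print(st.anomalies)    # three entries: wrong source, gap 2 -> 4, malformed
```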

Re:Security through obscurity (1)

LunaticTippy (872397) | more than 3 years ago | (#36192354)

That is a good idea. I don't see why it has to be expensive, though.

Re:Security through obscurity (1)

thegarbz (1787294) | more than 3 years ago | (#36197826)

True, not necessarily expensive in absolute terms. Just more expensive than the alternative. You'd be amazed at what some people come up with when "value engineering".

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36186950)

In that case the attack vector is the Windows PC running the SCADA system. That would most likely be Wonderware.

If you run standard, ordinary intrusion testing tools on a Wonderware PC, I won't be responsible for your coronary.

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36190056)

In my work I provide the higher level control systems that communicate with and control the PLCs. On almost all systems, the PLCs control conveyors and cranes etc. on a dedicated network for performance reasons - but the network is not really isolated. Our system tells the PLCs where to send stuff, and has to report back inventory levels etc. and receive orders from even higher level systems. And for us to sort out issues remotely, we have VPN access over the internet to our system.

So the PLCs are accessible over the internet to at least a limited degree. And I don't think we're an unusual case.

Re:Security through obscurity (1)

0xG (712423) | more than 3 years ago | (#36192160)

At my workplace, all our PLCs are on a process control network. It is isolated from the business network and internet completely.

You are utterly kidding yourself if you think that your PLC network is "isolated". Does anyone ever request data from it? How do you transfer the data...with a USB key maybe? How are the controllers programmed? With a workstation that is plugged into which network...and never the internet? I would strongly suggest that you read up a bit on stuxnet. The details may blow your mind...

Responsible Disclosure (4, Insightful)

betterunixthanunix (980855) | more than 3 years ago | (#36184146)

There is a notion in security engineering of responsible disclosure, which is letting a company know about a vulnerability long enough before you present it so as to allow the company to fix it and deploy the fix. I believe that what happened here was that the company complained that they did not have enough time to fix the problem and deploy the fix, and that DHS and the researcher agreed with that conclusion. I do not think this is terribly far fetched, and I doubt that there is a conspiracy to leave vulnerabilities in industrial equipment used here in America, not when the Iranians want to get back at the US and Israel for Stuxnet.

Re:Responsible Disclosure (0)

Anonymous Coward | more than 3 years ago | (#36188008)

You touch on a point that I think a lot of people seem to miss.

People, and their actions, make the world. We all know this. The above given situation, is a perfect example of where the people directly involved, shape the very security that so many people strive to maintain. We joke here about security through obscurity, and how closed systems can be a dangerous venture when the customer is out of the loop, but this situation highlights the fact that there is a balance that can be met between industry manufacturers, government agencies, and the researchers who highlight such vulnerabilities.

I don't think the 'security' for their systems, and security at a global totality measure w/ regard to these systems, would be increased by the release of this information. It would inherently make life slightly less secure. Yes the information would be out, but then what? The article highlights the fact that Siemens can't implement a fix in a timely manner that would negate the sudden release of this information.

Like I said, there's a balance that can be met. Closed-source systems will always exist, and with high-profile systems such as this, the intersection of government, industry, and researchers should do what's best for all involved, including the general populace. As we're seeing here, it's not always about protecting the bottom line. Sometimes it's about protecting everything else and the bottom line.

Re:Responsible Disclosure (0)

Anonymous Coward | more than 3 years ago | (#36189332)

Even if Siemens fixed the issues on the spot, the millions of deployed vulnerable systems cannot be upgraded any time soon, if ever - sometimes the cost of the upgrade including the risk to production would be higher than replacing the machine entirely.

Ain't going to happen, unfortunately. On the other hand, people who have these things on regular networks with everything else - office PCs, internet access, etc. should be tarred, feathered and ideally shot. That is a catastrophe waiting to happen :(

Re:Responsible Disclosure (0)

Anonymous Coward | more than 3 years ago | (#36189436)

Assuming that the developers at Siemens have the needed expertise to fix the issue... *Looks around office. Shrugs. Goes back to work and TIA Portal Component...*

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36184172)

Here's the thing though, _not_ providing this information to the public didn't _increase_ their adversaries. Had they given out the vulnerabilities to the public before a good fix had been issued, their number of adversaries would grow exponentially as they sit by and watch their worlds crumble without a fix in sight. Yes, security through obscurity is bad practice; however, giving out your weaknesses to every hacker on Earth when there isn't a fix available is suicide.

Re:Security through obscurity (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36184394)

Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.

Re:Security through obscurity (1)

glenn.ramsey (1668759) | more than 3 years ago | (#36184864)

You live in LA. Took me all of five minutes to figure that out. As soon as hackers know there's an attack vector and there's something worthwhile to obtain, you can be sure they'll figure it out pretty quickly.

Re:Security through obscurity (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36184952)

You live in LA. Took me all of five minutes to figure that out.

As soon as hackers know there's an attack vector and there's something worthwhile to obtain, you can be sure they'll figure it out pretty quickly.

You're looking in a ginormously huge, and wrong, city.

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36185530)

Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.

Admins at /. have your IP address, they may try to bribe the admins at your ISP to get your street address. How much cash is in the suitcase?

Re:Security through obscurity (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36185614)

Admins at /. have your IP address, they may try to bribe the admins at your ISP to get your street address. How much cash is in the suitcase?

I said I'm at work. I also said you only have hours to get it. What you don't know is still preventing you from getting the cash.

Re:Security through obscurity (1)

martin-boundary (547041) | more than 3 years ago | (#36185872)

That's still a bad analogy.

1) it doesn't matter what secret *I* don't know about the location of the suitcase, what matters is whether *you've* been under surveillance for the last couple of weeks. If so, your suitcase is already gone by the time you go back home.

Not everybody gets hacked, but if it's a juicy target the attack is going to be properly organized and when a vulnerability window appears for a few hours, it will get used.

2) even if I don't know the location of your suitcase full of money, I can break into all my neighbours' places and steal their suitcases full of money.

If a vulnerability exists on one person's computer, then that vulnerability exists on all the computers throughout the world which use the same OS and relevant settings. The bad guys don't need to hack *your* computer, they only need to hack *some* computer.

In the real world, security through obscurity is no security.

Re:Security through obscurity (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#36186104)

1) it doesn't matter what secret *I* don't know about the location of the suitcase...

Yes it does. You need information in order to actually pull it off.

Not everybody gets hacked, but if it's a juicy target the attack is going to be properly organized and when a vulnerability window appears for a few hours, it will get used.

All you are really saying here is that there is no such thing as security because nothing can be protected against an attack by an entity with infinite energy and resources.

2) even if I don't know the location of your suitcase full of money, I can break into all my neighbours' places and steal their suitcases full of money

Right, my obscured info is protecting me.

If a vulnerability exists on one person's computer, then that vulnerability exists on all the computers throughout the world which use the same OS and relevant settings. The bad guys don't need to hack *your* computer, they only need to hack *some* computer.

Sure. However, here's another way of saying it: If they know you have a vulnerability, they can get in. You are right, though, in that they are saved the trip over there to find out about it.

> In the real world, security through obscurity is no security.

No, it's a Slashdot meme that puts the word "Insightful" next to people's posts. In the examples you just gave, it's actually helping out nicely. Here's something you should consider: Every day new vulnerabilities are found in virtually any browser or OS or whatever we use on a daily basis. The thing is, that vulnerability didn't just appear, it was there the whole time. The only reason it hasn't been exploited is that it hasn't been discovered.

Security through obscurity is still security. What you really mean to say is: "Once they overcome an obstacle, you have nothing left to protect you." And you know what? That's a perfectly reasonable thing to say. It's weaker than, say, putting it in a bank vault. But right now what you're saying is: "Your money is already gone."

The phrase 'security through obscurity' has been parroted so many times here that the meaning has been skewed.

Re:Security through obscurity (1)

martin-boundary (547041) | more than 3 years ago | (#36187810)

> All you are really saying here is that there is no such thing as security because nothing can be protected against an attack by an entity with infinite energy and resources.

Correct in a sense. The analogy I'd use is the lottery: Pick any one person you like, and their chance of winning is zero. But the chance that someone will win is close to 1. It's correct for a single person to assume they will not win, but it's incorrect for the lottery organisers to assume that they will not have to pay out the jackpot.

When we're arguing about vulnerabilities in code, we're in the position of the lottery organisers. You're arguing from the position of one lottery player.

> Security through obscurity is still security. What you really mean to say is: "Once they overcome an obstacle, you have nothing left to protect you." And you know what? That's a perfectly reasonable thing to say. It's weaker than, say, putting it in a bank vault. But right now what you're saying is: "Your money is already gone."

Right now what I'm saying is "somebody's money is already gone", but what I'm arguing is that your (particular) security isn't due primarily to the difficulty of exploiting a flaw, it's due to the statistical likelihood that you (in particular) aren't targeted.

You're safe because you're obscure: not clearly seen or easily distinguished for attack. That's what security through obscurity implies. But in the typical Slashdot discussion of software houses and their responsibility to the users, it's the wrong thing to focus on, because someone still gets hacked. That's the meaning of the phrase "security through obscurity is no security" (i.e. for the population as a whole).

Re:Security through obscurity (0)

Anonymous Coward | more than 3 years ago | (#36191186)

> Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.

> I'll be at work for a few more hours. In my living room at home there is a suitcase with a lot of cash in it. I didn't lock my front door, I didn't even close it. I won't tell you where I live. Security through obscurity.

Exactly. The mantra of "don't rely on security through obscurity" is a misconception. The proper phrase is "do not rely only on obscurity." The danger is that someone who does manage to stumble upon it can wreak havoc. But in many common situations obscurity is a very beneficial layer in a security model.

Secrecy (1, Insightful)

grcumb (781340) | more than 3 years ago | (#36183856)

The argument that some knowledge is too dangerous to know is specious and flawed. But I can't tell you how or why for fear of undermining our existing regime of ignorance and ineptitude.

Re:Secrecy (5, Insightful)

chemicaldave (1776600) | more than 3 years ago | (#36184130)

Did you RTFA? They're waiting for Siemens to fix the issues first, a common practice in security research. Siemens and DHS didn't force them to pull the talk and didn't even get lawyers involved. So please stop with your accusations. You clearly lack an understanding of the situation at hand.

Re:Secrecy (1)

Anonymous Coward | more than 3 years ago | (#36184256)

How many times in this topic are you going to ask people if they RTFA?

This is /., we already know they didn't.

Not what is being argued (1)

betterunixthanunix (980855) | more than 3 years ago | (#36184234)

What is being argued is that Siemens did not have enough time to patch this vulnerability and deploy that patch in major installations of these systems. I do not doubt it; the real question is whether or not they are busy deploying a fix, and I would not doubt that they are. Stuxnet is out there being studied by people who would use it to attack US factories, if they could, and I would bet that the US government is putting pressure on Siemens to fix the problem. If within a year, the talk is still being suppressed, we can start talking about conspiracies to control knowledge, but for now I would say it is more an issue of responsible disclosure.

Re:Secrecy (1)

Jack9 (11421) | more than 3 years ago | (#36186678)

> The argument that some knowledge is too dangerous to know is specious and flawed.

That's not the reasoning given. The knowledge IS known. Some knowledge is dangerous to disseminate. This is a sad fact of humanity, but a fact. Given opportunity and knowledge of vulnerability, you will get attempts to use and abuse knowledge with similar results. People are eager to exercise their imagination and reluctant to exercise restraint or critical thought. I can understand their position.

Re:Secrecy (1)

grcumb (781340) | more than 3 years ago | (#36187992)

> The argument that some knowledge is too dangerous to know is specious and flawed.

> That's not the reasoning given. The knowledge IS known. Some knowledge is dangerous to disseminate. This is a sad fact of humanity, but a fact. Given opportunity and knowledge of vulnerability, you will get attempts to use and abuse knowledge with similar results. People are eager to exercise their imagination and reluctant to exercise restraint or critical thought. I can understand their position.

Thank you for replying instead of simply down-modding an argument you don't agree with. Others seem to prefer retaliation to debate.

Let's look at this from another perspective. Everyone knows there are problems with Siemens' PLCs. That's been known since Stuxnet got reverse engineered. While there's no problem whatsoever with sharing the information about specific vulnerabilities with Siemens - indeed, making sure they're among the first to know - what additional danger would be presented by sharing that knowledge with the people tasked with protecting entire systems of which Siemens PLCs are a small but crucial part? (Bear in mind, this isn't in the scope of script kiddy/phishing activity. In other words, we're not talking about a generalised threat.)

This sort of openness doesn't do Siemens any favours; I'll grant you that. (Unless you count the added pressure to fix their equipment as being cruel to be kind.) But it does render a service to the community, who can now refactor their overall systems to compensate for the weakness of this component. I mean seriously, even if it's just putting a guard at the door to the controller room for the time being, there are measures that site security staff could be taking if they were properly informed of the scope and nature of the threat.

Conversely, if people are not made aware of the nature of the threat, how can they know whether their short-term mitigation strategies are correct and sufficient?

So my point stands: The system is flawed (i.e. based on fundamentally invalid premises) if we're not considering what's best for the overall system. Rather than focusing on limiting the liability of a single actor, we should in this case be willing to accept that sharing the details will help the community of affected organisations protect itself better.

Ostriches (0)

deweyhewson (1323623) | more than 3 years ago | (#36183872)

And then they all stuck their heads back safely in the sand and slept soundly that night.

So human... (0)

Anonymous Coward | more than 3 years ago | (#36183954)

> And then they all stuck their heads back safely in the sand and slept soundly that night.

Actually, they stuck their heads back up their asses. Only ostriches stick their heads in the sand.

In other words (2)

Attila Dimedici (1036002) | more than 3 years ago | (#36183874)

In other words, if your systems rely on PLC systems from Siemens, you had better hope that no attacker can get through your firewall.

Re:In other words (4, Interesting)

Charliemopps (1157495) | more than 3 years ago | (#36184228)

I used to work in provisioning in a telco and it entirely depends on who's managing the plant. We'd install circuits in some power plants that were so strict that they insisted on fiber use only. We'd run copper to an access point outside their security perimeter then have a mux convert it to fiber to run across the perimeter into the facility where it would terminate in an outer building. Their security plan did not allow ANY outside network connections to the plant itself. They had networked equipment but it was all housed in an outer building with no connection to the main plant or control systems. They refused to allow copper on the premises because it's relatively easy to splice into and carry elsewhere. Fiber would be much more difficult to splice and bring in.

Other facilities were less secure. I remember getting a panicked call from someone shouting "The Damns gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more that a single copper that ran from some building to the local damn. They'd apply +5 volts to the line to open the damn, and -5volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the damn. They wanted us to send a phone tech into their overflowing damn to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.

Re:In other words (0)

Anonymous Coward | more than 3 years ago | (#36184300)

> I remember getting a panicked call from someone shouting "The Damns gonna bust!!!" They had a single "Circuit" they paid about $20 a month for that was nothing more that a single copper that ran from some building to the local damn. They'd apply +5 volts to the line to open the damn, and -5volts and it would close. They'd reacted too slowly to rising waters and it had flooded the copper pair they used to control the damn. They wanted us to send a phone tech into their overflowing damn to repair the circuit so they could open it from the safety of their administrative building. They had a hard time understanding my near hysterical laughter.

Well... I'll be damn'd :)

Re:In other words (1)

demonbug (309515) | more than 3 years ago | (#36184500)

We usually use dams to hold back water, not damns. Sure, sometimes the damn dam breaks, but that's no reason to damn it from the beginning.

Re:In other words (1)

Svartalf (2997) | more than 3 years ago | (#36185124)

> Fiber would be much more difficult to splice and bring in.

Heh... All it takes is a bit more effort- but it'd be a bit more obvious to pop a passive tap in a fiber run since they're not small. Sadly, it's not sound thinking all the same. The attackers are as likely to attack the end-nodes of the system where the security is much, much weaker and there's copper to be compromised before it gets to the fiber loops. You can do as much or more damage by dinking with a substation's setup as with the generation plants themselves. :-D

Re:In other words (0)

Anonymous Coward | more than 3 years ago | (#36185724)

Who is to say that the substations don't have the same level of security? Also, I highly doubt that a plant so concerned with security that they mandate fiber over copper would neglect all security as soon as the signal leaves the premises. I find it likely that any important data being sent over the line would be encrypted.

Also, when a copper line leaves a building it's either 20 feet in the air or 6 feet underground. That's a lot harder to splice into without being noticed than it is inside a building where the line is run through various closets and open conduits within easy reach.

Re:In other words (1)

Charliemopps (1157495) | more than 3 years ago | (#36188246)

You guys are way overthinking this. There is no connection to the outside world by the control equipment. The fiber that came in terminated in buildings outside what would be considered the power plant. I'm not sure what they used it for... likely they could measure data there or something. What the fiber was supposed to prevent was local staff getting bored and running their own bootleg connection into the building so they could watch porn on their critical workstations inside. Anyone on Slashdot could pick up a spool of wire at the hardware store and drag that connection anywhere they wanted inside the facility with nothing more than a pocketknife. Fiber, on the other hand, would take a whole new level of sophistication. Just getting the cable would require a specialty dealer, and the equipment used to splice it is prohibitively expensive.

Re:In other words (1)

Anonymous Coward | more than 3 years ago | (#36184366)

It's not fair to pick on Siemens, there isn't a secure PLC out there.

Re:In other words (1)

alittle158 (695561) | more than 3 years ago | (#36184466)

> It's not fair to pick on Siemens, there isn't a secure PLC out there.

That's correct. PLCs do exactly what they're told...no matter who is telling them

Re:In other words (1)

thegarbz (1787294) | more than 3 years ago | (#36186012)

No, in other words you had better hope you have good network design.

At our workplace an attacker would need to get through a firewall, ... another firewall, ... and another firewall as they work their way through the business network, the information network, down to the process control network. That last firewall is a doozy too, one way communication between 2 computers only.

"pointed out the possible scope of the problem" (0)

crow_t_robot (528562) | more than 3 years ago | (#36184022)

> But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."

Don't you mean the DHS told them not to do it or they would get a thorough anal probing in the airport security check on their way out of town? I'm pretty sure they understood the "scope of the problem" before they started doing the research (which was also probably the motivation for the research).

Re:"pointed out the possible scope of the problem" (2, Informative)

ArcCoyote (634356) | more than 3 years ago | (#36184470)

Idiot.

First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.

Didn't you read the part where the DHS CERT (a part of US-CERT, which falls under DHS but has nothing to do with the TSA...) told NSS something like, "Um, guys, the patch Siemens released doesn't work, and there are thousands of these devices deployed all over the place, including the power plants in this here city..."

NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.

But I know your type. You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies. Ironic, considering you love to rant about how those same agencies assume everyone brown is a terrorist.

Bar none, the libertarian, open-source evangelizing, Apple/Microsoft bashing, EFF supporting types are some of the most bigoted, narrow-minded, reactionary, paranoid individuals I've ever met.

Re:"pointed out the possible scope of the problem" (0)

Anonymous Coward | more than 3 years ago | (#36184970)

> Idiot.

> I'm about as much a fan of those jokes as I am of the acts.

Which is to say, he LOVES the jokes.

Re:"pointed out the possible scope of the problem" (0)

Anonymous Coward | more than 3 years ago | (#36186384)

I'm sorry, sir, you appear to be hypersensitive; unfortunately I will need to give you an anal probe to find out the extent of your condition.

Re:"pointed out the possible scope of the problem" (2)

russotto (537200) | more than 3 years ago | (#36186544)

> First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic?

Nonsense; it's a reference to bodily violation which works no matter what your gender and orientation. Just because a man is gay doesn't mean he wants the TSA up his ass.

> NSS decided to play it safe, they weren't forced to do anything. It's called responsible disclosure, and when Siemens gets their products fixed, it will be released.

Disclosure delayed is disclosure which doesn't happen.

> You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies.

When you have the kind of power they have, coercion IS how everything gets done. When they "ask", refusal always has serious negative consequences whether express or implied.

Re:"probes" (0)

Anonymous Coward | more than 3 years ago | (#36186636)

> First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic? Same thing with prison-rape jokes. I'm about as much a fan of those jokes as I am of the acts.

It's bad practice to say that being afraid of somebody's hobbies makes you afraid of them, because it implies that you have to do those hobbies with them. I'm not saying the jokes are classy. I'm saying somebody's hobbies are their own personal business and due common courtesy. I'm also saying that somebody can be scared to death of homosexuality, suck it up, and profit immensely by being civil to the people around him/her.

Re:"pointed out the possible scope of the problem" (0)

Anonymous Coward | more than 3 years ago | (#36190292)

Do you use a scoring system, or is your list an all-or-none prospect? I just ask because I'm:
  • not libertarian
  • an open-source geek
  • like Apple, dislike Microsoft
  • a huge fan of EFF
  • agree that GP's post had homophobic tones.
  • am posting anonymously... how trollish is *THAT*?!

For QA, I:

  • am bigoted (against dumbasses, conspiracy theorists and the religious right)
  • am generally not narrow-minded
  • am definitely not a reactionary
  • am only posting anonymously because slashcode, passpack and Firefox NoScript seem to have conspired to ignore a perfectly-good UID/PWD (and a few once-allowed HTML formatting tags) despite about 20 'preview' attempts,
  • and don't live too paranoidly because I've seen corporate and governmental bureaucracy at their best.

I've decided that if THEY ever come to get me, it'll be because of some Python-esque screwup, not Kafka-esque cruelty. Assange needs to worry. But me? Evil just can't find sufficient competent henchmen to bother with li'l ol' me, or these SCADA researchers and my war-protesting friends and that black-helicopter dude that writes in to my newspaper, too.

Re:"pointed out the possible scope of the problem" (1)

crow_t_robot (528562) | more than 3 years ago | (#36190398)

> You, my familial-basement-dwelling troll, assume coercion and conspiracy is how everything gets done by three-letter agencies.

I didn't assume it. I learned it by reading the memos from the U.S. government that were leaked.

> First of all, don't you realize every time you make a joke about "anal probes" at the airport, you're being not-so-subtly homophobic?

Why do you assume that every gay man likes a government agent to stick his gloved hand up his ass? Way to stereotype......

Ummmm.... (1, Insightful)

jd (1658) | more than 3 years ago | (#36184054)

...doesn't the existence of a virus that can attack such devices make this a zero-day flaw? The hack is public, since anyone can disassemble the virus that's in the wild and see how it works.

And, frankly, I don't see it being awfully difficult for any Black Hat with a mind to rip out the prior payload and install one that can attack a wider range of devices. Surely it is in the interests of security for corporations to understand what they can do to mitigate the risk of this.

The DHS, IMHO, is acting in a manner that directly threatens US interests and US corporations by preventing those at risk from knowing as much as those who pose a risk. This argument has been had out before, with regard to CERT and when it should post alerts. It was accepted that there would be a reasonable pause to allow a fix. The virus was first discovered on July 15, 2010. So the vulnerabilities have been zero-day for 10 months now.

Ok, bad guys... (1)

Kamiza Ikioi (893310) | more than 3 years ago | (#36184058)

... stick your fingers in your ears and repeat after me, "La-la-la-la-la-la-la..."

Asking people not to listen (such as the US government telling college students, of all people, not to read ANYTHING about Wikileaks) makes as much sense as telling the speakers not to speak.

"shh, don't tell" is pointless (1)

bl8n8r (649187) | more than 3 years ago | (#36184198)

The people you don't want to know about this stuff, already know. The only reason Siemens or others don't want the info made public is to save face.

National Security Through Obscurity (0)

Anonymous Coward | more than 3 years ago | (#36184296)

somebody make a WWII style propaganda poster with that, plz.

Hallelujah, Siemens gets it (5, Informative)

Hierarch (466609) | more than 3 years ago | (#36184316)

A lot of people seem to want to scream about censorship, but they're missing the point. This is one of the best case scenarios I've seen in relations between companies and security researchers.

For those who can't be bothered to RTFA, here's a summary.

Researchers found a serious flaw. The company developed a fix. It turned out that the fix was flawed. The company told the researchers about the potential impact of giving the talk before the flaw was fixed, and the researchers voluntarily postponed the talk while a better fix is built.

That's it, and it looks like everybody did the best thing they could. Isn't this what we'd want Siemens to do? "You've got a right to give your talk, but we'd like you to postpone it. Here's why. Your call."

Re:Hallelujah, Siemens gets it (0)

Anonymous Coward | more than 3 years ago | (#36185158)

Your logic has the flaw that you assume those researchers were the only ones with access to that information, and that nobody else could find it out by themselves or acquire it otherwise.

Just so you know: It's already out there anyway. Just that now, only if you obey Siemens' totalitarian information control, will you know how to do anything about that.

Good luck dying out with your blind belief, sheeple.

Re:Hallelujah, Siemens gets it (1)

Opportunist (166417) | more than 3 years ago | (#36185734)

The info exists. The info is valuable to people who want to do something bad. Valuable information will find a supplier, provided the demand (and pay) is high enough.

People who want information for nefarious reasons don't care about legal troubles connected with the acquisition of said information. People who want information to prevent said nefarious actions usually cannot ignore the law when trying to get it.

Question for 100: Now that this talk is not being held, who will have the information, and who will not have it?

Re:Hallelujah, Siemens gets it (1)

Sepodati (746220) | more than 3 years ago | (#36186002)

> Question for 100: Now that this talk is not being held, who will have the information, and who will not have it?

The same (good and bad) people have it without the talk, but the rest of the world does not. Although the risk level is still there, it's not increased. If TFA is correct and Siemens is working on a fix, then what's wrong with giving them the time they need and/or working with them?

Re:Hallelujah, Siemens gets it (2)

Mr. Freeman (933986) | more than 3 years ago | (#36185818)

I have a hard time believing that it took Siemens this long to develop a fix. The fact that Stuxnet was designed to compromise Siemens PLCs, and how it accomplished this, has been known for several months now. There's no excuse not to push out a (working) patch within a few months of a huge 0-day being discovered. To have not fixed this by now, especially given the critical applications some PLCs are used in, suggests negligence.

Responsible disclosure says that you should give the responsible party a reasonable amount of time to fix the problem before disclosing it. Responsible disclosure is NOT keeping your mouth shut indefinitely so as to allow the responsible party to ignore the problem for as long as possible.

Siemens (0)

Anonymous Coward | more than 3 years ago | (#36184506)

Stuxnet virus developed by Mossad/CIA attacks Siemens controllers. Uploaded via jump drive during regular maintenance cycles. Fukushima. Nuff said.

Just so I get that straight (1)

Opportunist (166417) | more than 3 years ago | (#36185702)

So it would decrease security to give that information to people who pay for a sec talk, people who are most likely sent there by companies, companies possibly that use the technology in question?

Let's think for a while: Someone who wants to blow up a dam or nuke a power plant probably doesn't really care too much about "virtual trespassing", aka hacking and the legal implications thereof, and neither would he bother to second guess spending some 1000 bucks on someone who would provide this information, while a law abiding CISO or CSO at a company using those systems (who might instead go to sec cons to hear about them) cannot take these venues to receive the information.

Is it me or is the reasoning for suppressing the talk a tad bit backwards?

Re:Just so I get that straight (1)

Sepodati (746220) | more than 3 years ago | (#36186056)

By not conducting the talk, the risk level is not increased, at least. It's still there, obviously. The companies that would have attended this talk should already be working on isolating SCADA and similar systems as much as possible, with or without the specifics of the talk. I doubt companies are going to be patching SCADA systems themselves without help from Siemens or their vendor. If Siemens is indeed honestly working on a solution, then _delaying_ the talk is entirely reasonable.

Some clear this up for me... (0)

Anonymous Coward | more than 3 years ago | (#36187762)

Why are these things internet accessible in the first place?

I mean why don't they just add a "blow everything up" or "emit random signals that will probably destroy the attached equipment" button and save everybody the trouble?

The big picture. (1)

AftanGustur (7715) | more than 3 years ago | (#36190226)

If the US intelligence services and Siemens had worked together in the past to exploit SCADA vulnerabilities in systems owned by unfriendly nations, why would they want to increase awareness of SCADA problems?

Industrial viruses - a new competitive weapon? (0)

Anonymous Coward | more than 3 years ago | (#36190356)

This and the recent Stuxnet virus story show the potential for viruses to start hitting infrastructure and equipment - providing an opportunity for both corporations and governments to do some really serious damage... a new book that considers the potential here is 'A joy to serve the company' http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Ddigital-text&field-keywords=a+joy+to+serve+the+company&x=0&y=0
