Jack,

Before reading any of your own text, you may want
to view this PBS documentary. It is only 10 minutes long,
and even if you aren't a PBS fan it has good data and supports
everything I am saying.

http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/view/

I would hope most would review presented data before forming an
argument against it.

> But your logic is so well...
> it's so uh... uh...
> it's uh... it's so lacking, dude.

My logic or my data, or both? Please clarify.

> Are you asking the question or making an assertion?
> The answer is no, in most cases, they're not WiFi accessible.

I was attempting to keep the subject short and concise.

> Some have said, huh. Who are these authoritative folks?

If they were as authoritative as your argument presumes,
then I wouldn't have bothered asking the list about WiFi.

Bernie, CTA [mailto:[EMAIL PROTECTED]] had some good data
from his days working with these systems; if you would like
to contact him, feel free. I have CC'd Bernie on this thread.

Attached is the original email to the full-disclosure list.

> Lots of talk, eh?? Gosh, I guess that makes it true, No?

No, but at the very least I have some data backing my logic.
I see nothing but cynical comments and a lack of data to support
your theory that mine is false. Present some and then we can
talk in what I hope is a tactful fashion.

> The changes that you assert "could" have taken place?

I would love to see one bit of evidence that isn't speculative
at this point. Yes, this could have taken place, and to present
it I used research data to form my verbiage. Is this not how
you come about finding an answer?

> "Very well penetrate" - what a convincing argument.

In security, do we not assess risk and mitigate it as necessary?
Well, before we can mitigate the risk here we have to present
the case for how probable it is to get into one of these systems.

> Thanks for your expert analysis and opinion, oops, you're not really
> an expert are you?

I don't claim to be and never have. This does not take a power expert
to understand. For example, most know how a car works, but could they
ever build one? No. I am simply putting pieces of a puzzle together
based on experts I do speak with, as the members of our national
media are not practicing responsible reporting and are listening to
uneducated guesses about the system's architecture.

> Oh, the industry may be pretty well prepared, Geoff. They may in fact
> have created the problem themselves to get the government
> (Oops... I mean the taxpayers) to give them 50 or 60 billion dollars
> to "upgrade" the grid (continuing to artificially reduce the supply of
> power and then trade power at inflated rates at a huge profit) and make
> it easier for them to rip off the nation like they have already ripped
> off California. Oh my God, maybe now I'm the crackpot who's gone "over
> the edge". Well, at least that will lend YOU some credibility and make
> your marketing efforts suddenly look legitimate. Don't say I never gave
> you anything!

I have not made one reference to assumed information; as I said before, my
information is based upon facts.

Please do describe what you mean by this marketing.

> "could be"

Could be anything, but facts will lead us to an answer. It really is that
simple.

> Holy crap!!! With a pile of documents as high as the sky,
> how can you possibly be wrong?

Facts are facts, I don't know what else to say. I could be wrong, and that
is my biggest asset. I don't assert that this is definitely what happened.

With that said, I would have preferred that such a tactless and cynical
reply to what was intended as an informative and inquisitive post be
handled off the list. Oh well, live and learn.


Cheers,

Geoff Shively, CHO
PivX Solutions, LLC

Are You Secure?
http://www.pivx.com

----- Original Message ----- 
From: "Jack Unger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, August 15, 2003 5:04 PM
Subject: Re: [SOCALWUG] Power outages related to DCOM Worm, WiFi accessible?


> Nice marketing piece, Geoff...
>
> Hey - don't take this personally - I have no argument
> with you. But your logic is so well...
> it's so uh... uh...
> it's uh... it's so lacking, dude.
>
> Geoff Shively wrote:
>
> > Power outages related to DCOM Worm, are SCADA and DCS WiFi Accessible?
>
> Are you asking the question or making an assertion?
> The answer is no, in most cases, they're not WiFi accessible.
>
> > Some have said that they are accessible via WiFi and a potential
> > attacker could break protection mechanisms thus gaining access to
> > control and acquired data.
>
> Some have said, huh. Who are these authoritative folks?
>
> > Is there any truth to this, any SCADA, DCS, or HMI experts on the
> > list?
>
> Probably not. This is a wireless list.
>
> >
> > Furthermore, there has been a lot of talk on bugtraq, full disclosure,
> > and dshield about the latest American power crisis being caused by
> > malicious computer activities or worm.
>
> Lots of talk, eh?? Gosh, I guess that makes it true, No?
>
> >
> > A bit of background on the systems that control power facilities.
> > Distributed control systems (DCS) and supervisory control and data
> > acquisition (SCADA) systems are the key elements of facility control.
> > Remote terminal units "RTU". SCADA runs under Win2000 / XP and the
> > telemetry to the RTU is accessible via the Internet.
>
> So these control systems are Internet accessible, huh? Got any convincing
> proof of that?
>
> >
> > SCADA (Supervisory Control And Data Acquisition) and DCS (Distributed
> > Control Systems) are highly vulnerable to attack.
>
> Oh really, can't you be more specific? But wait, you're just throwing a
> bunch of acronyms around, huh? No real facts there...
>
> > An attacker could very well penetrate these systems to make changes or
> > implement simple scripts to cause a legitimate operator to make
> > unnecessary changes to a large scale power grid.
>
> "Very well penetrate" - what a convincing argument.
>
> > These changes could result in massive failure causing an
> > international power crisis.
>
> The changes that you assert "could" have taken place?
>
> >
> > Be it from a worm or home grown hack, these latest power failures were
> > unlikely to have been caused by a physical failure that would have
> > surfaced by now.
>
> Thanks for your expert analysis and opinion, oops, you're not really
> an expert are you?
>
> > Power failures from the years past have brought about legislation
> > and system changes that deal with most large scale issues as they
> > arise to mitigate risk of large scale failure; whatever happened this
> > time was a new problem the industry was not prepared for.
>
> Oh, the industry may be pretty well prepared, Geoff. They may in fact
> have created the problem themselves to get the government
> (Oops... I mean the taxpayers) to give them 50 or 60 billion dollars
> to "upgrade" the grid (continuing to artificially reduce the supply of
> power and then trade power at inflated rates at a huge profit) and make
> it easier for them to rip off the nation like they have already ripped
> off California. Oh my God, maybe now I'm the crackpot who's gone "over
> the edge". Well, at least that will lend YOU some credibility and make
> your marketing efforts suddenly look legitimate. Don't say I never gave
> you anything!
>
> >
> > We know that SCADA and DCS systems are supplied by one of 5 major
> > vendors and these systems are advertised on the vendors' websites to
> > run Microsoft Windows versions 95, 2000 and NT. Also advertised is DCOM
> > and RPC support within these systems; RPC/DCOM recently became famous
> > as the Lovsan/Blaster worm exploited this protocol to spread across
> > the Internet. With this said it is likely
>
> It's very truly "likely", Geoff - because you said that it's likely....
> that makes it true, No?
>
> > that an infected system infected a SCADA or DCS, and could be
>
> "could be"
>
> >
> > why we are seeing large scale outages across the country. This is not a
> > Microsoft problem as many would like to say, though it is a problem with
> > patch management.
> >
> > Below is documentation on the problem, the first one sums up the problem
> > nicely (DCOM
> > and SCADA white papers):
>
> Holy crap!!! With a pile of documents as high as the sky,
> how can you possibly be wrong?
>
> >
> > http://www.automationtechies.com/sitepages/pid641.php
> >
> > http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/view/
> >
> > http://www.scada-system.com/scada-software-windows.htm
> >
> > http://www.data-acquisition-software.com/index.htm
> >
> > Cheers,
>
> Cheers, Geoff.... and thank you again for such a well-planted
> marketing piece - oops I mean such an accurate, informative,
> scientific and enlightening post. I'll look forward to your next
> post where you'll tell us how to use WiFi to take over control
> of cruise missiles.
>                              jack
>
> > Geoff Shively, CHO
> > PivX Solutions, LLC
> >
> > Are You Secure?
> > http://www.pivx.com
>
> --
> Jack Unger - President, Wireless InfoNet Inc.
> Author of the WISP Handbook - "Deploying License-Free Wireless WANs"
> http://www.ask-wi.com/book.html
> True Vendor-Neutral WISP Training-Troubleshooting-Consulting
> http://www.ask-wi.com/services.html
> Email: [EMAIL PROTECTED]  Phone: (818)227-4220
>
>
>
-----Original Message-----
From: Bernie, CTA [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 7:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] east coast powergrid / SCADA [OT?]


On 14 Aug 2003 at 17:15, Andre Ludwig wrote:

> It is my general feeling that the power failure could be SCADA
> related.  If it was an attack or an accident I do not know, nor
> do I think the appropriate information will ever be released to
> the public.  A lot of SCADA systems from my research do RUN MS
> software (from Win95 all the way up to Win2000), granted these
> are not full-fledged systems but stripped-down machines with some
> functionality disabled.  I have found out that RPC is used on
> several SCADA systems, to what extent I do not know, nor do I
> know if they are vulnerable to the recent rash of RPC-based
> exploits.  If someone with more knowledge on these systems can
> please come forward I would greatly appreciate it.
> 
> Did anyone watch the PBS cyber war series that was on months ago?
>  I remember Richard Clarke ranting about possible SCADA attacks
> on the power grid. If anyone has more info please do come forward
> as this is a rather interesting subject matter.
> 
> Andre Ludwig, CISSP

Being an old PLC automation and control hack, let me say that 
there is a very good plausibility that the recent East Coast 
power outage was due to an attack by an MBlaster variant on the 
SCADA system at the power plant master terminal, or more likely 
at several of the remote terminal units "RTU".  SCADA runs under 
Win2000 / XP and the telemetry to the RTU is accessible via 
TCP/IP / HTTP and the Internet.  

From what I recall SCADA based monitoring and control systems 
were installed at many water / sewer processing, gas and oil 
processing, and hydro-electric plants.

I also believe that yesterday's flooding of a generator sub 
facility here in Philadelphia was also due to an MBlaster 
variant attack on the SCADA system.
  
I think we can expect more so-called flukes as this worm or its 
writers transmute.

To make things worse, the Web Interface is MS ActiveX. Now let's 
see, how can one craft an ActiveX vuln vector into the blaster?

Oh, and for you wardrivers, SCADA can be accessed on the road... a 
new perspective on sniffing around sewer plants.
