Infrastructure Systems of three US Cities Hacked

Earlier this month at the Flemings Cyber Security conference, Michael Welch, the Deputy Assistant Director of the FBI’s Cyber Division, acknowledged that three public utilities in different cities had been hacked:

“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.”

He also admitted that the hackers could have caused significant damage by manipulating the SCADA systems that they had compromised:

“Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”

He did not say if these three included the two water plants that made news last month. It also sounded like the FBI cyber security team is somewhat limited in manpower and resources as he said they currently run on a 9-5 schedule and are not a 24 hour operation.

The Deputy Assistant Director’s statements inadvertently answered a question I asked in a previous post: why federal agents are not using the same search tools to find and help lock down these systems. If they only have the staff to work a 9-5 operation, they simply do not have the manpower to do so.

According to GCN, hackers are using “readily available and generally free search tools”, most likely Shodan, to find and gain access to these systems.

In response, the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) asked city workers to carefully audit their systems to prevent further incidents. They also provided a free security tool to aid the utility operators called the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool.

In addition, the DHS recommends the following steps be taken:

• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.

• Locate control system networks and devices behind firewalls and isolate them from the business network.

• If remote access is required, use secure methods such as virtual private networks, recognizing that VPNs are only as secure as the connected devices.

• Remove, disable or rename any default system accounts wherever possible.

• Create account lockout policies to reduce the risk from brute forcing attempts.

• Create policies requiring the use of strong passwords.

• Monitor the creation of administrator level accounts by third-party vendors.
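As an added defender-side example (not code from this post, DHS or ICS-CERT), the following Python turns the checklist above into mechanical checks: it audits a constructed device inventory for Internet exposure, lack of network isolation, default accounts and missing lockout policy, and scans constructed account-creation log lines for administrator-level accounts created by third-party vendor logins. The inventory field names, the log line format, the `acme_` vendor-login prefix and the choice of RFC 1918 ranges as “internal” are all assumptions of this example.

```python
import ipaddress
import re

# Constructed inventory for the demo; the field names are this example's own,
# not a DHS/ICS-CERT format. 203.0.113.17 is a documentation-range placeholder
# standing in for a public address. Ports 502 (Modbus/TCP) and 20000 (DNP3)
# are the standard control-protocol ports.
INVENTORY = [
    {"name": "plc-lift-station-1", "addr": "203.0.113.17", "zone": "business",
     "open_ports": [502, 80], "accounts": ["admin", "operator"], "lockout_threshold": 0},
    {"name": "hmi-treatment-2", "addr": "10.20.0.5", "zone": "control",
     "open_ports": [502], "accounts": ["ops_jsmith"], "lockout_threshold": 5},
    {"name": "rtu-substation-3", "addr": "10.20.0.9", "zone": "control",
     "open_ports": [20000], "accounts": ["root", "scada"], "lockout_threshold": 5},
]

# Constructed, syslog-like account-creation records (format is this example's own).
ACCOUNT_LOG = """\
2011-12-13T02:14:05 hmi-treatment-2 useradd: user=vendor_acme_svc group=Administrators by=acme_support
2011-12-13T08:30:11 hmi-treatment-2 useradd: user=ops_rlee group=Operators by=ops_jsmith
2011-12-14T23:58:40 rtu-substation-3 useradd: user=acme_tmp group=Administrators by=acme_support
"""

# Assumption: anything outside the RFC 1918 ranges is treated as Internet-facing.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "operator"}
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
ADMIN_GROUPS = {"Administrators", "wheel", "sudo"}
VENDOR_PREFIXES = ("acme_",)  # assumed naming convention for third-party vendor logins


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def audit_device(dev):
    """Return the guidance points a device violates (an empty list means clean)."""
    findings = []
    if not is_internal(dev["addr"]):
        exposed = [f"{CONTROL_PORTS[p]} tcp/{p}" for p in dev["open_ports"] if p in CONTROL_PORTS]
        msg = "Internet-facing address"
        if exposed:
            msg += ": " + ", ".join(exposed) + " reachable"
        findings.append(msg)
    if dev["zone"] != "control":
        findings.append(f"on the {dev['zone']} network, not an isolated control network")
    defaults = sorted({a.lower() for a in dev["accounts"]} & DEFAULT_ACCOUNTS)
    if defaults:
        findings.append("default accounts present: " + ", ".join(defaults))
    if dev["lockout_threshold"] <= 0:
        findings.append("no account lockout policy")
    return findings


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) useradd: user=(?P<user>\S+) group=(?P<group>\S+) by=(?P<by>\S+)$"
)


def vendor_admin_creations(log_text):
    """Flag administrator-level accounts created by third-party vendor logins."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["group"] in ADMIN_GROUPS and m["by"].startswith(VENDOR_PREFIXES):
            hits.append((m["ts"], m["host"], m["user"], m["by"]))
    return hits


def audit(inventory, log_text):
    """Combine the per-device audit with the account-creation review."""
    return {
        "devices": {d["name"]: audit_device(d) for d in inventory},
        "vendor_admin_accounts": vendor_admin_creations(log_text),
    }


if __name__ == "__main__":
    result = audit(INVENTORY, ACCOUNT_LOG)
    for name, findings in result["devices"].items():
        print(name, "->", findings or "ok")
    for hit in result["vendor_admin_accounts"]:
        print("vendor-created admin account:", hit)
```

Run it as-is to see the lift-station PLC flagged on four points while the isolated HMI passes; in practice the inventory would come from an asset database and the log lines from the devices’ own audit trails.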

Windows Phone Denial-of-Service Attack Disables Messaging

A specially crafted SMS text or Facebook chat message can disable the Windows Phone Messaging Hub according to Winrumors.com:

“The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720.

The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.”

The malicious text message causes the Windows Phone to reboot, and then when it is back up, the Messaging Hub is no longer accessible. The vulnerability has been reported to Microsoft, but as of now there is no fix for the problem other than hard resetting and wiping the phone.

Fun, fun – whose idea was it to make our cell phones into computers? Didn’t they realize that with the benefits of computers also come the pitfalls?

Analyzing Passwords for Patterns and Complexity

Digininja’s site has an interesting password analyzing program called “Pipal”. The program takes a list of passwords and returns the top passwords used, a graph showing password lengths, dates used and a ton of other information.

In this demonstration, I used a list of leaked sanitized passwords (a password dump from a real site with account names and e-mail addresses removed) from SkullSecurity.

Simply download Pipal, provide it a password list and sit back and watch it go. This list of about 9,000 Hotmail passwords took only a few seconds. Larger lists can take significantly longer; one list with millions of passwords that Digininja analyzed took about 24 hours!

Let’s look at some of the more interesting data returned from Pipal. Here is a list of the top ten base words:

Top 10 base words
angel = 10 (0.11%)
beto = 9 (0.1%)
diciembre = 7 (0.08%)
abril = 6 (0.07%)
amor = 5 (0.06%)
acuario = 5 (0.06%)
junio = 5 (0.06%)
daniel = 5 (0.06%)
alex = 5 (0.06%)
beatriz = 5 (0.06%)

This is obviously a dump from a Spanish speaking country, but you will notice that the base word “angel” was used 10 times, and a lot of users’ passwords started with a name or a month.

How long was the average password?

Password length (count ordered)
6 = 1823 (20.41%)
8 = 1769 (19.81%)
7 = 1306 (14.62%)
9 = 1098 (12.3%)
10 = 773 (8.66%)
11 = 565 (6.33%)
12 = 406 (4.55%)
13 = 285 (3.19%)
14 = 216 (2.42%)
16 = 178 (1.99%)
5 = 175 (1.96%)
15 = 158 (1.77%)
17 = 59 (0.66%)
4 = 37 (0.41%)
18 = 19 (0.21%)
20 = 16 (0.18%)
21 = 13 (0.15%)
22 = 9 (0.1%)
2 = 9 (0.1%)
19 = 8 (0.09%)
3 = 7 (0.08%)
1 = 5 (0.06%)
24 = 5 (0.06%)
23 = 4 (0.04%)
27 = 4 (0.04%)

Looks like 6 characters is the winner, followed closely by 8. I am actually surprised by the number of people who used 20+ character passwords. But as this is from a website password dump, it apparently didn’t do them any good…

Okay, how about complexity – how strong were the passwords:

Password Strength:
Only lowercase alpha = 3716 (41.61%)
Only uppercase alpha = 197 (2.21%)
Only alpha = 3913 (43.82%)
Only numeric = 1654 (18.52%)

First capital last symbol = 23 (0.26%)
First capital last number = 240 (2.69%)

Ouch, looks like a good chunk of them were simple passwords.

Okay, what about dates, did any of the passwords have a date in them?

Months
march = 2 (0.02%)
may = 18 (0.2%)
june = 1 (0.01%)
july = 1 (0.01%)
august = 1 (0.01%)
october = 1 (0.01%)

Days
None found

Months (Abreviated)
jan = 15 (0.17%)
feb = 8 (0.09%)
mar = 184 (2.06%)
apr = 8 (0.09%)
may = 18 (0.2%)
jun = 17 (0.19%)
jul = 19 (0.21%)
aug = 2 (0.02%)
sept = 4 (0.04%)
oct = 14 (0.16%)
nov = 21 (0.24%)
dec = 7 (0.08%)

Days (Abreviated)
mon = 61 (0.68%)
wed = 1 (0.01%)
fri = 14 (0.16%)
sat = 11 (0.12%)
sun = 13 (0.15%)

Years (Top 10)
2008 = 38 (0.43%)
1985 = 30 (0.34%)
2006 = 27 (0.3%)
1983 = 26 (0.29%)
1980 = 26 (0.29%)
2007 = 25 (0.28%)
1987 = 24 (0.27%)
1984 = 23 (0.26%)
1979 = 22 (0.25%)
1981 = 21 (0.24%)

Pipal provides a lot more information than what is shown here, but I think this gives you a good idea of what it can do.
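To show what is actually going on behind the sections above, here is an added Python example (not Pipal’s own code, which is a separate Ruby project) that reproduces the same kinds of statistics over a small constructed password list: top base words, length distribution, the character-class “strength” buckets, month/day/year hits and Pipal-style percentages. The sample passwords, the base-word rule (strip leading and trailing non-letters) and the substring matching for months and days are this example’s own choices and only approximate how Pipal computes them.

```python
import re
from collections import Counter

# Constructed sample list for the demo (NOT a real dump). A real run would read
# one password per line from a file, as Pipal does.
SAMPLE_PASSWORDS = [
    "angel123", "angel2008", "Angel1", "beto", "beto85", "diciembre12",
    "123456", "PASSWORD", "qwerty", "Amor2008!", "mar1985", "monday1",
    "abril", "beatriz", "alex1983", "Daniel2008",
]

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTHS_ABBR = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug",
               "sept", "oct", "nov", "dec"]
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAYS_ABBR = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def base_word(password):
    """Strip leading/trailing digits and symbols and lowercase what remains,
    approximating a Pipal base word ("Angel1" -> "angel", "123456" -> "")."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def strength_classes(password):
    """Return the character-class labels a password falls into (Pipal-style names)."""
    labels = []
    if password.isalpha():
        labels.append("Only alpha")
        if password.islower():
            labels.append("Only lowercase alpha")
        elif password.isupper():
            labels.append("Only uppercase alpha")
    if password.isdigit():
        labels.append("Only numeric")
    if password and password[0].isupper():
        if password[-1].isdigit():
            labels.append("First capital last number")
        elif not password[-1].isalnum():
            labels.append("First capital last symbol")
    return labels


def count_substrings(passwords, words):
    """Count passwords containing each word as a case-insensitive substring
    (so 'mar' also matches inside names such as 'maria', as a Pipal-like scan would)."""
    counts = Counter()
    for p in passwords:
        low = p.lower()
        for w in words:
            if w in low:
                counts[w] += 1
    return counts


def analyze(passwords):
    """Build the same kinds of statistics the Pipal output above shows."""
    passwords = [p for p in passwords if p]
    return {
        "total": len(passwords),
        "base_words": Counter(b for b in map(base_word, passwords) if b),
        "lengths": Counter(len(p) for p in passwords),
        "strength": Counter(label for p in passwords for label in strength_classes(p)),
        "months": count_substrings(passwords, MONTHS),
        "days": count_substrings(passwords, DAYS),
        "months_abbr": count_substrings(passwords, MONTHS_ABBR),
        "days_abbr": count_substrings(passwords, DAYS_ABBR),
        # each year counted once per password
        "years": Counter(y for p in passwords for y in set(re.findall(r"(?:19|20)\d\d", p))),
    }


def pct(count, total):
    """Percentage rounded to two decimals, matching the '(20.41%)' style above."""
    return round(100.0 * count / total, 2) if total else 0.0


def format_section(title, counter, total, top=10):
    lines = [title]
    if not counter:
        lines.append("None found")
    for key, n in counter.most_common(top):
        lines.append(f"{key} = {n} ({pct(n, total)}%)")
    return "\n".join(lines)


def report(passwords):
    """Render the statistics in the same layout as the Pipal sections above."""
    s = analyze(passwords)
    t = s["total"]
    sections = [
        ("Top 10 base words", s["base_words"]),
        ("Password length (count ordered)", s["lengths"]),
        ("Password Strength", s["strength"]),
        ("Months", s["months"]), ("Days", s["days"]),
        ("Months (Abbreviated)", s["months_abbr"]), ("Days (Abbreviated)", s["days_abbr"]),
        ("Years (Top 10)", s["years"]),
    ]
    return "\n\n".join(format_section(title, c, t) for title, c in sections)


if __name__ == "__main__":
    print(report(SAMPLE_PASSWORDS))
```

Note that the abbreviated month and day counters use plain substring matching, which is why such a scan can report far more “mar” hits than “march” hits: every name or word containing those three letters counts. That is worth remembering before reading a high abbreviated-month number as evidence that people put dates in their passwords.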

I think this is a great tool to see the trends and patterns in password security. After so many years of users being warned about password security, it is very disheartening to see that the majority of users are still using short, simple passwords.

But what is more alarming is the number of password dumps that are available from compromised websites.

US Drone Displayed in Iran a Fake?

Interesting twist today to the story of Iran recovering a downed US RQ-170 stealth drone. As the battle rages back and forth as to whether Iran’s reported cyber army hacking the plane, electronic jamming or a hardware malfunction brought the plane down, this statement from the New York Times caught my eye:

“American officials have acknowledged the loss of an RQ-170, a C.I.A. stealth drone made by Lockheed Martin and designed to fly covert missions and collect information in hostile territory, but have declined to confirm or deny that it is the plane that Iran says it recovered.”

They refuse to confirm or deny that the drone being displayed is the one the US is missing… What?

Why would they do that?

Could it be that the drone on display in Iran is a fake? Take a good look at the picture above from the video. Does this look like a $6 million precision stealth drone, or a parade float, as military hardware expert John Pike at GlobalSecurity.org lovingly describes it:

“…it was highly unlikely the Iranians had the technology to wrest control of the drone’s navigation and bring it down so softly that it was left with barely a scratch.

“It looks like a parade float. For one thing, it looked remarkably intact for something that crashed, and the wings are drooping the wrong way.

“On the real thing, the wings go up at the end. This one’s wings droop down.”

If they are displaying a fake, why would they lie?

I believe it is to bring a halt to future intelligence gathering missions, or possibly a reprieve from the “mystery” explosions that seem to be targeting Iran’s nuclear scientists and weapons specialists.

In the best case, it could be a propaganda victory. Why show a mangled and battered drone with all the on-board electronics destroyed, when you could create a mock-up and make the US think they have all the hardware and programming intact?

One thing is for certain. With the CIA being involved in this, we are probably not going to see any more information released from the US side.

If the drone Iran has is legit and intact, the next question is who will end up with it, Russia or China?