Sunday, November 11, 2012

Beer, Glorious Freaking Beer

In order to bribe, err, encourage more consistent attendance at the DC423 meetings, I am back into monthly homebrews and will be giving them away.  I have 1 liter EZ flip-cap bottles that I will be filling with my finest; all I ask is:

  • You reserve your bottle at:  www.dc423brew.eventbrite.com
  • You return the bottle (they are expensive)
  • You consider making a donation for supplies (not necessary, but appreciated)
  • You enjoy your brew and provide honest feedback (help me improve)

Are you a homebrew geek?  Want to learn?  Head over to /make for the recipe and results of the brew.

Enjoy!

Wednesday, November 7, 2012

RFCat - I Can Haz Megahurtz?

***props again to @tothehilt / all info below is his


The RFCat is a neat piece of kit from atlas 0f d00000000000000m: a custom-flashed Texas Instruments CC1111 driven by Python code.  Please reference @at1as's information [here].  This USB dongle allows you to play with the sub-GHz range of RF (think car key fobs, baby monitors, smart meters, etc.).

But enough with the background, how do we get this thing to work?


RFcat Setup:

Plug in RFcat
Make sure your firmware is correct:  

  sudo lsusb

Output should include OpenMoko

  Bus 002 Device 007: ID 1d50:6048 OpenMoko, Inc.

See that on the CC1111 and you are good.
Now unplug the dongle, and don't plug it back in until you have rfcat running.  If you don't, you may need to talk to atlas on freenode #rfcat.

Complete the rest as follows:

  sudo apt-get install mercurial
  hg clone https://code.google.com/p/rfcat/
  sudo add-apt-repository ppa:pyside #(for specan)
  sudo apt-get update
  sudo apt-get install python-pyside.qtgui #(for specan)
  cd rfcat
  sudo python ./setup.py build
  sudo python ./setup.py install
  rfcat -r


Now plug in your dongle, and enjoy :)

d.specan showing activity around 908 MHz.  Command:

  d.specan(908e6,25000,51)




References:

http://www.hackfromacave.com/articles_and_adventures/ubertooth_bt5.html (specan)
http://code.google.com/p/rfcat/

Sunday, October 28, 2012

Dependency Hell is Still Warm - Broadcom WiFi DoS

**** props to @tothehilt (on da twitters)

So the cool dudes at corelabs released a vulnerability announcement and some PoC code this week that kills two Broadcom WiFi chips: BCM4325 and BCM4329.  Cut from the site (http://www.coresecurity.com/content/broadcom-input-validation-BCM4325-BCM4329):


Products containing BCM4325 and BCM4329 chipsets:

BCM4325
  • Apple iPhone 3GS
  • Apple iPod 2G
  • HTC Touch Pro 2
  • HTC Droid Incredible
  • Samsung Spica
  • Acer Liquid
  • Motorola Devour
  • Ford Edge (yes, it's a car)

BCM4329
  • Apple iPhone 4
  • Apple iPhone 4 Verizon
  • Apple iPod 3G
  • Apple iPad Wi-Fi
  • Apple iPad 3G
  • Apple iPad 2
  • Apple Tv 2G
  • Motorola Xoom
  • Motorola Droid X2
  • Motorola Atrix
  • Samsung Galaxy Tab
  • Samsung Galaxy S 4G
  • Samsung Nexus S
  • Samsung Stratosphere
  • Samsung Fascinate
  • HTC Nexus One
  • HTC Evo 4G
  • HTC ThunderBolt
  • HTC Droid Incredible 2
  • LG Revolution
  • Sony Ericsson Xperia Play
  • Pantech Breakout
  • Nokia Lumina 800
  • Kyocera Echo
  • Asus Transformer Prime
  • Malata ZPad

Nice list of kit there.  The PoC code is on the site as well; that's the easy part.  The hard part was getting the dependencies (Lorcon2 and PyLorcon2) installed properly so that they pick up your WiFi card.  Following the instructions on the corelabs referenced links is #FAIL.  After figuring this out, @tothehilt produced this tried/true/tested list of steps in order to make the lulz happen.

Step One: Lorcon2

  # git clone https://code.google.com/p/lorcon/ lorcon
  # cd lorcon
  # ./configure --prefix=/usr
  # make depend
  # make
  # make install

Build PyLorcon2

  # apt-get install libpcap-dev libnl-dev python-dev
  # cd ..
  # svn checkout http://pylorcon2.googlecode.com/svn/trunk/ pylorcon2
  # cd pylorcon2
  # python setup.py build
  # python setup.py install


Test PyLorcon2

  # python
  Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
  [GCC 4.4.3] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>>
  >>> import PyLorcon2
  >>>
  >>> PyLorcon2.get_version()
  20091101
  >>> for driver in PyLorcon2.list_drivers():
  ...     print driver
  ...
  ('madwifing', 'Linux madwifi-ng drivers, deprecated by ath5k and ath9k')
  ('tuntap', 'Linux tuntap virtual interface drivers')
  ('mac80211', 'Linux mac80211 kernel drivers, includes all in-kernel drivers on modern systems')
  >>>

Use Proof of Concept Code

  # python poc.py wlan0


Have fun dropping people's WiFi!

MISC Fun Stuff Noted:
  • Some devices require a restart to reconnect to WiFi after the script is killed
  • The PoC code creates an SSID 'buggy' that contains the RSN/TKIP overflow magic
  • Other devices not on the list act 'weird'.  The exploit works if the user goes to the wireless settings screen (on a phone) or the WiFi taskbar (on a laptop) to look for other networks.  Laptops and phones were dropping due to this PoC; more testing required
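The RSN/TKIP overflow the post mentions lives in the RSN information element carried by the PoC's 'buggy' beacons.  The following is an added example, not code from the post or from Core's PoC: a defender-side consistency check that parses an 802.11 tagged-parameter area and flags RSN IEs whose cipher/AKM suite counts overrun the declared element length, which is the kind of malformed element a driver must reject and a wireless monitor can log.  The IE byte strings are constructed samples, and the check is a generic RSN-structure check rather than a signature for this particular PoC.

```python
import struct
RSN_IE_ID = 48   # 802.11 element ID of the RSN information element

def parse_ies(blob):
    """Split a tagged-parameter area into (id, body, error) tuples."""
    ies, pos = [], 0
    while pos + 2 <= len(blob):
        ie_id, ie_len = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + ie_len]
        if len(body) != ie_len:          # declared length runs past the frame
            ies.append((ie_id, body, "truncated"))
            break
        ies.append((ie_id, body, None))
        pos += 2 + ie_len
    return ies

def check_rsn_ie(body):
    """Return None if the RSN IE body is self-consistent, else a reason string."""
    # layout: version(2) group cipher(4) pairwise count(2) pairwise suites(4 each)
    #         AKM count(2) AKM suites(4 each) capabilities(2); fields after the
    #         pairwise list are optional, so a shorter IE is legal
    if len(body) < 8:
        return "too short for version/group cipher/pairwise count"
    pairwise_count = struct.unpack_from("<H", body, 6)[0]
    pos = 8 + 4 * pairwise_count
    if pos > len(body):
        return "pairwise count %d exceeds IE length %d" % (pairwise_count, len(body))
    if pos + 2 > len(body):
        return None
    akm_count = struct.unpack_from("<H", body, pos)[0]
    if pos + 2 + 4 * akm_count > len(body):
        return "AKM count %d exceeds IE length %d" % (akm_count, len(body))
    return None

def find_malformed_rsn(blob):
    """Collect a reason string for every truncated IE or inconsistent RSN IE."""
    findings = []
    for ie_id, body, err in parse_ies(blob):
        if err:
            findings.append("IE %d %s" % (ie_id, err))
        elif ie_id == RSN_IE_ID:
            reason = check_rsn_ie(body)
            if reason:
                findings.append("RSN IE: " + reason)
    return findings

# Constructed sample IE blobs (not captured traffic): SSID IE 'buggy' then a 20-byte
# RSN IE advertising TKIP; BAD declares 255 pairwise suites inside those 20 bytes.
RSN_OK = "0100" "000fac02" "0100" "000fac02" "0100" "000fac02" "0000"
RSN_OVERRUN = "0100" "000fac02" "ff00" "000fac02" "0100" "000fac02" "0000"
GOOD = bytes([0, 5]) + b"buggy" + bytes([RSN_IE_ID, 20]) + bytes.fromhex(RSN_OK)
BAD = bytes([0, 5]) + b"buggy" + bytes([RSN_IE_ID, 20]) + bytes.fromhex(RSN_OVERRUN)
```

Feed `find_malformed_rsn` the tagged-parameter bytes of each beacon or probe response a monitor-mode capture yields; a non-empty result is worth logging with the source BSSID.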



Saturday, January 28, 2012

Intro to SG Regulation Entanglement


Introduction:
I wrote this post for the arrasmartgrid forums, which never really took off (big surprise).  It is an attempt to demystify the NIST/NERC/whatever controls, and to show that if you have a solid program, you'll be 'compliant' with whatever comes down the pipe.

NIST Overview:
NIST stands for the National Institute of Standards and Technology, and is an agency within the US Department of Commerce.  NIST, as a larger organization, develops standards for every industry, from bioscience to energy, and from math and physics to IT.

Information Technology is the NIST subject area most relevant to smart grid.  The NIST Special Publications (SP) 800 series is a set of documents of general interest to the computer/network security community, which was established in 1990 and continues today.  The NIST SP 800 series is used as the basis for numerous federal agency security requirements, as well as those of the Department of Defense and the Intelligence Agencies.  When folks speak of ‘industry best practices’ for computer security, more often than not they are referring to the SP 800s.

NIST Relationship to Smart Grid Guidelines
Much to the credit of the NIST organization, their guidelines and standards in the 800 series are the most utilized, plagiarized, and recognized documentation in all of cyber security.  Many organizations utilize the NIST SP 800-53a ‘Recommended Security Controls for Federal Information Systems and Organizations’ as a baseline for their own guidelines and controls, including NISTIR 7628, DHS, and even NERC CIP to a certain point.


Figure 1:  800-53 One Baseline to Rule Them All

To see the similarities, let’s take the very first standard in the 800-53a, Access Control Policy and Procedures, and compare it to the other guidelines:

NIST SP 800-53a ‘Recommended Security Controls for Federal Information Systems and Organizations’
AC-1 “Access Control Policy and Procedures”
Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:
a.   A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
b.   Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

Department of Homeland Security:  “Catalog of Control Systems Security: Recommendations for Standards Developers”
2.15.1 Access Control Policy and Procedures
2.15.1.1 Requirement
The organization develops, disseminates, and periodically reviews and updates:
1.   A formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
2.  Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

NISTIR 7628 “Guidelines for Smart Grid Cyber Security” Vol 1
SG.AC-1 Access Control Policy and Procedures
Category: Common Governance, Risk, and Compliance (GRC) Requirements
Requirement
1. The organization develops, implements, reviews, and updates on an organization-defined frequency—
a.   A documented access control security policy that addresses—
i. The objectives, roles, and responsibilities for the access control security program as it relates to protecting the organization’s personnel and assets; and
ii. The scope of the access control security program as it applies to all of the organizational staff, contractors, and third parties.
b.  Procedures to address the implementation of the access control security policy and associated access control protection requirements.
2. Management commitment ensures compliance with the organization’s security policy and other regulatory requirements; and
3. The organization ensures that the access control security policy and procedures comply with applicable federal, state, local, tribal, and territorial laws and regulations.

And finally, NERC CIP (although to a lesser extent):
CIP 003-4 “Cyber Security — Security Management Controls”
R5. Access Control —The Responsible Entity shall document and implement a program for managing access to protected Critical Cyber Asset information.
R5.1. The Responsible Entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information.
R5.1.1. Personnel shall be identified by name, title, and the information for which they are responsible for authorizing access.
R5.1.2. The list of personnel responsible for authorizing access to protected information shall be verified at least annually.

As you can see, the DHS Security Control Catalog is almost an exact copy/paste, with the NISTIR 7628 expanding upon the original requirement a bit.  NERC CIP, while worded differently and with a more regulatory tone, touches on the same overarching themes of an access control policy.  This collaboration reinforces the statement made in today’s webinar about building credibility into your organization's cyber security program by utilizing existing standards and guidelines.

NIST Requirement Example Administrative
I now want to briefly show how the NIST SP 800 series can provide the framework necessary to go from ‘Guideline’ to ‘Implementation’ with an administrative control.  I often use the example of a common requirement to have an ‘Incident Response Plan’ in your overall cyber program, which is present in the NISTIR 7628, the DHS Catalog, and the NERC CIPs.

The 800-53 control for an Incident Response Plan references the NIST SP 800-61 “Computer Security Incident Handling Guide”.  This guide contains a wealth of information about the creation of policies/plans/procedures as well as incident response team composition, and numerous sections on handling certain incident events.  Focusing on section 2.3 ‘Incident Response Policy, Plan, and Procedure Creation’, we find that the framework is given for meeting various requirements and compliance needs.  This is illustrated in Figure 2:

Figure 2:  One Standard to Rule Them All

800-61 provides the framework for writing or altering your own program's incident response plan!  All elements for meeting the 7628/DHS/NERC CIP requirements are listed and defined in 800-61; tailoring and altering the framework to meet your organization's specific functional needs and regulatory requirements is all that is needed.  The NIST guidelines provide a starting point, without needing to create policy/plans/procedures from scratch.

In addition to the 800-61, NIST provides a guide to integrating forensics into IR (800-86) and a guide on preventing and handling malware (800-83).  These guides can be used to further develop and mature your organization's incident response program within cyber security.

Conclusion
While the NIST SP 800 series was conceived for ‘federal IT systems’, it is often the baseline for most cyber security guidelines and regulations in smart grid today.  A number of existing NIST guidelines define and specify what policy, plans, and procedures should contain and how those programs should be executed.  These ‘Guidelines for the Guidelines’ are excellent tools and references that can be used as the starting point for any new cyber security program, and as a comparison point for all existing programs.  As we see with the NISTIR 7628 and the new DoE Cyber Security Initiative, NIST, NERC, FERC, and others are collaborating on how the smart grid, and the grid in general, should be secured.  NIST has influenced other guidelines in the past, and I believe it will continue to influence them in the future.


Longer, stronger rants

twitter is great, but when I want to bloviate, it just didn't rate