Transcript SCADA Security, DNS Phishing - Texas Tech University Departments

SCADA Security, DNS Phishing
AVE S TA HOJ J AT I, CO MMUT ER S CI E NCE D E PA R T ME NT
A DVISO R D R A K B A R NA MI N
T E X A S T E CH U NI VER SI TY
What is SCADA?
• Supervisory Control And Data Acquisition, type of Industrial Control
System (ICS).
• Computer based
• Communication through IPv4 & IPv6
• Uses PLC (Programing Logic Controller)
as the main operator
Main Areas of Concern
• Security and authentication in the design, deployment and operation
of existing SCADA networks
• The premise that SCADA systems are secure because they use
specialized protocols and have proprietary interfaces
• The premise that SCADA networks are secure because they have
been physically secured
• The premise that SCADA networks are secure because they are not
exposed to the Internet
SCADA Vulnerabilities
• DoS (Denial of Service). Vulnerabilities found in FactoryTalk Services
Platform and RSLinx Enterprise
 November 2011: The cyber-security of the North American power grid is "in a state of near chaos," according to a report by a respected U.S. energy
consultancy monitoring the industry's transition to wireless digital technologies.
• Critical Remote Code Execution (CRCE). Vulnerabilities found in
Modbus Serial Driver, product by Schneider Electric
 September 2010: Iran admits that the Stuxnet worm had infected at least 30,000 computers in the country. The worm, which researchers have dubbed the
most sophisticated malware ever, targets Windows PCs that manage large-scale SCADA systems at manufacturing and utility companies.)
• Most SCADA protocols were never intended for use on publically
accessible networks, and in some cases, not even on IP networks.
MODBUS, a common SCADA protocol, was originally designed for
use only within simple process control Networks to enable low speed
serial communications between clients and servers
Point of Attack
CRCE Attack
CRCE Prevention
Securing SCADA Networks
• Patch host operating systems, applications and SCADA components
• Control application communications between SCADA networks and
other networks
• Control application communications within SCADA networks
• Control what and who are allowed to interact with SCADA networks
and systems
• Monitor all networks closely and react quickly to viruses and attacks
What is DNS?
• The DNS (Domain Name System)translates Internet domain and host
names to IP addresses. DNS automatically converts the names we
type in our Web browser address bar to the IP addresses of Web
servers hosting those sites. (wiki)
DNS Phishing (Fake HTTP request)
• Redirecting all incoming traffic to a fake server
Enables to launch additional attacks, or collect traffic logs that contain sensitive
information
• Capturing all in-bound email
Allows the attacker to send email on their behalf, using the
victim organization's domain and cashing-in on their positive
reputation
DNS Phishing (Fake HTTP request)
• Taking over the registration of a domain
Attackers take over the registration of a domain and change the authoritative DNS
servers
This was the type of attack used by the Syrian Electronic Army. They gained access to
the domain registration accounts operated by Melbourne IT, changed the
authoritative DNS servers to ns1.syrianelectronicarmy.com and
ns2.syrianarmyelectronicarmy.com.
• Cache poisoning
Attackers inject malicious DNS data into the recursive DNS servers operated by
Internet Service Providers (ISPs). The damage cause by this attack is localized to
specific users connecting to the compromised servers
DNS Phishing scenario
Demonstrating an attack using
BackTrack
Using ARP spoofing Technique
(Address Resolution Protocol)
Avoidance
• Good security practices such as strong passwords, IP acceptable client lists (ACLs)
and social engineering training will help guard against attack
• DNSSTOP( Domain Name Server STOP)
 A curses-based application that displays various tables of DNS statistics
• DSC (Domain Statistics Collector)
 DNS Statistics Collector is designed to collect and aggregate statistics from busy authoritative
servers, such as those used by TLD (Top-Level Domain) and root server operators.
• Traffic Gist
 A network traffic statistics collection tool. Gist can collect statistics about live traffic and do
postmortem packet capture analysis
Limiting Recursion to Authorized Clients
For DNS servers that are deployed within an organization or Internet Service Provider, the resolver
should be configured to perform recursive queries on behalf of authorized clients only.
These requests typically should only come from clients within the organization’s network address range.
We highly recommend that all server administrators restrict recursion to only clients on the organization’s
network.
BIND9
In the global options, include the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
allow-query { any; };
allow-recursion { corpnets; };
};
References
• http://www.fastandeasyhacking.com/ (Armitage)
• http://ettercap.github.io/ettercap/ (Ettercap)
• Siemens PLS Simulator (S7 Seriese)
Questions?