We wrap up our coverage of last week's Las Vegas conferences today with a few observations general and specific.
Building management system vulnerabilities.
During Def Con, McAfee researchers Douglas McKee and Mark Bereza detailed a critical vulnerability they discovered in building management systems made by Delta Controls. The flaw in Delta’s enteliBUS Manager (eBMGR) could allow for remote code execution leading to manipulation of physical processes.
The researchers used a fuzzing tool to find a buffer overflow vulnerability that crashed the system after they sent it exactly 97 malformed packets. Analyzing the core dump after the crash allowed them to track down the memory address where the crash occurred, which eventually led them to discover the specific function that could be overwritten to create a remote shell using Netcat.
McKee and Bereza then went to work observing all the normal functions of an eBMGR and used what they saw to write malware that performed the same functions. This approach could be used to take control of all the eBMGR’s functions remotely. While McAfee’s test case was carried out with physical access to the device, an attacker could perform all of this over the Internet starting with only the IP address of the targeted device.
The researchers emphasized that Delta Controls was commendably responsive to their disclosure, describing the company’s reaction as the “gold standard” of how an organization should conduct itself when presented with a vulnerability in one of its products. Delta actively worked with McAfee to develop a patch, which was released in June.
Although a fix is available, the researchers said that as of Saturday there were still around five hundred vulnerable machines connected to the Internet, and it's now up to the owners of the products to apply the patch.
CISA and election security.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) put in an appearance at Def Con's Voting Village to describe how NCATS, CISA's National Cybersecurity Assessments and Technical Services, is supporting election security. According to Infosecurity Magazine, NCATS offers its services free to eligible Federal, state, and local authorities. Those services include:
- The Cyber Hygiene service. This is an external vulnerability scan of an organization's perimeter, conducted continuously and automatically.
- The Phishing Campaign Assessment. This six-week engagement sends a series of six different phishing emails to the organizations it supports, representing such familiar scams as the Nigerian prince scam, highly targeted spearphishing, and so on. It's a relatively light-handed way of assessing organizational gullibility and, more importantly, raising awareness about the risks of email social engineering.
- The Risk and Vulnerability Assessment, a two-week remote penetration test.
- The Critical Product Evaluation, which tests and validates equipment on behalf of the election officials it supports. The evaluations are conducted in partnership with several laboratories.
CISA is still a relatively young agency, and it's interesting to see the portfolio of services it's evolving.
Why cheap insurance may not be a good thing, in the long run.
Cyber insurance policies currently fetch a surprisingly low premium, as TechTarget notes from discussions it heard at Black Hat. The low cost is a supply-side phenomenon: a lot of insurers are working to get into the market, and they're competing on price. But the low premiums being charged probably mean that the underwriters are still working without the actuarial data and models they need to be fully comfortable with the risk their customers are transferring to them. Expect prices to change as the actuaries catch up with the consequences of cyber incidents.
Congratulations to the Plaid Parliament of Pwning.
Carnegie Mellon University's competitive hacking team took top honors for the fifth time in seven years at Def Con this year. Def Con's capture-the-flag is generally seen as the world cup of hacking. Congratulations to the Triple-P.
Notes on swag and booth diversions.
Socks continue to be a popular giveaway. If you left Black Hat barefoot, you did so by choice and not necessity. T-shirts remain another standby. CrowdStrike had a big line at their booth for shirts emblazoned with the company's cartoon representations of threat actors. And if you weren't able to get to Vegas, ask those colleagues who made the trip if they spent any time in Demisto's ball pit. (Trust us: admit it or not, they probably did.) Farewell to Las Vegas, until next year.