The Facebook data team released some interesting data a few days ago focusing on the connectedness of their social graph, taking six degrees of Kevin Bacon and looking at how many connections away from each other any two people on the network are. From their research it seems like more than 90% of people on the network are separated by only four degrees, meaning that any person A has a friend that knows a friend of person B.
Last week I had the opportunity to attend the first public planning/brainstorming session for the DHS-seeded Open Information Security Foundation and their next-generation IDS project. Lots of good discussion, with the first couple of hours focusing on the foundation itself, and the rest of the day spent discussing various features that would be required by the IDS and roughly prioritising them into “version 1” or “later” categories. For those of you who aren’t familiar with OISF, they were created primarily to build this next-generation IDS and license it under GPLv2, while also allowing less restrictive licensing to vendors who don’t want to reveal/publish proprietary additions/plugins, and providing a safeguard against taking the source tree private/commercial.
Following up my last post on fuzzing an unknown proprietary protocol, we’ve now got a collection of packet captures to start ripping through to get some semblance of a fuzzer going to send packets to our target. There are a few routes we can go, from something as simple as flipping bits and putting garbage data into the stream all the way up to building a full network model. I’m not big on either of the extremes.
Thanks to the near-constant stream of “the sky is falling, these protocols aren’t secure” presentations at security conferences around the globe, everyone is familiar with mainstream ICS protocols: EtherNet/IP, DNP3, and of course Modbus, amongst others. And of course it is important to make sure that these protocols are implemented correctly to ensure that the devices supporting them function reliably. Generally, though, these protocols aren’t on the “front lines”; they’re going to be behind at least a couple of firewalls, probably a DMZ, and if someone was interested in causing trouble then by the time they’ve gotten access to the parts of the network that these protocols live on, they’re able to do anything they want.
To a lot of you, this post isn’t going to tell you anything you don’t already know, but for others I think it needs to be said again. MAC and IP addresses are easily changeable and are useless for authentication. Far too often when we’re on site we see security measures that rely heavily on them, and it’s something that we need to move away from in control systems. We need to decouple connectivity and authentication.