SCADApedia

Arming Attackers?

Matt Franz, in a recent post on his blog, noted in a very tongue-in-cheek manner that some of Digital Bond's recent Scadapedia articles serve to "arm attackers". Security through obscurity is not security, so it is important to understand that the dissemination of information is not in and of itself bad. Information is a tool; its goodness or badness is determined by its use. As the main instigator of these two-edged articles, I think it worthwhile to address this topic.

Because there is a huge overlap between the techniques the bad guys and the good guys use in code assessments, fuzzing, on-site assessments (hacking, in the bad guys' case) and so on, it is impossible to educate the good guys without also empowering the bad guys. We use the same techniques: reconnaissance, discovery, enumeration, penetration, escalation, communication, cover-up and clean-up. We use the same tools: Nmap, Metasploit, various debuggers and decompilers, Wireshark, Ettercap, etc. And lately, to some degree, we are examining the same [control] systems. The hacker community is becoming ever more aware of control systems, and since our nation specifically employs teams to discover vulnerabilities so that they can be fixed under the auspices of infrastructure protection, it is a certainty that other nations are looking for similar vulnerabilities, perhaps with less benign motives.

The only difference between black hat and white hat (bad guys and good guys) is the application of the knowledge, techniques and tools they possess.

To expect that the bad guys will not be able to discern how these tools apply to control system environments, will not be able to track down known control system services and their associated ports, and will not fuzz and develop exploits for control systems is sheer folly. To hope that by not discussing the application of known techniques and tools to control systems the bad guys will not learn of them is madness akin to putting your head in the sand and hoping the whole issue will simply disappear.

It is an "arms race", and the only solution in sight is to educate the good guys better and faster than the bad guys, and to propagate mitigations faster than the bad guys can exploit vulnerabilities. As the "state of the art" in control systems seems to be stuck in the 1990s, this is easier said than done.

Having said my piece on "arming attackers", check out my latest Scadapedia articles:

Field Device Fingerprinting

ArpScanning &

gateway identification through ARP Backscatter.

Comments

Comment from Matthew Franz
Time: August 13, 2008, 11:35 am

Kevin,

You lose points for security clichés like "security through obscurity." You should have another one while at it: "false sense of security" :)

Security through obscurity is real, man, believe!

It protects you from some % of perhaps the noisiest, clumsiest, attackers.

Because Modbus and other protocols are perceived as obscure and have received much less attention, the bar is so much lower for freely available tools. Hence we see stuff like ModScan at Defcon. There are dozens of HTTP/FTP fuzzers out there, but how many Modbus fuzzers are there? Sulley? How else (but obscurity) can you explain that?

And tell me how this does not lower the risk?

Comment from Ralph Langner
Time: August 13, 2008, 5:19 pm

I can hardly believe that any attacker who deserves attention would benefit from Scadapedia. We should not waste our time bothering with incompetent attackers who just figured out Modbus or DNP port numbers, or with organizations which need protection against the dumbest types of attacks.
