Full Disclosure mailing list archives

Re: east coast powergrid / SCADA [OT?]


From: "Geoff Shively" <gshively () pivx com>
Date: Sat, 16 Aug 2003 11:55:59 -0700


I'd read through the bugtraq archives on securityfocus.com so you can really
get a sense of the kind of long-standing trouble RPC has been causing over
the years. RPC has been a long-standing issue; in fact, for the last few
years, most places have just started blocking RPC out to the internet and
given up on securing the protocol. It's caused many a headache to Samba
(where you can now guess passwords courtesy of RPC) and Windows. With all the
vulnerabilities that Windows goes through, a lot of the particulars get lost
in the grand river of crapulence that is Windows security. This is the first
worm to spread exclusively on an RPC exploit. And this is the worst RPC
exploit yet (hell, probably the worst Windows exploit yet). But by just the
sheer number of exploits that show up in Windows, if the systems doing
critical monitoring were open to all on the internet, surely we would have
been seeing outages like this beforehand; there have been thousands of
exploits against Windows since the monitoring systems went into place.


Correct. We have been working on RPC stuff for as long as I can remember, even
had a hand in the latest stuff before it became Blaster. I was curious if there
was any other small or medium scale worm that used this in the past few years.
I don't think there has been; it would have had to have been pretty far 'under
the radar'.

Point being, it's a new beast with new consequences. Slammer and 13k BoFA ATMs,
flight control systems, etc. etc. As these new machines come about, new
consequences are going to appear.

Well my l33t hax0r ski11z lead me to watch CNN and draw on experience :)

Did u 0wnz0r1z3 yur TeeVee yet? =)


Cheers,

Geoff Shively, CHO
PivX Solutions, LLC

http://www.pivx.com

----- Original Message ----- 
From: "Stephen Clowater" <steve () stevesworld hopto org>
To: "Geoff Shively" <gshively () pivx com>
Cc: <full-disclosure () lists netsys com>
Sent: Saturday, August 16, 2003 12:34 PM
Subject: Re: [Full-disclosure] east coast powergrid / SCADA [OT?]



----- Original Message ----- 
From: "Geoff Shively" <gshively () pivx com>
To: "Stephen Clowater" <steve () stevesworld hopto org>
Cc: <full-disclosure () lists netsys com>
Sent: Saturday, August 16, 2003 3:33 AM
Subject: Re: [Full-disclosure] east coast powergrid / SCADA [OT?]


Please, if that were the case, why have none of the other billions of Windows
vulnerabilities ever affected the grid? More specifically, why haven't any of
the thousands of RPC vulnerabilities ever affected the grid?

This is one of the largest RPC worms released, is it not? I am actually asking,
because I cannot remember one that exploited the same conditions or mimicked
the activities of Blaster.

I'd read through the bugtraq archives on securityfocus.com so you can really
get a sense of the kind of long-standing trouble RPC has been causing over
the years. RPC has been a long-standing issue; in fact, for the last few
years, most places have just started blocking RPC out to the internet and
given up on securing the protocol. It's caused many a headache to Samba
(where you can now guess passwords courtesy of RPC) and Windows. With all the
vulnerabilities that Windows goes through, a lot of the particulars get lost
in the grand river of crapulence that is Windows security. This is the first
worm to spread exclusively on an RPC exploit. And this is the worst RPC
exploit yet (hell, probably the worst Windows exploit yet). But by just the
sheer number of exploits that show up in Windows, if the systems doing
critical monitoring were open to all on the internet, surely we would have
been seeing outages like this beforehand; there have been thousands of
exploits against Windows since the monitoring systems went into place.


Also, you never know when a certain set of circumstances will permit one
thing to happen and not another. One of the nuances of multi-layered
technology.

Niagara somehow saw this coming and shut down all generators in time to stay
on the grid, and as the failure expanded more failsafes kicked in to contain
it.

CNN also said that the entire cascading shutdown occurred in 9 seconds total.

This means that the Niagara plant was one of the first in this cascade effect

Well yes, but since all the plants around the loop were hit just as fast, it
also means the problem originated in that loop :)

and would have had a fraction of that time to see a surge coming, and with the
speed at which we all know electrical surges travel there would be little to
no warning.

True, I'm not sure how they saw it coming. I suspect that one of the systems
at Niagara picked it up and started an emergency shutdown of the generators.
How long it takes the plants to get back up really is just a function of how
fast the generators were running when the grid went down around them. To get a
sense of what happens to a generator when cut off from the grid, put your
car into reverse and then drop-clutch it :) It's something like that. So, in
order to prevent any problems at Niagara, all they really had to do was to
get the generators mostly shut down by the time the surge tripped the stuff
up there. After that the surge probably bled off into the surrounding grid.

Also, Niagara's shutdown and how fast they had to shut down just shows that
the problem probably originated in the loop that they were feeding into.
More than likely what happened was, as the surge began in the loop, it tripped
some alarms at Niagara. Which fits the theory that something began with the
hardware in the power loop.


I am no power expert, I am just working with the facts provided to me, and my
uber leet math skills of adding and subtracting ;)

Well my l33t hax0r ski11z lead me to watch CNN and draw on experience :) But
really all any of us are doing is speculating. We will know for sure soon
enough; there are too many bureaucrats involved here for some pie-in-the-sky
conspiracy theory. For now we are just bouncing random theories around the
place.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

