CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."

hack the planet

[trdtaylor]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

Re:hack the planet

[Chrisq]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

Re:hack the planet

[Quixadhal]

How's that old saying go? Security through obscurity is not security at all?

Re:hack the planet

[pla]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like ModBus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000 compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).

And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".

The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.

Re:hack the planet

[captainpanic]

Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.

Re:hack the planet

[DarkOx]

The corollary however is "loose lips sink ships".

I generally come down on the side of disclosure because when it comes to keeping secrets humans are not very good.

First some engineer has a few beers with his cousin, and starts a story out "the boss said don't tell anyone but..." and lets it slip it would possible to enable the thermal cleaning operation of some pressure probe on a gas line without first shutting off the gas, and things could get exciting and you could totally do this without authentication if could just get a connection to signaling bus. Then the cousin repeats this story somewhere for whatever reason and pretty soon the wrong guys hear about it. So just trying to keep it under wraps does not work.

The trick is making sure enough of the right kind of people know about it so the issue gets attention and fixed.

Re:hack the planet

[tsqr]

How's that old saying go? Security through obscurity is not security at all?

As usual, generalizations aren't woth a damn.

Should the Imperial Navy gave told the US Navy they were coming in 1941? Should Ike have let Adolf know it was going to be Normandy? Maybe the Brits should have told the Germans about Bletchley Park?

Sometimes obscurity is all you have to begin with. Sometimes it's all you'll ever have.

Re:hack the planet

[Cenan]

Bullshit. Why do people like you always assume that the fabled terrorist doesn't already know about these holes? Or are actively searching for them? If you've been following security for any length of time, you would know that in most cases the "bad guys" are many steps ahead of the researchers, if not on a whole other playing field. This renders the standard security by obscurity irrelevant, if not straight up dangerous.

But, suppose an imaginary terrorist group has decided that they wish to conduct some good old fashioned cyber-terrorism, what the fuck do you think they're going to do? Wait for a talk at some random conference? Or start utilizing the expertise they have on hand? The massive security holes in the digital infrastructure do not magically appear once a researcher publishes a paper on them, they were there all along. If you're a terrorist and itching for some mayhem, you're not going to sit idly by, twiddling your thumbs and waiting for the next research paper.

By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

Stupid terrorists go in the front door with guns blazing, and get gunned down in the courtyard. Smart terrorists exploit holes nobody is aware of to maximize their payoff.

* In this reply, the term terrorist is used as a stand-in for <insert scapegoat of choice>, a good choice could be the guys who did this, or this guy, or maybe these guys.

There are so many of them it's not even funny anymore, it has become easier to count the institutions with a grasp on their own security, then those without. So please good sir, wake the fuck up.

Re:hack the planet

[wonkey_monkey]

Should the Imperial Navy gave told the US Navy they were coming in 1941?

Well, kinda, yeah.

Re:hack the planet

[jbmartin6]

The fabled terrorist has had decades to exploit these weaknesses. And judging from the suppression of this research, he will have decades more after this. Where is he? So-called 'terrorist' attacks are very rare despite the huge number of airports, malls, sporting events, weddings, schools, subway trains, busy shipping ports, train stations, popular landmarks, etc etc etc. Yes there is a threat, just like any other sort of crime. But you are right, let's not imagine there are 'terrorists' sitting out there thinking 'gee I wish someone would give me a good idea on what to attack'

Re:hack the planet

[Cenan]

My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

The real threat is not some religious nut job in a cave somewhere, its the ingenious people who spend months or years researching an attack vector, setting up the heist and making off with millions. You just need to switch out the "profit/greed" motivator with a "chaos" motivator to see why those guys are much more dangerous than any "terrorist" we've seen to date.

Sure, bombs have a direct and altogether final consequence for the people nearby, but the blatant ignorance we display with regard to our digital infrastructure has a much larger potential for large scale harm.

Re:hack the planet

[tsqr]

Should the Imperial Navy gave told the US Navy they were coming in 1941?

Well, kinda, yeah.

Kinda, sorta... well, not really. The notification that the Japanese ambassador was supposed to deliver 30 minutes before the attack, but didn't deliver until after the attack had started, wasn't a declaration of war, or a warning that Hawaii was going to be attacked; it was a formal notification that negotiations were being broken off.

There is no denying that there were breakdowns in communication within US government and military that lessened the chances that we would figure out that an attack was imminent, and there were some moves by the Army (particularly the failure to disperse aircraft on the ground) that in hindsight look really boneheaded, but in the end, the Japanese successfully obscured their intentions and the attack was a complete surprise.

Re:hack the planet

[CanHasDIY]

Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.

By giving the information to a government, they are helping the terrorists.

Re:hack the planet

[CanHasDIY]

My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

That's not terrorism, it's larceny.

Terrorism is defined, at least by Google, as "the use of violence and intimidation in the pursuit of political aims."

Stealing credit card info isn't violent, nor intimidating. Let's stop conflating "terrorist" with "petty criminal," since doing so only makes it easier for governments around the globe to whittle away at our civil liberties.

Re:hack the planet

[Pope]

Since when does Google define anything? It's a search engine.

Re:hack the planet

[Fnord666]

By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.

Re:hack the planet

Having spent some time in the industrial controls space recently, it's not that simple. There is no such thing as a "quick patch". The ICS vendors frequently have little security experience (even now), there are no limited or no contractual clauses to enforce security updates and refresh periods for ICS system can be in the >15 year timelines.

It's getting better. Buyers are getting smarter and mandating this stuff for new installations, but if a vendor won't certify a patch for the system that operates your billion dollar water injection plant, or gas separation facility, as the operator you're out to dry.

Things like ping of death went away years ago in most business and consumer environments. That type of problem is still a critical issue for some industrial control environments where a malformed packet is enough to cause a failure.

I'm not advocating security through obscurity but some of these systems are remarkably fragile.

Re:hack the planet

[ColdWetDog]

Your mom is calling. Dinner is ready.

Re:hack the planet

[CanHasDIY]

Since when does Google define anything? It's a search engine.

Well, I would have said, "Terrorism is defined, at least by the website Google references," but for some reason they stopped putting the referenced site's name or URL with the definitions. I presume Dictionary.com is still the favored source.

oh dear

[cascadingstylesheet]

He acted like a human? We can't have that.

Re:oh dear

[Vitriol+Angst]

I think acting like a human and making course corrections is why "some" of my fellow Americans have issues with the French. They mistrust and fear that thing called empathy and reflection.

The world is safe.

[Thanshin]

withdrew his scheduled talk

That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.

Since his lab is under supervision of the French government, he was required to review his findings with authorities.

So... There are several people in possession of a information that has a value and that has been publicly identified as valuable.

No problem. Governments only hire people immune to corruption.

Re:The world is safe.

[DMUTPeregrine]

And, you know, no terrorist organization/malicious foreign government/etc has ever built a lab and done research once they know something can be done...

Without knowing what the vulnerabilities are the users can't take steps to protect themselves other than researching to find the vulnerabilities. Attackers will be researching the vulnerabilities anyway. Censorship like this makes people less safe.

Re:The world is safe.

[Tom]

So... There are several people in possession of a information that has a value and that has been publicly identified as valuable.

No problem. Governments only hire people immune to corruption.

There's an important difference. Yes, this information can be obtained by a determined adversary with considerable resources. Making it public, however, would mean every blabbering fool in a cave with an Internet connection has it.

That is quite a difference. We're all constantly going on about how we realize that there's no 100% security - this is just such a case. Making critical information hard to obtain is precisely what security is all about.

Still Don't Get It?

[some+old+guy]

All of this stuff about security, privacy, and accountability is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

The oligarchs who control our governments, security forces, and political parties, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

Seriously.

Can we just drop all the faux political drama and talk about, I don't know, programming or something?

Re:It's not bad security.

[Chrisq]

The government officials have forwarded the information to the appropriate security people.

Information like that is obviously not for the general public.

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

Self-censored?

[Bogtha]

Since his lab is under supervision of the French government, he was required to review his findings with authorities. [...] They told me that this presentation was unsuitable for being public [...] Filiol said his research is now classified.

I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every tiing ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.

Have we become so pre-programmed ?

[Taco+Cowboy]

Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

When I read what you wrote a feeling of sadness suddenly surged ...
 
Have we become so pre-programmed by TPTB that we start having second thoughts of our own liberties ?

Look around us ... The American journalists are doing exactly the same.

Instead of reporting what needs to be reported, however bad/ugly the news be, they begin to modify the story in such a way that it can "easier be consumed" and/or "not rocking the boat" and/or "not jeopardizing the country", and so on, and so forth.

So much so that Snowden had to share what he had with someone from UK instead of those from the US of A.

Back to the lecture and the so-called "subject" ... Why should he pulled back on what he was going to say just because someone told him that what he said could be used by the terrorists ?

The keyword is "could", which means, it's not certain at all that
A. The terrorists would have the technological know how to carry out the sabotage
B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks
C. The terrorists never suspect that what he said is after all, a "honeypot"

As all of us start to pulling in a little bit of ourselves, and as we continue to pull ourselves in, bit by bit, the big brother doesn't even need to lift his little pinky to achieve total control over our lives.

We are the nerds. We are the engineers. We are the one who build and engineer and find faults within the systems.

And if we start to NOT do what we are born to do - that is, to find faults to the existing systems, then we might just as well never been born.

Re:Have we become so pre-programmed ?

[plover]

Why should he hold back from publishing? You doubted three specific claims:

A. The terrorists would have the technological know how to carry out the sabotage

People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.

B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks

With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.

C. The terrorists never suspect that what he said is after all, a "honeypot"

A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and of potentially diverting them away from your own valuable systems. It can't catch them.

I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.

Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.

Re:It's not bad security.

[Goaway]

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

That works for you chat program or web browser.

Doesn't quite work that way for your power grid infrastructure.

Re:Lol, sure

[Goaway]

Well, do tell. How would it make you more secure to let everyone now about them?

If it were your web browser, you could upgrade it to the latest patched version.

But how do you upgrade your local power station?

As if...

[sidnelson13]

'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).

Should we really believe that the so called terrorists don't already know what he's talking about? And why should we believe that, just because it hasn't been exploited on a large, TERRORIST, scale?

I mean, be them terrorists, but very likely, they're not stupid. If he in 4 months "discovered" this, I see nothing keeping some bright young hacker with a strong motive from finding this out too.

Ugh.

[azav]

Can we stop using the term, "cyber" to mean "on or over the internet"?

Re:Lol, sure

[CanHasDIY]

But how do you upgrade your local power station?

Over the WAN. Or Sneakernet, for air-gapped systems.

You do realize that power stations are quite often manned, and the ones that aren't (including substations) receive regular visits from utility workers, right?

Re:Lol, sure

[Goaway]

No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.

Re:Lol, sure

[plover]

Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks?

The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.

The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recognize the need to patch it, their skint budgets are determined years in advance by city council members who are under pressure to fix the potholes, keep the police on the streets, and rein in taxes and spending. There is no budget this year or the next for overhauling the water systems infrastructure. These systems are a long way from being patched.

It could easily take several years to fix every system that needs fixing, even amidst the panic a world-wide hacking spree would induce. During those years, unpatched infrastructure installations around the globe would be hacked, with very negative consequences.

Re:Lol, sure

[CanHasDIY]

No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.

That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.

However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it. Not to mention, we've got a bunch of pretty smart people in the public-at-large, so maybe it wouldn't be a terrible idea to let some of them pore over the code to make sure there aren't any other problems these particular researchers happened to miss.

We're no safer for this, but...

[MiniMike]

We're no safer for his withdrawing the paper, but at least any attacks can't be traced back to info provided by him (even if it's accessible elsewhere). I'm guessing this is a CYA move. Hopefully he shares any info on security flaws with people from the relevant organizations.

Re:Lol, sure

[Goaway]

That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.

You realise you can actually inform the power company without informing the public at large?

However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it.

The problem is, you can't just fix these things instantly. This isn't like your web browser, as I said. You don't just push out a quick bug fix and install it. These things run terrible ancient legacy code that you don't even know if anyone knows any more. Fixing them can be a very long process. During all that time, you'll be vulnerable, and can't do anything about it.