Slashdot Mirror


CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab and CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).'"

14 of 66 comments

  1. hack the planet by trdtaylor · Score: 4, Insightful

    knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

    1. Re:hack the planet by Chrisq · Score: 3, Insightful

      knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

      Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

    2. Re:hack the planet by Quixadhal · Score: 2

      How's that old saying go? Security through obscurity is not security at all?

    3. Re:hack the planet by pla · Score: 4, Insightful

      knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

      This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like ModBus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000 compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).

      And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".

      The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.

    4. Re:hack the planet by Cenan · Score: 2

      My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

      The real threat is not some religious nut job in a cave somewhere, it's the ingenious people who spend months or years researching an attack vector, setting up the heist and making off with millions. You just need to switch out the "profit/greed" motivator with a "chaos" motivator to see why those guys are much more dangerous than any "terrorist" we've seen to date.

      Sure, bombs have a direct and altogether final consequence for the people nearby, but the blatant ignorance we display with regard to our digital infrastructure has a much larger potential for large scale harm.

      --
      ... whatever ...
    5. Re:hack the planet by ColdWetDog · Score: 2

      Your mom is calling. Dinner is ready.

      --
      Faster! Faster! Faster would be better!
  2. oh dear by cascadingstylesheet · Score: 2

    He acted like a human? We can't have that.

  3. The world is safe. by Thanshin · Score: 4, Insightful

    withdrew his scheduled talk

    That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    So... There are several people in possession of information that has a value and that has been publicly identified as valuable.

    No problem. Governments only hire people immune to corruption.

    1. Re:The world is safe. by DMUTPeregrine · Score: 2

      And, you know, no terrorist organization/malicious foreign government/etc has ever built a lab and done research once they know something can be done...

      Without knowing what the vulnerabilities are the users can't take steps to protect themselves other than researching to find the vulnerabilities. Attackers will be researching the vulnerabilities anyway. Censorship like this makes people less safe.

      --
      Not a sentence!
  4. Re:It's not bad security. by Chrisq · Score: 3, Insightful

    The government officials have forwarded the information to the appropriate security people.

    Information like that is obviously not for the general public.

    No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that it's fixed and look for other weaknesses.

  5. Self-censored? by Bogtha · Score: 5, Insightful

    Since his lab is under supervision of the French government, he was required to review his findings with authorities. [...] They told me that this presentation was unsuitable for being public [...] Filiol said his research is now classified.

    I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every intention of going ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.

    --
    Bogtha Bogtha Bogtha
  6. Re:It's not bad security. by Goaway · Score: 2

    No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that it's fixed and look for other weaknesses.

    That works for your chat program or web browser.

    Doesn't quite work that way for your power grid infrastructure.

  7. Re:Lol, sure by Goaway · Score: 2

    Well, do tell. How would it make you more secure to let everyone know about them?

    If it were your web browser, you could upgrade it to the latest patched version.

    But how do you upgrade your local power station?

  8. Re:Have we become so pre-programmed ? by plover · Score: 2

    Why should he hold back from publishing? You doubted three specific claims:

    A. The terrorists would have the technological know how to carry out the sabotage

    People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.

    B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks

    With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.

    C. The terrorists never suspect that what he said is after all, a "honeypot"

    A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and for potentially diverting them away from your own valuable systems. It can't catch them.

    I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.

    Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.

    --
    John