
Zero-Day Exploit Targets IE

Discussion in 'Fred's House of Pancakes' started by Sufferin' Prius Envy, Nov 22, 2005.

  1. hobbit

    hobbit Senior Member

    Joined:
    Mar 23, 2005
    4,089
    468
    0
    Location:
    Bahstahn
    Vehicle:
    2004 Prius
    Model:
    N/A
    Explorer.exe is not IE, it's the desktop environment thingie.
    IE is iexplore.exe, and lives under "\program files" someplace.
    If you want to get rid of it, you have to go after its mirror in
    \winnt\system32\dllcache\iexplore.exe first, so windoze can't
    quietly replace it as soon as you delete it. And that only gets
    rid of the front end application, of course; all the sub-pieces and
    DLLs that much of the UI runs on are probably where the major vulns
    live but if you've installed something else and made it your default
    browser, that's progress.
    .
    _H*
     
  2. jayman

    jayman Senior Member

    Joined:
    Oct 21, 2004
    13,439
    639
    0
    Location:
    Winnipeg Manitoba
    Vehicle:
    2004 Prius
    Sorry I was typing quickly, that is what I meant: iexplore.exe. Trying to kill explorer.exe can cause problems, not recommended.

    The IT folks at work are NOT impressed though. Mr. Chieu's first comment to me was "oh great, another Microsoft f*** up!" And he normally doesn't use language like that.

    I think Chieu put in a LOT of extra time last evening trying to figure out a workaround. He asked me to try my workstation first thing this morning and the exploit that Patrick mentioned no longer works.

    We have really been worried about remote exploits on industrial networks for the past 4-5 years now. Most remote sites use SCADA and the front end is usually a Windows workstation. The backend equipment - RTDs, PLCs, ORPs, positioners, etc - run highly secure embedded systems, so I don't worry about them.

    However, once you compromise the Windows frontend, it's easy to at least get a view to the process. Since the workstation is also used to change process parameters, it's easy to spoof a control system into believing the legitimate user is making the change. Like the following example:

    http://www.securityscada.com/pages/scadarole.html

    It really has helped our productivity endlessly chasing bugs and security exploits. If anybody thinks I'm mean by not allowing plant control rooms access to the Internet, think again.
     
  3. Mystery Squid

    Mystery Squid Junior Member

    Joined:
    May 18, 2005
    2
    3
    0
    Yeah, but that's MSFT's fault too...

    :lol:
     
  4. Mystery Squid

    :lol:

    We had a guy just like you when I worked in IT, all that did was drive us to figure out a way around so we could screw off at night and surf.

    We were successful within a very short period of time, and he never got wind of it until maybe a year later...


    :ph34r:
     
  5. jayman

    Around a year ago at a chemical plant, an operator figured out a workaround to my ban on external Internet access from the control system workstation. He was close enough to a wi-fi hotspot that he simply brought along his wi-fi from home and plugged it in.

    He also picked up a worm that shut down the entire frontend control network, causing an HCL spill that resulted in fairly hefty fines. Naturally we were blamed for it.

    Fortunately, that chemical plant had good security, including hidden cameras. We were able to prove he hooked up the wireless router to surf, which was in strict violation of company rules.

    Thanks to the huge chemical spill, and the security video, he was fired.

    I don't have a problem with somebody bringing their personal notebook computer to work, assuming they don't try to access confidential files to steal. They can use their personal notebook and a wi-fi card to surf to their hearts content. But don't try the same stunt with a critical control system.
     
  6. Mystery Squid

    That's exactly the sort of propaganda story employers would relate to keep employees "in-line".

    I would imagine, if it were THAT important, you'd have the system buttoned-down tight in the first place to exclude the "human error/intervention" component. I mean c'mon, such "lax" security whereas one of the potential resultants is a "chemical spill"? I'd say whomever engineered the infrastructure is to blame far more than he was.
     
  7. Maytrix

    Maytrix Member

    Joined:
    Aug 22, 2005
    742
    7
    0
    Location:
    Marlborough, Mass
    Vehicle:
    2009 Prius
    Model:
    N/A
    I blame it 100% on the IT Managers. They are often too afraid to upgrade and that's often due to them not knowing the next releases as well as they know their current version.
     
  8. jayman

    Since you claim you are/were in IT (Let me guess, you got fired?), all I can suggest is that you tour the control rooms of a few chemical plants and refineries. In every control room, access to the Internet is strictly forbidden.

    I will agree that the twin requirements of ease-of-install and security are contradictory. Many companies are extremely pressed to reduce IT expenditures, so the vendors have products that are mostly plug-and-play of some sort.

    Due to the ease of installation, it was very easy for the operator - who was later fired - to plug a wifi router into the internal LAN. The system naturally assumes the device added truly does belong.

    The vendors have come a long way in locking down their systems, while ensuring the system still works as intended. We're a long way from the Nirvana of any off-the-shelf computer being able to act as a frontend to run a critical process, and I'm the first to admit it.

    The vendors that support fully IEC-compliant Safety Instrumented Systems also require complete isolation from conventional Internet access to ensure plant and personnel safety. As an example:

    http://www.easydeltav.com/keytechnologies/sis/index.asp

    http://www.easydeltav.com/pd/PDS_ControlNetworkhardware.pdf

    http://www.easydeltav.com/pd/PDS_deltav_operate.pdf

    http://www.easydeltav.com/pd/WP_BestPrac_CyberSec.pdf

    I strongly encourage you to look through the white papers, detailed product descriptions, and case studies to verify this for yourself.

    I must admit I find your comments amusing and ironic. On the one hand, you boast of finding workarounds to your IT department's security protocols, like it was a big game. I suppose for you it WAS a big game.

    On the other hand, you appear to blame me or my team in general for not designing "goof proof" hardware. So the operator who violated our client's Employee Policy was able to sneak an unauthorized router past security, eventually leading up to the HCL (Hydrochloric acid) spill.

    We tried the "absolute" lockdown route for awhile and the clients screamed too much: every little change required us onsite, which had enormous costs associated. So we stick with fairly secure systems and the clients have strict Employee Policy wording about tampering and outside access.

    If you are as qualified as you state you are, perhaps send me a PM with your C.V. attached (Word or pdf, expected salary, etc). We're always on the lookout for new qualified talent, and depending on your skills and GPA (Minimum 3.7 in your core study, minimum 3.5 average) the contract will have a very high upset limit.
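    A defender's counterpart to the point above that the system "naturally assumes the device added truly does belong": an added example (not from this thread, nor any vendor's software) that checks an operator station's ARP cache against the site's asset inventory and flags hardware nobody registered, an asset address answered by foreign hardware, and a known asset appearing at the wrong address. The inventory, hostnames and the `arp -a` capture are constructed sample data.

```python
import re

# Asset inventory for the control LAN, MAC -> (hostname, assigned IP).
# Constructed sample data; in practice this comes from the site's asset register.
INVENTORY = {
    "00:50:56:aa:00:01": ("CTRL-GW", "10.10.0.1"),
    "00:50:56:aa:01:01": ("OPSTATION-01", "10.10.0.11"),
    "00:50:56:aa:02:01": ("PLC-REACTOR-1", "10.10.0.21"),
}

# Constructed `arp -a` output as captured on the Windows operator station.
SAMPLE_ARP = """\
Interface: 10.10.0.11 --- 0x4
  Internet Address      Physical Address      Type
  10.10.0.1             00-50-56-aa-00-01     dynamic
  10.10.0.21            d8-5d-4c-12-34-56     dynamic
  10.10.0.250           d8-5d-4c-12-34-57     dynamic
  10.10.0.99            00-50-56-aa-02-01     dynamic
"""

# Matches "<ip> <mac> <type>" rows; MACs may be dash- or colon-separated.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+\w+"
)


def parse_arp(text):
    """Return (ip, mac) pairs with MACs normalised to lowercase colon form."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower().replace("-", ":")))
    return pairs


def audit(pairs, inventory=INVENTORY):
    """Compare live ARP entries with the inventory and return three finding lists."""
    ip_to_asset = {ip: (mac, name) for mac, (name, ip) in inventory.items()}
    findings = {"unknown_mac": [], "ip_hijack": [], "moved": []}
    for ip, mac in pairs:
        if mac not in inventory:
            # Hardware nobody registered, e.g. a consumer wi-fi router on the LAN.
            findings["unknown_mac"].append((ip, mac))
            if ip in ip_to_asset:
                # An asset's address now answers from foreign hardware.
                findings["ip_hijack"].append((ip, ip_to_asset[ip][1], mac))
        else:
            name, expected_ip = inventory[mac]
            if ip != expected_ip:
                # Known asset at an unexpected address, e.g. re-addressed by a rogue DHCP server.
                findings["moved"].append((name, expected_ip, ip))
    return findings
```

    Run against the sample, the check reports the unregistered router at 10.10.0.250, the PLC's address answered by that router's hardware, and the PLC itself re-addressed to 10.10.0.99.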
     
  9. Mystery Squid

    :lol:

    1. I was never fired, as a matter of fact, I retain an excellent relationship with that employer, besides, totally different field, no chemical spills to worry about.

    2. I have zero interest in reading the white papers.

    3. Unlike some of us, I have no need, want, urge, desire to "prove" my worth to a couple of id's on a message board, or anywhere else for that matter. Take that how you like, I really could care less. However, those that DO go out of their way to bolster their credibility (on a message board nonetheless) are usually the ones with the most "issues", particularly with respect to self confidence and esteem.

    Finally, I just had to point this out:

    Then if there's anyone to blame, it's your client. If you have something that volatile and important, you'll make it far more bullet proof than allow such easy compromise...

    ;)
     
  10. jayman

    Whatever.

    You were the one that appeared to suddenly know everything about process control, making it seem so easy.
     
  11. Mystery Squid

    No one claimed to. It doesn't take a genius to analyze problems on a macro scale. The details, now that's a different story...

    Thing is jayman I've come across soooo many people in my line of work throughout the years, who have claimed to be, and in many cases were, highly qualified for either this or that who have turned out to be total failures when called upon to make use of their supposedly vast knowledge. This is why I generally take what I read with a grain of salt. Further, it's been my experience those who go out of their way to showcase/bolster their abilities, are, in fact, the ones to scrutinize the hardest, which, in my case, triggers the "red light". There are plenty of highly educated idiots out there, as a matter of fact, it's almost a proverb.

    ;)
     
  12. hobbit

    What I can't understand is why the industry ever went down the path
    of using microsoft boxes as control heads in the first place. Why
    not Suns, or linux boxes, or anything else with a much better known
    security piece that could do the necessary graphics? And as far as
    control-room surfing -- would employees accept having the ability
    to use the internet as long as it was kept STRICTLY air-gapped from
    the control networks they do their jobs on?
    .
    All of these things seem so solvable with a little common sense..
    .
    _H*
     
  13. jayman

    I have learned the hard way, over 25 years, NOT to assume anything. Not the least of which is "common sense" on everybody's part. The situation usually degrades into a pissing contest between staff, management, IT, etc.

    If the world ran off Common Sense, we'd all get along, and there would be no hunger.
     
  14. jayman

    I think a lot of "fear" to upgrading is the Unknown. When NT first became popular for control room use, IT folks would blindly install whatever update Microsoft provided, without production testing in-house. Some of those SPs were a disaster.

    On average, we have to spend 2 weeks doing iteration testing to have a reasonable chance of ensuring the "update" doesn't break anything.
     
  15. jayman

    Yes, I am always in a "crisis mode" fixing other "experts'" mistakes. As a matter of fact, I rarely have time to do good original design and coding anymore.

    I have also encountered many "technicians" who claim vastly superior technical knowledge - in some cases perhaps true to a certain extent - but have such a Micro perspective they cannot fit their knowledge into the Macro requirement.

    My "red flag" mode turns on when somebody claims something is very easy to implement and/or fix.
     
  16. Mystery Squid

    ;)