Wednesday, January 30, 2008

All your critical infrastructure are belong to us!

The other day during an application security 101 training course, I heard someone say that denial of service attacks are a thing of the past. I don't know the current statistics describing how many of these attacks take place today, and I'm also not quite sure of the context of the comment, but overall I would have to disagree. In fact, I also think DoS attacks will become more prevalent, while the services that get disabled reach far beyond networks and web servers.

Maybe he was saying network based DoS attacks are on the decline - although I would still disagree. But in reality, application security vulnerabilities open doors when it comes to finding ways to deny users legitimate use of a system. In far fewer packets than a SYN flood or other network based DoS, an attacker can exploit an SQL injection vulnerability to DROP TABLEs, rendering a database and application useless.

How long does it take to recover from dropped tables? That depends on a number of things. First, does the victim regularly back up data? Second, do they even realize what has happened? Third, when they realize what has happened, do they even know how many SQLi vectors exist in their application? And do they know how to fix them?

My above example still focuses on denying users the use of an application. What if the application controls a utility service - like your electricity, phone, or water? An article on Security Focus covers some interesting events disclosed by a CIA analyst: "In multiple incidents, unknown attackers breached the networks of utilities and disrupted the power to cities outside the United States. . ."

The devices and applications used to control systems such as power utilities, health care services, and other critical infrastructure are classified as Supervisory Control and Data Acquisition (SCADA) and Distributed Control System (DCS). Another Security Focus article talks about the debate between SCADA/DCS vendors and security researchers. While a researcher disclosing a popular OS flaw could bring havoc to some homes and businesses, the vendors complain that a researcher disclosing a security flaw in a SCADA/DCS system could lead to a breakdown of critical infrastructure.

Because of the work of independent security researchers, knowledge of SQL injection attacks has helped businesses learn to prevent them, respond to them, and fix them. This means that should your bank get hacked and tables dropped, they should be able to recover quickly. If security research is not done on SCADA/DCS systems, how do we, the general public, know that the vendors are aware of their problems and are educated on how to respond and fix them?

I could live with my bank being down for a week (keep your money in your mattress!). But I'd be pretty pissed off if I had no electricity because the power utility was being extorted.
