SCADA, or Supervisory Control And Data Acquisition, security breaches are not often heard about. At least, not at the same level of other sorts of computer crimes. But SCADA has the potential to impact the physical environment, physical security, and personal safety of all of us, so such incidents should not be taken lightly.

For those who are unfamiliar with SCADA, it’s basically about computer systems and networks that monitor and control industrial, infrastructure, or facility-based processes. For example, SCADA systems are used to manage and operate power generation plants or water treatment plants. In buildings, SCADA can be behind the operation of electrical systems, elevator controls, air-conditioning systems, etc.

SCADA was not built with very much security at the beginning. This is not unlike how our various Internet protocols weren’t very secure either in the early ages of the Internet. Much of SCADA security used to depend on its physical interconnections being “physically secure”. The scary thing is that SCADA systems are now often linked, or are converged, with computer data networks, and you know how that makes it so much more convenient for the bad guys to penetrate and disrupt SCADA systems.

While in the past, the logic controls of various processes were often hard-wired into the devices and control systems themselves, nowadays much of the monitoring and control are centralized and remotely managed through SCADA.

Let me illustrate with an example. An old failover air-con system might be designed with hard-wired electrical or mechanical controls. If the main air-con fails to maintain room temperature, a thermostat will start up a standby air-con once the temperature breaches a certain threshold. This is old school. With intelligent building controls, sensors deliver data to a central computer system which decides, and then, sends out a command signal to start the standby air-con. This sounds quite uninteresting, and perhaps you don’t see how it can lead to serious safety problems. But, imagine, if this hard-wired mechanism were, instead, a safety system that opens a release valve of a chamber when its internal pressure breaches a certain threshold. Let’s say it’s now replaced by a SCADA network, managed by a remote computer system. A malicious hacker gets in and alters the control program or sabotages the computer so that it never sends the command to open the safety valve. If pressure builds up and there’s no way to relief it, then eventually the chamber will break and explode.

I’m surprised that the blackout at Marina Bay Sands had to do with misuse of SCADA systems. An insider had, while accessing the system remotely, caused the blackout. More interesting is how the people on-site could not rectify the problem, and that the police had to be called to compel that person to cooperate, before the blackout was rectified. Although this incident was a big embarrassment to Marina Bay Sands, it didn’t really have any real threat to people’s safety.

But considering what SCADA system can be used for, it is worrying how, when, and what the next SCADA breach might result in. It’s high time for SCADA users to seriously rethink how their systems are used, and to ensure appropriate safeguards and fail-proof capabilities and built in.

Related posts:

1. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
2. Security Cannot Be Slapped On Many people are still not getting it. IT security has...
3. ESET Endpoint Security Solutions Let me guess. You might have heard of ESET, but...

I attended their blogger engagement event a couple of days ago. They were announcing their new flagship product ESET Endpoint Solutions for enterprise customers. They also shared the imminent availability of ESET Mobile Security for Android.

ESET isn’t a new anti-virus company. They have been in business since 1992. Their anti-virus product, NOD32, was created by two of their founders prior to that in 1987. That’s some 20 years and 25 years ago respectively. ESET is pretty proud to lay claim to be the only company to win an unbroken string of 47 Virus Bulletin’s VB100 awards, and their overall win of 71 VB100 awards is more than any other company. They have also received a variety of certifications from AV-Test, TUV, and West Coast Labs.

ESET’s Endpoint Solutions for enterprise customers come as two products: Endpoint Security and Endpoint Antivirus. Both products build upon their NOD32 anti-virus scanning technology to deliver a proactive approach to detect current and new malware and other Internet threats. They offer whitelisting of “safe files” that are cross-checked against their reputation database for optimized performance. As an enterprise solution, these products also feature enhanced ESET Remote Administrator, a control panel for centrally managing clients.

The Endpoint Security product offers additional features over Endpoint Antivirus, such as a firewall, web-control and spam-filter.

ESET’s enterprise-friendly licensing focuses on seat-count, regardless of the type of device being protected. If you are faced with an environment comprising Windows, Mac OS X and Linux operating systems, you just need to buy licenses for that number of devices without having to work out how many of each type of operating systems you have, or worry about how that mix of operating systems might change in future.

For me, an important feature, but one that is often not talked about, is performance. ESET’s use of assembly language delivers the tightest performance with low CPU overheads, memory overheads and disk utilization. Anti-virus protection is important, but you wouldn’t want that to impact the performance of your computer.

The next thing is their Android product, ESET Mobile Security for Android. It’s set to become available in the Google Play store on 2 May 2012. Here’s a preview of their feature list:

• Remote Lock
• Remote Wipe
• GPS Localization
• SIM Matching
• Trusted Friend
• Call Blocking
• Uninstall Protection
• SMS/MMS Anti-spam
• Real-time Protection
• Security Audit
• On-access Scanning
• On-demand Scanning

A nice thing about the remote features (such as Remote Lock, Remote Wipe and GPS Localization) is that they are accessed and managed via SMS. There is no central server like MobileMe or iCloud in the case of Apple’s iOS.

I’m still quite undecided if I need anti-virus on my mobile phone. But if you’re the type who feel you can’t be too careful with security, checkout ESET Mobile Security for Android when it becomes available on Wednesday.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. PCs and Viruses Sometimes, I think we’re doomed. Our IT, our cyberspace, they...
3. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...

If hackers can capture the traffic between your device and Facebook servers, they could easily obtain your Facebook session key and, subsequently, use it to hijack your Facebook session.

There is another important factor, of course. Does the Facebook App communicate with Facebook servers using HTTP or HTTPS (i.e. encrypted with SSL)?

The trainer said it was HTTP. Oops. I’ve thought about the question before, but I’ve always assumed Facebook would not build such a crappy app. Facebook seems to be reasonably mindful about security, so I assumed the app would use HTTPS. Assumptions, of course, are no good.

I don’t normally use Wifi on my smartphone. So on the one hand, this does not really concern me, but it still did, because I didn’t know if it was HTTP or HTTPS, and it’s always possible that one day I would wrongly assume that my using the Facebook App on an open Wifi network would be “okay”. Actually, I don’t even have to actively use the Facebook App, since it could well connect to Facebook servers in the background to check for notifications. So if one fine day I wanted to use a free Wifi network for whatever reason, my Facebook App could be leaking my session ID without my knowledge.

So, curiosity got the better of me. Today, I had to check it out. I configured my phone to use Wifi, and then snooped on the outgoing traffic to the Internet. Here’s a snippet from tcpdump.

12:05:43.858472 IP 137.132.84.14.50622 > 69.171.234.98.https: S 2381719600:2381719600(0) win 14600 <mss 1380,sackOK,timestamp 12717020 0,nop,wscale 2>

So basically that means the Facebook App uses HTTPS. This is version 1.8.4 of the Facebook for Android app. I can’t guarantee it will be HTTPS for you. If you are as concerned as I am, you probably should check it out yourself too!

Having thought about the whole situation, I think the safest bet is to avoid using Wifi, particularly open Wifi networks. Some crappy applications could, in the background, connect insecurely and send secrets out in plaintext. It’s too easy for drive-by hackers to collect credentials and other personal information.

Although the real problem is with applications communicating insecurely, using 3G data sort of helps a little bit because, well, you are less exposed. The telco, ISP, or other network infrastructure that carries your traffic could still snoop your traffic, but well, we hope those people are not bad people. At the very least, by ensuring you only use 3G for your data connectivity, you’ve locked out drive-by hackers who prey on Wifi.

I don’t usually connect to Wifi since 3G is available everywhere and there’s no way I can ordinarily use up my monthly bandwidth quota. But I’ve not really thought about Wifi being bad. Now I do. This will be a good reason to remind myself not to turn on Wifi on my smartphone.

Related posts:

1. The Day Facebook Banned Me for 24 Hours It happened to me. “Your account is temporarily unavailable due...
2. Blog Integration With Facebook It hasn’t really been a long time since my last...
3. Mobile Phone and PDA Setup More people than ever are carrying around smart phones these...

“What is the first thing we should check when we turn on our computer?”

I don’t know, what are we supposed to check? That the computer looks to be working, so that I can go on to do whatever it is I want to do?

The correct answer: “Of course having a look at your anti-virus application is the place to start.  Is it running?  Are the databases current?”

Oh. To think that I’m a certified CISSP. *oops*

I think we’ve all come to take things very much for granted. Mac OS X is my primary work environment. I know, viruses can hit Macs too. But the reality is that most Mac users get by without any anti-virus protection and they do fine.

I don’t have anti-virus protection on my Mac. I use a lot of Unix as well, including both Linux and Solaris. I don’t have anti-virus protection in those environments either. I seem to be setting a very bad example. I can try to get away with the defense that “viruses are a Windows problem”, but the reality is that viruses can hit Mac, Linux, and Solaris environments well. Why are we not concerned?

That’s a very good question, and I don’t have a very good answer. I have lousy answers about how Unix environments are different, that they are inherently more secure, etc. But well, so what. There are viruses and trojans designed for Unix environments.

[While writing this, I reconsidered my need for anti-virus protection on my Mac. After reviewing several anti-virus applications available for Mac OS X, I ended up still not taking any action. More about this later.]

Just to do my bit to spread the educational message, the ISC2 post preaches several things that you should do:

1. Check that your anti-virus application is running and that its database is up-to-date (less than 24 hours old).
2. Check that you have installed all relevant patches and updates for your operating system and other applications.
3. Check that you have a firewall between your computer and the Internet. For example, connect your computer through a broadband router before your broadband Internet connection.
4. Some other advice about online shopping, details I’ll omit because they aren’t directly relevant to what I want to focus on.

Do you do any of the above 1 – 3? I’m embarrassed to say I don’t.

I assume my Mac OS X will take care of automatically installing all relevant updates. I do have a broadband router at home, and perhaps the corporate firewall at work counts when I’m in office. But I don’t suppose my smartphone counts as a firewall when I’m tethering its 3G connection. I presume the author did not consider the firewall built into the operating system as sufficient.

I am, perhaps, guilty of having taken security for granted.

But, really, am I supposed to do all that? If I own multiple computers, am I suppose to repeat that for each one of them? What about my other smart devices? Like smartphones and tablets and music players. We all assume magic happens on those devices, right?

I think the idea of having to check anti-virus status, operating system updates, and application software updates should be a thing of the past. Modern smart devices should just work for the user. If the smart device doesn’t work, it should be banished, and its reputation should be forever tainted. At least until it can proof to users that it is a dependable device.

Compare these with other sorts of household appliance or “systems” in your life. Your car, for example. You buy the car, and you expect the car should just work. If there is a fatal flaw discovered with your car, the manufacturer should recall it and get it repaired. You don’t keep checking in with the manufacturer or car dealership to see if there is something that you should be aware of.

Alright, maybe cars aren’t the best analogy. Afterall, you are supposed to bring in the car for regular servicing. But I might argue that this is akin to “tuning up” your computer once a while – such as by defragmenting your hard disk, clearing out unneeded data, etc.

Let’s try another analogy. The microwave oven. It should just work. The microwave oven does not need regular checkups or servicing. You don’t have to check in with the manufacturer about product defects. If there is some safety issue about the microwave oven, the manufacturer should tell you and fix it for you.

If the microwave oven manufacturer fails to live up to your expectation of having delivered at least a reasonably good, working, and safe product, you are likely not ever going to buy anything from them again. You’re also going to complain about them to all your friends and encourage them to boycott this manufacturer.

Computers, nowadays, aren’t those same computers we’ve been tinkering with over the last couple of decades. They have become blackbox appliances. In fact, things have gotten very blurry nowadays, since some traditional appliances have also become little computers. Tell me, are you actually going to check if your car’s Engine Control Unit (ECU), which is a sort of a computer, has had latest security updates installed? How about your set-top box? Your smart TV?

On the two dominant mobile platforms, Android and iOS, updates to both operating system and applications are automatic. It’s not like you really have to care about them. Of course you could do a “go check for updates now” procedure if the system is not picking up an important update fast enough. But conversely, if there is a security problem and the manufacturer does not want to fix it, you don’t really have a reasonably straight-forward option to fix it yourself.

So, I think the practice of “safe computing” nowadays has evolved. Checking and installing security updates is a routine and mundane task that should be automated by the computer. That’s what computers are good at doing. If your smart device cannot get this done correctly, then condemn it and move on to something else better.

Humans should focus on high-level things. Fuzzy things. Things that computers might not be so smart at doing. Like figuring out and identifying phishing attacks. Defending against social engineering attacks. Humans are smart. Maybe they still need some training and awareness education, but these are things they can handle.

I’m shocked to come across an incident at work this week involving a research staff having fallen prey to a dumb phishing email. It is so unbelievable that a research staff from a computing school could follow a phishing link, and supply his/her username and password to a very suspicious looking website. How could we expect an ordinary person to know better?

I hope that is just one single freak accident. I don’t have figures on the “success rate” or “hit rate” of phishing attacks, but obviously, any success or hit is bad enough. Some one or other will fall prey to such attacks. Anti-phishing software, like anti-spam software, aren’t perfect. This is where we need humans to use their common sense.

Earlier, I said I didn’t have any anti-virus software. I haven’t had one for some time. It sounds so “wrong” for an IT security person to say that. But I think the danger nowadays is a lot more than just about viruses and trojans. In fact, viruses and trojans probably aren’t a very significant part in the big picture anymore.

Consider that some of our smart devices are primarily web browsing platforms. Google’s Chrome OS, for example, is basically an operating system with a web browser. All your applications are web applications. In these sort of environment, your main threats are likely to be in the applications delivered through the web. It is probably easier to secure that single web browser system, than the traditional computer which runs too many native applications, against attacks of a “technical nature”.

The bigger danger is probably going to come from new attack vectors. Like applications within some other application ecosystem, such as Facebook applications. We need to watch out for new things.

The older attacks primarily wanted access to some computer or device that you have. New attacks, on the other hand, want access to some sort of identity or online account that you have. For example, your email account Facebook account, bank account, or credit card information. So it is not just access to physical devices that you should worry about, but also access to your identity, your account, and even just information about yourself.

Luckily I don’t have to teach kids about safe computing. I don’t know how to explain these things to children.

Related posts:

1. Horrors of Online Banking At the risk of sounding like I’m technophobic, distrustful of...
2. What’s Wrong with “Made in Thailand” What’s wrong with “Made in Thailand?” It’s funny that we...
3. Balloting for Your Browser European PC users are going to have to make a...

All these protection tools are nice. But ultimately, what’s most important is that the operating environment is secure, and that users are properly educated about IT security. I really don’t know how helpful this Google Safe Browsing really is. But quite clearly warnings about invalid SSL certificates are often routinely ignored by users. People want to visit their website. They don’t want to care about the technical hinderances.

Back to HardwareZone. I didn’t go find out where the malware is. I imagined it is probably something snuck in by a bad guy through a forum posting. In practice, these things are getting increasingly more troublesome to handle because of the interactivity of the web we use today. However, Google Safe Browsing Diagnostics say the problem is with sites.hardwarezone.com. A cursory glance just shows it mostly hosting advertisements, CSS files, images, etc. I wonder, what could be wrong with the site.

Related posts:

1. First Chrome, Now Stainless The browsers war is heating up again. It’s not Internet...
2. A Tale of Two Nexus S Phones I was quite intrigued to learn that the Nexus S...
3. Is Google or Yahoo More Popular? I’ve started running some web analytics on my web access...

Okay, I know, computer viruses are indeed rampant and everywhere. But if it is on your own computer, you don’t just give up and surrender, do you? I’m talking about IT professionals here.

Some time ago I was stunned by the remarks of the keynote speaker of a security conference, who apparently was resigned to sharing her notebook with a virus. It is just so bizarre that an IT security professional would say such a thing, and more so in an IT security conference.

So what happened? Well, to safeguard the anonymity of the person, system and circumstances involved (it’s a security system too, after all), let’s just say: System administrator didn’t actually consider the virus infection to be a significant event that had to be dealt with urgently. In fact, the said system administrator was, like the above keynote speaker, resigned to living with the virus.

I think we have a serious problem. Not that I don’t know already.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. ESET Endpoint Security Solutions Let me guess. You might have heard of ESET, but...
3. What Do You Know About Safe Online Computing What do we really know about safe computing? I was...

Some people think IT security is like real world physical security. You can design and construct a building, then sort out details like the locks, the doors, and the perimeter fencing later. When you take this idea to build application systems, the idea is that you can figure out authentication, access controls and firewalls later. Unfortunately, things aren’t so simple.

The truth is that things aren’t so straight forward in the physical world either. It’s just that with the physical world, the flaws can be seen more obviously, so if you think more deeply, you can appreciate new angles that need to be tackled and deal with the risks as needed. For example, people understand that there can be threats like bombs, gate-crashing vehicles, fire, floods, etc, and if these need to be dealt with, they will do so. Obviously, some of these issues need to be thought out during the design phases of the building project.

With application systems, the threats are not seen, and they are not properly appreciated. You can tell people about them, but many will still not give the entire matter of IT security due attention.

The worst of it is when people know a little, but think they know “enough”, will do something in-between to address the risks, then live in the false sense of security that all threats have been sufficiently neutralized. Knowing “a little” is often more dangerous than not knowing at all.

Security needs to be addressed holistically. You’ve probably heard the saying that the chain is only as strong as the weakest link. There is no point in fortifying a single component in the chain. If you make the front door of your house so difficult to break into, the burglar would just climb in through the window.

Another thing that I hear from time to time is about security through obscurity. In this day and age, some IT people still believe in this. It’s funny that I’m doing my reservist now, and it has something to do with security too. The army is very much a firm believer in security through secrecy. It doesn’t work. But the people who run it thinks it does. Oh well, maybe they really do know better, but things are just being implemented wrongly.

The 911 incident is probably about one of the most tech-savvy terrorist attacks to date. It’s not IT, no doubt. But they’ve moved on from making bombs to flying big planes. Just think what might be possible had terrorists turned to IT security vulnerabilities. I still cannot believe that one of the big take-home messages from a SCADA security talk I attended was to keep your Windows patches up-to-date.

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. SCADA Security Talk This would be my first visit to Nanyang Polytechnic. I...
3. Caring For End-Users’ Security In the past, most companies don’t care. They do sell...

But according to the Web Application Security Trend Report (Q1-Q2 2009) by Cenzic, the numbers do show Firefox taking the lead with vulnerability to 44% of 3100 exploits tracked. Microsoft Internet Explorer came in at 15%. Safari scored surprisingly badly too at 35%, but this was explained by the new inclusion of iPhone and iPod Touch web browsers under the category of Safari in this report. (In the previous report for Q3-Q4 2008, Safari came in at 8%, Firefox at 39% and Microsoft Internet Explorer at 43%).)

Now, I’d be thinking twice when Firefox says it’s the safest way to surf the web. I don’t know where Safari stands when the numbers for iPhones and iPod Touches are omitted, but it does seem ironical to be telling users now that Microsoft Internet Explorer is probably the way to go if you care about your security.

Related posts:

1. Balloting for Your Browser European PC users are going to have to make a...
2. Browser Wars The browser wars are heating up. As some of you...
3. The New Safari Apple recently released a new version of their Safari browser,...

That’s all happened in just half a week. It could have been worse, had it been some other operating system, and it’s not really all that bothersome if you consider that many of the updates happen automatically. “Automatically”, however, could typically be any time in a one week window, since automatic checks are often configured to happen at weekly intervals. Furthermore, that’s all assuming that you are using your computer and it is connected to the Internet at reasonable broadband speeds.

It’s just one computer, or just one device. Yet there are so many updates to talk about. Sometimes I’d think life would be so much easier had all the software been sufficiently tightly integrated so that users just need to know of one update. Perhaps moving all the apps to the web (or the “Internet”) will make this easier. You’d still need some basic operating system, a web browser, and device drivers to take care of, but I suppose this would be much easier to manage.

Update (13 Nov 2009): To add to the update week is WordPress 2.8.6, released today.

Related posts:

1. Long Wait for Nokia Phone Software Updates The Nokia N97 software v12.0.024 became available on 18 Aug...
2. Nokia Phone Software Updates Nokia phones, just like other phones, contain software (or sometimes...
3. Mac OS X vs Windows Updates Versioning Apple posts updates to their Mac OS X operating system...

I think I’m too pragmatic. I think about how difficult all this will be. Realistically, will we ever have a secure Internet? We may build better defenses, the bad guys will develop better attacks. Can we ever have an Internet police? Can we ever ever have an Internet passport? I had expected a lecture on concrete steps we can take towards better security on the Internet. These ideas are too distant.

Maybe I’m a bit to sarcastic. Where is Kaspersky in Gartner’s magic quadrant?

Related posts:

1. SecurityVision 2009 Lacks Security Vision In the past week, I attended an IDC conference SecurityVision...
2. Fighting With Microsoft Word It’s amazing how difficult it can be to use Microsoft...
3. Keeping WordPress Secure A hot topic going around in WordPress circles now is...