Windows 10 Lean – Microsoft’s essential step (back) to the future?

29 April 2018

The report “Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS” (1) published by Liam Tung on 24 April 2018 at ZDNet made me really curios.

Why is the industry in desperate need of a cut-down Windows OS? To answer this question we need to dig into the history of computing.

Tandberg TDV 1200 Terminal. Picture Credits (2)

Tandberg TDV 1200 (2)

In the nineteen sixties and seventies IT business was largely based on host-based computing. Usually the end-user devices were character based terminals with very restricted functionality. Business reports or letters were a real challenge on a Tandberg terminal with IBM ISPF. Individual changes to the user interface were usually limited to the change of the highlight colors and the function key assignment.

Apollo Domain DN330 Workstation

Apollo Domain DN330 (3)

The introduction of server-based computing in the nineteen seventies was a significant benefit for the end users. Graphics-based workstations, often diskless, opened up new fields of application, e.g. desktop publishing, CAD or CAPE. Here, too, the users had only limited options to customize the user interface or to install applications.

With the introduction of Windows NT AS 3.1 in 1993 everything changed. For the first time an operating system had an easy to use graphical user interface, was easy to operate through this GUI , and had easy to use inbuilt peer-to-peer networking capabilities. This was the Wild West for the users.

Unfortunately, very often the Wild West ended up in chaos. With Windows 2000 everything was under control again. Server-based computing was the standard again, peer-to-peer networking capabilities were hardly used.

SAAS, e.g. O365, OneDrive, Sharepoint Online, Box for Business or Google’s G Suite, takes us eventually back to host-based computing: The cloud is the new host.

Once the industry has adopted SAAS every interaction with the cloud is based on the HTTPS protocol. SMB and all the client-server and peer-to-peer networking capabilities of Windows are no longer needed. Even for printing the IPP protocol can substitute SMB.

Thus it is time to eliminate these networking capabilities from the OS. And with this, we eliminate all this EternalBlue, EternalRomance, WannaCry and NotPetya stuff because lateral movement depends heavily on the Windows Peer-to-Peer networking capabilities.

Chrome OS is Google’s answer to this trend. Will Microsoft follow with Windows 10 Lean?

From Liam Tung’s report we learn:

“Windows 10 Lean was revealed on Twitter by Windows enthusiast Lucan, who noted the heavily cut-down OS has no wallpaper and is missing apps like Registry Editor and Microsoft Management Console, as well as drivers for CD and DVD drives.”

From my point of view that’s not enough to deal with the IT security challenges the industry faces today.

Have a great week.


  1. Tung L. Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS [Internet]. ZDNet. 2018 [cited 2018 Apr 24]. Available from: https://www.zdnet.com/article/windows-10-lean-latest-build-offers-first-glimpse-of-microsofts-new-cut-down-os/

  2. Picture credits: Telemuseet, Wikipedia, https://digitaltmuseum.no/011025208286/datautstyr

  3. Picture credits: Jim Rees, Wikipedia, https://commons.wikimedia.org/wiki/File:Dn330.jpg

Advertisements

US Gas Pipelines Hit by Cyber-Attack

15 April 2018

The report “US Gas Pipelines Hit by Cyber-Attack” (1), published on April 13, 2018 in Infosecurity Magazine, sounds more dramatic than it actually is. The attackers compromised a system for “electronic data interchange” (EDI) to some of the largest US energy providers. No impact on critical infrastructures, at least until now.

Bloomberg Technology (2) reports that at least four US pipeline companies were affected by the attack.

What surprised me was that Jim Guinn, managing director and global cyber security leader for energy, utilities, chemicals and mining at Accenture Plc, said (2):

 

“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious. All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

I cannot support this. The EDI system contains the access details to the systems used in the customer networks for data exchange. These details are the free admission ticket to the customer networks for the cyber-criminals.

Thus, it is very important that at least the access data to customer systems are changed directly after an attack is detected. In addition, the customers should check their networks for suspicious data transfers and indicators for lateral movement.

Have a good weekend.


1. Muncaster P. US Gas Pipelines Targeted in Cyber-Attack [Internet]. Infosecurity Magazine. 2018 [cited 2018 Apr 13]. Available from: https://www.infosecurity-magazine.com:443/news/us-gas-pipelines-hit-by-cyberattack/

2. Malik NS, Collins R, Vamburkar M. Cyberattack Pings Data Systems of At Least Four Gas Networks. Bloomberg.com [Internet]. 2018 Apr 3 [cited 2018 Apr 15]; Available from: https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts

RYZENFALL, MASTERKEY, FALLOUT, CHIMERA – Don’t Panic!

3 April 2018

CTS-Labs publication (1) of new branded security flaws in AMD’s latest Ryzen and EPYC processors attracted much media attention.

Much Ado About Nothing

Much Ado About Nothing. Made with WortArt.com.

Two facts on RYZENFALL, MASTERKEY, FALLOUT and CHIMERA:

  • In all cases the attacker requires administrative access to exploit the processor flaws.
  • For exploitation of MASTERKEY the attacker needs to re-flash the bios.

For a good overview see post ‘AMD Flaws’ (2) in the Trail of Bits blog.

To put it succinctly:: An attacker managed to fully compromise a system based on an AMD Ryzen or EPYC processor and to stay undetected. Then he starts exploiting Masterkey, flashes the BIOS and reboots the system. As a result he gets directly detected.

That makes no sense. Once I fully compromised a system I have plenty opportunities to run a deep dive into the victim’s network and, to stay undetected. The risk of getting detected when exploiting e.g. MASTERKEY is just too high.

The world of threat actors can be divided in two classes: Non-Nation State Actors and Nation State Actors. In particular MASTERKEY fits perfectly in the cyber weapon arsenal of the latter because only they have the resources to compromise the processors where it is most convenient, in the supply chain.

I don’t like branded vulnerabilities because they keep us from dealing with really important security issues.

Have a great week!


  1. CTS-Labs. Severe Security Advisory on AMD Processors [Internet]. AMDFLAWS. 2018 [cited 2018 Apr 3]. Available from: https://safefirmware.com/amdflaws_whitepaper.pdf

  2. Guido D. “AMD Flaws” Technical Summary [Internet]. Trail of Bits Blog. 2018 [cited 2018 Apr 3]. Available from: https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/

Triton: Dangerous and Puzzling – Part III

18 March 2018

The reports published on Triton so far give no hint on how the attack was started. With Occam’s razor in mind I concluded in part II of this post series that it is very likely, that the attacker compromised the Engineering Service Providers (ESP) network and the systems used for developing the SIS software. Since the next software update is sure to come, it is only a matter of time until the SIS installation in the production network gets compromised.

In this part I will talk about how to prevent and protect against such attacks.

Part III: Prevention and Protection

To protect against such kind of attacks data integrity must be ensured across the entire supply chain.

Ensure Integrity Across the Supply Chain

Ensure Integrity Across the Supply Chain

Engineering Service Provider’s responsibilities

Build: The ESP must make sure that the project data and software cannot be compromised in his facilities during software design and build.

Transfer: The ESP must secure the data against manipulation during transport.

Plant Operator’s responsibilities

Validate: After handover, the operator must check that the software and project data fulfil only the intended functions, before the SIS or DCS is updated. This must be governed by a Standard Operating Procedures (SOP) with formal approvals.

Install: The operator must follow a SOP for secure update of SIS and DCS software.

In the following section I will give some best practice to achieve data integrity across the supply chain. Anti-malware solutions are not listed because they are industry standard. Nevertheless, it is important to note that in Triton like cases pattern based anti-malware solutions will not prevent or protect against the attack. Pattern based anti-malware solutions protect only against malware “in the wild”. That’s not the case here, thus we have to apply other means to ensure integrity.


Development network

  • Perform all project work in an isolated Development Network (D-NET) with a Development DMZ (D-DMZ).
  • Control remote access to the D-DMZ through a user proxy to allow access for authorized staff only. Two Factor Authentication is mandatory for access to the D-DMZ.
  • For remote user access to the D-NET use a jump station in the D-DMZ.
  • Terminate all connections from the Office Network to the D-NET in the D-DMZ.
  • Terminate all connections from the D-NET in the D-DMZ.
  • If an SIS or DCS is operated in the D-NET, it should be placed in an isolated in a network  zone (D-SIS) in the D-NET. Allow only incoming connections from the engineering station to the SIS or DCS. Terminate all outgoing connections from the D-SIS in the D-NET.

Data exchange

  • For data exchange with the Office network allow only outgoing connections from the D-DMZ to dedicated systems/ports in the Office network.
  • Don’t use the SMB protocol for exchange of data between the office network and the D-DMZ and D-NET.
  • Implement Network Access Control (NAC) in the D-DMZ and D-NET to block connections of untrusted devices.
  • Never connect mobile workstations used in the D-NET or D-DMZ to other networks and vice versa. Once such a workstation was connected to a network outside the D-NET or D-DMZ it is potentially compromised.

System hardening

  • Block all USB disk devices in the D-NET.
  • Block all internet access and e-mail in the D-DMZ and D-NET.
  • Lock down all workstations and servers in the D-NET and D-DMZ.
  • Perform regular integrity checks on all systems in the D-NET and D-DMZ.

Software development best practice

  • Set up software version control for all development work.
  • If contractually possible, handover only sources, makefiles and checksums to the operator.

  • Secure network transfer is the method of choice. Bundle all sources in an encrypted archive. Send the encryption key in a secure e-mail to the operator.
  • If transfer by USB devices is required use only USB devices with AES hardware encryption and key pad. Run a secure before the new software is copied.

  • Extract the software to a trusted development system in an isolated network zone of the operators network.
  • Validate the checksums of the sources and makefiles against the supplied checksum details.
  • Build the software.
  • Install the software on a test system and verify that only the intended functions are implemented.

  • Use a secure transfer method to move the new software and project data to the SIS or DCS  network.
  • Install the software with regards to the corresponding SOP.

Have a great week.

Triton: Dangerous and Puzzling – Part II

11 March 2017

Part II: Some thoughts on the access vector

For preparation of the attack the attacker had to gain in-depth knowledge about the victim’s network and SIS installation.

SIS installation

According to Schneider Electric such attack could only be successful for Triconex Tricon controllers configured with the model 3008 Main Processor and firmware versions 10.0 to 10.4.(1) Only this controller family seems to use PowerPC processors. Older Tricon controllers use National Semiconductor, newer systems use ARM processors.(2)

Since the binary malware components inject.bin and imain.bin were compiled in PowerPC byte code the attacker hat detailed knowledge about the installation, in particular the controller version. Without this knowledge about the controller version the attack would have failed because of a code mismatch.

Network

If the SIS controller and engineering station are operated in an isolated SIS network this attack is not possible. For remote control, the Remote Access Trojan (RAT) needs to open at least an outgoing connection to its Command and Control server (C&C) outside the production network.

Blocking incoming traffic to SIS network but allowing outgoing traffic from the SIS network to applications, e.g. a historian, in other production network partitions is industry standard (ISA-99). Unfortunately, the latter recommendation is often misunderstood. Instead of opening only connections to dedicated systems / ports in adjacent partitions the security devices are often opened for all outgoing network traffic, sometimes across partitions.

With this, once the RAT is installed on the engineering station a weak implemented industry standard fosters the connection with the attacker’s C&C server.

Attack vector: Compromised Supply Chain

At first sight this sounds like a bad thriller. But it gives some good answers to some important questions.

How did the attacker get the knowledge of the victim’s facilities?

  1. In-depth knowledge of the plant network and the SIS installation can be extracted from documentation stored on the plant operators computer systems or on the Engineering Service Providers (ESP) computer systems.
  2. An ESP network is in general less well protected against cyber-attacks than a highly secured production network.

Conclusion: It is very likely that the attacker compromised the ESP network and the systems used for developing the SIS software.

How could the attacker develop such mature code?

Once the attacker hijacked the ESP network he was able to develop and test his attack framework on a system very similar to the production SIS.

How was the SIS network / engineering station infected?

With the next project update the ESP transferred the compromised code, e.g. by USB stick, to the production network.

Have a great week.


  1. Hand A. Triton Gone Wild | Automation World [Internet]. Automation World. 2018 [cited 2018 Mar 3]. Available from: https://www.automationworld.com/triton-gone-wild
  2. Analyzing the TRITON industrial malware [Internet]. Midnight Blue Labs. 2018 [cited 2018 Mar 5]. Available from: https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Triton: Dangerous and Puzzling – Part I

4 March 2018

Jim Finkle’s report ‘Hackers halt plant operations in watershed cyber attack’ (1) published on December 14th, 2017 on Reuters made me curious and nervous at the same time.

The report deals with a cyber-attack on Safety Instrumented Systems (SIS). SIS work independently of the Process Control Systems (PCS). They guarantee that the industrial process, e.g. a reactor or a cracker, can be safely shutdown if the PCS can no longer control the process. Since compromising an SIS may cause significant negative effects on people and environment, the most important task in Production IT Security is to prevent cyber-attacks on SIS.

Although the attack was intensively discussed in the media and by security researchers many questions are still open. With this three-part blog series I like to examine some details more closely. A detailed attack analysis gives IT security strategists the chance to derive improved means for protection of SIS.

Part I: Some facts about the Triton attack

Malware naming

FireEye named the malware TRITON (2). Triton is an attack framework created to interact with Schneider Electric Triconex Safety Instrumented Systems. Other sources name the malware TRISIS (3) or HATMAN (4).

Indicators of Compromise

“In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.” (1)

From the FireEye report, we learn: “The attacker gained remote access to an SIS engineering station and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.” (2)

With this, the IoC was: A production process was shutdown by the SIS although no indicators for a failure condition were signaled by the PCS.

Preconditions for a successful attack

At least the SIS Engineering Station must be accessible from the network. The FireEye (2) and Dragos (3) report confirmed that this was the case.

The Triconex memory protection key switch must be left in Program mode long enough to allow the attacker to run the attack. The FireEye (2) report confirmed that this was the case:

“The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due one of the attack scripts’ conditional checks, the attacker persisted with their efforts.”

The code is publicly available from GitHub. (5)

Threat Actor

From the FireEye (2) and Dragos (3) analysis it is clear, that this was a sophisticated attack. In-depth knowledge of Schneider Electric Triconex SIS and network intrusion technology is required to perform such kind of attack and stay undetected for a while. This indicates a state-sponsored threat actor.

What does this really mean?

Production Network Reference Architecture

Production Network Reference Architecture

The cyber attacker worked his way through the business DMZ, the business network, the production DMZ and the production partition 1 to the SIS engineering station in zone 2 of production partition 2, without being noticed by any security device, SIEM or endpoint protection. That is truly amazing.

It seems like some basic protective measures were either not fully in place or misconfigured or no one checked the logs regarding IoC and IoA.

 

From my point of view this sounds very unlikely and mysterious. I will present some alternative access scenarios in part II.

Have a good weekend.


  1. Finkle J. Hackers halt plant operations in watershed cyber attack. Reuters [Internet]. 2018 Dec 14 [cited 2018 Feb 4]; Available from: https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-shut-down-infrastructure-safety-system-in-attack-fireeye-idUSKBN1E8271

  2. Caban D, Krotofil M, Scali D, Brubacker N, Glyer C, Johnson B. Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure [Internet]. FireEye Threat Research Blog. 2017 [cited 2018 Feb 12]. Available from: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

  3. TRISIS-01.pdf [Internet]. [cited 2018 Mar 3]. Available from: https://dragos.com/blog/trisis/TRISIS-01.pdf

  4. MAR-17-352-01 HatMan—Safety System Targeted Malware_S508C.pdf [Internet]. [cited 2018 Mar 3]. Available from: https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf

  5. ICSrepo. TRISIS-TRITON-HATMAN: Repository containting original and decompiled files of TRISIS/TRITON/HATMAN malware [Internet]. 2018 [cited 2018 Feb 5]. Available from: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN

Dutch banks hit by massive DDoS attacks – Blaming is difficult in the case of cyber-attacks

24 February 2018

Huib Modderkolk’s report ‘Dutch agencies provide crucial intel about Russia’s interference in US-elections’ [1] dated 25 February 2018 is one of the best spy stories I ever read. Hackers from the Dutch intelligence service AVID spied on the Russian hacker group Cozy Bear for some years. They watched them hacking the Democratic Party and manipulating the U.S. elections in 2016. [2]

Some days later Dutch banks and the Dutch Tax Agency [3] were hit by massive DDoS attacks with a peak volume of 40 Gbps. The alleged nation-state threat actor responsible behind these attacks was rapidly found because the timing of the attacks was just too coincidental. In addition, it is widely assumed that only nation-state actors have the resources to run attacks of this size. Janene Pieters reported on 29 January 2018 that according to ESET the attacks came from servers in Russia. [4]

But blaming is difficult in the case of cyber-attacks.

On 6 February 2017 Janene Pieters reported that an 18-year-old man from Oosterhout was arrested in connection with the DDoS attacks. [5] Tijs Hofmans report [6] in ComputerWeekly.com reveals some remarkable background details:

“In messages to the Tweakers systems administrator, Jelle S claimed to have bought a ready-made “stresser” DDoS package on the dark web for which he had paid €50 a week to send 50-100Gb/s of data to victims.”

Crazy world! A script kiddie misused a professional tool for running stress tests against web sites to do the DDoS attacks. And for a very reasonable price.

Blaming becomes a big issue when it comes to DDoS on critical infrastructures. According to the new U.S. nuclear strategy [7] such kind of attack on the U.S. homeland could, in the worst case, result in a counter strike with nuclear weapons.

Have a great weekend.


    1.  Modderkolk H. Dutch agencies provide crucial intel about Russia’s interference in US-elections – Tech – Voor nieuws, achtergronden en columns [Internet]. De Volkskrant. 2018 [cited 2018 Jan 30]. Available from: https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/
    2.  Cluley G. How Dutch intelligence spied on the Russian hackers attacking the DNC [Internet]. Graham Cluley. 2018 [cited 2018 Jan 30]. Available from: https://www.grahamcluley.com/dutch-intelligence-spied-russia-hackers-attacking-dnc/
    3. Cimpanu C. Dutch Banks, Tax Agency Under DDoS Attacks a Week After Big Russian Hack Reveal [Internet]. BleepingComputer. 2018 [cited 2018 Feb 24]. Available from: https://www.bleepingcomputer.com/news/security/dutch-banks-tax-agency-under-ddos-attacks-a-week-after-big-russian-hack-reveal/
    4. Pieters J. Russian servers linked to DDoS attack on Netherlands financial network: Report [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report
    5. Pieters J. Suspect arrested for cyber attacks on Dutch tax service; Bunq [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/02/06/suspect-arrested-cyber-attacks-dutch-tax-service-bunq
    6. Hofmans T. Teenager suspected of crippling Dutch banks with DDoS attacks [Internet]. ComputerWeekly.com. 2018 [cited 2018 Feb 24]. Available from: http://www.computerweekly.com/news/252434665/Teenager-suspected-of-crippling-Dutch-banks-with-DDoS-attacks
    7. Sanger DE, Broad WJ. Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms. The New York Times [Internet]. 2018 Jan 16 [cited 2018 Jan 30]; Available from: https://www.nytimes.com/2018/01/16/us/politics/pentagon-nuclear-review-cyberattack-trump.html