Tuesday, August 23, 2011

What the heck is ISO-TSAP?

This great blog post criticizes this grossly incompetent advisory by the US DHS CERT. Both mention “ISO-TSAP”. What is “ISO-TSAP”?

Just TCP, the same protocol that carries Internet traffic.

That’s what makes the DHS advisory incompetent, because it blames TCP’s lack of encryption for the problems in the Siemens industrial controllers. But a protocol like TCP isn’t supposed to encrypt data, it’s just supposed to carry traffic between two end-points. If you want encryption (like SSL), you are supposed to layer that on top of TCP.

So if ISO-TSAP is just TCP, why is it called by a different name?

That answer is a bit more political. The Internet as we know it wasn’t the Internet the government designed. Instead, they designed a competing Internet known as either “OSI” or “ISO”.

The government first created a blueprint, called the “OSI Model”. That model defines seven layers, where each layer is responsible for a specific task. Layer 1 defines how bits are sent onto the nearest wire. Layer 2 defines how packets are sent only as far as the next hop (to the other end of the wire). Layer 3 defines how packets go hop to hop across the world wide network to the destination computer. Layer 4 defines how the packets reach the destination application on that target computer, whether it be the web browser, iTunes, Skype, etc.

TCP fits in layer 4, but not precisely as OSI defines it. Mostly, it’s a terminology difference. For example, the OSI/ISO standard might say “disconnect” the connection, but TCP/IP might say “close” the connection. The ISO-TSAP standard is mostly just a translation between these terminologies, showing how code written to the OSI/ISO Layer 4 standard will work when run over the TCP/IP standard.

There is one important difference. TCP/IP sends data as a “stream”. Yes, even though the underlying IP sends packets, the TCP on top reassembles this back into a stream of bytes, so that applications see no boundaries between packets.

But the OSI/ISO Layer 4 standard defines a boundary between packets. Therefore, the ISO-TSAP standard adds 4 bytes to each TCP packet to include a “length” field, so that applications can discover the original packet boundaries that are hidden by TCP. Therefore, if you were to ask about the precise protocol differences between ISO-TSAP and TCP, it would be the addition of the following header to each packet:
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |      vrsn     |    reserved   |          packet length        |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
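As an added example (not code from the original post), here is a small Python framer for that RFC 1006 header: it wraps packets for sending and recovers the packet boundaries from a TCP byte stream, validating the version and length fields before trusting them. The MAX_TPKT_LEN cap and the sample bytes are constructed for the example.

```python
"""Added example: framing and de-framing the RFC 1006 ("ISO-TSAP") header.

Each packet sent over TCP is prefixed with 4 bytes: version (3), a reserved
byte (0) and a 16-bit big-endian length that counts the header itself.
"""
import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
MAX_TPKT_LEN = 65535  # limit of the 16-bit field; a deployment may cap lower


class TPKTError(ValueError):
    """Raised when the stream does not carry a well-formed RFC 1006 header."""


def frame_tpkt(payload: bytes) -> bytes:
    """Prefix one upper-layer packet with the 4-byte header for sending over TCP."""
    total = TPKT_HEADER_LEN + len(payload)
    if total > MAX_TPKT_LEN:
        raise TPKTError(f"payload too long for a 16-bit length: {len(payload)} bytes")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + payload


def split_tpkt(stream: bytes) -> tuple:
    """Recover packet boundaries from a TCP byte stream.

    Returns (complete payloads, leftover bytes). The leftover is a trailing
    partial packet that TCP has only partly delivered; feed it back in once
    more data arrives. The length is checked before it is used, so a header
    claiming fewer than 4 bytes (which would otherwise loop forever or cut a
    negative slice) or a wrong version is rejected instead of trusted.
    """
    packets = []
    pos = 0
    while len(stream) - pos >= TPKT_HEADER_LEN:
        version, _reserved, length = struct.unpack_from("!BBH", stream, pos)
        if version != TPKT_VERSION:
            raise TPKTError(f"bad version {version} at offset {pos}")
        if length < TPKT_HEADER_LEN:
            raise TPKTError(f"bad length {length} at offset {pos}")
        if len(stream) - pos < length:
            break  # partial packet: wait for more TCP data
        packets.append(stream[pos + TPKT_HEADER_LEN : pos + length])
        pos += length
    return packets, stream[pos:]


# Constructed sample: two packets back to back plus the first 3 bytes of a
# third, which is how TCP may hand the bytes to the application.
SAMPLE_STREAM = frame_tpkt(b"first") + frame_tpkt(b"second") + b"\x03\x00\x00"
```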

So this OSI stuff has been obsolete for over 20 years, why the heck is the Siemens controller still using it?

Well, that’s the problem with industrial-control/SCADA systems: they are 20 years out of date. It’s the way that industry works. They expect to install a piece of equipment and have it run unchanged for decades.

And that, not “lack of encryption in ISO-TSAP”, is the cause of the Siemens vulnerabilities. The system was created using cybersecurity concepts that are 20 years old, that haven’t caught up with the radical change in cybersecurity that we’ve seen in the last 10 years.

Indeed, the reported Siemens vulnerabilities are just the tip of the iceberg. If a system is using ISO-TSAP instead of raw TCP, it’s probably using all the other dumb stuff from ISO/OSI. The most egregious is something called ASN.1, which is a way of abstractly defining fields in a packet. When you “concretely” define fields in a packet, the lengths tend to be fixed. For example, you might have a username field that is precisely 16 bytes long. When you “abstractly” define fields, they can be any length. A programmer might make a “safe” assumption that a username couldn’t possibly be longer than 1000 characters, and might reserve a buffer in memory of that length. But, of course, a malicious hacker can exceed that: provide a username 2000 bytes long, overflow that buffer, and overwrite other parts of memory in such a way that allows the hacker to break into the system. Such “buffer-overflows” are significantly less common on today’s networks -- except in those places that are still behind the times using things like ASN.1.

I know of at least one vendor’s implementation of ICCP (Inter Control Center Communications Protocol) that also runs on ISO-TSAP and uses ASN.1 that is full of such buffer overflows.

It is this problem of being 20 years behind the times that is likely the cause of the grossly incompetent DHS advisory. It was probably written with input from the Siemens engineers who explained the problems, and the Siemens engineers are working with 20-year-old concepts. The DHS employees probably did little of their own analysis, and certainly, they never talked to the guy who discovered the problems.

Conclusion

The grossly incompetent DHS advisory is just a reflection of the fact that the industrial-control/SCADA systems are grossly out of date. This is demonstrated by the fact that I have to roll back the clock to a time before many readers of this post were born (RFC 1006) in order to explain what the heck is going on.

Friday, August 19, 2011

Catastrophic failure for certifications of the APD

There was an interesting news story about the City of Atlanta police officer certification scandal that's happening now in Atlanta. About 200 police officers have lapsed or incorrect certifications, affecting cases that go as far back as 20 years. A police officer cannot make lawful arrests or collect evidence without this certification. The "seven deadly" convictions such as murder, rape, and arson are particularly likely to be thrown out now because of the especially high importance the arrest warrant has in those cases.

This is a brittle and inflexible system where, if one part of the process breaks down, it becomes a catastrophic failure. We need our legal system to be absolute and unmalleable so that there is justice and equality, but that doesn't lend itself to having a backup plan. Here the symptom of the brittle system is that they rely entirely on the certification to validate the system. If the certification process is broken then the system fails and deadly criminals go free. The article says "There is no excuse to have officers who are not trained. That is a danger to the citizens and it is a danger to police officers," meaning that uncertified cops are dangerous. But the reality is that a substantial number of the 200 officers who made arrests while not certified did the right thing and took deadly criminals off the street. We want those criminals to stay behind bars. In order to keep these criminals behind bars, the city must acknowledge that the certification does not create the good cop, and that a cop can practice good law and order without taking a test. Therefore the test is not absolutely necessary. This is in direct conflict with the nature of law to be absolute and without exceptions. So, in order to protect justice, the arrests will be rendered invalid, deadly criminals will go free, and the system will suffer a catastrophic failure.

Does Information Security have a similar vulnerability to failure based on its similar relationship to certifications? Certifications such as CISSP are not required by law, but many companies won't hire without one. By supporting certifications, a customer is saying they believe the certification is the difference between a "good" security professional and a "bad" or even "dangerous" security professional. So the question is, just like in the case of the Atlanta Police turning over their arrests, if the Security Professional loses their certification, would the customer then suddenly render all of the future work invalid? If they found out the Sec Pro didn't have a certification after all, would they throw out the test and have it done over?

The lapse in certification provides an opportunity for the customer to dispute the validity of the work if they don't like how it makes them look. On the Errata blog, we've talked before about how the deliverables of a pentest can be more like a negotiation than a fact-finding mission. Companies spend just as much energy explaining why the test is wrong as they do remediating the findings. Having a certification to call into question is another opportunity to do this, because in a security assessment, the customer is both "the convicted criminal looking for a loophole" and "the victim."

If the certification is good at accurately distinguishing a competent security professional, then the Industry should do as the City of Atlanta is doing, and protect it by throwing out the work of security professionals whose status has lapsed. But, as Robert Graham wrote in an Errata blog post, certifications like the CISSP are actually ethically dubious and certify unqualified people, so it would be better if no company supported them in the first place and security professionals were judged on the merits of their work/portfolio instead. This would help to minimize one path of failure in Information Security.

Wednesday, August 17, 2011

Validity of most-common-password lists

As this tweet asks: what's the validity of the various lists of the most common passwords people choose, such as this one http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time.

The answer is: it depends. If you dump the passwords at the average website, you'll see these as common passwords.

But they may not reflect passwords chosen for important sites, like corporations or banking. The less important a site, the poorer the passwords. People will choose poorer passwords for something like Sony Playstation gaming than they would for their corporate account. This is especially true when your corporate account enforces rules for password complexity and reset.

Wednesday, August 10, 2011

Comments about the $200,000 BlueHat prize

Microsoft is now offering a reward for certain cybersecurity technologies, as described here. It’s offering a reward of $200,000 (and a second place reward of $50,000) for the best solution to memory corruption bugs.

As expected, there are ravings from Linux geeks in response to anything Microsoft does. Those ravings are so egregious I thought I’d clarify them.

Thursday, August 04, 2011

We already know you are a sellout, we are just negotiating price

The NSA (the real spies) are going to DefCon (the world's largest hacking convention) to recruit hackers. This post urges you hackers not to sell out:
Training oneself to become a hacker and then working for the NSA is like graduating law school with an emphasis in environmental law and then working for BP.

Except you hackers are already sellouts. Hackers complain that the United States does bad things in order to ensure a smooth oil supply, but then they fly or drive to Las Vegas for DefCon. In the hacker's mind, they are not to blame for burning oil, companies like BP are to blame for selling them the oil. While at DefCon, hackers consume vast amounts of electricity and water -- in the middle of a barren desert. Even the cheapest Vegas hotels are more luxurious than "nice" hotels in the third world. Hackers enjoy all the benefits of a peaceful, prosperous society created by our government and corporations, while complaining about how those benefits are obtained.

Wednesday, August 03, 2011

White-hats are on the side of law, but not order

This post to a "white-hat hacker" mailing list asks for volunteers in training law enforcement officers. The author of the post is under the misapprehension that because white-hats are on the side of law, they are on the side of law enforcement. That's not true.

The issue is not "law" but "order". Police believe their job is not just to enforce the law but also to maintain order. White-hats are disruptive. While they are on the same side of the "law", they are on opposite sides of "order".