The night before the start of this week's Black Hat hacker conference here in Las Vegas, security researcher Dillon Beresford gave a demonstration to a small audience in his room at Caesar's Palace. The topic: how a hacker could take over the Siemens S7 computers that are used to control engines, machines and turbines in tens of thousands of industrial facilities.

It was a preview of the talk he was set to give Wednesday, and Beresford seemed both nervous and relieved to be finally talking to the handful of reporters and industry and government officials in the room. A few months ago it wasn't clear when or if he'd ever be able to go public with his research. Concerned that his research could be misused, he pulled out of an earlier conference to give Siemens more time to fix the problems he'd uncovered. Even now, after months of work with Siemens and the U.S. Department of Homeland Security, coordinating patch after patch for many of the bugs he's found, Beresford can't say everything he knows.
But clearly, he knows quite a lot. The question is, how much will he make public?
A look at the Siemens S7 PLCs that NSS Labs' Dillon Beresford hacked.
The NSS Labs researcher said he's found ways to bypass the S7's security measures and read and write data into the computer's memory -- even when the system has password protection enabled. He can steal sensitive information from the systems, he said. And on one model, the S7 300, he found a command shell, apparently left in the system's firmware by Siemens engineers, that he can connect to and use to run commands on the system.
After poking around for a bit he discovered a hard-coded username and password that allowed him access to a Unix-like shell program on the systems, where he can run his own commands: Username: basisk; password: basisk.
This shell is a "back door" to the system that could be misused by an attacker, Beresford said.
He also discovered dancing monkeys. This goofy graphic of four dancing monkeys was apparently an Easter egg -- a software developer's version of graffiti, left for other geeks to discover -- stuck in the S7 300's firmware.
The NSS Labs researcher found this image in the firmware of a Siemens S7 300 PLC. It reads, 'Not hearing, not working, just...'
The demo wasn't much to look at. The S7s are like futuristic grey shoeboxes with green LED lights on them. Smoking a cigarette, Beresford would type into his laptop and one by one, the machines would turn off. But considering that each one of those machines could be running a nuclear centrifuge or an elevator, the demonstration held everyone's attention.
The government official in the room Tuesday night -- a contractor from the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team -- didn't want to be quoted. Neither did Tim Roxey, a staffer with the North American Electric Reliability Corp., the nonprofit corporation chartered with helping to keep the U.S. supply of electricity online.
Clearly both groups are interested in Beresford's work. The S7 300 systems on which Beresford found the back door and dancing monkeys are the same computers that were targeted by the Stuxnet worm, thought to have destroyed centrifuges at Iran's Natanz nuclear reactor.
For decades, makers of these industrial computer systems -- companies such as Siemens, Rockwell Automation and Honeywell International -- lived in a bubble. They built computer systems that were adapted by electrical engineers for the factory floor. It used to be that these systems operated entirely on their own, disconnected from the rest of the networked world, but gradually they've been networked with Windows computers. They are supposed to be run on networks that are physically separate from the rest of the world, but these networks can have misconfigured routers, and every time a consultant plugs a laptop into them, it's another opportunity for a virus to spread.
The problem is that these industrial systems were not built with security in mind, according to Dale Peterson, CEO of security consultancy Digital Bond. Industrial systems security experts like Peterson have known for at least 10 years that these kinds of problems were coming, but not enough has been done. "We've made progress in a lot of areas, but we haven't made progress on these field devices," Peterson said.
He and other security experts say Siemens is hardly alone, and that all industrial control systems suffer from the kinds of bugs that Beresford discovered.
The industry could add strong authentication control to machines like the Siemens S7, so they only run code that's given to them by trusted sources. But in a world where rebooting a computer means taking a power plant offline for a day, that's not easily done. "No one in the industry wanted to do this because of the possible consequences," Peterson said.
On the other hand, as Stuxnet has shown, the risks of a cyber-attack on these industrial systems are very real. And malicious programs wind up on factory floors all the time.
In February 2011, the two-year-old Conficker worm infected systems at a Brazilian power plant, according to Marcelo Branquinho, executive director with TI Safe, the consulting company that has been working on fixing the problem these past few months. Engineers would clean up the infection only to find it reappear on the network, most likely spread there by an infected machine that they had missed. "This is not the first Conficker infection we've seen in Brazilian automation plants," he said in an e-mail interview.
Branquinho wouldn't name the power plant, but the infection was clearly disrupting operations. The plant's management systems were freezing up and not displaying data from the field. This forced operators to control their systems the same way they did before computers -- using radios to communicate with each other.
If those infected Conficker machines had contained the type of software that Beresford has written, things would have been much worse.
This isn't the first time that researchers have released code relating to industrial systems, but past releases have focused on the Windows-based management consoles that these systems use -- not the control systems themselves. And the fact that Beresford has hacked the S7 300 -- widely used in the energy sector -- puts his work in a category by itself.
In fact, Beresford isn't sure when he's going to make the software he's written public. There are 15 modules, small programs he's written for the open-source Metasploit hacking toolkit, but he wants to give Siemens' customers time to patch their systems before he releases the code. He said that six months might be an appropriate window.
Once his code is available, anyone could use it. But Beresford believes that he's only making public what others have secretly known for a long time.
Digital Bond's Peterson says that releasing the code might be what it takes to push the industry to finally fix its security problems. "At this point, I'm like, let's give it a shot," he said. "I don't think he's telling the nasty people anything they don't already know."
Ralph Langner, one of the researchers who helped crack the Stuxnet mystery, thinks that Beresford should never release his code. "Dillon did not ask me for advice," he said. "But the advice I would give him is, 'Don't ever release the Metasploit code, because this is dynamite.'"
The Metasploit modules would make it easy for a less-skilled hacker to build software that could disrupt a power plant. And even if Siemens has addressed all of the underlying issues, it will be years before the patches are installed. One day of downtime at a power plant can easily cost the operator US$1 million, Langner said. "Don't assume that a power plant operator will say, 'I will shut my plant down for a day to install the damned patch,'" he said.
It turns out that Langner is the guy who inspired Beresford to look into Siemens systems in the first place. Because of the apparent reconnaissance work and sophisticated PLC programming involved in Stuxnet, Langner believes that only a few organizations have the technical know-how to pull something like this off.
Beresford wanted to prove that industrial hacking could be done on the cheap too. His company kicked in $20,000 to buy the Siemens systems, but Beresford did most of the work from his bedroom in a couple of weeks. "It's not just the spooks who have these capabilities," he said when he finally gave his Black Hat presentation. "Average guys sitting in their basements can pull this off."
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

