May 2011

  1. This morning (day before a long holiday weekend), news of a breach at Lockheed Martin was made public.

    On March 18, NSS Labs issued an analysis brief on the RSA breach. At that time, we predicted that this was "a strategic move to grab the virtual keys to RSA’s customers – who are the most security conscious in the world. One or several RSA clients are likely the ultimate target of this attack. Military, financial, governmental, and other organizations with critical intellectual property, plans and finances are at risk… NSS Labs expects a string of breaches stemming from this event."

    Since then, there have been malware and phishing campaigns in the wild seeking specific data linking RSA tokens to the end-user, leading us to believe that this attack was carried out by the original RSA attackers. Given the military targets, and that millions of compromised keys are in circulation, this is not over.

    The original brief on the RSA Breach.

  2. Supervisory Control and Data Acquisition (SCADA) systems are cornerstones of modern industrial society. SCADA systems enable humans to control, monitor and automate activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids, traffic lights, etc. Programmable Logic Controllers (PLCs) are the purpose-built devices that communicate with and control the physical devices. For example, they enable human operators to define rules that automatically turn on water cooling pumps to a nuclear reactor when the temperature reaches a predefined threshold. They are in use in every country and in every industrial control system, and impact our lives every day in ways we might not realize.

    Exploitation of vulnerabilities in systems can always have negative effects, such as loss of availability, productivity, data loss or compromise, and even result in identity theft and financial loss. However, unlike classic computer crime and exploitation, where data is remotely stolen or manipulated, attacks on industrial control systems can have devastating physical world implications such as loss of life and environmental impact. 

    SCADA Vulnerabilities researcher Dillon Beresford

    ICS vulnerabilities are an emerging threat of immense importance to national cyber security, and research into this area is just beginning. While there are relatively few known vulnerabilities in the ICS space, there are tens of thousands of ‘traditional’ computing vulnerabilities. NSS Labs researcher Dillon Beresford is one of the leaders in this nascent field. His work has been widely acknowledged by security companies, SCADA hardware and software vendors, and governmental CERTs, including US-CERT, ICS-CERT, and China CERT.

    In the course of his research, significant additional vulnerabilities in industrial control systems have been identified, responsibly disclosed and validated by affected parties. Due to the serious physical and financial impact these issues could have on a worldwide basis, further details will be made available at the appropriate time. Legitimate owners/operators of leading SCADA PLCs may contact us for further information.

  3. Vendors Patch Network Firewalls

    I’m pleased to report that, as of May 6, four out of five vendors have provided NSS Labs with fixes for the TCP Split Handshake issue. The fact that all but one vendor remedied its products in relatively short order (less than 3 months from the time we notified them) is a clear success. While there was some initial backlash against the report, we commend all of the vendors who took steps to protect their customers. Over the last few weeks, NSS Labs has been able to test and validate in our lab the following:

    • Fortinet delivered a patch to their firewall.
    • Juniper changed the default setting to enable protection.
    • Palo Alto Networks delivered a patch to their firewall.
    • SonicWALL delivered a patch to their firewall.
    • Cisco has not issued a patch, but recommends a workaround using access control lists (ACLs), which provides protection in some but not all cases.

    Note: We are only reporting that patches are available and have proven effective. Enabling this protection may have a negative impact on performance and/or break applications that are not using TCP properly.  NSS Labs recommends enterprises test the firewall configuration prior to deployment in order to ascertain the impact. 

    Please consult our Network Firewall Group Test Report or the Firewall Remediation Guide for further details, or contact us for assistance.