Blog


[Series 01] Indian SCADA Systems – Current Status?

SCADA, i.e. Supervisory Control And Data Acquisition, is a real-time industrial process control system used to centrally monitor and control remote or local industrial equipment such as motors, valves, pumps, relays, etc. SCADA is used to control:

  • chemical plant processes,
  • oil and gas pipelines,
  • electrical generation and transmission equipment,
  • manufacturing facilities,
  • water purification and distribution infrastructures etc.

On 31 July 2012, news broke of a blackout in 20 states of India caused by the failure of the Northern Electricity Grid, which subsequently led to the failure of the Eastern and North Eastern Electricity Grids as well.

Although all the political parties and news channels kept broadcasting that this was caused by a few states drawing excessive electrical power, being an independent cyber security researcher working in SCADA security, my intuition isn’t ready to accept the statement given by India’s Power Grid Corporation:

“There was overdrawing of power as the demand peaked. As a result, two to three grids tripped simultaneously.”

My query is: in the summer season of 2012, there was a time when the demand for power was so high that most parts of the cities in Northern India did not get electricity for 8-10 hours a day (my personal experience). In such a period of critical demand nothing happened! There was only load-shedding, but no failure of any electricity grid.

Why so? Weren’t the states now blamed by the Central Government drawing electricity in excess at that time as well? If yes, then why didn’t the Power Grid failure occur at that time?

to be continued…


Neelabh Rai
Cyber Entrepreneur
Independent Cyber Security Researcher
CYBER COPS India
www.cybercops.in

“Protect your software from Piracy, IT Systems from Sabotage by using ‘patented’ Validy Technology”

Browser Forensic Tool (BFT) – A Benign Tool or Malign Tool??

Someone referred me to the UNREMOTE link, where an interesting article was posted about a tool named “Browser Forensic Tool (BFT)”. The link is given below:

About BFT:

According to the above link, BFT is software that searches all kinds of browser history (even archived) in a few seconds. It retrieves the URLs and titles of all entries matching the chosen keywords. One can use the default example profiles or create a new one with a thematic search.

Since I had never heard of something like this before, it was obvious for me to take BFT for a test ride and find out whether it is worth using or not.

Additionally, the publisher’s listing on the BrotherSoft website gives the following description of BFT:

You want to search very quickly in the History of all common browsers
even archived ones by keywords list (manageable)?

This software is made for you, for companies, anti cyber criminal companies,
for particular this software will simplify your life and save hours of manual researching.
You can free download Browser Forensic Tool 1.0 now.

Hence, I installed it in a Virtual Machine running Microsoft Windows 7 Professional with all the necessary security tools installed, viz. anti-virus, an Intrusion Detection System (IDS), Wireshark, etc.

First, the given download link delivers the file described below:


File Name: BrowserForensicTool_downloader_by_BrowserForensicTool.exe
CRC32: 461b63c5
MD5: 0e409b01ef99c9e6d65bdbb94d9e5592
SHA-1: b85f13c7255a6d52597860fd51a14b499729d583
File Size: 154.5 KB


The icon used by the above installer is: 

When the file’s properties were checked, the following information was observed. It was interesting to find that this tool also carries a digital signature signed by COMODO:

After executing the file with a double click, it drops another executable named “BetterInstaller.exe”. This file is silently extracted to the following directory path (the user name is omitted here):

C:\Users\<user>\AppData\Local\Temp\Dir

The Icon Image of the application is:

Further information about Better Installer is given below:

File Name: BetterInstaller.exe
CRC: 65f69cd7
MD5: d79b88bab3231ebebd3c6505ab68ce56
SHA-1: 3222e8dab740ba1d640cc66a9cd36070969deb80
Size: 207 KB
File Properties:



Once the user runs the above installer, it shows that it is preparing the Browser Forensic Tool (BFT) installation.

Since Endpoint Protection was installed in the Virtual Machine, the following message was displayed:

As can be seen from the above image, it was trying to connect to installer.filebulldog.com at the remote IP address 78.138.98.55, which is based in Germany and assigned to MESH GmbH. The IP address route map is given below:

I let the above application try to connect to this IP numerous times, but the installation never continued. Instead it always showed that it was still preparing BFT for installation.

From this point onwards it was a matter of concern for me: why, with a 4 Mbps internet connection and other files still downloading fine from other websites, was this file unable to download anything?
Something is suspicious and probably malicious in nature! Probably it is connecting to the remote location, extracting the user’s data and transferring it to the above-mentioned IP address. Possessing a digital signature signalled that it is a benign file, but the way it was working looked otherwise. Hence, it was decided to carry the investigation further.

Further information about BetterInstaller.exe was obtained using the malware analysis tool IDA Pro; the version resource reads as follows:

1 VERSIONINFO
FILEVERSION 1,0,0,0
PRODUCTVERSION 1,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
    BLOCK "StringFileInfo"
    {
        BLOCK "000004e4"
        {
            VALUE "CompanyName", "Somoto Ltd."
            VALUE "CompanyWebsite", "www.FileBulldog.com"
            VALUE "FileDescription", ""
            VALUE "FileVersion", "1.0"
            VALUE "LegalCopyright", ""
            VALUE "ProductName", "Better Installer"
            VALUE "ProductVersion", "1.0"
        }
    }

    BLOCK "VarFileInfo"
    {
        VALUE "Translation", 0x0000 0x04E4
    }
}

Information in XML format is:


The registry details obtained (the installer’s registration script) were:



HKCR
{
    NoRemove AppID
    {
        '%APPID%' = s 'BetterInstaller'
        'BetterInstaller.EXE'
        {
            val AppID = s '%APPID%'
        }
    }
}


Furthermore, it was found that on WOT (Web Of Trust) some users had flagged it as malicious content, and that it is blocked by ESET. A screenshot is attached:

The comments and further information can be read from here: 

As the above comment includes a link to the Scumware website, as soon as I reached there it was more than sufficient to decide whether the Browser Forensic Tool is benign or malign. One can find this information at the given link:

From the above website, following snapshot was taken:

The above image clearly shows that it’s a Trojan. In addition to this, after performing malware analysis on my virtual machine, I found that it tries to inject an HTML script into the browser which may read the cookies stored on the system.


By the way, MalwareBytes’ AntiMalware installed in the virtual machine showed the following:


In a nutshell, this tool does nothing of what is stated on the BrotherSoft website. Hence, anything that sounds too good to be true must come under the radar of suspicion and should not be let through simply on the strength of what a software download provider’s website says. It can be deadly for your privacy, the integrity of your data, the confidentiality of critical data, as well as your computer system’s health.

Watch before taking another step in the cyberspace….
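As an added example (not the post’s own code): a small Python script that computes the same fingerprint fields the post lists for each file (CRC32, MD5, SHA-1, size), matches them against the two hash sets reported above, and flags connections to the reported host name and IP in firewall-style log lines. The log line layout and the sample bytes are assumptions constructed here.

```python
"""Added example (not the post's own code): compute the fingerprint fields the
post lists for each file (CRC32, MD5, SHA-1, size), match them against the two
hash sets reported above, and flag connections to the reported host/IP in
constructed firewall-style log lines."""
import hashlib
import re
import zlib

# File indicators exactly as reported in the post for the two dropped files.
FILE_INDICATORS = {
    "BrowserForensicTool_downloader_by_BrowserForensicTool.exe": {
        "crc32": "461b63c5",
        "md5": "0e409b01ef99c9e6d65bdbb94d9e5592",
        "sha1": "b85f13c7255a6d52597860fd51a14b499729d583",
    },
    "BetterInstaller.exe": {
        "crc32": "65f69cd7",
        "md5": "d79b88bab3231ebebd3c6505ab68ce56",
        "sha1": "3222e8dab740ba1d640cc66a9cd36070969deb80",
    },
}

# Network indicators observed when the installer tried to phone home.
NETWORK_INDICATORS = {"installer.filebulldog.com", "78.138.98.55"}


def fingerprint(data: bytes) -> dict:
    """Return the same fields the post lists: CRC32, MD5, SHA-1 (hex) and size."""
    return {
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
    }


def match_file(fp: dict, indicators=FILE_INDICATORS):
    """Return the indicator name whose SHA-1 or MD5 equals the fingerprint, else None.
    CRC32 is deliberately not used for a verdict: it is a checksum, not a hash."""
    for name, ioc in indicators.items():
        if fp["sha1"] == ioc["sha1"] or fp["md5"] == ioc["md5"]:
            return name
    return None


# Constructed log lines in an assumed "ts action proto src -> dst host=" layout.
SAMPLE_LOG = """\
2012-10-01T10:15:02 ALLOW tcp 192.168.56.101:49152 -> 78.138.98.55:80 host=installer.filebulldog.com
2012-10-01T10:15:09 ALLOW tcp 192.168.56.101:49153 -> 93.184.216.34:443 host=example.com
2012-10-01T10:16:40 DENY  tcp 192.168.56.101:49160 -> 78.138.98.55:80 host=installer.filebulldog.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)(?:\s+host=(?P<host>\S+))?"
)


def flag_connections(log_text: str, indicators=NETWORK_INDICATORS) -> list:
    """Return (timestamp, action, destination) for every line whose destination IP
    or host name is an indicator; lines that do not parse are skipped, not raised."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["dst_ip"] in indicators or (m["host"] and m["host"] in indicators):
            hits.append((m["ts"], m["action"], m["host"] or m["dst_ip"]))
    return hits


if __name__ == "__main__":
    sample = fingerprint(b"abc")  # constructed stand-in for a file's bytes
    print(sample, "->", match_file(sample))
    for ts, action, dst in flag_connections(SAMPLE_LOG):
        print(ts, action, dst)
```

Note that an ALLOW hit is the one worth acting on: a DENY line shows the control worked, an ALLOW line shows the host reached the installer’s server.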



A Research Survey on “Faith / Trust / Confidence of Public on Indian Police”


Rajbala Malik

I was watching the popular news channel “AAJ TAK” yesterday evening at my home when news flashed that Ms. Rajbala Malik, a 51-year-old supporter of Swami Ramdev, had lost the battle between life and death after 110 days in the ICU (Intensive Care Unit). She died due to the lathi charge by Delhi Police that took place on the unfortunate night of 4 June 2011 at Ramlila Maidan.


Leader of the Opposition in the Lok Sabha Sushma Swaraj said on Twitter: “After oscillating between life and death for 15 weeks, Rajbala died. It is a sad commentary on our police functioning… I demand that a murder case be registered against Delhi Police and the guilty must be punished”.

See this news link: http://bit.ly/aajtak-rajbala (in Hindi) OR http://bit.ly/rajbala-english (in English)

Amarjeet Chadha was shot dead by a Head Constable

Then I switched to another news channel, where another report was being aired on the callousness shown by a Delhi Police Head Constable. A 60-year-old dry fruits trader was shot dead and a mobile phone store owner injured in the Lahori Gate area. The Head Constable of Delhi Police fired three rounds at businessman Amarjeet Singh Chaddha in an attempt to rob him of his gold chains and cash at around 21:00 hours on Saturday, 27 September, 2011. Just today, a few hours ago, another news flash reported that the man who tried to save the trader, the mobile phone store owner, is also dead now, as the bullet (also fired by the same shooter) had pierced his neck. For more information on this news, click here: http://bit.ly/delhitraderdead


Then I switched to the “NDTV India” news channel, which was showing yet another report on the Indian Police. This time the news flashed as “Truck Driver refuses to pay Bribe, Beaten to Death”, another report showing the insensitivity of our Indian Police. This event took place in Chandauli, Uttar Pradesh (UP). See this video link: http://bit.ly/ndtvindia-truckdriverdead

Click here to read the news: http://bit.ly/zeenews-truckdriverdead

All these news items are just samples of one side of the coin of the working of our Indian Police. I don’t say that the Indian Police is always like this. There are many brave and honest policemen in uniform too who are working to give a better environment to society, and they are doing their best.

One such person, whose way of working and conduct I am well aware of, is Dr. Ajay Kumar, IPS officer of the 1986 batch, Jamshedpur, Jharkhand. He was posted in Jamshedpur from 1994 to 1996, and this tenure is termed the golden period for this very place.

During the 1990s Jamshedpur was ruled by local “goons” and crime was at a peak in the city, when the Chief Minister of Bihar, Lalu Prasad Yadav, at the request of Tata Steel MD J. J. Irani, sent Dr. Ajay Kumar as the City SP in 1994. In a short time the SP was successful in controlling and decreasing the crime rate in Jamshedpur.
Read more here: http://bit.ly/ndtvindia-ajaykumar. Do see this interesting post here.

This survey is created with the honest intention of seeing what the common man (i.e., Aam Aadmi) of India thinks and feels about the Indian Police, and how much faith / trust / confidence the common man has in it now. With these concepts and ideas in mind, the survey has been formulated and made available to the public, and it is my request to all Indians who surf the Internet to please take this survey. The survey comprises just ten (10) questions and can be completed in 5-10 minutes. No personal information is required. The only expectation is honesty, and that you take the survey only once. For those Indian individuals to whom their privacy is important, I have already provided an option just after the title of the survey: “Please record my answers anonymously”. Just check it, and complete the survey!


About Neelabh Rai, the creator of this research survey:

If someone is interested to know about me, feel free to contact me directly on my official email id with the subject “Faith / Trust / Confidence of Public on Indian Police”. More information about me can be found in cyberspace by just entering my name, “Neelabh Rai”. For your ease, I am providing a few website links that give a brief picture of me:

1) http://www.cybercops.in/neelabhrai.php
2) http://bit.ly/csasinkeynote (redirected to SMi UK Website)
3) http://www.cybercops.in/about.php
4) http://masterofearth.info/aboutme.html
5) https://twitter.com/cybercopsindia (Twitter ID)
6) http://in.linkedin.com/in/neelabhrai (LinkedIn Professional Profile)
7) http://www.cybercops.in/news.php
8) http://cybercopsindia.blogspot.com/ (Corporate Blog)
9) http://www.aerospace19.com/profile-382
10) http://www.asclonline.com/blog/2009/09/01/student-of-the-month-september-2009/ (Asian School of Cyber Laws, Pune awarded Student of the Month award and published some hidden information w.r.t. me)
11) http://en.gravatar.com/cybercopsin
12) http://bit.ly/csasin10112011 (See the time slot of 09.50 and 11.00 ; Neelabh Rai is invited to speak and present his innovative ideas in Singapore this November, 2011)

Since I am an ‘Independent’ Cyber Security Researcher working only on Indian cyberspace, this very survey of yours will help me in providing the best solution for securing our economic future.

At last, kindly help me by forwarding this very survey to all your friends, colleagues, relatives, family members… The link is: http://bit.ly/cybercopsindia-survey1


If any queries, feel free to connect with me @ http://www.cybercops.in/contactme.php

PS: Please do not change the subject line when sending any email to me. Keep the subject as “Faith / Trust / Confidence of Public on Indian Police”.


Thanks in advance for your time and effort in helping this survey build a clearer picture!




More SCADA Vulnerabilities Discovered by Italian Researcher Luigi Auriemma in Industrial Systems – A Brief Overview

SCADA vulnerabilities continue to surge as Italian security researcher Luigi Auriemma has found holes in six different systems. The companies whose products are affected range from Rockwell Automation to Beckhoff.


The vulnerabilities found in such companies’ products include:

  1. AzeoTech DAQFactory Stack Overflow
  2. Beckhoff TwinCAT ‘TCATSysSrv.exe’ Network Packet Denial of Service Vulnerability
  3. Cogent DataHub Multiple Vulnerabilities
  4. Measuresoft ScadaPro Multiple Vulnerabilities
  5. Progea Movicon Multiple Vulnerabilities
  6. Rockwell RSLogix Overflow Vulnerability

All vulnerabilities came with proof-of-concept (PoC) code which can exploit the vulnerabilities. These vulnerabilities range from denial of service (DoS), to information disclosure, to complete remote code execution. 


Following is a breakdown on the individual vulnerabilities found in the above systems:

  1. AzeoTech DAQFactory Stack Overflow: There is one stack overflow vulnerability with PoC exploit code affecting AzeoTech DAQFactory, a SCADA/HMI product. The vulnerability is exploitable via a service running on Port 20034/UDP, according to the report.
    DAQFactory is SCADA and HMI software used in multiple industries including water, power, and manufacturing. DAQFactory installations are primarily located in the United States and Europe.
  2. Beckhoff TwinCAT ‘TCATSysSrv.exe’ Network Packet Denial of Service Vulnerability: There is a vulnerability with PoC exploit code affecting Beckhoff TwinCAT, a SCADA/HMI product. Services running on Port 48899/UDP are vulnerable, according to the report.
    Beckhoff TwinCAT is a software system capable of controlling multiple PLCs in a system. It sees use in industries including manufacturing, energy, water and wastewater, and building automation.
    Beckhoff’s headquarters is in Verl, Germany.
  3. Cogent DataHub Multiple Vulnerabilities: There are four vulnerabilities with PoC exploit code affecting Cogent DataHub. The vulnerabilities are remotely exploitable through the following ports: Stack Overflow, Remote – Ports 4052 and 4053; Integer Overflow, Remote – Port 80; Directory Traversal, Remote – Port 80; and Information Exposure, Remote – Port 80.
    Cogent DataHub is SCADA management software that sees use in industries including manufacturing, energy, financial, and pharmaceuticals.
  4. Measuresoft ScadaPro Multiple Vulnerabilities: There are multiple vulnerabilities with PoC exploit code affecting Measuresoft ScadaPro. The vulnerabilities are remotely exploitable through Port 11234/UDP, according to the report.
    ScadaPro is a SCADA system used in power generation, oil and gas, pharmaceuticals, and manufacturing.
    Measuresoft Development Ltd. has headquarters in Louth, Ireland with an office in Missouri City, Texas.
  5. Progea Movicon Multiple Vulnerabilities: There are three vulnerabilities with PoC exploit code affecting Progea Movicon PowerHMI Version 11, a SCADA/HMI product.
    Movicon 11 is an HMI development system that uses a web-enabled architecture based on Java, including drivers for PLCs. PowerHMI Version 11 is based on SCADA HMI Movicon Version 11.
    Movicon sees use primarily in Italy with a small percentage of installations in other European countries.
  6. Rockwell RSLogix Overflow Vulnerability: There is an overflow vulnerability with PoC exploit code affecting Rockwell RSLogix 19. Services running on Port 4446 are vulnerable to a memory overflow, according to the report.
    Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries. The Rockwell RSLogix family is a group of ladder logic programming packages that operate on Microsoft Windows operating systems. RSLogix 5 supports the Allen-Bradley PLC-5 family of programmable controllers.

Note: The full forms of the abbreviations used above are given below for the general reader’s understanding.
  • PoC: Proof-of-Concept
  • SCADA: Supervisory Control and Data Acquisition
  • HMI: Human-Machine Interface
  • PLC: Programmable Logic Controller



WIPRO Limited’s Consumer Care and Lighting business division, North-West Switches, hacked by a Pakistan-based Hacker Group “HITCHER”


Cyber crime is growing at an alarming rate, and unfortunately the security experts aren’t able to match its speed! Due to this, every now and then there is news of cyber crime, viz. advanced persistent threats, SCADA vulnerabilities found, ICS under threat, websites hacked, phishing reported, XSS injection flaws discovered, identity theft, databases hacked, Stuxnet, etc. Nowadays there are more and more cases of website hacking, especially in the corporate sector. In technical terms, hacking a website isn’t a big deal. But if the market scenario is considered, and especially when the site is serving customers, then it is indeed a big deal!



A few months back all the news media were busy flashing only one news item: Sony hacked, PlayStation hacked, etc. This incident led to a significant fall in Sony’s revenue. Wired.com reported on 23 May, 2011 that Sony estimates a $171 million loss from the PSN hack. This loss includes expenses for security improvements, “Welcome Back” packages and an estimate of the impact of the security breach and resultant outage on future profits. Sony says it has still not confirmed any reports of credit card fraud or identity theft, both of which could change the company’s estimated losses. In addition, shares in Sony have fallen 55 percent since the company revealed the hacking on April 27 (Reference: http://www.moneycontrol.com/news/wire-news/sony-recruits-information-security-boss-after-hacking_583156.html).


However, there are many indirect harms to the business too, which might not be visible to the company right now, such as lower consumer confidence, a damaged reputation, reduced competitiveness, etc.


Due to all these hacking incidents/accidents/events {use whatever term you like ;)}, Sony Corporation finally hired Philip Reitinger, a former Homeland Security Department official, as its new CISO (Chief Information Security Officer) after surviving massive hacking attacks. (Reference: http://fcw.com/blogs/circuit/2011/09/agg-sony-hiring-dhs.aspx)


Now there is another news item gaining ground on the Internet: a website of the Indian IT company WIPRO Limited has been hacked (Reference: http://securitybreaching.blogspot.com/2011/09/wipro-one-of-best-indian-it-company.html).

The hacked domain is http://north-west.wipro.com/. It’s a sub-domain of Wipro Ltd.


About Wipro Ltd. according to Wikipedia:

Wipro Limited (BSE: 507685, NSE: WIPRO, NYSE: WIT, NASDAQ: WIT) is a global information technology (IT) services company headquartered in Bangalore, India. According to the 2011 revenue, Wipro is the third largest IT services company in India and employs more than 219,429 people worldwide as of March 2011. Wipro is ranked 31 globally in 2011 in the list of IT service providers. It is 9th most valuable brand in India according to an annual survey conducted by Brand Finance and The Economic Times in 2010. Wipro provides outsourced research and development, infrastructure outsourcing, business process outsourcing (BPO) and business consulting services. The company operates in three segments: IT Services, IT Products, Consumer Care and Lighting.

(Reference: http://en.wikipedia.org/wiki/Wipro)

About North-West Switches (north-west.wipro.com – the hacked website):

“A part of the Consumer Care and Lighting business division of Wipro, North-West Switches offers a range of premium modular switches. The Consumer Care and Lighting Business Division of Wipro Ltd has acquired the North West Switches brand from North West Switchgear Ltd. North West Switchgear is a Delhi-based manufacturer of switches, sockets and MCBs.”

(References:

The current screenshot of the hacked website on Wipro’s sub-domain (last checked on: 21 September, 2011; 21:30 hours IST):

The hacked page of North-West Switches, a part of the Consumer Care and Lighting business division of Wipro. (Last checked: 21 September, 2011; 21:30 hours IST)

At the footer end, the marquee text contains the signature of the hackers, which is given below:

“Greets to | Jerry HASSAN | PCCS | Dr Trojan | URDU HACK| Pcf Master Mind |x Bad Boy x | XtreMist | MongoOse Pk | Trick Owns | Shadow008 | HexCoder| Chliz Aceh | Brilliant | Waheed Gul |Sharp Hacker| Ninjaa Kai |Pak Cyber Force|ZHC|Hackall.net|[ PAKISTAN ZINDABAD ]”

This message, as well as the colours of the defacement image, signify that the hackers supposedly belong to our neighbouring country, Pakistan.

For those who still believe that the hacked domain isn’t a part of Wipro Ltd., kindly see the image below, which was taken from Google Cache. According to Google Cache, the page was last cached on 18 September 2011 21:26:10 GMT.

North-West Wipro’s original website snapshot taken from Google’s cache
(last updated by Google: 19 September, 2011; 02:55 hours IST)
(last checked: 21 September, 2011; 21:30 hours IST)

For the readers’ knowledge, the information about the hacking of this website was received by CYBER COPS India on 19 Sep 2011 at 21:30 hours IST. More than 48 hours have passed since the news broke, and the website is still in a hacked state.


After searching Google for Wipro’s security solutions, it was found that Wipro had started offering its “Enterprise Security Solutions” services in 2009.

Google search result for the query “Wipro Security”
(Snapshot last taken on 21 September, 2011; 21:15 hours IST)

See the statement taken from Wipro’s Enterprise Security Solutions webpage:

“Wipro’s Enterprise Security Solutions (ESS) practice delivers integrated end-to-end security and compliance solutions globally across a multitude of industry verticals. Wipro ESS addresses key challenges enterprises face with improving the agility of information security and compliance programs to cope up with ever-changing business and IT risks.
Leveraging a large global pool of experienced security professionals and a Global Delivery Model, Wipro ESS assists customers in defining their security and compliance needs, best practice recommendations, technology evaluations, implementations and delivering managed and hosted security services.”

(Reference: http://www.wipro.com/services/business-application-services/Pages/enterprise-security-services.aspx)

Now the question that arises is:

In the case of Sony Corporation there was ‘no’ CISO, but Wipro Ltd. is a company with a pool of ‘experienced’ security professionals. Why then is Wipro Ltd. unable to take back its hacked website (http://north-west.wipro.com) when it has a large pool of experienced security professionals?

