Control Systems and IT Security

Troubleshooting hydraulics is like debugging software and networking protocols.

Page last edited: 2019-06-01.

[2019-06-01] Sizzle @ hackthebox – Unintended: Getting a Logon Smartcard for the Domain Admin! My writeup of how I owned this box by issuing myself a logon hardware crypto token on behalf of the Administrator – abusing a misconfiguration of certificate templates! I joined a box to the domain, used Kali Linux and Windows in parallel, and ran a fake DNS server with locator records for Active Directory. A software certificate would not have been sufficient – I needed the /smartcard options of net use and runas.

[2019-05-08] Echo Unreadable Hex Characters in Windows: forfiles. How to write any file on a locked-down Windows box when all you can do is paste readable characters into a simple shell?

[2019-03-19] Ethereal @ hackthebox: Certificate-Related Rabbit Holes. Ethereal was a box classified as ‘insane’ at hackthebox, a platform for learning to pentest and “playing capture-the-flag”. You got command execution over DNS, and you had to use openssl telnet-style to get a reverse shell. To own system, you needed to sign an MSI with a CA cert/key file you found on the box.

[2019-02-18] Certificates and PKI. The Prequel. Nostalgic post – how it began, in the late 1990s: Sending faxes to US-based CA companies to prove the legitimate status of a company whose name was one dot over the X.509 common name character limit. Bonus: Accidental Google hacking for discovering webservers running on >20 year old platforms.

[2019-01-18] Modbus Server on Raspberry Pi as Babelfish for UVR16x2. How to log basically anything with CMI / UVR16x2. The pymodbus library makes running your own Modbus server straightforward. You can forward any value read off from other loggers or serve up any result of a calculation as a Modbus register value.
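What “serving up a value as a Modbus register” means on the wire, as an added example that is not the post's code and does not use pymodbus: it implements the Modbus/TCP Read Holding Registers exchange (function code 3) directly, so the MBAP header, the 16-bit register encoding and the exception responses are visible. The scale factor of 10 (one register holds tenths of a degree) and the register map are assumptions for the illustration. Note that Modbus/TCP carries no authentication at all: anything that can reach port 502 can read these registers, and with function codes 6 or 16 write them, which is why a logger like this belongs on its own subnet.

```python
import struct

SCALE = 10  # assumption: registers hold values in tenths (21.5 °C -> 215)


def to_register(value: float, scale: int = SCALE) -> int:
    """Scale a float to a signed 16-bit integer and return its unsigned wire form."""
    scaled = round(value * scale)
    if not -32768 <= scaled <= 32767:
        raise ValueError(f"{value} does not fit a 16-bit register at scale {scale}")
    return scaled & 0xFFFF


def from_register(raw: int, scale: int = SCALE) -> float:
    """Inverse of to_register: reinterpret the unsigned 16-bit word as signed."""
    signed = struct.unpack(">h", struct.pack(">H", raw))[0]
    return signed / scale


def _frame(tid: int, unit: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class HoldingRegisters:
    """Minimal server-side handler: a dict of register address -> float value."""

    def __init__(self, values: dict):
        self.regs = {addr: to_register(v) for addr, v in values.items()}

    def handle(self, request: bytes) -> bytes:
        tid, _pid, _length, unit, fc = struct.unpack(">HHHBB", request[:8])
        if fc != 3:
            return self._exception(tid, unit, fc, 0x01)  # illegal function
        start, count = struct.unpack(">HH", request[8:12])
        wanted = range(start, start + count)
        if not 1 <= count <= 125 or any(a not in self.regs for a in wanted):
            return self._exception(tid, unit, fc, 0x02)  # illegal data address
        payload = b"".join(struct.pack(">H", self.regs[a]) for a in wanted)
        return _frame(tid, unit, struct.pack(">BB", fc, len(payload)) + payload)

    @staticmethod
    def _exception(tid: int, unit: int, fc: int, code: int) -> bytes:
        # Exception response: function code with the high bit set, then the exception code
        return _frame(tid, unit, struct.pack(">BB", fc | 0x80, code))


def build_request(tid: int, unit: int, start: int, count: int) -> bytes:
    """Client side: Read Holding Registers request for `count` registers from `start`."""
    return _frame(tid, unit, struct.pack(">BHH", 3, start, count))


def parse_response(response: bytes, scale: int = SCALE) -> list:
    """Client side: decode a Read Holding Registers response back into floats."""
    _tid, _pid, _length, _unit, fc = struct.unpack(">HHHBB", response[:8])
    if fc & 0x80:
        raise RuntimeError(f"Modbus exception code {response[8]:#x}")
    byte_count = response[8]
    regs = struct.unpack(f">{byte_count // 2}H", response[9:9 + byte_count])
    return [from_register(r, scale) for r in regs]


if __name__ == "__main__":
    # Constructed sample: two temperatures and a calculated heat flow, registers 0..2
    server = HoldingRegisters({0: 21.5, 1: -3.2, 2: 1234.0})
    reply = server.handle(build_request(tid=1, unit=1, start=0, count=3))
    print(reply.hex(), parse_response(reply))
```

To turn this into a real server you would wrap `HoldingRegisters.handle` in a TCP listener on port 502 (each Modbus/TCP message is one MBAP frame, so the length field tells you how many bytes to read) and refresh the register dict whenever a new value arrives from the other loggers.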

[2018-12-15] Unintended 2nd Order SQL Injection. I have accepted a benign version of 2nd order SQL injection as a fact of life. But then interesting things happened when a parcel was (not) delivered.

[2018-11-18] A Color Box. Lost in Translation. The control system was turned upside down again and the Data Kraken was looking at its entangled tentacles, utterly confused.

[2018-10-14] Cyber Something. Is it called Cyber Security or IT Security? Or should I use ‘Infosec’? I asked Google Trends – and got some surprising results!

[2018-08-05] Hacking. Sort of an Away Note – elkement gone hacking: I discovered the pentesting platform hackthebox and spent all my online time there! It’s all new, yet familiar as I feel I have always reverse engineered anything in some sense.

[2018-06-25] Cloudy Troubleshooting (2). Write-up of a hacking challenge ;-) When some network infrastructure loses packets, but seemingly only for one site / cloud app … so that it takes you a while to realize that it’s not an issue with this cloud app.

[2018-06-10] Infinite Loop: Theory and Practice Revisited. An introspective meta posting about learning about physics, computer science, and engineering.

[2018-05-28] Where Are the Files? [Winsol – UVR16x2] A little bit of reverse engineering to find out where log files (retrieved from the data logger CMI) may be stored. The question was more interesting than expected – I learned something about Windows security!

[2018-05-13] Cloudy Troubleshooting. Tales from the field – presented as a drama featuring Cloud, Client, Telco and elkement – going down the rabbit hole of debugging, network sniffing, and mind-numbing tests.

[2018-04-24] Logging Fun with UVR16x2: Photovoltaic Generator – Modbus – CAN Bus. Playing with Modbus inputs on the Control and Monitoring Interface of the UVR16x2 controller (and corresponding settings at the Fronius Symo inverter) – step-by-step description.

[2018-03-18] Let Your Hyperlinks Live Forever! Against linkrot! Joel Spolsky went to great lengths to prevent linkrot, but no excuses if you are not famous: I did it too.

[2017-12-05] Reverse Engineering Fun. Recently I read a lot about reverse engineering – in relation to malware research. I for one simply wanted to get ancient and hardly documented engineering software to work. Write-up of an analysis I found very interesting!

[2017-11-28] Simulating Life-Forms (2): Cooling Energy. Thoughts of the ‘simulation department’ triggered by a detailed research report by the Australian government. It confirms my reluctance to ‘predict’ cooling energy as usage of air conditioning depends strongly on life-style choices.

[2017-10-21] The Orphaned Internet Domain Risk. If you abandon a domain, malvertizers may re-use it – using even your former content available on public archives … taking advantage of your former reputation. Think twice before ‘decluttering’ your digital possessions.

[2017-10-12] Data for the Heat Pump System: Heating Season 2016-2017. I am updating the PDF documentation of consolidated output provided by my Data Kraken – performance, energy used / stored / exchanged, temperatures, ice, passive cooling.

[2017-09-29] Computers, Science, and History Thereof. I am catching up on all things computing and software. Here are a lot of words about three sublime, yet free, online resources.

[2017-08-17] Simulations: Levels of Consciousness. Simulating ‘control logic’ is one of three ‘levels’ in the hierarchy of factors to be taken into account – in simulations of our heat pump system, or heating systems in general. I consider the control logic level sandwiched between ‘physics’ and ‘user behaviour’.

[2017-07-14] Heat Transport: What I Wrote So Far. ‘IT’ has become ‘just a tool’ again – I went back to where I started from. This is a list of all my blog posts about simulations and data analysis related to heat transfer and energy storage. I enjoy data crunching as much as ‘pen-and-paper’ analytical solutions.

[2017-06-06] Other People Have a Life – I Have Domains. New domain names and HTTPS everywhere.

[2017-02-05] Earth, Air, Water, and Ice. Data Kraken in action: Analyzing data for the heating season 2014/15, in terms of two different energy balances: 1) The net energy ‘in the tank’ (allowing for calculating the contribution of ground) and 2) the three heat exchangers that are connected in series in the brine circuit.

[2016-12-22] My Data Kraken – a Shapeshifter. Answer to the question: How do you analyze and consolidate your logging data? What is the biggest challenge? It’s the ongoing change of the ‘database schema’: New sensors, shuffled columns in log files, new calculated values…

[2016-11-20] Give the ‘Thing’ a Subnet of Its Own! A brief report ‘from the workbench’: How recent Internet of Things hacks reminded me of the often overlooked ‘routing feature’ in Windows… which was helpful in quickly giving control units’ data loggers access to the internet.

[2016-09-30] Internet of Things. Yet Another Gloomy Post. Some thoughts about recent DDoS attacks – and why I think the discussion about manufacturers locking down their printers is somewhat related.

[2016-08-24] Hacking My Heat Pump – Part 2: Logging Energy Values: Querying the heat pump’s CAN bus for temperature and energy values, plus: network traces and details of CAN frames sent and received by open source tool can_scan.

[2016-08-03] Hacking My Heat Pump – Part 1: CAN Bus Testing with UVR1611. Extending logging infrastructure – automating reading off our heat pump’s internal energy meter by using Raspberry Pi as monitoring device. Before connecting to the heat pump, hardware and software are set up and tested with a CAN bus I am familiar with.

[2016-06-22] First Year of Rooftop Solar Power and Heat Pump: Re-Visiting Economics. Consolidated data from PV inverter’s logger, smart meter(s) and heat pump monitoring and control. 30% of yearly consumption has been directly supplied by PV panels but in winter the demand exceeds available PV energy by far.

[2016-06-10] Have I Seen the End of E-Mail? I have been impressed by a targeted ransomware attack on very small Austrian businesses.

[2016-06-01] Photovoltaic Generator and Heat Pump: Daily Power Generation and Consumption. Comparing detailed time curves – from three different logging sources: PV output, input energy for the heat pump’s compressor, and the home’s total smart meter balance.

[2016-05-19] Everything as a Service. Trying to predict the not-too-distant future of heating for consumers – following the ‘as a service’ philosophy introduced to software products long ago: Heating will be turned into monthly subscriptions bundled with internet access and bank accounts, and home owners will host aesthetically pleasing black-boxes operated by ‘platforms’.

[2016-04-17] Alien Energy. An update to the previous two articles in this category. Our PV generator and power metering infrastructure is now operational for nearly a year, and I am analyzing the most peculiar day. In February, the peak power was close to the generator’s rated power for half an hour.

[2015-12-07] Half a Year of Solar Power and Smart Metering. Combining data harvested by three different loggers: 1) UVR1611: Ambient temperature, heat pump compressor’s energy, 2) Fronius Symo Datamanager: PV output energy, 3) Smart Meter B-Control EM-210: Energy consumed and fed into the grid.

[2015-11-13] The Impact of Ambient Temperature on the Output Power of Solar Panels. Verified by analyzing our monitoring data – combining logging from our heat pump’s control unit (UVR1611) and the PV inverter’s logging.

[2015-10-29] Random Things I Have Learned from My Web Development Project. The first half is about technology and HTTP redirects, the second half can be ignored by geeks.

[2015-09-18] My Flat-File Database. My new websites’ database is equivalent to a bunch of text files. I am going to use standard SQL queries to retrieve content and meta-data from the file contents and the file name.

[2015-08-17] Interrupting Regularly Scheduled Programming … I am going to re-do my websites from scratch.

[2015-06-17] Solar Power: Some Data for the First Month. Figures and numbers from our PV generator’s logging: Combining daily energy balances with data from our power meter, and tracking intermittent short and very high power spikes by parsing the inverter logger’s website.

[2015-05-07] Watching TV Is Dangerous. Data logger BL-NET is silenced by an IP-TV in the same LAN; solution: Put the logger in its private subnet.

[2015-04-29] Finally Mobile-Friendly! (How I Made Googlebot Happy) Not this blog of course – it had been responsive already. But I gave in to Google’s nagging and did not ignore messages in Google Webmaster Tools any longer.

[2015-03-18] Data Logging with UVR1611 – FAQ. These days I am mainly interested in IT security in relation to gadgets connected to heating systems, control units, and other ‘things’ (as in IoT).

[2015-01-23] All My Theories Have Been Wrong. Fortunately! I apologize to Google. They still like my blog. This blog’s numbers plummeted as per Webmaster Tools, here and here you find everything you never wanted to know about it. I finally figured

[2015-01-09] Looking for Patterns. Some details about the hack of my non-Wordpress website. A self-sabotaging post written by a so-called IT security expert.

[2014-12-20] Waging a Battle against Sinister Algorithms. My website was hacked, but worse: Google seems to consider me a link scammer and my page impressions plummeted by a factor of 100.

[2014-11-15] Google and Heating Systems (2). How things (in the Internet of Things) phone home and/or are accessed directly from the internet. I still prefer the portal (rendezvous server) based solutions to port-forwarding.

[2014-08-05] When I Did Social Engineering without Recognizing It. Title says it all.

[2014-07-18] 5 Years Anniversary: When My Phone Got Hacked. This post has some technical information, but it is more of a personal rant. Now I can laugh about it. I am not a phone phreaker so any input is welcome!

[2014-07-03] What Learning about Feynman’s Path Integrals Was Good for. On the complexity of PKI.

[2014-06-08] Network Sniffing for Everyone – Getting to Know Your Things (As in Internet of Things) Not specifically about certificates – but about what is often required to troubleshoot validation of certificates: Sniffing.

[2014-05-11] Diffusion of iTechnology in Corporations (or: Certificates for iPhones): Experimenting with a new format of technical posts – by dividing them into two distinct parts 1) Hopefully accessible ‘pop-sci’ / ‘business’ / ‘philosophical’ introduction, followed by 2) hardcore technical details the non-geek reader could skip.

[2014-03-12] The Strange World of Public Key Infrastructure and Certificates: Exactly what the title says. Some issues from my text file presented in more pop-sci way to your typical geek.

[2014-02-13] What I Never Wanted to Know about Security but Found Extremely Entertaining to Read: A review of Peter Gutmann’s terrific book Engineering Security, and some of my related encounters.

[2013-05-13] Cyber Security Satire? Not exactly zoomed in on PKI – but the overall message is in line with the next two posts. This post also includes the only hilarious aspect of my master thesis on smart metering and security.

[2013-02-18] My Google Searches Might Heat Your Home. Sorry, but this is not about Search Term Poetry! Rather the contrary: Imagine your search terms could be utilized for something down-to-earth, for something useful.

[2013-01-22] Trading in Heat Pumps for IT Security? Seriously? A personal essay on an important career transition – one I don’t consider so off-base and oh-this-is-now-something-totally-different. Actually, I am still trying to do both as per end of 2014 – supporting some of my long-term PKI clients.