What should I call this? Public Information Services or Ignorance?

The story began this afternoon when I met two great hackers, Aat Shadewa and Adi Nugroho. Actually, we had already arranged a meeting to discuss my book. This was the first time I met Aat; I knew him from his books, most of which talk about hacking stuff. To cut the story short, from the book we moved to another topic: hacking SCADA systems. Yes, we started the discussion with our concern about the security of most SCADA systems in Indonesia, especially the ones used in PLN’s infrastructure. Honestly, I don’t know much about this stuff. I learned about SCADA security around 1 year ago, but I have never studied it since. Well, back to the meeting: all of us agreed that most of the SCADA infrastructure in Indonesia has poor security. And that’s quite disturbing.

After some interesting discussion, Aat and I agreed to write a book with SCADA security as the topic, and Aat said we need a real SCADA system to test on, so that everyone who lives in the SCADA world, especially in Indonesia, becomes aware of how critical the security is. Well, since I don’t have enough information about which systems use SCADA, I asked Aat which system we could research. His answer quite shocked me at the time: he said the Jawa-Bali PLN SCADA infrastructure. Wow, isn’t that hard to test on? He said no, since PLN “sent” its SCADA system running around on the Internet. WTF?

Yes, Aat said that PLN has brought their SCADA system online and sends so much information into the public area. Well, this really shocked me at the time. If that is the case, then I agree with him: we really need to tell PLN how dangerous it is, and they really need to stop sending their SCADA information around the public area. After getting back home, I was still thinking about finishing my book. After the Isya prayer, I continued writing my book and finished some chapters, until about 7 hours had passed. My brain got stuck; I could not continue writing the book, not even one word. Then I remembered what Aat said about PLN’s SCADA infrastructure. I tried looking for some information about that project on Google, and there came the address.

http://scada.pln-jawa-bali.co.id

At first I thought this was only an informational website about the SCADA project, but when I tried to open it... WTF, it’s an online system, connected with the SCADA system and continually updating its data from the SCADA database… oh my God. I’m not a security expert or anything like that, but in my n00b opinion this could be a big problem in the end. Well, as a newbie (a n00b’s instinct), I then tried to do some information gathering around the SCADA system. Then I found more shocking stuff: even with Google, I could download the SCADA manual, including the design scheme (also the networking stuff).
I tried to check the site. It looks like it was made with PHP and reads from the SCADA database system. I tried the database utility, called DB 500. The menu threw me onto another page.

http://scada.pln-jawa-bali.co.id/dbchar0.php?script=http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi=0CWAN7

Well, from the page link, I could guess that this could be a big problem. They had a “request page” style of page queries. OK, I tried a simple “breakpoint”, using a ” ‘ “ char.

http://scada.pln-jawa-bali.co.id/dbchar0.php?script=http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi=’0CWAN7

There, I put it right after the “=”, and let’s see what we get here:

Karakteristik Telemetering



Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 133


Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 135


Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 137

Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 185


Daftar Bays di JCC



Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 230


Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 232


Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 234

Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 282


Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 312


Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 314


Warning: ocifetchstatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 316

Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 364

Oh my… this is really disturbing… well, now I became more interested in this web-based interface. For your note, this is the second time I changed from newbie into dummy; maybe this time I become an idiot. I then checked the error messages, where it said

Warning: ociparse() [function.ociparse]: ORA-0175

Warning: ocifreestatement() expects parameter 1 to be resource, boolean given in

Warning: ociexecute() expects parameter 1 to be resource, boolean given in

From what I know, all of these commands are used for making a connection to an Oracle database. Well, now I have valuable information: this system uses Oracle as its back-end system. With some tricks, I tried to query the database banner, to get some information about it.

Oracle9i Enterprise Edition Release 9.2.0.1.0 – Production

PL/SQL Release 9.2.0.1.0 – Production

CORE 9.2.0.1.0 Production

TNS for 32-bit Windows: Version 9.2.0.1.0 – Production

NLSRTL Version 9.2.0.1.0 – Production

As I thought before, the system uses Oracle as the back-end system. And the worse thing is that the system runs on a Windows machine, like most SCADA systems do. Now, I tried to “fish” more information from the system: what kind of server does it run? Still using the link, I tried to make it error out, and hopefully it would put some banner on the page.

http://scada.pln-jawa-bali.co.id/dbchar0.php&lihat_gi=’0CWAN7 

and the result

Forbidden

You don’t have permission to access /dbchar0.php&lihat_gi=’0CWAN7 on this server.


Apache/1.3.41 Server at scada.pln-jawa-bali.co.id Port 80 

WTF! They are even using an old Apache server, running on a Windows machine? And worse, the version of the Apache… I could not talk anymore.
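The three kinds of leakage seen so far (an ORA- error code, PHP warnings carrying filesystem paths, and the Apache version signature) can be checked for on one's own pages. The following is an added example, not part of the original post; the sample body is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a response body assembled from the output quoted in the post.
SAMPLE_BODY = """Karakteristik Telemetering
Warning: ociparse() [function.ociparse]: ORA-01756: quoted string not properly terminated in /home4/scada/htdocs/dbchar0.php on line 133
Warning: ociexecute() expects parameter 1 to be resource, boolean given in /home4/scada/htdocs/dbchar0.php on line 135
Apache/1.3.41 Server at scada.pln-jawa-bali.co.id Port 80
"""

# PHP diagnostics of the form "Warning: func() ... in /path/file.php on line N".
PHP_WARNING = re.compile(
    r"(?:Warning|Notice|Fatal error): (?P<func>\w+)\(\).*? in (?P<path>/\S+) on line (?P<line>\d+)")
# Oracle error codes are "ORA-" followed by five digits.
ORA_ERROR = re.compile(r"\bORA-(?P<code>\d{5})\b")
# Product/version tokens as printed in default server error pages.
SERVER_SIG = re.compile(r"\b(?P<product>Apache|nginx|Microsoft-IIS)/(?P<version>[\d.]+)")

def find_leaks(body):
    """Return a list of (kind, detail) findings for one response body."""
    findings = []
    for m in PHP_WARNING.finditer(body):
        findings.append(("php_warning", f"{m['func']}() at {m['path']}:{m['line']}"))
    for m in ORA_ERROR.finditer(body):
        findings.append(("oracle_error", f"ORA-{m['code']}"))
    for m in SERVER_SIG.finditer(body):
        findings.append(("server_signature", f"{m['product']}/{m['version']}"))
    return findings

def summarize(findings):
    """Collapse findings into what an outsider learns: database, paths, server."""
    summary = {"database": None, "script_paths": set(), "server": None}
    for kind, detail in findings:
        # An ORA- code or an oci*() function name both identify Oracle.
        if kind == "oracle_error" or (kind == "php_warning" and detail.startswith("oci")):
            summary["database"] = "Oracle"
        if kind == "php_warning":
            summary["script_paths"].add(detail.split(" at ")[1].rsplit(":", 1)[0])
        if kind == "server_signature":
            summary["server"] = detail
    return summary

if __name__ == "__main__":
    found = find_leaks(SAMPLE_BODY)
    for kind, detail in found:
        print(f"{kind:17} {detail}")
    print(summarize(found))
```

An empty result is what `display_errors = Off` in php.ini and `ServerSignature Off` in the Apache configuration should produce for the same requests.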

Anyone... just anyone out there, if you think you know the people who run or are responsible for this system, please, I’m begging you, tell them how their system could be a boomerang for themselves. They don’t need to publish all this stuff on the net. Most of society doesn’t need the information about the SCADA system; all they know is paying the bill every month.

Well, maybe it’s only me who is concerned and worried about all these things, and meanwhile it’s all only a bunch of data with no need to worry about it. I really hope it is only a bunch of garbage data, no more than that. As your bonus I’d like to give some extra information: (yes, for you sir, the one who has responsibility for the SCADA system)

Your local IP for the Oracle DB is 10.x.x.70

Your DB name is XXXX, yes, only 5 chars, the same as the Administrator username, only using 5 chars

I know all your system’s users

I could get into your DB, I could play around inside your Windows system. Please remember this, I’m ONLY A NEWBIE; there are a thousand SMART people out there, some good and some bad, and some of the bad guys would be happy to play around with your system.

What if I hack into your Windows system, put some backdoor in there, “breed” my rootkit, hack the local network, get into your SCADA system, and make some changes in there? (If possible, since I don’t have any knowledge at all about this stuff.) But the bottom line is, what do you think about all that stuff?

We, who live in the security world, also have some information about SCADA; some of them are “allowable” to hack, using simple buffer overflow stuff, let’s say

DATAC RealWin SCADA 1.06 

or

CitectSCADA ODBC Server

which might happen to your system also.

Please, I’m begging you, if you think this information is classified, PROTECT IT, but if you think this information is just a bunch of garbage, you may leave it.

————————————————————————————————————
Got confirmation from the people who look after the PLN Jawa-Bali SCADA system: (as of 24 November 2010, 4:30 PM)
The SCADA system is not directly connected to the Oracle database and the web server. Therefore the information on the website is not a threat to the running SCADA system.

Thank goodness, if that is so…
————————————————————————————————————
I’ve just got information from the people behind the SCADA system that the SCADA systems are not directly connected with the Oracle database and the web server. So there is nothing to worry about.

Thank God…
————————————————————————————————————