Author: Dave Lewis
August 29, 2008 at 7:35 am · Filed under News
Ah, Friday before a long weekend. So happy that the weekend is here. And yet, I find myself looking forward to Tuesday. A new(ish) project that I’ve been working on may finally be coming to fruition. Fun and games. At any rate I hope everyone has a great weekend!
And now, the news…
- Bank of NY Mellon says data breach now affects 12M | CNN
- Database of children is delayed | BBC News
- IDs of 13,000 retired officers exposed | Dayton Daily News
- Microsoft Updates IE Patch Due to VML Flaw | Redmond
- British computer hacker faces extradition to US after court appeal fails | The Guardian
- Best Western Security Breach Hack Fright Turns Murkier | Security Pro Portal
- BackTrack Version 3 is here | Search Security
- Reformed hacker Kevin Mitnick on his tell-all book | CBC
Tags: News, Daily Links, Security Blog, Information Security, Security News
Author: Myrcurial
August 28, 2008 at 10:31 am · Filed under Dumbass, SCADA Security, Vulnerability
Yet again, it seems that the Keystone Kops are running the show in Washington.
A little bit of wandering about the tubes leads to the Water-ISAC site exposing FOUO government files…
Hrm… wonder what’s in that PDF. Looks juicy…
Hrm. There’s some interesting reading…
What’s a Boreas?
For Official Use Only
Boreas Vulnerability Checklist
A vulnerability has been identified and verified within the firmware upgrade process used in industrial control systems. Successfully exploiting this vulnerability could cause components within the control system to malfunction or shut down, potentially damaging the equipment and/or process. To identify whether a component is susceptible to this vulnerability, please review and answer the following questions.
Questions:
- Do control system components (controllers, processors, etc.) contain reprogrammable firmware?
- Is the process of reprogramming firmware potentially accomplished remotely across a network?
- Does the process of reprogramming firmware lack an authentication mechanism or is it accomplished with publicly available authentication credentials?
- Are firmware image files stored in an unencrypted format anywhere on the system?
If you answered “yes” to more than one of these questions, you are potentially susceptible to this identified vulnerability. Development and implementation of a mitigation plan is needed to protect the installed customer base and the process used in industrial control systems of the nation.
Boreas Vulnerability Mitigation Steps
- Short Term
  - Disable the capability to perform remote firmware upgrade.
  - Block network firmware upgrades with appropriate firewall rules.
  - Use local (direct physical device access) methods to upgrade firmware.
- Long Term
  - Physically secure and encrypt firmware upgrade files during development, storage, transmission and use.
  - Utilize authentication techniques in next generation control system networks.
  - Secure the control system network using defense-in-depth techniques.
Questions should be directed to cssp@dhs.gov, the Department of Homeland Security’s National Cyber Security Division.
Warning: This document is UNCLASSIFIED/FOR OFFICIAL USE ONLY (U/FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.
For Official Use Only
The Greek god of the north wind sure sounds like an awfully generalized discussion of bad firmware update practices.
This isn’t so much a technical vulnerability as it is:
- Truly excremental design on the part of the device manufacturer
- Facile and immature thinking on the part of the integrator/operator
- A security advisory which would be more usefully titled “Basic IT Operations for DUMMIES”
- About the most useless problem space description and mitigating actions discussion available on the topic
- Yet another example of the fact that no actual hackers or criminals are interested in disrupting these systems, as it is child's play to DoS the entire system
And yet another case which proves the point that I made at DEFCON. When you fuzz or “break” a SCADA system, generally it just stops. And in stopping, it’s up to the safety systems to keep things safe. Losing control of the cookie plant does not cause the cookie plant to start manufacturing cookies that kill you. It just makes a big mess.
Tags: WaterISAC, FOUO, DHS, security advisory, boreas
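As an added illustration of what the checklist's "utilize authentication techniques" step means in practice (example code, not part of the Water-ISAC/DHS document or this post): a firmware-upgrade acceptance routine in its "before" form, which flashes any well-formed image that arrives over the network, beside an authenticated form that verifies an HMAC-SHA256 tag in constant time and refuses version rollback. The image framing, the site key and the sample payloads are all constructed assumptions.

```python
"""Constructed example: authenticated firmware-upgrade acceptance.
Image layout (assumed): version (4 bytes, big-endian) || payload || tag (32 bytes),
where tag = HMAC-SHA256(site_key, version || payload)."""
import hmac
import hashlib
import struct

TAG_LEN = 32
SITE_KEY = bytes(range(32))  # constructed sample key; a real device holds a provisioned secret


def build_image(version: int, payload: bytes, key: bytes = SITE_KEY) -> bytes:
    """Frame a firmware image with its version and authentication tag."""
    header = struct.pack(">I", version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_unauthenticated(image: bytes, current_version: int) -> bool:
    """The behaviour the Boreas questions describe: nothing checks who sent
    the image or whether it was altered in transit; any frame is flashed."""
    return len(image) >= 4


def accept_authenticated(image: bytes, current_version: int,
                         key: bytes = SITE_KEY) -> tuple[bool, str]:
    """Verify the tag before trusting any field, then refuse a rollback
    to an equal or older version (a tagged-but-old image is still rejected)."""
    if len(image) < 4 + TAG_LEN:
        return False, "image too short"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "authentication tag mismatch"
    (version,) = struct.unpack(">I", body[:4])
    if version <= current_version:
        return False, f"rollback refused: {version} <= {current_version}"
    return True, f"accepted version {version}"


if __name__ == "__main__":
    good = build_image(5, b"firmware-v5")  # constructed sample image
    tampered = good[:6] + bytes([good[6] ^ 0x01]) + good[7:]  # one payload bit flipped
    print("unauthenticated path flashes tampered image:", accept_unauthenticated(tampered, 4))
    print("authenticated path:", accept_authenticated(tampered, 4))
```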
Author: Dave Lewis
August 28, 2008 at 9:35 am · Filed under Humour
Some amusement for your Thursday. (thx quine)
Due to the fact that there are only so many hours in the day, the news updates will be up after lunch.
cheers
Author: Dave Lewis
August 27, 2008 at 7:41 am · Filed under Critical Infrastructure
“The horse is dead Jim.”
It’s sad that this alarm bell is still ringing but, for whatever reason, it doesn’t seem to have much effect. Now in the witless relocation program, I have been watching the critical infrastructure world from the comfort of my armchair. And from everything I hear from around North America there is still a disconnect with respect to the tedious “Us vs Them” battle that rages between control operators and IT folks.
From The Register:
A UK government minister has warned that cyber-terrorists were attempting to take out the national grid.
Security Minister Lord West of Spithead also said that state-sponsored hackers are attempting to infiltrate corporate networks to steal commercial secrets. Much of this could have been said at any time over the last four or five years, if not longer. But a number of more recent factors spice up the stew, including targeted Trojan attacks, vulnerabilities in the (now) internet-connected SCADA control systems that control power plants and recent high-profile cyber-attacks against Georgia and Estonia.
First off I will have to deduct the standard 10 points for the excessive use of the word “cyber”. That being said, targeted attacks against infrastructure are real. But, the home team is making it a little too easy at times for the baddies. Many SCADA organizations have a tendency to use insecure software and are often slow to patch. This isn’t something new. It just is.
There are bright spots on the horizon in North America at least. NERC recently announced that they had hired on Michael Assante to be their CSO. An excellent move by all accounts. And not a moment too soon when you can find things like this on Google. (hint: third link down the page & no SSL). Granted it isn’t a North American site but trust me, they are out there.
Article Link
Author: Dave Lewis
August 27, 2008 at 7:12 am · Filed under Crime, Hacker
Love struck halfwit hacker gets an all expenses paid vacation to prison.
From The Greenville News:
A man who prosecutors allege hacked the Six Flags Amusement park computer system while living in the Greenville area pleaded guilty on Tuesday to a federal charge of intentionally causing damage to a computer system.
According to prosecutors, Mark Daniel Kahn, 27, inserted malicious computer code into Six Flags’ online job application forms in 2004. Kahn, prosecutors alleged, “inundated” the system with hundreds of bogus applications, some bragging he had hacked the site. Among the hacks was a message of love for his girlfriend, prosecutors said.
Not the sharpest knife in the drawer. For his troubles he could get 10 years.
Article Link
Author: Dave Lewis
August 27, 2008 at 6:55 am · Filed under Mobile
This is really kinda sad. Telus signed up folks for unlimited data plans for EV-DO aircards and now they want a “do-over”. Sadly, they are apparently going out of their way to piss off their customer base by canceling their accounts outright for alleged violations.
From /.
They were purchased by a lot of rural Canadians who had no other choice except dialup. Now TELUS is forcing everyone to switch from a $75 Unlimited plan to a $65 1GB plan, and canceling those who won’t switch
So, from unlimited to 1GB with a barrel pressed against the temple. Not so nice. For the full piece and discussion read on.
Article Link
Author: Dave Lewis
August 26, 2008 at 6:45 am · Filed under Vendor News
From Market Watch:
“Cyber-Ark is excited to be a part of the McAfee Security Innovation Alliance program,” said Udi Mokady, president and chief executive officer of Cyber-Ark Software. “McAfee is a dynamic leader in this industry and has a clear understanding of the value of integrating valuable partner technology into the overall enterprise solution to achieve a more complete security offering for customers.”
No word on whether or not they will get matching spandex as a part of the “alliance”.
Yes, it’s early and the coffee hasn’t kicked in yet. Let me have my fun. In all fairness the Cyber-Ark folks have a good product offering for managing passwords in an enterprise.
Article Link
Author: Dave Lewis
August 26, 2008 at 6:35 am · Filed under Exploit
The underground economy is alive and well.
From The Inquirer Philippines:
According to IBM’s X-Force midyear report, more than 90 percent of browser-related exploits detected during the first six months of this year have occurred within 24 hours after these vulnerabilities were disclosed.
More significantly, IBM noted hackers are adopting new techniques and strategies in order to better exploit “zero-day” vulnerabilities, or simply before users are even aware they need to install patches or updates.
As long as there is money to be made this will continue. So basically, zero days aren’t going anywhere for the time being. No great revelation there I’m sure.
Be aware and patch your systems.
Article Link
[Note]: To the Hackaday readers, thanks for stopping by!