Absurdity, thy name is Microsoft. I have heard of some dumbass patents over the years, but this one is an example of why the US Patent Office really needs to undergo an extensive review.

From ZDNet:

The software giant applied for the patent in 2005, and was granted it on August 19, 2008. US patent number 7,415,666 describes “a method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed”.

The patent’s listed ‘inventors’ are Timothy Sellers, Heather Grantham and Joshua Dersch. However, Page Up and Page Down keyboard buttons have been in existence for at least a quarter of a century, as evidenced by this image of a 1981 IBM PC keyboard.

Yes folks, that would be “previous art”. Hell, I still have one of those keyboards in my closet.

I’m going to bed. That’s where I get to be a Viking.


Security is an interesting thing. Some people get it. Others just have no idea. A few days ago Myrcurial found that a DHS document had been erroneously posted on the Water ISAC site. Mistakes happen, let’s be fair. But, rather than say “Yup, we goofed. It won’t happen again and here’s why”, the rather apt description of the Keystone fellas reared its head, again.

An email was sent out on the SCADA security mailing list instructing folks to cease talking about this issue (thx to anonymous for the copy).

So, being a curious sort I went to the publicly accessible archive to view the message thread so I could catch up on the story.

Only to discover that any message relating to the document posting was now deleted. Guess they might have forgotten that every subscriber on the list also has a copy.

How can one ever hope to have a frank and open discussion about security in the critical infrastructure space when the default action is to close your eyes and bury your head in the sand?

Anyway. So, I decided to go have a look at the archived document on Google. Nope, not there anymore. Guess someone had Google take the link down. Well, that showed me.

Or did it?

Oh right, there are other search engines besides Google. You might have heard of some of them, like say a small little site called Yahoo?

Yup, they have an archived copy as well. As will the rest of the search engines out there.

What’s the moral of the story? Once the genie is out of the bottle on the internet there really is no way to get that sucker back in. As our readership from the various three-lettered agencies can attest.

WaterISAC and other organizations that have critical infrastructure roles really need to review their document classifications and how things get published to the web. Seriously, this isn’t rocket science. Be a little more careful next time folks.

Oh, and WaterISAC, please turn off directory browsing on your web server.


Ah, Friday before a long weekend. So happy that the weekend is here. And yet, I find myself looking forward to Tuesday. A new(ish) project that I’ve been working on may finally be coming to fruition. Fun and games. At any rate I hope everyone has a great weekend!


And now, the news…

  1. Bank of NY Mellon says data breach now affects 12M | CNN
  2. Database of children is delayed | BBC News
  3. IDs of 13,000 retired officers exposed | Dayton Daily News
  4. Microsoft Updates IE Patch Due to VML Flaw | Redmond
  5. British computer hacker faces extradition to US after court appeal fails | The Guardian
  6. Best Western Security Breach Hack Fright Turns Murkier | Security Pro Portal
  7. BackTrack Version 3 is here | Search Security
  8. Reformed hacker Kevin Mitnick on his tell-all book | CBC


Yet again, it seems that the Keystone Kops are running the show in Washington.

A little bit of wandering about the tubes leads to the Water-ISAC site exposing FOUO government files…

Hrm… wonder what’s in that PDF. Looks juicy…

Hrm. There’s some interesting reading…

What’s a Boreas?

For Official Use Only

Boreas Vulnerability Checklist

A vulnerability has been identified and verified within the firmware upgrade process used in industrial control systems. Successfully exploiting this vulnerability could cause components within the control system to malfunction or shut down, potentially damaging the equipment and/or process. To identify whether a component is susceptible to this vulnerability, please review and answer the following questions.

Questions:

* Do control system components (controllers, processors, etc.) contain reprogrammable firmware?

* Is the process of reprogramming firmware potentially accomplished remotely across a network?

* Does the process of reprogramming firmware lack an authentication mechanism or is it accomplished with publicly available authentication credentials?

* Are firmware image files stored in an unencrypted format anywhere on the system?

If you answered “yes” to more than one of these questions, you are potentially susceptible to this identified vulnerability. Development and implementation of a mitigation plan is needed to protect the installed customer base and the process used in industrial control systems of the nation.

Boreas Vulnerability Mitigation Steps

* Short Term
  o Disable the capability to perform remote firmware upgrade.
  o Block network firmware upgrades with appropriate firewall rules.
  o Use local (direct physical device access) methods to upgrade firmware.
* Long Term
  o Physically secure and encrypt firmware upgrade files during development, storage, transmission and use.
  o Utilize authentication techniques in next generation control system networks.
  o Secure the control system network using defense-in-depth techniques.

Questions should be directed to cssp@dhs.gov, the Department of Homeland Security’s National Cyber Security Division.

Warning: This document is UNCLASSIFIED/FOR OFFICIAL USE ONLY (U/FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid “need-to-know” without prior approval of an authorized DHS official.

For Official Use Only

The Greek god of the north wind sure sounds like an awfully generalized discussion of bad firmware update practices.

This isn’t so much a technical vulnerability as it is:

  • Truly excremental design on the part of the device manufacturer
  • Facile and immature thinking on the part of the integrator/operator
  • A security advisory which would be more usefully titled “Basic IT Operations for DUMMIES”
  • About the most useless problem space description and mitigating actions discussion available on the topic
  • Yet another example of the fact that no actual hackers or criminals are interested in disrupting these systems, as it is child’s play to DoS the entire system

And yet another case which proves the point that I made at DEFCON. When you fuzz or “break” a SCADA system, generally it just stops. And in stopping, it’s up to the safety systems to keep things safe. Losing control of the cookie plant does not cause the cookie plant to start manufacturing cookies that kill you. It just makes a big mess.
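The checklist’s third question (firmware reprogramming with no authentication) and the long-term mitigation of authenticated, protected upgrade files, worked through as an added example that is neither the DHS document’s nor this blog’s code: a firmware image carries an HMAC-SHA256 tag over its header and payload, and the device refuses to flash anything whose tag does not verify or whose version does not move forward. The image layout, key and version rules are assumptions made for this example; a real deployment would use a public-key signature so that no secret has to live on the device.

```python
import hashlib
import hmac
import struct

# Assumed image layout for this example (not any vendor's real format):
#   magic(4) | version(u32, big-endian) | payload_len(u32, big-endian) | payload | tag(32)
# The tag covers header + payload, so the version field cannot be edited
# without invalidating the tag (no downgrade by header tampering).
MAGIC = b"FWIM"
HEADER_LEN = 12
TAG_LEN = 32


def sign_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Build an authenticated image (done on the vendor side, not on the device)."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes, installed_version: int):
    """Device-side check before flashing. Returns (accepted, reason)."""
    if len(image) < HEADER_LEN + TAG_LEN or image[:4] != MAGIC:
        return False, "malformed header"
    version, payload_len = struct.unpack(">II", image[4:HEADER_LEN])
    if len(image) != HEADER_LEN + payload_len + TAG_LEN:
        return False, "length mismatch"          # e.g. an unsigned image with no tag
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "authentication failed"    # tampered payload or wrong key
    if version <= installed_version:
        return False, "downgrade rejected"       # replay of an old but valid image
    return True, "accepted"


# Constructed demonstration values (not real firmware or a real key).
DEMO_KEY = b"constructed-per-device-key"
DEMO_PAYLOAD = b"\x90" * 64
GOOD_IMAGE = sign_image(DEMO_KEY, 2, DEMO_PAYLOAD)

if __name__ == "__main__":
    cases = {
        "signed, newer version": GOOD_IMAGE,
        "payload byte flipped": GOOD_IMAGE[:HEADER_LEN] + b"\x00" + GOOD_IMAGE[HEADER_LEN + 1:],
        "tag stripped (unsigned)": GOOD_IMAGE[:-TAG_LEN],
    }
    for name, img in cases.items():
        print(f"{name:28s} -> {verify_image(DEMO_KEY, img, installed_version=1)}")
    print(f"{'replay of version 2':28s} -> {verify_image(DEMO_KEY, GOOD_IMAGE, installed_version=2)}")
```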


Some amusement for your Thursday. (thx quine)

Failblog.org

Due to the fact that there are only so many hours in the day, the news updates will be up after lunch.

cheers


Yesterday was rather productive. I really like that feeling at the end of the day where I’m tired but, in a good way. A sense of accomplishment. And to top it off I found Hack a Day had linked to us. A pleasant surprise. If you aren’t familiar with them I suggest giving their site a read.


And now, the news…

  1. Taiwan cracks major hacking ring, data on president stolen | AFP
  2. Some U.S. airports back to normal after computer glitch | Reuters UK
  3. Sale of one million bank account details on eBay highlights data security threat | Smart Company
  4. “Shambolic” security behind Home Office data breach | Silicon
  5. When to Worry About Security Holes–and When Not To | Washington Post
  6. Mozilla garners praise over Firefox security feature | Network World
  7. Revealed: The Internet’s Biggest Security Hole
  8. I don’t think you thought your cunning plan all the way through… | Innismir
  9. iPhone passcode lock rendered useless | Zero Day


“The horse is dead Jim.”

It’s sad that this alarm bell is still ringing but, for whatever reason, it doesn’t seem to have much effect. Now in the witless relocation program, I have been watching the critical infrastructure world from the comfort of my armchair. And from everything I hear from around North America there is still a disconnect with respect to the tedious “Us vs Them” battle that rages between control operators and IT folks.

From The Register:

A UK government minister has warned that cyber-terrorists were attempting to take out the national grid.

Security Minister Lord West of Spithead also said that state-sponsored hackers are attempting to infiltrate corporate networks to steal commercial secrets. Much of this could have been said at any time over the last four or five years, if not longer. But a number of more recent factors spice up the stew, including targeted Trojan attacks, vulnerabilities in the (now) internet-connected SCADA control systems that control power plants and recent high-profile cyber-attacks against Georgia and Estonia.

First off I will have to deduct the standard 10 points for the excessive use of the word “cyber”. That being said, targeted attacks against infrastructure are real. But, the home team is making it a little too easy at times for the baddies. Many SCADA organizations have a tendency to use insecure software and are often slow to patch. This isn’t something new. It just is.

There are bright spots on the horizon in North America at least. NERC recently announced that they had hired on Michael Assante to be their CSO. An excellent move by all accounts. And not a moment too soon when you can find things like this on Google. (hint: third link down the page & no SSL). Granted it isn’t a North American site but trust me, they are out there.


Love struck halfwit hacker gets an all expenses paid vacation to prison.

From The Greenville News:

A man who prosecutors allege hacked the Six Flags Amusement park computer system while living in the Greenville area pleaded guilty on Tuesday to a federal charge of intentionally causing damage to a computer system.

According to prosecutors, Mark Daniel Kahn, 27, inserted malicious computer code into Six Flags’ online job application forms in 2004. Kahn, prosecutors alleged, “inundated” the system with hundreds of bogus applications, some bragging he had hacked the site. Among the hacks was a message of love for his girlfriend, prosecutors said.

Not the sharpest knife in the drawer. For his troubles he could get 10 years.


This is really kinda sad. Telus signed up folks for unlimited data plans for EV-DO aircards and now they want a “do-over”. Sadly, they are apparently going out of their way to piss off their customer base by canceling their accounts outright for alleged violations.

From /.:

They were purchased by a lot of rural Canadians who had no other choice except dialup. Now TELUS is forcing everyone to switch from a $75 Unlimited plan to a $65 1GB plan, and canceling those who won’t switch.

So, from unlimited to 1GB with a barrel pressed against the temple. Not so nice. For the full piece and discussion read on.


So, my day yesterday was rather interesting. For some fool reason I was awake at 4 am today. I’m sure that not only will I hit the wall but, that wall will beat me about the head and neck with a frozen halibut.


And now, the news…

  1. Hundreds of Dutch web sites hacked by Islamic hackers | Zero Day
  2. Security Researcher Warns of Vista Vulnerabilities | PC World
  3. Child protection database ‘will be used to prosecute young people’ | The Telegraph
  4. Public, private sectors at odds over cyber security | LA Times
  5. Should Companies Share Criminal Blame In ID Theft? | Slashdot
  6. Microsoft Readies Two Browser Privacy Tools | Digital Trends
  7. Students taught computer hacking | BBC News
  8. Ten Back to School Security Tips for Administrators | Enterprise IT Planet
