Critical Information Infrastructure Protection and Security

Latest Version Of Cybersecurity Act Lessens Presidential Power

2010-03-20T02:09:00.001+08:00

The Senate Wednesday re-introduced a cybersecurity bill it considered last year, minus a provision that would have allowed the president to shut down the Internet in the event of a major cyber attack.

The Cybersecurity Act, S. 773, co-sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), is aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sectors that maintain that infrastructure... More >>

Copy Machines Can Store Your Private Info

2010-03-20T02:04:00.001+08:00

The dangers of identity theft are well-publicized. We've all been warned to shred our documents, be on the lookout for fishing scams and check our credit report regularly.

But there is a new potential threat to our identity lurking in warehouses across the country. We're talking about copy machines.

"Copy machines today are just like computers," explained Boston security expert Robert Siciliano. "They have hard drives and can store data that can be extracted." .. More >>

Cyber attacks shift to the cloud, too

2010-03-20T02:00:00.001+08:00

Cyber warfare against enterprises grows more brutal by the year, but now carriers are getting caught in the crossfire as more organizations move sensitive data into operators' clouds, according to a survey sponsored by telecom network security vendor Arbor Networks. Cloud security is a telecom issue as much as it is an enterprise issue. .. More >>

China Schools Seen Behind Cyberattacks on Google

2010-03-20T01:57:00.001+08:00

Cyberattacks on Google and other US companies came from two Chinese schools—including one with ties to the country’s military, sources close to the investigation tell the New York Times. .. More>>

Government and infrastructure tops hacking league

2010-03-20T01:49:00.001+08:00

Cybercriminals are now aggressively targeting government and critical infrastructure companies, a review of malware and attack patterns over the last year has found. .. More >>

Cloud Computing Security Guidance

2009-12-22T03:51:00.002+08:00

The Cloud Security Alliance has released its latest guide titled "Security Guidance for Critical Areas of Focus in Cloud Computing V2.1" which can be found here.

Hackers Intercepted Drone Spy Videos

2009-12-22T03:46:00.001+08:00

Insurgents in Iraq have hacked into live video feeds from Predator drones, a key weapon in a Pentagon spy system that serves as the military's eyes in the sky for surveillance and intelligence collection.

Though militants could see the video, there is no evidence they were able to jam the electronic signals from the unmanned aerial craft or take control of the vehicles, a senior defense official said Thursday, speaking on condition of anonymity to discuss sensitive intelligence issues.

Obtaining the video feeds can provide insurgents with critical information about what the military may be targeting, including buildings, roads and other facilities.

Shiite fighters in Iraq used off-the-shelf software programs such as SkyGrabber -- available for as little as $25.95 on the Internet -- to regularly capture drone video feeds, the Wall Street Journal reported Thursday. The hacking was possible because the remotely flown planes have an unprotected communications Relevant Products/Services link. .. More >>

FAA glitch causes widespread US air travel delays

2009-12-22T03:40:00.002+08:00

ATLANTA – Air travelers nationwide scrambled to revise their plans Thursday after an FAA computer glitch caused widespread cancellations and delays for the second time in 15 months. TheFederal Aviation Administration said the problem, which lasted about four hours, was fixed around 9 a.m., but it was unclear how long flights would be affected.

It started when a single circuit board in a piece of networking equipment at a computer center in Salt Lake City failed around 5 a.m., the FAA said in a statement.

That failure prevented air traffic control computers in different parts of the country from talking to each other. Air traffic controllers were forced to type in complicated flight plans themselves because they could not be transferred automatically from computers in one region of the country to computers in another, slowing down the whole system. .. More >>

Hackers Plan to Clobber the Cloud, Spy on Blackberries

2009-10-25T20:34:00.004+08:00

October 05, 2009 — IDG News Service — A new era of computing is on the rise and viruses, spies and malware developers are tagging along for the ride.

The new playground for hackers is "the cloud," the term for computer applications and services hosted on the Internet. Some of the devices making the cloud more popular these days are BlackBerries and other smartphones.

"The focus [of security] is definitely moving towards 'the cloud' and to the security of embedded devices (Android, iPhone) to more advanced client-side attacks which leverage on Web 2.0 technologies, such as attacks on Facebook, Twitter and other popular sites," said Dhillon Andrew Kannabhiran, host and organizer of the Hack In The Box (HITB) security conference in Kuala Lumpur, Malaysia this week.

HITB is one of the most prominent security conferences in Asia and now runs twice a year. The big show is in Malaysia, while the newer, yet smaller HITB is held in Dubai. The conference brings together leading security experts and draws self-proclaimed hackers, but Kannabhiran says it's not a wild hacker party. It offers knowledgeable presentations by leading experts in an informal setting, where people can ask questions and meet presenters at events throughout the week.

"Clobbering the Cloud" and "Spying on BlackBerry Users for Fun" are actually titles of two presentations slated for the HITB conference on Wednesday. Other interesting titles include "How to Own the World - One Desktop at a Time" and "Offensive Cloud Computing With Hadoop and Backtrack." .. More >>

SKorea to train 3,000 'cyber sheriffs': report

2009-09-14T20:05:00.001+08:00

SEOUL — South Korea plans to train 3,000 "cyber sheriffs" by next year to protect businesses after a spate of attacks on state and private websites, a report said Sunday.

The "cyber sheriffs" would be tasked with "protecting corporate information and preventing the leaks of industrial secrets," Yonhap news agency said.

In the event of cyber attacks, the National Intelligence Service, the country's main spy agency, would set up a taskforce including civilian and government experts to counter the online threats, it added. ... More >>

Government Is Falling Behind on Cybersecurity, Report Finds

2009-08-01T11:21:00.003+08:00

"Cyber In-Security" says the federal government is falling behind in the race to keep its computer operations safe because the workforce has too few well-trained cybersecurity experts.

"Critical government and private sector computer networks are under constant attack from foreign nations, criminal groups, hackers, virus writers and terrorist organizations," says the study, published by the Partnership for Public Service and Booz Allen Hamilton. .. More >>

Insider May Have Breached More Than 10,000 Patient Records At Johns Hopkins

2009-06-09T11:08:00.004+08:00

An employee at Johns Hopkins Hospital may have leaked the personal information of more than 10,000 patients in an identity fraud scam.

According to a report filed to the administrator of the state of Maryland's Identity Theft Program (PDF), some 31 individuals with connections to Johns Hopkins have reported identity thefts since Jan. 20. Law enforcement agencies suspect the thefts might be part of a fraudulent driver's license scheme discovered in neighboring Virginia.

In researching the thefts, members of the Johns Hopkins security department discovered that a single employee who worked in patient registration may have used her access privileges to review data on more than 10,000 patients while working at the hospital. The now-former employee is expected to be indicted for stealing the data, the report states.

The hospital emphasizes that the breach was not a hacking incident, but that the employee had access to the records as part of her job... More >>

Hackers Arrested In China After Feud Causes Major Outage

2009-06-09T11:03:00.003+08:00

DDoS feud between underground gaming services allegedly caused temporary Internet outage across more than 20 provinces .. More >>

Thousands of Vulnerabilities Detected In FAA's Air Traffic Control Apps

2009-05-10T02:15:00.002+08:00

A government audit (PDF) has pinpointed more than 3,800 vulnerabilities -- 763 of which are high-risk -- in the Federal Aviation Administration's Web-based air traffic control system applications, including some that could potentially put air travel at risk.

The U.S. Department of Transportation report, with the help of auditors from KPMG, determined that the ATC's Web-based applications aren't secured from attacks or unauthorized access, and that the FAA hasn't set up the necessary intrusion-detection functions to catch security incidents at ATC locations.

And the FAA's Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, "including critical incidents in which hackers may have taken over control of ATO computers," the report says.

The auditors tested 70 of the FAA's ATC Web applications, including ones that provide information to the general public, as well as to pilots and controllers, and some internal apps. Of the vulnerabilities they discovered, nearly 2,600 were considered low-risk threats, such as unprotected folders of sensitive data and weak passwords... More >>

Researchers Find Massive Botnet On Nearly 2 Million Infected Consumer, Business, Government PCs

2009-04-28T18:13:00.002+08:00

Researchers have discovered a major botnet operating out of the Ukraine that has infected 1.9 million machines, including large corporate and government PCs mainly in the U.S.

The botnet, which appears to be larger than the infamous Storm botnet was in its heyday, has infected machines from some 77 government-owned domains -- 51 of which are U.S. government ones, according to Ophir Shalitin, marketing director of Finjan, which recently found the botnet. Shalitin says the botnet is controlled by six individuals and is hosted in Ukraine. .. More >>

Computer Spies Breach Fighter-Jet Project

2009-04-26T06:48:00.003+08:00

WASHINGTON -- Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks.

Similar incidents have also breached the Air Force's air-traffic-control system in recent months, these people say. In the case of the fighter-jet program, the intruders were able to copy and siphon off several terabytes of data related to design and electronics systems, officials say, potentially making it easier to defend against the craft. .. More >>

Conficker worm hits University of Utah computers

2009-04-18T19:52:00.005+08:00

SALT LAKE CITY (AP) — University of Utah officials say a computer virus has infected more than 700 campus computers, including those at the school's three hospitals.

University health sciences spokesman Chris Nelson said the outbreak of the Conficker worm, which can slow computers and steal personal information, was first detected Thursday. By Friday, the virus had infiltrated computers at the hospitals, medical school, and colleges of nursing, pharmacy and health.

Nelson says patient data and medical records have not been compromised.

"That's secured in a much deeper way because of the implications," he said.

Nelson said the virus is mainly attacking personal computers and could be siphoning login and password data, credit card numbers and banking information.

Directions for purging the virus from personal computers and equipment like thumb drives, digital cameras and smart phones has been distributed to staff and students.

Information technology staff shut of Internet access for up to six hours at some campus locations Friday so they could isolate the virus. They were expected to work through the weekend to eradicate it from the system. .. More >>

Some articles on penetration testing

2009-04-12T11:06:00.003+08:00

Six hours to hack the FBI

5 free penetration testing tools

Cost effective penetration testing

Core Impact penetration testing tool (not free)

Electric Power Grid Vulnerabilities

2009-04-12T05:21:00.004+08:00

The following is a collection of news articles (non-exhaustive) on the vulnerabilities of the power grid and alleged penetration. Click the titles of the articles below for further information.

Simulated attack points to vulnerable power infrastructure (Sept 28,2007)

Critical infrastructure often under attack (Nov 11, 2008)

Power grid is found susceptible to cyberattack (March 21, 2009)

Electric Grid in US Penetrated by Spies (April 8, 2009)

China denies attack on US power grid (April 9, 2009)

Senate bill would give feds bigger cybersecurity role in private sector

2009-04-11T18:36:00.001+08:00

Legislation calls for new security standards for government and critical infrastructure systems
By Jaikumar Vijayan

April 1, 2009 (Computerworld) Two U.S. senators are proposing legislation that would give federal officials significant new authority to create and enforce data security standards both for government agencies and key parts of the private sector.

The Cybersecurity Act of 2009, which was introduced by Sens. Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.), would empower the National Institute of Standards and Technology (NIST) to establish "measurable and auditable" security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services. In addition, NIST would be charged with developing a standard for testing and accrediting software built by or for those groups.

The bill also calls for the creation of a national cybersecurity adviser's office within the Executive Office of the President. Under the proposal, the new operation would be modeled after the Office of the U.S. Trade Representative and have the power to compel federal agencies to comply with government security mandates.

According to a statement posted on Snowe's Web site Wednesday, the new legislation is aimed at reinforcing ongoing cybersecurity efforts within the government while also ensuring that proper safeguards are implemented for critical infrastructure targets within the private sector, such as banking and power systems. .. More >>

Conficker/Downadup Evolves To Defend Itself

2009-03-25T15:15:00.001+08:00

The enigmatic Conficker worm has evolved, adopting new capabilities that make it more difficult than ever to find and eradicate, security researchers say.

In a blog published late last week, researchers at Symantec said they found "a completely new variant" of Conficker, sometimes called Downadup, that is being pushed out to machines previously infected with earlier versions of the worm.

The new variant, which Symantec calls W32.Downadup.C, appears to have defensive capabilities that weren't present in earlier versions. While it spreads in the same manner, "Conficker.C" can disable some of the tools used to detect and eradicate it, including antivirus and other antimalware detection tools.

W32.Downadup C also can switch domains at a much greater rate, Symantec said. "The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm," the researchers reported. "The new domain generation algorithm also uses one of a possible 116 domain suffixes." .. More >>

'The Analyzer' Hack Probe Widens; $10 Million Allegedly Stolen From U.S. Banks

2009-03-25T15:08:00.001+08:00

Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global "cashout" conspiracy.

The U.S. hacks have resulted in at least $10 million in losses, according to court records obtained by Threat Level, and are just part of a larger international conspiracy to hack financial institutions in the United States and abroad. .. More >>

Expert: Hackers Penetrating Control Systems

2009-03-25T15:04:00.001+08:00

The networks powering industrial control systems have been breached more than 125 times in the past decade, with one resulting in U.S. deaths, a control systems expert said Thursday.

Joseph Weiss, managing partner of control systems security consultancy Applied Control Solutions, didn't detail the breach that caused deaths during his testimony before a U.S. Senate committee, but he did say he's been able to find evidence of more than 125 control systems breaches involving systems in nuclear power plants, hydroelectric plants, water utilities, the oil industry and agribusiness.

"The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths," he told the Senate Commerce, Science and Transportation Committee. "We've already had a cyber incident in the United States that has killed people." .. More >>

Industrial Control Systems Killed Once and Will Again, Experts Warn

2009-03-25T15:01:00.001+08:00

On June 10th, 1999 a 16-inch diameter steel pipeline operated by the now-defunct Olympic Pipeline Co. ruptured near Bellingham, Washington, flooding two local creeks with 237,000 gallons of gasoline. The gas ignited into a mile-and-a-half river of fire that claimed the lives of two 10-year-old boys and an 18-year-old man, and injured eight others.

Wednesday, computer-security experts who recently re-examined the Bellingham incident called its victims the first verified human causalities of a control-system computer incident. They argue that government cybersecurity standards currently under debate might have prevented the tragedy. ... More >>

French fighter planes grounded by computer virus

2009-02-23T07:54:00.004+08:00

French fighter planes were unable to take off after military computers were infected by a computer virus, an intelligence magazine claims.

The aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand.

At one point French naval staff were also instructed not to even open their computers.

Microsoft had warned that the "Conficker" virus, transmitted through Windows, was attacking computer systems in October last year, but according to reports the French military ignored the warning and failed to install the necessary security measures. >> More ..

Trojan Virus affects thousands of pirated copies of Apple’s iWork ‘09 Suite - Botnets attack websites

2009-02-07T11:23:00.001+08:00

Malware masquerading as part of Apple’s iWork ‘09 suite has targeted unsuspecting Mac users foolish enough to illegally download and install the pirated version of the software commonly found on warez sites around the Web.

Once iWork ‘09 is downloaded and installed, the trojan horse named OSX.Trojan.iServices.A, obtains unrestrained root access, which it immediately uses to connect to a remote server over the Internet. A secondary download installs malware that makes victims part of a botnet army that is said to be attacking undisclosed websites. According to Mac antivirus software maker Intego, this is the latest reminder of the growing popularity of Apple’s OS X and virus & malware developers. Over the past year, a mix of trojans and exploits have been targeting OS X at increasing rates. >> More ..

Electronics Firm Faces FTC Lawsuit Following Multiple Hacks

2009-02-07T09:33:00.003+08:00

Warning to security professionals: If you don't do your job right, then it might not only be a firing offense -- it might be a federal offense.

Case in point: An online seller of computer supplies and other consumer electronics today agreed to settle Federal Trade Commission (FTC) charges that it violated federal law by failing to provide reasonable security to protect sensitive customer data. The FTC is charging that the company didn't do enough to prevent SQL injection attacks that compromised customer data. >> More ..

Four Threats For '09 That You've Probably Never Heard Of (Or Thought About)

2009-02-01T12:46:00.001+08:00

The 2009 potential threats are ... mainly large-scale Internet threats that could trickle down to your organization. We're talking Internet network infrastructure attacks, radical extremist hackers, Web attacks that adversely affect online ad revenue, and even the unthinkable -- human casualties as a result of a cyberattack. >> More ..

Insider plot to take down Fannie Mae's (a mortgage lender) servers thwarted

2009-01-31T16:04:00.004+08:00

Washington (DC) - On October 29, 2008, a vigilant senior Unix engineer happened across a "logic bomb" that was allegedly planted by a contractor, Rajendrasinh Babubhai Makwana, who had worked in their Urbana, MD facility until October 24, 2008 when his contract was terminated. The script was set to activate on January 31, 2009 and would completely wipe all of Fannie Mae's 4,000 servers. According to engineers, had it done so it would've caused "millions of dollars in damage, and possibly shut down operations for a week." ..>> More ..

Israel hacks Arab TV station - Cyberspace becomes battleground in Gaza conflict

2009-01-13T03:51:00.003+08:00

Israeli military forces have reportedly hacked into a Hamas-run TV station to broadcast propaganda. >> More ..

2008: A year of cowboys in IT security

2009-01-13T03:44:00.001+08:00

Security pundits are fond are characterising personalties in information security with reference to Westerns - hence hackers wear either a "black hat" or a "white hat" like their cowboy counterparts.

Probably the biggest security story of the year was the take-down of infamous cybercrime hosting outfit McColo. The rogue ISP hosted the command and control systems for three botnets - Srizbi, Rustock and Mega-D. Junk mail levels temporarily fell to a third their normal level following the takedown of McColo in November. >> More ..

US cybersecurity defences fail to thwart mock cyberattack

2009-01-13T03:39:00.002+08:00

Critical US electronic systems have failed to withstand a simulated cyberattack.

Participants in a recent cyber-warfare exercise told Reuters that the exercise highlighted problems in leadership, communications and readiness. The two-day exercise brought together 230 government agencies, private firms and other participants. Participants were split into two groups - attackers and defenders - before each developed tactics for attacking and defending critical infrastructure systems, such as those controlling banking, telecommunications and utilities. >> More ..

London Hospital back online after computer virus shutdown

2009-01-13T03:36:00.001+08:00

Computer systems at three major London hospitals are largely back online on Friday morning, three days after a major computer virus outbreak forced staff to disconnect the network.

IT systems at St Bartholomew's (Barts), the Royal London Hospital in Whitechapel and the London Chest Hospital in Bethnal Green were taken down on Tuesday following infection by the Mytob worm. The three hospitals make up the Barts and the London NHS Trust. >> More ..

DDoS attack floors Georgia prez website

2009-01-13T03:32:00.001+08:00

A denial of service attack hit government websites in the former Soviet republic of Georgia over the weekend amid growing diplomatic tensions between the country and Russia.

The DDoS assault on the website of Georgian President Mikhail Saakashvili rendered it unavailable over the weekend. The attack was run via botnet networks of compromised PCs. Shadowserver charts the command and control servers used in the attack, in an analysis here. >> More ..

Hack Turns Application Code Against Itself ... New attack uses application flaws to force good code to go rogue

2008-11-01T21:33:00.001+08:00

Turns out you don't need malware to exploit a security flaw in an application: A pair of researchers has found a way to automatically make good code do bad things.

Researchers from the University of California at San Diego (UCSD) have devised a technique that basically lets an attacker bypass built-in system defenses aimed at blocking malware, and then execute instructions from inside the application. The process uses an application's vulnerability to turn it against the system on which it runs.

An attacker could take advantage of a flaw in a Web browser, for instance, to force the browser to spam the user's address book using only the browser's own code, according to the researchers. .. More >>

Auditors rap IRS for weak information security

2008-11-01T21:29:00.001+08:00

The Internal Revenue Service has failed to secure sensitive electronic taxpayer information properly, increasing the potential for identity theft, according to an audit report released on Thursday.

The inspector general review of three computer systems at the IRS Office of Research, Analysis and Statistics showed several weaknesses in control over access to applications containing sensitive information.

"Managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they are charged with protecting," the report stated. Furthermore, officials failed to provide guidance or monitor compliance with IRS information security policies, and did not supply software to scan for security weaknesses, the IG found. .. More >>

IRS finds unauthorized Web servers connected to its networks

2008-11-01T21:25:00.001+08:00

The Internal Revenue Service found more than 1,000 unauthorized Web servers connected to its networks, leaving the agency's systems open to hackers, according to a report released on Thursday by the IRS inspector general.

In September 2007, the IRS Computer Security Incident Response Center scanned the agency's Web servers and identified 2,093 that had at least one security vulnerability. When the center matched those servers to the IRS database of registered Web sites and servers, an inventory of systems that the agency uses to perform security maintenance and apply patches, it found 1,811, or 87 percent, were not listed in the database.

Of the unregistered servers, the IRS identified 661 that were used for legitimate agency business, leaving 1,150 servers being used for potentially unauthorized activity, according to the report. .. More ..

Revealed: The Internet's Biggest Security Hole

2008-09-21T09:28:00.000+08:00

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness. .. More ..

European companies forced to own up to data losses

2008-09-21T09:24:00.002+08:00

European companies will be forced to tell customers if their personal data has been lost or stolen, as part of a new EC directive.

The data breach notification provision is part of the ePrivacy Directive that is currently being debated by the EU. ... More ..

Hacked Texas National Guard site serves up malware

2008-09-21T09:15:00.000+08:00

Attackers have hacked the Web site of the Texas National Guard and are using it to serve up offers of fake security software and plant rootkits on unpatched PCs. .. More..

GAO Report Slams US Cybersecurity, US-CERT, and DHS

2008-09-21T09:06:00.001+08:00

The U.S. Government Accountability Office (GAO) is finalizing its report on the country's capability to protect and defend itself from cyber-attack, and its words are not kind. The primary responsibility for monitoring and securing the country's networks and digital assets falls to the United States Computer Emergency Readiness Team, or US-CERT, a partnership organization between the Department of Homeland Security (DHS) and both the public and private sectors. Founded in September 2003, US-CERT was responsible for the 2004 Einstein initiative, meant to detect and collect information on attacks at government agencies, and is currently backing the expanded (and hopefully more widely deployed) Einstein 2 program. .. More..

Hacker Shuts Down Government Computers

2008-05-28T20:19:00.001+08:00

AN EXPERT hacker allegedly shut down the Northern Territory Government computer system and deleted thousands of employees' identities, a Darwin court heard yesterday.

And the court heard the Government could still be at risk of another cyber attack.

David Anthony McIntosh, 27, allegedly hacked in and shut down several NT Government databases on May 5, including servers for the Health Department, Royal Darwin Hospital, Berrimah Prison and Supreme Court using his laptop at a Palmerston home. >> More ..

Homeland Security reveals threats and the plans to counter the threats and attacks

2008-05-11T21:56:00.004+08:00

The US Department of Homeland Security had a security summit where the Assistant Secretary of Cybersecurity and Communications, Greg Garcia, provided some remarks about the current challenges and threats and the need for all critical infrastructure entities to work together to share information to face the threats that are not merely increasing but alos has gone to another level of sophistication. More details can be found here .. >> More ..

India Cites Ongoing Chinese Cyber Attacks

2008-05-11T21:51:00.001+08:00

A year and a half of electronic warfare against public and private network resources in India has been traced back to a variety of attacks and antagonists in China.

Botnets, keyloggers, and network mapping all plague India on a regular basis, as its gigantic rival in Asia seeks weaknesses within the country's information infrastructure. >> More ..

CNN Site Hit by China Attack

2008-04-23T13:17:00.007+08:00

In the recent unrest between China and Tibet, the CNN site has been attacked.

At its peak, the attack has sucked up 100MB/S in bandwidth, enough to slow the news Web site for some visitors. >> More ..

Hackers find a way to crack popular smartcard in minutes

2008-03-20T16:42:00.001+08:00

People are starting to wake up to the fact that RFID-enabled smartcards now can be far more easily, and cheaply, cracked than ever before, as a trio of young computer experts recently showed.

These are a particular type of processor-embedded cards, and are different from credit cards. The actual decryption work by the researchers was done on the widely deployed Mifare Classic wireless smartcard, now manufactured by a Philips spinoff, NXP Semiconductors. Decrypted, the cards can be counterfeited, and users' personal and bank data is exposed. >> More ..

US Law makers voice concerns over cybersecurity plan

2008-03-20T16:34:00.001+08:00

Members of the House of Representative sought details, on Thursday, of a $30 billion plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals.

Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of interconnections between federal government networks and the Internet and put more advanced network security in place to monitor data traffic for signs of malicious attacks. While the 5- to 7-year project could dramatically improve the network defenses of government agencies, law makers questioned whether the initiative will be too little, too late, and whether the resulting network monitoring could undermine privacy.

"It's hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure," Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday. "I believe cybersecurity is a serious problem -- maybe the most complicated national security issue in terms of threat and jurisdiction. This problem will be with us for decades to come." >> More ...

Trend Micro Hit by Massive Web Hack

2008-03-20T16:25:00.002+08:00

Security vendor Trend Micro has fallen victim to a widespread Web attack that splashed malicious software onto hundreds of legitimate Web sites in recent days.

A Trend Micro spokesman confirmed that the company’s site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site -- some pages were attacked," said Mike Sweeny, a Trend Micro spokesman. "We took the pages down overnight Tuesday night -- and took corrective action." >> More ..

Chinese hackers: No site is safe

2008-03-11T11:01:00.001+08:00

ZHOUSHAN, China (CNN) -- They operate from a bare apartment on a Chinese island. They are intelligent 20-somethings who seem harmless. But they are hard-core hackers who claim to have gained access to the world's most sensitive sites, including the Pentagon.

In fact, they say they are sometimes paid secretly by the Chinese government -- a claim the Beijing government denies.

"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness," says Xiao Chen, the leader of this group. >> More ..

Cyber Preparedness Symposium Leaves Unanswered Questions

2008-03-11T10:17:00.001+08:00

WASHINGTON -- National Symposium on Unifying Cyber Preparedness Efforts -- Leaders of industry and academia today agreed that they need to work better together to prepare for cyber security threats. They just didn’t seem sure how to do it, or exactly what the threats are.

In a microcosm of the cross-industry, cross-disciplinary problems that it was called to help resolve, the symposium demonstrated a desire among some sectors to improve the security situation in the U.S., but few concrete ideas on how to coordinate the so-called “silos of excellence” that remain disconnected across the country.

Indeed, the panelists and participants showed little agreement on what “cyber preparedness” really means -- the half-day discussion meandered from defending against attacks on the nation’s government and infrastructure to resolving specific vulnerabilities on end-user PCs.

The idea was to discuss how government, industry, critical infrastructure providers, Congress, and academia can work together to build a cross-disciplinary effort to prepare for cyber threats.
>> More ..

Forgotten IT chores may have led to bank meltdown

2008-03-01T17:04:00.005+08:00

While the protection of CII may often be focused on protection from external threats and internal threats, some of the simple and basic practices pertaining to security must be followed to ensure that there are no loopholes in the system that can be exploited. Employees should generally be trusted (if not you have a big problem in your organisation). However segregation of responsibilities and implementing management controls are still important practices that must be enforced.

In January 2008, a French Bank incurred huge losses due to poor enforcement of internal controls and segregation of responsibilities. The losses were result of an employee ... who was doing his job!!.

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion (US$7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank said. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding the old passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop," said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, said Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden said. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes so it is not an impediment, Walden said. >> More..

Half of 2006 vulnerabilities still unpatched

2008-03-01T16:57:00.003+08:00

It is important that when vendors send patch updates, these are implemented to prevent weaknesses from being exploited and depending on the system set up, can cause major interruptions to infrastructure. Despite its importance organisations still lack the diligence to keep up in updating the patches.

More than 3600 vulnerabilities discovered last year remain unpatched, according to a study.

The IBM Internet Security Systems (ISS) X-Force report for 2007 found of the 6437 vulnerabilities discovered, 20 percent of those targeting Microsoft, Apple, Oracle, IBM and Cisco were still in the wild up to 12 months later.

More than 50 percent of remaining 6200 flaws targeting other solutions remain currently unpatched. >> More....

Idaho National Laboratory - Research on National Security

2008-02-17T07:40:00.002+08:00

The Idaho National Laporatory's (INL) National and Homeland Security Division is one of serveral organisations inthe USA involved in CNII protection research.

The National and Homeland Security Division conducts sustainable programs focused in Global Security, Homeland Security, National Defense, Energy Security, and Special Programs.

Hackers Gone Wild ... Hacks on a massive scale

2008-02-17T07:28:00.003+08:00

While previously hacks may be one off incidents posing threats to a small segment. Today the scenario is different.

We're looking at massive, well-organized plans to take over vast portions of the Net. Case in point: The SQL Injection exploit that infected more 70,000 sites .. more.

US plans to 'fight the net' revealed

2008-02-17T07:24:00.004+08:00

A newly declassified document gives a fascinating glimpse into the US military's plans for "information operations" - from psychological operations, to attacks on hostile computer networks.

Should nations care and worry about this as a threat to their CNII, we dont really know. But apart from the US, it is possible that some other nations or organised entities have similar aspirations, if not plans. .. more..

Cut cable disrupts Internet in Middle East

2008-02-17T07:13:00.004+08:00

Two underwater cables in the Mediterranean Sea were damaged in January 2008, dragging Internet connections throughout the Middle East and in parts of Asia to a crawl. This is a classic example of massive interruptions to CNII, though the scenario if one for which most would not have incorporated in the list of probabilities .. more..

Further questions are raised about the said vulnerability, possible but deemed improbable. more

The 5 Coolest Hacks of 2007

2008-01-03T01:11:00.000+08:00

Hackers are creative folk, for sure. But some researchers are more imaginative and crafty than others. We're talking the kind of guys who aren't content with finding the next bug in Windows or a Cisco router. Instead, they go after the everyday things we take for granted even more than our PCs -- our cars, our wireless connections, and (gulp) the electronic financial trading systems that record our stock purchases and other online transactions. >> More ..

CISCO's 2007 Annual Security Report

2008-01-03T00:51:00.000+08:00

CISCO has released its 2007 Annual Security Report which provides an overview of the combined security intelligence of the entire CISCO organisation. The report encompasses threat information and trends collected between January and September 2007, and provides a snapshot of the state of security for that period. The report provides recommendations from CISCO security experts and predictions of how identified trends will continue to unfold in 2008.

Security trends and recommendations are organized into seven major risk categories:

- Vulnerability
- Physical
- Legal
- Trust
- Identity
- Human
- Geopolitical

The report also provides a high-level perspective on the issues currently shaping the security space, as well as insights into how security professionals and businesses can expect the industry to change over the next several years. The report can be downloaded here.

Antivirus Protection Worse Than a Year Ago

2008-01-03T00:38:00.000+08:00

The effectiveness of antivirus software has fallen off, and more and more pests can now slip past these barriers. This is the sobering conclusion the german computer magazine c't comes to in issue 1/08 with a test on 17 antivirus solutions. For the first time, c't also tested the behavioural blocking system they use. >> More ..

LOGIIC – Linking the Oil and Gas Industry to Improve Cyber Security

2008-01-03T00:18:00.000+08:00

LOGIIC is a unique collaborative forum (initiated by the US Department of Homeland Security) where government and industry are focusing on cyber security issues for the oil and gas industry that are best addressed collaboratively. The needs of the infrastructure owners and operators are driving the formation of projects, supported by government and independent experts. The forms for future collaboration are currently being established, and new projects will be forthcoming.

One such project was the the LOGIIC 2005-2006 Correlation Project.

The LOGIIC Correlation Project was a 12-month technology integration and demonstration project jointly supported by industry partners and the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). The project demonstrated an opportunity to reduce vulnerabilities of oil and gas process control environments by sensing, correlating and analyzing abnormal events to identify and prevent cyber security threats.

A detailed description of the LOGIIC Correlation Project can be downloaded from here.

This collaboration model between Government and industry can be similarly applied to other industry sectors.

SCADA Security and CNII - Digital Bond

2008-01-03T00:07:00.000+08:00

This Digital Bond site is a site that has articles and blogs on SCADA security with a focus on CNII issues. There are several blog categories that discusses a wide range of related topics. Have a look at the site to get some key information and knowlegde about SCADA security. >> More ..

SCADA and Control System Security - Views From An Expert

2008-01-02T23:37:00.000+08:00

Joseph Weiss is one of the leading experts in control system security. He provides some interesting insights about control systems and including SCADA, DCS and PLC and the security issues surrounding these in an interview found here.

He explains among other things that "A control system has several unique attributes. Number one, a control system must be absolutely highly reliable. It can't shut down very often. So, unlike a business system where you can shut it down over the weekend, the system that controls the power plant must have almost 100 percent reliability or some form of backup to maintain the 100 percent reliability. It is extremely important." This characteristic brings in itself a very unique perspective about security implementation related to control systems.

In a later part of the interview he has this to say about control systems getting hit: "My very, very, very strong feeling is, if and when we get hit, we will never know why we were hit. All we will know is breakers are opening, valves are closing, certain things are happening. But we won't have a clue as to why."

The interview contains a lot of other interesting insights and examples of incidents and lessons learnt that would be useful for anybody interested in CNII and control systems in particular. >> More ..

ICT Security Education and Awareness for Students

2008-01-02T23:11:00.000+08:00

Learning to use the Internet safely should begin at a young age in school so that the generation of youth has the basic knowledge to practice and infuse or inculcate safe Internet use when they join the workforce. Some students have the ability to explore and find out the best practices themselves while yet the majority of others need to be taught or guided. The Hacker Highschool site is one of several websites that provides easy to follow materials on safe Internet use for school children.

The Hacker Highschool project is the development of license-free, security and privacy awareness teaching materials and back-end support for teachers.

Today's kids and teens are in a world with major communication and productivity channels open to them and they don't have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.

In HHS, you will find lessons on utilizing Internet resources safely such as web privacy, chat protection, viruses and trojans (malware), and the over-all focus on how to recognize security problems on your computer. HHS is a great supplement to student course work or as part of after-school and club activities.The HHS program is developed by ISECOM, a non-profit, open-source research group focused on security awareness and professional security development and accreditation. >> More ..

Insecurities in Healthcare Applications

2007-12-28T15:43:00.000+08:00

Healthcare applications can be exploited with disastrous consequences if not adequately secured.

Healthcare apps keep sensitive medical records of patients. Though different types of healthcare applications are exposed to different sets of threats, there’s a pattern to threats they face.
This articel discusses some of the exposures that healthcare applications face. >> More ....

Top Ten Information Security Risks of 2008

2007-12-28T15:27:00.000+08:00

This list which in fact covers Threats, Vulnerabilities, Impacts, Risks and Controls assembled by the CISSP Forum and the ISO 27K Implementers' Forum. The list of course includes threats and risks to Critical Information Infrastructure.

Those who are still confused with the definition and differences of Threat, Vulnerabilityu, Impact, Risk and Control, this article does list and discuss the brief definitions and the actual lists of the above will illustrate the definition further.

This is a must read for all involved in security. >> More...

Catch me if you can star offers IT security advice

2007-12-03T10:30:00.000+08:00

Frank Abagnale started off on the wrong side of the law by deceit and forgery to earn large amounts of money but was later caught. This was in the 60s when he was a teenager. His forgery talents did not go unnoticed and he was offered a job with the FBI in lieu of the rest of his jail sentence. His job is ... of course ... to pin down on forgery crimes.

His adventures were told in a book and a subsequent movie called "Catch me if you can".

This article is an interview with him where amongst other things he explained that:
1. It is way easier to commit forgery today than 40 years ago
2. We can have all the sophisticated security systems but the weakest link is still the human link.
3. Some laws passed recently are plain stupid.
4. Ethics must be reintroduced in education and must be a part of corporate culture.
5. We must be thinking out of the box when addressing security.
6. Simple solutions should be preferred than sophisticated ones.

While the above points appear obvious, it is certainly refreshing from a person who has been on both sides of the law. His thoughts and views are certainly key pointers for any entity managing critical infrastructures to gain a lesson or two from the perspective of security.

Top 5 Worst IT Security Mishaps of 2007

2007-12-03T07:28:00.000+08:00

Even though 2007 is not over, there are more than sufficient contenders for the top 5 position of the worst IT Security Mishaps of 2007. Though most of the mishaps relate to substantial data leakage, the examples are enough to raise alarm and concern about security breaches in the most trivial of cicumstances. >> More ..

World on Brink of Cyber Cold War

2007-12-03T07:14:00.000+08:00

A "cyber cold war" waged over the world's computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday.

About 120 countries are developing ways to use the internet as a weapon to target financial markets, government computer systems and utilities, internet security company McAfee said in an annual report. >> More ..

In yet another article titled "US warned of 'aggressive' Chinese cyberspying, it was mentioned that Chinese espionage poses "the single greatest risk" to US technology, a congressional advisory panel said on Thursday. The panel also called for efforts to protect industrial secrets and computer networks. >> More ..

Did NSA Put a Secret Backdoor in New Encryption Standard?

2007-11-20T07:07:00.000+08:00

In a recent article, Bruce Schneier, a renowned expert on cryptology and security highlighted that a new random-number standard (for encryption) includes an algorithm that is slow, badly designed and just might contain a backdoor for the US National Security Agency.

The standard is found in NIST Special Publication 800-90.

The article may be quite technical but is enough to raise concerns that backdoors may exist in a puportedly secure software component.

This leads to the conclusion and emphasis that it is imperative for nations to have their own indigeneous technologies inkey security areas in order to minimise exposure to shortcomings or backdoors that leave the system vulnerable to attacks or intrusions. >> More ..

2006 OS Vulnerability Summary

2007-11-19T05:22:00.000+08:00

This report analyses and discuss about the OS Vulnerabilities. >> More..

Make No Assumptions. Security Begins With the Basics. YOU

2007-11-14T07:28:00.001+08:00

There have been previous news about vendors releasing software with viruses, security vendor sites being compromised and similar incidents.

The mishaps continue ...

In a recent news article in Network World Asia titled "Seagate ships virus-laden hard drives", it was reported that:

"If you bought one of Seagate's Maxtor Basics consumer hard drives recently, check it for viruses. Especially if you're a gamer.

Seagate is warning that a "small number" of its Maxtor Basics Personal Storage 3200 hard drives recently shipped with the Virus.Win32.AutoRun.ah virus, malicious software that "searches for passwords for online games and sends them to a server located in China," according to a note posted on the Seagate Web site. Only drives purchased since August 2007 are affected, Seagate said." >> More ..

This time it is gaming software players who are the targets. Could it be anything else next time like bank accounts or access to corporate sites .... the possibility is so broad.

In yet another article in Network World Asia titled "Indian news site dispensing malware", it was mentioned that:

"The Web site of IndiaTimes, the online news site of the Times Group, one of India's large news and entertainment groups, exposed visitors to malware, according to an advisory Friday by ScanSafe Inc.

ScanSafe first detected and blocked malware on the site on October 25. ScanSafe is still investigating the reach of this attack, but given the popularity of the site and the amount of malware involved, the company is urging caution, it said in its advisory Friday. Only certain pages of the Indiatimes.com are infected, the advisory added." >> More ..

The above news basically pass the message that all users should not make any assumptions about any hardware or software they acquire or install and any website that they access as the malware can be embedded in just about anywhere and in the most unlikely of all places.

Hence defence against the consequences of such incidents requires users to be sufficiently aware, educated and acculturated about good computing practices including:

1. Having good anti-malware protection that is installed and running
2. Access to credible sites only and avoid strange or unusual sites
3. Ensure that any devices plugged in especially the usb devices are scanned for viruses before use.
4. Reminding peers about good computing practices.

A good defence for both personal and organisational or corporate use begins with YOU.
It may be that through your simple negligence, the whole corporate network that you are using and critical systems can be affected.

Pentagon: Our new robot army will be controlled by malware

2007-11-12T13:03:00.000+08:00

This article emphasises the importance of developing indigeneous technologies rather than outsource the critical elements.

A US defence department advisory board has warned of the danger that American war robots scheduled for delivery within a decade might be riddled with malicious code. The kill machines will use software largely written overseas, and it is feared that sinister forces might meddle with it in production, thus gaining control of the future mechanoid military.

The most eye-catching of the equipment mentioned is the lineup of the US Army's Future Combat Systems (FCS) programme. FCS was originally supposed to include a wide range of deadly unmanned systems, including a small, possibly rocket-firing flying Dalek, a heavily armed autonomous helicopter gunship, and a robot tank packing guided missiles and cannon. There would also be intelligent sensor minefields, droid-mule transport systems and loads of other stuff; and all of it is supposed to be linked together by a data network. >> More..

Israel suspected of 'hacking' Syrian air defences

2007-11-12T12:55:00.000+08:00

Questions are mounting over how Israeli planes were able to sneak past Syria's defences and bomb a "strategic target" in the country in September 2007

Israeli F-15s and F-16s bombed a military construction site on 6 September. Earlier reports of the attack were confirmed this week when Israeli Army radio said Israeli planes had attacked a military target "deep inside Syria", quoting the military censor.

The motives for the strike, much less what was hit and what damage was caused, remain unclear. One theory is that a fledgling nuclear research centre, the fruits of alleged collaboration between Syria and North Korea, may have been hit. Others speculate that a store of arms shipments bound for the Lebanese militant group Hezbollah might have been targeted. A test against Syria's air defences has also being suggested in some quarters. None of these theories appear to be much better than educated guesswork.

Bombers carrying out the raid are believed to have entered Syrian airspace from the Mediterranean Sea. Unmarked fuel drop tanks were later found on Turkish soil near the Syrian border, providing evidence of a possible escape route. Witnesses said the Israeli jets were engaged by Syrian air defences in Tall al-Abyad, near the border with Turkey.

This location is deep within Turkey, prompting questions about how the fighters avoided detection until so long into their mission. Neither F-15s nor F-16s used by the Israeli air force in the raids are fitted with stealth technology. >> More..

Two charged with hacking PeopleSoft to fix grades

2007-11-12T12:51:00.000+08:00

Two Cal State-Fresno students face up to 20 years in prison and fines up to $250,000 for hacking into the school's PeopleSoft system to change their grades. >> More..

US regional bank hacked

2007-11-12T12:44:00.000+08:00

Hackers infiltrated the systems of Commerce Bank and accessed the records of 20 customers, the US regional bank said in October 2007.

The attack by persons unknown was partially thwarted - but not before a database of 3,000 records was hacked into and the data of 20 exposed. Compromised data included personal information such as names, addresses, Social Security numbers, phone numbers and, in a few cases, Commerce Bank account numbers, the Columbia Business Journal reports

Security staff shut down the attack and called in police to investigate after uncovering the breach a week ago. The FBI is investigating.

The method used in the attack is unclear, and something the bank will be keen that it stays unclear, to avoid the possibility of copycat attacks. There are many avenues of assault, of which one common tactic is to exploit web application vulnerabilities by using SQL injection attacksto access information of back-end databases. >> More ..

Online trading site was left wide open

2007-11-12T12:39:00.000+08:00

The conventional wisdom that banking organisations are more diligent with security was skewered in a presentation at the RSA conference this week.

Security consultancy Comsec outlined how they discovered that an online stock trading website they were asked to test was riddled with security holes. A rush job meant that basic security measures, such as the use of a secure login, were absent from the multimillion dollar system. >> More ..

More security education needed to avoid a cybersecurity disaster, experts warn

2007-11-12T12:33:00.000+08:00

The United States is more prepared than ever for a major cybersecurity attack, but a panel of prominent security experts warned Tuesday that more needs to be done to increase awareness about cybersecurity issues and better educate future IT pros.

"We need to provide resources for future problems," said Eugene Spafford, the executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). "Patching the latest problem isn't getting us anywhere."

Spafford joined well known security experts Howard Schmidt, president and CEO of H&L Security Consulting and security luminary Bruce Schneier at the Information Security Decisions conference in Chicago for a discussion about cyber threats in 2008 and beyond. The panelists agreed that it would likely take a major cybersecurity event before the public becomes motivated enough to demand better security.

The panelists agreed that growing backdoor Trojan horse programs and herds of bots continue to be a problem moving forward, but it's unclear if they'll by used by cybercriminals to take down the electronic infrastructure of entire nations or in isolated targeted incidents for financial gain. >> More ..

Secure Program Coding

2007-11-12T12:19:00.000+08:00

It has often be questioned as to whether software developers are doing enough and knowledgable enough to code their applications with security in mind.

This article discusses this issue.

A new certification called the GIAC Secure Software Programmer (GSSP) program, teaches programmers how to write secure code. This can be taught or incorporated in the software curriculum in institutions of higher learning so that software developers can graduate ready with secure software development in mind. >> More ..

Website for Computer Security Experts Hacked

2007-11-11T18:40:00.001+08:00

It can happen to anybody's website, including a security website..

First Forensic Forum - a UK based association of computer security professionals - has been hacked.

F3.org's website was defaced with a message poking fun at the association of computer forensic experts. The timing of the defacement on Thursday was fortuitous (or well planned) since the organisation is coming to the end of a two day conference.
document.

The perpetrator of the attack posted a message taunting the organisation. "The F3 For Security Hacked. What's Happened In The world. Thay Are No Security Or What," S4udi-S3curity-T3rror writes. >> More ..

Task Force Aims to improve US Cybersecurity

2007-11-11T18:30:00.000+08:00

A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve the United States' cybersecurity by the time the next president takes office, the Center for Strategic and International Studies (CSIS), and the task force's Congressional sponsors, announced on Tuesday.

The bipartisan Commission on Cyber Security for the 44th Presidency will be tasked with creating a plan to secure the nation's computers and critical infrastructure and presenting that plan to the next president. >> More ...

Security Companies also Vulnerable to Attacks

2007-11-03T07:39:00.000+08:00

Nobody is perfect and no company is perfect. But all try their best to protect themselves from attacks. The lesson learnt as always, is that security is an ongoing process and not a destination. And the process has to be alert to both internal measures that has to be diligently kept updated as well as to be aware of new threats and attack vectors.

The following link provides a list of security companies and organisations including CERTS whose web presence have been compromised in one way or another. There are other interesting information as well. Read on ..

Open Group Security Forum and ABA’s Cyberspace Law Committee issue whitepaper on information-centric security governance

2007-10-24T03:29:00.000+08:00

The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, today announced the general availability of a new whitepaper about information security strategy. Co-written by The Open Group Security Forum and the American Bar Association’s Cyberspace Law Committee, the whitepaper presents a strategic framework for information-centric security governance. Additionally, the paper offers a methodology for security compliance both within and beyond the perimeter of the enterprise, and recommends further standards to support information security in a boundary-less environment.

Previously, securing ownership of proprietary information security was accomplished mainly through securing a physical ‘perimeter’ via network hardware and software technologies. The new realities of information access and use, based now on distributed relationships within and between enterprises that use a mix of proprietary and non proprietary information, require securing information and infrastructure access and flows beyond the perimeter. This new paradigm requires dynamic interaction of technologists, legal advisors, and business policy makers alike. The whitepaper is available for free download here.

How To Take Down The Power Grid

2007-10-17T03:26:00.000+08:00

Ira Wrinkler, who performs espionage or terrorist simulations (or mundanely known as penetration tests) wrote:

"The first time I broke into our country’s electrical power grid was a decade or so ago. Hacking into the control systems set up by utility companies wasn’t surprising then, and it isn’t surprising now. While people find this shocking, it really isn’t. When you think about how insecure computer infrastructures are, why would you think that the power grid would be any more secure? Frankly, the power grid is even less secure than most other computer networks. I wrote about it many times, including some details in my recent book, Spies Among Us." >> More ..

(Text in bold are my emphasis.)

US National Strategy for Homeland Security - October 2007

2007-10-16T11:33:00.000+08:00

The US has released the latest document on the National Strategy for Homeland Security this month which has added emphasis on cyber security. The document can be found here.

A quote from the sidebar of that document is as follows:

"Cyber Security: A Special Consideration

Many of the Nation’s essential and emergency
services, as well as our critical infrastructure, rely
on the uninterrupted use of the Internet and the
communications systems, data, monitoring, and
control systems that comprise our cyber infra-
structure. A cyber attack could be debilitating to
our highly interdependent CI/KR and ultimately to
our economy and national security.

A variety of actors threaten the security of our
cyber infrastructure. Terrorists increasingly exploit
the Internet to communicate, proselytize, recruit,
raise funds, and conduct training and operational
planning. Hostile foreign governments have the
technical and financial resources to support
advanced network exploitation and launch attacks
on the informational and physical elements of our
cyber infrastructure. Criminal hackers threaten
our Nation’s economy and the personal informa-
tion of our citizens, and they also could pose a
threat if wittingly or unwittingly recruited by foreign
intelligence or terrorist groups. Our cyber net-
works also remain vulnerable to natural disasters.

In order to secure our cyber infrastructure against
these man-made and natural threats, our Federal,
State, and local governments, along with the pri-
vate sector, are working together to prevent dam-
age to, and the unauthorized use and exploitation
of, our cyber systems. We also are enhancing our
ability and procedures to respond in the event of
an attack or major cyber incident. The National
Strategy to Secure Cyberspace and the NIPP’s
Cross-Sector Cyber Security plan are guiding our
efforts. "

Hole Found in Protocol Handling Vital National Infrastructure

2007-10-15T17:43:00.000+08:00

Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of service or a system takeover.

The flaw, reported by Neutralbit , is the first remotely exploitable SCADA security vulnerability, according to the security services provider.

Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It's used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information. >> More ..

Those who want more technical details on the vulnerabilities can find them here.

Serious Security Breach in KLIA

2007-10-15T15:31:00.000+08:00

The New Straits Times today reported in a news article titled "Red faces over 'phantom' stowaway" that KLIA had a security breach on Thursday 11 Oct 2007 when a man managed to stow away inside the front nose wheel chamber aboard a Singapore Airlines flight from KL to Singapore. The editorial discussed the matter in a bit more detail.

What was even more interesting is that the stowaway did not turn up on any CCTV recordings in KLIA.

So what has this got to do with CIIP? Well the transportation sector is one of the Critical National Information Infrastructure. Physical security is about the most visible of all security measures that anybody can enforce and where there would usually be traceability. If an entity is not able to handle physical security well and is unable to trace back how it happened from their own records, its left to the imagination as to what can happen if cyber breaches of the KLIA systems does occur, since comparatively, cyber intrusions and breaches are harder to detect.

We are not drawing any conclusions but the incident does raise some fundamental questions about the overall security and surveillance measures in such an important infrastructure entity, be it physical security or cyber security.

Cyber Security Standards for Electric Power Systems

2007-10-12T21:36:00.000+08:00

The North American Reliability Corporation or NERC has produced standards for Cyber Security for the power systems industry. Further details can be found here but a summary is described below. The standards are part of a full set of Reliability Standards including Emergency Preparedness and Operations and the full list of standards is listed and can be downloaded here.

NERC Cyber Security

The purpose of NERC's new cyber security standards is to ensure that all entities responsible for the reliability of the bulk electric systems of North America identify and protect critical cyber assets that control or could impact the reliability of the bulk electric systems. An urgent action cyber security standard was initially adopted in August 2003 and renewed for a second year in August 2004. NERC adopted permanent cyber security standards on May 2, 2006. On June 4, 2007 compliance with approved NERC Reliability Standards becomes mandatory and enforceable in the United States.

NERC CIP-002 to CIP-009

NERC's new cyber security standard was originally called NERC 1300, but this has changed to 8 separate standards, CIP-002 to CIP-009. As summarized in the table below, these standards contain definitions, policies, reporting requirements, and issues related to personnel security, electronics (or network) security, and physical security (such as access).

New Std #	Topic
CIP-002-1	Critical Cyber Assets
CIP-003-1	Security Management Controls
CIP-004-1	Personnel and Training
CIP-005-1	Electronic Security
CIP-006-1	Physical Security
CIP-007-1	Systems Security Management
CIP-008-1	Incident Reporting and Response Planning
CIP-009-1	Recovery Plans

Number of Hackers Targeting Utilities Increases 90 Percent According to SecureWorks' Data

2007-10-12T20:43:00.000+08:00

SecureWorks, one of the industry’s leading managed security services providers protecting over 1,800 clients and 100 utilities, has seen a 90 percent increase in the number of hackers attempting to attack its utility clients this year. From January through April, SecureWorks blocked an average of 49 attackers per utility client per day. Whereas, from May through September, it saw an average of 93 hackers attempt attacks on each of its utility clients per day.

“When researching these new statistics, we found that Web Browser attacks represented a large number of the attacks attempted against our clients, including our utility customers,” said Wayne Haber, director of development at SecureWorks.

Computer users can become victims of browser attacks by visiting Web sites, which unbeknownst to them is hosting malware, or by clicking on a malicious link in an email or instant message. >>More..

How to Trace a DDOS Attack

2007-10-12T07:10:00.000+08:00

DDOS attacks can cripple an organization's website or portal.

ISPs consider DDOS attacks -- where an attacker floods network connections, Websites, or systems with packets -- one of their biggest threats. Most of these attacks are being waged by botnets -- some as large as tens of thousands of bot machines, according to a recent survey of ISPs by Arbor Networks.

Arbor found an average of 1,200 DDOS attacks each day across 38 ISP networks. On 220 of the last 365 days, there has been at least one DDOS attack of one million packets per second, says Danny McPherson, chief research officer for Arbor Networks.

What is more alarming is that despite reports that some ISPs have experienced fewer DDOS attacks overall during the last six months, there is a DDOS attack underway somewhere on the Internet. It's a matter of quality, not quantity: "When DDOSes do occur, they are done with much greater purpose than they used to be".

Read the full article here which includes the tracing indicators and steps to stop the DDOS attacks. It is not that easy though as it involves investigative work by the ISP and worldwide cooperation among ISPs.

Ooops: DC Feds Delete CA.Gov In Response to Hackers

2007-10-12T04:20:00.000+08:00

When an organisation does not have a proper response plan to incidents, a bad incident can get worse.

"Case in point: A hacker's diversion of traffic from a California county government Web site to a porn purveyor spiraled into IT chaos yesterday after a countermeasure applied from Washington essentially "deleted the ca.gov domain."

The original story can be found here.

OWASP Preps Framework for Website Security Certification

2007-10-12T01:02:00.000+08:00

The Open Web Application Security Project (OWASP) is working on a potential framework for evaluating and certifying Websites as secure, including the criteria that would entail. The project is still in progress and not quite ready for prime time, but the goal is to provide a framework for certifying the security of a site's apps, which entails much more than just the usual vulnerability scan.

"A black box scan doesn't mean a site is secure," says Dinis Cruz, OWASP's technology evangelist and project coordinator for the so-called Web Security Application Certification Framework Project.

Several commercial certifications already exist, including ScanAlert's Hacker Safe, and ControlScan, which indicate that a site has been vulnerability-scanned. And the Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is legitimate. (See Are 'Sealed' Websites Any Safer?).

But security experts say today's Good Housekeeping-style seal-of-approvals aren't enough. "The fact is that in this day and age, the VeriSign logo and the lock icon in your browser just don't cut it," says Caleb Sima, CTO of SPI Dynamics. >> More ..

Australia's Critical Infrastructure Protection

2007-10-11T15:22:00.000+08:00

Information on Australia's Critical Infrastructure Protection issues and initiatives can be found here. This of course includes Critical Information Infrastructure.

Click here to view the then Attorney-General’s press announcement on protecting the National Information Infrastructure

NIST Guide to Industrial Control Systems Security (SCADA)

2007-10-09T11:46:00.000+08:00

The second draft of the above document which deals with security for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC) has been released for public comment on 28 Sep 2007.

The draft can be downloaded here.

The document is 157 pages and information on what other organisations are doing in this area can be found in Appendix C of the document. This Appendix C provides useful information to those who are doing further research or comparative studies or implementation alternatives on SCADA security.

NIST Publications on ICT Security

2007-10-09T10:36:00.000+08:00

The USA Department of Commerce's National Institute of Standards and Technology or NIST produces various standards and guidelines documents on ICT implementation and ICT Security.

The list of documents on ICT Security can be found and downloaded here but a more general introduction page on the publications category types is here.

The list is summarized also in the following documents which should be useful as a big picture reference:
1. Guide to NIST Information Security Documents
2. Roadmap to NIST Information Security Documents.

There are hundreds of documents in the whole set and a selection of the relevant topic clusters is listed below (each topic cluster has a list of relevant documents):

Audit & Accountability
Authentication
Awareness & Training
Certification & Accreditation (C&A)
Communications & Wireless
Contingency Planning
General IT Security
Incident Response
Maintenance
Planning
Risk Assessment
Viruses & Malware

On the topic of Critical Infrastructure Protection, the documents relevant to the Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection are:

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Security Controls for Federal Information Systems
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-37 Guide for Security Certiication and Accreditation of Federal Information Systems
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59 Guideline for Identifying an Information System as a National Security System
SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security

New security standards to strengthen SCADA

2007-10-08T22:20:00.000+08:00

This 2004 Computerworld article says that "The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls. The National Institute of Standards and Technology (NIST) fostered the creation of the Process Control Security Requirements Forum in 2001. The group issued the first draft of its System Protection Profile for Industrial Control Systems (SPP ICS) in October." >More...

Knowledge is Greatest Threat to Critical Infrastructure

2007-10-07T17:03:00.000+08:00

Australia's critical infrastructure is still under threat due to a shortage of educational resources, according to researchers and security experts.

The major concern is security of Supervisory Control and Data Acquisition (SCADA) systems -- the central nervous system for sensors, alarms and switches that provide automated control and monitoring functions for utilities such as water, gas and electricity, as well as large manufacturers. More ..

ISA99 cyber security guidelines provide full user resources

2007-10-07T16:14:00.000+08:00

Manufacturers concerned about cyber security as it relates to plant equipment and factory automation systems should look at the new ‘ISA-99 Security Guidelines and User Resources for Industrial Automation and Control Systems’ CD-ROM.

There are two technical reports: ANSI/ISA-TR99.00.01-2004, ‘Security Technologies for Manufacturing and Control Systems’, and ANSI/ISA-TR99.00.02-2004, ‘Integrating Electronic Security into the Manufacturing and Control Systems Environment’.

The former provides an evaluation and assessment of current types of electronic security technologies and tools that apply to the manufacturing and control systems environment, including development, implementation, operations and maintenance.

The latter provides a framework for developing an electronic security programme and provides a recommended organisation and structure for the security plan. The information provides detailed information about the minimum elements to include.

The original article can be found here.

Hackers Step Up SCADA Attacks

2007-10-07T16:11:00.000+08:00

This 2004 article says that "A majority of cyber attacks on industrial control systems now come from the outside, reversing earlier assumptions, according to research at the British Columbia Institute of Technology."

The full article can be found here.

Control Systems, Instrumentation Systems and Automation Security

2007-10-07T15:45:00.000+08:00

A number of articles relating to Control Systems, Instrumentation Systems and Automation security can be found from the Instrumentation Systems and Automation site here.

Amongst the relavant articles are:
1. Making Cyber Security Work in the Refinery
2. Uncovering Cyber Flaws
3. SP99 Counterattacks
4. Securing the Power Grid . This article also has a good chronological chart on the 2003 power blackout in OHIO that crippled a part of the nation.
5. ISA99, Manufacturing and Control Systems Security ISA99 is a new standard for Manufacturing and Control Systems Security. The current edition covers only security technologies and their strengths/weaknesses in the manufacturing environment. Eventually this would be expanded to include traditional strengths and weaknesses of the different types of control systems (DCS, PLC, SCADA, HMI, etc). The end of the article contain a list of materials in the development of ISA99 by the ISA SP-99 Committee.

America's Hackable Backbone

2007-10-07T12:34:00.001+08:00

This article is a MUST READ article. It highlights the vulnerability of SCADA systems.

SCADA systems are used around the country to control infrastructure like water filtration and
distribution, trains and subways, natural gas and oil pipelines, and practically every kind of industrial manufacturing. And as some security professionals are pointing out, those weaknesses are increasingly connected to the Internet, leaving large parts of America's critical infrastructure exposed to anyone with moderate information technology training and a laptop.

The full article can be found here.

However those who want a pictorial rundown of the story can find it here. The pictorial story covers incidents and potential vulnerabilities of SCADA systems controlling power plants, oil and gas pipelines, transportation, dams, manufacturing, water distribution.