Friday, December 28, 2007

Insecurities in Healthcare Applications

Healthcare applications can be exploited with disastrous consequences if not adequately secured.

Healthcare apps keep sensitive medical records of patients. Though different types of healthcare applications are exposed to different sets of threats, there’s a pattern to threats they face.
This article discusses some of the exposures that healthcare applications face. >> More ....

Top Ten Information Security Risks of 2008

This list, which in fact covers Threats, Vulnerabilities, Impacts, Risks and Controls, was assembled by the CISSP Forum and the ISO 27K Implementers' Forum. The list of course includes threats and risks to Critical Information Infrastructure.

For those who are still confused about the definitions of, and differences between, Threat, Vulnerability, Impact, Risk and Control, this article lists and discusses brief definitions, and the actual lists illustrate the definitions further.

This is a must read for all involved in security. >> More...

Monday, December 3, 2007

Catch me if you can star offers IT security advice

Frank Abagnale started off on the wrong side of the law, using deceit and forgery to earn large amounts of money, but was later caught. This was in the 60s when he was a teenager. His forgery talents did not go unnoticed and he was offered a job with the FBI in lieu of the rest of his jail sentence. His job is ... of course ... to pin down forgery crimes.

His adventures were told in a book and a subsequent movie called "Catch me if you can".

This article is an interview with him where amongst other things he explained that:
1. It is way easier to commit forgery today than 40 years ago
2. We can have all the sophisticated security systems but the weakest link is still the human link.
3. Some laws passed recently are plain stupid.
4. Ethics must be reintroduced in education and must be a part of corporate culture.
5. We must be thinking out of the box when addressing security.
6. Simple solutions should be preferred over sophisticated ones.

While the above points appear obvious, it is certainly refreshing to hear them from a person who has been on both sides of the law. His thoughts and views are key pointers for any entity managing critical infrastructures that wants to learn a lesson or two from the perspective of security.

Top 5 Worst IT Security Mishaps of 2007

Even though 2007 is not over, there are more than sufficient contenders for the top 5 position of the worst IT Security Mishaps of 2007. Though most of the mishaps relate to substantial data leakage, the examples are enough to raise alarm and concern about security breaches in the most trivial of circumstances. >> More ..

World on Brink of Cyber Cold War

A "cyber cold war" waged over the world's computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday.

About 120 countries are developing ways to use the internet as a weapon to target financial markets, government computer systems and utilities, internet security company McAfee said in an annual report. >> More ..

In yet another article, titled "US warned of 'aggressive' Chinese cyberspying", it was mentioned that Chinese espionage poses "the single greatest risk" to US technology, a congressional advisory panel said on Thursday. The panel also called for efforts to protect industrial secrets and computer networks. >> More ..

Tuesday, November 20, 2007

Did NSA Put a Secret Backdoor in New Encryption Standard?

In a recent article, Bruce Schneier, a renowned expert on cryptology and security, highlighted that a new random-number standard (for encryption) includes an algorithm that is slow, badly designed and just might contain a backdoor for the US National Security Agency.

The standard is found in NIST Special Publication 800-90.

The article may be quite technical but is enough to raise concerns that backdoors may exist in a purportedly secure software component.

This leads to the conclusion, and the emphasis, that it is imperative for nations to have their own indigenous technologies in key security areas in order to minimise exposure to shortcomings or backdoors that leave the system vulnerable to attacks or intrusions. >> More ..

Monday, November 19, 2007

2006 OS Vulnerability Summary

This report analyses and discusses OS vulnerabilities. >> More..

Wednesday, November 14, 2007

Make No Assumptions. Security Begins With the Basics. YOU

There have been previous news reports about vendors releasing software with viruses, security vendor sites being compromised and similar incidents.

The mishaps continue ...

In a recent news article in Network World Asia titled "Seagate ships virus-laden hard drives", it was reported that:


"If you bought one of Seagate's Maxtor Basics consumer hard drives recently, check it for viruses. Especially if you're a gamer.

Seagate is warning that a "small number" of its Maxtor Basics Personal Storage 3200 hard drives recently shipped with the Virus.Win32.AutoRun.ah virus, malicious software that "searches for passwords for online games and sends them to a server located in China," according to a note posted on the Seagate Web site. Only drives purchased since August 2007 are affected, Seagate said." >> More ..

This time it is players of gaming software who are the targets. Next time it could be anything else, such as bank accounts or access to corporate sites ... the possibilities are broad.

In yet another article in Network World Asia titled "Indian news site dispensing malware", it was mentioned that:

"The Web site of IndiaTimes, the online news site of the Times Group, one of India's large news and entertainment groups, exposed visitors to malware, according to an advisory Friday by ScanSafe Inc.

ScanSafe first detected and blocked malware on the site on October 25. ScanSafe is still investigating the reach of this attack, but given the popularity of the site and the amount of malware involved, the company is urging caution, it said in its advisory Friday. Only certain pages of the Indiatimes.com are infected, the advisory added." >> More ..

The news items above carry the message that users should not make any assumptions about any hardware or software they acquire or install, or about any website they access, as malware can be embedded just about anywhere, including in the most unlikely of places.

Hence defence against the consequences of such incidents requires users to be sufficiently aware, educated and acculturated about good computing practices including:

1. Having good anti-malware protection that is installed and running
2. Accessing credible sites only and avoiding strange or unusual sites
3. Ensuring that any devices plugged in, especially USB devices, are scanned for viruses before use.
4. Reminding peers about good computing practices.

A good defence for both personal and organisational or corporate use begins with YOU.
It may be that through your simple negligence, the whole corporate network that you are using and critical systems can be affected.

Monday, November 12, 2007

Pentagon: Our new robot army will be controlled by malware

This article emphasises the importance of developing indigenous technologies rather than outsourcing the critical elements.

A US defence department advisory board has warned of the danger that American war robots scheduled for delivery within a decade might be riddled with malicious code. The kill machines will use software largely written overseas, and it is feared that sinister forces might meddle with it in production, thus gaining control of the future mechanoid military.

The most eye-catching of the equipment mentioned is the lineup of the US Army's Future Combat Systems (FCS) programme. FCS was originally supposed to include a wide range of deadly unmanned systems, including a small, possibly rocket-firing flying Dalek, a heavily armed autonomous helicopter gunship, and a robot tank packing guided missiles and cannon. There would also be intelligent sensor minefields, droid-mule transport systems and loads of other stuff; and all of it is supposed to be linked together by a data network. >> More..

Israel suspected of 'hacking' Syrian air defences

Questions are mounting over how Israeli planes were able to sneak past Syria's defences and bomb a "strategic target" in the country in September 2007.

Israeli F-15s and F-16s bombed a military construction site on 6 September. Earlier reports of the attack were confirmed this week when Israeli Army radio said Israeli planes had attacked a military target "deep inside Syria", quoting the military censor.

The motives for the strike, much less what was hit and what damage was caused, remain unclear. One theory is that a fledgling nuclear research centre, the fruits of alleged collaboration between Syria and North Korea, may have been hit. Others speculate that a store of arms shipments bound for the Lebanese militant group Hezbollah might have been targeted. A test against Syria's air defences has also been suggested in some quarters. None of these theories appear to be much better than educated guesswork.

Bombers carrying out the raid are believed to have entered Syrian airspace from the Mediterranean Sea. Unmarked fuel drop tanks were later found on Turkish soil near the Syrian border, providing evidence of a possible escape route. Witnesses said the Israeli jets were engaged by Syrian air defences in Tall al-Abyad, near the border with Turkey.

This location is deep within Turkey, prompting questions about how the fighters avoided detection until so long into their mission. Neither F-15s nor F-16s used by the Israeli air force in the raids are fitted with stealth technology. >> More..

Two charged with hacking PeopleSoft to fix grades

Two Cal State-Fresno students face up to 20 years in prison and fines up to $250,000 for hacking into the school's PeopleSoft system to change their grades. >> More..

US regional bank hacked

Hackers infiltrated the systems of Commerce Bank and accessed the records of 20 customers, the US regional bank said in October 2007.

The attack by persons unknown was partially thwarted - but not before a database of 3,000 records was hacked into and the data of 20 exposed. Compromised data included personal information such as names, addresses, Social Security numbers, phone numbers and, in a few cases, Commerce Bank account numbers, the Columbia Business Journal reports.

Security staff shut down the attack and called in police to investigate after uncovering the breach a week ago. The FBI is investigating.

The method used in the attack is unclear, and something the bank will be keen that it stays unclear, to avoid the possibility of copycat attacks. There are many avenues of assault, of which one common tactic is to exploit web application vulnerabilities by using SQL injection attacks to access information of back-end databases. >> More ..

Online trading site was left wide open

The conventional wisdom that banking organisations are more diligent with security was skewered in a presentation at the RSA conference this week.

Security consultancy Comsec outlined how they discovered that an online stock trading website they were asked to test was riddled with security holes. A rush job meant that basic security measures, such as the use of a secure login, were absent from the multimillion dollar system. >> More ..

More security education needed to avoid a cybersecurity disaster, experts warn

The United States is more prepared than ever for a major cybersecurity attack, but a panel of prominent security experts warned Tuesday that more needs to be done to increase awareness about cybersecurity issues and better educate future IT pros.

"We need to provide resources for future problems," said Eugene Spafford, the executive director of Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS). "Patching the latest problem isn't getting us anywhere."

Spafford joined well known security experts Howard Schmidt, president and CEO of H&L Security Consulting and security luminary Bruce Schneier at the Information Security Decisions conference in Chicago for a discussion about cyber threats in 2008 and beyond. The panelists agreed that it would likely take a major cybersecurity event before the public becomes motivated enough to demand better security.

The panelists agreed that growing backdoor Trojan horse programs and herds of bots continue to be a problem moving forward, but it's unclear if they'll be used by cybercriminals to take down the electronic infrastructure of entire nations or in isolated targeted incidents for financial gain. >> More ..

Secure Program Coding

It has often been questioned whether software developers are doing enough, and are knowledgeable enough, to code their applications with security in mind.

This article discusses this issue.

A new certification, the GIAC Secure Software Programmer (GSSP) program, teaches programmers how to write secure code. This can be taught or incorporated in the software curriculum in institutions of higher learning so that software developers can graduate ready with secure software development in mind. >> More ..

Sunday, November 11, 2007

Website for Computer Security Experts Hacked

It can happen to anybody's website, including a security website.

First Forensic Forum - a UK based association of computer security professionals - has been hacked.

F3.org's website was defaced with a message poking fun at the association of computer forensic experts. The timing of the defacement on Thursday was fortuitous (or well planned) since the organisation is coming to the end of a two day conference.

The perpetrator of the attack posted a message taunting the organisation. "The F3 For Security Hacked. What's Happened In The world. Thay Are No Security Or What," S4udi-S3curity-T3rror writes. >> More ..

Task Force Aims to improve US Cybersecurity

A blue-ribbon panel of three dozen security experts hopes to craft a strategy to improve the United States' cybersecurity by the time the next president takes office, the Center for Strategic and International Studies (CSIS), and the task force's Congressional sponsors, announced on Tuesday.

The bipartisan Commission on Cyber Security for the 44th Presidency will be tasked with creating a plan to secure the nation's computers and critical infrastructure and presenting that plan to the next president. >> More ...

Saturday, November 3, 2007

Security Companies also Vulnerable to Attacks

Nobody is perfect and no company is perfect. But all try their best to protect themselves from attacks. The lesson learnt, as always, is that security is an ongoing process and not a destination. And the process has to attend both to internal measures, which have to be diligently kept updated, and to awareness of new threats and attack vectors.

The following link provides a list of security companies and organisations, including CERTs, whose web presence has been compromised in one way or another. There is other interesting information as well. Read on ..

Wednesday, October 24, 2007

Open Group Security Forum and ABA’s Cyberspace Law Committee issue whitepaper on information-centric security governance

The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, today announced the general availability of a new whitepaper about information security strategy. Co-written by The Open Group Security Forum and the American Bar Association’s Cyberspace Law Committee, the whitepaper presents a strategic framework for information-centric security governance. Additionally, the paper offers a methodology for security compliance both within and beyond the perimeter of the enterprise, and recommends further standards to support information security in a boundary-less environment.

Previously, securing ownership of proprietary information security was accomplished mainly through securing a physical ‘perimeter’ via network hardware and software technologies. The new realities of information access and use, based now on distributed relationships within and between enterprises that use a mix of proprietary and non proprietary information, require securing information and infrastructure access and flows beyond the perimeter. This new paradigm requires dynamic interaction of technologists, legal advisors, and business policy makers alike. The whitepaper is available for free download here.

Wednesday, October 17, 2007

How To Take Down The Power Grid

Ira Winkler, who performs espionage or terrorist simulations (more mundanely known as penetration tests), wrote:

"The first time I broke into our country’s electrical power grid was a decade or so ago. Hacking into the control systems set up by utility companies wasn’t surprising then, and it isn’t surprising now. While people find this shocking, it really isn’t. When you think about how insecure computer infrastructures are, why would you think that the power grid would be any more secure? Frankly, the power grid is even less secure than most other computer networks. I wrote about it many times, including some details in my recent book, Spies Among Us." >> More ..

(Text in bold is my emphasis.)

Tuesday, October 16, 2007

US National Strategy for Homeland Security - October 2007

The US has released the latest document on the National Strategy for Homeland Security this month which has added emphasis on cyber security. The document can be found here.

A quote from the sidebar of that document is as follows:

"Cyber Security: A Special Consideration

Many of the Nation’s essential and emergency services, as well as our critical infrastructure, rely on the uninterrupted use of the Internet and the communications systems, data, monitoring, and control systems that comprise our cyber infrastructure. A cyber attack could be debilitating to our highly interdependent CI/KR and ultimately to our economy and national security.

A variety of actors threaten the security of our cyber infrastructure. Terrorists increasingly exploit the Internet to communicate, proselytize, recruit, raise funds, and conduct training and operational planning. Hostile foreign governments have the technical and financial resources to support advanced network exploitation and launch attacks on the informational and physical elements of our cyber infrastructure. Criminal hackers threaten our Nation’s economy and the personal information of our citizens, and they also could pose a threat if wittingly or unwittingly recruited by foreign intelligence or terrorist groups. Our cyber networks also remain vulnerable to natural disasters.

In order to secure our cyber infrastructure against these man-made and natural threats, our Federal, State, and local governments, along with the private sector, are working together to prevent damage to, and the unauthorized use and exploitation of, our cyber systems. We also are enhancing our ability and procedures to respond in the event of an attack or major cyber incident. The National Strategy to Secure Cyberspace and the NIPP’s Cross-Sector Cyber Security plan are guiding our efforts."

Monday, October 15, 2007

Hole Found in Protocol Handling Vital National Infrastructure

Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of service or a system takeover.

The flaw, reported by Neutralbit, is the first remotely exploitable SCADA security vulnerability, according to the security services provider.

Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It's used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information. >> More ..

Those who want more technical details on the vulnerabilities can find them here.

Serious Security Breach in KLIA

The New Straits Times today reported in a news article titled "Red faces over 'phantom' stowaway" that KLIA had a security breach on Thursday 11 Oct 2007 when a man managed to stow away inside the front nose wheel chamber aboard a Singapore Airlines flight from KL to Singapore. The editorial discussed the matter in a bit more detail.

What was even more interesting is that the stowaway did not turn up on any CCTV recordings in KLIA.

So what has this got to do with CIIP? Well, the transportation sector is one of the Critical National Information Infrastructure sectors. Physical security is about the most visible of all security measures that anybody can enforce, and one where there would usually be traceability. If an entity is not able to handle physical security well and is unable to trace back how it happened from its own records, it's left to the imagination as to what can happen if cyber breaches of the KLIA systems do occur, since, comparatively, cyber intrusions and breaches are harder to detect.

We are not drawing any conclusions but the incident does raise some fundamental questions about the overall security and surveillance measures in such an important infrastructure entity, be it physical security or cyber security.

Friday, October 12, 2007

Cyber Security Standards for Electric Power Systems

The North American Reliability Corporation or NERC has produced standards for Cyber Security for the power systems industry. Further details can be found here but a summary is described below. The standards are part of a full set of Reliability Standards including Emergency Preparedness and Operations and the full list of standards is listed and can be downloaded here.


NERC Cyber Security


The purpose of NERC's new cyber security standards is to ensure that all entities responsible for the reliability of the bulk electric systems of North America identify and protect critical cyber assets that control or could impact the reliability of the bulk electric systems. An urgent action cyber security standard was initially adopted in August 2003 and renewed for a second year in August 2004. NERC adopted permanent cyber security standards on May 2, 2006. On June 4, 2007 compliance with approved NERC Reliability Standards becomes mandatory and enforceable in the United States.


NERC CIP-002 to CIP-009

NERC's new cyber security standard was originally called NERC 1300, but this has changed to 8 separate standards, CIP-002 to CIP-009. As summarized in the table below, these standards contain definitions, policies, reporting requirements, and issues related to personnel security, electronics (or network) security, and physical security (such as access).

| New Std # | Topic |
|-----------|-------|
| CIP-002-1 | Critical Cyber Assets |
| CIP-003-1 | Security Management Controls |
| CIP-004-1 | Personnel and Training |
| CIP-005-1 | Electronic Security |
| CIP-006-1 | Physical Security |
| CIP-007-1 | Systems Security Management |
| CIP-008-1 | Incident Reporting and Response Planning |
| CIP-009-1 | Recovery Plans |


Number of Hackers Targeting Utilities Increases 90 Percent According to SecureWorks' Data

SecureWorks, one of the industry’s leading managed security services providers protecting over 1,800 clients and 100 utilities, has seen a 90 percent increase in the number of hackers attempting to attack its utility clients this year. From January through April, SecureWorks blocked an average of 49 attackers per utility client per day. Whereas, from May through September, it saw an average of 93 hackers attempt attacks on each of its utility clients per day.

“When researching these new statistics, we found that Web Browser attacks represented a large number of the attacks attempted against our clients, including our utility customers,” said Wayne Haber, director of development at SecureWorks.

Computer users can become victims of browser attacks by visiting Web sites which, unbeknownst to them, are hosting malware, or by clicking on a malicious link in an email or instant message. >>More..

How to Trace a DDOS Attack

DDOS attacks can cripple an organization's website or portal.

ISPs consider DDOS attacks -- where an attacker floods network connections, Websites, or systems with packets -- one of their biggest threats. Most of these attacks are being waged by botnets -- some as large as tens of thousands of bot machines, according to a recent survey of ISPs by Arbor Networks.

Arbor found an average of 1,200 DDOS attacks each day across 38 ISP networks. On 220 of the last 365 days, there has been at least one DDOS attack of one million packets per second, says Danny McPherson, chief research officer for Arbor Networks.

What is more alarming is that despite reports that some ISPs have experienced fewer DDOS attacks overall during the last six months, there is a DDOS attack underway somewhere on the Internet. It's a matter of quality, not quantity: "When DDOSes do occur, they are done with much greater purpose than they used to be".

Read the full article here which includes the tracing indicators and steps to stop the DDOS attacks. It is not that easy though as it involves investigative work by the ISP and worldwide cooperation among ISPs.

Ooops: DC Feds Delete CA.Gov In Response to Hackers

When an organisation does not have a proper response plan to incidents, a bad incident can get worse.

"Case in point: A hacker's diversion of traffic from a California county government Web site to a porn purveyor spiraled into IT chaos yesterday after a countermeasure applied from Washington essentially 'deleted the ca.gov domain.'"

The original story can be found here.

OWASP Preps Framework for Website Security Certification

The Open Web Application Security Project (OWASP) is working on a potential framework for evaluating and certifying Websites as secure, including the criteria that would entail. The project is still in progress and not quite ready for prime time, but the goal is to provide a framework for certifying the security of a site's apps, which entails much more than just the usual vulnerability scan.


"A black box scan doesn't mean a site is secure," says Dinis Cruz, OWASP's technology evangelist and project coordinator for the so-called Web Security Application Certification Framework Project.


Several commercial certifications already exist, including ScanAlert's Hacker Safe, and ControlScan, which indicate that a site has been vulnerability-scanned. And the Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is legitimate. (See Are 'Sealed' Websites Any Safer?).


But security experts say today's Good Housekeeping-style seal-of-approvals aren't enough. "The fact is that in this day and age, the VeriSign logo and the lock icon in your browser just don't cut it," says Caleb Sima, CTO of SPI Dynamics. >> More ..

Thursday, October 11, 2007

Australia's Critical Infrastructure Protection

Information on Australia's Critical Infrastructure Protection issues and initiatives can be found here. This of course includes Critical Information Infrastructure.

Click here to view the then Attorney-General’s press announcement on protecting the National Information Infrastructure.

Tuesday, October 9, 2007

NIST Guide to Industrial Control Systems Security (SCADA)

The second draft of the above document, which deals with security for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC), was released for public comment on 28 Sep 2007.

The draft can be downloaded here.

The document is 157 pages and information on what other organisations are doing in this area can be found in Appendix C of the document. This Appendix C provides useful information to those who are doing further research or comparative studies or implementation alternatives on SCADA security.

NIST Publications on ICT Security

The USA Department of Commerce's National Institute of Standards and Technology or NIST produces various standards and guidelines documents on ICT implementation and ICT Security.

The list of documents on ICT Security can be found and downloaded here but a more general introduction page on the publications category types is here.

The list is summarized also in the following documents which should be useful as a big picture reference:
1. Guide to NIST Information Security Documents
2. Roadmap to NIST Information Security Documents.

There are hundreds of documents in the whole set and a selection of the relevant topic clusters is listed below (each topic cluster has a list of relevant documents):

Audit & Accountability
Authentication
Awareness & Training
Certification & Accreditation (C&A)
Communications & Wireless
Contingency Planning
General IT Security
Incident Response
Maintenance
Planning
Risk Assessment
Viruses & Malware

On the topic of Critical Infrastructure Protection, the documents relevant to the Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection are:

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Security Controls for Federal Information Systems
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-37 Guide for Security Certification and Accreditation of Federal Information Systems
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59 Guideline for Identifying an Information System as a National Security System
SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security

Monday, October 8, 2007

New security standards to strengthen SCADA

This 2004 Computerworld article says that "The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls. The National Institute of Standards and Technology (NIST) fostered the creation of the Process Control Security Requirements Forum in 2001. The group issued the first draft of its System Protection Profile for Industrial Control Systems (SPP ICS) in October." >More...

Sunday, October 7, 2007

Knowledge is Greatest Threat to Critical Infrastructure

Australia's critical infrastructure is still under threat due to a shortage of educational resources, according to researchers and security experts.

The major concern is security of Supervisory Control and Data Acquisition (SCADA) systems -- the central nervous system for sensors, alarms and switches that provide automated control and monitoring functions for utilities such as water, gas and electricity, as well as large manufacturers. More ..

ISA99 cyber security guidelines provide full user resources

Manufacturers concerned about cyber security as it relates to plant equipment and factory automation systems should look at the new ‘ISA-99 Security Guidelines and User Resources for Industrial Automation and Control Systems’ CD-ROM.

There are two technical reports: ANSI/ISA-TR99.00.01-2004, ‘Security Technologies for Manufacturing and Control Systems’, and ANSI/ISA-TR99.00.02-2004, ‘Integrating Electronic Security into the Manufacturing and Control Systems Environment’.

The former provides an evaluation and assessment of current types of electronic security technologies and tools that apply to the manufacturing and control systems environment, including development, implementation, operations and maintenance.

The latter provides a framework for developing an electronic security programme and a recommended organisation and structure for the security plan. It gives detailed information about the minimum elements to include.

The original article can be found here.

Hackers Step Up SCADA Attacks

This 2004 article says that "A majority of cyber attacks on industrial control systems now come from the outside, reversing earlier assumptions, according to research at the British Columbia Institute of Technology."

The full article can be found here.

Control Systems, Instrumentation Systems and Automation Security

A number of articles relating to Control Systems, Instrumentation Systems and Automation security can be found on the Instrumentation Systems and Automation site here.

Amongst the relevant articles are:
1. Making Cyber Security Work in the Refinery
2. Uncovering Cyber Flaws
3. SP99 Counterattacks
4. Securing the Power Grid. This article also has a good chronological chart on the 2003 power blackout in Ohio that crippled a part of the nation.
5. ISA99, Manufacturing and Control Systems Security. ISA99 is a new standard for Manufacturing and Control Systems Security. The current edition covers only security technologies and their strengths/weaknesses in the manufacturing environment. Eventually this would be expanded to include traditional strengths and weaknesses of the different types of control systems (DCS, PLC, SCADA, HMI, etc). The end of the article contains a list of materials in the development of ISA99 by the ISA SP-99 Committee.

America's Hackable Backbone

This article is a MUST READ. It highlights the vulnerability of SCADA systems.

SCADA systems are used around the country to control infrastructure like water filtration and distribution, trains and subways, natural gas and oil pipelines, and practically every kind of industrial manufacturing. And as some security professionals are pointing out, those weaknesses are increasingly connected to the Internet, leaving large parts of America's critical infrastructure exposed to anyone with moderate information technology training and a laptop.

The full article can be found here.

However, those who want a pictorial rundown of the story can find it here. The pictorial story covers incidents and potential vulnerabilities of SCADA systems controlling power plants, oil and gas pipelines, transportation, dams, manufacturing and water distribution.

Bank of India site hacked, serves up 22 exploits

The Bank of India Web site was hacked sometime Wednesday night (U.S. time) and seeded with a wide, wild array of malware that infected any users running unpatched browsers, security researchers said Friday.

See this link for the full news.

France Joins Chinese Hacking Row

France has become the fourth country to speak out against hackers in China following an attack on French government systems. More..

US blames China for Pentagon Hack

American officials are claiming that the Chinese military successfully hacked computers inside the Pentagon in June.

The Pentagon has told the Financial Times that it had to shut down computers used by Robert Gates, the current defence secretary and ex-head of the CIA, after hackers managed to crack the systems.

The officials said that they had a "very high level of confidence .... trending towards total certainty" that the attacks came from the People's Liberation Army [PLA]. More ..

Hackers Build Black Economy as They Go Professional

A sophisticated underground economy, where hacking toolkits are on sale for as little as $1,000, has emerged to support computer crime gangs, a new report says.

See here for the full article.

Malicious Code Affects Chinese Security Site

Even security organizations are not spared from cyber attacks!!

The Web site of one of China's Internet security organizations has been laced with malicious code.

At least three pages on the Chinese Internet Security Response Team's (CISRT) Web site are rigged with a malicious "iframe," a hidden window on a Web page that can allow code such as JavaScript to run on a visitor's PC.

See here for the full news.

Water Utility Computer System Susceptible to Cyber Attack

In a 2005 article, it was reported that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists.

See here for the full article.

US Video Shows Hacker Hit on Power Grid

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

See here for the full story.

Cyber Attack Cripples Estonia

In April 2007, Estonia experienced a cyber attack that crippled the nation. As reported in a BBC article:

"Estonia, one of the most internet-savvy states in the European Union, has been under sustained attack from hackers since the ethnic Russian riots sparked in late April by its removal of a Soviet war memorial from Tallinn city centre.

Websites of the tiny Baltic state's government, political parties, media and business community have had to shut down temporarily after being hit by denial-of-service attacks, which swamp them with external requests."


See here for the full article.

Many news reports, views and commentary on the incident can be found via a Google search with the suggested keywords "Estonia cyber attack".