Forbes is running an interesting article right now about the weaknesses in many of the critical points in our country's infrastructure.
“The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant’s owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM’s Internet Security Systems, found otherwise.”
“It turned out to be one of the easiest penetration tests I’d ever done,” he says. “By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, ‘Gosh. This is a big problem.’”
It’s a dangerous combination: unpatched and outdated control software, plus a poor understanding of needed security and a splash of good old fashioned US ego(tm). The Achilles’ heel in many of these cases is the Supervisory Control and Data Acquisition software, or SCADA. With more and more of our infrastructure connected to the internet, and vendors making it difficult or impossible to patch SCADA software, key locations within our infrastructure are put at serious risk.
This article covers the problem but doesn’t go into solutions. Security is, or at least should be, a multi-layered approach. For the incident in the article it seems the nuclear power plant was incredibly vulnerable. I imagine the security put in place was far below what most of us would consider adequate for a mid to large sized company, much less a nuclear power plant. Hopefully articles like this will open more eyes to how vulnerable we really are. Whether it be a terrorist attack, Russian mafia, or just another nasty worm like Slammer, we need to start looking at ways to seal these small holes, or rather huge gaps, in security in a consistent and secure manner, especially when it comes to critical pieces of our country’s infrastructure.
Kevin Blanchard national security, research
Just a heads up to my readers. Old posts are randomly showing up on Live Journal today (via the RSS syndication feature). I don’t know if it’s on Live Journal’s side or a problem with Blogger. I am looking into it. My apologies if it causes any of you any confusion. In the next couple of days, if you see any posts that seem like they are outdated, they probably are. But if you are a new reader, then take this chance to catch up on some of my old posts from my archive making a mysterious reappearance.
Kevin Blanchard site maintenance
For many of you reading this, the Cyberspeak Podcast is a regular addition to your iPod podcast playlist. For those of you just getting into infosec, you may not have heard of these guys. From their official description, “Hosted by two former federal agents who investigated computer crime, this is a technology Podcast covering Computer Security, Computer Crime and Computer Forensics Topics.” A friend and peer of mine back home in DC turned me on to this podcast back in 2005. I have been hooked ever since. These two guys really know their stuff quite well, and present it in an easily digestible format for a wide range of listeners. Whether you are working in the infosec trenches day to day or just picked up your first CISSP book hoping to move from another area of IT, I think you will find the podcast both enjoyable and educational.
To subscribe to the CyberSpeak podcast via iTunes you can use this link, CyberSpeak Podcast.
Kevin Blanchard Cyberspeak, iTunes, podcast
Pretty much anyone who has been unemployed in the past 10 years has probably set up an account on Monster.com at one time or another. Symantec is reporting they found a new Trojan called Infostealer.Monstres. Its sole purpose seems to be using compromised employer accounts to harvest personal information from anyone who has a visible job profile on Monster. At the time of discovery by Symantec, the remote server collecting the stolen information had already collected 1.6 million entries with personal information belonging to several hundred thousand people.
I have included a link to the full article if you are interested in reading all the details. I will leave you with a great bit of knowledge from the article, whose importance I cannot emphasize enough.
“To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate.”
Full Article Link
Kevin Blanchard hackers, identity theft, Monster, trojan
I know the blog has been neglected a tad. I am still in the trenches working on security issues, but in an Operations environment now, a much different environment from the Engineering and R&D environments I had been doing my security work in during the past several years. I hope to be able to at least do weekly posts here sharing or discussing current security related issues with my readers.
Kevin Blanchard site maintenance
For those of you living under a rock, this is a reminder that the new adjusted (earlier) DST goes into effect this year; tomorrow, to be exact. In the IT industry this has felt like Y2K all over again, except far less preparation seems to have gone into patching systems for the new DST than in the months (years in some cases) put into patching and testing for Y2K. Hopefully, for anyone who reads my blog, you will not feel any headaches from the adjusted DST kicking in tomorrow. I have a bad feeling the lack of forethought by many vendors will bite them in the booty come tomorrow, though I am not mentioning any names.
Kevin Blanchard DST
For any of you running a phpBB based setup, if there is one idea I could get across to you, underlined, bolded and with 17 exclamation marks, it is: make sure you set register_globals to off.
Now that I have gotten that out of the way, Heise Security has a short article up discussing the matter in a bit more detail.
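As an added illustration (not code from this post, from Heise or from phpBB itself), here is the classic register_globals pitfall next to its hardened form, for the PHP 4/5.x era in which the setting existed; valid_login() is a hypothetical stand-in for an application's own login check:

```php
<?php
// Added example, not from the post, from Heise or from phpBB itself.
// Shows why register_globals=On matters and how to check for it.

// php.ini is where the real fix belongs (under mod_php an .htaccess
// line "php_flag register_globals off" does the same):
//   register_globals = Off      ; hardened
//   register_globals = On       ; the dangerous setting

// ---- Vulnerable pattern, as it behaves with register_globals=On ----
// PHP imports every request parameter as a global variable before the
// script runs, so a request like  /admin.php?authorized=1  pre-sets
// $authorized and the check below passes without any login.
if (isset($_POST['user']) && valid_login($_POST['user'], $_POST['pass'])) {
    $authorized = true;
}
if (!empty($authorized)) {
    // privileged functionality would run here
}

// ---- Hardened pattern -----------------------------------------------
// 1. Refuse to run while the setting is on. ini_get() returns "1"/"On"
//    when enabled and ""/"0"/"Off" when not, so normalise it to a bool.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    die('register_globals is On; turn it off in php.ini before running this application.');
}

// 2. Initialise every state variable before use and read request data
//    only through $_GET/$_POST, so injected globals cannot stand in for
//    application state even if the setting is later re-enabled.
$authorized = false;
if (isset($_POST['user'], $_POST['pass'])
        && valid_login($_POST['user'], $_POST['pass'])) {
    $authorized = true;
}

// Hypothetical stand-in for the application's real credential check;
// this is not phpBB's login code.
function valid_login($user, $pass)
{
    return false;
}
```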
Kevin Blanchard PHP, phpBB, website security
Microsoft recently released an announcement about a zero-day vulnerability affecting several versions of Microsoft Word.
“Microsoft is investigating new public reports of limited ‘zero-day’ attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker.”
The kicker is the nugget of wisdom Microsoft passes along to us while they sort it all out, “Do not open or save Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a specially crafted Word file.”
“…or that you receive unexpectedly from trusted sources”
So basically that limits me to documents I already have in my possession and Bob from down the hall giving me a solid heads up he’ll be emailing me a document later in the day *smirk*
Kevin Blanchard Microsoft, Microsoft Office, zero day
This is not entirely a security related matter in the traditional sense. Guerrilla Marketing is a less than honest form of online marketing. It involves people creating many accounts and posting to online blogs, forums, websites, etc. from each of these accounts, acting as if they are in fact different people. Many tech and non-tech people are unaware that this even exists. Sometimes it is a person or small group of people orchestrating the Guerrilla Marketing; other times, massive efforts are fueled by PR firms. It is much like when phishing[1] first hit the internet and caught many people off guard; to this day, some tech savvy people still get fooled as phishers become cleverer in their wording and targeting. Where phishing relies on a false identity to obtain information from the target, Guerrilla Marketing relies on many false identities to present information to targets, creating the illusion that it has mass appeal or is being shared with the community by a small group of “average users” who are just really excited about the new site/product/service.
I must note that not all Guerrilla Marketing is bad. From Wikipedia, Guerrilla Marketing is described as “an unconventional way of performing promotional activities on a very low budget. Such promotions are sometimes designed so that the target audience is left unaware they have been marketed to and may therefore be a form of undercover marketing (also called stealth marketing).” The basic premise of it is the same, though many internet users still dislike the fact that they are being tricked into thinking one thing and then realize they have been “marketed to”. Guerrilla Marketing in itself is not bad; how it is used and implemented determines whether it crosses any ethical lines.
This post on Penny Arcade was from earlier this year. It by no means is a new concept. I was reminded of it while having a discussion about digg.com[2] and looking over some scary posting trends on digg. Anyway, if the concept is new to you, it’s an interesting (short) read.
http://www.penny-arcade.com/news/show/21589
Footnotes:
1. Phishing – In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an electronic communication. Phishing is typically carried out using email or an instant message, although phone contact has been used as well.
2. Digg.com – (From Digg’s site) Digg is a user driven social content website. Ok, so what the heck does that mean? Well, everything on digg is submitted by the digg user community (that would be you). After you submit content, other digg users read your submission and digg what they like best. If your story rocks and receives enough diggs, it is promoted to the front page for the millions of digg visitors to see.
Kevin Blanchard Guerrilla Marketing
Pedro Bueno over at SANS ISC had some great advice to share. Something I have been preaching myself for quite a while.
During one of those past weekends I was installing and configuring some honeypots. I decided to try different Operating Systems to see which one would fit better for my needs.
As I already had a perfect NAT for one IP, nothing more natural than to put the IP address on the OS during installation, right? Yep, WRONG! The reason is that if you install an internet facing OS (like my NAT was providing me), maybe there will not be enough time to apply the patches (even offline patches, from CDs or pen drives).
So, my Tip of the Day is, for whatever OS you are installing, if you can’t physically unplug the network, choose not to configure the NICs during installation. In this way, you will have enough time to check which services will be running on your machine, and turn them off before someone exploits your unpatched OS, because if you are installing a fresh OS, chances are that some applications/services are already outdated and you may be a victim of some bot of the day…
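A post-install audit in the spirit of the tip above, as an added example (not from Pedro Bueno's diary or from this post): it assumes `ss -ltnup`-style output and an allowlist of just port 22, and flags every other listener so it can be stopped before the NIC is configured. The sample output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of Pedro Bueno's post or the SANS ISC diary.
# Post-install audit: on a freshly installed box whose NIC is still
# unconfigured, list the listening sockets and flag any service not on
# an explicit allowlist, so it can be stopped before going online.

# Ports that are expected to listen (assumption: sshd only).
ALLOWED_PORTS="22"

# audit_listeners TEXT
#   TEXT is output in the shape of `ss -ltnup` (header line, then
#   "Netid State Recv-Q Send-Q LocalAddr:Port PeerAddr:Port Process").
#   Prints "port process" for every listener not on the allowlist.
audit_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 {
            port = $5; sub(/.*:/, "", port)       # keep text after the last colon
            proc = "unknown"
            if (match($0, /"[^"]+"/))            # first quoted name is the process
                proc = substr($0, RSTART + 1, RLENGTH - 2)
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port, proc }
        }'
}

# Constructed sample in the shape of `ss -ltnup` (not from a real host).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*      users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128    0.0.0.0:111       0.0.0.0:*      users:(("rpcbind",pid=401,fd=4))
udp   UNCONN 0      0      0.0.0.0:631       0.0.0.0:*      users:(("cupsd",pid=780,fd=7))'

# Anything printed here is a service to stop (or justify) before plugging in.
audit_listeners "$SAMPLE"
```

On a live system feed it real output with `audit_listeners "$(ss -ltnup)"`; how you then stop a flagged service is distribution specific (init scripts, chkconfig, systemctl).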
Kevin Blanchard system security