Saturday, April 11, 2009

Quote of The Day: Robert Graham

"There's no coordinated conspiracy here, but there are a lot of government officials who stand to gain by this attempt at drastically increasing government control over the Internet."

- Robert Graham, CEO of Errata Security, regarding the numerous assertions that the U.S. electrical grid has been penetrated by foreign "spies".

Thursday, April 09, 2009

Quote of The Day: Michael Tanji

"Red-necks with a backhoes, or a jerk with an ax, have done more damage to the nation's information infrastructure than the MSS or FSB ever has."

- Michael Tanji

UK: Police e-Crime Unit Teams With Banks For First Arrest

Leo King writes on Computerworld UK:

Nine suspects in a banking Trojan case have been arrested by specialist cybercops from the UK's newly formed £7.4 million Police Central E-crime Unit (PCeU).

The PCeU teamed with a special taskforce set up with a number of banks to make its first arrest.

The sting took place yesterday in south east London, using 50 police officers who targeted a range of addresses.

The five men and four women arrested are suspected of computer misuse, money laundering and conspiracy to defraud. They used a Trojan virus to access bank accounts, and sent out the virus from servers in different European locations, it is alleged. All were under 30 years old, and the youngest suspect was 18.

Two of the group have been charged this morning. Azim Rahmanov, 23, and Azamat Rhamanov, 25, both nationals of Uzbekistan living in the same address in Deptford, have been charged with conspiracy to defraud, possession of articles for use in fraud, and money laundering.

More here.

Hannaford Data Breach Case Ruling Coming

Linda McGlasson writes on

A U.S. District Court judge will decide in the next few days whether the Hannaford Bros. data breach class action suit will go to trial.

Judge D. Brock Hornby heard final arguments on April 1 in the U.S. District Court, Portland, ME on the class action suit brought against the supermarket chain that had a data breach exposing more than 4 million credit and debit cards last March.

Hornby's pending ruling will decide if parts or all of the case will go to trial. Hannaford's attorneys asked the judge to dismiss the lawsuit, filed days after the breach was made public on March 17, 2008. Plaintiffs' attorneys requested Hornby certify the case as a class-action suit and go to trial.

The class action lawsuit poses questions as to the level of merchant responsibility to secure electronic data that is processed with every credit or debit card purchase. It also asks what should the consequences be when the data is taken by hackers.

More here.

Fiber Cuts Slash Silicon Valley's Internet Arteries

Stephen Lawson writes on PC World:

Cuts in fiber-optic lines early Thursday at two locations near Silicon Valley shut down two IBM facilities and affected an organization in charge of Internet domain names.

The cuts, in San Carlos and San Jose, California, also disrupted wired and wireless telecommunications services for thousands of users in the region. AT&T, which owns the main affected fibers, expected service to be restored by Thursday evening. Police suspect vandals did the damage, which would have involved removing manhole covers and using cutting tools to sever thick cables that each contain many strands of fiber. AT&T, Verizon and Sprint Nextel users were affected.

The main cut took place in the southern part of San Jose, just a few miles from the IBM Silicon Valley Lab, a research center for cloud computing and other technologies. That lab was effectively shut down by the outage, as was an IBM manufacturing facility on Hellyer Avenue, near the site of the cut. Apart from small maintenance crews, employees were told to work from home, IBM spokeswoman Jenny Hunter said. Though IBM demonstrates some of its cloud systems at the Silicon Valley Lab, it doesn't host public cloud services there.

In addition, at least one server was affected at the Internet Assigned Numbers Authority (IANA), which translates between domain names and Internet addresses. The outage cut off one of IANA's public test systems for DNSSEC (Domain Name System Security Extensions), an emerging protocol designed for more secure domain-name lookup, according to an official notice on a DNSSEC mailing list.

More here.

Job Cuts Leaving IT Systems Open to Attack

Matt Hines writes on the eWeek "Security Watch" Blog:

A security team's biggest fear is an attack carried out by a knowledgeable insider, and with the economy driving job cuts within many organizations, those worries are being realized in the form of discharged workers who retain access to their former employers' IT systems, according to a new survey.

With jobs walking out the door, along with larger numbers of remote workers, many organizations have yet to account for tightening their defenses to address the ongoing trends, claims the report, published by security and password management specialists Cloakware.

Based on a survey of over 12,500 U.S. IT security workers, the report claims that among those organizations represented in the research, a minimum of 1,312,500 laid-off or fired employees retain access to company systems in total.

Overall, the report contends that roughly 14 percent of all recently discharged workers still have access to proprietary data and organizational information, "revealing critical deficiencies of corporate security policies," Cloakware said. At least 21 percent of respondents admitted that they hadn't changed employees' passwords after they were terminated.

In other efforts to save money by moving more staffers out of the office, while some 90 percent of companies that responded said they employ remote workers and 41 percent said they have increased their use of the model over the last year, most of the organizations said that they hadn't altered their authentication policies to account for the shift.

More here.

Digital Pearl Harbor, Cyber 9/11, and E-Qaeda

Brian Krebs writes on Security Fix:

I mention this because at any one time, computers at dozens of power companies throughout the United States are compromised by bot programs. And this has been so for years. In 2007, I wrote about penny-stock spam being blasted out of computers at American Electric Power that was confirmed to be the result of a bot infection there.

If you simply examine the list of Internet addresses flagged by anti-spam groups as blastiing junk e-mail, you can find dozens of systems that currently are or very recently were infected with bots and backdoors.

To illustrate this concept, I took a few minutes to peruse the Composite Block List as published by (the CBL lists Internet addresses that appear to be acting as open relays for other Internet traffic, or infected with a spam Trojan or some other security compromise).

All I did was sort the CBL list by U.S.-based Internet addresses, and then have a look through them for those assigned to American power companies. One caveat: It is not possible just from looking at this list to say how many -- if any -- of these backdoored systems have access to critical power control networks. Still, this is just from one public source. What's more, these are mostly opportunistic infections, caused by attacks that are random in nature. Now, just imagine the access that a determined adversary could gain.

More here.

Wednesday, April 08, 2009

Extremist Web Sites Are Using U.S. Hosts

Joby Warrick and Candace Rondeaux write on The Washington Post:

On March 25, a Taliban Web site claiming to be the voice of the "Islamic Emirate of Afghanistan" boasted of a deadly new attack on coalition forces in that country. Four soldiers were killed in an ambush, the site claimed, and the "mujahideen took the weapons and ammunition as booty."

Most remarkable about the message was how it was delivered. The words were the Taliban's, but they were flashed around the globe by an American-owned firm located in a leafy corner of downtown Houston.

The Texas company, a Web-hosting outfit called ThePlanet, says it simply rented cyberspace to the group and had no clue about its Taliban connections. For more than a year, the militant group used the site to rally its followers and keep a running tally of suicide bombings, rocket attacks and raids against U.S. and allied troops. The cost of the service: roughly $70 a month, payable by credit card.

More here.

Mark Fiore: The Notice-Me-Now Rocket

More Mark Fiore brilliance.

Via The San Francisco Chronicle


- ferg

Company Caught in Texas Data Center Raid Sues and Loses

Kim Zetter writes on Threat Level:

A company whose servers were seized in a recent FBI raid on Texas data centers applied for a temporary restraining order to force the agency to return its servers, but was denied by a U.S. district court last week.

The company, Liquid Motors, provides inventory management and marketing services to national automobile dealers, such as AutoNation. It was one of about 50 companies put out of business last week when the FBI raided Core IP Networks, one of two data centers and co-location facilities raided by the FBI's Dallas office in the last month for an investigation into VoIP fraud.

Although Liquid Motors was not a target of the investigation, the FBI seized all of the company's servers and backup tapes in the raid.

More here.

Tuesday, April 07, 2009

U.S. Electrical Grid Penetrated By Foreign Cyber Spies

Siobhan Gorman writes in The Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

The espionage appeared pervasive across the U.S. and doesn't target a particular company or region, said a former Department of Homeland Security official. "There are intrusions, and they are growing," the former official said, referring to electrical systems. "There were a lot last year."

More here.

Industry Group Calls For Public-Private Cyber Security Standards

Jill R. Aitoro writes on NextGov:

The federal government should establish minimum standards of cybersecurity for both public and private organizations, rather than focus primarily on requirements for protecting government computer networks, according to recommendations from an association of intelligence and security professionals.

A comprehensive cybersecurity plan, coordinated by the White House, should include a common set of standards defining the level of cyber defense that private sector organizations use for their computer systems and networks based upon the sensitivity of information, and providing guidelines for assessing cyber preparedness, concluded a report [.pdf] from the Arlington, Va.-based Intelligence and National Security Alliance. INSA formed a task force with representatives from 26 companies to provide recommendations for a national cybersecurity plan to Melissa Hathaway, senior director for cyberspace for the administration's national security and homeland security councils. Hathaway is nearing the end of a 60-day review of federal cybersecurity initiatives the Obama administration ordered.

Private sector organizations typically oversee their own network security, or follow industry standards for protecting information. Common standards for the public and private sectors would ensure a base level of security across all industries, said Frank Blanco, INSA's executive vice president. He added that the federal government could encourage compliance by soliciting input from industry on effective minimum standards.

"There's always the danger" that government recommendations will face pushback from industry, Blanco said. "But if industry and government are in a room together, talking about what the minimum standards should include and what that would mean for everyone involved, industry would be more receptive."

More here.

DoD: Cyber Security is Each User's Responsibility

David Perera writes on

Securing the Defense Department's networks from attacks will require wide ranging changes to military culture, conduct and capabilities, said Air Force Gen. Kevin Chilton, commander of the Strategic Command.

The users of the networks "are making it too easy for our adversaries" to exploit weaknesses, he said before a conference on cybersecurity sponsored by Armed Forces Communications Electronics Association International.

“We know we don’t have the answers and oftentimes don’t even know what the right questions are to ask,” he said.

The military still does not have a good grasp of which machines are connected to the Secret Internet Protocol Router Network, a classified DOD intranet, Chilton said. There’s no comprehensive situational awareness of network status and incident response requires more real-time automatic intervention than exists today, he added. A culture of treating information technology as a convenience rather than an essential platform persists, despite the fact that local vulnerabilities can create global effects.

“People think that the rules don’t apply to them, for whatever reason," he said. "There are adversaries today out there who are taking advantage of that misbehavior and that lack of discipline.”

More here.

Pentagon Bill To Fix Cyber Attacks: $100M

An AP newswire article, via CBS News, reports that:

The Pentagon spent more than $100 million in the last six months responding to and repairing damage from cyber attacks and other computer network problems, military leaders said Tuesday.

Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, said the military is only beginning to track the costs, which are triggered by constant daily attacks against military networks ranging from the Pentagon to bases around the country.

"The important thing is that we recognize that we are under assault from the least sophisticated - what I would say the bored teenager - all the way up to the sophisticated nation-state, with some pretty criminal elements sandwiched in-between," said Chilton, adding that the motivations include everything from vandalism to espionage. "This is indeed our big challenge, as we think about how to defend it."

According to Army Brig. Gen. John Davis, deputy commander for network operations, the money was spent on manpower, computer technology and contractors hired to clean up after both external probes and internal mistakes. Strategic Command is responsible for protecting and monitoring the military's information grid, as well as coordinating any offensive cyber warfare on behalf of the U.S.

More here.

Hat-tip: Elinor Mills

FBI Defends Disruptive Raids on Texas Data Centers

Kim Zetter writes on Threat Level:

The FBI on Tuesday defended its raids on at least two data centers in Texas, in which agents carted out equipment and disrupted service to hundreds of businesses.

The raids were part of an investigation prompted by complaints from AT&T and Verizon about unpaid bills allegedly owed by some data center customers, according to court records. One data center owner charges that the telecoms are using the FBI to collect debts that should be resolved in civil court. But on Tuesday, an FBI spokesman disputed that charge.

"We wouldn’t be looking at it if it was a civil matter," says Mark White, spokesman for the FBI's Dallas office. "And a judge wouldn’t sign a federal search warrant if there wasn’t probable cause to believe that a fraud took place and that the equipment we asked to seize had evidence pertaining to the criminal violation."

In interviews with Threat Level, companies affected by the raids say they've lost millions of dollars in equipment and business after the FBI hauled off gear belonging to phone and VoIP providers, a credit card processing company and other businesses that housed equipment at the centers. Nobody has been charged in the FBI's investigation.

More here.

Monday, April 06, 2009

Virginia Universities 'Hotbeds of Terrorist Activity'? Give Me a Break


A recently published “terrorism threat assessment” from a Virginia fusion center says the state’s universities and colleges are “nodes for radicalization” and encourages law enforcement to monitor First Amendment-protected activities of educational and religious foundations as terrorism threats. The document, which drew concern today from the American Civil Liberties Union over its constitutional implications, also characterizes the “diversity” surrounding a Virginia military base and the state’s “historically black” colleges as possible threats. The March 2009 document, which claims there are currently at least fifty active “terrorist and extremist” groups in Virginia, is posted on the website

The federal government has facilitated the growth of a network of fusion centers since 9/11 to expand information collection and sharing practices among law enforcement agencies, the private sector and the intelligence community. There are currently 70 fusion centers in the United States.

“If we are to believe this exaggerated threat assessment, Virginia’s learning and religious institutions must be hotbeds of terrorist activity,” said Caroline Fredrickson, Director of the ACLU Washington Legislative Office. “This document and its authors have displayed a fundamental disregard for our constitutional rights of free expression and association. Unfortunately, it’s not the first time we’ve seen such an indifference to these basic rights from local fusion centers. Congress must take the necessary steps to institute real and thorough oversight mechanisms at fusion centers before we reach a point where we are all considered potential suspects.”

The Virginia threat assessment comes on the heels of two recently publicized and troubling documents from Texas and Missouri fusion centers. From directing local police to investigate non-violent political activists and religious groups in Texas to advocating surveillance of third-party presidential candidate supporters in Missouri, there have been repeated and persistent disclosures of troubling memos and reports from local fusions centers. Last week, the ACLU sent five letters to the Department of Homeland Security (DHS) Office of Civil Rights and Civil Liberties urging investigations into five troubling incidents, several of which have stemmed from DHS-funded fusion centers.

More here.

Crypto-Politics Creep Into DNSSEC

Brenden Kuerbis writes on the Internet Governance Project Blog:

While the fight over using cryptography to protect personal communications was allegedly "won" during the late 1990s, the battle over using it to protect critical Internet resources is just heating up. News from the recent IETF in San Francisco and RANS conference in Moscow suggests that national crypto laws are now complicating efforts to secure the DNS.

Specifically, supporters of .ru have noted that while they are interested in deploying DNSSEC, there are legal and operational constraints surrounding the current crypto specs in the standard (i.e., RSA signature and SHA digest algorithms) that could make it difficult for Russian based organizations to deploy the protocol. There are now efforts being made to introduce the Russian developed GOST family of algorithms into the protocol.

In developing DNSSEC, the DNSEXT Working Group recognized the need and designed the protocol to support different algorithms simultaneously. Nonetheless, the protocol documents have mostly made a habit of recommending the use of the RSA signing and SHA hashing algorithms. To some extent this simply reflects the fact that RSA has been incorporated into protocols worldwide (e.g., SSL) and has broad market acceptance. But arguably it is also an artifact of the relatively small social network of authors and mostly American organizations involved in publishing DNSEXT RFCs to date.

More here.

Sunday, April 05, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Sunday, April 5, 2009, at least 4,266 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,425 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

As of Sunday, April 5, 2009, at least 601 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Thursday at 10 a.m. EDT.

Of those, the military reports 444 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

SCADA Watch: NIST Ramps Up Work on Standards for Smart Grid

William Jackson writes on

Spurred by economic stimulus spending that will support the development of a nationwide Smart Grid for intelligent energy distribution, the National Institute of Standards and Technology is stepping up efforts to identify or create interoperability and security standards for the new infrastructure.

In March, NIST established a full-time position to lead Smart Grid activities and hopes to recommend a suite of standards by the end of the year, said George Arnold, NIST deputy director of technical services, who is leading the effort.

“We’re doing this on a very fast track,” Arnold said. “This is doable.” Industry already has done a lot of the work, and much of NIST’s job will be to prioritize needs and identify existing standards that meet them.

More here.

Classic xkcd: Security Question

Click for larger image.

We love xkcd.

- ferg

Humans Prove Weak Link in Japanese Warning Network

Martyn Williams writes on NetworkWorld:

If there's one thing the Japanese government learned on Saturday -- the first of a five-day launch period for a North Korean rocket -- it's that the government's emergency information network works.

At 12:16 p.m. local time, terminals at government agencies, municipalities and media organizations across Japan flashed news from the government: "North Korea appears to have launched a projectile." Almost immediately TV stations broke into programming to deliver the news and soon after it flashed around the world.

Too bad North Korea hadn't actually launched anything. Five minutes later the same network was used to retract the warning.

The error was blamed on a misunderstanding between military staff. A radar station near Tokyo had detected something over the Sea of Japan, which separates the two countries and over which the rocket was expected to fly, and this was relayed to Japan's Air Defense Command. But there, according to local media reports, it was mistaken for data from a U.S. early warning satellite and passed on to the Defense Agency and central government and the alert was issued.

More here.

NORAD: N. Korean Rocket Launch a Failure

An AP newswire article, via The Army Times, reports that:

North Korea claims the rocket it sent up Sunday put an experimental communications satellite into space and that it is transmitting data and patriotic songs. The U.S. military says whatever left the launch pad ended up at the bottom of the sea.

North Korea has a history of hyperbole. In creating a cult of personality for its leader, Kim Jong Il, its media rewrote the story of his birth along biblical lines and once said that when he took up golf, he was firing holes-in-one with regularity.

The North’s official Korean Central News Agency said the three-stage rocket “accurately” put a satellite into orbit nine minutes and two seconds after launch. It provided details on an elliptical orbit that it said was taking the satellite around the Earth every 104 minutes and 12 seconds.

“The satellite is transmitting the melodies of the immortal revolutionary paeans ‘Song of Gen. Kim Il Sung’ and ‘Song of Gen. Kim Jong Il’ as well as measurement data back to Earth,” KCNA said, referring to the country’s late founder and his son, the current leader.

More here.

Report Says Interior Dept. Failed to Secure Network

Brian Krebs writes on The Washington Post:

Years after the Interior Department was warned that its computer network was dangerously exposed to hackers and was ordered by a federal judge to fix the problem, the vulnerabilities remained, to the point that the department probably could not tell if outsiders had gained access to its data, according to a newly disclosed internal report.

The report was written last spring by Interior's then-inspector general, Earl A. Devaney, but it became public only Wednesday, when it was filed with a federal appeals court as part of a decade-old, multibillion-dollar lawsuit by Native Americans against the federal government.

"It is unfathomable anyone could give assurance the Department's network is secure," Devaney wrote, adding that the department had "persistently failed to meet minimum standards in information security."

"According to the Department's own analysis, nearly 70% of the network traffic leaving the Department through a single one of its Internet gateways during the month of January 2008 was bound for known hostile countries and the Department lacked the capability to even determine what the traffic was," the report reads.

The report by Devaney appears to challenge statements Interior officials made last summer in federal court that the department's computer network security had been sufficiently improved.

More here.