Friday, October 22, 2010

Siemens Stuxnet Patch Does Not Provide Sufficient Protection

Via The H Online.

The Siemens SIMATIC Security Update for protecting WinCC systems against Stuxnet infections doesn't close the actual hole in the SQL server configuration. It only prevents the known Stuxnet variants from working. As IT forensics expert Oliver Sucker demonstrates (German language link) in a video, only a few steps are required to bypass the protection and regain full remote access to a WinCC system,.

The issue is based around the hard-coded access data for the WinCC system's Microsoft SQL database. The Stuxnet worm uses this data to log into further systems from another infected system. There, it uses the integrated xp_cmdshell command shell to access the underlying Windows operating system at system privilege level from the database.

The SIMATIC update prevents the database from executing commands via xp_cmdshell by switching the pertaining configuration option from 1 to 0. According to Sucker, however, the privileges of the hard-coded WinCCAdmin database user are so comprehensive that an attacker can use a few trivial SQL commands to switch the setting back from 0 to 1 after logging in. This will re-enable the execution of commands via the command shell. Sucker has so far not disclosed the exact SQL commands required.

When asked by The H's associates at heise Security, Siemens refused to comment on the issue. Siemens spokesman Gerhard Stauss said in an email, "Our (latest) official statement to the effect that we are investigating ways of tightening authentication procedures remains in place". Until Siemens decides to improve its authentication by allowing the definition of custom access credentials, users can only hope that there will be no further Stuxnet variants or hacker attacks.

More here.

Thursday, October 21, 2010

Mark Fiore: G.I. L.G.B.T P.D.Q.

More Mark Fiore Brilliance.

Via The San Francisco Chronicle.

- ferg

Feds Experiencing Critical Cybersecurity Staff Shortage

William Jackson writes on Defense Systems:

The Homeland Security Department is focused on recruiting and hiring cybersecurity personnel. It tripled the number of professionals working in the National Cybersecurity Division in fiscal 2009 and doubled it again last year.

But that still brings the number of cybersecurity professionals working in the division to only 220.

“We just don’t have enough people yet,” Philip Reitinger, deputy undersecretary in the National Protection and Programs Directorate, said Thursday at a forum on workforce development hosted in Washington by Deloitte. “This is going to be a continuing challenge for us.”

DHS has been recruiting from other agencies as well as from the private sector, but Reitinger called that a “zero sum game,” because there are not enough trained professionals coming into the field to meet demand. “There are not enough people to go around.”

More here.

Wednesday, October 20, 2010

UK: Every eMail and Website to be Stored

Tom Whitehead writes on the

Moves to make every communications provider store details for at least a year will be unveiled later this year sparking fresh fears over a return of the surveillance state.

The plans were shelved by the Labour Government last December but the Home Office is now ready to revive them.

It comes despite the Coalition Agreement promised to "end the storage of internet and email records without good reason".

Any suggestion of a central "super database" has been ruled out but the plans are expected to involve service providers storing all users details for a set period of time.

That will allow the security and police authorities to track every phone call, email, text message and website visit made by the public if they argue it is needed to tackle crime or terrorism.

More here.

Tuesday, October 19, 2010

Two Russians Convicted as Money Mules

Dan Goodin writes on The Register:

Two Russian men have been convicted for their roles as money mules who tried to siphon funds out of US bank accounts and send it to ringleaders in Ukraine.

Dmitry Vladislavovich Krivosheev, 25, and Maxim Valeryevich Illarionov, 24, who were living in Miami, last week were convicted of one count each of wire fraud and conspiracy to commit wire fraud by a federal jury in Oklahoma. The men set up bank accounts that received funds stolen from a Bank of America account belonging to Oklahoma City-based Powell Aircraft Title Services, according to court papers [.pdf]filed in April.

According to prosecutors, the company's bank account came under control of unknown individuals in Ukraine who used malware to make fraudulent wired transfers. At least $1.3m has been fraudulently diverted from bank accounts using the scheme, they said.

A third man accused of being recruiting the mules, Alexy Olegovich Petrov, was acquitted in the trial. According to court papers, he directed both mules to open the accounts and personally drove them various branches so they could make withdrawals and got a split of their proceeds.

Krivosheev and Illarionov face a maximum sentence of 20 years in federal prison and fines of $250,000. A sentencing hearing will be sent in about 90 days, prosecutors said.

More here.

Monday, October 18, 2010

U.S. Pushes to Ease Technical Obstacles to Wiretapping

Charlie Savage writes on The New York Times:

Law enforcement and counterterrorism officials, citing lapses in compliance with surveillance orders, are pushing to overhaul a federal law that requires phone and broadband carriers to ensure that their networks can be wiretapped, federal officials say.

The officials say tougher legislation is needed because some telecommunications companies in recent years have begun new services and made system upgrades that create technical obstacles to surveillance. They want to increase legal incentives and penalties aimed at pushing carriers like Verizon, AT&T, and Comcast to ensure that any network changes will not disrupt their ability to conduct wiretaps.

An Obama administration task force that includes officials from the Justice and Commerce Departments, the F.B.I. and other agencies recently began working on draft legislation to strengthen and expand a 1994 law requiring carriers to make sure their systems can be wiretapped. There is not yet agreement over the details, according to officials familiar with the deliberations, but they said the administration intends to submit a package to Congress next year.

Albert Gidari Jr., a lawyer who represents telecommunications firms, said corporations were likely to object to increased government intervention in the design or launch of services. Such a change, he said, could have major repercussions for industry innovation, costs and competitiveness.

More here.

Australia: MI6 Officers Apply for Canberra Spy Jobs

David Leppard writes on The Australian:

According to insiders, the strong interest among middle-ranking officers in jobs at the Australian Secret Intelligence Service (ASIS) reflects a crisis in morale at MI6.

There has been growing uncertainty among the agency's 2600 staff who have been unsettled by looming budget cuts, inquiries into alleged complicity in the torture of terrorism suspects and moves to keep operatives behind computer screens in London rather than sending them on overseas missions.

The changes are being overseen by Sir John Sawers, the MI6 chief, who achieved unexpected fame - and ridicule - last year when his wife Shelley inadvertently breached security by posting pictures of him on Facebook. He was shown wearing Speedos - nicknamed "budgie smugglers" in Australia - on the open section of a Facebook page.

The attraction of Australia for Sawers's officers is enhanced by the contrast with a three-year Whitehall-wide pay freeze. Forced to retire at 55, insiders say they face limited promotion prospects as executive jobs are cut.

More here.

UK Arrests Man Accused of Organizing Money 'Mules'

Jeremy Kirk writes on ComputerWorld:

U.K. police arrested a 34-year-old man on Monday on suspicion of creating counterfeit credit cards and organizing a network of people involved in money laundering, officials said.

Authorities from the Metropolitan Police's .Central e-crime Unit also seized data and equipment believed to be used to created fraudulent payment cards, including blank dummy cards with magnetic strips, during a raid Monday morning in east London.

The man, whose name was not made public, is also accused of organizing money "mules" -- people recruited to accept stolen funds and transfer them to other bank accounts for a small share of the amount.

The latest action follows a spate of arrests in the U.K., U.S. and Ukraine in one of the largest coordinated computer crime actions by law enforcement.

More here.