Tuesday, February 10, 2009

Please note that this weblog will no longer be updated at this location. You can find the new weblog at:

http://www.van-manen.info/weblog

posted @ 12:50 PM | Feedback (1)

Friday, February 06, 2009

Areva, a Paris-based company that serves nuclear, wind, and fossil-fuel power companies, is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leave it vulnerable to hijacking.

The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.

A swarm of buffer overflow and denial-of-service bugs makes versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering, the US Computer Emergency Readiness Team warns in its advisory. Customers using earlier versions need to upgrade as well.

"An unauthenticated attacker may be able to gain access with the privileges of the e-terrahabitat account or an administrator account and execute arbitrary commands, or cause a vulnerable system to crash," CERT's advisory states. Users should apply the patch immediately, it adds.

The warning is the latest to affect so-called SCADA, or supervisory control and data acquisition, software used to control valves and switches at manufacturing plants, power generators, and gasoline refineries throughout the world. In theory, such bugs shouldn't pose much risk, because SCADA systems and other critical industrial controls should never be exposed to the internet.

Indeed, a spokesman at Areva's Maryland outpost suggested Thursday that vulnerabilities like the ones included in the advisory didn't amount to much of a threat.

"Computers used at nuclear power plants are not connected to the internet and therefore they're not vulnerable to viruses of any kind," he said.

But in the real world, there are plenty of ways vulnerable SCADA systems could be exploited. As plants struggle to cut costs, they frequently turn to SCADA to manage systems remotely, over telephone lines or private networks. Corporations also connect SCADA systems to their data networks to collect data, and those networks are sometimes connected to the internet, some security experts have said.

CERT used the advisory as an opportunity to remind administrators about the benefits of using network perimeter access controls to reduce their exposure to attacks. Among the resources available: signatures based on the Snort network intrusion detection system offered by the Department of Homeland Security and available through Areva.

Areva credited Eyal Udassin and Jonathan Afek of C4 Security with discovering some of the vulnerabilities. Idaho National Labs and the Department of Homeland Security's Control Systems Security Program were also cited.

posted @ 1:04 PM | Feedback (1)

Monday, February 02, 2009

A legally blind Massachusetts phone hacker admitted this week to federal computer intrusion and witness intimidation charges that could put him away for as long as 13 years.

Matthew Weigman, 18, pleaded guilty to two felonies before U.S. Magistrate Judge Paul D. Stickney in Dallas on Tuesday. Known in the telephone party-line scene as "Li'l Hacker," Weigman is widely considered one of the best phone hackers alive.

Relying on an ironclad memory and detailed knowledge of the phone system, the teenager is known for using social engineering to manipulate phone company workers and others into divulging confidential information, and into entering commands into computers and telephone switching equipment on his behalf. The FBI had been chasing Weigman since he was 15 years old, at times courting him as an informant. He was finally arrested last May, less than two months after celebrating his 18th birthday.

"I've been interested in phones since I've been about 8," Weigman said in a 2007 interview with Wired.com. "I talked to technicians when they came down here to do things on my phone."

In his plea deal with prosecutors, Weigman, who was born blind, admitted to a long criminal resume. Among other things, he confessed to conspiring with other telephone hooligans who made hundreds of false calls to police that sent armed SWAT teams bursting into the homes of their party-line enemies.

In a new revelation, Weigman also admitted eavesdropping on customer service calls to Sprint, by dialing into a phone line used by Sprint supervisors to monitor their employees. Weigman parked on the spy line to overhear customers giving out their credit card numbers, which he memorized and passed to accomplices. Weigman and his friends used the numbers to purchase computers and other electronics.

The FBI began investigating Weigman after he staged a 2005 hostage hoax that sent police to the Colorado home of Richard Gasper, a TSA screener whose daughter refused phone sex with Weigman. When the FBI caught up with him more than a year later, cybercrime agent Allyn Lynd offered to make him a confidential informant, but called off the deal when AT&T discovered that Weigman was still manipulating the phone company.

Lynd later told a police detective that Weigman couldn't stop hacking for more than 72 hours.

Weigman's current troubles began in April, the month he reached adulthood. William Smith, a Verizon security investigator who'd been monitoring Weigman's hacking and phoning in updates to the FBI, noticed that Weigman had used the name and identifying information of a Texas woman to turn on phone service at the East Boston apartment he shared with his mother and siblings.

When Smith disconnected the fraudulent account, Weigman turned it back on again. Then Weigman began making harassing phone calls to Smith at his house. To trick the security worker into picking up the phone, the hacker socially engineered phone company employees into sharing Smith's billing records in near-real time, then used Caller ID spoofing to make Smith think someone was returning his own calls, according to court records.

"For example, Smith would call a travel agency to arrange for a flight," the FBI's Lynd wrote in an affidavit. "A few minutes later, he would receive a phone call which appeared to be coming from the travel agency that he had just booked a flight through. When Smith answered the phone, Weigman would begin harassing him again."

Then on May 18, Weigman showed up at Smith's New Hampshire home with his burly older brother. Smith felt intimidated and called the police, who arrested the hacker.

Weigman is set for sentencing on April 24. Under the terms of his plea agreement, he can withdraw his guilty plea if sentencing judge Barbara M. G. Lynn gives him more than 13 years in prison.

posted @ 10:17 AM | Feedback (1)

Microsoft Corp. is suing a former employee, claiming that he applied for a job at the company under false pretenses and then used his role at Microsoft to gain access to confidential data related to patent litigation he is now waging.

Miki Mullor was hired by Microsoft in November 2005, after stating in his job application he was a former employee at Ancora Technologies, a Sammamish software development company that he said had gone out of business.

But, according to Microsoft, Ancora had not gone out of business and Mullor was still chief executive.

While at Microsoft, Mullor downloaded confidential documents to his company-issued laptop, according to the complaint, which was filed Jan. 22 in King County Superior Court.

Those documents, Microsoft said, were related to the subject matter of a patent complaint Ancora later filed in June 2008 against Dell Inc., Hewlett-Packard Co. and Toshiba America Information Systems Inc., stating that their use of certain Microsoft technology violated an Ancora patent. Microsoft is now also a party in that case.

"The documents downloaded by Mullor relate directly to the subject matter of Ancora's Patent Action," Microsoft said in the complaint. "These documents had no bearing on Mullor's work at Microsoft at the time."

Microsoft fired Mullor in September 2008.

On Ancora's Web site, Mullor is listed as chairman and founder. His biography notes that he previously worked at Microsoft.

The Web site also highlights the patent litigation:

"To secure each copy of (Windows), without burdening the honest user, (PC makers) use a technology known as System Locked Pre-Installation (SLP) to protect Windows against piracy.

"SLP is Ancora's technology and is covered by our pioneer patent, US Patent 6,411,941.

"This lawsuit is about protecting our patent rights from being infringed by HP, Dell and Toshiba. This is not David vs. Goliath. This is David vs. three Goliaths."

In an interview, Mark Cantor, an attorney for Mullor in that case, described the Microsoft complaint as "simply a retaliatory lawsuit by Microsoft to get the patent case transferred to Seattle."

The patent case is scheduled for trial in a Los Angeles federal court on Jan. 26, 2010.

Microsoft is seeking a court order barring Mullor from any involvement in the patent claim, including assisting Ancora with prosecuting the suit or providing trade-secret information he improperly acquired.

Mullor, reached at his home in Sammamish, referred all calls to Cantor, who said a lawyer hasn't been retained in the Seattle case.

posted @ 10:14 AM | Feedback (1)


Defense Department officials have launched a new Web site where developers can work on open-source software projects specifically for DOD, David Mihelcic, the chief technology officer for the Defense Information Systems Agency (DISA), said today.

The new site, named Forge.mil, is based on the public site SourceForge.net which hosts thousands of open-source projects, Mihelcic said at an AFCEA Washington chapter lunch in Arlington, Va.

“It really is SourceForge.net upgraded to meet DOD security requirements,” Mihelcic said.

Forge.mil users must authenticate with a Common Access Card, the DOD smart card. Smart cards also help control access to sensitive information.

Work on Forge.mil started in October 2008, and Mihelcic approved limited operation of the site on Jan. 23, he said.

In its first week, Forge.mil is hosting three open-source projects, Mihelcic said. One project, named DOD Bastille, was started by a DISA intern, he said. DOD Bastille is based on Bastille, publicly available software that automates the security configuration of servers.

DOD Bastille integrates the specific security, technical and implementation guidelines required by DOD.

“Our intern had to stand up 50 Linux machines in a lab and he said, ‘Boy I don’t want to do this by hand; why can’t I use Bastille to do this for me?’” Mihelcic said. “He looked at Bastille and saw it couldn’t do all the things he needed, so he started an open-source project. He got folks like Red Hat to jump in and participate.”

Another project on Forge.mil is designed to manage the development of requests for proposals. The third project automates the secure configuration of Solaris systems, Mihelcic said, adding that he hopes to have 20 projects on Forge.mil within the next six months.

posted @ 10:08 AM | Feedback (1)