Tuesday, November 11, 2008
Computer systems that run the world's critical infrastructure are not as secure as they should be and insiders are feeling angry.
That's according to a new survey released Monday that asked management, network engineers and administrators in nine infrastructure industries about the state of cyber security in the US, Canada, and Europe.
Insiders felt that all of these industries, save financial services, were unprepared for cyberattacks. These unready industries included: water, utilities, oil and gas, telecommunications, transportation, emergency services, chemical and the shipping industry.
And that's bad news because more than half of them said that their companies had already been hit with some sort of cyber incident, data leak, or insider attack. Another 14 percent said they were expecting something like this to happen in the next year.
"None of them thought that they were very prepared for either insider threats or data leakage," said Elan Winkler, director of critical infrastructure solutions with Secure Computing.
About 90 percent of the survey's 199 respondents were directly employed in an infrastructure industry, with the other 10 percent listing some other occupation, such as academic or consultant. Winkler's company paid for the study, which was produced by IDC's Energy Insights. IDC is owned by the IDG News Service's parent company, International Data Group.
Although there have been scattered reports of computer compromises affecting critical infrastructure, most companies keep this kind of information secret because it is considered to be potentially embarrassing.
That's not the case in the IT security industry, which often prides itself on the open disclosure of information, and there is often a culture clash between IT security folks who push to make security information public, and more conservative utility security workers, who worry that this kind of knowledge could be misused.
The Energy Insights survey found that many insiders are dissatisfied with the lack of preparedness within their own industries. About three quarters of respondents said they were "annoyed, angry or frustrated" with the state of critical infrastructure security, Winkler said.
"These are the people who actually know what's going on and they're unhappy," she said. "That, to me, was a real surprise."
Some industries are farther along than others, Winkler said. Financial, energy and telecommunications are the most prepared, she said, while the water, shipping and transportation industries were rated least ready.
However, the energy sector was considered the most in need of improved security because it is the biggest, most vulnerable and easiest to breach, respondents said.
Cost was ranked as the biggest impediment to security, Winkler said.
Industries that have already seen how a major disaster can affect their bottom line are more likely to have serious risk analysis models that take things like cybersecurity into account, said Eric Byres, chief technology officer with Byres Security, a critical infrastructure security consultancy.
"What I'm seeing is that there is a real mix," he said. "Some companies are really on the ball... and then I see other companies that are very much in the dark, who don't get it."
The companies that are prepared for the next cyber attack are the ones that have buy-in from the bosses, Byres said. "It really gets driven from the upper management," he said.
Spammers are turning a profit despite only getting one response for every 12.5m e-mails they send, finds a study.
By hijacking a working spam network, US researchers have uncovered some of the economics of being a junk mailer.
The analysis suggests that such a tiny response rate means a big spam operation can turn over millions of pounds in profit every year.
It also suggests that spammers may be susceptible to attacks that make it more costly to send junk mail.
Slim pickings
The spam study was carried out in early 2008 by computer scientists from University of California, Berkeley and UC, San Diego (UCSD).
For their month-long study the seven-strong team of computer scientists infiltrated the Storm network that uses hijacked home computers as relays for junk mail.
At its height Storm was believed to have more than one million machines under its control.
The team, led by Assistant Professor Stefan Savage from UCSD, took over a chunk of the Storm network to make it easier to run their study.
"The best way to measure spam is to be a spammer," wrote the researchers in a paper describing their work.
They created several so-called "proxy bots" that acted as conduits of information between the command and control system for Storm and the hijacked home PCs that actually send out junk mail.
The team used these machines to control a total of 75,869 hijacked machines and routed their own fake spam campaigns through them.
[Image: Fake pharmacy website, UCSD/UC Berkeley. Caption: The research team created a legitimate-looking pharmacy site.]
Two types of fake spam campaign were run through these machines. One mimicked the way Storm spreads using viruses and the other tried to tempt people to visit a fake pharmacy site and buy a herbal remedy to boost their libido.
The fake pharmacy site was made to resemble those run by Storm's real owners but always returned an error message when potential buyers clicked a button to submit their credit card details.
While running their spam campaigns the researchers sent about 469 million junk e-mail messages. The vast majority of these were for the fake pharmacy campaign.
"After 26 days, and almost 350 million e-mail messages, only 28 sales resulted," wrote the researchers.
The response rate for this campaign was less than 0.00001%. This is far below the average of 2.15% reported by legitimate direct mail organisations.
"Taken together, these conversions would have resulted in revenues of $2,731.88—a bit over $100 a day for the measurement period," said the researchers.
Scaling this up to the full Storm network the researchers estimate that the controllers of the vast system are netting about $7,000 (£4,430) a day or more than $2m (£1.28m) per year.
While this was a good return, said the researchers, it did suggest that spammers were not making the vast sums of money that some people have predicted in the past.
They suggest that the tight costs might also open up new avenues of attack on spammers.
The researchers concluded: "The profit margin for spam may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses."
A computer specialist, laid off Wednesday, Nov. 5, from a mutual fund company, was arrested Monday by federal agents at his home in Old Bridge after allegedly threatening to use hackers in Belarus to vandalize the company's computer system.
Viktor Savtyrev, 29, was charged with attempting to extort money from New York-based Third Avenue Management to get a better severance package.
Savtyrev, a Russian national, appeared in U.S. District Court, Newark before Magistrate Judge Patty Shwartz. She ordered Savtyrev held until a bail hearing, tentatively scheduled for Thursday, Nov. 13.
His attorney, Robert Stahl of Westfield, said Savtyrev did not intend to damage the company's system.
"At the end of the day this is someone who was under a great deal of financial stress who said some inappropriate things but did not have the intention or the ability to carry anything out," Stahl said.
A spokeswoman for Third Avenue Management said the company's systems have been checked for any problems and deemed safe.
Authorities said the company, which runs Third Avenue Mutual Funds, laid off 10 people including Savtyrev, a systems analyst.
On Thursday morning, Nov. 6, Savtyrev sent an e-mail to the general counsel and three employees of the company, telling them he was unhappy with the terms of the severance package he received, according to a criminal complaint filed Friday, Nov. 7.
In the e-mail, Savtyrev demanded more money, extended medical benefits and "excellent references," according to the complaint.
Savtyrev's e-mail also contained a threat, according to an affidavit by FBI Special Agent Gerald Cotellesse.
"My comrades for a small fee are able to help me out with bridging firewall security and carry out data destruction and virus outbreak," it read, according to the affidavit.
He continued, according to Cotellesse: "I located the names and e-mail addresses of the editors of Wall Street Journal, Newsweek and the Daily News and all of them should be very interested in getting an article about a mutual fund (losing) data because some 'Crazy Russian' (this is the name of the article which I wrote last night), was fired after 5 years of loyal service."
Authorities said one of the employees acted as a cooperating witness and recorded a telephone call with Savtyrev during which he repeated his demands for a better severance package and claimed he was going to get friends from Belarus, well-known hackers, to assist in damaging the system.
He later claimed he had "back doors" into the company's system that it would not find out about for months.
"This is a regrettable situation involving a former employee," said Bridget Smith, spokeswoman for Third Avenue Management. "We contacted the FBI immediately."
Smith said an independent data security and computer forensics firm was brought in to assess the company's system.
"There has been no breach of security in any of our systems," Smith said. "Despite that we've taken further security precautions to enhance our systems."
The Homeland Security Department is putting sensitive information at risk by security weaknesses in its computer systems at Los Angeles International Airport, according to a new report from DHS Inspector General Richard Skinner.
U.S. Customs and Border Protection and three other DHS agencies that operate at the airport are lax on their information technology security for servers, routers, and switches operating at the airport, the report issued Nov. 7 said.
The report identifies the other agencies falling short as the Coast Guard, Immigration and Customs Enforcement and the Transportation Security Administration.
“The information technology security controls implemented at this site have deficiencies that, if exploited, could result in the loss of confidentiality, integrity and availability of their information technology systems,” the GAO report states. “Specifically, these components need to improve their physical security operational controls for telecommunications equipment and servers.”
The federal agencies’ IT systems are put at risk by problems with operational, technical and management controls, GAO said.
For example, in November 2006, CBP installed a wireless network at the airport, but it was not tested once it was connected to the CBP’s network. During the time of the IG's visit in December 2007, CBP staff members were unable to operate the networks because of technical problems, the report said.
Other problems identified included improper access controls, unsecured server storage rooms, and the storage of IT systems in rooms that were too warm and possibly subjected the systems to damage.
The GAO made 23 recommendations for improvements; the DHS agencies agreed with most of the findings, with several exceptions.
More than six months after the discovery of security flaws in the Internet's core addressing system, many Domain Name System (DNS) servers are still open to attack, according to a study published today.
According to a report on DNS trends published by Infoblox and the Measurement Factory, approximately one in four DNS servers still does not perform source port randomization, the chief patch for the so-called "Kaminsky vulnerability" that was discovered by researcher Dan Kaminsky in the first half of last year and fully disclosed at the Black Hat conference in August.
"A surprising number have not been upgraded and are very vulnerable to cache poisoning," the report states.
The study, which took a sample of 5 percent of the Internet's IPv4 address space -- about 80 million addresses -- also showed that more than 40 percent of Internet name servers allow recursive queries, which is one of the design flaws that might enable attackers to abuse Internet address spaces for their own purposes. About 30 percent allow zone transfers to arbitrary requestors, another flaw that could lead to vulnerabilities such as those discovered by Kaminsky.
Only 0.002 percent of DNS zones in the test were found to support DNSSEC, which is widely viewed as a possible "next step" in reducing the effects of DNS security flaws. "Administrators have not been convinced of its importance -- perhaps intimidated by its complexity -- but new mandates could mean a significant change in the near future," the study says.
The researchers found that 90 percent of DNS server operators are running the most current version of BIND, and that reliance on the vulnerable Microsoft DNS Server has dropped to 0.17 percent. Adoption of IPv6, which is designed to provide greater security, continues to be slow, the study says.
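Source port randomization is the patch criterion the study counts, and an operator can check their own resolver for it without any external service: capture the resolver's outbound queries and look at whether the source ports vary. The following is an added example, not code from the Infoblox/Measurement Factory report or from any tool it names. It parses tcpdump-style lines (the format and all three sample captures are constructed for this example), classifies the observed source ports as fixed, sequential or randomized, applies the same heuristic to the transaction IDs, and gives a sample-limited lower-bound estimate of how many bits an off-path forger would have to guess. The threshold for "sequential" is an assumption chosen for the example.

```python
"""Check a resolver's outbound queries for source port randomization.

Added example; the log format below imitates tcpdump output and is
constructed, as are the three sample captures.
"""
import math
import re

# Matches: "<time> IP <src>.<sport> > <dst>.53: <txid>+ A? <name>. (<len>)"
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? A\? (\S+)")

# Constructed capture 1: resolver pinned to port 53 (old "query-source port 53" style).
FIXED_LOG = [
    f"12:00:0{i}.000000 IP 192.0.2.10.53 > 198.51.100.{i + 1}.53: {1000 + i}+ A? host{i}.example. (30)"
    for i in range(8)
]
# Constructed capture 2: ports handed out by the OS ephemeral allocator, incrementing by one.
SEQUENTIAL_LOG = [
    f"12:00:0{i}.000000 IP 192.0.2.10.{32768 + i} > 198.51.100.{i + 1}.53: {1000 + i}+ A? host{i}.example. (30)"
    for i in range(8)
]
# Constructed capture 3: a patched resolver; ports and TXIDs both vary unpredictably.
_RANDOM_PORTS = [51433, 17209, 60112, 2977, 45010, 38621, 9844, 27315]
_RANDOM_TXIDS = [4521, 60003, 12, 33210, 9987, 51239, 700, 28414]
RANDOMIZED_LOG = [
    f"12:00:0{i}.000000 IP 192.0.2.10.{p} > 198.51.100.{i + 1}.53: {t}+ A? host{i}.example. (30)"
    for i, (p, t) in enumerate(zip(_RANDOM_PORTS, _RANDOM_TXIDS))
]

SEQUENTIAL_THRESHOLD = 0.8  # assumed: fraction of +1 steps that counts as predictable


def parse_queries(lines):
    """Return [(source_port, txid), ...] for every line that parses; others are skipped."""
    queries = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            queries.append((int(m.group(1)), int(m.group(2))))
    return queries


def classify(values):
    """Classify a sequence of ports or TXIDs as fixed, sequential, randomized, or insufficient."""
    if len(values) < 2:
        return "insufficient"
    if len(set(values)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(values, values[1:])]
    plus_one = sum(1 for s in steps if s == 1) / len(steps)
    if plus_one >= SEQUENTIAL_THRESHOLD:
        return "sequential"
    return "randomized"


def guess_space_bits(ports):
    """Lower-bound estimate of the forger's guess space in bits.

    The 16-bit TXID must always be guessed. A fixed or sequential port adds
    nothing; a randomized port adds log2(distinct ports seen), which is
    capped by the sample size, so treat the result as a floor, not the truth.
    """
    if classify(ports) != "randomized":
        return 16.0
    return 16.0 + math.log2(len(set(ports)))


def assess(lines):
    """Summarise a capture: patterns observed and whether the resolver needs the patch."""
    queries = parse_queries(lines)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    port_pattern = classify(ports)
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_pattern": port_pattern,
        "txid_pattern": classify(txids),
        "guess_space_bits": guess_space_bits(ports),
        "needs_patch": port_pattern != "randomized",
    }


if __name__ == "__main__":
    for name, log in (("fixed", FIXED_LOG), ("sequential", SEQUENTIAL_LOG), ("randomized", RANDOMIZED_LOG)):
        print(name, assess(log))
```

In practice the capture would come from the resolver's own outbound interface over a few dozen queries; a resolver that reports "fixed" or "sequential" here is in the one-in-four group the study describes and should be upgraded or reconfigured before anything else, since a predictable port leaves only the 16-bit TXID between the resolver and a forged answer.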