<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/"><channel><title>News from infosecnews.org</title><link>http://blogger.xs4all.nl/gjvm/category/33206.aspx</link><description>News from infosecnews.org</description><managingEditor>Godert Jan van Manen</managingEditor><dc:language>nl-NL</dc:language><generator>.Text Version 0.95.2004.102</generator><item><dc:creator>Godert Jan van Manen</dc:creator><title>World's power grids infested with (more) SCADA bugs</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/02/06/443001.aspx</link><pubDate>Fri, 06 Feb 2009 13:04:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/02/06/443001.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/443001.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/02/06/443001.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/443001.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/443001.aspx</trackback:ping><description>a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leave it vulnerable to hijacking.
&lt;br&gt;&lt;br&gt;
The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.
&lt;br&gt;&lt;br&gt;
A swarm of buffer overflow and denial-of-service bugs makes versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering, the US Computer Emergency Readiness Team &lt;a href="http://www.kb.cert.org/vuls/id/337569"&gt;warns here.&lt;/a&gt; Customers using earlier versions need to upgrade as well.
&lt;br&gt;&lt;br&gt;
"An unauthenticated attacker may be able to gain access with the privileges of the e-terrahabitat account or an administrator account and execute arbitrary commands, or cause a vulnerable system to crash," CERT's advisory states. Users should apply the patch immediately, it adds.
&lt;br&gt;&lt;br&gt;
The warning is the latest to affect so-called SCADA, or supervisory control and data acquisition, software used to control valves and switches at manufacturing plants, power generators, and gasoline refineries throughout the world. In theory, such bugs shouldn't pose much risk, because SCADA systems and other critical industrial controls should never be exposed to the internet.
&lt;br&gt;&lt;br&gt;
Indeed, a spokesman at Areva's Maryland outpost suggested Thursday that vulnerabilities like the ones included in the advisory didn't amount to much of a threat.
&lt;br&gt;&lt;br&gt;
"Computers used at nuclear power plants are not connected to the internet and therefore they're not vulnerable to viruses of any kind," he said.
&lt;br&gt;&lt;br&gt;
But in the real world, there's plenty of ways vulnerable SCADA systems could be exploited. As plants struggle to cut costs, they frequently turn to SCADA to manage systems remotely, over telephone lines or private networks. Corporations also connect SCADA systems to their data networks to collect data, and those networks are sometimes connected to the internet, some security &lt;a href="http://www.theregister.co.uk/2008/06/12/scada_vuln_discovered/"&gt;experts have said.&lt;/a&gt;
&lt;br&gt;&lt;br&gt;
CERT used the advisory as an opportunity to remind administrators about the benefits of using network perimeter access controls to reduce their exposure to attacks. Among the resources available: signatures based on the Snort network intrusion detection system offered by the Department of Homeland Security and available through Areva.
&lt;br&gt;&lt;br&gt;
Areva credited Eyal Udassin and Jonathan Afek of &lt;a href="http://c4-security.com/"&gt;C4 Security&lt;/a&gt; with discovering some of the vulnerabilities. Idaho National Labs and the Department of Homeland Security's Control Systems Security Program were also cited.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Guilty Plea: Blind Hacker Admits Harassment, Eavesdropping, Fraud</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442020.aspx</link><pubDate>Mon, 02 Feb 2009 10:17:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442020.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/442020.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442020.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/442020.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/442020.aspx</trackback:ping><description>A legally blind Massachusetts phone hacker admitted this week to federal computer intrusion and witness intimidation charges that could put him away for as long as 13 years.
&lt;br&gt;&lt;br&gt;
&lt;a href="http://www.wired.com/politics/law/news/2008/02/blind_hacker"&gt;Matthew Weigman,&lt;/a&gt; 18, pleaded guilty to two felonies before U.S. Magistrate Judge Paul D. Stickney in Dallas on Tuesday.  Known in the telephone party-line scene as "Li'l Hacker," Weigman is widely considered one of the best phone hackers alive.
&lt;br&gt;&lt;br&gt;
Relying on an ironclad memory and detailed knowledge of the phone system, the teenager is known for using social engineering to manipulate phone company workers and others into divulging confidential information, and into entering commands into computers and telephone switching equipment on his behalf.  The FBI had been chasing Weigman since he was 15 years old, at times courting him as an informant.  He was finally arrested last May, less than two months after celebrating his 18th birthday.
&lt;br&gt;&lt;br&gt;
"I've been interested in phones since I've been about 8," Weigman said in a &lt;a href="http://blog.wired.com/27bstroke6/2008/06/blind-teenage-h.html"&gt;2007 interview with Wired.com.&lt;/a&gt; "I talked to technicians when they came down here to do things on my phone." 
&lt;br&gt;&lt;br&gt;
In his plea deal with prosecutors, Weigman, who was born blind, admitted to a long &lt;a href="http://blog.wired.com/27bstroke6/files/weigman_factual.pdf"&gt;criminal resume (.pdf).&lt;/a&gt; Among other things, he confessed to conspiring with other telephone hooligans who made hundreds of false calls to police that sent armed SWAT teams bursting into the homes of their party-line enemies.
&lt;br&gt;&lt;br&gt;
In a new revelation, Weigman also admitted eavesdropping on customer service calls to Sprint, by dialing into a phone line used by Sprint supervisors to monitor their employees. Weigman parked on the spy line to overhear customers giving out their credit card numbers, which he memorized and passed to accomplices. Weigman and his friends used the numbers to purchase computers and other electronics.
&lt;br&gt;&lt;br&gt;
The FBI began investigating Weigman after he staged a 2005 hostage hoax that sent police to the Colorado home of Richard Gasper, a TSA screener whose daughter refused phone sex with Weigman. When the FBI caught up with him more than a year later, cybercrime agent Allyn Lynd offered to make him a confidential informant, but called off the deal when AT&amp;T discovered that Weigman was still manipulating the phone company.
&lt;br&gt;&lt;br&gt;
Lynd later told a police detective that Weigman couldn't stop hacking for more than 72 hours.
&lt;br&gt;&lt;br&gt;
Weigman's current troubles began in April, the month he reached adulthood. William Smith, a Verizon security investigator who'd been monitoring Weigman's hacking and phoning in updates to the FBI, noticed that Weigman had used the name and identifying information of a Texas woman to turn on phone service at the East Boston apartment he shared with his mother and siblings.
&lt;br&gt;&lt;br&gt;
When Smith disconnected the fraudulent account, Weigman turned it back on again. Then Weigman began making harassing phone calls to Smith at his house. To trick the security worker into picking up the phone, the hacker socially engineered phone company employees into sharing Smith's billing records in near-real time, then used Caller ID spoofing to make Smith think someone was returning his own calls, according to court records.
&lt;br&gt;&lt;br&gt;
"For example, Smith would call a travel agency to arrange for a flight," the FBI's Lynd wrote in an affidavit. "A few minutes later, he would receive a phone call which appeared to be coming from the travel agency that he had just booked a flight through. When Smith answered the phone, Weigman would begin harassing him again."
&lt;br&gt;&lt;br&gt;
Then on May 18, Weigman showed up at Smith's New Hampshire home with his burly older brother. Smith felt intimidated and called the police, who arrested the hacker.
&lt;br&gt;&lt;br&gt;
Weigman is set for sentencing on April 24. Under the terms of his plea agreement, he can withdraw his guilty plea if sentencing judge Barbara M. G. Lynn gives him more than 13 years in prison.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Microsoft sues CEO of Ancora for spying</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442019.aspx</link><pubDate>Mon, 02 Feb 2009 10:14:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442019.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/442019.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442019.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/442019.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/442019.aspx</trackback:ping><description>Microsoft Corp. is suing a former employee, claiming that he applied for a job at the company under false pretenses and then used his role at Microsoft to gain access to confidential data related to patent litigation he is now waging.
&lt;br&gt;&lt;br&gt;
Miki Mullor was hired by Microsoft in November 2005, after stating in his job application he was a former employee at Ancora Technologies, a Sammamish software development company that he said had gone out of business.
&lt;br&gt;&lt;br&gt;
But, according to Microsoft, Ancora had not gone out of business and Mullor was still chief executive.
&lt;br&gt;&lt;br&gt;
While at Microsoft, Mullor downloaded confidential documents to his company-issued laptop, according to the complaint, which was filed Jan. 22 in King County Superior Court.
&lt;br&gt;&lt;br&gt;
Those documents, Microsoft said, were related to the subject matter of a patent complaint Ancora later filed in June 2008 against Dell Inc., Hewlett-Packard Co. and Toshiba America Information Systems Inc., stating that their use of certain Microsoft technology violated an Ancora patent. Microsoft is now also a party in that case.
&lt;br&gt;&lt;br&gt;
"The documents downloaded by Mullor relate directly to the subject matter of Ancora's Patent Action," Microsoft said in the complaint. "These documents had no bearing on Mullor's work at Microsoft at the time."
&lt;br&gt;&lt;br&gt;
Microsoft fired Mullor in September 2008.
&lt;br&gt;&lt;br&gt;
On Ancora's Web site, Mullor is listed as chairman and founder. His biography notes that he previously worked at Microsoft.
&lt;br&gt;&lt;br&gt;
The Web site also highlights the patent litigation:
&lt;br&gt;&lt;br&gt;
"To secure each copy of (Windows), without burdening the honest user, (PC makers) use a technology known as System Locked Pre-Installation (SLP) to protect Windows against piracy.
&lt;br&gt;&lt;br&gt;
"SLP is Ancora's technology and is covered by our pioneer patent, US Patent 6,411,941.
&lt;br&gt;&lt;br&gt;
"This lawsuit is about protecting our patent rights from being infringed by HP, Dell and Toshiba. This is not David vs. Goliath. This is David vs. three Goliaths."
&lt;br&gt;&lt;br&gt;
In an interview, Mark Cantor, an attorney for Mullor in that case, described the Microsoft complaint as "simply a retaliatory lawsuit by Microsoft to get the patent case transferred to Seattle."
&lt;br&gt;&lt;br&gt;
The patent case is scheduled for trial in a Los Angeles federal court on Jan. 26, 2010.
&lt;br&gt;&lt;br&gt;
Microsoft is seeking a court order barring Mullor from any involvement in the patent claim, including assisting Ancora with prosecuting the suit or providing trade-secret information he improperly acquired.
&lt;br&gt;&lt;br&gt;
Mullor, reached at his home in Sammamish, referred all calls to Cantor, who said a lawyer hasn't been retained in the Seattle case.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>DOD launches site to develop open-source software</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442018.aspx</link><pubDate>Mon, 02 Feb 2009 10:08:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442018.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/442018.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442018.aspx#Feedback</comments><slash:comments>1</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/442018.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/442018.aspx</trackback:ping><description>The Forge.mil site is based on SourceForge.net, a public site that hosts thousands of open-source projects.&lt;br&gt;&lt;br&gt;
Defense Department officials have launched a new Web site where developers can work on open-source software projects specifically for DOD, David Mihelcic, the chief technology officer for the Defense Information Systems Agency (DISA), said today.
&lt;br&gt;&lt;br&gt;
The new site, named Forge.mil, is based on the public site SourceForge.net which hosts thousands of open-source projects, Mihelcic said at an AFCEA Washington chapter lunch in Arlington, Va.
&lt;br&gt;&lt;br&gt;
“It really is SourceForge.net upgraded to meet DOD security requirements,” Mihelcic said.
&lt;br&gt;&lt;br&gt;
Forge.mil users must use a common access card for authentication. Smart cards also help control access to sensitive information.
&lt;br&gt;&lt;br&gt;
Work on Forge.mil started in October 2008, and Mihelcic approved limited operation of the site on Jan. 23, he said.
&lt;br&gt;&lt;br&gt;
In its first week, Forge.mil is hosting three open-source projects, Mihelcic said. One project, named DOD Bastille, was started by a DISA intern, he said. DOD Bastille is based on publicly available software that automates the configuration of servers.
&lt;br&gt;&lt;br&gt;
DOD Bastille integrates the specific security, technical and implementation guidelines required by DOD. 
&lt;br&gt;&lt;br&gt;
“Our intern had to stand up 50 Linux machines in a lab and he said, ‘Boy I don’t want to do this by hand; why can’t I use Bastille to do this for me?’” Mihelcic said. “He looked at Bastille and saw it couldn’t do all the things he needed, so he started an open-source project. He got folks like Red Hat to jump in and participate.”
&lt;br&gt;&lt;br&gt;
Another project on Forge.mil is designed to manage request-for-proposals development. The third project automates the secure configuration of Solaris systems, Mihelcic said, adding that he hopes to have 20 projects on Forge.mil in the next six months.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Data export leaves firms vulnerable, says research</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442017.aspx</link><pubDate>Mon, 02 Feb 2009 10:06:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442017.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/442017.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/02/02/442017.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/442017.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/442017.aspx</trackback:ping><description>The tendency of firms to distribute sensitive data to offices around the globe could be creating a new form of information vulnerability, a report has suggested.
&lt;br&gt;&lt;br&gt;
Researched for sponsor McAfee, the 'Unsecured Economies: Protecting Vital Information' survey points to a range of security issues - some of them tied to the worsening economy - but the issue of how and where data such as customer information is distributed in enterprises is connected to longer-running themes such as worker outsourcing and globalisation.
&lt;br&gt;&lt;br&gt;
The 1,000 CIO-level professionals surveyed for the report in the US, UK, Japan, China, India, Brazil and the Middle East, reported an average of $12 million (£8.3 million) of sensitive data resided abroad per firm, in addition to $17 million of intellectual property (IP).
&lt;br&gt;&lt;br&gt;
How far this data dissemination trend had gone depended on country, with Japan showing the lowest at $8.2 million, with the UK the most exposed with $15.2 million. As to IP specifically, China was the most at risk, with $61 million in foreign hands.
&lt;br&gt;&lt;br&gt;
A major reason companies have taken to moving information away from their home area is, predictably, cost. Whatever it costs to manage data at home, there is almost certainly a partner who will do the same function in another part of the world for considerably less.
&lt;br&gt;&lt;br&gt;
The deeper motivation for moving data abroad depended on country. Western companies appear to be motivated not just by labour costs, but by the desire to avoid burdensome data regulations, while less developed nations such as China can actually move data abroad to make it more secure.
&lt;br&gt;&lt;br&gt;
The average loss of IP from foreign sites was put at $4.6 million (£3.2 million), with the UK at the low end of the spectrum with only $375,000, and China at the other end with $7.2 million.
&lt;br&gt;&lt;br&gt;
Amidst a welter of statistics, however, three countries are clearly cited as being at the top of the watch list for posing the biggest threats to data protection - China, Pakistan and Russia, in roughly that order. These countries' reputations for data security are so poor that many firms have purposely avoided allowing data to be stored in them.
&lt;br&gt;&lt;br&gt;
"As China and Russia's economies soften, there will be even more pressure to 'appropriate' intellectual property as a means to continue economic growth. Organised crime and state-sponsored groups in both Russia and China will continuously seek out new and profitable targets. Pakistan looms as potentially the largest threat, with attackers motivated by ideology rather than economic gain," says the report.
&lt;br&gt;&lt;br&gt;
Unsecured Economies: Protecting Vital Information, researched by Purdue University's Center for Education and Research in Information Assurance and Security on behalf of McAfee, can be &lt;a href="http://resources.mcafee.com/content/NAUnsecuredEconomiesReport"&gt;downloaded by registered users here.&lt;/a&gt;</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Fannie Mae Logic Bomb Would Have Caused Weeklong Shutdown</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/01/30/441539.aspx</link><pubDate>Fri, 30 Jan 2009 11:13:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/01/30/441539.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/441539.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/01/30/441539.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/441539.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/441539.aspx</trackback:ping><description>A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for at least a week, prosecutors say.
&lt;br&gt;&lt;br&gt;
Unix engineer Rajendrasinh Babubha Makwana, 35, was &lt;a href="http://blog.wired.com/27bstroke6/files/fannie_indictment.pdf"&gt;indicted&lt;/a&gt; (.pdf) Tuesday in federal court in Maryland on a single count of computer sabotage for allegedly writing and planting the malicious code on Oct. 24, the day he was fired from his job. The malware had been set to detonate at 9:00 a.m. on Jan. 31, but was instead discovered by another engineer five days after it was planted, according to court records.
&lt;br&gt;&lt;br&gt;
Makwana, an Indian national, was an employee of technology consulting firm OmniTech, but he worked full time on-site at Fannie Mae's massive data center in Urbana, Maryland, for three years.
&lt;br&gt;&lt;br&gt;
On the afternoon of Oct. 24, he was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day, according to an FBI &lt;a href="http://blog.wired.com/27bstroke6/files/fannie_complaint.pdf"&gt;affidavit&lt;/a&gt; (.pdf) in the case.  "Despite Makwana's termination, Makwana's computer access was not immediately terminated," wrote FBI agent Jessica Nye.
&lt;br&gt;&lt;br&gt;
Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m. Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes.
&lt;br&gt;&lt;br&gt;
"This would also destroy the backup software of the servers making the restoration of data more difficult because new operating systems would have to be installed on all servers before any restoration could begin," wrote Nye.
&lt;br&gt;&lt;br&gt;
As a final measure, the logic bomb would have powered off the servers.
&lt;br&gt;&lt;br&gt;
The trigger code was hidden at the end of the legitimate program, separated by a page of blank lines. Logs showed that Makwana had logged onto the server on which the logic bomb was created in his final hours on the job.
&lt;br&gt;&lt;br&gt;
Makwana is free on a $100,000 signature bond. His lawyer didn't immediately return a phone call Thursday.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>New guide launched for security managers</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/01/29/441390.aspx</link><pubDate>Thu, 29 Jan 2009 13:37:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/01/29/441390.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/441390.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/01/29/441390.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/441390.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/441390.aspx</trackback:ping><description>IT certifications organisation the Information Systems Audit and Control Association (ISACA) today launched a guide designed to provide IT security chiefs with an independent framework to help manage their information security more effectively.
&lt;br&gt;&lt;Br&gt;
&lt;a href="http://www.isaca.org/Template.cfm?Section=Security&amp;Template=/TaggedPage/TaggedPageDisplay.cfm&amp;TPLID=19&amp;ContentID=29031"&gt;An Introduction to the Business Model for Information Security &lt;/a&gt;explains the new business model, which is independent of any particular technology.&lt;br&gt;&lt;br&gt;

The framework can be applied across all industries, countries and regulatory/legal systems, and covers information security, privacy, risk, physical security and compliance issues, according to ISACA. It includes advice on aligning IT security programme activities with organisational goals and priorities, and increasing the value of security activities to the enterprise.
&lt;br&gt;&lt;Br&gt;
"This is ISACA's first step in transforming the theoretical model into a practical tool that can be used by information security practitioners to unify security initiatives with the business mission," said Kent Anderson, a member of ISACA's Security Management Committee.
&lt;br&gt;&lt;Br&gt;
"The ISACA model is valuable guidance because it takes a strong business-oriented approach, focusing on people and processes rather than on technology."
&lt;br&gt;&lt;Br&gt;
ISACA will release a practitioners' guide and an executives' guide later in the year.</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Former Energy Worker Admits Trying To Sell Nuclear Secrets </title><link>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441166.aspx</link><pubDate>Wed, 28 Jan 2009 10:23:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441166.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/441166.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441166.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/441166.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/441166.aspx</trackback:ping><description>&lt;b&gt;Janitor pleads guilty to offering next-generation nuclear materials to France in exchange for $200,000&lt;/b&gt;&lt;br&gt;&lt;br&gt;

A former janitor at a U.S. Department of Energy (DOE) site yesterday pleaded guilty to stealing information and equipment for developing nuclear systems and attempting to sell it to a foreign government.
&lt;br&gt;&lt;br&gt;
Just a day before his trial was set to begin, Roy Lynn Oakley, 67, changed his plea and pleaded guilty in a U.S. District Court in Knoxville, Tenn., to unlawful disclosure of restricted data under the Atomic Energy Act. Oakley admitted to offering classified data and equipment for producing highly enriched uranium to an FBI undercover officer who was posing as a French government agent. Oakley was asking $200,000 for the information.
&lt;br&gt;&lt;br&gt;
According to the plea agreement, Oakley had been employed as a laborer and escort by Bechtel Jacobs at the East Tennessee Technology Park (ETTP) in Oak Ridge, Tenn. The ETTP, formerly known as Y-25, had previously been operated by the DOE as a facility to produce highly enriched uranium.
&lt;br&gt;&lt;br&gt;
While employed at the ETTP in 2006 and 2007, Oakley had a security clearance that gave him access to classified and protected materials, including instruments, appliances, and information relating to the gaseous diffusion process for enriching uranium. Some of the materials and information to which Oakley had access were classified as "Restricted Data" under the Atomic Energy Act -- any disclosure of which was illegal, the plea agreement says. While he worked at the ETTP, Oakley had been instructed and informed that this Restricted Data could not be disclosed.
&lt;br&gt;&lt;br&gt;
In January 2007, Oakley contacted the French Embassy and consulates in several U.S. cities to determine the country's interest in purchasing the nuclear data and equipment, according to the plea agreement. The French government contacted the FBI and set up a sting in which an FBI agent posed as a French government agent.
&lt;br&gt;&lt;br&gt;
In recorded calls and during a face-to-face meeting with the FBI undercover agent, Oakley stated that he had taken certain parts of uranium enrichment fuel rods or tubes and other associated hardware items from the ETTP work site, and that he wanted to sell these materials for $200,000 to the foreign government. Once Oakley handed over the pieces of tubes and associated items to the undercover FBI agent and received $200,000 in cash, he was confronted by FBI agents and admitted to his efforts to sell the materials.
&lt;br&gt;&lt;br&gt;
The materials Oakley had tried to sell to a foreign government were, in fact, pieces of equipment known as "barrier" and associated hardware items that play a crucial role in the production of highly enriched uranium -- a special nuclear material -- through the gaseous diffusion process. In his role as a janitor, Oakley was supposed to have broken up the barrier for disposal. But Oakley says he knew the gaseous diffusion process used in the U.S. is better than the methods currently used in France, and he therefore stole four of the barrier tubes and offered to sell them to French agents.
&lt;br&gt;&lt;br&gt;
The maximum penalty for violating the Atomic Energy Act by disclosing Restricted Data is 10 years imprisonment and a criminal fine of $250,000. A sentencing hearing has been set for May 14. If the court accepts the plea agreement, Oakley will serve six years in prison and three years on supervised release.
&lt;br&gt;&lt;br&gt;
"Today's guilty plea should serve as a strong warning to anyone who would consider selling restricted U.S. nuclear materials to foreign governments," says Matthew Olsen, Acting Assistant Attorney General for National Security. "The facts of this case demonstrate the importance of safeguarding America's atomic energy data and pursuing aggressive prosecutions against those who attempt to breach those safeguards."</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>FG approves computer forensics institute for Nigeria </title><link>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441165.aspx</link><pubDate>Wed, 28 Jan 2009 10:23:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441165.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/441165.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/01/28/441165.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/441165.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/441165.aspx</trackback:ping><description>Nigeria may soon save some of the hard currency usually expended in acquiring foreign computer forensic experts each time they were needed, as the Federal Government last week approved the establishment of the Computer Forensics Institute, Nigeria (CFIN). CFIN is a professional body to provide a nationally recognized and unblemished certification in the area of digital and computer forensics.
&lt;br&gt;&lt;br&gt;
The approval given by the Federal Ministry of Education and the Federal Ministry of Justice is expected to among other things enable CFIN to continually conduct research and development into new and emerging technologies and methods in the science of digital and computer forensics.
&lt;br&gt;&lt;br&gt;
Announcing the approval to newsmen in Lagos, the President and Chairman of the Certification Board of CFIN, Dr. Peter Olu Olayiwola, said the principal certification offered by CFIN is the Chartered Computer Forensics Examiner.
He noted that the certification was borne out of CFIN’s desire to increase the level of professionalism and advance the field and science of digital and computer forensics.
&lt;br&gt;&lt;br&gt;
While explaining that the development will help Nigeria save much of the foreign exchange spent sourcing digital forensics experts from outside the country whenever their services are required, he gave assurances that the CFIN Certification Board will maintain a fair, uncompromised process for certifying the competency of Computer Forensics Examiners and will set high forensic and ethical standards for computer forensics examiners in Nigeria.
&lt;br&gt;&lt;br&gt;
“I want to tell you that CFIN is dedicated to the advancement of the science of digital and forensic computer examination in Nigeria and that we are determined to raise more than enough computer forensics experts to combat all forms of digital and computer-related crimes in Nigeria.
&lt;br&gt;&lt;br&gt;
“For the avoidance of doubt, we are determined to professionalize and advance the science of digital and computer forensics. We are also going to provide a fair, uncompromised process for certifying the competency of digital and computer forensics examiners, set high forensic and ethical standards for digital and computer forensics examiners, and be able to conduct research and development into new and emerging technologies and methods in the science of digital and computer forensics”, he said.
&lt;br&gt;&lt;br&gt;
The motivating factors of computer crime have shifted over the years, but unsurprisingly one thing remains the same: the criminal mind takes the path of least resistance. Today this path runs through the Internet and local networks, software, hardware and database applications, because more than one million ways of manipulating the computer exist and will continue to evolve.
&lt;br&gt;&lt;br&gt;
CFIN therefore said it intends to train thousands of professional digital and computer forensics examiners who will be able to properly and thoroughly investigate these crimes and give digital and computer forensics evidence in court.
&lt;br&gt;&lt;br&gt;
According to Dr. Olayiwola, “CFIN is not an exclusive field for information technology practitioners; the field is also open to lawyers, law-enforcement agents, regulatory agency officers and investigators, bankers, chartered secretaries and administrators, accountants and auditors, and others interested in pursuing this most interesting field of digital and computer forensics.”
&lt;br&gt;&lt;br&gt;
According to him, “there is no granting of CFIN certification without being properly tested and evaluated by the Certification Board. All intending members must meet the same certification requirements and must successfully pass through the certification process.
&lt;br&gt;&lt;br&gt;
They must have no criminal record, must meet minimum experience and training requirements in computer forensics examinations, abide by the CFIN Code of Ethics and Professional Responsibility, register for the BOOT CAMP applicable to each level of the certification process, pass a certification examination, and successfully perform actual forensic examinations on three test media”.
&lt;br&gt;&lt;br&gt;
He added that “because of the sensitive nature of some methods and skills, CFIN may, at its discretion, bar persons suspected to be sponsoring terrorism and criminal activities from participation.”

&lt;img src ="http://blogger.xs4all.nl/gjvm/aggbug/441165.aspx" width = "1" height = "1" /&gt;</description></item><item><dc:creator>Godert Jan van Manen</dc:creator><title>Monster.com Reports Theft of User Data</title><link>http://blogger.xs4all.nl/gjvm/archive/2009/01/26/440799.aspx</link><pubDate>Mon, 26 Jan 2009 11:53:00 GMT</pubDate><guid>http://blogger.xs4all.nl/gjvm/archive/2009/01/26/440799.aspx</guid><wfw:comment>http://blogger.xs4all.nl/gjvm/comments/440799.aspx</wfw:comment><comments>http://blogger.xs4all.nl/gjvm/archive/2009/01/26/440799.aspx#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://blogger.xs4all.nl/gjvm/comments/commentRss/440799.aspx</wfw:commentRss><trackback:ping>http://blogger.xs4all.nl/gjvm/services/trackbacks/440799.aspx</trackback:ping><description>Monster.com is advising its users to change their passwords after data including e-mail addresses, names and phone numbers were stolen from its database.
&lt;br&gt;&lt;br&gt;
The break-in comes just as the swelling ranks of the unemployed are turning to sites like Monster.com to look for work.
&lt;br&gt;&lt;br&gt;
The company disclosed on its Web site that it recently learned its database had been illegally accessed. Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes.
&lt;br&gt;&lt;br&gt;
Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.
&lt;br&gt;&lt;br&gt;
USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach.
&lt;br&gt;&lt;br&gt;
Monster.com has been checking for misuse of the stolen information but hasn't yet found any, it said. It has made changes since discovering the break-in but won't discuss them because it doesn't discuss security procedures publicly and because it is still investigating the incident, Richardson said.
&lt;br&gt;&lt;br&gt;
She also would not disclose the volume of data stolen, but said the company decided it would be prudent to alert all of its users via its Web site.
&lt;br&gt;&lt;br&gt;
The company advised users to change their passwords and reminded them to ignore e-mails they may get that purport to be from the company and that ask for password information or instruct the user to download anything.
&lt;br&gt;&lt;br&gt;
Monster.com was also hit by hackers in mid-2007. At that time the hackers obtained log-in credentials for companies seeking employees and used them to access Monster.com's database of job seekers. An automated Trojan then transmitted the personal information to a rogue server. Monster.com users were then targeted with scams via the stolen e-mail addresses.
&lt;br&gt;&lt;br&gt;
In addition, the Monster.com site was the subject of an attack that same year that inserted malicious code onto certain pages of the site, automatically downloading a virus onto computers that visited the pages.
&lt;img src ="http://blogger.xs4all.nl/gjvm/aggbug/440799.aspx" width = "1" height = "1" /&gt;</description></item></channel></rss>
