Posts Tagged ‘DHS’

Wall Street batters defenses in make-believe cybercrisis

Friday, July 19th, 2013

Wall Street played its own version of war games on Thursday, testing its defenses against simulated cyberattacks bent on taking down U.S. stock exchanges.

A total of 500 people took part in the exercise, called Quantum Dawn 2, in offices across 50 financial institutions and government agencies.

“The exercise was completed successfully with robust engagement from all participants,” the Securities Industry and Financial Markets Association (SIFMA) said in a statement.

Participants included banks, insurance companies, brokers, hedge funds and exchanges. The Department of Homeland Security (DHS), the Treasury Department, the Securities and Exchange Commission (SEC) and the Federal Bureau of Investigation (FBI) also participated.

At stake is the preparedness of Wall Street to fend off cyberattackers hoping to disrupt the nation’s economy by taking down U.S. markets. The exercise tested the players’ crisis response plans and mitigation techniques, as well as electronic and telephone communications between institutions and coordination with government agencies.

The simulation included distributed denial of service (DDoS) attacks aimed at online banking sites. The players also had to counter a malware infection that threatened to take down trading operations, according to David Kennedy, founder and principal security consultant at TrustedSec. Kennedy spoke with representatives of banks participating in the tests.

The exercise was helpful to test participants’ collective effort to defend against attacks, but fell short of simulating a real-world assault, Kennedy said.

“Personally, what I’ve heard is it’s been a bit cheesy — not a real-world type scenario,” he said. “That’s hard to do in a simulated environment.”

The banks’ participation was part public relations to ease concerns customers may have about security in their financial institutions, Kennedy said.

“I actually think this is to create more of an outward-facing PR spin,” he said.

Customer confidence was shaken last year during several waves of DDoS attacks that disrupted online banking operations of some major financial institutions. A self-proclaimed Islamic hactivist group took credit for the assaults, which government officials believe originated from Iran.

No production systems were used in the exercises. Instead, separate software simulated three major attacks that attempted over a “multi-day period” to take down stock markets and banking operations.

Further attack details were not disclosed. SIFMA plans to release next month a report that will include recommendations on improving Wall Street’s response to a cybercrisis.

Financial institutions were expected to find holes in their defenses as a result of the tests, which supporters say is a good reason for having these types of simulations regularly.

“Cybersecurity as a whole is an arms race,” said Rich Bolstridge, chief strategist for financial services at Akamai Technologies. “The attackers are constantly evolving their techniques, so the defenses have to be [continuously] raised, coordinated and put in place.”

Akamai, which did not participate in the tests, provides security services to many financial institutions.

In 2011, the first Quantum Dawn exercise had a handful of participants, Kennedy said. The fact that the latest test had more than double the number of players indicates the importance of appearing secure in the financial sector.

“This is a show of force to say, ‘Hey, we’re taking it seriously,'” Kennedy said.


Recent reports of DHS-themed ransomware

Monday, March 25th, 2013

US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division.

Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or perform a clean reinstallation of their OS after formatting their computer’s hard drive.

US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns that attempt to frighten and deceive a recipient for the purpose of illegal gain.

  • Do not click on links in, or submit any information to, web pages that such messages point to.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Source:  US-CERT

Telecom seeks critical infrastructure status for IT vendors

Friday, March 8th, 2013

Experts say it doesn’t matter if IT is classified because requirements will be passed on to them by the utility, telecom or defense manufacturer

The Obama administration excluded the information technology (IT) industry from its definition of the nation’s critical infrastructure, giving IT vendors immunity from security-related requirements unless Congress changes that.

While this is good for tech companies, the telecom industry is crying foul, saying IT businesses should share any regulatory burden.

The tech industry’s exclusion, the result of lobbying by the Software & Information Industry Association, was included in President Barack Obama’s executive order, issued last month.

In directing the Department of Homeland Security (DHS) to identify critical infrastructure, the order said DHS “shall not identify any commercial information technology products or consumer information technology services under this section.”

The executive order is meant as a framework for protecting power plants, telecommunication networks, water filtration systems, manufacturers and financial systems from cyberattacks by terrorists or hostile governments.

Congress is considering proposed legislation to require the sharing of attack information between government and companies that own or operate critical infrastructure. The Obama administration wants to include some security regulations.

Because additional regulations are possible, telecommunication companies such as Verizon Communications and AT&T want the IT industry to share the burden. They argue that some IT companies should be considered critical infrastructure, since the products and services they provide are a crucial part of communication networks and are usually the targets of hackers.

While not naming which companies, candidates could include Microsoft, Google, IBM, Cisco and other leading tech companies.

“Network security must go beyond what is traditionally considered critical infrastructure,” a Verizon spokesman said on Thursday. “The Internet ecosystem is far more interconnected and dependent on a host of players than it was even five years ago.”

Tech companies contacted by CSO Online either declined comment or did not respond.

Cybersecurity experts believe it doesn’t matter whether IT vendors are considered critical infrastructure, since whatever security requirements are handed down by the government will be passed on to them by the utility, telecom company or defense manufacturer.

“As a practical matter, commercial products won’t escape secondary regulation,” said Stewart Baker, a partner at the law firm Steptoe & Johnson and a former assistant secretary for policy at DHS.

Letting critical infrastructure owners and operators hand off security requirements also avoids having to decide which of a vendor’s products need to be regulated, Jacob Olcott, principal consultant for cybersecurity at Good Harbor Consulting, said.

Many IT vendors have products and services that span consumer, business and government markets. “Rather than apply the same security rules across the board, it is better to have the requirements fit the needs of the environment,” Olcott said.

Not all experts agreed. Paul Rosenzweig, founder of the homeland security consulting firm Red Branch Consulting, said if the government is going to impose more regulations, then it should do so for each industry that plays a part in running critical infrastructure.

However, Rosenzweig believes the government’s approach through frameworks and legislation is wrong. He favors a non-regulatory strategy that would include information sharing, creation of a civil liability regime, better education, more international engagement and a methodology for certifying hardware components.

“For me, the government shouldn’t be responsible for creating the framework,” said Rosenzweig, who is also a visiting fellow at The Heritage Foundation, a conservative think tank.

Instead, Rosenzweig favors a private sector institution building a framework that is based on common law and is a “product of the market, not of a government fiat.”


Twitter also hacked this week, up to 250,000 accounts may have been compromised

Monday, February 4th, 2013

It’s been a rough week for security breaches, and Twitter has just announced it was a victim of attacks this week as well. In a blog post, the company states that during this past week it detected “unusual access patterns” that led it to uncover unauthorized attempts to access users’ data. Twitter even discovered one attack as it was happening, and was able to shut it down shortly thereafter. However, Twitter’s post-mortem revealed that the perpetrators of the attack may have had access to account information for approximately 250,000 different users. According to the company, “usernames, email addresses, session tokens and encrypted/salted versions of passwords” would have been available.

Twitter has reset the passwords and revoked session tokens for all such accounts; affected users should be receiving emails notifying them of the reset shortly. Users will be required to create new passwords from scratch.
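The response Twitter describes, resetting passwords and revoking session tokens for the affected accounts, as an added example in Python (written for this page, not Twitter’s code): passwords are stored only as salted PBKDF2 hashes, every session token is bound to a per-account session generation, and the breach-response step bumps that generation and forces a reset, so every outstanding token dies at once and the old secret no longer logs in even if someone later cracks its hash. The AccountStore class and its method names are hypothetical; a real deployment would require an out-of-band proof (the emailed reset link) before reset_password is honoured.

```python
"""Breach response for a set of accounts: salted password hashes, session
tokens bound to a per-account generation counter, bulk revocation and forced
reset. Added example; AccountStore and its methods are hypothetical names."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> {salt, pw_hash, session_gen, must_reset}
        self.sessions = {}   # token -> (username, session_gen at issue time)

    @staticmethod
    def _hash(password, salt):
        # Per-account salt: equal passwords do not yield equal stored hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "pw_hash": self._hash(password, salt),
                                   "session_gen": 0, "must_reset": False}

    def login(self, username, password):
        """Return a session token, or None if the credentials are not accepted."""
        acct = self.accounts.get(username)
        if acct is None or acct["must_reset"]:
            return None          # flagged accounts cannot log in with the old secret
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, acct["session_gen"])
        return token

    def is_valid(self, token):
        """A token is live only while its generation matches the account's."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, gen = entry
        return gen == self.accounts[username]["session_gen"]

    def respond_to_breach(self, usernames):
        """Invalidate every outstanding session and require a new password."""
        for username in usernames:
            acct = self.accounts[username]
            acct["session_gen"] += 1       # kills all tokens issued so far at once
            acct["must_reset"] = True

    def reset_password(self, username, new_password):
        """Assumed to be reached only via an out-of-band proof such as an emailed link."""
        acct = self.accounts[username]
        acct["salt"] = os.urandom(16)      # fresh salt, fresh hash
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        acct["must_reset"] = False


def walkthrough():
    """Exercise the flow; returns (valid_before, valid_after, relogin_with_old, new_token_valid)."""
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    token = store.login("alice", "correct horse battery staple")
    before = store.is_valid(token)
    store.respond_to_breach(["alice"])
    after = store.is_valid(token)
    relogin_old = store.login("alice", "correct horse battery staple")  # None: reset required
    store.reset_password("alice", "a different passphrase")
    new_token = store.login("alice", "a different passphrase")
    return before, after, relogin_old, store.is_valid(new_token)


if __name__ == "__main__":
    print(walkthrough())   # (True, False, None, True)
```

The generation counter is what makes the revocation cheap: nothing has to enumerate or delete the stored tokens, and a token presented after the bump fails validation regardless of where it was cached.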

While no explanation is given for how the vulnerability occurred, Twitter’s post does take a moment to “echo” the recent advisory given by the Department of Homeland Security for computer users to disable Java on their systems for optimal security.

This comes as just the latest in a series of high-profile security breaches that have been revealed this week. Both the Wall Street Journal and the New York Times revealed this week that they had been hacked, identifying hackers from China as the likely culprits. While Twitter does not directly make similar accusations, it does warn that “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Twitter’s Director of Information Security, Bob Lord, writes in the company’s post. “For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Update: We just spoke with a Twitter representative that stressed that the company doesn’t have definitive evidence that the accounts were in fact compromised at this time, and that the steps being taken today are a preventative measure. Twitter’s investigation is ongoing.


Obama signs order outlining emergency Internet control

Thursday, July 12th, 2012

A new executive order addresses how the country deals with the Internet during natural disasters and security emergencies, but it also puts a lot of power in the government’s hands.

President Barack Obama signed an executive order last week that could give the U.S. government control over the Internet.

With the wordy title “Assignment of National Security and Emergency Preparedness Communications Functions,” this order was designed to empower certain governmental agencies with control over telecommunications and the Web during natural disasters and security emergencies.

Here’s the rationale behind the order:

The Federal Government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions. Survivable, resilient, enduring, and effective communications, both domestic and international, are essential to enable the executive branch to communicate within itself and with: the legislative and judicial branches; State, local, territorial, and tribal governments; private sector entities; and the public, allies, and other nations. Such communications must be possible under all circumstances to ensure national security, effectively manage emergencies, and improve national resilience.

According to The Verge, critics of the order are concerned with Section 5.2, which is a lengthy part outlining how telecommunications and the Internet are controlled. It states that the Secretary of Homeland Security will “oversee the development, testing, implementation, and sustainment” of national security and emergency preparedness measures on all systems, including private “non-military communications networks.” According to The Verge, critics say this gives Obama the on/off switch to the Web.

Presidential powers over the Internet and telecommunications were laid out in a U.S. Senate bill in 2009, which proposed handing the White House the power to disconnect private-sector computers from the Internet. But that legislation was not included in the Cybersecurity Act of 2012 earlier this year.

After being published by the Federal Register, executive orders take 30 days to become law. However, the president can amend, withdraw, or issue an overriding order at any time.

Source:  CNET

DHS: Gas pipeline industry under significant ongoing cyberattack

Tuesday, May 8th, 2012

ICS-CERT takes unusual step of issuing public warning to raise awareness

SAVANNAH, Ga. – There is now an ongoing and massive cyberattack targeting the American gas-pipeline industry, aimed at giving the attacker a way to gather sensitive information by compromising business systems and possibly even subverting industrial control systems. The Department of Homeland Security’s investigative division, called the ICS-CERT, says it’s taking the somewhat unusual step of issuing an alert and speaking publicly about it to heighten awareness of a dangerous situation.

ICS-CERT, whose job at DHS is to interact with the nation’s utilities and manufacturing firms that use industrial control systems and help them assess possible cyberattacks, is referring to it as the “Gas Pipeline Cyber Intrusion Campaign.” In speaking briefly about it today at a conference here, Kevin Hemsley, a leader in the ICS-CERT, said a “sophisticated threat actor” is going after the national gas pipeline operators, mostly through spear-phishing, and has in some cases been able to compromise them.

The investigation into incidents so far suggests the attacks against the gas-pipeline industry started as early as December of last year, said Hemsley. “In the past two weeks, ICS-CERT has had multiple briefings in multiple locations,” some of them classified with those in the pipeline industry with security clearances, to explain what is known about the attacks to date. ICS-CERT expects to put out more information publicly within the week, if possible, he said.

As to whether the “threat actor” alluded to happens to be a nation-state, Hemsley didn’t discount that from the realm of possibilities but wouldn’t comment further.

He said the government, which is getting cooperation from organizations impacted in the gas pipeline industry, is monitoring some of the IP traffic associated with successful targets that were spear-phished by the attackers.

At the ICSJWG 2012 Spring Conference here where Hemsley briefly discussed the cyberattacks on the gas pipeline sector, others also addressed cybersecurity issues that have arisen in the past few months.

One is the mistake that was made by the Curran-Gardner Townships Public Water District in Springfield, Ill., in reporting in November 2011 to authorities involved in gathering intelligence on terrorism and criminal attacks on public utilities that there had been a cyber-intrusion from Russia that impacted a water pump operation.

That information, which was summarized in an Illinois Statewide and Intelligence Center (STIC) report in November and sent on to DHS for review, was leaked to the media by a privileged source who had the report.

It set off a firestorm of controversy, but ICS-CERT and FBI officials, who flew out to the Springfield water facility, which is rather small, said their investigation showed that this was a mistake made by Curran-Gardner. The suspected cyberattack from Russia was simply a known contractor who logged in from Russia during vacation, and the pump failure was just a coincidence.

Though some faulted the ICS-CERT and FBI response as too slow, especially given the many news stories reporting what would have been the first major cyberattack to impact U.S. industrial control systems, the FBI and ICS-CERT representatives responsible for the investigation said they worked as quickly as they could at the time.

Christopher Trifiletti, the FBI agent whose job was to help determine what had actually happened, said Curran-Gardner “welcomed us at every opportunity.”

Trifiletti, speaking today, said it “was a Russian IP address in a server log” that was the source of the misconception by Curran-Gardner staff. The FBI spoke with the company’s contractor, Jim Mimlitz, who acknowledged what he had done in terms of remote access from Russia during his vacation, adding that he had also been in Germany during that trip. “It was a non-incident,” said Trifiletti.

Eric Cornelius, the technical specialist from ICS-CERT who was also involved in the investigation at Curran-Gardner in Springfield, said Curran-Gardner did maintain an extensive collection of logs, including control systems logs, but analysis was difficult because they weren’t set up to do this. The code base at the water utility was “very proprietary,” he said, and because it was written by a husband-and-wife team in their kitchen, and the wife wasn’t even a professional coder, it was “rife with typographical errors,” Cornelius said.

The FBI and DHS ICS-CERT turned to their own methods, which included the Splunk tool, to figure out what they could. And they called the contractor, who readily acknowledged what he had done from Russia. Cornelius said the “lesson learned” in this incident, which wasn’t actually a cyberattack, is that utilities need to put together a careful cyber-response plan and do better analysis before reporting a cyber-intrusion of serious consequence. It’s estimated the forensics and analysis provided by the government to Curran-Gardner amounted to over $100,000 of dedicated security assessment.
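The triage the ICS-CERT and FBI representatives describe, checking whether a foreign source address in a server log belongs to a known account before an intrusion is reported, as an added Python example (written for this page; not from the article and not ICS-CERT’s or the utility’s tooling). The log lines, the prefix-to-country table, the account inventory and the travel notice are all constructed for the example, and 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real sources. The example goes one step beyond the article: it also escalates a success that follows failed guesses from the same address, and it marks logins that fall in a window before the equipment fault as leads to check rather than as causes.

```python
"""Triage of remote-access log entries before an incident is reported.
Added example; log lines, GeoIP table, inventory and travel notice are
constructed, and the jump host, accounts and fault time are hypothetical."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed stand-in for a GeoIP lookup, keyed by /24 prefix.
GEO = {"203.0.113": "RU", "198.51.100": "US", "192.0.2": "DE"}

# Constructed inventory: accounts allowed on the SCADA jump host and the
# countries they normally connect from.
AUTHORIZED = {"opsadmin": {"US"}, "contractor1": {"US"}}

# Constructed travel notice: user -> (country, first day, last day).
TRAVEL_NOTICES = {"contractor1": ("DE", datetime(2011, 11, 7), datetime(2011, 11, 12))}

FAULT_TIME = datetime(2011, 11, 8, 4, 30)   # hypothetical pump fault

SAMPLE_LOG = """\
2011-11-05 14:02:11 jumphost sshd[2101]: Accepted password for opsadmin from 198.51.100.7 port 51002
2011-11-06 09:17:45 jumphost sshd[2155]: Accepted password for contractor1 from 203.0.113.44 port 60211
2011-11-07 20:05:10 jumphost sshd[2201]: Accepted password for contractor1 from 192.0.2.9 port 40250
2011-11-07 22:40:03 jumphost sshd[2230]: Failed password for invalid user root from 203.0.113.200 port 40110
2011-11-07 22:40:09 jumphost sshd[2230]: Failed password for invalid user root from 203.0.113.200 port 40111
2011-11-07 22:41:30 jumphost sshd[2231]: Accepted password for backup from 203.0.113.200 port 40119
"""


def country_of(ip):
    return GEO.get(ip.rsplit(".", 1)[0], "??")


def parse(log_text):
    """Turn matching lines into dicts with a datetime and a country code."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            ev["country"] = country_of(ev["ip"])
            events.append(ev)
    return events


def on_travel(user, country, ts):
    notice = TRAVEL_NOTICES.get(user)
    return notice is not None and notice[0] == country and notice[1] <= ts <= notice[2]


def classify(ev, failed_ips):
    """Triage label for one login; failed attempts alone are background noise."""
    if ev["result"] != "Accepted":
        return "NOISE"
    if ev["ip"] in failed_ips or ev["user"] not in AUTHORIZED:
        return "ESCALATE"          # guessing then success, or an account not in the inventory
    if ev["country"] in AUTHORIZED[ev["user"]] or on_travel(ev["user"], ev["country"], ev["ts"]):
        return "EXPECTED"
    return "VERIFY_WITH_OWNER"     # known account, unexpected country: call the owner first


def triage(log_text, fault_time, window=timedelta(hours=48)):
    """Label every successful login and note which fall in the window before the fault.
    Proximity in time is a lead to check, not evidence that the login caused the fault."""
    events = parse(log_text)
    failed_ips = {ev["ip"] for ev in events if ev["result"] == "Failed"}
    report = []
    for ev in events:
        label = classify(ev, failed_ips)
        if label == "NOISE":
            continue
        near_fault = fault_time - window <= ev["ts"] <= fault_time
        report.append((ev["ts"], ev["user"], ev["ip"], ev["country"], label, near_fault))
    return report


def demo_report():
    return triage(SAMPLE_LOG, FAULT_TIME)


if __name__ == "__main__":
    for row in demo_report():
        print(*row)
```

On the constructed input the contractor’s login from the RU range comes out as VERIFY_WITH_OWNER rather than ESCALATE: the account is in the inventory, so the first call is to its owner, which is the check that would have closed the Springfield case before it reached a fusion center. The unknown “backup” account logging in from an address that had just been guessing passwords is the only row that warrants an immediate report.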

To date, ICS-CERT says there has not been a cyber-compromise in the water, energy or other utility sectors that led to a successful cyberattack directly on industrial control systems, which could wreak havoc by halting the normal operations that generate electricity, water and gas. But there have been several cyber-intrusions, especially through Microsoft Windows, that compromised energy sector business systems in particular, apparently some for purposes of intelligence-gathering by sophisticated attackers who might be criminals or nation-states, and some of those spread into the networks involved in ICS maintenance.


U.S. water utility reportedly hacked last week, expert says

Friday, November 18th, 2011

Intruders compromised a water utility network last week and destroyed a pump, according to a state government report cited by a critical infrastructure security expert today.

It appears that hackers breached the network of a company that makes SCADA (supervisory control and data acquisition) software and stole customer usernames and passwords, said Joe Weiss, managing partner of Applied Control Solutions. “There was damage–the SCADA system was powered on and off, burning out a water pump,” he wrote in a brief blog post.

The report did not identify the water utility attacked or the SCADA software vendor compromised, Weiss said in an interview with CNET. He declined to say where the utility is based because the report, released by a state terrorism information center, is marked “For Official Use Only.” However, a Department of Homeland Security representative indicated the facility was located in Springfield, Ill.

“It is unknown, at this time, the number of SCADA usernames and passwords acquired from the software company’s database and if any additional SCADA systems have been attacked as a result of this theft,” he said, reading from a report entitled “Public Water District Cyber Intrusion.” It was released November 10, two days after the water utility attack was discovered, he said.

“This is a really big deal,” said Weiss, an industry provocateur who pushes for stronger security practices and better disclosure in the industry. The incident has not been disclosed by the Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) or any other officials, he said, adding “What are we doing with disclosure?”

The DHS said in a statement to CNET that it was investigating the incident but declined to comment on whether a security breach had occurred.

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,” DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

Weiss disputed this statement.

“The statement is inconsistent with the report from the Illinois Statewide Terrorism and Intelligence Center Daily Intelligence Notes dated November 10, 2011, titled ‘Public Water District Cyber Intrusion,'” he said.

The water utility had noticed minor glitches in the remote access to the SCADA system for two to three months before it was identified as a cyber attack, Weiss said. This is similar to the 2000 hacking (PDF) in Queensland, Australia, in which a wastewater treatment plant failed to notice dozens of attempts to access the system. Using wireless radio and stolen control software, a consultant on the project who was angry over not getting a job was eventually able to get in and release up to one million liters of sewage into the river and coastal areas, killing marine life and turning a creek black.

“We don’t have cyber forensics, so when they see (issues) they don’t think it’s a cyber problem. They just think it’s a glitch in the system,” Weiss said. “Why won’t we have a cyber Pearl Harbor? Because we won’t know it.”

Weiss could not say how the SCADA vendor was breached, but speculated that programmable logic controllers (PLCs) were involved in the attacks. “I would be surprised if it didn’t,” he said. “This is a water utility and they are very dependent on PLCs.”

The Stuxnet attack of last year, which is believed to have been the first computer attack targeting critical infrastructure systems, targeted PLCs from Siemens. PLCs are used to automate mechanical devices in utilities, power plants, and other industrial control environments. They are known to use hard-coded passwords that can not be easily changed in the event of a compromise.

Weiss also said the report indicated that the IP address used in the water utility attack was traced back to Russia. However, that doesn’t mean the attack was launched from there because tracks of hackers can so easily be hidden and made to look like they originated elsewhere.

Utilities and energy companies would be attractive targets for hackers wanting to cause damage to a community, but it’s unclear who is behind the attack.

While reports of utilities being hacked are rare, experts say the incidents that make the news are likely only the tip of the iceberg of what is really happening. For instance, Weiss said he came across news of a previously undisclosed SCADA system breach of a Southern California water department in a posting on LinkedIn in February.

Source:  CNET

DHS US-CERT security bulletin lists Microsoft, Adobe, Apple, Cisco, Google vulnerabilities as notable

Friday, October 15th, 2010

The Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) periodically releases comprehensive security risk updates for public review in an attempt to keep end-users as secure as possible. The complete report includes links to the updates; the excerpts US-CERT designated as notable are listed below:

Microsoft released multiple updates in August.

  • Security Bulletin MS10-046 addressed a critical vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for shortcut files. By convincing a user to display a specially crafted shortcut file, a remote attacker may be able to execute arbitrary code.
  • Microsoft has released Security Advisory 2269637 indicating that it is aware of a remote attack vector for a class of vulnerabilities related to how applications load external dynamic link libraries (DLLs). See the Security Highlights section for further details.
  • The Microsoft Security Bulletin Summary for August 2010 addressed vulnerabilities in Microsoft Windows, Internet Explorer, Office, and Silverlight. These vulnerabilities may allow an attacker to execute arbitrary code or operate with elevated privileges.

Adobe released updates for Flash Player, Shockwave Player, Reader, and Acrobat.

  • An update to Flash Player addressed multiple vulnerabilities that may allow an attacker to execute arbitrary code or cause a denial-of-service condition. These vulnerabilities also affect Adobe AIR. Refer to Adobe Security Bulletin APSB10-16 and US-CERT Vulnerability Note VU#660993 for additional details.
  • Adobe Security Bulletin APSB10-17 addressed multiple vulnerabilities in Reader and Acrobat. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or execute arbitrary code.
  • Adobe Security Bulletin APSB10-20 addressed multiple vulnerabilities affecting Shockwave Player. These vulnerabilities may allow an attacker to execute arbitrary code.

Apple released updates for QuickTime, iOS, and multiple applications.

  • QuickTime 7.6.7 for Windows addressed a vulnerability regarding a stack buffer overflow that exists in QuickTime error logging. By convincing a user to open a specially crafted movie file, a remote attacker could execute arbitrary code or cause a denial-of-service condition. Additional details are provided in Apple article HT4290.
  • iOS 4.0.2 for the iPhone and iPod touch and iOS 3.2.2 for the iPad addressed vulnerabilities in the FreeType and IOSurface packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code or gain system privileges. Additional information regarding the vulnerability affecting the FreeType package can be found in US-CERT Vulnerability Note VU#275247 and Apple article HT4291.
  • Apple security update 2010-005 addressed multiple vulnerabilities affecting the ATS, CFNetwork, ClamAV, CoreGraphics, libsecurity, PHP, and Samba applications. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, cause a denial-of-service condition, or impersonate hosts within a domain. Refer to Apple article HT4312 for details.

Cisco released multiple Security Advisories in August.

  • Security Advisory cisco-sa-20100804-fwsm addressed multiple vulnerabilities in the Cisco Firewall Services Module. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition.
  • Security Advisory cisco-sa-20100812-tcp addressed a vulnerability affecting IOS Software Release 15.1(2)T. This vulnerability may allow an attacker to cause a denial-of-service condition by sending a specially crafted packet through normal network traffic.
  • Security Advisory cisco-sa-20100827-bgp addressed a vulnerability in the Cisco IOS XR Software Border Gateway Protocol feature. Exploitation of this vulnerability may result in the continuous resetting of BGP peering sessions, which may cause a denial-of-service condition for affected networks.
  • Cisco released Security Advisory cisco-sa-20100825-cucm and Security Advisory cisco-sa-20100825-cup to address vulnerabilities in Cisco Unified Communications Manager and Cisco Unified Presence. These vulnerabilities affect the processing of Session Initiation Protocol (SIP) messages. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition, which could cause an interruption of voice services.

Google released two updates for Chrome.

  • Chrome 5.0.375.126 for Linux, Mac, and Windows contained an updated version of the Flash plugin, which addresses multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code.
  • Later in the month, Google released Chrome 5.0.375.127 for Windows, Mac, and Linux to address multiple vulnerabilities that may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or conduct spoofing attacks. Additional information can be found in the Google Chrome Releases blog entry.