Water supply system reportedly hacked, with physical damage

Posted by on November 19, 2011Leave a Comment

Bellovin comments on Krebs blog post about CNN’s report on water supply system breach.

According to press reports, a water utility’s SCADA network was hacked. The attacker turned a pump on and off too much, resulting in physical damage to the pump. This is an extremmely significant incident, for three reasons:

 

  • The attack actually happened.
  • Ordinary, off-the-shelf hacking tools were used, rather than something custom like Stuxnet
  • Physical damage resulted
This is the scenario that security people and the Dept of Homeland Security have been predicting for years. Sophisticated methods with 0-day vulnerabilities were not needed. When the FBI investigates, will the Curran-Gardner Public Water District (near Springfield, IL) be called out for lax security practices as was Nasdaq?

 

 

 

Filed Under: blog Tagged With: ,

FBI says lax security at Nasdaq helped hackers

Posted by on November 18, 2011Leave a Comment

Exclusive: Lax security at Nasdaq helped hackers | Reuters.

A federal investigation into last year’s cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said. The sources did not want to be identified because the matter is classified.

The ongoing probe by the Federal Bureau of Investigation is focused on Nasdaq’s Directors Desk collaboration software for corporate boards, where the breach occurred. The Web-based software is used by directors to share confidential information and to collaborate on projects.

…investigators were surprised to find some computers with out-of-date software, misconfigured firewalls and uninstalled security patches that could have fixed known “bugs” that hackers could exploit. Versions of Microsoft Corp’s Windows 2003 Server operating system, for example, had not been properly updated.

This story is interesting on several fronts. First, we find out that when the FBI is brought into a criminal breach investigation, it evaluates the victim organization’s information security posture, i.e. is the organization following best practices? While this may be obvious, one might want to know what the FBI’s definition of best practices is.

Second, this leak could have a chilling effect on organizations’ willingness to report cybercrimes to the FBI. On the other hand, the breach laws in most states will most likely still compel organizations to report breaches.

Overall though, I believe the compounded loss of reputation from disclosing a breach and the disclosure of lax information security practices will increase organizations’ motivation to strengthen the latter to reduce the risk of the former.

Filed Under: blog Tagged With: , , ,

Zurich seeking immunity from covering Sony over breach – SC Magazine US

Posted by on July 26, 2011Leave a Comment

Zurich seeking immunity from covering Sony over breach – SC Magazine US.

Zurich American Insurance, Sony’s general liability insurance carrier, is contesting any obligation for costs related to the 58 class-action lawsuits against Sony related to the 100 million user breach of Sony’s PlayStation Network.

Zurich argues that it is not liable to indemnify Sony for these costs because its policy with the company only covers claims for bodily injury, property damage or personal and advertising injury. Sony’s policy contains “certain exclusions” related to “class-action complaints and miscellaneous claims,” according to the complaint, filed Wednesday.

Maybe this is why companies like Sony do not seem to address their information security responsibilities.

Filed Under: blog Tagged With: , ,

Freakonomics » Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum

Posted by on July 24, 2011Leave a Comment

Freakonomics » Why Has There Been So Much Hacking Lately? Or Is It Just Reported More? A Freakonomics Quorum.

The short answer, yes and yes.

Stephen Dubner gathers opinions from Bruce Schneier, Tal Be’ery (Imperva), Henry Harrison (BAE Systems Detica), Julie Conroy McNellery (Aite Group), and David Jevans (IronKey).

McNellery seems to think that PCI has been a success and has reduced the number of breaches. While the number of credit card breaches has dropped, it appears that it’s because so much credit card data has been stolen that the price for credit card data has been driven down so low that cyber criminals are focusing on other types of digital information to steal.

Just ask Josh Corman.

Filed Under: blog Tagged With: ,

Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com

Posted by on April 3, 2011Leave a Comment

Massive Breach at Epsilon Compromises Customer Lists of Major Brands | SecurityWeek.Com.

Epsilon’s breach is the latest in a string of breaches at Email Service Providers. The ESPs respond by saying it’s only email addresses. However, RSA’s latest update on its SecureID breach said it was started with a spear phishing attack.

 

Filed Under: blog Tagged With: , , , ,

RSA breach and APT – Detection Controls and Access Control

Posted by on March 19, 2011Leave a Comment

I would like to comment on RSA’s use of the term Advanced Persistent Threat (APT) in their Open Letter to RSA Customers. From my perspective, any company’s trade secrets are subject to APTs from someone. There is always some competitor or government that can benefit from your trade secrets. All APT means is that someone is willing to focus on your organization with resources of approximately the value of a penetration test plus the cost of acquiring a 0-day attack.

This means that you must assume that you are or will be compromised and therefore you must invest in “detection controls.”  In other words, your security portfolio must include detection as well as prevention controls. Important detection controls include intrusion detection, behavior anomaly detection, botnet command & control communications detection, and Security Information & Event Management (SIEM). If you don’t have the resources to administer and monitor these controls then you need to hire a managed security services provider (MSSP).

Furthermore, organizations must take a close look at their internal access control systems. Are they operationally and cost effective? Are you compromising effectiveness due to budget constraints? Are you suffering from “role explosion?” A three thousand person company with 800 Active Directory Groups is difficult to manage, to say the least. Does your access control system impede your responsiveness to changes in business requirements? Have you effectively implemented Separation of Duties? Can you cost effectively audit authorization?

Filed Under: blog Tagged With: , , , , , , , ,

How concerned should you be about the RSA breach?

Posted by on March 19, 2011Leave a Comment

Ars Technica provides an excellent analysis of the potential threats to users of RSA Secure-ID tokens as a result of the breach RSA announced.

RSA’s announcement was not specific in the information it gave, so exactly what this means for SecurID isn’t clear. In the likely worst case, the seed values and their distribution among RSA’s 25,000 SecurID-using customers, may have been compromised. This would make it considerably easier for attackers to compromise systems dependent on SecurID: rather than having to acquire a suitable token, they would be required only to eavesdrop on a single authentication attempt (so that they could determine how far through the sequence a particular token was), and from then on would be able to generate numbers at their whim.

The article also covers more benign, more grave, and less likely possibilities. I would think that RSA customers are receiving more precise information.

While Secure-ID is probably the most popular two-factor authentication solution, it may be worth noting that there are many other choices available from RSA and its competitors.

 

Filed Under: blog Tagged With: , , , ,

The Top 10 Security Questions Your CEO Should Ask — CIOUpdate.com

Posted by on February 10, 2011Leave a Comment

The Top 10 Security Questions Your CEO Should Ask — CIOUpdate.com.

From PwC, here are the top 10 questions your CEO should be asking you:

  1. Who is accountable for protecting our critical information?
  2. How do we define our key security objectives to ensure they remain relevant?
  3. How do we evaluate the effectiveness of our security program?
  4. How do we monitor our systems and prevent breaches?
  5. What is our plan for responding to a security breach?
  6. How do we train employees to view security as their responsibility?
  7. How do we take advantage of cloud computing and still protect our information assets?
  8. Are we spending our money on the right things?
  9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner?
  10. How do we meet expectations regarding data privacy?

This article provides a paragraph or two on each one of these questions.

Filed Under: blog Tagged With: , , , ,

Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security

Posted by on January 19, 2011Leave a Comment

Experi-Metal vs. Comerica Case Heads to Trial — Krebs on Security.

Detailed update on the upcoming Experi-Metal vs. Comerica trial. In brief, Experi-Metal is suing its bank, Comerica, for money ($560,000) it lost due to fraudulent wire transfers that resulted from a security breach.

The bank, Comerica, claims the fault of the lost money is entirely with Experi-Metal, while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering it had only done two wire transfers in the two years prior to this incident.

Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.

This case and other similar ones are putting pressure on small and mid-size banks, and the outsourcers who provide transaction processing services to them, to strengthen their security posture.

… more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.

When the costs of improving security posture are lower than the risk-weighted costs due to a breach, then these banks will move. I not mean to appear overly cynical here. It’s the banks’ fiduciary responsibility to move only when the risk analysis scale tips in favor of improving security. That’s what makes this trial so interesting.

Filed Under: blog Tagged With: ,

Recent Higher Education Security Incidents

Posted by on October 17, 2010Leave a Comment

Here are four recent security incidents which were serious enough to require public notification. Thanks to Adam Dodge at Educational Security Incidents.

University of Florida web site contains former student social security numbers

Four Ohio State University breaches in 2010 expose personal information

Virus at Oklahoma State health services center exposes patient information

High Point University misuses student credit card information

BTW, Cymbel is an approved Massachusetts Higher Education Consortium vendor.

Filed Under: Breach Tagged With: , ,