STE WILLIAMS

Stuxnet’s Earlier Version Much More Powerful And Dangerous, New Analysis Finds

The later-discovered earlier iteration of Stuxnet was a far more aggressive, stealthy, and sophisticated attack that could have ultimately caused catastrophic physical damage in Iran’s Natanz facility, the expert who deciphered how Stuxnet targeted the Siemens PLCs says after reverse-engineering the code and further studying the attacks.

Ralph Langner, head of The Langner Group and a renowned ICS/SCADA expert, today published a new analysis of Stuxnet that shines new light on the game-changing cyber weapon, concluding among other things that the attackers moved from a more destructive and stealthy payload to a weaker and more easily detected one, and that conventional wisdom that it would take a nation-state to use Stuxnet as a blueprint for attacks against U.S. and its allies’ critical infrastructure is incorrect.

One big takeaway from Langner’s new analysis is how the Stuxnet attackers so dramatically shifted gears from a dangerous, aggressive, and hidden attack strategy that wasn’t discovered for at least five years to a louder, more noticeable and detectable one that burnt multiple zero-day vulnerabilities and used stolen digital certificates. “What you see today in that analysis is that the first attack was more complex, stealthy and more aggressive than the second. That is counterintuitive,” Langner told Dark Reading. “So why did the attackers go from the ultimate in stealth and aggression to something that’s much more simple and comes with a much higher risk of detection?”

The first attack was never meant to be detected, nor was it until Symantec found its malware clue tucked among its Stuxnet samples. It was a component that didn’t fit with the malware, according to Liam O Murchu, manager of North American operations for Symantec Security Technology Response, who in February detailed Symantec’s discovery of what it nicknamed “Stuxnet 0.5”, which dates back to 2005, five years before the later and better-known version of the malware was discovered in 2010.

[Symantec finds ‘missing link’ in infamous Stuxnet malware that sabotages another piece of equipment in Iranian nuclear facility. See Stuxnet, The Prequel: Earlier Version Of Cyberweapon Discovered.]

Langner says he’s still baffled by why the Stuxnet attackers left behind the dormant payload, which over-pressurized the centrifuge rotors in the Natanz plant. The malware, like its better-known successor, was written to inflict damage on the centrifuge rotors. The main difference between the two attacks is in just how they did so: the early attack over-pressurized the centrifuges, which could have led to a more catastrophic physical attack. It infected the Siemens S7-417 controllers that control the valve and pressure sensors of the so-called Cascade Protection System, groups of gas centrifuges for uranium enrichment. The second version of the Stuxnet malware attack sped up the spinning of the centrifuges at various intervals to eventually disable them, targeting the Siemens S7-315 controller.

“If the idea was catastrophic destruction, one would simply have to sit and wait. But causing a solidification of process gas would have resulted in simultaneous destruction of hundreds of centrifuges per infected controller,” he wrote in his new Stuxnet paper. “While at first glance this may sound like a goal worthwhile achieving, it would also have blown cover since its cause would have been detected fairly easily by Iranian engineers in post mortem analysis. The implementation of the attack with its extremely close monitoring of pressures and centrifuge status suggests that the attackers instead took great care to avoid catastrophic damage. The intent of the overpressure attack was more likely to increase rotor stress, thereby causing rotors to break early – but not necessarily during the attack run.”

Langner told Dark Reading that the early version of Stuxnet would not have been detected if the attackers had taken more pains to cover their tracks. “It was only detected given the knowledge of the later version” of Stuxnet, he says. If they had removed that payload, it would likely never have been discovered at all and we would not have learned of the first more deadly attack, he says.

“But with the full story, we have a better idea of how bad things can get: malware flies under the radar of all antivirus and intrusion detection systems and you have no chance to discover it just by looking at it. And it attacks the most sensitive components in any big industrial facility, the protection and safety systems. That’s a nightmare for engineers,” he says. “That’s one thing you put trust in, those systems that are designed and installed to [alert] that if something goes wrong for whatever reason, still, disaster won’t hit you.”

Langner says the earlier Stuxnet payload is a wake-up call that attackers can and will go after ICS/SCADA equipment, and can cause major physical damage.

So why the changeup to a less powerful payload for Stuxnet? “The only explanation is a change in policy, strategy. And most likely, a change in stakeholders,” Langner says of the attackers.

The attackers behind Stuxnet reportedly were U.S. intelligence and military officials, including the National Security Agency, according to published reports quoting unnamed Obama administration officials.

The earlier version of Stuxnet was less about information security capabilities. “It didn’t require and use stolen digital certificates. There must be a reason for that. The one thing I believe that is pretty much obvious is for the second and later version, we see stuff you know is something the NSA has,” Langner says.

Despite a common conclusion that Stuxnet could not be repurposed for other attacks on ICS/SCADA systems, Langner contends that Stuxnet indeed could be used in copycat attacks. For one thing, Stuxnet relied heavily on the weakest link in the facility — its contractors, he says.

Langner argues that simultaneous attacks against multiple facilities with similar equipment could occur. That “scalability” of an attack would supersede the need for a nation-state or other sophisticated attacker, and could indeed cause power failure, for example. “These [attack] tactics can be copied—it doesn’t require nation-state capabilities,” Langner says.

Targeting a facility’s contractors, for instance, as a way to secretly install the malware, is a tactic any savvy attacker could employ. And code can be repurposed, Langner notes in his paper: “One of the toughest challenges is the fact that exploit code can be packaged into software tools. The genius mastermind is needed only for identifying vulnerabilities and designing exploits … At some level of software maturity, such exploit components can be made available in user-friendly point-and-click software applications, just like it is now for boilerplate malware development. The skill set for those who assemble and deploy a specific sample of cyber-physical attack code will then drop dramatically.”

Meanwhile, Langner says his new analysis on Stuxnet is his last. “I don’t plan to publish anything further. It sucked up too many of my resources. There was no external budget for this; I did it all on my own,” he says.

Langner’s full and detailed report, “To Kill A Centrifuge,” which includes analysis of photos from inside the Natanz plant floor, is available here (PDF) for download.


Article source: http://www.darkreading.com/attacks-breaches/stuxnets-earlier-version-much-more-power/240164120

LANDesk Software Unleashes Enhanced Self-Service Password Management Capability

SALT LAKE CITY – Nov. 20, 2013 – LANDesk Software, the global leader in delivering User-Oriented IT to organizations that solves systems, security, mobility and ITSM management challenges, today announced powerful enhancements to its password reset capabilities. A feature of LANDesk Service Desk, Password Central, utilizes innovative software from ISV partner Avatier. It empowers users to independently reset and synchronize their own passwords across multiple business applications and services without service desk technician involvement. This greatly reduces the number of password reset request calls to the service desk and increases end-user productivity. With online, touch-tone phone PIN code, voice recognition and biometric access options, Password Central offers users the ultimate flexibility in selecting a secure access reset mechanism. It transfers the power of self-service password management to the user with a simple reset capability.

“As the demand for organizations to implement tougher policies to protect their IT data increases, forgotten passwords and service desk calls for reset requests are on the rise,” says Ian Aitchison, Director of Product Management for LANDesk Software. “A 2012 HDI study shows that over 30% of all service desk calls deal with password complexities and resets. With LANDesk Password Central, users take ownership in their own password reset, but it’s done in a way where IT does not lose control over the enforcement of password rules. This leads to a decline in service desk call volumes and improvement in service levels. Users become empowered through IT thereby increasing productivity. At its core Password Central is User-Oriented IT.”

Password Central is built upon software from Avatier that integrates tightly with LANDesk Service Desk to automatically record and ticket password resets, with zero touch from a service desk analyst.

“Avatier is trusted by the world’s top brands for password management technology. We share in the vision of User-Oriented IT so partnering with LANDesk on Password Central was a natural fit and win for customers,” commented Nelson Cicchitto, Chairman and CEO of Avatier. “This partnership meets not only the changing needs of IT departments and users, but also meets the needs of the business through an immediate and measurable return on time and money.”

“Ochsner Health Systems is the state of Louisiana’s largest private employer. With a large network of hospitals and health care centers, we need to ensure our IT operations are not only streamlined but follow a strict set of security and compliance policies,” says Willy Schley, Director of Technology, Ochsner Health Systems. “We selected Password Central to support our automated password expirations. Password Central’s self-service system both improves customer satisfaction and conserves valuable service desk resources while ensuring that passwords are changed under set rules that meet compliance requirements. With support from LANDesk and Avatier, Password Central has been quick and easy to implement.”

For more information on how Password Central can virtually eliminate all service desk password reset calls, visit http://landesk.com/products/password-central/.

Tweet this: @LANDesk sets standard for self-service password management capabilities by unleashing Password Central http://bit.ly/1866ZyY

About Avatier

Avatier is the identity management company designed for business users. Avatier automates and unifies enterprise operations by standardizing business processes with an IT store. Avatier’s IT service catalog creates a single system of record for access requests and IT audit.

Avatier’s easily extensible identity management system lowers operational costs and provides corporate governance visibility. Avatier automates workflow and compliance reviews to reduce IT security risks.

Founded in 1997, Avatier is headquartered in the San Francisco Bay Area with offices in Chicago, Dallas, New York, Washington DC, London, Munich, Singapore, Dublin and Sydney. Our products operate globally for customers like Marriott, DHL, ESPN, Halliburton, Starbucks and hundreds more. For more information, please visit www.avatier.com and follow @Avatier on Twitter.

About LANDesk Software

LANDesk Software is a leading provider of systems lifecycle management, endpoint security, and IT service management solutions for desktops, servers and mobile devices across the enterprise. LANDesk enables IT to deliver business value by gaining control of end-user computing with a single console, light infrastructure, and ITIL solutions that deliver significant ROI for thousands of customers worldwide. LANDesk is headquartered in Salt Lake City, Utah, with offices located in the Americas, Europe and Asia Pacific, and can be found at www.landesk.com.

Article source: http://www.darkreading.com/privacy/landesk-software-unleashes-enhanced-self/240164126

Intrinsic-ID Brings New Level Of Data Security To Dropbox With Its Saturnus Secure Cloud Product

EINDHOVEN, The Netherlands, November 20, 2013 – Intrinsic-ID today announced the availability of Saturnus for Dropbox users. This new application enables enterprises to easily and securely protect digital assets stored and shared in the cloud. Saturnus brings a professional level of security to enterprise users via software and a USB token. With Saturnus, enterprises and governments can apply the necessary data protection to be compliant with laws and regulations more easily and cost-effectively. Plus, Saturnus keeps data in the cloud safe from prying eyes as there are no security backdoors in the system.

“With a billion files synched every day via Dropbox, the industry is clearly moving to a ‘sync and share’ model, which provides greater flexibility and ease of use but also presents bigger security risks,” said Pim Tuyls, CEO of Intrinsic-ID. “Our announcement today takes this working paradigm to a new level by making security a seamless part of the equation. With our solution, users can easily ‘secure, synch and share’ their data and enterprises can be confident that the data is safe.”

Saturnus is a cloud security solution that combines hardware and software to enable secure data access anytime, anywhere. Saturnus is available to professional and enterprise users to protect data stored and shared via Dropbox today. With Saturnus, files are encrypted before they leave the device and are uploaded to the cloud. The encryption keys are generated and managed inside a (USB) hardware security token plugged into the user device. What differentiates the Saturnus solution is that the security is in the control of the end user and anchored both in the hardware and the software by means of private and local keys.

Saturnus is ideal for enterprises as it makes secure data access easy to manage and implement. The USB tokens can be handed out to employees, just like a badge to enter the building. Saturnus allows file-by-file encryption and sharing, so users can select the specific data they want to secure. Cloud storage and sharing is easy, intuitive, fast and now additionally safe. Files are synchronized automatically and security runs transparently in the background.

The Saturnus Promotion Bundle is available immediately for enterprises via resellers and can be ordered from the Intrinsic-ID corporate website www.intrinsic-id.com for 59,99 Euro (excl. VAT). The bundle includes one USB token and a three-year license of Saturnus software. Currently both Android 4.x and Windows XP/7 devices are supported. The company is actively building its distribution channel so interested resellers should contact the company.

An Extra Layer of Protection

Saturnus leverages the Hardware Intrinsic Security™ technology (HIS) developed and patented by Intrinsic-ID. HIS technology protects the secret keys used by Saturnus and adds an extra layer of protection. Instead of keeping keys in software only, security is anchored in the hardware. Secret keys are extracted from the hardware properties of the smartcard chip in the USB token, like an ‘electronic fingerprint’ used to anchor the cloud data to the physical device. Since the keys are not present when the device is switched off, a very high security level is achieved. HIS technology comes with reference credentials and a proven track record in the smartcard, government, automotive, networking and telecom industries.
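The mechanism described above, a key that is regenerated from a chip’s physical “fingerprint” rather than stored, is the general physically unclonable function (PUF) pattern: a noisy hardware response plus public helper data reproduces the same secret on every boot. The following is an added toy illustration of that pattern, not Intrinsic-ID’s HIS code or Saturnus internals. The simulated PUF, the repetition-code fuzzy extractor, the 32-bit secret size, the noise model and the HMAC-based key derivation are all assumptions chosen for clarity; a real design uses far longer responses and a stronger error-correcting code.

```python
"""Toy fuzzy extractor: regenerate a secret from a noisy hardware fingerprint
plus public helper data, so no key sits in storage while the device is off.
Constructed illustration of the general PUF idea; not Intrinsic-ID's HIS code."""
import hashlib
import hmac
import random
import secrets

REPEAT = 7                           # repetition code: corrects up to 3 flips per group
SECRET_BITS = 32                     # raw secret bits carried by the code (toy size)
RESPONSE_BITS = REPEAT * SECRET_BITS  # 224-bit simulated PUF response


class SimulatedPuf:
    """Stand-in for a silicon PUF: a fixed per-chip pattern read back with bit noise."""

    def __init__(self, chip_id, flip_prob=0.02):
        # The per-chip pattern is fixed by chip_id here; real PUFs get it from
        # uncontrollable manufacturing variation, which is what makes it unclonable.
        rng = random.Random(f"chip-{chip_id}")
        self._pattern = [rng.randint(0, 1) for _ in range(RESPONSE_BITS)]
        self._noise = random.Random(f"noise-{chip_id}")
        self._flip_prob = flip_prob

    def read(self):
        """Noisy readout: each bit flips independently with probability flip_prob."""
        return [b ^ (1 if self._noise.random() < self._flip_prob else 0)
                for b in self._pattern]

    def read_with_flips(self, positions):
        """Deterministic readout that flips exactly the given bit positions (for tests)."""
        return [b ^ (1 if i in positions else 0) for i, b in enumerate(self._pattern)]


def majority(bits):
    """Decode one repetition-code group by majority vote."""
    return 1 if sum(bits) * 2 > len(bits) else 0


def enroll(response):
    """One-time enrollment: pick a fresh secret and hide it behind the PUF response.
    Returns (helper_data, secret_bits). Helper data alone reveals nothing about the
    secret without the chip's response, so it may be stored in the clear."""
    secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    codeword = [bit for bit in secret for _ in range(REPEAT)]
    helper = [c ^ r for c, r in zip(codeword, response)]
    return helper, secret


def reproduce(helper, noisy_response):
    """Every later use: XOR helper with a fresh noisy read, then majority-decode each group.
    Up to 3 flipped bits per 7-bit group are corrected; 4 or more corrupt that secret bit."""
    noisy_codeword = [h ^ r for h, r in zip(helper, noisy_response)]
    return [majority(noisy_codeword[i:i + REPEAT])
            for i in range(0, len(noisy_codeword), REPEAT)]


def derive_key(secret_bits, purpose):
    """Expand the reconstructed secret into a 256-bit key bound to a purpose label."""
    raw = int("".join(map(str, secret_bits)), 2).to_bytes(SECRET_BITS // 8, "big")
    return hmac.new(raw, purpose, hashlib.sha256).digest()


def demo():
    """Returns (same chip rebuilds the key, a different chip rebuilds the key)."""
    chip = SimulatedPuf(chip_id=1)
    helper, secret = enroll(chip.read())
    key_enrolled = derive_key(secret, b"file-encryption")
    key_rebuilt = derive_key(reproduce(helper, chip.read()), b"file-encryption")
    other_chip = SimulatedPuf(chip_id=2)
    key_other = derive_key(reproduce(helper, other_chip.read()), b"file-encryption")
    return key_enrolled == key_rebuilt, key_enrolled == key_other


if __name__ == "__main__":
    print(demo())
```

The point the paragraph makes is visible in `reproduce`: nothing secret is written anywhere between uses, only the public helper data, and the secret only exists while a chip with the right fingerprint is powered and answering. Moving the helper data to a second token gives a different secret, which is the binding of the data to the physical device.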

About Intrinsic-ID

Intrinsic-ID (www.intrinsic-id.com) is the world leader in security IP cores and applications based on patented HIS technology, which offers a total protection of sensitive private and corporate data on mobile devices, embedded systems and in the cloud. Intrinsic-ID is headquartered in Eindhoven, The Netherlands, and has sales offices in San Jose, Tokyo and Seoul.

Article source: http://www.darkreading.com/management/intrinsic-id-brings-new-level-of-data-se/240164134

Survey Results For DDoS Protection Services: What Really Matters To E-Commerce Companies

HOLLYWOOD, FL – (November 20, 2013) – Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, announced today the results of a survey of global e-Commerce companies who were asked about DDoS protection and the effectiveness of different types of DDoS mitigation services. The industry report, DDoS Protection Services: What Really Matters to e-Commerce Companies, is available at www.prolexic.com/ecommerce-report.

A cross-section of retail companies with e-Commerce websites participated in the survey, spanning many business sectors, including consumer electronics, healthcare, online payment processing, fashion and apparel, toys and gifts, heating and plumbing, and software-as-a-service. The respondents, a statistically significant subset of Prolexic customers, included online retailers from the United States, Europe and Asia.

“There was a nearly unanimous belief among respondents that their company websites are at mid-to-high risk of being targeted by DDoS attacks over the next 12 months,” said Stuart Scholly, president at Prolexic. “Moreover, the majority of respondents indicated DDoS mitigation services from ISPs and content delivery networks were ineffective in providing the preferred level of protection e-Commerce companies require and expect.”

Key findings

Survey responses show that online retailers:

Find content delivery networks (CDNs) and Internet service providers (ISPs) to be the least effective of DDoS protection services, and especially ineffective against direct-to-origin DDoS attacks and application-layer attacks.

o ISPs were ranked least effective for mitigating DDoS attacks by 42% of respondents, while 8% ranked ISPs as most effective.

o CDNs were ranked least effective for mitigating DDoS attacks by 58% of respondents. No respondents ranked CDNs as most effective.

o On-site DDoS mitigation appliances were ranked least effective by 33% of respondents. No respondents ranked appliances as most effective.

Prefer a mature, pure-play DDoS mitigation service provider with proven competence and capabilities that can scale to stop the largest DDoS attacks on the Internet, with low false positives, and the fastest mitigation backed by a service level agreement (SLA). They also want a mitigation provider with a proven track record of ensuring the client’s site availability and business continuity during a DDoS attack.

Seek a total DDoS protection solution that only a specialist in DDoS mitigation services can provide. e-Commerce companies want network protection for all IPs with a single DDoS mitigation solution, not add-on services from multiple ISPs or CDNs. They want a total-protection provider that sits in front of all IPs and carriers and provides routed protection against all avenues of attacks.

A complimentary copy of Prolexic’s report, DDoS Protection Services: What Really Matters to e-Commerce Companies, can be downloaded from prolexic.com/ecommerce-report.

Prolexic has also made available an e-commerce white paper, Safeguarding e-Commerce Revenues from DDoS Attacks in Q4, and an e-Commerce DDoS protection infographic.

About Prolexic

Prolexic is the world’s largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world’s largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming, energy and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world’s first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida, and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

Article source: http://www.darkreading.com/management/survey-results-for-ddos-protection-servi/240164127

Cal Poly Announces Major New Initiative In Cybersecurity Education

SAN LUIS OBISPO — With the establishment of a Cybersecurity Center, the opening of a new cyber lab and the development of cybersecurity curriculum, Cal Poly is poised to become a leading supplier of cyber-ready experts, professionals and innovators.

Spearheaded by the College of Engineering, the major new educational initiative encompasses a comprehensive and collaborative program that spans the polytechnic university and partners with public and private organizations. The goals of the program include educating thousands of students in cybersecurity awareness and readiness; producing experts in cyber technologies and systems, including many professionals who will serve the military and defense industry; and graduating cyber innovators who are prepared for advanced study and applied research in emerging cyber issues.

The Cal Poly Cybersecurity Center serves as the nexus for a wide range of activities that involve faculty and students collaborating with experts from other academic institutions, private companies, defense industries and government agencies, and research labs. A nationwide search for a founding director of the Cybersecurity Center is now underway.

Part of the cybersecurity initiative, the Cal Poly – Northrop Grumman Cyber Lab is set to open for classes in January 2014. The undergraduate and graduate teaching facility — the first of its kind in the nation — was made possible by support from the Northrop Grumman Foundation.

With 32 workstations, projectors, presentation center and expansive whiteboard space, the lab will enable student and faculty experimentation in network security and cyber defense, exploitation, attack, research and development, analytics and visualization. The lab’s associated server center offers a robust research environment, including all of the elements of an enterprise-scale information technology operation.

Not only did the Northrop Grumman Foundation provide funding for hardware and software, but the company helped design the facility and sent Dale Griffiths, chief scientist in the Northrop Grumman Intelligence System Division in McLean, Va., to set up and configure the lab.

A unique aspect of the Cal Poly – Northrop Grumman cyber collaboration includes access via network connection to the Northrop Grumman Virtual Cyber Lab, thereby expanding educational and research capabilities for Cal Poly students and faculty.

“Our shared investment in the cyber lab will be the foundation for a meaningful cyber partnership between Northrop Grumman and Cal Poly,” said Ron Smith, Northrop Grumman Information Systems sector vice president for programs and engineering.

Cal Poly’s momentum in cybersecurity education builds upon an already-established focus in the area, including a two-year-old cybersecurity project lab established with funding from Raytheon. The company also sponsors White Hat, the Cal Poly student club dedicated to making the internet a safer place by protecting personal computers, private data and information systems.

The addition of Zachary Peterson to the faculty in fall 2013 ensures expansion of cybersecurity research and curriculum from entry-level to advanced, specialized topics. An expert in secure storage systems, applied cryptography, and law and policy, Peterson has received funding from the National Science Foundation for research in cybersecurity education. Cal Poly is now searching for another faculty member with expertise in secure infrastructure.

Future course offerings in cybersecurity may include cryptography engineering, study of cutting-edge malware research and analysis, and examination of the major controversies affecting today’s Internet resulting from the interplay of policy, law and technology.

“Whether you’re a private citizen, private company or government agency, cyber threats are a real and growing concern,” said Debra Larson, dean of Cal Poly Engineering. “Our cyber facilities and education offer every student the opportunity to learn about the risks associated with the use of cyber technology.

“More importantly, through Learn by Doing instruction, Cal Poly will educate the Day One-ready cyber experts who know how to defend, secure, tactically engage and restore the cyber-space. By partnering with businesses and government, we are creating a framework of education, applied research and public service that will benefit the nation.”

Article source: http://www.darkreading.com/management/cal-poly-announces-major-new-initiative/240164128

EU Cyber Security Agency ENISA Calls For Better Data Sharing And Interoperability Among CERTS

The EU Agency ENISA launches its new report “Detect, SHARE, Protect: Improving Threat Data Exchange among CERTs” on how to make threat data exchange easier and better between the “digital fire brigades” (i.e. Computer Emergency Response Teams, CERTs). The Agency concludes that improving information sharing must build on existing solutions and standardisation efforts in data exchange formats, so as to make them interoperable.

Despite fruitful cooperation, CERTs still face obstacles when it comes to the smooth exchange and sharing of security information. Legal and technical barriers as well as lack of interest from cybersecurity stakeholders regarding the sharing of information represent the key problems for the effective exchange of information.

The Executive Director of ENISA, Professor Udo Helmbrecht commented: “The increasing complexity of cyber-attacks requires more effective cross-border information sharing among Computer Emergency Response Teams. Effective information sharing saves time and effort in incident response and post-mortem analysis. It also increases synergies and aligns the best practices among the CERTs.”

Local detection, accompanied by trusted forms of information exchange, leads to the global prevention of cyber-attacks. It is thus very beneficial for the successful identification and subsequent handling of an incident if it has already been detected by another CERT and that information is shared. Moreover, much progress has been made recently in establishing national/governmental (n/g) CERTs in Europe to coordinate responses to cyber-attacks. As cyber-attacks are often global, it is crucial that incident responses are coordinated not only within national boundaries, but also on an international level. Therefore, secure and effective exchange of information concerning such incidents must take place. The report identifies the emerging tools and standards that would help CERTs with the efficient sharing of strategic incident information. ENISA has identified a set of recommendations for the CERT community and other security actors for better data exchange practices:

Facilitating adoption, interoperability and enhancing functionalities of Essential Tools for the CERT Community

Promoting the stability and continuity of incident feeds, which are often changed without prior notice

Promoting the use of standards for data exchange

Enhancing the functionality of existing tools regarding:

o Interoperability

o Automated incident correlation analysis

o Improved threat intelligence

o Advanced analytics and visualisation for massive numbers of incidents

The European Union, including ENISA, helps (n/g) CERTs in the process to facilitate the exchange among them of information on incidents. In 2014, ENISA will actively engage in supporting community driven projects helping CERTs to collaborate more efficiently.

For the full report: Detect, SHARE, Protect

Article source: http://www.darkreading.com/management/eu-cyber-security-agency-enisa-calls-for/240164135

Apple’s iOS 7.0.4 fixes a "too easy to buy stuff" security flaw

If you’re an avid iDevice user, you’ve probably already received Apple’s fourth bug-fix release of iOS 7, unsurprisingly named 7.0.4.

At an average of one update every two weeks since iOS 7 launched in September 2013, you might view this as a sign that Apple’s code quality has gone down, following the argument that more vulnerabilities needing patching must mean worse code.

We often hear this argument trotted out against other software vendors, with a count of known vulnerabilities used as an inverse measure of security.

On the other hand, you might view it as a sign that Apple is becoming more responsive to security issues by pushing out updates quickly, rather than waiting to bundle multiple fixes into a single patch.

Obviously, well-written software without security holes will never need updates, and will therefore rack up zero patches.

But it doesn’t work the other way around.

You can’t make poorly-written software secure by neglecting, or even refusing, to publish patches for it, so a low patch count can’t be used as a quality metric on its own.

And don’t forget that exploit-finding is now worth money, sometimes big money, so vulnerability counts are likely to rise, all other things – including software quality – being equal.

A lot of the coverage for the iOS 7.0.4 update has focused on a non-security bug fix in FaceTime, but there’s also an officially-listed security patch:

App and In-App purchases may be completed with insufficient authorization.

Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

As far as we can tell, this flaw doesn’t mean that you can buy stuff on someone else’s dime without knowing their password.

But it could allow purchases on your device to be approved unexpectedly (or unscrupulously), so it’s good to have it fixed.

Many users probably already have the update, or will want to grab it promptly.

The only users left in uncertainty here are those who are hoping to jailbreak their iOS 7 devices some time in the future.

The irony, of course, is that jailbreaking relies on experts finding an exploitable vulnerability that can be used to liberate your iPhone or iPad from Apple’s strict lockdown.

Word on the street seems to be that a jailbreak for iOS 7 is likely soon, and will probably work against versions up to iOS 7.0.3.

But Apple might quietly have found the same hole that the jailbreakers are working away at, and have fixed it in iOS 7.0.4.

Once you upgrade, you can’t – or you’re not supposed to be able to – downgrade, which is Apple’s way of stopping you jailbreaking newer iOSes by reverting to the buggy ways of older versions.

Some hackers are saying “not to worry,” because the changes in 7.0.4 are minor enough that they shouldn’t make any difference to the current progress towards iOS 7 “freedom.”

Until they’re sure iOS 7.0.4 is jailbreak-safe, though, some avid jailbreakers are likely to wait.

It’s a pity that Apple won’t embrace the jailbreaking community: Naked Security readers certainly seem to think they should.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zzdCALp8N6A/

US Homeland Security must disclose ‘internet kill switch’, court rules

A US court has given the government 30 days to come up with a decent reason not to disclose its plan for a so-called internet kill switch.

The Electronic Privacy Information Center (EPIC) has been trying to wrangle documents concerning the kill switch – officially known as Standard Operating Procedure 303 – from the tight grip of the Department of Homeland Security (DHS) since filing a Freedom of Information Act (FOIA) in July 2012.

Standard Operating Procedure 303 describes a shutdown and restoration process for wireless networks in the event of a national crisis that would prevent, among other things, the remote triggering of radio-activated explosives.

First, DHS said it couldn’t find any records on the kill switch.

EPIC appealed.

Next, the agency managed to locate the protocol, but it redacted nearly all of it.

DHS argued that the protocol is exempt from public disclosure because it discloses “techniques and procedures for law enforcement investigations or prosecutions” or could “reasonably be expected to endanger the life or physical safety of any individual.”

In the case of disclosing SOP 303, the government argued that “any individual” means anybody anywhere near an unexploded bomb.

The United States District Court for the District of Columbia rejected the agency’s arguments.

In its memorandum, the court wrote that the government’s interpretation of the law was a teensy bit broad, given that it could apply to everybody on the planet:

Indeed, if the Government’s interpretation were to hold, there is no limiting principle to prevent “any individual” from expanding beyond the roughly 300 million inhabitants of the United States, as the Government proposes here, to the seven billion inhabitants of the earth in other cases.

The court ordered DHS to release the records in 30 days but left the door open for the agency to appeal the ruling, given what it said was the potential impact on national security of releasing the protocol.

Civil libertarians are understandably unnerved by the idea of an internet kill switch.

After all, where does a government draw the line with defensive measures? Would the US government shut down only the government systems affected by an attack – be they systems running the traffic lights, or perhaps electrical and/or other power grids, for example – or would it shut down the whole internet?

And as Sophos’s Chester Wisniewski argued in a podcast a couple of years ago, Chet Chat #49, if we’re under attack over the internet, and that attack is disrupting essential systems, turning off the whole darn thing wouldn’t disrupt the problem.

It would just keep us all from accessing those very systems.

And as far as internet censorship goes, the Arab Spring showed the world how governments can use law, technology and violence to control what gets posted on and disseminated through the internet, as the people of Egypt, Libya and Syria saw their access shut down.

In Tunisia, the government didn’t shut down the internet – rather, it compromised its citizens’ Facebook and other social media accounts.

Which is worse? To know that access has been cut off, or to have credentials intercepted so governments can secretly spy on us?

Unfortunately, it’s not an either/or situation. We have both. We’re living in a world where both the internet kill switch and government surveillance co-exist.

Or are we?

Unless DHS appeals the decision, we should know, in 30 days, how real this internet kill switch is.

Image of big red button courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Xpy_sDIfWnM/

Forum software vendor vBulletin breached

According to its own website, vBulletin is “the world’s leading community software,” and many forums, message boards and social networking sites use it.

From time to time, vulnerabilities in vBulletin make the headlines because they catch out vBulletin customers who haven’t patched in time (or who are unlucky enough to be the first victims of a new security hole).

For example, the Ubuntu Forums website was taken over back in July 2013, and popular Apple-related site Macrumors was breached just last week.

Both of those sites, it seems, were vBulletin users.

Another high-profile vBulletin user, of course, is vBulletin itself…

…and you can probably guess where this is going.

You wouldn’t know anything was amiss from vBulletin’s main page, but a visit to vBulletin’s own forum reveals the sort of message that every forum operator hopes never to have to write:

Important Message Regarding Your Account

Often, what comes up when you click through to the message itself is the sort of platitude that call centres use when they claim “your call is important.” (So important that it has just been placed in a lengthy queue rather than actually answered.)

And vBulletin fell into that verbiage trap:

We take your security and privacy very seriously.

A touch of customer-facing advice, if I may.

If you are about to apologise to your customers for having been bad at security, don’t start off by praising yourself for being good at it.

Start off by apologising for having been bad at it.

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password.

You don’t need to use the word sophisticated.

It’s cold comfort to your customers, and all it really means is that you were less sophisticated than the crooks.

That doesn’t bode well for any claims you may make about defending successfully the next time there’s an attack.

Just say that you detected a breach, though sadly only after it had taken place.

Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.

Avoid saying the passwords were encrypted if they were hashed.

The last company that admitted its stolen passwords were “encrypted” was Adobe, and that didn’t end well. (The passwords were encrypted, rather than hashed, all with the same key, and in such a way that repeated passwords produced repeated ciphertext.)

Also, tell your customers how you hashed their passwords so they can form their own opinion about how likely it is that a cracker might recover those passwords by trial and error.

For example, the Ubuntu Forums hacker claimed that the stolen passwords in that breach were “encrypted [sic] with the default vBulletin hashing algorithm (md5(md5($pass).$salt))”, which means just two single-block MD5 calculations for every password trial.

Modern password crackers costing no more than $20,000 can compute hundreds of billions of MD5s per second.
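To make the “two single-block MD5 calculations” point concrete, here is an added example (written for this article, not vBulletin’s own code and not from the original post). It implements the md5(md5($pass).$salt) construction exactly as quoted above, with a constant-time verifier, and puts a slow, salted key-derivation function from Python’s standard library next to it so you can see the difference a work factor makes. The sample password and salt are constructed for the demo, and the PBKDF2 iteration count is an assumption chosen for illustration, not a vBulletin setting.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for the demo (not from any real breach).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = "Qz7k"


def inner_md5(password: str) -> str:
    """PHP-style md5(): the digest rendered as 32 lowercase hex characters."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def vbulletin_style_hash(password: str, salt: str) -> str:
    """md5(md5($pass).$salt) as quoted in the article.

    The inner MD5 of the password is rendered as hex text, the salt is
    appended to that text, and the result is MD5-hashed again. That is
    two single-block MD5 calls per guess and no tunable work factor.
    """
    return hashlib.md5((inner_md5(password) + salt).encode("utf-8")).hexdigest()


def verify_vbulletin_style(password: str, salt: str, stored: str) -> bool:
    # compare_digest keeps the comparison itself constant-time
    return hmac.compare_digest(vbulletin_style_hash(password, salt), stored)


# Slow, salted KDF from the standard library, shown for contrast.
# The iteration count is an assumption for this demo, not a vBulletin value.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt, iterations), stored)


def guesses_per_second(hash_fn, trials: int) -> float:
    """Rough single-core throughput of hash_fn, in password guesses per second.

    This only measures the defender's verification cost; a GPU cracker runs
    the MD5 scheme orders of magnitude faster, which is the article's point.
    """
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(f"guess{i}")
    elapsed = time.perf_counter() - start
    return trials / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    stored = vbulletin_style_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    print("vBulletin-style hash:", stored)
    print("correct password verifies:", verify_vbulletin_style(SAMPLE_PASSWORD, SAMPLE_SALT, stored))
    print("wrong password verifies:  ", verify_vbulletin_style("hunter2", SAMPLE_SALT, stored))

    salt = os.urandom(16)
    stored_kdf = pbkdf2_hash(SAMPLE_PASSWORD, salt)
    print("PBKDF2 verifies:", verify_pbkdf2(SAMPLE_PASSWORD, salt, stored_kdf))

    md5_rate = guesses_per_second(lambda p: vbulletin_style_hash(p, SAMPLE_SALT), trials=20_000)
    kdf_rate = guesses_per_second(lambda p: pbkdf2_hash(p, salt), trials=5)
    print(f"md5(md5(p).salt) guesses/s on this core: {md5_rate:,.0f}")
    print(f"PBKDF2-SHA256 ({PBKDF2_ITERATIONS} iterations) guesses/s: {kdf_rate:,.1f}")
```

Run it and the last two lines show why the salt alone doesn’t save the scheme: the salt stops one guess from being checked against every user at once, but each guess still costs two MD5 calls, whereas the PBKDF2 verifier deliberately costs hundreds of thousands of hash operations. Telling customers which of these two you used is exactly the information the paragraph above says they need.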

The breach notification ends like this:

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose [sic] a password that you are not using on any other sites.

That’s good advice, and given that vBulletin has just apologised for poor security of its own, I can fully understand why the company wasn’t more forceful here.

However, I’ll be more forceful on vBulletin’s behalf:

Do not choose a password that you are using on any other site. ONE ACCOUNT, ONE PASSWORD.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/tPsXbV98W54/

FBI: Anonymous has been exploiting Adobe flaws in year-long, ongoing assault on US government sites

Hackers aligning themselves with the Anonymous brand have been using a flaw in Adobe’s software to launch a year-long series of attacks on US government computers that the FBI believes is still ongoing, according to Reuters.

A memo sent out by the US Federal Bureau of Investigation (FBI) on Thursday described the attacks as “a widespread problem that should be addressed”, according to the news agency, which says that it’s seen the memo.

The FBI said that the hackers exploited a flaw in Adobe’s software to breach the US Army, Department of Energy, Department of Health and Human Services, and what ongoing investigations may reveal to be many more federal agencies.

The cyber break-ins began almost a year ago, in December 2012, and included the installation of “back doors” that would enable intruders to get back into the systems as recently as last month, the FBI said in the memo.

Officials linked the ongoing assault with Lauri Love, a British man who in October was charged with hacking into the computer systems of the US army, NASA, and many other federal agencies.

Investigators believe the attacks began when Love and others took advantage of a security flaw in Adobe’s ColdFusion web application development platform.

Reuters also referred to an internal email dated 10 October from Energy Secretary Ernest Moniz’s chief of staff, Kevin Knobloch.

The email described the breached data as including the personal information of at least 104,000 employees, contractors, family members and others associated with the Department of Energy, along with information on thousands of bank accounts.

Officials are reportedly “very concerned” that loss of the banking information could lead to attempts to swindle funds out of accounts.

Some of the breaches and pilfered data in this campaign have been publicized by self-proclaimed Anonymous members, as part of what the group calls “Operation Last Resort”.

Operation Last Resort purportedly demands that the US reform its computer crime law in the wake of Aaron Swartz‘s suicide.

Attacks carried out under the operation may have included the February 2013 hack of the US Federal Reserve during the Super Bowl, which might have also been enabled by ColdFusion vulnerabilities.

Other Operation Last Resort attacks, which began about a year ago, involved installing the Asteroids game on hacked sites belonging to US sentencing and probation agencies.

Besides such publicized intrusions, however, lies an undetermined number yet to be discovered, the FBI wrote in its memo:

The majority of the intrusions have not yet been made publicly known. It is unknown exactly how many systems have been compromised, but it is a widespread problem that should be addressed.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RhaBvFKWDqc/