Secure Tomorrow: Kevin Blanchard's Information Security Blog: August 2007

August 24, 2007

America's Hackable Backbone

Forbes is running an interesting article right now about the weaknesses in many of the critical points in our country's infrastructure.

"The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise."

"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"


It's a dangerous combination: unpatched and outdated control software, plus a poor understanding of needed security and a splash of good old-fashioned US ego(tm). The Achilles' heel in many of these cases is the Supervisory Control and Data Acquisition software, or SCADA. With more and more of our infrastructure connected to the internet, and vendors making it difficult or impossible to patch SCADA software, key locations within our infrastructure are at serious risk.

This article covers the problem but doesn't go into solutions. Security is, or at least should be, a multi-layered approach. For the incident in the article, it seems the nuclear power plant was incredibly vulnerable. I imagine the security put in place was far below what most of us would consider adequate for a mid- to large-sized company, much less a nuclear power plant. Hopefully articles like this will open more eyes to how vulnerable we really are. Whether it be a terrorist attack, the Russian mafia, or just another nasty worm like Slammer, we need to start looking at ways to seal these huge gaps in security in a consistent and secure manner, especially when it comes to critical pieces of our country's infrastructure.

August 23, 2007

Syndication issues

Just a heads up to my readers: old posts are randomly showing up on LiveJournal today (via the RSS syndication feature). I don't know if it's on LiveJournal's side or a problem with Blogger. I am looking into it. My apologies if it causes any of you any confusion. In the next couple of days, if you see any posts that seem outdated, they probably are. But if you are a new reader, take this chance to catch up on some of the old posts from my archive making a mysterious reappearance.

CyberSpeak Podcast

For many of you reading this, the CyberSpeak Podcast is a regular addition to your iPod podcast playlist. For those of you just getting into infosec, you may not have heard of these guys. From their official description, "Hosted by two former federal agents who investigated computer crime, this is a technology Podcast covering Computer Security, Computer Crime and Computer Forensics Topics." A friend and peer of mine back home in DC turned me on to this podcast back in 2005. I have been hooked ever since. These two guys really know their stuff, and present it in an easily digestible format for a wide range of listeners. Whether you are working in the infosec trenches day to day or just picked up your first CISSP book hoping to move from another area of IT, I think you will find the podcast both enjoyable and educational.

To subscribe to the CyberSpeak podcast via iTunes, you can use this link: CyberSpeak Podcast.

August 22, 2007

Monster gets hacked

Pretty much anyone who has ever been unemployed in the past 10 years has probably set up an account on Monster.com at one time or another. Symantec is reporting they found a new Trojan called Infostealer.Monstres. Its sole purpose seems to be to use compromised employer accounts to harvest personal information of anyone who has a visible job profile on Monster. At the time of discovery by Symantec, the remote server collecting the hacked information had already collected 1.6 million entries with personal information belonging to several hundred thousand people.

I have included a link to the full article if you are interested in reading all the details. I will leave you with a great bit of knowledge from the article, the importance of which I cannot emphasize enough.

"To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate."

Full Article Link

I blew the dust off and found a blog here

I know the blog has been neglected a tad. I am still in the trenches working on security issues, but in an Operations environment now, a much different environment from the Engineering and R&D environments I had been doing my security work in during the past several years. I hope to be able to do at least weekly posts in here, sharing or discussing current security-related issues with my readers.


 
