Thread: Security News
-
08-05-2011, 06:44 AM #1
Professional Member
- Join Date
- Oct 2003
- Location
- Minnesota
- Posts
- 1,125
Security News
Chuckle,
Doing my morning reading of the news and ran across these.
Most everyone here is aware of this story about the Stuxnet worm which targeted certain Siemens industrial control systems.
http://www.computerworld.com/s/artic...strial_systems
But, of course, few really cared as it seemed to be a targeted attack against Iranian nuclear facilities.
Always in the news are folks like the Anonymous and LulzSec groups.
But McAfee notes that the two above groups are largely amateurish and relatively harmless in the larger scheme of things.
Of more interest and concern are things like this:
http://www.zdnet.com/blog/btl/has-th...l-harbor/53901
The above is a short synopsis of a McAfee report. The White Paper from McAfee is available on line.
Note that McAfee only mentions a SMALL number of the overall findings they made.
The interest here is that the intrusions appear to be planned, long term, and likely backed by someone (or some government) with plenty of cash and resources. And often times the victims don't even know they've been had.
Other interesting (to me) reports.
Scada systems:
http://news.cnet.com/8301-27080_3-20...?tag=mncol;txt
Is your car vulnerable?
http://news.cnet.com/8301-27080_3-20...?tag=mncol;txt
Do you have diabetes or wear a pacemaker?
http://news.yahoo.com/insulin-pumps-...100605899.html
However, in general recent articles suggest good news.
Attacks against Microsoft based systems are down, and those against Apple's iOS, Linux, and Android systems are up ... in a major way.
Ain't it a wonderful world?
LOL ...
As to how it directly concerns those of us in our line of work, I was just thinking that if someone were able to hack into my work laptop, and had any clue as to what they were doing, I have info on it that could allow access and control remotely of literally hundreds of buildings.
Not a lot of chance of that. For one, the targets presented are not particularly high value targets. Secondly, besides the security software always running on my laptop (kept updated) I also routinely do manual checks to see if anything is doing something I don't know about. I also avoid doing anything with the work laptop to increase its vulnerability like using it to look at unknown/untrusted sites, never open emails with it except for those related to business through our company secure email service, etc.
We recently, last year, made sure that NO sites we install or have installed in the past have the factory default passwords enabled.
A site where I stash some stuff that might be interesting to some folks.
http://cid-0554c074ec47c396.office.l...e.aspx/.Public
-
08-10-2011, 10:31 AM #2
Professional Member
- Join Date
- Aug 2010
- Posts
- 27
Osiyo,
Have followed Stuxnet for a while so I read all of the links with interest. Anon & Lulz grab the headlines, but for as much "damage" as they have been doing, they aren't the real players.
One of the articles (or one I clicked through to) talked about using Google to find SCADA systems - I spent about 2 minutes to figure out how, then proceeded to come up with Google results for dozens & dozens of Niagara log-ins.
I hope everyone else has sufficient understanding of how simple some of these exploits are, and how damaging (even if just to our reputations, let alone our customers' operations) the results could be.
Our policy has been to use strong passwords, especially for systems "in the open".
Yes, wonderful world indeed...
-
08-10-2011, 04:57 PM #3
Interesting TED video on the subject of viruses that touches on Stuxnet, very well presented (18 min):
http://www.ted.com/talks/mikko_hyppo...g_the_net.html
and no, he doesn't have a 5¼ in. floppy drive on his laptop... almost fooled me.
-
11-18-2011, 03:48 PM #4
Professional Member
- Join Date
- Aug 2010
- Posts
- 27
Here's some more news relating to this topic:
http://www.cnn.com/2011/11/18/us/cyb...tml?hpt=hp_bn2
Seems like mischief at best and sabotage at worst is well on its way. Batten down your hatches (read BAS systems!)
-
11-18-2011, 06:01 PM #5
Professional Member
- Join Date
- Oct 2003
- Location
- Minnesota
- Posts
- 1,125
Yep, seen the article in another source besides CNN.
I kinda follow this sort of thing, as a matter of interest. Old HACKER here. Used to love hacking into systems. Just as a challenge. Tho I never did anything to damage someone else's system.
Well, depending upon what one calls "damaging".
i.e. Once hacked a government system, just so as to make it such that every time a particular person logged on he got the "one finger salute". (I didn't care for that fellow much, you may correctly assume)
Or the time I hacked a government system so as to allow me to control the computer that decided as to whether or not I should be allowed to make a long distance call at government expense. But only did that a couple times, just to prove I could do it.
A few times hacked into and modified a system belonging to an employer, a major international telecom, just to keep their IT folks on their toes. They kept announcing they'd made their system "bullet-proof". I kept pointing out that they were wrong. Wayyyyy wrong. It was so easy it was ridiculous.
But I didn't do anything except modify some log-in scripts those IT folks used to announce "You've been HAD." Then script went about business as usual.
The thing is, many ... MANY systems are really open and vulnerable. They haven't been "hit" solely because the average hacker just hasn't been trying. No reason to bother. Pretty uninteresting stuff to most.
That may change.
-
11-09-2012, 08:33 AM #6
Professional Member
- Join Date
- May 2009
- Posts
- 552
Stuxnet still around.
http://blogs.wsj.com/cio/2012/11/08/...ns-it-network/
Scott Jalbert
Harris Integrated Solutions
Formerly Liebert (Emerson Network Power)
Expressed opinions are my own
-
11-21-2012, 09:44 PM #7
Professional Member
- Join Date
- May 2009
- Posts
- 552
Security firm finds SCADA software flaws; won't report them to vendors
http://www.computerworld.com/s/artic...hem_to_vendors
Scott Jalbert
Harris Integrated Solutions
Formerly Liebert (Emerson Network Power)
Expressed opinions are my own
-
11-22-2012, 06:24 PM #8
Of course not, these flaws are good money.
1. Hackers sell them.
2. Security companies can sell "protection" that no one else can offer.
3. New to the arena, governments can use them against each other.
If they get released and fixed, that kills the profit of #1 & 2, and costs #3 more money to find more flaws.
I wonder how much #3 is funding #1 & 2??
It's a sick game.
Propagating the formula. http://www.noagendashow.com/


