There’s been a lot of light and heat in the last week when it comes to the U.S. government and cyber security. After all, President Obama just released his Executive Order on cyber security, which puts an emphasis on identifying and protecting critical infrastructure and, just maybe, pushes the sprawling federal bureaucracy towards better security practices. But a just-released report from the Government Accountability Office (GAO) makes clear that, in the big scheme of things, the Executive Order is just window dressing on the mess that is the Federal Government’s handling of cyber security. The report, GAO-13-187 (PDF), is a round-up and updating of previous reports that studied aspects of federal cyber security as they affect a wide range of federal agencies. The GAO’s conclusion? Uncle Sam has made negligible progress towards improving the security of its information systems, and has little to show in key areas such as responding to […]
SCADA – ICS
UPDATE: Vulnerability In EAS To Blame For Fake Zombie Apocalypse Warning?
Editor’s Note: Updated to include information on the brand of EAS device that was compromised. – PFR 2/14/2013 OK – the good news is that the dead aren’t rising from their graves and the Zombie Apocalypse hasn’t begun (yet…). The bad news: a phony EAS (Emergency Alerting System) warning about just such a cataclysm earlier this week may have been the result of a hack of what one security researcher says are known vulnerabilities in the hardware and software that is used to distribute emergency broadcasts to the public in the U.S. The warning from Mike Davis, a Principal Research Scientist at the firm IOActive, comes just days after unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims […]
Obama CyberSecurity Order Puts Infrastructure Owners On Notice
President Barack Obama issued a long-anticipated Executive Order for improving the nation’s cyber security late Tuesday. The Order, released on the same evening as President Obama addressed both chambers of Congress with his State of the Union Address called cyber attacks “one of the most serious national security challenges we must confront,” and put public and private owners of critical infrastructure in the U.S. on notice that they would need to work closely with the government to reduce the risk of crippling cyber attacks. President Obama issued the Order after Congress failed, in its last session, to agree on comprehensive cyber security legislation. Negotiations over the bill broke down over Republican amendments to a Democratic sponsored bill and concerns from the business community about the cost of complying with some of the more controversial provisions. Among those: a requirement that the Department of Homeland Security be able to audit […]
For Industrial, Medical Systems: Bugs Run In The Family
On the surface, the kinds of industrial control systems that run a power plant or factory floor are very different from, say, a drug infusion pump sitting bedside in a hospital intensive care unit. But two security researchers say that many of these systems have two important things in common: they’re manufactured by the same company, and contain many of the same critical software security problems. In a presentation at gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms. The research suggests that lax coding practices may be institutionalized within the firms, amplifying their effects. Rios (@xssniper), a security researcher at Google, and McCorkle (@0psys), the CTO of SpearPoint […]
In Iran, New Data Wiping Malware on the Loose
Iran’s Computer Emergency Response Team (IR-CERT) issued a warning on Sunday about a newly discovered malicious program that is erasing hard drives on infected systems in that country – just the latest data-destroying malware to appear there. IR-CERT said that an investigation by its Maher center found that the malware “wipes files on different drives in various predefined times,” including disk partitions and user profiles. However, the malware isn’t widespread and doesn’t appear linked to “other sophisticated targeted attacks,” the alert said – in a possible reference to the Stuxnet and Flame malware, both of which targeted Iranian critical infrastructure. Subsequent analysis by independent security firms confirmed most of the details of the IR-CERT warning. Writing on Monday, Jamie Blasco of the firm Alien Vault said the malware was “just another wiping malware” and “very simple,” and could have been delivered in a variety of ways – from USB drive […]
