February 20, 2010 | Posted by Dave Earlier this week I hosted a webinar entitled “Inside the Mind of a Hacker”. During this hour long broadcast we discussed; How a Hacker thinks, What are a Hackers goal, and the tools of a Hacker. We concluded the Webinar with a demo of a Trojan.
The webinar can be found on Parameter’s website or by Click Here.
Categories: Original, Viruses, compliance | 
Tags: chronister, trojans, webinar | 
No Comments »
November 12, 2009 | Posted by Dave I apologize for delays in new post, business has been well keeping me busy. 2010 I hope to update more regularly. Until here is an article I wrote for security magazine in 2008. I hope you enjoy.
by Dave Chronister
April 1, 2008
Technology’s ever-growing importance is a mixed blessing.
On one hand, it keeps me employed, but many times I will find myself talking about “new threats” that aren’t really new, they are just finally coming to the public’s attention.
The issue “de jour” is identity theft, and, according to the general public, this never happened until the TJ Maxx break in. Am I the only one who watched Sandra Bullock in “The Net?” Granted this movie was a little far-fetched — I mean, come on, ordering a pizza online? But there we were in the mid-1990s watching a movie about a recluse woman whose identity was stolen in order to cover up a major conspiracy. Now, 13 years later, we live in a world where it seems the only data leak to worry about is consumer information.
Doesn’t a company with revolutionary ideas worry about corporate espionage and loss of trade secrets? Shouldn’t a publicly traded company need to ensure its financials are not released prematurely?
In reality, security professionals have to deal with data of different levels of security, much of which is unknown to even them. So while the rest of the world is focused on the little old ladies’ Social Security numbers, let’s look at the best strategies on keeping our sensitive information in our castle’s keep and maybe even use the identity theft hysteria to our advantage.
The decentralization of a company’s data stores and multiple facets of data retrieval have rendered the security strategy of building a bigger outside wall obsolete. A silver-bullet solution will eventually become an Achilles’ tendon. Instead, you want to go for layers, defense in depth. Structure your security solutions to identify threats, guard against automated scans, and slow down and report possible intrusions. In the event of a successful attack, ensure containment and, if possible, identify the offenders of the data loss.
Let’s take a look at a few weapons that you may want to put in your arsenal.
First, there are network traffic analyzers — and we are not talking about your network administrator’s wire shark system. These analyzers will examine the content and determine if sensitive data may have been sent out to unauthorized recipients. Many traffic analyzers will even determine if information is being sent to correct destinations but over incorrect channels, say instant messaging or IM, or to the public network unencrypted.
The obvious concern with this technology would be the potential bottleneck that you would face even on a small network. Global Velocity, one of the newer companies in this realm, is about to release a hardware-based content analyzer that it claims can process 10gbps. The potential is a godsend, but it isn’t without limitations. It can only analyze clear text. Someone sending out binaries, say screen prints, or encrypted traffic, such as a virtual private network or VPN stream, would not be analyzed. It also only handles traffic heading out of your network to other networks either public or private.
This doesn’t address other avenues of “data escape,” such as mobile devices and USB keys. There are multiple solutions to this problem, from physical USB locks to software solutions, such as Devicewall’s Centennial, which can block various types of USB devices, such as MP3 players or PDAs, and provide a complete audit trail. Microsoft shops could even use network policies to lock USB ports.
Speaking of policies, let’s take a quick look at your greatest weapon and your worst enemy: The User.
Sometimes it may seem a better idea to give flamethrowers to your local Cub Scout troop than to depend on John Q. User to ensure the integrity of your data. No matter how much you secure your sensitive data, the simple fact is your employee will be retrieving and writing this data on a daily basis. You need to ensure your security awareness program prepares them to handle the various aspects of social engineering as well as prevent accidental data leaks. After all, hackers are targeting the secretaries, not the Certified Information Systems Security Professionals or CISSPs. Computer-based training and posters should be part of your program, not the entire program.
Finally, getting upper management’s buy-in to the cost of data protection in money and manhours can be a daunting task. The horror stories of other data breeches as well as the projected cost to a business for identity theft can be used as a case study during your presentation. If that doesn’t work, maybe you can bust out your VCR and hope Bullock’s stellar performance in “The Net” does.
http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000298345
Categories: Best Practices, Original, compliance | Tags: business professionals, cyber security, identity theft, security awareness training | 1 Comment »
May 8, 2009 | Posted by Dave Note from Dave: Soon I hope to start writing some more original content, until then I will continue to post hacker related news on here. The reason I am post these articles is simple, Cyber Security is not an option. Many businesses get it, others not so much. If the FAA and the Pentagon can be successfully hacked, how safe do you think you really are? Better to understand your weaknesses and try to mitigate those vulnerabilities than to put you head back in the sand.
Dave
Hackers have broken into the air traffic control mission-support systems of the U.S. Federal Aviation Administration several times in recent years, according to an Inspector General report sent to the FAA this week.
In February, hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, on 48,000 current and former FAA employees, the report said.
Last year, hackers took control of FAA critical network servers and could have shut them down, which would have seriously disrupted the agency’s mission-support network, the report said. Hackers took over FAA computers in Alaska, becoming “insiders,” according to the report dated Monday.
Then, taking advantage of interconnected networks, hackers later stole an administrator’s password in Oklahoma, installed “malicious codes” with the stolen password and compromised the FAA domain controller in the Western Pacific Region, giving them the access to more than 40,000 FAA user IDs, passwords, and other data used to control a portion of the mission-support network, the report said.
And in 2006, a virus spread to the air traffic control (ATC) systems, forcing the FAA to shut down a portion of its systems in Alaska, according to the report.
The attacks so far have primarily disrupted mission-support functions, but attacks could spread over network connections from those areas to the operational networks where real-time surveillance, communications and flight information is processed, the report warned.
“In our opinion, unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations,” the report concluded.
An audit of the FAA’s air traffic control cybersecurity protection measures finds them lacking and says there have been several breaches by hackers and a virus.
(Credit: U.S. Department of Transportation, Office of Inspector General)
The breaches were possible because Web applications that support the air traffic control system operations are not properly secured to prevent unauthorized access and network intrusion-detection software is not adequately being used to monitor and detect cyberattacks, the report concluded.
The FAA’s increasing use of commercial software and Internet Protocol-based technologies as part of an effort to modernize the air traffic control systems poses a higher security risk to the systems than when they relied primarily on proprietary software, the report said.
“Now, attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, which is especially worrisome at a time when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks,” the report said.
In general, the nation’s critical infrastructure is increasingly at risk as previously isolated and closed systems are moved to the Internet and commercial software, like Windows, is used, security experts have said.
The air traffic control system auditors said they discovered more than 760 high-risk vulnerabilities in the Web applications tested, including holes that provided “front-door access” to the systems and could allow attackers to inject malicious code onto FAA user computers. Web applications were not adequately configured and the applications with known vulnerabilities were not patched in a timely manner, auditors found.
Meanwhile, intrusion detection systems (IDS) are deployed at only 11 of hundreds of air traffic control facilities and none of the IDS sensors is installed to monitor operational systems at those sites, the report said. Cyber incidents are not effectively monitored or fixed quickly, the report concluded.
In 2008, more than 870 cyber incident alerts were issued to the organization responsible for air traffic control operations and by the end of the year 17 percent (more than 150 incidents) had not been remediated, “including critical incidents in which hackers may have taken over control” of operations computers, the report said.
The FAA is “identifying and fixing weaknesses,” FAA spokeswoman Laura Brown told The Wall Street Journal. “We are working on developing security architecture for that whole system.”
However, Brown dismissed the notion that hackers could get access to critical air traffic control operational systems.
The audit of the air traffic control systems was requested by the ranking minority members of the House Committee on Transportation and Infrastructure and its Aviation Subcommittee.
Categories: Recent News, compliance | Tags: cyber security, cyber threats, data breech, FAA, hacker, pentagon, spy, theft prevention | No Comments »
April 8, 2009 | Posted by Dave WASHINGTON — Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”
The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”
Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.
Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”
Officials said water, sewage and other infrastructure systems also were at risk.
“Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,” Director of National Intelligence Dennis Blair recently told lawmakers. “A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”
Officials cautioned that the motivation of the cyberspies wasn’t well understood, and they don’t see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.
But protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.
Overseas examples show the potential havoc. In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks, rivers and the grounds of a Hyatt hotel.
Last year, a senior Central Intelligence Agency official, Tom Donohue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.
The U.S. electrical grid comprises three separate electric networks, covering the East, the West and Texas. Each includes many thousands of miles of transmission lines, power plants and substations. The flow of power is controlled by local utilities or regional transmission organizations. The growing reliance of utilities on Internet-based communication has increased the vulnerability of control systems to spies and hackers, according to government reports.
![[Chart]](http://s.wsj.net/public/resources/images/P1-AP393_CYBER_NS_20090407224833.gif)
The sophistication of the U.S. intrusions — which extend beyond electric to other key infrastructure systems — suggests that China and Russia are mainly responsible, according to intelligence officials and cybersecurity specialists. While terrorist groups could develop the ability to penetrate U.S. infrastructure, they don’t appear to have yet mounted attacks, these officials say.
It is nearly impossible to know whether or not an attack is government-sponsored because of the difficulty in tracking true identities in cyberspace. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia.
Russian and Chinese officials have denied any wrongdoing. “These are pure speculations,” said Yevgeniy Khorishko, a spokesman at the Russian Embassy. “Russia has nothing to do with the cyberattacks on the U.S. infrastructure, or on any infrastructure in any other country in the world.”
A spokesman for the Chinese Embassy in Washington, Wang Baodong, said the Chinese government “resolutely oppose[s] any crime, including hacking, that destroys the Internet or computer network” and has laws barring the practice. China was ready to cooperate with other countries to counter such attacks, he said, and added that “some people overseas with Cold War mentality are indulged in fabricating the sheer lies of the so-called cyberspies in China.”
Utilities are reluctant to speak about the dangers. “Much of what we’ve done, we can’t talk about,” said Ray Dotter, a spokesman at PJM Interconnection LLC, which coordinates the movement of wholesale electricity in 13 states and the District of Columbia. He said the organization has beefed up its security, in conformance with federal standards.
In January 2008, the Federal Energy Regulatory Commission approved new protection measures that required improvements in the security of computer servers and better plans for handling attacks.
Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.
Specialists at the U.S. Cyber Consequences Unit, a nonprofit research institute, said attack programs search for openings in a network, much as a thief tests locks on doors. Once inside, these programs and their human controllers can acquire the same access and powers as a systems administrator.
The North American Electric Reliability Corporation on Tuesday warned its members that not all of them appear to be adhering to cybersecuirty requirements. Read the letter.
The White House review of cybersecurity programs is studying ways to shield the electrical grid from such attacks, said James Lewis, who directed a study for the Center for Strategic and International Studies and has met with White House reviewers.
The reliability of the grid is ultimately the responsibility of the North American Electric Reliability Corp., an independent standards-setting organization overseen by the Federal Energy Regulatory Commission.
The NERC set standards last year requiring companies to designate “critical cyber assets.” Companies, for example, must check the backgrounds of employees and install firewalls to separate administrative networks from those that control electricity flow. The group will begin auditing compliance in July.
—Rebecca Smith contributed to this article
Categories: Recent News, compliance | Tags: chinese, cyber strategies, cyber threats, pentagon, security, spy | No Comments »
