Tuesday, May 29, 2007

New mailing list on SCADA security and IT/infosec in relation to Critical Infrastructure

I've started a mailing list on SCADA security, "cyber security", and IT/infosec in relation to Critical Infrastructure. It already has a number of good, initiated members from academia, vendors, users, government agencies, etc.

Drop me a note at rom * romab * com if you are interested in participating.

An explicitly vulnerable Linux

Someone pointed me to a new Linux distribution, http://www.damnvulnerablelinux.org. The distribution is a derivative of the Damn Small Linux suite. It is a tool for IT-Security & IT-Anti-Security and Attack & Defense. It was initiated for training tasks during university lessons.

On the Internet, this was just bound to happen....

Monday, May 28, 2007

A different approach to wardriving Bluetooth security

The guys in the BlueBag project have done some interesting work with their trolley. Check out their article in the excellent IEEE Security & Privacy magazine. The same guys also did a presentation on the subject at Black Hat '06.

Calendar with a comprehensive compilation of security conferences and seminars

I've compiled an iCal calendar with most known major IT security, infosec, network security and cryptography related conferences and events. I've made a public web version available here.

A known defect is that iCal doesn't provide a good URL field (to the conference) in the exported version. I will try to add these manually in the comment field in upcoming releases.


The Browns Ferry incident

The reactor of an Alabama nuclear power plant, Browns Ferry, Unit 3, was shut down on August 19, 2006 as a result of a failure of a device, a special type of PLC. What's interesting about this shutdown is that the report of the incident actually pinpoints IT-related errors, i.e. network overload, as the root cause. The report states that there was an Ethernet network installed that was to blame. This is the really, really interesting part. In a nuclear plant, there should not be a design or implementation that could fail like this.

The incident log is available here, and a full report from the Nuclear Regulatory Commission (NRC) is available here.

As a result of this incident, Committee on Homeland Security Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a letter to Dale E. Klein, Chairman of the U.S. Nuclear Regulatory Commission, regarding cybersecurity at the nation’s nuclear power plants. One interesting excerpt of the letter is the following:

We have deep reservations about the NRC’s hesitation to conduct a special investigation into this incident. First, although NRC regulations only specify cyber requirements for safety systems, it is clear from the Notice that the disruption of a non-safety system can impact a plant’s safety systems. The manual scram by the operators was the only reason that the excessive network traffic in this incident did not trigger a scram by the plant’s safety systems. It is clear, therefore, that a nuclear plant’s safety systems are directly impacted by the security of its non-safety systems; a weakness or vulnerability in the non-safety network can disrupt operations and trigger a safety system shutdown.

The letter ends with seven important cybersecurity questions that the Committee requires the NRC to answer.

Details on this incident are still very scarce, with a lot of interpretations by different journalists, experts, and others. We'll probably see over time what really was the source of the problem. The SCADA security bloggers at DigitalBond have several more interesting comments on the incident.

The attacks on Estonia

This post is to summarize the attacks last month on the digitally interconnected parts of one of Sweden's neighboring countries, Estonia.

The network attacks, different types of DoS and DDoS attacks, have spurred a flood of articles in newspapers and magazines. The attacks against Estonian Web sites started after the April 27 removal of a statue known as the Bronze Soldier, an old Soviet monument. The attacks have been seen on and off for close to a month.

InfoWorld had an article on the subject of picking someone your own size. In the Washington Post they quote the Estonian defence minister saying: "We identified in the initial attacks IP numbers from the Russian governmental offices". If it's true, that assault, and the way it was initially executed, is really bad politics.

There have been several longer articles on the recent events. The well known magazine The Economist pointed out in an article titled Newly nasty with subheading Defences against cyberwarfare are still rudimentary that:

For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia's efforts to make its case abroad.

Many accusations are pointing to Russia, but there is not very much (yet) in the news to give any clear indication of who, what or where the attacks are ultimately directed from. The head of the Estonian CERT, Hillar Aarelaid, made an Estonian government web. Even the Estonian defense minister made some strong comments, according to the article Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks in The Sydney Morning Herald:

"The EU and NATO need to work out a common legal basis to deal with cyber attacks. For example, we have to agree on how to tackle different levels of criminal cyber-activities, depending on whether what we are dealing with is vandalism, cyber-terror or cyber-war," he [Hillar Aarelaid, head of CERT-EE] said.

The article also notes that the NATO defence ministers will discuss cyber defence at a meeting in Brussels in June. It might be both good and bad to have the big players starting to take an interest in this area. Probably mostly bad, since the questions will get out of the hands of skilled people and into the hands of politicians.

On the positive side, there are two good articles on the subject from two Internet gurus. Kurt-Erik "kurtis" Lindqvist has a very good writeup on the whole situation, Real lessons learned from the attacks on Estonia. Patrik "paf" Fältström has a shorter, but more graphical, overview of the situation. These statements certainly show how much the media manage to twist a covered story away from the original story.