Sunday, March 22, 2009

How Smart is Your Grid?


My latest post over at Liquidmatrix Security Digest:

So in utter disregard for buzzwords, CNN Homeland Security Correspondent Jeanne Meserve has delved into James' land of cyberdouchery. The article, entitled "Smart Grid may be vulnerable to hackers," briefly discusses the United States and its respective power companies anxiously deploying a high-tech power grid while simultaneously raping the words "cyber" and "smart".

Power companies are installing new automated meters at an astonishing rate, which seems to be the first step in the rollout. The eventual goal is to improve electricity efficiency and reliability using sensors on your home meters that talk back to the power grid. President Obama is on board, dishing out $4.5 billion towards all this.

So where does the problem lie?

Well, some interesting quotes throughout the article define the issue very clearly. One of our friends at InGuardians, Ed Skoudis, chimed in stating,
"I think we are putting the cart before the horse here to get this stuff rolled out very fast."
Also, Matt Spaur, a product marketing analyst, added my favorite tidbit,
"Any network can be hacked."
All in all, this is obviously a huge security issue, and if you even remotely (no pun intended) glanced at Live Free or Die Hard you'd get the picture. Electric grids are already "hackable"; you just have to not be afraid of heights and be a huge fan of rubber. The automation wouldn't necessarily create many new vulnerabilities, but it would most definitely increase the risk by increasing the likelihood and severity of exploitation.

With this system in place there really is no room for "roll it out and patch it later." We can all hope that the money makers take their time on this one and do it right.

Article Link

Wednesday, March 18, 2009

Comcast


My latest post over at Liquidmatrix Security Digest:

Earlier this week it was reported that a list of Comcast customers' usernames and passwords, 8,000 entries long, was exposed on a public website for at least two months. A man by the name of Kevin Andreyo, who works as a professor at Wilkes University, came across the list while performing a search for his own personal e-mail address. The search dug up a website called Scribd, a document sharing site, which housed the list of 8,000 usernames and passwords, including Mr. Andreyo's.

Reportedly the list had been viewed "over 345 times and downloaded 27 times." This in and of itself is a relatively small number, but it means that the list is still out there and can be shared again or even added to.

A spokesperson for Comcast commented stating that the list contained only 700 active accounts and that the rest were either dead or not Comcast customers. She also stated she does not believe the breach came from within the company because the manner in which the list was created was sloppy.

Comcast can downplay this as much as they'd like, but it sounds to me like at least 345 people got their hands on a seriously dangerous resource. At the safest end of the spectrum of what could happen with this, people can add to their lists of known usernames and, more importantly, lists of known passwords. I've seen what a wordlist compiled of actual passwords can do, and 8,000 attempts would fly by in less than 3 or 4 seconds.

Also, if only a fraction of the items on the list were Comcast customers, what were the other items customers of? Chase? Bank of America? AIG executives?

I guess it’s just a good thing that it was only up for two months, as far as we know, even though that is two months too long.

Article Link

Sunday, March 15, 2009

Google Rains on Cloud Users...

My latest post over at Liquidmatrix Security Digest:

I came across some interesting stories about the almighty Google cloud features in the past couple of days. The first was about Gdrive, a specific example of the broader idea of online storage space. This idea is growing ever more popular now that the "cloud" is becoming a buzzword in the community, and Google is taking another step towards being the almighty one. This is an old idea done a new way, most likely with lots of Google flair such as booting from an online hard drive and automated backups.

Very interesting ideas that people are of course very excited about, but leave it to the security people to kill the hype.

If done right this would be a great service, just as network share drives with group or personal permission folders are great on closed networks. But an interesting point was discussed on a recent episode of Diggnation when Kevin Rose spoke of a certain targeting problem. In general the everyday user of this service would most likely be left alone, but what about people more under a public spotlight? Kevin referred specifically to him or his co-host Alex putting up personal photos that some hacker-savvy fan would love to get their hands on. Even without the ability to gain access to the drive, a MITM attack would be very feasible, as demonstrated on Gmail with The Middler at Shmoocon.

As for the confidence in Google and its ability to protect your privacy, I stumbled across another article about a Google Docs sharing bug. Google has sent a letter to users who have been affected by this bug explaining that some of their documents were shared with previous collaborators without their knowing it.

Alice: "Honey, who is this Eve woman and why are we working on a list of gifts for her?"

Bob: "..."

Actual letter sent by Google:

Dear Google Docs user,

We wanted to let you know about a recent issue with your Google Docs account. We’ve identified and fixed a bug which may have caused you to share some of your documents without your knowledge. This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document. The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets.

To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually. For your reference, we’ve listed below the documents identified as being affected.

We apologize for the inconvenience that this issue may have caused. We want to assure you that we are treating this issue with the highest priority.

The Google Docs Team


It has been reported to have affected around 0.05% of Google Docs users, which could still be a pretty large number but isn't a major leak. This still raises a few questions, especially when it comes to your confidence in upcoming services such as Gdrive and other people's ability to access your data.

Just some food for thought!

-Matt Johansen

Google Docs Article

Gdrive Article


Tuesday Bloody Tuesday


My latest post over at Liquidmatrix Security Digest:

Tuesday, March 10th, and it's once again Patch Tuesday for all you Microsoft users. Yesterday's release was a very straightforward and light load of fixes, but it spanned all supported versions of Windows. Some specific updates pushed out are MS09-006, MS09-007, and MS09-008. MS09-006 is an update for the Windows kernel vulnerability that is labeled critical for Windows 2000 SP4 all the way up to Vista SP1. The other two updates fix vulnerabilities in SChannel and DNS/WINS Server respectively and are rated important for Windows 2000 SP4 up to XP SP3 and Server 2003. Other than that, the only things to look out for are the ordinary Malicious Software Removal Tool and Windows Mail spam filter. Full write-up.

Possibly more interesting than that is the fact that Symantec and Adobe released updates on the same day under unusual circumstances. George Hulme has a good write-up of the situation that he posted this afternoon. To sum it up, Adobe had been working on a fix for their recent zero-day and announced it would be released March 11th. They decided to release it yesterday, March 10th, which happened to be Patch Tuesday. They can be commended for getting it out early, but for most of those working in the operations trenches it probably wasn't appreciated.

On top of that, Symantec released a patch with the filename PIFTS.exe, which looks up the Symantec product and version on a system and reports it back. Well, this report-back happened not to be signed because of human error, and it sent up some firewall flares for most users. This must have been a Help Desk nightmare along with the Adobe issue on Patch Tuesday. And it was not only a Help Desk problem: if users decided to search on their own for what PIFTS.exe was, it is reported that malicious sites recognized this and made their sites appear at the top of those searches. A good write-up on the PIFTS.exe and malicious site issue is on SC Magazine, found here.

This onslaught of patches and patch mishaps must have really affected a lot of companies, big and small, as they had their time allotted for the Microsoft patches to be pushed. Anybody who works in operations and is part of the team responsible for patch management knows the trials of Patch Tuesday when that is the only issue to deal with. The fact that Adobe pushed their release up and Symantec made an inexcusable mistake all on the same day can really bring things down. Not only does this cause a headache for the people on the team responsible for pushing these patches, but if the team had to push more than one patch in the same day at three separate times, you are going to have some angry users who aren't going to restart their machines for you. Heat will be felt all along the food chain, and $DEITY forbid somebody clicked on a site taking advantage of the PIFTS.exe curiosity. Productivity won't be the only issue that companies will have to deal with this Patch Tuesday, or for the rest of the week for that matter.

[tags]microsoft, security, patch tuesday, ms09-006, ms09-007, ms09-008, symantec, adobe, pifts.exe, patch hell[/tags]