Recently in Event Monitoring Category


This morning I posted a link on our Twitter site to an article by Ross Anderson and Shailendra Fuloria on issues concerning the governance and security of smart meters, "Who controls the off switch?" The article was referenced on one of the major SCADA security mailing lists.

The article points out the concerns about cyber attacks by international criminal organizations and military initiatives by foreign nations causing massive blackouts, and some ways of mitigating those risks.

The article also raises an interesting point about the use of cryptography and key management. How will keys be managed across hundreds of millions of smart meters, whether with pre-shared secrets or a PKI infrastructure? How will new keys be added for new energy companies? How will the keys be changed?

There is some new work being done by the OASIS group on key management. The OASIS KMIP key management project may be one of the centerpieces for offering interoperability across a "Trans-Smart Grid". A 2009 presentation from the University of Colorado also lists KMIP as key to interoperability. That presentation, by Dr. Edward Chow, goes on to show the complexity of monitoring attacks across the trust relationships between the various parts of the infrastructure, including "Fake ID Hijack Station", "Jamming Wormhole Attacks" and "Meter Database Tampering", from insider attacks to external attacks, and the correlation of events moving through these trust relationships.

The second paper from Ross Anderson and Shailendra Fuloria, also referenced in "Who controls the off switch?", is "On the security economics of electricity metering". This is an excellent paper that not only provides insight into the history of distributed power but also points out the complexities of providing modern-day Smart Grid technologies, not only from a technological perspective but from a competitive analysis of the struggle for dominance within the distribution system, both nationally and internationally, together with a warning, drawn from a comparison with what happened at Enron, about what follows when governance is not properly applied.


Not so long ago, I remember that talking about information security management raised a lot of eyebrows; it was something of a black art, kind of like UNIX administration.
But in today's world, cyber security has gotten enough attention from the White House, Congress, the military and law enforcement, not only in the U.S. but across the globe, that discussing the need for cyber security and information security management in the public and private sectors is no longer considered a foreign topic or a dark black art. Risk management and information security management are now interwoven within IT frameworks such as COBIT and ITIL.

At the NJTC meeting yesterday at the Forsgate Country Club, we had a diverse set of parties interested in our solutions to support their information security management programs, from audit and financial executives to IT management. Our solutions will provide a means to help IT and data owners identify the threats and risks to their business processes in these times of round-the-clock international electronic business transactions. Situational awareness of today's highly complex, distributed IT service environments is no longer simply a nice-to-have but a necessity for the survival of digital business transactions against a world of distributed botnets and pre-zero-day vulnerabilities.

I would like to thank the NJTC for giving us the ability to reach out to so many different businesses operating across the State of New Jersey, and those that stopped by simply to hear what our solutions have to offer their business services.


HP Software Universe 2009


Last day here at HP Software Universe in Hamburg, talking about integrating information security management more closely into the enterprise architecture and the system development life cycle. Enterprise frameworks, including the new NIST guideline Special Publication 800-37 Rev. 1 with its six-step Risk Management Framework, ITIL V3 and COBIT 4.1, call for information security to be closely aligned with the enterprise for effective risk management.

We have been talking about the new standards and guidelines concerning the harmonization of IT and information security governance. By integrating netForensics Sim One, our information security management enterprise software, with HP uCMDB and HP Operations Manager, we can show that IT operations management and information security management share the same vision of domain services for continual monitoring of enterprise services. That gives IT operations and information security the ability to monitor the effectiveness of the control environment, promoting near real-time risk management.

If you're looking for solutions to help you manage risk-based decisions with regard to the organizational information systems supporting your core missions and business functions, we already have it.





The mission and function of the task force will be to provide advice to the Attorney General for the investigation and prosecution of cases of bank, mortgage, loan and lending fraud; securities and commodities fraud; mail and wire fraud; retirement fraud; tax crimes; false claims; unfair competition; discrimination; and other financial crimes and violations.

Federal Register Executive Order 13519--Establishment of the Financial Fraud Enforcement Task Force

Bankinfosecurity.com's article outlines the comments made by the Attorney General's Office:

"That the nation faces unprecedented challenges in responding to the financial crisis that has gripped the economy for the past year. Mortgage, securities and corporate fraud schemes have eroded the public's confidence in the nation's financial markets and have led to a growing sentiment that Wall Street does not play by the same rules as Main Street."

In the recent Brazilian power outage events, even an implied weakness in the controls of critical infrastructure could be used to destabilize the financial stability of markets by subverting the controls involved in financial trading. There have been conflicting reports about whether the outage was caused by an attack on the control systems of its dams. Employees and contractors of the system complained that their paychecks and statements had been modified to include a message from the attackers.

With all of this talk of financial fraud and critical infrastructure vulnerabilities, I could not help but be reminded of the 1983 movie Superman III, where Robert Vaughn's character says, "Computers rule the world today and the fellow that rules the computer, rules the world," and Richard Pryor hacks into secret defense systems to ruin the coffee crop for the next 5 years (Superman III: Tornado Scene).

While it all may seem very tongue-in-cheek and somewhat unrealistic, the simultaneous collapse of the financial markets due to fraudulent transactions, combined with the failure of major SCADA systems, would have a serious effect on a nation's stability. In 2002 the U.S. Naval War College conducted a study that concluded it would probably take about 5 years and cost about 290 million dollars to plan a significant electronic attack.

Digital steganography: the advantage of steganography over cryptography alone is that messages do not attract attention to themselves.

Infosectoday's article, "Digital Steganography Threat or Hype" by James E. Wingate, in summary: use of steganography will never be detected if no one ever looks for it.

Oct 24, 2008 - Futures halted as trading enters 'panic mode' (The Financial Post)


Neil deGrasse Tyson once said, "To a discoverer all data is valuable, even bad data." When looking at data individually, you may believe that the data is not valuable and does not tell you anything. But when combined with other types of information from within a relevant time frame, the information becomes very valuable, and the more layers of information presented, the more useful it is.

Some of the most valuable data you get does not even come from the realm of logical data gathering. It is the information from outside of logical analysis of data, which brings to mind Sam Walton's expression, "I know what I know but tell me what you know." According to Kevin Mitnick, the most effective approach is to try to exploit the weakest link, not operating systems, firewalls or encryption algorithms, but people. In information security, knowing what is of value, where it is located, who has access to it, and what trust zones and controls allow access to it is core to aligning information security with business goals.

Monitoring perimeter scans for known intruders and bogons is information that we all need, but knowing how a trust zone can be compromised to gain access to valuable or confidential data is critical. It is the continual discovery process, and breaking through the silos of knowledge and control, that will help provide the additional layers needed in developing an effective information security program.

Why is my executive office printer sending HTTPS and FTP traffic outbound to a home ISP DHCP range, or using GoToMyPC?
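As an added example, not part of the original post, here is one way to turn that question into a correlation rule: an asset inventory says what a device is for, and a destination classifier says where its traffic goes; the alert fires only when the two disagree. The inventory, the address ranges and the flow records are all constructed stand-ins for what a CMDB and a flow collector would supply.

```python
# Added example, not netForensics' code: correlate an asset inventory with
# outbound flow records so a device whose role should never talk to the
# Internet, such as a printer, stands out as soon as it does.
import ipaddress

# Roles with no legitimate reason to initiate outbound sessions.
NO_EGRESS_ROLES = {"printer", "plc", "hvac"}
# Constructed inventory (a CMDB would supply this): address -> role.
INVENTORY = {"10.10.5.20": "printer", "10.10.5.21": "workstation", "10.10.7.10": "printer"}
# Corporate address plan; anything outside it is off-network.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed placeholder range standing in for a residential ISP's DHCP pool.
HOME_ISP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
WATCHED_PORTS = {21: "ftp", 443: "https"}

# Constructed flow log: src,dst,dport,bytes_out
SAMPLE_FLOWS = """\
10.10.5.20,203.0.113.77,443,184320
10.10.5.21,198.51.100.9,443,9100
10.10.7.10,10.10.1.5,9100,2048
10.10.5.20,203.0.113.77,21,67584
"""


def destination_context(dst: str) -> str:
    """Classify a destination as internal, home-isp, or other external."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in INTERNAL_RANGES):
        return "internal"
    if any(addr in net for net in HOME_ISP_RANGES):
        return "home-isp"
    return "external"


def flag_flows(flow_text: str) -> list:
    """Alerts for no-egress assets reaching off-network hosts on watched ports."""
    alerts = []
    for line in flow_text.splitlines():
        src, dst, dport, nbytes = line.split(",")
        role, ctx, port = INVENTORY.get(src, "unknown"), destination_context(dst), int(dport)
        if role in NO_EGRESS_ROLES and ctx != "internal" and port in WATCHED_PORTS:
            alerts.append({"src": src, "role": role, "dst": dst, "service": WATCHED_PORTS[port],
                           "dst_context": ctx, "bytes_out": int(nbytes)})
    return alerts


if __name__ == "__main__":
    for alert in flag_flows(SAMPLE_FLOWS):
        print(alert)
```

Only the printer's two sessions to the home ISP range are reported; the workstation's HTTPS session and the printer's internal print-port traffic are left alone.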


Bkis Internet Security, a Vietnam-based security organization and a member of APCERT (Asia Pacific Computer Emergency Response Team), was asked by the Korean CERT team, KrCERT, to investigate the July 2009 DDoS botnet attacks. Bkis analyzed what it received from KrCERT, located 8 command and control servers, and obtained access to two of them. After analyzing the traffic, Bkis reported that the original estimates of 20,000 to 50,000 infected systems involved in the botnet were closer to 166,909 zombies from 74 countries.

The U.S. CERT teams and the Korean CERT teams continue to investigate these incidents in the hope of identifying the source of the attacks.

Links:
H-Online DDoS attacks on South Korea and U.S.
Bkis Internet Security - Korea and U.S. DDoS attacks



Green Dam is China's initiative to install censorware on every Windows PC purchased after July 1st. There have been over 7 million downloads of the software, and schools and universities already have it running on their systems. This extends the national-level filtering system to the endpoints themselves. A blacklist of sites is downloaded to the Green Dam client, and users may add their own banned sites to the application.
As of June 8th, Dell is determining whether it will include the Green Dam software in its distribution.

Researchers at the University of Michigan published a paper on remotely exploitable vulnerabilities in the Green Dam software. They cited programming errors in SurfGd.dll that allow a buffer overflow through which the browser could be made to download malware.
China has acknowledged these flaws and is expected to release a patch.

The Wall Street Journal has reported that Solid Oak Software Inc. said it has found pieces of its "Cybersitter" software embedded in the Green Dam software.

The Chinese Daily reported that Bryan Zhang, General Manager of Jinhui Computer System Engineering Company, the author of Green Dam, said, "It is not responsible to crack somebody's software and publish the details, which are commercial secrets."
He also denied that the software contained any stolen "Cybersitter" code, but said the two did maintain a similar list of blacklisted porn websites.

Every country, including the U.S. and Australia, has been struggling with privacy rights over Internet content. The U.S. has the Children's Internet Protection Act (HR4577), and Australia has plans to test the implementation of a nationwide content filter with an opt-out feature.

In the U.S., HR 2271, the Global Online Freedom Act of 2009, is an act in committee that would prevent any U.S. business from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, and promote freedom of expression on the Internet.


Links:
Analysis of the Green Dam Censorware System
OpenNet Initiative on Green Dam
Cybersitter and Green Dam
People's Daily Online
The Sydney Morning Herald - Web Censorship plan heads to dead end


TrendLabs (Trend Micro) warns of this new, highly distributable autorun worm.

Stealth techniques used by malware are considered a core characteristic, one that has been developed, improved, redesigned, and reused. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself into every ZIP-compressed file it finds on a system.

This worm may be downloaded from remote sites by other malware. It may also be downloaded unknowingly by a user when visiting malicious web sites.

It drops various files on the affected system, including a copy of itself. It creates and modifies registry entries as part of its installation routine.

When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses a double extension, adding .GIF followed by .SCR.

The .GIF extension is used as its social engineering factor. Curious users who still have their default configurations set in Windows Explorer (where the extension of known file types is hidden) may have an unpleasant experience once they double-click on the purported image file. The .SCR extension, on the other hand, makes it an executable file.

Writing itself into data files is not the only way this worm ensures its survival on a system. It also makes use of traditional spreading methods, such as dropping a copy of itself (kkk.exe) together with an autorun.inf onto all available physical, removable, and shared drives.
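The two artifacts described above (a double-extension copy planted inside ZIP archives, and an executable dropped beside an autorun.inf on a drive root) are both things a log or file scan can look for. The following is an added example, not Trend Micro's detection code; the sample archive and autorun.inf are constructed here, with harmless bytes standing in for the worm body.

```python
# Added example, not Trend Micro's code: detect the two artifacts described
# above, a double-extension payload planted inside a ZIP archive and an
# autorun.inf that launches a dropped executable from a drive root.
import configparser
import io
import zipfile

# The worm pairs a harmless-looking extension with an executable one;
# Windows Explorer hides the final extension by default.
DECOY_EXTS = {".gif", ".jpg", ".png", ".bmp", ".txt", ".doc", ".pdf"}
EXEC_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}


def is_double_extension(name: str) -> bool:
    """True for names like photo.gif.scr (decoy extension, then executable)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS and "." + parts[-1] in EXEC_EXTS


def suspicious_zip_entries(zip_bytes: bytes) -> list:
    """Archive members that look like planted double-extension payloads."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and is_double_extension(i.filename)]


def autorun_targets(autorun_text: str) -> list:
    """Executables an autorun.inf would launch via its open= / shellexecute= keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(autorun_text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            value = cp[section].get(key, "").strip()
            if value:
                targets.append(value.split()[0].lower())
    # Keep order, drop duplicates, report only executable targets.
    return [t for t in dict.fromkeys(targets) if "." + t.rsplit(".", 1)[-1] in EXEC_EXTS]


def build_sample_zip() -> bytes:
    """Constructed test archive: one clean document plus one planted payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly/report.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("quarterly/photo.GIF.SCR", b"MZ constructed stand-in, not malware")
    return buf.getvalue()


# Constructed autorun.inf in the style the worm drops next to its copy.
SAMPLE_AUTORUN = "[AutoRun]\nopen=kkk.exe\nshellexecute=kkk.exe\nicon=kkk.exe,0\n"

if __name__ == "__main__":
    print(suspicious_zip_entries(build_sample_zip()))  # ['quarterly/photo.GIF.SCR']
    print(autorun_targets(SAMPLE_AUTORUN))             # ['kkk.exe']
```

Run against archives on file shares and against the root of removable drives, the two checks cover both spreading paths the worm uses.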

More Links:
WORM_AUTORUN.JFZ
Autorun-worm-invades-zip
Harry Waldron's Corporate IT Security Blog


There has been a lot of discussion about the internal struggle within the Indian intelligence community over the implementation of Huawei's telecom products throughout India's core infrastructure, and the views of India's DoT and government-owned BSNL on the matter.

According to the Economic Times and GulfBase.com, "The Indian communication ministry has warned state-owned telco BSNL that telecom networks supplied by Chinese equipment major Huawei must be tested for trapdoors, blackboxes, malware, and also, if it is susceptible to remote hacking before they can be allowed to be operational."

"In fact, Huawei was also the sole company that was shortlisted for BSNL's 25 million lines in Western India, but the PSU now plans to award this contract, worth $1.5 billion, to French-Indian combine Alcatel-ITI. BSNL has identified this as an alternate solution as the telco cannot award this contract to Chinese equipment major Huawei on security grounds as the West zone shares sensitive boundaries with Pakistan."

India is very competitive in the design of telecom components, but China remains the leader in bulk manufacturing of telecom equipment.

While Huawei is fast becoming one of the world's largest telecom providers to China, India, Africa, and Europe, there remains the concern that the company is linked to Chinese cyber war initiatives funded by the Chinese military.

ZTE, China's second-largest telecom provider and the world's 6th-largest cell phone provider, is trying to grow its market in the EU. ZTE is now ready to provide China with its approved 3G network. This year China is also coming up with its own 586 billion dollar stimulus package to help its economy. While Huawei is accused of being linked to cyber warfare or cyber intelligence gathering, ZTE has had its share of accusations. In 2007, ZTE was accused of being involved in or linked to hacking of some German government files, and there was trouble with a deal with the Philippine government.

It's an interesting contrast: are these two of the world's fastest-growing telecom providers implementing ADSL, WiMAX and LTE networks and 4G phones, or an embedded portal for the Chinese military's cyber intelligence gathering? I believe at one time Microsoft was accused of providing cryptology plugins for the NSA, or of involving it in the development of Vista, and maybe ZTE, Huawei, or anyone else has no choice in the matter when it comes to its government's national security concerns. Perhaps it is a 'Cyber Arms Race': having back doors into some of the world's largest networks is probably too tempting for any intelligence agency.

These are some of the risks that nations have to be concerned about, in their own interests of national security and sovereignty, when purchasing software or networking infrastructure. Who is your business partner, and what risks are you willing to take? The reality is that, just like our economies, all the networks and software are interconnected.


netForensics' recent acquisition and debut of its Cinxi SIEM/Log Management appliances was revealed at the RSA Security Conference in San Francisco. Cinxi's ability to jump-start an information security program was well received by attendees looking to meet information security governance and regulatory compliance requirements by getting their security event management, log management, and incident response management under control.

Cinxi's effective and efficient security analyst UI is built so that IT operations, a NOC, or a SOC can quickly start using an intelligent workflow for identifying and managing incidents, while dynamically identifying and building asset management information, network topology, and the security control environment that protects them. Cinxi provides a sensible and easy-to-use log management facility that maintains and secures all raw events for audit and compliance requirements.

Cinxi's full-featured SIEM and log management software, superior sustainable EPS rates and sensible storage management for appliances outperform all of its competitors in usability and performance, while maintaining a price that its competitors cannot match.

To learn more about Cinxi, read here.

© 2010 netForensics, Inc