Cyber Storm III: US Cyber-Security Preparedness Drill Starts Today

Today the Department of Homeland Security kicks off a three to four day simulated cyber attack drill. 

One of the most impressive sounding drills to date, the test will include not only US government, and private sector participants, but also foreign governments.

According to the DHS Cyber Storm III FactSheet:

The Cyber Storm series simulates large-scale cyber events and attacks on the government and the nation’s critical infrastructure and key resources (CIKR)—so that collective cyber preparedness and response capabilities can be measured against realistic and credible national-level events.

DHS’s National Cybersecurity Division (NCSD) is sponsoring the latest installment of the series—Cyber Storm III, which will include thousands of players across government and industry and more than 1,500 injects of data to keep participants on their toes.

This will also be the first test of the new National Cybersecurity and Communications Integration Center (NCCIC). The NCCIC is a 24-hour, DHS-led coordinated watch and warning center that will improve national efforts to address threats and incidents affecting the nation’s critical information technology and cyber infrastructure.

11 states will be involved in the test, as will 60 private sector companies. Foreign government participates include Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom.

With Stuxnet making headlines news now, I cannot think of a better time to run a drill designed to test our country’s response to attacks on critical utilities.

Iran Admits Stuxnet Malware Affected Bushehr Nuclear Power Plant

Stuxnet, possibly one of the true “cyber weapons” has affected the personal computers of the Bushehr nuclear power plant staff according to a Foxnews report:

The project manager at the Bushehr nuclear plant, Mahmoud Jafari, said a team is trying to remove the malware from several affected computers, though it “has not caused any damage to major systems of the plant,” the IRNA news agency reported.

Iranian news claims that “an electronic war has been launched against Iran” but that they have the attack well in hand.

Iranian information technology officials have confirmed that some Iranian industrial systems have been targeted by a cyber attack, but added that Iranian engineers are capable of rooting out the problem.

The director of the Information Technology Council of the Industries and Mines Ministry has announced that the IP addresses of 30,000 industrial computer systems infected by this malware have been detected, the Mehr New Agency reported on Saturday.

A report from the Christian Science Monitor claims that this is the first “cyber weapon” specifically created to attack physical equipment. In this case SCADA command and control of a nuclear facility. German cyber-security expert Ralph Langner, told the Monitor that “Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.”

Well, it seems pretty clear what the target is. Israel has stated time and time again that political negotiations are not working out and that they would strike. Everyone expected an aerial assault, as Israel bombed Syria and Iraq nuclear plants in the past. But with diminishing support for a physical strike, especially from the White House, it would appear that Israel took the high tech route.

Just how effective would a cyber attack against a nuclear facility be? In a simulated power plant cyber attack back in 2007, would be hackers were able to destroy a power turbine. This would have had dire consequences if it happened in real life. Just a note of caution to the people near the Bushehr plant, it may be time to move. 

Facebook Outage Not a Hack, But Self Inflicted Wound

With rumors flying that Facebook was hacked yesterday, Facebook releases a statement explaining the 2.5 hour outage. It would appear that they were not hacked, but internal complications in responding to an error condition brought them down:

… Today we made a change to the persistent copy of a configuration value that was interpreted as invalid. This meant that every single client saw the invalid value and attempted to fix it. Because the fix involves making a query to a cluster of databases, that cluster was quickly overwhelmed by hundreds of thousands of queries a second. 

To make matters worse, every time a client got an error attempting to query one of the databases it interpreted it as an invalid value, and deleted the corresponding cache key. This meant that even after the original problem had been fixed, the stream of queries continued. As long as the databases failed to service some of the requests, they were causing even more requests to themselves. We had entered a feedback loop that didn’t allow the databases to recover. 

The way to stop the feedback cycle was quite painful – we had to stop all traffic to this database cluster, which meant turning off the site. Once the databases had recovered and the root cause had been fixed, we slowly allowed more people back onto the site…

Continued on Facebook.com.

Adobe Reader PDF 9.3.4 “Cooltype Sing” Zero Day Exploit

Yeah, I know, another Adobe exploit. And this one came out a few weeks ago. What is crazy though, is that Adobe has known about it for a couple weeks and has not released a patch for it yet. According to Security Focus, Adobe is not even planning on patching this until next month!

Currently we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com. The vendor plans to release updates to address this and other issues during the week of October 4, 2010.

Just wanted to give everyone a heads up on this. This exploit is readily available and I have tested it against a fully patched Windows 7 machine with the latest Adobe Reader version and it worked flawlessly. If you run an infected PDF, it WILL give the attacker a FULL ACCESS remote shell to your computer.

The only clue you will get that something is not right is that Adobe will open the file and then just sit there. I have heard some Anti-Virus companies are starting to block this, but not all of them.

So, what can we do? Well, until Adobe decides to patch it, do not click on any unknown or unexpected PDF links in e-mails, and do not open a PDF file on a website that you are not familiar with. I am stunned that in essence, if they do not patch it until October, this exploit will have been left unpatched for a whole month!