Security Watch
The Dumb Security Ideas Edition
Some real stupid events in IT security have come out of hiding and back onto your systems.
This week I thought I'd have a look at some of the dumb ideas in security.
Bringing the Grid Down
If you're a security writer looking to make a fool of yourself, just write a story combining Supervisory Control and Data Acquisition (SCADA) with vulnerability. You'll prove to be about as good at IT security reporting as Martha Stewart might be at covering NASCAR.
Sure, there is a company who makes software for SCADA, and yes, it turns out they don't do an adequate job of parsing packets that systems might receive on a TCP port used for connecting to SQL servers. It's also true that some SCADA systems are integrated with networks that have Internet access, and some Internet-accessible networks have bots and/or criminals on them.
That doesn't mean criminals are going to bring down national power grids or muck about with sewage.
Why announce this at all? The only reason I can think of is to get dumb reporters to write stupid stories that put your name in the news ... or so you'd think. Typically, vulnerability research is published to garner public attention -- specifically, to try and get people who might not otherwise realize they've got insecure software, to update something. Unfortunately, this falls way short of that mark. Do you really think some electric power company is going to rely on information from some lesser-known research organization over whatever they might get directly from their vendors? Do you think they might modify their network because of some vulnerability scenario that's miles from plausible on their networks? I doubt it.
If you've got a SCADA implementation and happen to be reading this, keep paying attention to your vendor announcements.
Firefox 3 Flaw Reaches Tipping Point
You gotta love it when a vulnerability research company announces a flaw hours after the release of a product. Granted, TippingPoint probably can't insist -- only suggest -- on when vulnerabilities are released to vendors. Still, it's just another example of how research and production don't necessarily work hand-in-hand, and how some researchers care more about “street cred” than straight truth.
Burned Coffee All Over Your Internet
Do you realize that a criminal can burn down your house by turning on your stove? That was a comment made by the researcher who discovered that diagnostic software, installed on his PC in order to allow data from his Jura F90 coffee maker to be sent to the manufacturer, could be exploited to run code of a criminal's choice on his PC. Talk about stretching to make a point -- in an interview, the researcher suggested that since Internet-connected devices are the wave of the future, discovering and reporting on vulnerabilities in them was reasonable.
May I beg to differ? If you want a sure fire way to convince people to tune out security information, just show them how dumb some testing is.
Go Ahead, Hit Our Servers
If there's been a dumber idea lately, I can't think of what it might be besides this: Ypigsfly claims to be testing a new DDoS defense system. They have offered anyone $50 if you can take them off line for 15 minutes. All you have to do to collect is tell them one day in advance what time you're going to attack, give them your name and address, and just do it.
Are they nuts, or is it me? Do they simply want to waste as much bandwidth, from as many ISPs as possible? Would you like to be hosted by their ISP? Imagine the havoc such a stunt is likely to cause all over the world. And to what end? I think the company name tells it all.
Ho-Hum, Another Storm Brewing
"US-CERT has received reports of new Storm Worm related activity." Now, how many times have you seen that sentence before? Has there ever been a time when there hasn't been new storm worm variant? Aren't they tired of crying wolf constantly, and don't they realize that the worm continues to spread and find victims because they're simply not reaching them? Just imagine what your weather forecast would look like if they predicted every individual raindrop or gust of wind.
Hacking the Earthquake
As if hacking for dollars wasn't bad enough, when hackers do their criminal acts for no apparent reason, with no consideration of the effects, well … that's down-right dumb. At the end of May 2008, a Chinese province's seismology Web site was hacked. The criminal modified the site to report that a magnitude 9 or higher quake was expected in the region. Did he think that people wouldn't panic, given the massive quake in another province just a few weeks earlier? Stop the insanity, already.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.