Government Technology

By Dan Lohrmann: Covering the security challenges facing governments today and offering innovative solutions to global and local cyber threats.

Mobile Phone Firestorm: Carrier IQ Software Causing Privacy Concerns

December 1, 2011 By Dan Lohrmann

 Privacy concerns are growing regarding the use of Carrier IQ software in many mobile phones. Numerous sources such as Computerworld are reporting that AT&T and Sprint use the software on handsets. Here's an excerpt:

  "Amid what's snowballing into a major privacy controversy, AT&T, Sprint, HTC and Samsung today confirmed that their mobile phones integrate a controversial piece of tracking software from a company called Carrier IQ.

Both wireless carriers AT&T and Sprint insisted that the software is being used solely to improve wireless network performance while phone makers HTC and Samsung said they were integrating the software into their handsets only because their carrier customers were asking for it."

 The article goes on to reference a video in which security researcher Trevor Eckhart demonstrates his claim that Carrier IQ's tracking software can collect data from a mobile phone without the user's knowledge.

 CNET.com asks: What does Carrier IQ do on my phone--and should I care? (FAQ) 

  That excellent coverage of this topic begins:  

    "A 25-year-old systems administrator in Connecticut set off a media firestorm after discovering mysterious software on his Android that appeared to be recording his activities. Software maker Carrier IQ says the software is designed to give carriers usage and other stats so they can improve the network and service. But the researcher argues that the software represents a serious privacy threat because sensitive data is being logged without user permission."

   This hot story is sure to have legs, so stay tuned for more or begin your Google search now.

   Any thoughts on this topic?



Cyber Monday: Are You Shopping From Work?

November 27, 2011 By Dan Lohrmann

It’s that time of year again. Cyber Monday has arrived, and recent survey results say that 50% of Americans do some holiday shopping from work.  (This number is actually down from 52% last year.)

This topic is not new, and I find it interesting to look back at the (brief) history of Cyber Monday in America. Four years ago, Government Technology Magazine asked what government organizations should do about Grinch.exe? The five suggestions are still fairly relevant; however, new advice is offered elsewhere around smartphones.

 Back in 2006, I wrote that Christmas gifts can bring security woes. This is still true. Here’s a blog excerpt:

This has been going on for years. Toys that are opened on Christmas morning soon find their way into work. Historically, PDAs, cellphones, new software, even games and movies, have caused us problems. One colleague told me that January was always his worst month for security problems because of these Christmas presents.

A year later, I wrote this blog at CSO.com on the Cyber Monday topic and concluded by writing:

So my question to readers is what is your organization doing about this trend, besides issuing policies?
In Michigan, we send reminder e-mails to staff reminding them regarding holiday e-cards and shopping online hazards. We also monitor the traffic and behaviors of our employees.

We try our best to do each of the things recommended by the Center for Digital Government – with many controls in place, but we're certainly not perfect. Can you share any experiences?

This closing still seems appropriate to me in 2011.  While our Michigan government acceptable use policy clearly states that computer network use is for official business, we allow local supervisors to use discretion in applying the rules. Our central cyber team only flags blatant violations of acceptable use, and we provide that information to the HR teams in each business area, as appropriate, for follow-up actions.  

By the way, I've already received several emails for special "deals" on Cyber Monday, so I fully expect employees to be tempted to click to go after "one-off" deals during this week and the holiday season. 

So I ask again, can you share any Cyber Monday experiences (from this year or from the past)?



New Report: Illinois Water System Was Not Hacked

November 23, 2011 By Dan Lohrmann

  The Department of Homeland Security (DHS) announced that the Illinois water system in Springfield was not hacked.

 According to Reuters:

 "Federal investigators have concluded that a burned out pump at an Illinois water treatment facility was not caused by foreign hacking, the Department of Homeland Security said Tuesday.

DHS and the FBI were working with the Curran-Gardner Public Water District in Springfield, Illinois, to try to determine why the pump burned out earlier this month.

'DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported,' DHS spokesman Chris Ortman said in an emailed statement."

 Meanwhile, other outlets, such as the BBC, chose the headline "FBI plays down claim that hackers damaged US water pump," reporting:

 "The FBI and the Department of Homeland Security said they had 'found no evidence of a cyber intrusion'.

The Illinois Statewide Terrorism and Intelligence Center (STIC) previously claimed a hacker with a Russian IP address caused a pump to burn out.

A security expert, who flagged up the story, said he was concerned about the conflicting claims."

  On Monday of this week, I published the blog: Hacking Illinois Water: Seven Questions and Six Answers. In that piece, I included this question and answer:

Question 2) Are we sure that the pump failed as a result of a cyber attack?

Answer: No, but it looks likely. The Daily Mail (UK) reported:  “The Department of Homeland Security confirmed that a water plant in Springfield, Illinois, had been damaged.

However spokesman Peter Boogaard said officials had yet to confirm that the pump failure was the result of a cyber-attack.”

It now appears as if this Illinois situation was a false alarm in regards to a foreign cyber attack. At the very least, the facts revealed cannot prove a cyber attack.

 If there is a lesson for the entire security and government technology communities, it may be this: be careful what information and claims are released, and when. Still, I believe question seven in my original blog remains very relevant.

Any thoughts on this case?  Will a cyber attack on critical US infrastructure be coming soon?  


Hacking Illinois Water: Seven Questions and Six Answers

November 21, 2011 By Dan Lohrmann

The top technology story at the end of last week involved multiple news sources reporting a cyber attack that penetrated a US public water system in Illinois. Here’s what we know, and what we don’t.

Question 1) What happened to prompt the concern?

Answer:  An Illinois water system pump was (reportedly) turned on and off repeatedly until it failed.

According to the Breitbart article: Foreign cyber attack hits US Infrastructure: expert

“The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier according to Joseph Weiss (managing partner from Applied Control Solutions).

The network breach was exposed after cyber intruders burned out a pump.

‘No one realized the hackers were in there until they started turning on and off the pump,’ according to Weiss.”

 Question 2) Are we sure that the pump failed as a result of a cyber attack?

Answer: No, but it looks likely. The Daily Mail (UK) reported:  “The Department of Homeland Security confirmed that a water plant in Springfield, Illinois, had been damaged.

However spokesman Peter Boogaard said officials had yet to confirm that the pump failure was the result of a cyber-attack.”

Question 3) How did the hackers gain enough access to bring down the water pump?

Answer: According to a report from the Illinois Terrorism and Intelligence Fusion Center, cyber attackers broke into a software company’s database and got hold of user names and passwords of various control systems that run water plant computer equipment.

Computerworld reported:

“The attackers are thought to have obtained the usernames and passwords to the system by first breaking into a computer belonging to the utility's SCADA software vendor. SCADA vendors often maintain a list of usernames and passwords for accessing systems at customer locations for support purposes. Anyone with those credentials can gain access to the customer system, which is what appears to have happened here.”
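Questions 1 and 3 describe two behaviours a utility could have watched for on its own control-system hosts: a vendor support account logging in from an address the vendor does not use (credentials lifted from the vendor's customer list and replayed by an outsider), and an actuator being commanded on and off repeatedly until it fails. The following is an added example, not code from the original post, from the Illinois fusion center, or from any SCADA vendor: a small audit-log analyzer that flags both patterns. The log format, the account names, the vendor address range, the sample log lines and the toggle threshold are all constructed assumptions for illustration.

```python
"""Added example: flag two ICS audit-log patterns on a SCADA/HMI host.

  1. A vendor support account logging in from a source address outside
     the vendor's known ranges (reuse of stolen vendor-held credentials).
  2. An actuator being switched on and off repeatedly in a short window.

Log format, account names, address ranges and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: accounts the vendor uses for remote support, and the only
# networks the vendor is expected to connect from (TEST-NET-3 placeholder).
VENDOR_SUPPORT_ACCOUNTS = {"vendor_support", "scada_maint"}
VENDOR_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed: more than MAX_TOGGLES state changes inside TOGGLE_WINDOW is abnormal.
MAX_TOGGLES = 4
TOGGLE_WINDOW = timedelta(minutes=5)

# Constructed sample log (not real data). Assumed line format:
#   <ISO timestamp> <event> user=<name> [src=<ip>] [device=<id> cmd=<ON|OFF>]
SAMPLE_LOG = """\
2011-11-08T02:10:05 LOGIN user=operator1 src=10.0.5.12
2011-11-08T02:11:40 LOGIN user=vendor_support src=203.0.113.7
2011-11-08T02:31:02 LOGIN user=vendor_support src=198.51.100.23
2011-11-08T02:31:30 CMD user=vendor_support device=pump3 cmd=ON
2011-11-08T02:31:50 CMD user=vendor_support device=pump3 cmd=OFF
2011-11-08T02:32:10 CMD user=vendor_support device=pump3 cmd=ON
2011-11-08T02:32:30 CMD user=vendor_support device=pump3 cmd=OFF
2011-11-08T02:32:50 CMD user=vendor_support device=pump3 cmd=ON
2011-11-08T02:33:10 CMD user=vendor_support device=pump3 cmd=OFF
2011-11-08T03:00:00 CMD user=operator1 device=pump1 cmd=ON
"""


def parse_line(line):
    """Split one log line into a dict of fields; None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        rec[key] = value
    return rec


def vendor_login_from_unknown_source(rec):
    """True for a vendor-account login whose source is outside the vendor's ranges."""
    if rec["event"] != "LOGIN" or rec.get("user") not in VENDOR_SUPPORT_ACCOUNTS:
        return False
    try:
        src = ipaddress.ip_address(rec.get("src", ""))
    except ValueError:
        return True  # unparseable source address: treat as unknown
    return not any(src in net for net in VENDOR_ALLOWED_NETS)


def analyze(log_text):
    """Return a list of (timestamp, reason) alerts for the whole log."""
    alerts = []
    recent_changes = defaultdict(deque)  # per device: timestamps of state changes
    last_state = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if vendor_login_from_unknown_source(rec):
            alerts.append((rec["ts"], f"vendor account {rec['user']} logged in from unlisted source {rec['src']}"))
        if rec["event"] == "CMD" and "device" in rec and "cmd" in rec:
            dev = rec["device"]
            # Count only real state changes, not repeats of the same command.
            if last_state.get(dev) != rec["cmd"]:
                last_state[dev] = rec["cmd"]
                window = recent_changes[dev]
                window.append(rec["ts"])
                while window and rec["ts"] - window[0] > TOGGLE_WINDOW:
                    window.popleft()
                # Alert once, on the change that first exceeds the threshold.
                if len(window) == MAX_TOGGLES + 1:
                    alerts.append((rec["ts"], f"{dev} toggled {len(window)} times within {TOGGLE_WINDOW} by {rec.get('user')}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

On the constructed log this raises two alerts: the vendor account login from 198.51.100.23, which is outside the assumed vendor range, and the fifth state change on pump3 inside five minutes. The toggle check deliberately counts state changes rather than commands, so an operator re-sending "ON" to a pump that is already on does not trip it; the login check treats an unparseable source address as unknown rather than silently passing it.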

Question 4) Was anyone harmed or did customers lose water service?

Answer: No. Other pumps and/or systems maintained service during the pump failures.

Question 5) Why is this such a big deal? Why is this a top story around the world if no one was hurt?

Answer: The potential ramifications of having a confirmed (successful) cyber attack against (any) critical infrastructure are enormous. Besides the implications for our water, there are fears of attack against transportation, electricity or other important infrastructure sectors. Yes, each sector has plans for defense.  

There are vulnerable critical infrastructure components, and there are many programs that attempt to protect these systems from a cyber or other attack.  NERC and other organizations have spent millions of dollars to start building the smart grid, which may also be susceptible to a cyber attack.

If this failure is confirmed as a cyber attack, the sense of urgency will only increase. Many experts believe that a 21st Century “cyber war” is coming and will be like the previous “cold war” of the 20th Century.

Movies like Live Free or Die Hard (“Die Hard 4”) demonstrate a worst-case cyber attack scenario against critical infrastructure – but remember this is fiction which is overdone to entertain. 

Question 6) Are there any other water systems or other utilities that were compromised by the same cyber incident?

Answer: This is still being investigated right now. Several sources believe that other systems may have been compromised. Either way, the implications to the wider Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) community are huge.

If you need help, each sector has plans and programs, but you can start with this Critical Infrastructure Protection (CIP) website at DHS.

Question 7) Was this a cyber “test” by the bad guys? Is this the beginning of a dangerous hacker trend?

Answer: You decide. Time will give us the answer, but we’d better plan for the worst while we hope for the best. Either way, this should be a cyber wake-up call for America. 


Hacker Group Spends Years Developing Sophisticated Duqu Trojan

November 13, 2011 By Dan Lohrmann

The new Duqu malware is a sophisticated Trojan that appears to be similar to the better-known Stuxnet code. Headlines over the weekend covered both its effects in Iran and reports that the malware was now “under control.”

According to Kaspersky Lab, the hacker group behind the Duqu Trojan may have been working on the code for more than four years. The article describes the stages of attack and actions at each stage. Here’s an excerpt, but the entire article is worth reading:

“Our main achievement has been in the investigation of the incident deemed No.#1, described in my second post about Duqu. We managed to not only locate all the previously undiscovered files of this variant of Duqu, but also to find both the source of the infection and the file dropper that contains the vulnerability exploit in win32k.sys (CVE-2011-3402).

Comparing the data we uncovered with that obtained by other researchers and antivirus companies, we’ve elicited various common traits that have revealed the approximate timeline and overall methods used by Duqu’s authors.”

Computerworld ran this piece as their headline story, and summarized the malware’s history to date. Here’s part of that Computerworld article:

“Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.

Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.”

The Duqu Trojan, which is also known as “son of Stuxnet,” was discovered just two months ago and is getting headlines for the sense of humor that its creators have revealed in the code.

“According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.”

MSNBC wrote, “Perhaps most ominously, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan's creators are carefully tailoring the malware package for each specific target as needed, if the compilation dates on the main Trojan component are accurate….

… Such fine-tuning would make Duqu and its creators more sophisticated and persistent than the so-called "advanced persistent threat" attacks — widely assumed to be coming from China — that have penetrated Western companies over the past few years.

In those cases, spear-phishing emails also provide the infection vector, but the installed malware does not vary from one target to the next.”

Lohrmann on Cybersecurity

Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
