<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; wired.com</title>
	<atom:link href="http://krebsonsecurity.com/tag/wired-com/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Cyber Intrusion Blamed for Hardware Failure at Water Utility</title>
		<link>http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/</link>
		<comments>http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 17:43:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Latest Warnings]]></category>
		<category><![CDATA[City of South Houston]]></category>
		<category><![CDATA[CNN]]></category>
		<category><![CDATA[Fred Gonzalez]]></category>
		<category><![CDATA[Michael Assante]]></category>
		<category><![CDATA[MIT]]></category>
		<category><![CDATA[Nevada]]></category>
		<category><![CDATA[SCADA]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=12401</guid>
		<description><![CDATA[A recent cyber attack on a city water utility in Illinois may have destroyed a pump and appears to be part of a larger intrusion at a U.S. software provider, new information suggests. The incident is the latest to raise alarms about the security protecting so-called supervisory control and data acquisition systems, or &#8220;SCADA&#8221; networks [...]]]></description>
			<content:encoded><![CDATA[
<p>A recent cyber attack on a city water utility in Illinois may have destroyed a pump and appears to be part of a larger intrusion at a U.S. software provider, new information suggests. The incident is the latest to raise alarms about the security protecting so-called supervisory control and data acquisition systems, or &#8220;SCADA&#8221; networks &#8212; increasingly Internet-connected systems designed to monitor and control complex industrial networks.</p>
<p><strong><a href="http://krebsonsecurity.com/wp-content/uploads/2011/11/curran-gardner.png"><img class="alignright size-medium wp-image-12407" title="curran-gardner" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/curran-gardner-208x300.png" alt="" width="208" height="300" /></a>CNN</strong> is reporting that federal officials are investigating the attack, but quoted a Department of Homeland Security official downplaying the incident. <a href="http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/all/1" target="_blank">Wired.com says</a> the focus of the attack may be the <strong>Curran-Gardner Public Water District</strong> near Springfield, Ill. <a title="The Reg: Water Utility Hacked" href="http://www.theregister.co.uk/2011/11/17/water_utility_hacked/" target="_blank">The Register quotes</a> DHS&#8217;s <strong>Peter Boogaard</strong> saying the agency and the FBI are gathering facts surrounding the report of a water pump failure, but that &#8220;at this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.&#8221;</p>
<p>The incident was first reported in a state cyber fusion notice dated Nov. 10, and soon was summarized on <a title="ControlGlobal.com" href="http://community.controlglobal.com/content/water-system-hack-system-broken" target="_blank">the blog</a> by <strong>Joe Weiss</strong>, managing partner of <strong>Applied Control Solutions</strong>, a SCADA systems security firm. Weiss criticized the lack of response and alerting by the US-CERT, Department of Homeland Security, and the information sharing and analysis center (ISAC) run by the water industry.</p>
<p>Weiss read sections of the report to KrebsOnSecurity; the report traced the origin of the attack to Russian Internet addresses.</p>
<p>&#8220;Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia.&#8221;</p>
<p>The alert also indicates that this attack may be linked to a SCADA provider that also serves other industries, in addition to the water sector. From the alert:</p>
<p>&#8220;The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company&#8217;s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.&#8221;</p>
<p>The intrusions apparently took place over several months, during which time the attackers remotely logged into the water district&#8217;s SCADA networks and toggled systems off and on, eventually causing the failure of a water pump at the facility.</p>
<p>&#8220;Over a period of 2-3 months, minor glitches have been observed in remote access to the water district&#8217;s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.&#8221;</p>
<p>The notice also stated that the method of attack appears to be similar to the <a title="MIT Server Hijacked and used in Drive-By Attack Campaign" href="http://www.computerworld.com/s/article/9221444/MIT_server_hijacked_and_used_in_drive_by_attack_campaign?taxonomyId=142" target="_blank">recent compromise of servers</a> at the <strong>Massachusetts Institute of Technology</strong> (MIT), which involved security weaknesses around <strong>phpMyAdmin</strong>, a popular Web-based database administration tool.</p>
<p>&#8220;This network intrusion is the same method of attack recently used against the MIT Server,&#8221; the water district alert stated. &#8220;The water district&#8217;s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company&#8217;s database, and if any additional systems have been attacked as a result of this theft.&#8221;</p>
<p><strong>Michael Assante</strong>, president and CEO of the <a title="NBISE Web site" href="https://www.nbise.org/" target="_blank">National Board of Information Security Examiners</a> and a former chief security officer for the <a title="NERC Web site" href="http://www.nerc.com/" target="_blank">North American Electric Reliability Corporation</a> (NERC), said the attack highlights the potential pitfalls of utilities increasingly turning to off-the-shelf commercial solutions and remote access to trim costs in an era of tight state and local budgets.</p>
<p><span id="more-12401"></span></p>
<p>&#8220;In smaller districts, you&#8217;re not going to have big network architectures [that allows you] to have restricted routing and VPN architecture,&#8221; Assante said. &#8220;But when we get to smaller water districts, the less infrastructure they can have to do their work, the cheaper it is. And with these current budget restraints for municipalities, Web remote access seems to be the way they want to do business.&#8221;</p>
<p>Assante said it was too early to assess the broader implications of this incident, and noted that the initial reporting on cyber-related SCADA incidents often turns out to be inaccurate. But he said that if most of the information in the original report is correct, then there are significant lessons to be learned from this incident.</p>
<p>&#8220;You have compromises occurring over remote access, and over months this had effects on the system that were anomalous or never coordinated to a cyber event,&#8221; Assante said. &#8220;If what really happened here turns out to be 80 percent close to what&#8217;s in the original reports, it will be very important to know what we can learn from this.&#8221;</p>
<p>The wait-and-see response from the DHS and FBI appears to have encouraged hackers to <a title="Loldhs pr0f" href="http://pastebin.com/Wx90LLum" target="_blank">highlight similar vulnerabilities</a> in other water districts. Several sites now are <a href="http://www.thinq.co.uk/2011/11/18/hacker-penetrates-south-houstons-water-supply-network/" target="_blank">reporting</a> on a claim by a hacker named &#8220;pr0f&#8221; who posted a series of images that appear to demonstrate remote access to a SCADA system that is responsible for the water supply in the <strong>City of South Houston, Nevada</strong>. It&#8217;s not clear whether the image noted here is supposed to be for a Texas or Nevada facility, but <strong>Fred Gonzalez</strong>, superintendent of the City of South Houston, Texas water and sewer division, said his organization was still analyzing the information to determine its veracity.</p>
<div id="attachment_12406" class="wp-caption aligncenter" style="width: 610px"><a href="http://krebsonsecurity.com/wp-content/uploads/2011/11/southhoustonscada.png"><img class="size-full wp-image-12406" title="southhoustonscada" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/southhoustonscada.png" alt="" width="600" height="447" /></a><p class="wp-caption-text">A screen shot posted online today, allegedly from remote access to SCADA systems for the City of South Houston.</p></div>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/feed/</wfw:commentRss>
		<slash:comments>31</slash:comments>
		</item>
		<item>
		<title>More Than 100 Arrested in Fake Internet Sales</title>
		<link>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/</link>
		<comments>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 15:18:56 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Adevarul.ro]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[justice department]]></category>
		<category><![CDATA[moneygram]]></category>
		<category><![CDATA[Râmnicu Vâlcea]]></category>
		<category><![CDATA[Romania]]></category>
		<category><![CDATA[western union]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10734</guid>
		<description><![CDATA[Law enforcement officials in Romania and the United States arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.]]></description>
			<content:encoded><![CDATA[
<p>Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.</p>
<p>According to <a title="Organized Romanian Criminal Groups Targeted by DOJ and Romanian Law Enforcement" href="http://www.justice.gov/opa/pr/2011/July/11-crm-926.html" target="_blank">a statement</a> from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as “arrows” to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.</p>
<p><span id="more-10734"></span>The arrows in the United States would then visit wire transfer services such as <strong>Western Union</strong> or <strong>MoneyGram</strong>, provide false documents including passports and drivers’ licenses in the name of the recipient of the wire transfer, and grab the cash. They would subsequently wire the funds overseas, typically to individuals in Romania, minus a percentage kept for commissions. The victims would not receive the items they believed they were purchasing. In some cases, co-conspirators in Romania also directed arrows to provide bank accounts in the United States where larger amounts of funds could be wired by victims of the fraud.</p>
<p>Since February 2011, FBI agents and U.S. Justice Department authorities in Florida, Pennsylvania and Texas have arrested or charged at least 21 Romanians and Moldovans in the U.S. who were allegedly members of the ring. Thirteen of those charged have pleaded guilty, and three remain at large.</p>
<p>The Bucharest news agency <strong>Adevarul.ro</strong> has <a title="Google translated version of Adevarul story" href="http://translate.google.com/translate?js=n&amp;prev=_t&amp;hl=en&amp;ie=UTF-8&amp;layout=2&amp;eotf=1&amp;sl=ro&amp;tl=en&amp;u=http%3A%2F%2Fwww.adevarul.ro%2Flocale%2Fbucuresti%2FPerchezitii_in_Capitala_si_in_opt_orase_90_de_hoti_prinsi_de_FBI_si_adusi_la_DIICOT-_au_furat_pe_internet-de_la_americani-peste_20_de_milioane_de_dolari_0_517148293.html" target="_blank">more details</a> on the 90 Romanians arrested by authorities there in nine different cities. The Romanian authorities say the group stole almost $20 million, about twice as much as the Justice Department estimates.</p>
<p>Some of the Romanians arrested were from the town of <a href="http://maps.google.com/maps?q=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;oe=UTF-8&amp;ie=UTF8&amp;hl=en&amp;geocode=FVI-sAIdBPFzAQ&amp;split=0&amp;sll=37.0625,-95.677068&amp;sspn=23.875,57.630033&amp;hq=&amp;hnear=R%C3%A2mnicu+V%C3%A2lcea,+V%C3%A2lcea,+Romania&amp;ll=45.104546,24.367676&amp;spn=10.932144,17.687988&amp;z=6">Râmnicu Vâlcea</a>, a location that has become synonymous with online auction fraud. In January, <em>Wired</em> published <a title="How a Remote Town in Romania Has Become Cybercrime Central" href="http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1" target="_blank">a fascinating and readable article</a> on how this remote town of 120,000 residents has become cybercrime central, earning the town the nickname &#8220;hackerville.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/07/more-than-100-arrested-in-fake-internet-sales/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>U.S. Government Takes Down Coreflood Botnet</title>
		<link>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/</link>
		<comments>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/#comments</comments>
		<pubDate>Fri, 15 Apr 2011 00:46:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[Andrew Fried]]></category>
		<category><![CDATA[Barry Greene]]></category>
		<category><![CDATA[Bredolab]]></category>
		<category><![CDATA[Coreflood]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[gary warner]]></category>
		<category><![CDATA[kim zetter]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[USDOJ]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=9208</guid>
		<description><![CDATA[The U.S. Justice Department and the FBI this week were granted unprecedented authority to seize control over a criminal botnet that enslaved millions of computers and to use that control to disable the malicious software on infected PCs.

The target of the takedown was "Coreflood," an infamous botnet that first emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began using it to defraud owners of the victim PCs by stealing bank account information and draining balances.]]></description>
			<content:encoded><![CDATA[
<p>The <strong>U.S. Justice Department</strong> and the <strong>FBI</strong> were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.</p>
<div id="attachment_9210" class="wp-caption alignright" style="width: 253px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet.jpg"><img class="size-medium wp-image-9210" title="corefloodbotnet" src="http://krebsonsecurity.com/wp-content/uploads/2011/04/corefloodbotnet-243x300.jpg" alt="Sample network diagram of Coreflood, Source:FBI" width="243" height="300" /></a><p class="wp-caption-text">Sample network diagram of Coreflood, Source:FBI</p></div>
<p>The target of the takedown was &#8220;Coreflood,&#8221; an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.</p>
<p>Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in <a href="http://voices.washingtonpost.com/securityfix/2008/08/online_crime_gang_stole_millio.html" target="_blank">a 2008 story for The Washington Post</a>, this is the same botnet that was used to steal more than $90,000 from <a href="http://www.theregister.co.uk/2005/02/08/e-banking_trojan_lawsuit/" target="_blank">Joe Lopez</a> in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.</p>
<p>By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by <strong>Joe Stewart</strong>, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.</p>
<p>On April 11, 2011, the <strong>U.S. Attorney&#8217;s Office for the District of Connecticut</strong> filed a civil complaint against 13 unknown (&#8220;John Doe&#8221;) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.</p>
<p>The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit <a title="ISC.org" href="http://www.isc.org" target="_blank">Internet Systems Consortium</a> (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.</p>
<p>ISC President <strong>Barry Greene</strong> said the government was wary of removing the bot software from infected machines.</p>
<p>&#8220;They didn&#8217;t want to do the uninstall, just exit,&#8221; Greene said. &#8220;Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we&#8217;re doing until now.&#8221;</p>
<p>No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the <a title="Bredolab Mastermind Was Key Spamit Affiliate" href="http://krebsonsecurity.com/2010/10/bredolab-mastermind-was-key-spamit-com-affiliate/" target="_blank">Bredolab botnet</a> using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft <a title="Microsoft Hunting Rustock Controllers" href="http://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/" target="_blank">took down the Rustock spam botnet</a> by convincing a court to <a title="Homegrown: Rustock Botnet Fed by U.S. Firms" href="http://krebsonsecurity.com/2011/03/homegrown-rustock-botnet-fed-by-u-s-firms/" target="_blank">grant it control over both the botnet&#8217;s control domains</a> and the hard drives used by those control servers.</p>
<p><span id="more-9208"></span><strong>Andrew Fried</strong>, a botnet expert who runs <strong>Deteque</strong>, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. &#8220;We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,&#8221; Fried said.</p>
<p>Greene said the job now falls to ISPs, security firms, and <strong>Microsoft</strong> to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week <a href="http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fAfcore" target="_blank">shipped an update</a> to remove Coreflood from Windows machines of users who take advantage of the <a title="Malicious Software Removal Tool" href="http://www.microsoft.com/downloads/en/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&amp;displaylang=en" target="_blank">Malicious Software Removal Tool</a>, an anti-malware tool offered through Windows Update and Automatic Update that looks for and removes many families of infectious software.</p>
<p>Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com&#8217;s <strong>Kim Zetter</strong> <a title="Wired.com on the Coreflood Takedown" href="http://www.wired.com/threatlevel/2011/04/coreflood/" target="_blank">writes</a> that the <strong>Electronic Frontier Foundation</strong> is uneasy with the government&#8217;s move, which it called &#8220;an extremely sketchy action to take.&#8221; However, as noted cybercrime expert <strong>Gary Warner</strong> points out in <a title="CyberCrime &amp; Doing Time" href="http://garwarner.blogspot.com/2011/04/bold-fbi-move-shutters-coreflood-bot.html" target="_blank">his blog</a>, the government is offering computer users affected by this week&#8217;s takedown the option to &#8220;opt out&#8221; of the terms of the temporary restraining order.</p>
<p>&#8220;The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood,&#8221; the FBI&#8217;s <a title="FBI Statement on Coreflood Action" href="http://www.fbi.gov/contact-us/field/new-haven-connecticut/" target="_blank">press release</a> states. &#8220;<strong>Identified owners of infected computers will also be told how to &#8216;opt out&#8217; from the TRO, if for some reason they want to keep Coreflood running on their computers.</strong>&#8221;</p>
<p><a href="http://www.justice.gov/opa/pr/2011/April/11-crm-466.html" target="_blank">U.S. Justice Department press release</a></p>
<p><a title="Coreflood Complaint - Source FBI" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_4.pdf" target="_blank">Coreflood Complaint (PDF)</a></p>
<p><a title="Coreflood Seizure Warrant (Source FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_2.pdf" target="_blank">Coreflood Seizure Warrant (PDF)</a></p>
<p><a title="Coreflood Temporary Restraining Order (Source: FBI)" href="http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_5.pdf" target="_blank">Coreflood Temporary Restraining Order (PDF)</a></p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Cable: No Cyber Attack in Brazilian &#8217;09 Blackout</title>
		<link>http://krebsonsecurity.com/2010/12/cable-no-cyber-attack-in-brazilian-09-blackout/</link>
		<comments>http://krebsonsecurity.com/2010/12/cable-no-cyber-attack-in-brazilian-09-blackout/#comments</comments>
		<pubDate>Fri, 03 Dec 2010 17:14:34 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[60 Minutes]]></category>
		<category><![CDATA[CBS]]></category>
		<category><![CDATA[ONS]]></category>
		<category><![CDATA[wikileaks]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=6934</guid>
		<description><![CDATA[The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.]]></description>
			<content:encoded><![CDATA[
<p>The Nov. 2009 blackout that plunged millions of Brazilians into darkness for up to six hours was not the result of cyber saboteurs, but instead an unusual confluence of independent factors that conspired to cause a cascading power failure, according to a classified cable from the U.S. embassy in Brazil.</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/12/brazblack.jpg"><img class="alignright size-medium wp-image-6942" title="brazblack" src="http://krebsonsecurity.com/wp-content/uploads/2010/12/brazblack-300x218.jpg" alt="" width="300" height="218" /></a>The <a href="http://213.251.145.96/cable/2009/12/09BRASILIA1383.html" target="_blank">communication</a>, one of roughly 250,000 to be published by <strong>Wikileaks.org</strong>, provides perhaps the most detailed explanation yet of what may have caused the widespread outage, which severed power to 18 of Brazil&#8217;s 27 states, cutting electricity for up to 60 million Brazilians for periods ranging from 20 minutes to six hours. The Nov. 2009 outage was notable because it came just three days after a <strong>CBS</strong> news magazine <strong>60 Minutes</strong> report about a much more severe two-day outage in 2007 that cited unnamed sources <a href="http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml" target="_blank">claiming</a> that the blackout was triggered by hackers targeting electric control systems.</p>
<p>Reports from <a href="http://www.wired.com/threatlevel/2009/11/brazil_blackout/" target="_blank">Wired.com</a> and other news publications quickly challenged that 60 Minutes segment, pointing to previous investigations that suggested a variety of factors contributed to the 2007 incident, including poorly-maintained electrical insulators. But when another outage hit Brazil three days after the CBS report, the coincidence led to more speculation about whether hackers were once again involved.</p>
<p>The cable relates information shared by executives and engineers from Brazil&#8217;s National Operator of the Interconnected Power System (ONS), which &#8220;further ruled out the possibility of hackers because, following some acknowledged interferences in past years, [the Government of Brazil] has closed the system to only a small group of authorized operators, separated the transmission control system from other systems, and installed filters.&#8221; From the cable:</p>
<blockquote><p>&#8220;Coimbra confirmed that the ONS system is a CLAN network [classified local area network] using its own wires carried above the electricity wires. Oliveira pointed out that even if someone had managed to gain access to the system, a voice command is required to disrupt transmission. Coimbra said that while sabotage could have caused the outages, this type of disruption would have been deadly, and investigators would have found physical evidence, including the body of the perpetrator. He also noted that any internal attempts by system employees to disrupt the system would have been easily traceable, a fact known to anyone with access to the system.&#8221;</p></blockquote>
<p>So what did cause the blackout? The cable suggests there were a range of contributing factors and some very bad timing:</p>
<p><span id="more-6934"></span></p>
<blockquote><p>&#8220;Geraldes described the events of November 10 as unusual, not in the interruption of the system, but in the confluence of events that led to the overall catastrophic scale of the blackout. He said that a similar disruption taking out the same line had occurred in the past but the system had been operating in such a way that the flow was redistributed with very little disruption. In the November 10 case, reservoirs were full due to recent abundant rainfalls and the thermal plants, which are often tapped to augment flow, were not operating. The interlinked system which allows electricity from any part of the country to be distributed to any other part was exporting power from the primary hydroplants in the South to the Sao Paulo/Rio region. According to Geraldes, in prior instances, the situation was reversed, with flow exported from Sao Paulo to the south during periods of less plentiful rainfall and the disruption had very little effect on the overall supply.</p>
<p>Grudtner said international standards generally call for a system to have capacity allowing unimpeded operation with one transmission line inoperable. At the time of the incident, the Brazilian system was operating at a capacity of unimpeded operations with two lines down, but the incident took out all three lines feeding into Sao Paulo. Additionally Coimbra pointed out, each of the lines which were disabled have recovery times of ten seconds, but the short circuits occurred within milliseconds of one another, disabling the transmission system with automatic shutdowns before the lines were able to recover. Geraldes called it the worst possible configuration of factors that led to a cascade effect.&#8221;</p></blockquote>
<p>The cable concludes with an acknowledgment that while cyber vulnerabilities may not have been to blame, that shouldn&#8217;t prevent anyone from capitalizing on the <em>threat</em> of a cyber attack on the power infrastructure.</p>
<blockquote><p>&#8220;This would be an excellent occasion to encourage the military to military Communication and Information Security Memorandum of Agreement (CISMOA), noting that although this incident does not appear to have been the result of an attack on the system, such an event is possible and signing this agreement would permit cooperation were one to occur. We could also consider a cybersecurity working group.&#8221;</p></blockquote>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/12/cable-no-cyber-attack-in-brazilian-09-blackout/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Hacked Companies Hit by the Obvious in 2009</title>
		<link>http://krebsonsecurity.com/2010/07/hacked-companies-hit-by-the-obvious-in-2009/</link>
		<comments>http://krebsonsecurity.com/2010/07/hacked-companies-hit-by-the-obvious-in-2009/#comments</comments>
		<pubDate>Wed, 28 Jul 2010 16:40:40 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Bryan Sartin]]></category>
		<category><![CDATA[kim zetter]]></category>
		<category><![CDATA[sql injection]]></category>
		<category><![CDATA[U.S. Secret Service]]></category>
		<category><![CDATA[Verizon 2010 breach report]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=4208</guid>
		<description><![CDATA[As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the <strong>Verizon</strong> <strong>Business RISK</strong> team, which is so chock-full of hype-slaying useful data and conclusions that it is often hard to know what <em>not</em> to write about from the report.]]></description>
			<content:encoded><![CDATA[
<p>As a rule, I tend to avoid writing about reports and studies unless they offer truly valuable and actionable insights: Too often, reports have preconceived findings that merely serve to increase hype and drum up business for the companies that commission them. But I always make an exception for the annual data breach report issued by the <strong>Verizon</strong> <strong>Business RISK</strong> team, which is consistently so chock-full of hype-slaying useful data and conclusions that it is often hard to know what <em>not</em> to write about from its contents.</p>
<p>Once again, some of the best stuff is buried deep in this year&#8217;s report and is likely to be missed in the mainstream coverage. But let&#8217;s get the headline-grabbing findings out of the way first:</p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/07/verizongraf.jpg"><img class="alignright size-medium wp-image-4218" title="verizongraf" src="http://krebsonsecurity.com/wp-content/uploads/2010/07/verizongraf-300x126.jpg" alt="" width="300" height="126" /></a>-Verizon&#8217;s report on 2009 breaches for the first time includes data from the <strong>U.S. Secret Service</strong>. Yet, the report tracks a sharp decline in the total number of compromised records (143 million compromised records vs. 285 million in 2008).</p>
<p>-85 percent of records last year were compromised by organized criminal groups (this is virtually unchanged from the previous report).</p>
<p>-94 percent of compromised records were the result of breaches at companies in the financial services industry.</p>
<p>-45 percent of breaches were from external sources only, while 27 percent were solely perpetrated from the inside by trusted employees.</p>
<p>Among the most counter-intuitive findings in the report?</p>
<p><span class="pullquote">There wasn&#8217;t a single confirmed intrusion that exploited a patchable vulnerability.</span> Rather, 85 percent of the breaches involved common configuration errors or weaknesses that led to things like <a href="http://www.owasp.org/index.php/SQL_Injection" target="_blank">SQL database injection attacks</a>, and did not require the exploitation of a flaw that could be fixed with a software patch. In most cases, the breaches were caused by weaknesses that could be picked up by a free Web vulnerability scanner:</p>
<blockquote><p>&#8220;Organizations exert a great deal of effort around the testing and deployment of patches &#8212; and well they should. Vulnerability management is a critical aspect of any security program. However, based on evidence collected over the last six years, we have to wonder if we&#8217;re going about it in the most efficient and effective manner. Many organizations treat patching as if it were all they had to do to be secure. We&#8217;ve observed multiple companies that were hell-bent on getting patch X deployed by week&#8217;s end but hadn&#8217;t even glanced at their log files in months.&#8221;</p></blockquote>
<p>Speaking of log files, one of the most interesting sections of the 66-page report comes in a sidebar titled &#8220;Of Needles and Haystacks,&#8221; which states that <em>86 percent of all breaches last year could have been prevented if victim companies had simply looked for unusual patterns in the log files created by their Web servers</em>.</p>
<p>&#8220;In 86 percent of these breaches, the victim didn&#8217;t need forensic tools or fancy intrusion detection devices to figure out what happened, because they could read the entire event out of their logs,&#8221; said <strong>Bryan Sartin</strong>, one of the multiple authors of the Verizon report. &#8220;Forensic tools are great for recreating events that aren&#8217;t logged, but in most of the cases last year, the data was all there, they just weren&#8217;t looking at it.&#8221;</p>
<p>Sartin said a common complaint he hears about log files is that they are generally so huge that trying to find signs that someone has broken in by looking at your logs is akin to finding a needle in a haystack. But Sartin notes that &#8212; viewed another way &#8212; the reality is quite the opposite.</p>
<p>&#8220;If you take a 500 gigabyte log of a Web server and scroll down through it real fast, you&#8217;re going to see a pattern of the same old request over and over again. Suddenly, you hit one that&#8217;s formatted completely differently, and instead of being 3 lines it&#8217;s 33 lines long and it contains data that&#8217;s going the other way in the form of error codes. So these are extremely obvious and noisy attacks that you could mitigate simply by looking for them. But for some reason, many organizations still think they have to go out and buy intrusion-detection devices and more things that produce logs, when their underlying problem was that they weren&#8217;t looking effectively at the logs in the first place, and now they&#8217;ve just made the problem worse.&#8221;</p>
<p>A key finding in this year&#8217;s report is that most companies suffering breaches missed obvious signs of employee misconduct &#8211; breaches that were either initiated or aided by employees. Sartin said in almost every case where a breach investigation zeroed in on an employee as the culprit, investigators found ample evidence that the employee had long been flouting the company&#8217;s computer security and acceptable use policies that prohibit certain behaviors, such as surfing porn or gambling Web sites on company time and/or on corporate-issued laptops.</p>
<p>The study found a strong correlation between &#8216;minor&#8217; policy violations and more serious abuse. From the report: &#8220;Based on case data, the presence of illegal content, such as pornography, on user systems (or other inappropriate behavior) is a reasonable indicator of a future breach. Actively searching for such violations rather than just handling them as they pop up may prove even more effective.&#8221;</p>
<p>The Verizon study also takes aim at the hype surrounding the &#8220;advanced persistent threat,&#8221; or APT &#8212; a politically and emotionally charged term that has become virtually synonymous with the term &#8220;cyber war&#8221;. The concept of APT &#8212; which describes attackers who are motivated, skilled, well-funded and patiently directed at compromising a specific target &#8212; is not new, but it came into vogue earlier this year with Google&#8217;s public disclosure that its intellectual property had been stolen in a targeted attack originating from China.</p>
<p>&#8220;Maybe 28 times just in the U.S. alone last year &#8212; we had some company in the oil and gas or other critical infrastructure industry come to us&#8230;[having found] the most rudimentary, nonthreatening virus on their Web server and instantly jumping to the conclusion that some government behind a certain Asian country was hacking into their company to steal their resources,&#8221; Sartin said. &#8220;And more often than not, we were being brought in to prove that it didn&#8217;t happen, when it turns out they were sounding the alarm for all the wrong reasons. We called it out in the report and said, &#8216;Hey guys, thanks for the business, but don&#8217;t believe the hype.&#8217;&#8221;</p>
<p>Anyone seriously interested in understanding what APT is &#8212; and more importantly isn&#8217;t &#8212; should read the <a href="http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1516312,00.html" target="_blank">July cover story</a> of <strong>Information Security Magazine</strong>, a thoughtful and incisive analysis by <a href="http://taosecurity.blogspot.com/2010/07/my-article-on-advanced-persistent.html" target="_self">blogger</a> <strong>Richard Bejtlich</strong>.</p>
<p>Another gem in the report is an appendix compiled by the Secret Service that includes a tale about how one of the most notorious cyber thieves ever arrested was lured to a meeting in Turkey in 2007 where he was arrested by local authorities. Wired.com&#8217;s <strong>Kim Zetter</strong> delves into this revelation in more detail <a href="http://www.wired.com/threatlevel/2010/07/maksik-lured-to-arrest/" target="_blank">here</a>.</p>
<p>The full Verizon breach report is available from <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf" target="_blank">this link</a> (PDF).</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/07/hacked-companies-hit-by-the-obvious-in-2009/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
		</item>
		<item>
		<title>The Wire: Google Security Edition</title>
		<link>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/</link>
		<comments>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:09:13 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[The Wire]]></category>
		<category><![CDATA[chinese dissidents]]></category>
		<category><![CDATA[evgeny morozov]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[idefense]]></category>
		<category><![CDATA[tim hanson]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=451</guid>
		<description><![CDATA[Google has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were targeted attacks against its corporate infrastructure aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>Google</strong> has reportedly stopped censoring Chinese search results for its Google.cn property, in response to what it said earlier this week were <a href="http://www.krebsonsecurity.com/2010/01/hack-against-google-prompts-search-giant-to-stop-censoring-chinese-search-results/" target="_blank">targeted attacks against its corporate infrastructure</a> aimed at Chinese dissident groups. But a security research firm claims the attack that hit Google was part of a larger, unusually sophisticated assault aimed at stealing source code from Google and at least 30 other Silicon Valley firms, banks and defense contractors.</p>
<p>Also, Google switches to &#8220;always on&#8221; encryption for all Gmail users. And some pundits see ulterior motives in Google&#8217;s Chinese hacking disclosure. More after the jump.</p>
<p>In a report released shortly after Google&#8217;s disclosure Tuesday evening, Sterling, Va. based <strong>iDefense</strong> cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a &#8220;drop server&#8221; used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.</p>
<p>iDefense said the attack bears &#8220;significant resemblance&#8221; to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and a similar approach leveraging booby-trapped PDFs sent as e-mail attachments was used in the attack against Google, the report notes.</p>
<p><strong>Kim Zetter</strong> at Wired.com&#8217;s Threat Level blog has a great deal more information in <a href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/" target="_blank">her thorough story</a> on this.</p>
<p>Cynics see all kinds of ulterior motives in Google&#8217;s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. <em>Foreign Policy</em>&#8217;s <strong>Evgeny Morozov</strong> has penned a pair of <a href="http://neteffect.foreignpolicy.com/posts/2010/01/13/doubting_the_sincerity_of_googles_threat" target="_blank">incisive</a> and <a href="http://neteffect.foreignpolicy.com/posts/2010/01/13/google_us_government_love" target="_blank">trenchant</a> opinion pieces speculating that Google&#8217;s move was little more than a calculated PR and business bid to gain market share vis-a-vis China&#8217;s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger <a href="http://1raindrop.typepad.com/1_raindrop/2010/01/cyberattacks-happen.html" target="_blank">Gunnar Peterson</a> pointed my attention to <a href="http://caps.fool.com/Blogs/ViewPost.aspx?bpid=326767&amp;t=01000000000214846910" target="_blank">a piece</a> by <em>Motley Fool</em>&#8217;s <strong>Tim Hanson</strong> that echoes those sentiments.</p>
<p>In apparently related news, Google has <a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html" target="_blank">switched to &#8220;always on&#8221; encryption</a> for all Gmail users, not just for those who have gone out of their way to select the &#8220;always use https://&#8221; option. <a href="http://blog.washingtonpost.com/securityfix/2008/07/gmail_gains_two_new_security_f_1.html" target="_blank">By default</a>, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that Gmail users were popped back into an unencrypted connection unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.</p>
<p>The danger is that there are now free tools that <a href="http://voices.washingtonpost.com/securityfix/2008/08/new_tool_automates_cookie_stea.html" target="_blank">help attackers steal the session cookie</a> that most Webmail providers use to indicate users have already authenticated. Armed with these tools, anyone recording the traffic on the local network would be able to access your Gmail inbox by simply loading that cookie on their machine. While these tools assume the attacker is on the same network as the target, most users do not sign out of Web mail services, and any session cookies that keep users logged in to their Webmail will most likely be transmitted periodically when roving users connect to a wireless network, for example.</p>
<p>Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who&#8217;s Who of more than three dozen high-tech and security experts from industry and academia <a href="http://voices.washingtonpost.com/securityfix/2009/06/top_security_minds_urge_google.html" target="_blank">urged Google to encrypt all Google services</a> by default, noting that tens of millions of consumers now rely on Google for a wide array of services that involve sensitive data, such as Google AdSense, AdWords and Google Health. Still, this is a welcome step that hopefully will be emulated by the likes of Microsoft and Yahoo!, the other two major Webmail providers.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/the-wire-google-security-edition/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>The Wire</title>
		<link>http://krebsonsecurity.com/2010/01/the-wire/</link>
		<comments>http://krebsonsecurity.com/2010/01/the-wire/#comments</comments>
		<pubDate>Tue, 12 Jan 2010 18:43:23 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[The Wire]]></category>
		<category><![CDATA[betonsports]]></category>
		<category><![CDATA[darkreading.com]]></category>
		<category><![CDATA[dino dai zovi]]></category>
		<category><![CDATA[google android]]></category>
		<category><![CDATA[mac os x]]></category>
		<category><![CDATA[online gaming]]></category>
		<category><![CDATA[the register]]></category>
		<category><![CDATA[wired.com]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=364</guid>
		<description><![CDATA[A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order: Proof-of-concept for Mac OS X systems Released Possible Malicious Apps for Google’s Android Phone Online Gaming Exec. Sentenced to 33 Months ‘Massive Cybercrime Conspiracy’ Read after the jump for summaries and links to more information. &#8211;Dan Goodin [...]]]></description>
			<content:encoded><![CDATA[
<p>A periodic pointer to some of the more interesting and newsworthy security news stories. In no particular order:</p>
<p><strong>Proof-of-concept for Mac OS X systems Released</strong><br />
<strong>Possible Malicious Apps for Google’s Android Phone</strong><br />
<strong>Online Gaming Exec. Sentenced to 33 Months</strong><br />
<strong>‘Massive Cybercrime Conspiracy’</strong></p>
<p>Read after the jump for summaries and links to more information.</p>
<p><strong>&#8211;Dan Goodin</strong> from <em>The Register</em> <a href="http://www.theregister.co.uk/2010/01/12/critical_osx_security_bug/" target="_blank">writes</a> that researchers have <a href="http://securityreason.com/achievement_securityalert/63" target="_blank">disclosed</a> a critical vulnerability in the latest version of Mac OS X that they claim Apple has sat on for almost seven months without fixing. The Reg says the flaw “could be exploited by attackers to remotely execute malicious code, and virtually all Apple devices &#8211; including Mac computers and servers, iPhones, and even Apple TV &#8211; are susceptible.” Once again, <a href="http://www.krebsonsecurity.com/2010/01/firm-to-release-database-web-server-0days/">full disclosure in the face of apparent vendor lethargy</a>.</p>
<p>I exchanged e-mails about this threat last night with <strong>Dino Dai Zovi</strong>, probably one of the foremost experts on Mac security. Dai Zovi said while the flaw may be exploitable through a number of third-party applications that run on top of Mac OS X (Firefox, for example), it isn&#8217;t likely we&#8217;ll see this bug being exploited in the wild. &#8220;This vulnerability is more complex than much simpler vulnerabilities in Mac OS X that did not result in widespread exploitation,&#8221; Dai Zovi wrote in an email to KoS. &#8220;There have yet to be any reports of Mac-based malware exploiting a browser vulnerability in order to install itself in the wild. For that reason, I wouldn&#8217;t suggest that Mac users need to take action to protect themselves against this issue at this time.&#8221;</p>
<p>MITRE&#8217;s <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689" target="_blank">writeup</a> on this vulnerability has a nice list of applications that may be a potential way to exploit this flaw.</p>
<p>&#8211;The blogs are abuzz with word of fraudulent apps being posted to the Android Market. The apps, reportedly created by an anonymous developer named “09Droid”, appear to be an attempt to snag online banking credentials from Android users. The <a href="http://www.f-secure.com/weblog/archives/00001852.html" target="_blank">F-Secure blog</a> has a bit more on the nasty apps.</p>
<p>&#8211;The chief executive of an overseas, online gambling operation was sentenced by a U.S. judge to 33 months in prison after pleading guilty to racketeering, <a href="http://www.wired.com/threatlevel/2010/01/online-gambling-boss-sentenced/" target="_blank">writes Wired.com’s Threat Level</a>. The sentence, against David Carruthers, 52, a former executive at BetonSports, comes as U.S. lawmakers consider allowing Internet gambling, even as federal regulators step up enforcement of existing anti-online gaming laws.</p>
<p>&#8211;In other cyber justice news, a federal grand jury in Dallas last Friday <a href="http://www.darkreading.com/security/cybercrime/showArticle.jhtml?articleID=222300407" target="_blank">indicted 19 people</a> in what the government is calling a “massive cybercrime conspiracy” – a Web hosting scam that defrauded both customers and contractors, according to <em>Dark Reading</em>’s <strong>Tim Wilson</strong>. The accused allegedly created a mess of shell companies purporting to be legitimate Web hosting and services providers, and used said companies to collect customer fees, obtain loans, and purchase goods and services. “In the end, many of the customers were left without Web servers, the loans were not repaid, and many contractors &#8212; including colocation service providers such as AT&amp;T and Verizon &#8212; were never paid,&#8221; the indictment says.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/01/the-wire/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

