Joe Strusz

OpenSSL has released a security advisory to address multiple vulnerabilities. These vulnerabilities may allow an attacker to cause a denial-of-service condition or bypass security restrictions in affected applications.

US-CERT encourages users and administrators to review the OpenSSL security advisory. Because OpenSSL is widely redistributed, users should check for updates from their operating system vendors and vendors of other products using OpenSSL. Users of OpenSSL from the original source distribution should upgrade to OpenSSL 0.9.8k.

Full Text Advisory Here: http://www.openssl.org/news/secadv_20090325.txt

Source: http://www.us-cert.gov

A recently proposed but little-noticed Senate bill would allow the federal government to shut down the Internet in times of declared emergency, and enables unprecedented federal oversight of private network administration.

The bill’s draft states that “the president may order a cybersecurity emergency and order the limitation or shutdown of Internet traffic” and would give the government ongoing access to “all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access.”

Authored by Democratic Sen. Jay Rockefeller of West Virginia and Republican Olympia Snowe of Maine, the Cybersecurity Act of 2009 seeks to create a Cybersecurity Czar to centralize power now held by the Pentagon, National Security Agency, Department of Commerce and the Department of Homeland Security.

While the White House has not officially endorsed the draft, it did have a hand in its language, according to The Washington Post.

Proponents of the measure stress the need to centralize cybersecurity of the private sector. “People say this is a military or intelligence concern,” says Rockefeller, “but it is a lot more than that. It suddenly gets into the realm of traffic lights and rail networks and water and electricity.”

Snowe added, “America’s vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today. Importantly, this legislation loosely parallels the recommendations in the CSIS [Center for Strategic and International Studies] blue-ribbon panel report to President Obama and has been embraced by a number of industry and government thought leaders.”

Critics decry the broad language, and are watchful for amendments to the bill seeking to refine the provisions. According to opencongress.com, no amendments to the draft have been submitted.

Organizations like the Center for Democracy and Technology fear if passed in its current form, the proposal leaves too much discretion of just what defines critical infrastructure. The bill would also impose mandates for designated private networks and systems, including standardized security software, testing, licensing and certification of cyber-security professionals.

“I’d be very surprised if it doesn’t include communications systems, which are certainly critical infrastructure,” CDT General Counsel Greg Nojeim told eWEEK. “The president would decide not only what is critical infrastructure but also what is an emergency.”

Adds Jennifer Granick, civil liberties director of the Electronic Frontier Foundation, “Essentially, the Act would federalize critical infrastructure security. Since many systems (banks, telecommunications, energy)are in the hands of the private sector, the bill would create a major shift of power away from users and companies to the federal government.”

My Google AdWords balance this past two months has peaked at 10 dollars and some change. I’m wondering if they disregard repeat traffic for matched ads. It seems most of my site viewers are all return visitors being family and friends and all. We’ll see if we cant use this site to drive more targeted results.

Check this post often, and I’ll update the situation. Any amount of money is good of course, however more money is always better. ;-)

Ad-Free for now of course. More stuff to come.

They’re baaaack.

Those impish Chinese government cyber-saboteurs we last saw posing as 20-foot high trees to trigger the 2003 northeast power outage have returned in an all new adventure, this time in the pages of the Wall Street Journal.

In this episode, the clever hackers have teamed with the Russians to penetrate the U.S. electrical grid from coast-to-coast, planting diabolical malware designed to let them plunge portions of America into darkness with a few keystrokes, the paper reports.

The real authors of this tale are unnamed “U.S. intelligence officials,” perhaps the same ones who claimed last year that the Chinese government may have caused the 2003 blackout that cut off electricity to 50 million people in eight states and a Canadian province.

Sadly, this new installment doesn’t contain the kind of juicy details that made the previous one so easy to debunk. In fact, it contains almost no details at all. The attacks are “pervasive,” and yet not a single utility company is named as a victim. Even better, the blackout-triggering malware hasn’t been spotted by the companies — which explains perfectly why this is the first we’ve heard of it. Only America’s intelligence community has seen the code. They could show us, but then they’d have to kill us.

The unspoken lesson here is obvious: Chinese Superhackers Are Our Superiors. No, wait. That’s not it. I know … Only the intelligence agencies are equipped to protect us from foreign cyber attacks.

It’s an unusually opportune time for this revelation, since the NSA is at this very moment jockeying to take over cyber security from DHS, which lacks the wholesale warrantless-wiretapping capabilities needed to detect Chinese hackers. What a lucky coincidence of timing that this exciting, if uncheckable, story should emerge now.

Source: http://www.wired.com