SANS ISC: InfoSec Handlers Diary Blog

Electric Grid in US Penetrated by Spies

Published: 2009-04-08
Last Updated: 2009-04-08 20:17:17 UTC
by Joel Esler (Version: 2)
5 comment(s)

Many readers sent this article in this morning.  Thanks to our readers!

According to this article in the Wall Street Journal, apparently, the U.S. Electrical Grid has been intruded upon by Spies from China, Russia, and "other countries".

Now for those of us in the security space, this should be nothing too terribly alarming.  We know this has happened before, in fact, I am quite sure we have written about it here on the Internet Storm Center.

According to a chart that is on the article, the number of reported cybersecurity breaches in the US has risen.  Now, I look at this graph and I say to myself, "number of reported", not "number of actual".  Meaning there were probably many more, and in previous years, not reported.  So I take that graph with a grain of salt.  However, it does make an important point. 

Security awareness is very high right now, and a lot of money is being spent on it, according to the article "under the Bush Administration, Congress approved $17 Billion in secret funds to defend government networks.  The Obama Administration is weighing whether to expand the program to address vulnerabilities in private computer networks."

Update:  Many people have written in today about this article either agreeing or disagreeing; however, a couple of emails really stood out to me.

One email stated that the power systems we have in place today are run by knobs and switches.  Mostly built in the 70's and 80's, these power stations are mostly run by manual intervention.  The power stations that _have_ been stood up since then, a couple of nuclear power stations, are federally regulated to not have any connections to anything, let alone the Internet.

Since this particular email comes from a very trusted source, I am inclined to believe this person.  Is it possible that there ARE computers in power stations that are connected to the Internet?  Yes, I am quite sure there are.  However, is it possible that the computer or computers (if there are any) that actually CONTROL the power are connected to the Internet?  I tend not to believe that.

-- Joel Esler


Snort 2.8.4 upgrade is out -- Upgrade now!

Published: 2009-04-08
Last Updated: 2009-04-08 13:30:34 UTC
by Joel Esler (Version: 2)
0 comment(s)

We over at Sourcefire (yes, I work for Sourcefire in case you don't know by now!) have been putting the word out for a couple months now about the Snort 2.8.4 upgrade, how it's very important, and you need to go upgrade now.

Well yesterday, after months and months of hard work, Sourcefire released SEU 216 for their Intrusion Prevention System customers and Snort 2.8.4 hit the Open Source community at the same time. 

"Okay, so why is this so important?!" you may be asking.

For a while now, a lot of NetBIOS flow tracking has been done with our rules language.  This results in hundreds of rules to do flow tracking for a particular exploit.  For example, for the rules that detect the exploit that Conficker uses (MS08-067), before the preprocessor there were 168 rules.  Introduced in 2.8.4 is a new target-based DCE/RPC preprocessor, called "DCE/RPC2".  This preprocessor does much of the flow tracking internally and provides rule options that rule writers can call.  So, after the new NetBIOS rules go out (in the next few days, according to ), the number of MS08-067 rules will be reduced to 2.

For instance, the old netbios rule file:

# wc -l  netbios.rules
5828 netbios.rules

The new:

# wc -l netbios.rules
122 netbios.rules


So this is great!  However, the warning about this is that VRT is no longer providing the "old" method of rule updates for NetBIOS vulnerabilities.  So, unless you are on Snort 2.8.4, you will no longer receive updates to protect you against the current NetBIOS threats.  If you are a VRT rules subscriber who relies on those same-day rule releases, you need to update now.  If you are just a regular subscriber who gets the rule updates after 30 days, you have 30 days to upgrade.  But I would suggest getting started on it now, as you will have to modify your snort.conf file.
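As an added illustration (not from the diary, and not the VRT rule set or a snort.conf shipped by Sourcefire), here is the shape of the snort.conf change the upgrade requires: the old dcerpc preprocessor comes out, the new target-based dcerpc2 preprocessor goes in, and a rule can then lean on the preprocessor's dce_iface / dce_opnum / dce_stub_data options instead of tracking the NetBIOS session by hand. The network, OS policies, sid and message are made up for the example; the srvsvc interface UUID is the well-known one that MS08-067 detection keys on, and the opnum is the value this example assumes for the NetPathCanonicalize request.

```snort
# Added example snort.conf fragment for a Snort 2.8.4 upgrade (illustrative;
# hosts, policies and the rule below are constructed for this example).

# 1. The old and new preprocessors are mutually exclusive: delete any line
#    that still reads "preprocessor dcerpc: ..." before enabling dcerpc2.

# 2. Global DCE/RPC2 settings: memory cap (in KB) and which alert classes
#    the preprocessor itself may raise (SMB, connection-oriented, connectionless).
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]

# 3. Default server policy. This is the "target-based" part: the policy tells
#    the preprocessor how the protected hosts reassemble SMB and DCE/RPC, so
#    evasions that rely on OS-specific parsing differences are decoded the way
#    the target would decode them. WinXP is an assumed default for this network.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    no_autodetect_http_proxy_ports

# 4. A host group with a different policy (an assumed Samba file-server subnet).
preprocessor dcerpc2_server: net 192.168.10.0/24, policy Samba, \
    detect [smb [139,445]]

# 5. Example rule using the new rule options. dce_iface matches the interface
#    UUID bound on this session (srvsvc here), dce_opnum matches the operation
#    number of the request, and dce_stub_data positions later content matches at
#    the start of the decoded stub, so the rule no longer has to model SMB
#    fragmentation, tree/file ids or bind state itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( \
    msg:"EXAMPLE NETBIOS SMB srvsvc NetPathCanonicalize request"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:31; \
    dce_stub_data; \
    classtype:attempted-admin; sid:9000001; rev:1;)
```

Two things worth checking after the edit: snort -T against the new configuration will refuse to start if both dcerpc and dcerpc2 are present, and the policy value should match what is actually deployed on each subnet, since a wrong target policy is exactly the gap that evasion traffic slips through.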

If you are using a package or port (Debian, Ubuntu, FreeBSD, etc.), I would suggest downloading Snort from source and compiling the old-fashioned way.  Hopefully the package maintainers will update their packages soon.  (Although Sourcefire does provide some binaries for Linux.)

While this is certainly the biggest update to Snort 2.8.4, there are several more (This is brought over from

- Support for IPV6 in Frag3 and all application preprocessors

- Improved Target-based support in preprocessors.

- Option to automatically pre-filter traffic that is not inspected in order to improve performance.

- Plus some other improvements and fixes; for the full changelog, please go here

So in case you haven't heard me say it enough in this diary, Update!

-- Joel Esler

