Saturday, September 20, 2014

Bills Introduced – 09-18-14

This is a day late because it took the folks at some extra time to list the 242 bills that were introduced on Thursday. This was the last day that both the House and Senate were scheduled to be in Washington until November 12th so the number of political posturing bills was huge. Of all of those bills it looks like there are five that may be of specific interest to readers of this blog:

HR 5532 Latest Title: To improve the Compliance, Safety, Accountability initiative of the Federal Motor Carrier Safety Administration, and for other purposes. Sponsor: Rep Barletta, Lou (R,PA)

HR 5534 Latest Title: To amend the Safe Drinking Water Act to increase assistance for States, water systems, and disadvantaged communities; to encourage good financial and environmental management of water systems; to strengthen the Environmental Protection Agency's ability to enforce the requirements of the Act; and for other purposes. Sponsor: Rep Tonko, Paul (D,NY)

HR 5593 Latest Title: To amend the Intelligence Reform and Terrorism Prevention Act of 2004 to enhance security clearance investigation procedures, and for other purposes. Sponsor: Rep Gabbard, Tulsi (D,HI)

S 2858 Latest Title: A bill to enhance rail safety and provide for the safe transport of hazardous materials, and for other purposes. Sponsor: Sen Menendez, Robert (D,NJ)

S 2869 Latest Title: A bill to enhance the homeland security of the United States, and for other purposes. Sponsor: Sen Coats, Daniel (R,IN)

The chances are slim that any of these bills will do anything more than take up space in the Library of Congress. I don’t expect that any of them will make it to committee consideration in the lame duck session.

Thursday, September 18, 2014

ICS-CERT Publishes Advantech Advisory

Earlier this evening the DHS ICS-CERT published a new advisory for multiple buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were identified by Ricardo Narvaja of Core Security Technologies in a coordinated disclosure. Advantech has provided a patch to resolve the vulnerabilities and Narvaja has verified the efficacy of the fix.

The eight stack buffer overflow vulnerabilities affect the following parameters:

● NodeName, CVE-2014-0985;
● GotoCmd, CVE-2014-0986;
● NodeName2, CVE-2014-0987;
● AccessCode, CVE-2014-0988;
● AccessCode2, CVE-2014-0989;
● UserName, CVE-2014-0990;
● ProjectName, CVE-2014-0991;
● Password, CVE-2014-0992.

Because exploiting these vulnerabilities would require a social engineering attack, ICS-CERT reports that an exploitation of one of these vulnerabilities could be done remotely, but there would be a reduced likelihood of a successful attack.

Senate Passes HJ Res 124

Earlier this evening the  Senate took up the FY 2015 Continuing Resolution, HJ Res 124 and passed it with a bipartisan vote of 78 to 22. Eight Republicans joined 14 Democrats in voted in voting against the bill. Once the President signs the bill the government will remain funded through December 11th.

As passed the bill has some relatively vague to provisions supporting select anti-Assad rebels. It also includes an extension of the CFATS to that same December date.

There is still a chance that some of the individual spending bills might be taken up after the election, but most will probably be lumped together in an omnibus spending bill.

Wednesday, September 17, 2014

House Amends and Passes HJ Res 124

Earlier this evening the House passed the FY 2015 Continuing Resolution, HJ Res 124, after adopting the only amendment available for consideration. The Syrian rebel aid amendment passed in a by-partisan vote of 273 to 156; more Democrats supported it than there were Republicans who opposed the bill. The final vote was much more bipartisan with a final vote of 319 to 108.

This bill will extend government spending through December 11th. It also extends the CFATS regulations through that date.

The Senate has until September 30th to pass the bill.

ICS-CERT Publishes Yokogawa Advisory

This afternoon the DHS ICS-CERT published an advisory for an authentication vulnerability in the Yokogawa Centum 3000 series. The vulnerability was initially reported by Tod Beardsley of Rapid7 in a semi-coordinated disclosure. It was initially disclosed to Yokogawa (May 1st according to Rapid 7), CERTS (June 25th; presumably Japan-CERT and ICS-CERT?). The semi comes from the publication of a Metasploit module on August 9th and a Defcon presentation at about the same time. No word why ICS-CERT did not produce an alert at that point particularly since it appears that Yokogawa probably had interim mitigation measures available at that time. It could be that Yokogawa, not ICS-CERT was responsible for that decision.

NOTE: The ICS-CERT advisory gives co-discovery credit to Jim Denaro of CipherLaw. According to the Rapid 7 post about this vulnerability it sounds like Denaro was providing legal advice, not technical involvement in discovering the vulnerability.

ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely leak the CENTUM project database location, read and write arbitrary files,

Yokogawa expects to publish patches for the affected projects by the end of this month. The Advisory provides information on interim mitigation strategies.

There is an interesting comment in the Yokogawa report on this vulnerability (pg 2) that did not make it into the ICS-CERT advisory:

“When Yokogawa service personnel perform updating the revision and application the software patch, those charges are borne by the customer.”

I’m hoping that it lost something in translation, but it sure sounds like if Yokogawa has to send out a rep to install their patches, the system owner is going to pay for that service. 

S 2784 Introduced – Rail Safety

As I noted last week Sen. Blumenthal (D,CT) introduced S 2784, the Rail Safety Improvement Act of 2014. The bill would provide authorization for funding various DOT rail safety programs under 49 USC 20117 and adds some new safety requirements; including specific requirements for highly hazardous flammable trains (HHFT).

HHFT Rulemakings

In many ways Section 6 of this bill is a specific authorization for the current HHFT,  HHFT emergency response and train securement rulemakings that are being undertaken by the Pipeline and Hazardous Material Safety Administration (PHMSA) and the Federal Railroad Administration (FRA). There are some significant differences that could affect those rulemaking processes.

One significant affect could be on the timing of those rules. This bill would provide a very short time requirement (180 days for the emergency response {§6(e)(1)} and train securement {§13}) rulemakings and  for DOT to put these rules into place. There is no specific requirement for a deadline on the HHFT regulation process, but the HHFT requirements would become law upon this bill being signed by the President.

DOT could, of course, ignore these time limits as they have done for so many other congressional requirements or they could short-cut the publication and comment provisions of the rulemaking process and institute the provisions as a directed rulemaking. That response would almost certainly be challenged in court.

HHFT Requirements
This bill has some differences from the current PHMSA proposed rule. First it would codify the requirements in 49 USC 5111. It would expand the route notification requirements to include county officials {§5111(b)(1)}, require submission of copies of those notifications to DOT{§5111(b)(2)}, and specifically place those submissions to DOT under the public disclosure requirements of the Freedom of Information Act (5 USC 552). Interestingly, the DOT notification requirements do not apply to the requirement to provide route update information to State and County emergency response officials. It also provides for civil fines of up to $175,000 per day for failure to comply with these requirements {5111(b)(5)},

PTC for Crude Trains

Section 6(d) would amend 49 USC 20157(a)(1) by adding the requirement that any mainline over which “20 or more tank cars loaded with petroleum crude oil” are transported would have to be covered by a positive train control system (PTC). There is no provision changing the time by which that PTC system for these lines would have to be operational so presumably the December 21st, 2015 deadline would still apply. The wording does not seem to require that the 20 cars be in a single train so that further complicates the interpretation of this provision.

Moving Forward

This bill was introduced way too late in this session to be actually considered and passed. While there is a certain amount of political pressure on this issue, I do not believe that it is enough to overcome the political inertia of an election season and a busy lame duck session. This bill or another version of it will almost certainly be re-introduced in the next session.

DHS ‘Access Denied’

Okay DHS web site people, this has gone too far. What is going on with the new standard error message: “Access Denied. You are not authorized to view the web page you are attempting to load.”

I am seeing this crop up on too many public DHS web pages that I routinely check. I know that it is not a mistyping issue; I use a standard list of sites that I prepared and now just click on the links; those links have worked fine in the past.

Now all muckrakers are a tad bit paranoid, so my heart skips a beat when I see this on a new web site. My first thought is always “Have I finally pushed DHS too far?” After I take a quick breath I realize that this is probably just a new default that web site scripters are using for some inexplicable reason. Unfortunately, it seems that once this affliction hits a web site it becomes permanent.

This is currently in use for the following pages: (the one that set me off today);

Let’s get this fixed. Paranoia already afflicts too many people when it comes to DHS operations. We don’t need to expand that list.
/* Use this with templates/template-twocol.html */