As I mentioned in yesterday’s blog (see: "Update of CSAT Web Page and Manuals"), DHS recently updated their CSAT web site and the manuals that explain how to work with it. While I have yet to complete my review, I did notice something that I felt required immediate notification. It looks like DHS has set itself up for potential phishing attacks on chemical facilities registered with CSAT.
On page 8 of the CSAT Account Management User Guide Ver 2.0.a the new manual explains when CSAT accounts should be updated. It includes the following information in its discussion about expiring passwords (CSAT passwords are only good for 90 days):
- "Two weeks before their CSAT password expires, the user will receive an email instructing them to change their password by directing them to the Account Management System."
It sounds like a good idea to provide advance notice of the expiration of a password. Chemical facilities will be using the CSAT system infrequently, and the password expiration time is shorter than the typical industry standard of 120 days. It is very likely that users will try to access the site after their password has expired.
The problem is that an email notification like this sets up the possibility of phishing attacks. Someone wanting to get access to the CSAT system to look at a facility's Top Screen, SVA and Site Security Plan could send similar emails out with a link to a fake CSAT site. Once the registration information was received, the phisher could set up a Reviewer registration for that facility, allowing future access to facility security information.
Most secure sites do not provide advance notice of password expiration, probably for this very reason. The first time that a person signs onto the site after the expiration they are required to update their password. That limits the chance of outsiders gaining access to the system.
It would seem that a phisher is going to have a hard time figuring out to whom to send the phishing email. That has not been a problem for these people. You send out thousands of emails; if one or two reach the right people, you have a successful attack. The phisher can then sell the information to an appreciative terrorist organization.
I am surprised and disappointed that the cyber security experts at DHS did not catch this potential problem before this manual saw the light of day.