Monday, March 18, 2024

Short Takes – 3-18-24

Iceland Volcano Erupts in Plumes of Fire With Little Notice. NYTimes.com article. Pull quote: “Lava fountains burst out of the ground, and a nearly two-mile-long fissure opened up on the Reykjanes Peninsula around 8:30 p.m., the Icelandic Meteorological Office said. The eruption occurred near the town of Grindavik, the Svartsengi Power Plant and the Blue Lagoon, one of Iceland’s most famous tourist attractions.”

US government agencies demand fixable ice cream machines. ArsTechnica.com article. Pull quote: “Every three years, the Copyright Office allows for petitions to exempt certain exceptions to DMCA violations (and renew prior exemptions). Repair advocates have won exemptions for farm equipment repair, video game consoles, cars, and certain medical gear. The exemption is often granted for device fixing if a repair person can work past its locks, but not for the distribution of tools that would make such a repair far easier. The esoteric nature of such "release valve" offerings has led groups like the EFF to push for the DMCA's abolishment.”

NASA investigating 2023 theft of astronaut training devices. FedScoop.com article. Pull quote: “The topic has continued to come up. In 2014, a NASA OIG report found the agency did not, at the time, have an accurate inventory of mobile devices, including tablets. A 2021 NASA OIG report focused on the space agency’s cyber readiness, noting that lost and stolen equipment can be a “common attack vector” for cyber incidents and pointed to hundreds of instances of “loss/theft of equipment” annually.”

Cybersecurity Professional Engineer (my title). LinkedIn.com/Pulse post. Pull quote: “A Cybersecurity Professional Engineer certification would force process change. The Cyber PE is not going to put their signature on anything that leaves them with doubt because their livelihood and freedom are on the line. Just ask any of the other licensed PE disciplines. Want me to sign off on this system implementation? I need visibility and understanding of the design intent, development, and implementation of every element in the system, which means bringing me in when the business idea starts.”

Urban humans have lost much of their ability to digest plants. ArsTechnica.com article. Pull quote: “In addition, many gut bacteria use the energy they get from our food to produce chemicals that are helpful to humans—which may help explain some of the benefits of high-fiber diets. So, while these bacteria may be a minor component of our ability to process food, we may still learn that they make critical contributions to our health.”

Congress scrambles to avert shutdown after weekend delay. TheHill.com article. Pull quote: “Top leaders planned to roll out their funding deal on Sunday, which included a package of five appropriations bills and a continuing resolution to fund DHS through the end of the fiscal year, which ends on Sept. 30. Appropriators had to turn to a stopgap for DHS amid deep disagreements between the two parties over immigration and border security.”

NIST NVD Halt Leaves Thousands of Vulnerabilities Untagged. HackRead.com article. Pull quote: “As pointed out by a report referring to NetRise CEO Tom Pace, only 200 out of 2700 Common Vulnerabilities and Exposures (CVEs) have been enriched. This means over 2500 vulnerabilities added to the database have been uploaded without crucial metadata information.”
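The practical problem behind that quote is that a CVE record without NVD enrichment (no CVSS score, no CWE, no CPE configuration) cannot be matched against an asset inventory by any automated process, so a vulnerability-management pipeline that trusts the feed silently loses coverage. The following script is an added example, not code from the article or from NIST; it assumes the record layout of the NVD API 2.0 /rest/json/cves/2.0 response (a "vulnerabilities" list whose items hold a "cve" object with "vulnStatus", "metrics", "weaknesses" and "configurations" keys) and flags records that are missing any of the three enrichment elements. The feed it runs on is constructed sample data with placeholder ids, not real NVD output.

```python
"""Flag NVD API 2.0 records that lack enrichment (CVSS, CWE, CPE configurations).

Added example; not from the quoted article or from NIST. Assumes the NVD API
2.0 /rest/json/cves/2.0 response shape. SAMPLE_FEED below is constructed
data with placeholder ids (CVE-EXAMPLE-*), not real CVE records.
"""
from dataclasses import dataclass

# Metric keys NVD uses for the CVSS versions it has published over time.
CVSS_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


@dataclass(frozen=True)
class EnrichmentStatus:
    cve_id: str
    vuln_status: str
    has_cvss: bool   # any CVSS metric block, whether NVD- or CNA-supplied
    has_cwe: bool    # at least one real CWE id (not NVD-CWE-noinfo / NVD-CWE-Other)
    has_cpe: bool    # at least one CPE match string under "configurations"

    @property
    def enriched(self) -> bool:
        # Enrichment is what NVD analysts add: a score, a weakness class and the
        # affected products. Missing any of the three breaks inventory matching.
        return self.has_cvss and self.has_cwe and self.has_cpe


def assess(record: dict) -> EnrichmentStatus:
    """Inspect one item of the API's "vulnerabilities" list."""
    cve = record["cve"]
    metrics = cve.get("metrics", {})
    has_cvss = any(metrics.get(key) for key in CVSS_KEYS)

    has_cwe = any(
        desc.get("value", "").startswith("CWE-")
        for weakness in cve.get("weaknesses", [])
        for desc in weakness.get("description", [])
    )

    has_cpe = any(
        node.get("cpeMatch")
        for config in cve.get("configurations", [])
        for node in config.get("nodes", [])
    )
    return EnrichmentStatus(cve["id"], cve.get("vulnStatus", ""), has_cvss, has_cwe, has_cpe)


def triage(feed: dict) -> dict:
    """Split a feed into enriched and unenriched CVE ids plus the unenriched share."""
    statuses = [assess(r) for r in feed.get("vulnerabilities", [])]
    enriched = [s.cve_id for s in statuses if s.enriched]
    unenriched = [s.cve_id for s in statuses if not s.enriched]
    total = len(statuses)
    return {
        "enriched": enriched,
        "unenriched": unenriched,
        "unenriched_share": (len(unenriched) / total) if total else 0.0,
    }


# Constructed sample feed (placeholder ids, not real CVEs).
SAMPLE_FEED = {
    "vulnerabilities": [
        {   # fully enriched by NVD
            "cve": {
                "id": "CVE-EXAMPLE-0001",
                "vulnStatus": "Analyzed",
                "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                               "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
                "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                                "description": [{"lang": "en", "value": "CWE-787"}]}],
                "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                               "cpeMatch": [{"vulnerable": True,
                                                             "criteria": "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"}]}]}],
            }
        },
        {   # published but never analysed: no score, no CWE, no CPE
            "cve": {"id": "CVE-EXAMPLE-0002", "vulnStatus": "Awaiting Analysis"}
        },
        {   # the CNA supplied a score, but NVD added no CWE or CPE data
            "cve": {
                "id": "CVE-EXAMPLE-0003",
                "vulnStatus": "Awaiting Analysis",
                "metrics": {"cvssMetricV31": [{"source": "psirt@example.com", "type": "Secondary",
                                               "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
                "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                                "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}],
            }
        },
    ]
}


if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    print(f"unenriched: {result['unenriched']} ({result['unenriched_share']:.0%})")
```

The third sample record is the case worth watching: a CNA-supplied CVSS score makes the entry look scored in a dashboard, but with no CWE and no CPE data it still cannot be tied to a product, so the check treats it as unenriched. Run the same function over a real API page and the unenriched share is a direct measure of how much of the feed your tooling is currently blind to.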

White House, Johnson close out Homeland Security negotiations holding up final funding deal. Politico.com article. Pull quote: “Legislative text of the six-bill funding bundle is now expected late Tuesday or Wednesday, potentially teeing up a House vote on Friday at the earliest, if Speaker Mike Johnson adheres to a pledge to give Republicans 72 hours to review legislative text. Once the package passes the House, Senate leaders will need consent from all 100 senators to ensure speedy votes on the spending package. That task is already expected to be politically tricky, with Republicans likely to demand a swath of amendment votes on issues ranging from immigration to earmarks.”

Starship successfully makes orbit – but the FAA has grounded it anyway. NewAtlas.com article. Pull quote: “"A return to flight is based on the FAA determining that any system, process, or procedure related to the mishap does not affect public safety," reads the FAA statement. "In addition, SpaceX may need to modify its license to incorporate any corrective actions and meet all other licensing requirements."”

Debris from burning satellites could be affecting Earth's magnetic field. Space.com article. Pull quote: “"Satellites are mostly made of aluminum and aluminum is a superconductor," Solter-Hunt said. "Superconductors are used for blocking, distorting or shielding of magnetic fields. My concern is that at some point in the future, this conductive dust could create some perturbations in the magnetosphere."”

Review – S 3792 Introduced – Technology Workforce

Last month, Sen Peters introduced S 3792, the Technology Workforce Framework Act of 2024. The bill would add the development of workforce frameworks to the description of NIST’s duties, require updating the NICE Workforce Framework for Cybersecurity, and require the development of a new workforce framework for artificial intelligence. No new funding is authorized by this legislation.

Moving Forward

Peters and his sole cosponsor {Sen Schmitt (R,MO)} are members of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I see nothing in this bill that would engender any organized opposition, and I suspect that there would be bipartisan support for it. The bill is not politically important enough to be considered on its own by the full Senate. While it might be able to move forward under the unanimous consent process (a politically fraught process at the best of times), it would be more likely to advance as a floor amendment to a larger bill.


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3792-introduced - subscription required.


VA Adopts CISA’s Software Attestation Form

On Friday, the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved a request for common form (RCF) use from the Department of Veterans Affairs (VA) for the “Secure Software Self-Attestation Common Form”. This CISA-sponsored form was approved last week. Agencies wanting to use the form must now submit a request to OIRA (pg 90) to use that form, providing a one-time burden estimate. The VA is one of the first agencies to complete an RCF for this form.

The VA’s burden estimate (based upon CISA’s estimates of time per response):

Burden Estimate
  Annual Responses: 3,975
  Burden (hrs): 9,632

NOTE: I do not plan on noting each approved RCF for this form.

Saturday, March 16, 2024

Short Takes – 3-16-24

Houthis Threaten to Target Merchant Ships in Indian Ocean. News.USNI.org article. Pull quote: “Their weapons can go at least 650 kilometers, while the drones can go up to 2,000, Ben Taleblu said. But they cannot hit ships that are going around the Cape of Good Hope.”

The first test of a magnetic levitation train on an existing track. TheNextWeb.com article. Not much in the way of tech details. Pull quote: “The maglev journey took place on a railway line near Venice. Across the two-kilometre route, the prototype vehicle hit a speed of 70 km/h. According to IronLev, not a single modification had been made to the track.”

International effort to disrupt cybercrime moves into operational phase. TheRegister.com article. Pull quote: “"This is part of the idea of disruption: it's not only to make an impact, but to send a message back to the cybercriminals that we mean business, and that we can make it more cost prohibitive for them to operate," Manky said.”

Review – Public ICS Disclosures – Week of 2-9-24 – Part 2

For Part 2 we have four additional vendor disclosures from Schneider, Softing, WAGO, and Western Digital. We also have 17 vendor updates from Dell, HP (5), and Siemens (11). There is a researcher report about vulnerabilities in products from FortiGuard. Finally, we have five exploits for products from FortiGuard, Hitachi, Honeywell, Solar View, and VMware.

Advisories

Schneider Advisory - Schneider published an advisory that describes three vulnerabilities in their Easergy T200 RTU product line.

Softing Advisory - Softing published an advisory that describes a missing release of memory after effective lifetime vulnerability in their UA Toolkit and smartLink products.

WAGO Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the WAGO 750-8xx series PLCs.

Western Digital - Western Digital published an advisory that describes an uncontrolled search path element vulnerability in their SanDisk PrivateAccess Desktop App.

Updates

Dell Updates - Dell published an update for their Wyse Password Encoder advisory that was originally published on February 1st, 2019.

HP Update #1 - HP published an update for their Intel 2023.4 IPU advisory that was originally published on December 11th, 2023.

HP Update #2 - HP published an update for their AMI UEFI Firmware advisory that was originally published on January 26th, 2024.

HP Update #3 - HP published an update for their Intel Graphics Drivers advisory that was originally published on November 15th, 2023.

HP Update #4 - HP published an update for their AMD SMM Supervisor advisory that was originally published on December 7th, 2023.

HP Update #5 - HP published an update for their AMD Client UEFI Firmware advisory that was originally published on January 8th, 2024.

Siemens Update #1 - Siemens published an update for their SIMATIC STEP 7 advisory that was originally published on June 13th, 2023.

Siemens Update #2 - Siemens published an update for their SINEC NMS advisory that was originally published on February 13th, 2023.

Siemens Update #3 - Siemens published an update for their Polarion ALM advisory that was originally published on February 13th, 2024.

Siemens Update #4 - Siemens published an update for their OPC UA Implementation advisory that was originally published on September 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #5 - Siemens published an update for their Web Server of Industrial Products advisory that was originally published on December 12th, 2023.

Siemens Update #6 - Siemens published an update for their SIMATIC S7-1500 CPUs advisory that was originally published on December 12th, 2023.

Siemens Update #7 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on December 13th, 2022 and most recently updated on September 12th, 2023.

Siemens Update #8 - Siemens published an update for their GNU/Linux subsystem advisory that was originally published on December 12th, 2023 and most recently updated on February 13th, 2024.

Siemens Update #9 - Siemens published an update for their SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family advisory that was originally published on November 14th, 2023 and most recently updated on December 12th, 2023.

Siemens Update #10 - Siemens published an update for their SIPROTEC 5 Devices advisory that was originally published on April 11th, 2023 and most recently updated on September 12, 2023.

Siemens Update #11 - Siemens published an update for their Simcenter Femap advisory that was originally published on February 13th, 2024.

Researcher Reports

FortiGuard Report - Horizon3 published a report describing six vulnerabilities in the Fortinet FortiWLM product.

Exploits

FortiGuard Exploit - H4x0r-dz published an exploit for an out-of-bounds write vulnerability that is on the CISA Known Exploited Vulnerabilities Catalog.

Hitachi Exploit - Arslan Masood published an exploit for an improper authentication vulnerability in the Hitachi NAS.

Honeywell Exploit - BYTEHUNTER published an exploit for a command injection vulnerability in the Honeywell PM43 industrial printers.

Solar View Exploit - BYTEHUNTER published an exploit for a command injection vulnerability in the Solar View compact product.

VMware Exploit - Abdualhadi Khalifa published an exploit for a missing authentication for critical function vulnerability in the VMware Cloud Director.


For more information on these disclosures, including a brief description of changes in updates, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-5d3 - subscription required.

Chemical Incident Reporting – Week of 3-2-24

NOTE: See here for series background.

Bath, NY – 3-11-24

Local news reports: Here, here, here and here.

Three-alarm fire at manufacturing facility. No injuries were reported. Building destroyed.

Google satellite view does not show any external chemical storage tanks, but there were almost certainly chemicals (drums and tote bins) in the building, making this a chemical fire. Building/business damage is almost certainly >$1 million.

Probably CSB reportable.

Red Oak, IA – 3-11-24

Local news reports: Here, here, and here.

About 1,500 tons of ‘liquid nitrogen’ fertilizer (probably some sort of ammonia compound) leaked from a storage tank at a farm cooperative into the East Nishnabotna River. No injuries reported but large scale fish kills reported miles downstream. Interesting question about how much fish kills ‘cost’ as part of the damage estimate.

Possible CSB reportable.

CRS Reports – Week of 3-9-24 – Change Healthcare

This week the Congressional Research Service (CRS) published a report on “The Change Healthcare Cyberattack and Response Considerations for Policymakers”. The report provides a brief look at the BlackCat ransomware attack on Change Healthcare and the widespread consequences of that attack. It concludes by introducing a new term to cybersecurity considerations: ‘information parity’.

The author makes the point that following the FBI takedown of the BlackCat infrastructure, the ransomware organization re-grouped and encouraged its affiliates to attack hospitals and other healthcare organizations. While a number of hospitals were successfully attacked, the attack that caused the most disruption and political notice was the one on Change Healthcare. Almost certainly, that disruption was because the immediate response to the attack was to shut down all cyber systems to stop the potential spread of the ransomware. As the report notes, there is a similarity here to the attack on Colonial Pipeline: “Both attacks began with ransomware, led the victim to disconnect systems thereby causing operational disruptions, which resulted in physical consequences.” The physical consequences here were to interfere with the delivery of prescriptions to many people across the country.

In addition to a discussion of the policy issues revealed by this attack, the report looks at three information parity problems raised by the incident (information parity here meaning that government agencies have access to the same level of detail about the situation when making agency decisions):

• Coordination of offensive and defensive actions,

• Knowledge of conditions in decision making, and

• Information sharing reach.
