Security Roundup for Week Ending Dec. 2: Carrier IQ Stink, SCADA Troubles

If a cyberattack from a hostile foreign source ever hit a public electric or water utility, affecting its industrial control systems and causing America's critical infrastructure to fail, would we even understand that it had happened? We have more doubts than ever after every twist and turn in the saga that began with the Nov. 10 "Public Water District Cyber Intrusion" report from the Illinois Statewide Terrorism & Intelligence Center (STIC), which set off a media firestorm once the report was leaked.

The Illinois STIC report said a cyberattack from Russia had hit an Illinois water facility, causing a water pump to fail. The Department of Homeland Security (DHS) and the FBI, in tandem with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), have since concluded that the Illinois STIC report was in error. It may have been -- it would not be surprising if reasonable doubts remain -- but this episode of intelligence failures and slow response times has laid bare how poorly prepared America is, as Network World Editor in Chief John Dix summarizes in his editorial "The water pump alarm."

This fiasco, which concerns the Curran-Gardner Townships Public Water District in Springfield, Ill., offers a rare glimpse into how the secretive intelligence-gathering "fusion centers" promoted by DHS really operate. It raises the question of whether America's critical-infrastructure response system works at all -- or is in need of critical rethinking.


A mobile privacy firestorm

Beleaguered software vendor Carrier IQ was still denying on Friday that its embedded smartphone application records, stores or transmits personal user information. A number of programmers have been trying to figure out how Carrier IQ's software actually works and what information it accesses, following a series of blog posts by a systems administrator named Trevor Eckhart that purportedly show the CIQ application logging keystrokes and SMS message contents. Eckhart sparked a firestorm of denunciation and outrage, despite the fact that his analysis has received almost no peer review.

AT&T and Sprint confirmed that their mobile phones integrate Carrier IQ, but insist the software is used solely to improve wireless network performance. Phone makers HTC and Samsung said they were integrating the software into their handsets only because their carrier customers were asking for it. Apple said it included the Carrier IQ software in earlier versions of its iOS firmware for devices such as iPhones and iPads, but dropped the code from iOS 5, the most recent version. Verizon, Research In Motion and Nokia have distanced themselves from the software and insist that reports about their devices integrating the tool are false.

Sen. Al Franken (D-Minn.) is demanding that Carrier IQ explain whether its smartphone application is spying on users.

More Duqu for you

One thing of which there is no doubt is that the era of sophisticated malware used in cyberattacks is well underway. The recently discovered Duqu, a Trojan-based botnet that shares some characteristics with the notorious Stuxnet that hit Iranian industrial facilities last year, is being watched by several security firms. Last week, Kaspersky Lab said the hackers behind the Duqu botnet had shut down 12 known command-and-control servers that had been hosted in a number of countries. However, there is a sense that a "modified operation," as one Kaspersky researcher put it, may well be underway.

In other news

- The FBI and the police in the Philippines have jointly busted a ring of four alleged hackers in Manila with connections to a terrorist group in Saudi Arabia, according to the criminal investigation and detection group of the Philippines. The terrorists were apparently targeting AT&T services, though AT&T last week was disputing that, saying it was the phone systems of a number of businesses, including some of its customers, that were targeted.

- TheInfoPro's biannual report on what investments, changes and budgets are anticipated in enterprise security, based on in-depth interviews with 182 IT security professionals at companies representative of the Fortune 1000, offers a popularity snapshot of security vendors.

- Startup Agari made its debut this week with email security services aimed at letting businesses operating online protect their email domain names from exploitation and abuse by scammers and fraudsters. The Agari technology is being backed by AOL, Google, Microsoft and Yahoo Mail. Facebook is said to be among the first big customers of the service.

Security notes

- There are some special considerations around attacks on IPv6-based networks; our article on that topic explains them.

- Also, if cloud security is your main concern, here's a checklist that could help.

- Wondering how truly horrendous the security situation has been throughout 2011? Well, our annual "security snafus" story recounts for you the biggest incidents, meltdowns, lapses and service collapses we noticed during the past year. And of course, we still have a few weeks left to go ...


Copyright © 2011 IDG Communications, Inc.
