Security Watch: Electric Bills May Carry Security Charge; Verizon Wireless Is Off the Hook

News Analysis: Columnist Larry Loeb finds hidden charges lurking in the latest U.S. energy legislation, and all-too-available billing information on Verizon Wireless' Web site. And online gambling sites have been paying a wholly different kind of s

  • Power to the People

The energy bill signed into law last week by President Bush has some large security implications for power companies.

The feds will be able, according to the law, to enforce some new (and more stringent) security standards developed by NERC (the North American Electric Reliability Council) based in Princeton, N.J.

NERC has been developing standards, called CIP-002 through CIP-009, for the last two years, with the third draft of these standards being the latest one out.

They call for a reliability organization to be established that will audit the physical and cyber assets of the regional power grids that deliver power.

Though some progress has been made in the last few years by the grids in identifying their most critical assets, the new standards will apply security principles to facilities that were never built with security as a design parameter.

While disruptions of power are not to be expected, rate increases by the operators might follow due to increased administrative overhead.

  • Anarchy in the United Kingdom

This fifth public edition of the UKTA (United Kingdom Threat Assessment) describes and assesses the threats to the United Kingdom from "serious organized crime," and looks at how they are likely to develop. The 3MB PDF file was released to the public last week, and is available here.

Section 8 on "Hi-Tech Crime" will be the most interesting to those in the IT field, as it describes how DDoS (distributed denial-of-service) attacks coordinated by Russian crews were used to extort payoffs from e-gambling sites.

First, the crew zombied PCs with a virus, then turned the slave machines into e-mail-generating botnets which flooded the target with 200K e-mails per second. That's the equivalent of 3-4G bits per second.

The crews did this for two or three days and then offered to stop for the low, low price of $5,000. Since the gambling sites were losing $100,000 per hour of downtime, the crews got paid.

But the report notes that some of the crews have offered to sell their DDoS capabilities to others for about $100 a day. I guess you can buy a lot of Doritos and soda for that kind of money.

  • Can You Hack Me Now?

Verizon Wireless' Web site is now (supposedly) fixed after Jonathan Zdziarski of Milledgeville, Ga. discovered that he could access other subscribers' information through use of the "My Account" feature of the Web site.

Zdziarski said he found that just by entering a phone number into one portion of the site, he could obtain the remaining airtime minutes for the number as well as the minutes used in the current billing cycle.

Zdziarski also said he could get to account balances and the date of the most recent payment, which Verizon says it could not confirm.

Verizon also could not confirm Zdziarski's claim that he could transfer one account to another using "cloning," which maps existing phones to new handsets. This would allow an interloper to charge calls to another person's account. The feature seems to have been taken offline by Verizon.

The site has been active for 5 years, and there is no estimate forthcoming from Verizon as to how long the "glitches" have been available for exploit.
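The flaw described above is a missing object-level authorization check: the site trusted a submitted phone number as proof of ownership. The following is an added illustration, not Verizon's code, contrasting that lookup with one bound to the logged-in user; the account records, session model, and function names are all constructed for the example.

```python
# Added illustration (not Verizon's code): an account-lookup handler modeled on
# the "My Account" flaw. Records, session model and names are constructed.

# Constructed subscriber records keyed by phone number.
ACCOUNTS = {
    "2025550101": {"owner": "alice", "minutes_left": 312, "minutes_used": 188,
                   "balance": 54.20, "last_payment": "2005-07-28"},
    "2025550102": {"owner": "bob", "minutes_left": 40, "minutes_used": 460,
                   "balance": 91.75, "last_payment": "2005-07-15"},
}

# Denied lookups are recorded so a burst of refusals from one session can be
# spotted in monitoring (constructed in-memory stand-in for an audit log).
DENIED_LOOKUPS = []


def _public_view(rec):
    """Fields the page says were exposed, minus the owner identifier."""
    return {"minutes_left": rec["minutes_left"],
            "minutes_used": rec["minutes_used"],
            "balance": rec["balance"],
            "last_payment": rec["last_payment"]}


def lookup_vulnerable(session_user, phone):
    """Trusts the submitted phone number alone, so whoever reaches the form
    sees any subscriber's data. session_user is accepted but never consulted."""
    rec = ACCOUNTS.get(phone)
    return _public_view(rec) if rec is not None else None


def lookup_hardened(session_user, phone):
    """Object-level authorization: the number must belong to the authenticated
    user. Returns None on any refusal, without revealing whether the number
    exists, and records the refusal for detection."""
    if session_user is None:
        DENIED_LOOKUPS.append((None, phone, "no session"))
        return None
    rec = ACCOUNTS.get(phone)
    if rec is None or rec["owner"] != session_user:
        DENIED_LOOKUPS.append((session_user, phone, "not owner"))
        return None
    return _public_view(rec)


def denied_count_for(session_user):
    """Number of refused lookups from one session; a simple enumeration signal."""
    return sum(1 for u, _, _ in DENIED_LOOKUPS if u == session_user)
```

In the hardened form the phone number never acts as a credential; it is only ever compared against the identity already established by the session.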

Check your bills, kiddies.

