Chemical Facility Security News
Friday, May 9, 2008
Subject: Potential DHS PHISHING Alert
Time: 10:14:00 AM EDT
Author:  pjcoyle
As I mentioned in yesterday's blog (see: "Update of CSAT Web Page and Manuals"), DHS recently updated its CSAT web site and the manuals that explain how to work with those sites. I have yet to complete my review, but I noticed one thing that I felt required immediate notification: DHS appears to have set itself up for phishing attacks against the chemical facilities registered with CSAT.

On page 8 of the CSAT Account Management User Guide Ver 2.0.a, the new manual explains when CSAT accounts should be updated. Its discussion of expiring passwords (CSAT passwords are only good for 90 days) includes the following:

    • "Two weeks before their CSAT password expires, the user will receive an email instructing them to change their password by directing them to the Account Management System."

Advance notice of a password expiration sounds like a good idea. Chemical facilities will be using the CSAT system infrequently, and the 90-day expiration is shorter than the 120 days many organizations use, so it is very likely that users will try to access the site only after their password has already expired.

The problem is that an email notification like this sets up the possibility of phishing attacks. Someone wanting access to the CSAT system to look at a facility's Top Screen, SVA and Site Security Plan could send out similar emails with a link to a fake CSAT login page. Once the victim's registration information had been captured, the phisher could set up a Reviewer registration for that facility, giving them continuing access to the facility's security information.
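The attack described above hinges on one detail: the email carries a link, and the link does not go where the visible text says it goes. The script below is an added illustration written for this page, not DHS or CSAT code. It parses a constructed password-expiry email, pulls every anchor out of the HTML body, and flags links that are not HTTPS, that do not land on the trusted login host, or whose displayed text names a different host than the real target. The trusted host name, the sample messages and the sender addresses are all assumptions made up for the example.

```python
"""Flag password-expiry emails whose links do not lead to the real login site.

Added example for this post, not DHS/CSAT code. TRUSTED_HOSTS, the sender
addresses and both sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# ASSUMPTION: placeholder for the legitimate login host; replace with the
# address printed in the official CSAT manual before relying on this.
TRUSTED_HOSTS = {"csat.dhs.gov"}

# Anchor text that itself looks like a URL or bare hostname.
_URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_message: bytes):
    """Return [(href, text), ...] from the HTML (or plain) body of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    return collector.links


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True only for the trusted host itself or a subdomain of it.
    'csat.dhs.gov.evil.example' is NOT a subdomain of 'csat.dhs.gov'."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def shown_host(text: str) -> str:
    """Host named by the anchor text if the text looks like a URL, else ''."""
    text = text.strip()
    if not _URL_LIKE.match(text):
        return ""
    return host_of(text if "://" in text else "https://" + text)


def check_links(links):
    """Return (href, reason) findings; an empty list means nothing suspicious."""
    findings = []
    for href, text in links:
        actual = host_of(href)
        if urlparse(href).scheme != "https":
            findings.append((href, "login link is not https"))
        if not is_trusted(actual):
            findings.append((href, f"target host {actual!r} is not a trusted login host"))
        shown = shown_host(text)
        if shown and shown != actual:
            findings.append((href, f"text shows {shown!r} but link goes to {actual!r}"))
    return findings


def assess(raw_message: bytes):
    return check_links(extract_links(raw_message))


# Constructed sample: a lookalike notice of the kind the post warns about.
SAMPLE_PHISH = b"""From: "CSAT Help Desk" <helpdesk@csat-dhs-gov.example>
To: facility-officer@example.org
Subject: Your CSAT password expires in 14 days
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your CSAT password expires in two weeks. Change it now at
<a href="http://csat.dhs.gov.account-login.example/reset">https://csat.dhs.gov/</a>.</p>
</body></html>
"""

# Constructed sample: the same notice with a link that matches its text.
SAMPLE_LEGIT = b"""From: "CSAT Help Desk" <helpdesk@csat.dhs.gov>
To: facility-officer@example.org
Subject: Your CSAT password expires in 14 days
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Change your password at
<a href="https://csat.dhs.gov/">https://csat.dhs.gov/</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(sample))
```

The host comparison deliberately treats `csat.dhs.gov.account-login.example` as untrusted even though it begins with the trusted name; suffix-matching on the registered domain, not prefix-matching, is what catches that trick. A check like this belongs in the mail gateway or user-awareness material, not in the expectation that a facility officer will inspect every link by hand.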

Many security-conscious sites do not send advance notice of password expiration, probably for this very reason. The first time a person signs on after the expiration, they are required to update their password on the site itself. That limits the chance of outsiders gaining access to the system. The practitioner's caveat is that the notice itself is not the weakness; the clickable link is. A notice that tells users to type the known CSAT address into their browser, and that never carries a login link, gives a phisher nothing to imitate.

It might seem that a phisher would have a hard time figuring out to whom to send the phishing email. That has never been a problem for these people: send out thousands of emails, get one or two to the right people, and you have a successful attack. The phisher can then sell the information to an appreciative terrorist organization.

I am surprised and disappointed that the cyber security experts at DHS did not catch this potential problem before this manual saw the light of day.
