Archive for the ‘Cyber security’ Category

From the Black Hat Europe security conference in London: researchers create an undetectable rootkit that targets industrial equipment

Eric De Grasse
Chief Technology Officer

7 November 2016 – Last week two researchers at the Black Hat Europe security conference in London revealed a method of infecting industrial equipment with an undetectable rootkit component that can wreak havoc and disrupt the normal operations of critical infrastructure all over the world. The attack targets PLCs (Programmable Logic Controllers), devices that sit between the ordinary computers that run industrial monitoring software and the actual industrial equipment, such as motors, valves, sensors, breakers, alarms, and others.

Researchers say they packaged their attack as a loadable kernel module, which makes it both undetectable and reboot-persistent. The attack goes after PLC pin configurations, meaning the PLC won’t be able to tell which are the actual input and output pins, giving the attacker full control to make up bogus sensor data, send fake commands, or block legitimate ones.

The researchers acknowledge that the attack is extremely complicated, but the article argues it would still be of interest to a state-sponsored actor.

There are 1,000+ U.S. spies protecting the Rio Olympics

6 August 2016 – U.S. intelligence agencies have assigned more than 1,000 spies to security at the Rio 2016 Summer Games. NBC News reports:

“The classified report outlines an operation that encompasses all 17 U.S. intelligence agencies, including those of the armed services, and involves human intelligence, spy satellites, electronic eavesdropping, and cyber and social media monitoring. Areas of cooperation include vetting 10,000-plus athletes and 35,000-plus security and police personnel and others; monitoring terrorists’ social media accounts; and offering U.S. help in securing computer networks, the review shows. ‘U.S. intelligence agencies are working closely with Brazilian intelligence officials to support their efforts to identify and disrupt potential threats to the Olympic Games in Rio,’ said Richard Kolko, a spokesman for National Intelligence Director James Clapper.”

How the U.S. uses “stealth” submarines to cyber hack other countries

1 August 2016 – When the Republican presidential nominee Donald Trump asked Russia — wittingly or otherwise — to launch hack attacks to find Hillary Clinton’s missing emails, it stirred a commotion. Russia is allegedly behind the DNC’s leaked emails (see our boss’ take on all of this here).

 

But The Washington Post is reminding us that the U.S.’s efforts in the cyber-security world aren’t much different. From the report:

The U.S. approach to this digital battleground is pretty advanced. For example: Did you know that the military uses its submarines as underwater hacking platforms? In fact, subs represent an important component of America’s cyber strategy. They act defensively to protect themselves and the country from digital attack, but — more interestingly — they also have a role to play in carrying out cyberattacks, according to two U.S. Navy officials at a recent Washington conference. “There is a — an offensive capability that we are, that we prize very highly,” said Rear Adm. Michael Jabaley, the U.S. Navy’s program executive officer for submarines. “And this is where I …

The Super Bowl … the biggest national security event of the year

2 February 2016 – Super Bowl 50 will be big in every way. A hundred million people will watch the game on TV. Over the next ten days, 1 million people are expected to descend on the San Francisco Bay Area for the festivities.

And, according to the FBI, 60 federal, state, and local agencies are working together to coordinate surveillance and security at what is the biggest national security event of the year.

Previous years’ Super Bowl security measures have included WMD sensors, database-backed facial recognition, and gamma-ray vehicle scanners. Given the fears and cautions in the air about this year’s contest, it’s easy to guess that the scanning and sensing will be even more prevalent this time.…

At how much risk is the U.S.’s critical infrastructure, really?

23 January 2016 – There is growing evidence that intrusions into the power grid and other critical infrastructure by hostile foreign nation states are real and happening. But there’s “much less agreement over how much of a threat hackers are,” writes Taylor Armerding. “On one side are those – some of them top government officials – who have warned that a cyber attack on the nation’s critical infrastructure could be catastrophic,” writes Armerding.

Others are crying FUD, including C. Thomas, a strategist at Tenable Network Security, who got some attention when he argued in an op-ed that the biggest threat to the U.S. power grid is not a skilled hacker, but squirrels.

Who has it right? Agreement seems to coalesce around two points:

1) the cyber security of industrial control systems remains notoriously weak, and

2) hostile hackers will improve their skills over time.

So, while we haven’t reached “catastrophe” yet, a properly motivated terrorist group could become a cyber threat.

Preparing countermeasures for terror attacks using drones

13 January 2016 – You can add terrorist-controlled drones to the list of dangers we need to be prepared for, says the Oxford Research Group.

Its new report contains information about over 200 current and upcoming unmanned aerial, ground and marine systems, and evaluates their capabilities for delivering payloads (e.g. explosive devices), imaging capabilities (e.g. for reconnaissance purposes), and their general capabilities. Even though the report notes that commercial drones have a limited flight time, range of movement, and payload capacity, and that their operators still have to be relatively close to a potential target, the researchers are particularly worried about the possibility of drones being used as remotely controlled explosive devices. They say, “The technology of remote-control warfare is impossible to control; the ultimate defense is to address the root drivers of the threat in the first place.”…

The top programming languages that spawn the most security bugs

5 December 2015 – Veracode has put together a report after static analysis of over 200,000 apps, and its results show that Classic ASP, ColdFusion, and PHP generated the most security bugs in scanned applications. Ignoring the first two, which are almost extinct languages, PHP, used for Drupal, Joomla, and WordPress (which recently announced it runs a quarter of the Internet), is the programming language with the most security woes.…

Chinese hackers targeted insurer … to learn about the U.S. healthcare system

30 October 2015 – When Anthem revealed a data breach that exposed the details of more than 80 million people, the incident raised a lot of questions: who would conduct such a hack against a health insurance firm? Investigators finally have some answers… and they’re not quite what you’d expect. Reportedly, the culprits were Chinese hackers helping their nation understand how US medical care works. It may be part of a concerted campaign to get ready for 2020, when China plans to offer universal health care.

Next, maybe we should outsource politicians from China to fix our healthcare system.

Experts: “We have no confidence that we can protect cars and streets from hackers”

18 October 2015 – Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits, but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they’ll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office:

“The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. … At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing ‘a more active leadership role’ for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational.”


Stealing passwords from the cloud. Scary stuff from Las Vegas …

Gregory P. Bufithis

Eric De Grasse

 

7 October 2015 – Thousands of cloud fanatics have descended on Las Vegas this week for Amazon Web Services’ re:Invent conference. One item that grabbed our attention was an announcement by a group of researchers from Massachusetts who published a proof of concept that uses a flaw in AWS virtual machines to steal their RSA cryptographic keys. The flaw has since been patched, but according to the researchers we really need to think more seriously about security in the cloud.

 

The group of professors … at Worcester Polytechnic Institute … demonstrated in a recently published paper named “Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud,” a proof of concept hack of secret cryptography keys used in an AWS virtual machine. The now-patched flaw – which was not specific to AWS — showed that a hacker could theoretically gain a user’s secret keys that are used to encrypt sensitive data.

 

Security experts say the risk of this specific attack being used is quite low …