STE WILLIAMS

Russia’s national vulnerability database is a bit like the Soviet Union – sparse and slow

Russia’s vulnerability database is much thinner than its US or Chinese counterparts, but does contain a surprisingly high percentage of security bugs exploited by its cyber-spies.

Recorded Future’s Priscilla Moriuchi and Dr Bill Ladd found the database is highly focused yet incomplete, slow and “likely intended to support the control of the Russian state over technology companies and users”.

Over the last year or so, the threat intel firm has examined the publication speeds, missions and utility of the national vulnerability databases (NVDs) of two countries: China and the United States. The researchers then decided to apply the same analytic techniques to Russia’s vulnerability database.

Generally, Russia publishes only 10 per cent of known vulnerabilities, is on average 83 days slower than China’s NVD and 50 days slower than the US version. Aside from being slow, the database is incomplete in the few technologies it does cover.

Russia’s NVD is run by the Federal Service for Technical and Export Control of Russia (FSTEC), a military organisation with a closely defined mission to protect the state’s critical infrastructure systems and support counterintelligence efforts. It’s all about state security, unlike its counterparts in the US or China, which claim a public service mission.

“FSTEC is not vastly under-resourced for its mission and that reporting only 10 per cent of published vulnerabilities is a function of choice and not due to resource constraints,” Recorded Future said.

Comparison of disclosure delay in days between different NVDs [source: Recorded Future]

“FSTEC’s primary focus is on technical control of the domestic information and technology environment, which is a much broader mission than CNITSEC’s [its Chinese equivalent].”

FSTEC only began publishing vulnerability data in 2014, roughly 15 years after the US NVD was established.

FSTEC’s NVD is also known as the BDU (Банк данных угроз безопасности информации, or “Data Security Threats Database”). The BDU has published only 11,036 vulnerabilities of the 107,901 reported by the US database (or approximately 10 per cent). FSTEC has made no claim that its database is exhaustive nor aimed at consumers or mainstream business. The focus is on vulnerabilities for information systems used by the state and in “critical facilities”.

Three in five (61 per cent) of the vulnerabilities exploited by Russian state-sponsored groups have been published on FSTEC’s NVD. “This is substantially above the norm of 10 percent; however, the data is insufficient to determine the influence of Russian intelligence services on FSTEC publication,” according to Recorded Future. “The few vulnerabilities it does publish tell us more about FSTEC’s mission and Russian state information systems than the intentions of the Russian military for offensive cyber operations.”

Recorded Future ran an analysis of all vulnerabilities exploited by Russian APT (advanced persistent threat) groups in the last four years.

Utilizing only vulnerabilities with a CVE number and those which were also published by US NVD and CNNVD, we identified 49 vulnerabilities that had been utilized by Russian APT groups in that timeframe.

Thirty of those 49 vulnerabilities, or 61 per cent, were published by FSTEC. This is substantially higher than FSTEC’s average of 10 per cent. Further, 18 of those 30 published vulnerabilities have been exploited by APT28, which has been attributed to the Russian military’s Main Intelligence Directorate (GRU). This amounts to FSTEC publishing 60 per cent of vulnerabilities exploited by the Russian military. This is far outside FSTEC’s statistical average of 10 per cent.

FSTEC BDU entry for CVE-2018-8148, a typical entry in Russia’s vulnerability database

FSTEC has populated the BDU database with vulnerabilities that primarily present a threat to Russian state information systems. This bias created a means for security researchers to infer the technologies used on Russian government networks.

Linux, Microsoft, Novell and Apple were far better covered than IBM and Huawei, for example. Almost half of all Adobe flaws cropped up in the Russian database. Even many critical or high-risk Adobe bugs – fodder for cyber-spies and ordinary criminals alike – were omitted. The same or even patchier coverage applied to browser flaws and Microsoft Office exploits.

FSTEC has stated that the database “contains information about the main threats to information security and vulnerabilities, primarily those characteristic of state information systems and automated systems for managing production and technological processes of critical facilities”, according to a translation sourced by Recorded Future.

Vulnerabilities like these are exploited by hacking tools and intelligence agencies worldwide to spy on foreign governments and businesses. Recorded Future concluded that Russia has a markedly different philosophy on indexing bugs than the Chinese, for example.

“The public record and available data is not yet sufficient to determine the relationship between FSTEC and Russian state-sponsored cyber operations,” the firm said. “However, it is clear that FSTEC’s vulnerability database is utilised by Russian intelligence services in a different manner than CNNVD is by Chinese intelligence. In China, CNNVD delays or hides the publication of vulnerabilities being used by the intelligence services, while in Russia, it is possible that FSTEC publishes vulnerabilities being used by the intelligence services in order to protect against them.”

Recorded Future concluded that “FSTEC’s vulnerability database provides a baseline for state information systems and legitimate cover for foreign technology reviews”. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/17/russia_vuln_database/

7 Nigerians Indicted for Fraud Operation on Dating Sites

Con artists have been charged with operating a scheme that cost users of American dating websites more than $1.5 million.

A federal grand jury in Atlanta has charged seven Nigerian nationals for their involvement in a scheme that leveraged fake online dating profiles to con victims out of $1.5 million, the Department of Justice reports. Five of the seven have been arrested, and two remain at large.

The defendants and their co-conspirators allegedly created phony dating profiles and would spend weeks building relationships with their targets before defrauding them. After establishing trust, the con artists would tell elaborate stories to convince victims to send them money; for example, they claimed to be working overseas and needed money to travel back to the United States. Their targets were often vulnerable and wealthy, and their funds were sent to bank accounts controlled by the attackers.

Defendants have been charged with 60 counts of wire fraud, money laundering, identity theft, and use of fake passports. The US Capitol Police and Internal Revenue Service Criminal Investigations Division are investigating the case.

Article source: https://www.darkreading.com/threat-intelligence/7-nigerians-indicted-for-fraud-operation-on-dating-sites/d/d-id/1332312?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SCADA/ICS Dangers & Cybersecurity Strategies

Nearly 60% of surveyed organizations using SCADA or ICS reported they experienced a breach in those systems in the last year. Here are four tips for making these systems safer.

A large number of government agencies and private organizations have SCADA (supervisory control and data acquisition) or industrial control systems (ICS). The benefits of these technologies come with significant security challenges. In a recent survey by Forrester commissioned by Fortinet, nearly six in 10 surveyed organizations using SCADA or ICS indicate that they experienced a breach in those systems in the past year.

Part of the challenge is that these systems are being used to manage not only their traditional OT (operational technology) infrastructures but also a host of new Industrial Internet of Things (IIoT) devices. What’s more, many of those organizations are adding to their risk by providing new technologies and partners with a high level of access into their systems. In addition, most organizations now report developing connections between their traditional IT systems and their SCADA/ICS, introducing the potential for outside hackers to penetrate into these control systems.

Rapid Adoption, Access, and Security
Though SCADA/ICS systems were once primarily used by electric and water utilities, many organizations in recent years have begun using these technologies to automate data collection and related equipment. Transparency Market Research predicts the global ICS market alone will grow from $58 billion in 2014 to $81 billion in 2021. Industrial control systems, for example, have become widely used in manufacturing, at seaports, in water treatment plants, in oil pipelines, in energy companies, and in building environmental control systems. At the same time, SCADA systems, which serve as the graphical user interface into ICS, are growing at an annual growth rate of 6.6%.

Consequently, SCADA/ICS technologies and related IIoT devices have become high-value targets for hackers looking to disrupt business operations, collect ransom, or compromise a rival nation’s critical infrastructure. Per the Forrester study, while a staggering 56% of organizations using SCADA/ICS reported a breach in the past year, even more astonishing is that only 11% indicate that they have never been breached.

Easy access to SCADA/ICS by third parties is a major part of the problem. Many organizations place a lot of trust in the security of their technology vendors and other outside organizations by giving them wide access to their internal systems. More than six in 10 organizations surveyed by Forrester give either complete or high-level access to partner or government organizations. Thus, SCADA/ICS operators face serious risks, many of their own design.

Threats and Breaches
The Forrester survey asked organizations operating SCADA/ICS about their most serious security threats. More than three-quarters of organizations acknowledge being very or extremely concerned about outside malware. Seven in 10 are very or extremely concerned about internal hackers, the leakage of sensitive data and external hackers.

Not only are SCADA/ICS breaches common, but they also have serious repercussions. Unlike traditional IT networks, OT networks often manage and control systems where a compromise can have potentially devastating consequences. A compromised IoT device that monitors inventory represents a very different threat than an IIoT device monitoring or managing a temperature control system on a 50,000-gallon boiler at a chemical plant.

As a result, 63% of organizations say the safety of their employees was highly or critically affected by a SCADA/ICS security breach. Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level.

Addressing Security and Compliance
There are a variety of responses to these security issues. Nearly half of surveyed organizations see a full business or operational risk assessment as the top way to improve their risk posture as OT and IT systems converge. Other common approaches for mitigating risk include implementing common standards, increasing the centralization of device management, and consulting government bodies such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Compliance with industry and security standards is another top concern.

Steps Toward Greater Security
SCADA/ICS operators can take several steps to protect their assets, even as they consider what security measures to spend their budget on. These include:

  • Securing the network infrastructure, including switches, routers, wireless networks, and IoT/IIoT devices, as well as appropriately hardening devices by turning off or disabling unused ports and/or features.
  • Segmenting networks by, where possible, separating connected wireless and IoT/IIoT technologies from the SCADA/ICS deployment.
  • Applying identity and access management policies to control and monitor outsiders who may need to access the network, to prevent employees from accessing parts of the network they don’t need to access, and to control and manage IoT/IIoT devices being connected to the network.
  • Deploying endpoint protections to IoT and other devices to establish visibility into threats.

Security considerations for SCADA/ICS take on a higher priority than those for traditional IT systems due to the potential impact of an attack on the physical safety of employees, customers, or communities. Because the repercussions of a breach are so potentially serious, the need to remain in compliance is also high. Fortunately, organizations can significantly improve their security posture and thereby reduce their risks by taking a multilayered approach to SCADA/ICS security.

Peter Newton is the Senior Director of Product Marketing for Fortinet. He has more than 15 years of experience in high-tech product management and product marketing. Newton is the product marketing lead for Fortinet’s Operational Technology (OT) solution, including ICS SCADA.

Article source: https://www.darkreading.com/endpoint/scada-ics-dangers-and-cybersecurity-strategies/a/d-id/1332278?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘007’ code helps stop Spectre exploits before they exist

Black hats haven’t yet found a way to mass-exploit the Spectre vulnerability – but mitigations are already arriving.

Beyond chip vendor and operating system patches, there remain reasons to seek out additional defences: there are still circumstances in which protective coverage is incomplete – and over in the world of Android phones, updates dribble out slowly.

Be of good heart, sysadmins. At arXiv, Singaporean and US researchers have published work, appropriately dubbed “007”, which checks code to see if it’s trying to exploit Spectre; and at Virus Bulletin, Fortinet’s Axelle Apvrille takes a look at the bug from an Android point of view.

Apvrille’s work backs up what we’ve heard from other researchers: so far, Spectre exploitation is theoretical, with no exploits in the wild. She wrote that while there was a flurry of “Spectre exploit” stories based on AV-Test sample collection, it turned out that all of the reported samples were proofs-of-concept rather than genuine malware.

She adds: “there is a significant difference between a PoC of Spectre and a piece of malware using Spectre. Turning a PoC into a malicious executable is far from a trivial process.”

That doesn’t make this kind of work pointless, though, since it’s a good thing to stay ahead of whatever nasties black hats might devise.

In developing a detection technique, Apvrille’s second conclusion was also good news: an attack against Spectre, she found, seems relatively easy to detect.

She wrote that “we had expected several false positives with this signature, but that was not the case: this imperfect signature turns out to be quite good in practice.”

The signature Apvrille searched for (using the slow, and in practice impractical, technique of scanning whole binaries) was intended to identify “Flush+Reload cache attacks in ELF x86-64 executables”.

Although slow, that technique detected all of the viable samples in the proof-of-concept code gathered by AV-Test. Those that weren’t successfully scanned, it turned out, wouldn’t have worked anyway: “they were all damaged: the cache flush instruction was missing”.

And there’s yet more good news for Android users: all of the proof-of-concept samples so far identified are for x86-64 architectures, and code doesn’t easily port from there to ARMv7 architectures.
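
The article does not reproduce Apvrille’s signature, so the following is an added example, not her code or Fortinet’s: a naive byte-level scan for the Flush+Reload skeleton (a cache-flush instruction close to a timestamp read) over a hand-assembled x86-64 blob. The 64-byte window is an assumed heuristic, and the scan deliberately does not disassemble, so it can misfire on data bytes that happen to look like opcodes; that is the kind of imprecision the “imperfect signature” remark above refers to. It also shows why the “damaged” samples with the flush instruction missing would not match.

```python
"""Byte-level heuristic for Flush+Reload timing skeletons in x86-64 code (added example)."""

WINDOW = 64   # max byte distance between a cache flush and a timestamp read (assumed heuristic)


def find_clflush(code: bytes):
    """Offsets of CLFLUSH: opcode 0F AE with ModRM reg field 7 and a memory operand.

    0F AE F8 (mod = 11, reg = 7) encodes SFENCE, not CLFLUSH, so register-form ModRM bytes
    (>= 0xC0) are excluded."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0x0F and code[i + 1] == 0xAE:
            modrm = code[i + 2]
            if (modrm >> 3) & 0x7 == 7 and modrm < 0xC0:
                hits.append(i)
    return hits


def find_rdtsc(code: bytes):
    """Offsets of RDTSC (0F 31) and RDTSCP (0F 01 F9)."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] != 0x0F:
            continue
        if code[i + 1] == 0x31:
            hits.append(i)
        elif code[i + 1] == 0x01 and i + 2 < len(code) and code[i + 2] == 0xF9:
            hits.append(i)
    return hits


def looks_like_flush_reload(code: bytes, window: int = WINDOW) -> bool:
    """True if a cache flush and a timestamp read sit within `window` bytes of each other."""
    flushes, timers = find_clflush(code), find_rdtsc(code)
    return any(abs(f - t) <= window for f in flushes for t in timers)


# Constructed byte sequences, hand-assembled for this example (not AV-Test samples).
PROBE = bytes([
    0x0F, 0xAE, 0x3F,      # clflush (%rdi)   evict the monitored line
    0x0F, 0xAE, 0xF0,      # mfence
    0x0F, 0x31,            # rdtsc            start timer
    0x48, 0x8B, 0x07,      # mov (%rdi),%rax  reload
    0x0F, 0x01, 0xF9,      # rdtscp           stop timer
])
TIMING_ONLY = bytes([0x0F, 0x31, 0x48, 0x8B, 0x07, 0x0F, 0x31])   # rdtsc; mov; rdtsc (benchmark code)
SFENCE_ONLY = bytes([0x0F, 0xAE, 0xF8, 0x0F, 0x31])               # sfence; rdtsc (must not match)
DAMAGED = PROBE[3:]    # the flush instruction is missing, as in the damaged samples described above


if __name__ == "__main__":
    for name, blob in [("probe", PROBE), ("timing-only", TIMING_ONLY),
                       ("sfence-only", SFENCE_ONLY), ("damaged", DAMAGED)]:
        print(f"{name:12s} flush@{find_clflush(blob)} tsc@{find_rdtsc(blob)} "
              f"-> {looks_like_flush_reload(blob)}")
```

On a real binary you would feed only the executable section (for example the `.text` section read with pyelftools) to `looks_like_flush_reload`, rather than the whole file, to cut down on false positives from data bytes.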

Double-oh Seven

The paper that landed at arXiv also seeks to detect code that attacks Spectre, at a generic level the authors describe as a “binary analysis framework to check and fix code snippets against potential vulnerability to Spectre attacks”.

Such things already exist, but the authors – Guanhua Wang, Tulika Mitra, and Abhik Roychoudhury from the National University of Singapore; Sudipta Chattopadhyay from the Singapore University of Technology and Design; and Ivan Gotovchits of Carnegie-Mellon University – explain that they impose heavy overheads, while their 007 framework imposed less than two per cent overhead, as measured by GNU Core Utilities.

They also claim to have detected “fourteen out of the fifteen Spectre vulnerable code patterns proposed by Paul Kocher, a feat that could not be achieved by the Spectre mitigation in C/C++ compiler proposed by Microsoft” (Kocher was one of the discoverers of Spectre, and he wrote this critique of Microsoft’s C/C++ compiler fixes).

In the abstract, the 007 crew says their approach includes: “control flow extraction, taint analysis and address analysis to detect tainted conditional branches and their ability to impact memory accesses. Fixing is achieved by selectively inserting a small number of fences, instead of inserting fences after every conditional branch”.

The detection algorithm proposed in 007 is shown below (from the paper).

Input: P: Program binary
Output: Φ: A set of triplets of the form ⟨CB, IM1, IM2⟩ capturing Spectre vulnerabilities

Φ ← ∅
TS.policy ← VtoV                                 ▷ Taint policy set value-to-value
step ← None                                      ▷ Initialize Spectre detection stage
Let inst be the first instruction of P
while inst ≠ exit do
    GS ← Interpreter.exe(inst)                   ▷ GS: Global State
    TaintEngine.taint(inst, GS)                  ▷ propagate taints
    if τ(inst) then                              ▷ oo7 is invoked only for tainted instructions
        DS ← oo7.check(inst)                     ▷ DS: Detector State
    end if
    inst ← P.next()                              ▷ fetch next instruction
end while

procedure oo7.check(inst)
    step ← DS.step()                             ▷ Checks the stage of detection
    if br(inst) then                             ▷ check for CB
        DS ← DS.setCB(inst)                      ▷ recognize that inst might capture CB
        step ← STEP_CB                           ▷ progress the detection stage to CB
        TS.policy ← PtoV                         ▷ enable pointer-to-value taint
    end if
    if (load(inst) ∧ step = STEP_CB) then
        cb ← DS.CB()                             ▷ get CB from detection state
        if (Dep(cb, inst) ∧ ∆(cb, inst) ≤ SEW) then      ▷ check for IM1
            DS ← DS.setIM1(inst)                 ▷ recognize that inst might capture IM1
            step ← STEP_IM1                      ▷ progress the detection stage to IM1
        end if
    end if
    if (mem(inst) ∧ step = STEP_IM1) then
        cb ← DS.CB()                             ▷ get CB from detection state
        if (Dep(cb, inst) ∧ ∆(cb, inst) ≤ SEW) then      ▷ check for IM2
            DS ← DS.setIM2(inst)                 ▷ recognize that inst might capture IM2
            Φ ← Φ ∪ {⟨DS.CB(), DS.IM1(), DS.IM2()⟩}      ▷ catch Spectre
            step ← None                          ▷ reset checker
            TS.policy ← VtoV                     ▷ disable pointer-to-value taint
        end if
    end if
    if (step = STEP_CB ∧ ∆(DS.CB(), inst) > SEW) then    ▷ Outside SEW
        step ← None                              ▷ Reset detection beyond speculation window
        TS.policy ← VtoV
    end if
    if (step = STEP_IM1 ∧ ∆(DS.CB(), inst) > SEW) then   ▷ Outside SEW
        step ← None                              ▷ Reset detection beyond speculation window
        TS.policy ← VtoV
    end if
    return DS
end procedure
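
To make the CB → IM1 → IM2 state machine concrete, here is an added toy re-implementation in Python. It is not the oo7 authors’ code: the register IR, the constructed Spectre-v1 gadget, the SEW value of 20 instructions and the approximation of Dep(cb, inst) as “the access address is tainted” are all assumptions made for this example, and the concrete interpreter (GS) is left out because taint tracking alone is enough to show the pattern. The example also declines to let one load serve as both IM1 and IM2, which the pseudocode as reproduced would otherwise allow.

```python
"""Toy re-implementation of the oo7 CB -> IM1 -> IM2 detection loop (added example)."""
from dataclasses import dataclass
from typing import Optional

SEW_DEFAULT = 20   # speculative-execution window in instructions (assumed value, not the paper's)


@dataclass(frozen=True)
class Inst:
    """One instruction of a small register IR constructed for this example."""
    op: str                     # 'alu', 'load', 'store', 'br', 'exit'
    dst: Optional[str] = None   # register written by alu/load
    srcs: tuple = ()            # registers read as values (alu operands, branch condition, store data)
    addr: Optional[str] = None  # register holding the memory address of a load/store

    def operands(self):
        return set(self.srcs) | ({self.addr} if self.addr else set())


class TaintEngine:
    """Forward taint propagation with oo7's two policies."""

    def __init__(self, tainted_regs):
        self.tainted = set(tainted_regs)
        self.policy = "VtoV"   # value-to-value; "PtoV" also taints a value loaded via a tainted pointer

    def taint(self, inst):
        t = any(r in self.tainted for r in inst.srcs)
        if inst.op == "load" and self.policy == "PtoV" and inst.addr in self.tainted:
            t = True
        if inst.dst is not None:
            (self.tainted.add if t else self.tainted.discard)(inst.dst)

    def is_tainted(self, inst):
        """tau(inst): does the instruction consume tainted data?"""
        return any(r in self.tainted for r in inst.operands())


@dataclass
class DetectorState:
    step: Optional[str] = None   # None, "STEP_CB" or "STEP_IM1"
    cb: Optional[int] = None     # index of the candidate conditional branch
    im1: Optional[int] = None    # index of the candidate first memory access


def detect(program, tainted_inputs, sew=SEW_DEFAULT):
    """Return (CB, IM1, IM2) index triplets found in the instruction stream."""
    ts = TaintEngine(tainted_inputs)
    ds = DetectorState()
    findings = []

    def dep(inst):   # Dep(cb, inst) approximated as: the access address is tainted
        return inst.addr in ts.tainted

    for i, inst in enumerate(program):
        if inst.op == "exit":
            break
        ts.taint(inst)                       # propagate taints first
        if not ts.is_tainted(inst):
            continue                         # oo7.check runs only for tainted instructions
        delta = i - ds.cb if ds.cb is not None else 0   # distance from CB in instructions
        if inst.op == "br":                  # candidate CB: restart, enable pointer-to-value taint
            ds = DetectorState("STEP_CB", cb=i)
            ts.policy = "PtoV"
            continue
        if inst.op == "load" and ds.step == "STEP_CB" and dep(inst) and delta <= sew:
            ds.step, ds.im1 = "STEP_IM1", i              # IM1 found
        elif inst.op in ("load", "store") and ds.step == "STEP_IM1" and dep(inst) and delta <= sew:
            findings.append((ds.cb, ds.im1, i))           # IM2 found: report the pattern
            ds, ts.policy = DetectorState(), "VtoV"
        if ds.step is not None and delta > sew:           # left the speculation window: reset
            ds, ts.policy = DetectorState(), "VtoV"
    return findings


def spectre_v1_gadget():
    """Constructed: if (x < size) y = array2[array1[x] * 512]; with x from tainted input."""
    return [
        Inst("alu", dst="r_x", srcs=("r_in",)),     # 0: x derived from untrusted input
        Inst("br", srcs=("r_x", "r_size")),         # 1: bounds check        -> CB
        Inst("load", dst="r_v", addr="r_x"),        # 2: array1[x]           -> IM1
        Inst("alu", dst="r_idx", srcs=("r_v",)),    # 3: r_v * 512
        Inst("load", dst="r_y", addr="r_idx"),      # 4: array2[r_v * 512]   -> IM2
        Inst("exit"),
    ]


def benign_program():
    """Constructed: same shape, but the loads index with r_k, which is never tainted."""
    return [
        Inst("alu", dst="r_x", srcs=("r_in",)),
        Inst("br", srcs=("r_x", "r_size")),
        Inst("load", dst="r_v", addr="r_k"),
        Inst("alu", dst="r_idx", srcs=("r_v",)),
        Inst("load", dst="r_y", addr="r_idx"),
        Inst("exit"),
    ]


if __name__ == "__main__":
    print("gadget :", detect(spectre_v1_gadget(), {"r_in"}))          # [(1, 2, 4)]
    print("benign :", detect(benign_program(), {"r_in"}))             # []
    print("sew=2  :", detect(spectre_v1_gadget(), {"r_in"}, sew=2))   # [] (IM2 outside the window)
```

The switch to pointer-to-value taint after the branch is what lets the value loaded by IM1 carry taint to the address of IM2; with value-to-value taint only, the second access would look independent of the branch condition and the pattern would be missed.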

The researchers note that their detection code is available on request from the National University of Singapore’s Website. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/17/spectre_protectors/

Revealed in detail: World powers stuff spyware kit, how-to guides in dodgy nations’ pockets

The world’s most powerful governments are today accused of bankrolling surveillance kit and training for smaller and dubious nations – and the tech industry stands to benefit.

In a dossier published on Tuesday, civil-rights warriors Privacy International said that top governments – from the US, UK and China to France, Germany, and the European Union – are financing, training and equipping countries, including authoritarian regimes, with surveillance capabilities. By doing so, the countries with the most extensive security and military agencies are “transferring their electronic surveillance capabilities, practices, and legislation around the world,” the report said.

It said that some of the funds for such programmes were being badged as development. The US spent more than $20bn in security aid in 2017, with recipients of training and kit over the years including African nations and Afghanistan.

Privacy International said that while such assistance boosts recipients’ security capacities, it can also play “a defining role in maintaining the ability of recipient governments to exercise functions of the state and political control.”

As more data is being generated and as surveillance technology advances ahead of laws sufficiently regulating them, and while authoritarian leaders continue to use surveillance as tools of political control, such transfers pose a substantial threat to human rights around the world.

The trend is a boon for contractors, as they “already benefit substantially from these surveillance programmes” in the donor states. Spreading surveillance capabilities opens up new markets and creates opportunities to grow.

“Such securitisation is hugely appealing for industry, allowing security companies and contractors to benefit from increased sales of security equipment, training contracts, and increased public financial support for the research and development of their products,” the civil rights fighters noted.

Although there are no specific criticisms of the corporations named in the report, Privacy International argued that their widespread contracts have already given them great influence over public policy and that their importance will likely increase as they implement surveillance technology.

“Historically, one of the consequences of the vast privatisation of US security and military forces over the past 20 years has been an inappropriate influence of contractors on policy,” the report said.

Now, it said, contractors “stand to benefit even more, which will only naturally increase their potentially damaging influence over public policy, as exemplified during the most recent invasions of Afghanistan and Iraq by US-led coalition forces.”

Among the companies named in the report are Leidos Inc, a major contractor for the Pentagon and the NSA that was formed from a merger with the Information Systems and Global Solutions division of Lockheed Martin; intelligence, security and reconnaissance training firm North American Surveillance Systems; and military firms AAR and DynCorp.

Financed

The report also noted that the US State Department had financed and granted surveillance equipment acquisitions for foreign countries, which included a monitoring centre for intercepting, analysing, and using information obtained from communications systems in Mexico. Business intelligence, call centre and surveillance outfit Verint scored that deal.

Biometric traveller screening systems, developed by defence contractor Booz Allen Hamilton, were provided to Burkina Faso, Cameroon, Chad, Djibouti, Ethiopia, Kenya, Mali, Niger, Tanzania, Uganda, Iraq, Jordan, Yemen, Maldives, Afghanistan, and Macedonia, the report added.

Some of the surveillance training was by government agencies. According to the study, last year, the International Law Enforcement Academies – a scheme run by the state department – in Botswana had courses on counter-terrorism and cybercrime delivered by the FBI and on “Investigations of Computers and Electronic Crimes” delivered by the US Secret Service.

Training

Meanwhile, it has been reported that the UK College of Policing has provided training to the Saudi Ministry of the Interior in investigative techniques since 2009, with plans to expand this to include high tech crime and digital forensics, and GSM mobile phone examinations.

The civil rights group warned that some of the recipient countries “lack basic rule of law”, which poses “significant and foreseeable risks” to individuals’ privacy. It also pointed out that the lawfulness of states’ activities in some of the countries exporting surveillance capabilities are themselves being challenged.

The group called for increased focus on due diligence – ensuring that training isn’t provided to states that violate human rights, for example – plus greater transparency and the promotion of best practices and governance of surveillance alongside training programmes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/16/states_fund_foreign_surveillance/

Kremlin hacking crew went on a ‘Roman Holiday’ – researchers

Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military.

Security researchers from the Z-Lab at CSE Cybsec spent the weekend unpicking a new malware-based cyber-espionage campaign allegedly conducted by APT28 (AKA Fancy Bear).

The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-agent backdoor, a strain of malicious code previously linked to APT28.

One malicious library (DLL) file associated with the campaign phones home to a command-and-control server with the name “marina-info.net”. This is a reference to the Italian military corps Marina Militare, according to the researchers.

“The dll that connect[s] to ‘marina-info.net’ might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges,” the researchers claimed.

The Russian state-backed hackers may be targeting specific organisations including the Italian Marina Militare and its subcontractors, the researchers conclude. The targeting of Italian organisations during the summertime led the researchers to nickname the campaign “Roman Holiday”.

Researchers from Z-Lab worked with independent researcher Drunk Binary (@DrunkBinary) on malware samples spotted in the wild and uploaded them to VirusTotal as they put together their analysis.

Further details on the malware samples analysed by CSE Cybsec, including the indicators of compromise, are available in a report published by researchers at ZLab (PDF).

Anatomy of alleged APT28 attack [source: CSE Malware ZLab blog post]

The APT28 hacking crew has been active since at least 2007, and has since targeted governments, militaries, and other organisations worldwide.

The group – identified by Western intel agencies as a unit of Russian military intelligence, the GRU – has also been alleged to be behind attacks on the German Bundestag, French TV station TV5Monde and (most notoriously) a hack and leak campaign that targeted the US Democrats during the 2016 US presidential election.

More recently, in the second half of 2017, the group turned its attention away from NATO countries and Ukraine, with attacks against countries including China, Mongolia, South Korea and Malaysia.

Researchers from Palo Alto Networks spotted attacks against the various Asian countries that made use of the SPLM and the Zebrocy tools previously linked to the group.

A dozen individuals alleged to be GRU intelligence operatives were indicted last week over a string of attacks that targeted the 2016 US presidential election. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/16/apt28_italian_job/

Sad Nav: How a cheap GPS spoofer gizmo can tell drivers to get lost

Researchers have developed kit that masquerades as GPS satellites to deceive nearby GPS receivers and thus potentially trick drivers into heading off in the wrong direction.

The team – a trio of groups at Microsoft, Virginia Tech in the US, and the University of Electronic Science and Technology of China – detailed in a paper out this month that, by spoofing the packets of data sent to smartphones and cars’ built-in navigation systems from orbiting positioning satellites, they can remotely change the routes with up to 95 per cent accuracy.

They built a radio-transmitting Raspberry Pi-based device, using just $223 of components, that blasts out fake location information and drowns out the real positioning data from the skies. Miscreants could use this equipment, while following a target in a car, to beam bogus location data to their mark and reroute their victim’s journey.

Easy as Pi … a Raspberry Pi: How the system is set up

“Our measurement shows that effective spoofing range is 40–50 meters and the target device can consistently latch onto the false signals without losing connections,” the researchers write.

The sly passenger

Of course, tailgating might look somewhat suspicious, so the researchers also experimented with stashing the spoofing device in the trunk of a mark’s car or under the back seat. They could then send new route details to the spoofing gizmo over a cellular network connection without needing to get so close to the target.

During testing in a Chinese parking lot, the boffins found that establishing control of the target’s GPS took slightly longer if the spoofer was in the trunk (48 seconds) as opposed to under the seat, which took just 38 seconds.

This isn’t the first time researchers have used GPS spoofing to take over a vehicle. In 2013, a group of university students used a similar spoofing technique to send a luxury yacht off course in the Mediterranean.

In this new case, however, the process was trickier as the cars were out on the road rather than on a body of water. The team used data from OpenStreetMap to construct routes the target could take without crashing into pedestrians or buildings.

“First, road navigation attack has strict geographical constraints. It is far more challenging to perform GPS spoofing attacks in real-time while coping with road maps and vehicle speed limits,” the researchers explained.

“In addition, human drivers are in the loop of the attack, which makes a stealthy attack necessary.”

But if properly conducted, the spoofing attacks are highly effective. A trial carried out with 40 volunteer drivers found that, 95 per cent of the time, the attackers were able to trick the targets into following the bogus directions rather than the usual GPS route.

Don’t trust the computer

One limitation of the attack is human familiarity with the surrounding area. The researchers noted that the spoofing is only believable in areas where the target is heavily reliant on GPS directions and unfamiliar with the route and the language used on street signs.

All the test subjects noticed that their GPS took a dive for around 30 seconds while the spoofer took over, but weren’t worried – thinking it was a normal outage that most of us have experienced. But only two of the 40 participants recognized that they had been hacked by spotting that the types of roads they were driving down weren’t matching the GPS readout.

These kinds of attacks could be particularly harmful in an era of self-driving cars and trucks, the researchers noted. Hijacking a shipping container on the back of a truck could be as easy as slipping a spoofer under the cab and, with no human driver to notice something was wrong, a criminal could simply direct the vehicle to a safe house and steal its contents.

The eggheads said the attack could be effectively stopped in a number of ways. The best solution would be to enable encryption on civilian GPS signals; however, that’s a massive undertaking, since it would involve upgrading the millions of GPS-enabled devices out there.

Another method would be to have the navigation unit automatically check that landmarks along the way, such as gas stations and highway types, correspond to the expected route. Again, though, that would require a lot of new hardware and software.

A lower-tech solution would be to have the car’s inertial sensors check whether the expected acceleration and deceleration match the predicted route; however, the researchers noted this would be very imprecise in practice.
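The inertial cross-check described above, as an added example that is not part of the original article or the researchers’ work: the car’s position is dead-reckoned from odometer speed and IMU heading, and any GPS fix that lands far from that estimate is flagged rather than trusted, including fixes that reappear after the kind of 30-second dropout the volunteers noticed. The sample trip, its start coordinates, speeds, the 200 m offset and the 25 m tolerance are constructed assumptions.

```python
import math

M_PER_DEG_LAT = 111_320.0  # approximate metres per degree of latitude

def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular distance in metres; adequate over a few kilometres."""
    dy = (lat2 - lat1) * M_PER_DEG_LAT
    dx = (lon2 - lon1) * M_PER_DEG_LAT * math.cos(math.radians(lat1))
    return math.hypot(dx, dy)

def dead_reckon(lat, lon, speed_mps, heading_deg, dt_s):
    """Advance a position by speed*dt along heading (0 = north, 90 = east)."""
    d, h = speed_mps * dt_s, math.radians(heading_deg)
    lat2 = lat + d * math.cos(h) / M_PER_DEG_LAT
    lon2 = lon + d * math.sin(h) / (M_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat2, lon2

def check_gps_plausibility(samples, tolerance_m=25.0):
    """samples: (t_s, gps_lat, gps_lon, odo_speed_mps, imu_heading_deg); lat/lon
    are None while there is no fix.  Returns (t_s, divergence_m) for every fix
    that lands further than tolerance_m from the dead-reckoned estimate."""
    alerts, est, last_t = [], None, None
    for t, glat, glon, speed, heading in samples:
        if est is not None:  # carry the estimate forward with odometer + IMU
            est = dead_reckon(est[0], est[1], speed, heading, t - last_t)
        last_t = t
        if glat is None:     # lost lock: keep dead-reckoning through the outage
            continue
        if est is None:      # first fix seeds the estimate
            est = (glat, glon)
            continue
        divergence = distance_m(est[0], est[1], glat, glon)
        if divergence > tolerance_m:
            alerts.append((t, round(divergence, 1)))  # suspicious fix, not trusted
        else:
            est = (glat, glon)  # consistent fix: re-anchor to limit drift
    return alerts

def build_sample_trip():
    """Constructed 1 Hz trip (not from the paper): north at 15 m/s, a 30 s loss
    of lock from t=20, then fixes that return 200 m east of the true track."""
    lat, lon, samples = 40.0, -75.0, []  # constructed start point
    for t in range(80):
        if 20 <= t < 50:
            samples.append((t, None, None, 15.0, 0.0))
        elif t >= 50:
            samples.append((t, *dead_reckon(lat, lon, 200.0, 90.0, 1.0), 15.0, 0.0))
        else:
            samples.append((t, lat, lon, 15.0, 0.0))
        lat, lon = dead_reckon(lat, lon, 15.0, 0.0, 1.0)  # true motion for next second
    return samples
```

Because the estimate is never re-anchored to a flagged fix, dead-reckoning error accumulates the longer the divergence lasts, which is the imprecision the researchers point to.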

In the meantime, keep your eyes open and your hands on the wheel. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/16/researchers_hack_gps/

Irish fella accused of being Silk Road admin ‘Libertas’ hauled to US

US prosecutors have extradited an Irish man to America, where he will face charges of allegedly helping run the infamous Silk Road drugs e-souk.

The US Attorney for the Southern District of New York said that 30-year-old Gary Davis, who went by the handle Libertas on the underground cyber-bazaar, is accused of conspiracy to distribute narcotics, conspiracy to commit computer intrusion, and conspiracy to commit money laundering. He faces life in prison if convicted on all charges.

According to prosecutors, from June through October of 2013, Davis was one of three people who performed day-to-day admin and forum moderation duties for Silk Road boss Ross Ulbricht. This included customer support and dispute resolution as well as enforcement of what few rules there were in the anonymous crime market. In exchange, prosecutors claimed, Davis received a weekly salary from Ulbricht that, over the course of a year, would have fallen between $50,000 and $75,000.

Davis has been held in Ireland since his 2014 arrest by authorities there. Having now been extradited, his next stop will be in the Manhattan Federal Court to face trial.

“Gary Davis allegedly served as an administrator who helped run the Silk Road, a secret online marketplace for illegal drugs, hacking services, and an assortment of other criminal activities,” said Geoffrey Berman, Manhattan US Attorney General, on Friday.

“Thanks to our partner agencies here and abroad, Davis now faces justice in an American court.”

Davis is one of three Silk Road admins named in a 2013 indictment. Two other men, Andrew Michael Jones of Virginia and Peter Philip Nash of Australia, were hit with the same charges and both agreed to plead guilty – Jones in 2014 and Nash in 2015.

Ulbricht was sentenced to life without parole in 2015, though he has been trying to appeal that sentence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/16/silk_road_extradition/

India Telecom Regulator: Users Have Primary Data Rights

Organizations ‘should be restrained from using metadata to identify individual users,’ says the Telecom Regulatory Authority of India.

The Telecom Regulatory Authority of India (TRAI) has advised stricter rules around data protection and taken a stance on users’ information control: The institutions that collect and handle personal data do not have primary rights over that data, it reports.

The country’s telecom regulator also says its current framework for securing data is not up to par, according to a new report from Reuters. TRAI has requested the Indian government build a policy framework to regulate devices, browsers, operating systems, applications, and other technologies that collect and process user data.

In addition, it has recommended a study to create standards to de-identify personal data collected by connected devices, maintaining that organizations don’t have primary control over it. “All entities in the digital eco-system, which control or process the data, should be restrained from using metadata to identify the individual users,” TRAI says in a statement.

TRAI’s news arrives shortly after the arrival of the European General Data Protection Regulation (GDPR), the privacy guidelines forcing businesses to buckle down on privacy rights and pay closer attention to how they collect, store, and process the information of European users. While it only applies to data of EU citizens, GDPR is causing other entities to re-evaluate how they handle personal data.

Article source: https://www.darkreading.com/india-telecom-regulator-users-have-primary-data-rights/d/d-id/1332303?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Ways to Protect Protocols That Aren’t DNS

Here’s how to safeguard three other network foundation protocols so they don’t become weapons or critical vulnerabilities.

When an attack using a basic Internet protocol makes the news, it tends to focus on the Web, with either HTTP or DNS in a starring role. But history shows us that other protocols can be used as both weapons and doors for attacking vulnerable organizations.

Three different protocols — BGP, NTP, and FTP — are especially useful to threat actors looking to disrupt operations or steal assets from individuals and organizations. Recent incidents around cryptocurrency wallets show just how effective Border Gateway Protocol (BGP) hijacking can be as part of an attack plan. BGP’s mystery, from most users’ points of view, stems from its complexity and adds to the danger because most organizations only begin to work directly with BGP when their networks pass into the “very large” category.

Network Time Protocol (NTP) might seem like the sort of protocol that is merely convenient, allowing users to avoid listening for time announcements on the radio and typing the results into their systems, but everything from cryptography to file transfer depends on computers and network components getting authoritative time from a canonical server. This requirement makes NTP ubiquitous and valuable when it comes to wreaking havoc on a victim.

And while users tend to use HTTP far more than File Transfer Protocol (FTP) for moving files between systems, many applications and systems still use FTP as an essential mechanism. Because FTP is often used for transferring very large files, it becomes a powerful weapon when criminals are able to use it against a target.

“Stop using these protocols” isn’t practical advice for most organizations; far too many applications and users depend on them to make abandonment anything but a very long-term solution — and in the case of BGP and NTP, no replacement is on the horizon. So it becomes necessary for companies to figure out how to protect the protocols so that they remain tools while not becoming weapons or critical vulnerabilities.

There are, of course, many ways to protect network foundation protocols, but a handful of suggestions may help spur thought and provide inspiration for moving defense forward. This list is intended to provide a jumping-off point for discussions on how an organization can protect itself and its Internet neighbors from harm through one of these protocols.

What steps has your organization taken to protect these essential protocols? If you have found a suggestion not on this list to be especially helpful, let us know in the comments, below. The online community is waiting to become more secure!

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/operations/10-ways-to-protect-protocols-that-arent-dns/d/d-id/1332298?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple