STE WILLIAMS

Man apologizes after photo of ‘racist’ woman goes viral

Did you hear the one about the African American guy standing in a priority boarding line at the airport who got told to get out of the way by a white lady who assumed either a) that he’d got in the wrong line, and hence was standing in the way of rich people who deserved to be there, or b) that he must be there because he’s military and should still get out of the way because, again, he was in the way of people who had actually paid to be there?

No? Sorry, this one doesn’t have a punchline. It’s just another story of a viral post that turned the internet into a torch-bearing mob.

The guy’s name was Emmit Eclass Walker. He’s a music industry executive. I don’t know what the white woman’s name was, but I do know that she became the recipient of a dump-truck load of internet scorn, derision and hate speech after Walker posted a photo of her onto Facebook.

From that post, which showed him in front of a white woman who was pointed out with a drawn-in red arrow:

Her: excuse me i believe you may be in the wrong place you need to let us thru. This line is for priority boarding

Me: priority meaning first class correct?

Her: Yes…now excuse me they will call y’all after we board

Me: *shove first class priority boarding pass in her face* you can relax ma’am I’m in the right spot, been here longer, so you can board after me

Her: *still won’t let it go* he must be military or something, but we paid for our seats so he still should have to wait

Me: nope, too big to ever be in anybody’s military. I’m just a ni**a with money 💰

Everybody waiting in line: starts to clap lmao 😂

Walker must have felt great, right? As of Monday afternoon, his post had been shared 265,959 times. It had 160 comments, in which the woman was insulted every which way from here to Sunday.

“Ignoramus.” “[Dyed] and fried blonde hair.” “Hahahahahahahahahahaha Got eemmmmmm.” “you white WITCH!!!” “White privilege is something else!!!!! Smh! I’m glad you stood your ground!”

And from there, the “conversation” continued to spiral.

GIFs about people righteously clapping. Jeering. One commenter received racist hate speech in their inbox.

And it spiraled.

Another Facebook user claimed that Facebook removed their comment on “the stupid ignorant Caucasian.” (It would; such a comment counts as hate speech and is thus against Facebook’s Community Standards.)

It turned and turned in the widening gyre, to paraphrase Yeats, until the falcon could no longer hear the falconer. Things fell apart. The center couldn’t hold. A woman’s misperception – call it informed by white privilege, call it rudeness, call it a faux pas – had exploded into rage and vindictiveness.

It didn’t feel great. Maybe Walker felt vindicated at first, but not after the post went viral and spiraled out of control.

It had gotten so far out of hand that on Friday, Walker posted an apology on Instagram, even though he was the one who’d initially been wronged.

When I posted that post on Facebook I didn’t expect all that to come from it. I can honestly name the four or five people I thought would comment with something funny, and that would be it. This racist stuff is definitely an issue but this is not the solution to that issue. It brings me no joy waking up in paradise for my 37th bday and knowing that woman might be going through hell. The story was definitely real, just like this issue is definitely real, but I now know that I myself should have handled it another way, or left it how it was, and not shared it publicly. When dealing with people I always try to stay on the side of Right, so to make sure I never do anybody wrong, I try to always put myself in that person’s shoes, and ask how would I feel if that person did this to me, and if I was her this morning I would be a total wreck today, and that doesn’t help this situation, or her…it only makes them more angry, and brings more drama…SO I WOULD LIKE TO APOLOGIZE AGAIN TO THE WOMAN I HAD THIS ENCOUNTER WITH YESTERDAY. NO MATTER HOW WRONG YOUR ACTIONS YOU DON’T DESERVE THIS … I BELIEVE IF YOU CAN’T HELP NOBODY AT THE VERY LEAST YOU SHOULD NEVER DO ANYTHING TO HURT THEM

As you can clearly see by reading the comments to his Instagram post, Mr. Walker is a bigger hero for this apology, and the humility and compassion it demonstrates, than he was for his initial “put-her-in-her-place!” post.

We need to be aware of white privilege. But we also need to be aware of the power that can be unleashed when we publicly ridicule people on social media. It’s a violent power that never seems to leave anything in its wake except damage.

Thank you, Mr. Walker, for showing us that we can all rethink, and walk back, our more vindictive first impulses.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NUriTydXpJ4/

Ransom email scam from ‘hitman’ demands: pay up or die

Spiceworks user Dave Lass recently alerted Naked Security, and fellow Spiceheads, to a horrible little email scam that’s supposed to scare the life out of you.

One of his users opened their email and saw this compelling subject line, urging them to read on…

Subject: Please read this it can be the most important information in your life

It’s the sort of subject line that people who like you, people you work with and people who actually-have-something-important-to-tell-you-that-might-change-your-life probably don’t use. It’s the language of radio DJs hoping you’ll hang on grimly through the commercials, click-hungry Outbrain headlines and YouTube conmen.

It’s a hook, in other words – a sign that you can take whatever comes next with a pinch of salt.

Which is good, because you’re going to need it for what comes next:

Hello

I advise you to take this message seriously, if you value your life, since this is not a joke or a scam. I've been thinking for a long time whether it's worth sending this message to you and decided that after all you still have the right to know. I'll try to be short. I received an order to kill you, because your activity causes trouble to a particular person. I studied you for quite a time and made a decision to give you a chance, despite the specifics of my job, the business rules of which do not allow me to do this, as this will kill my reputation (more 12 years of perfect order executions)in certain circles. But i decided to break a rule since this is my last order (at least I do hope so).

In general, let's Break it down. I want you to pay the amount of 0.5 Btc. I accept btc. Information how to forward you can find in Google. Here are my payment details:

168firBiYcezkNhpe2CEie3JgjzvF2bfZP

When i will receive funds I'll send you the name of the man order came from, as well as all the evidence i have. You will be able to use them with the police. I would not suggest you to call the police, because you have a little time (2 days) and the police simply will not have time to investigate.

Answering to this letter does not make sense, i use one-time mailbox, cause i really do care about my anonymity. I'll contact you as soon as i'll getfunds.

I really regret that you became my prey.

I’d like to believe that anyone and everyone who gets this will laugh at its sheer preposterousness; that their good sense will tell them that the person who wrote it knows nothing about them; that it’s just words arranged on a page whose rightful place is as an object of fascination and ridicule alongside the infamous liver transplant spam, and nothing more.

I want to believe that because the alternative is that somebody, somewhere is made to feel afraid, even if it’s just for a moment. This isn’t “buy some viagra”, it’s not even “we’ve hacked you, pay the ransom”, it’s “pay up or die”.

Whatever the value of a Bitcoin was when the spammer hit send, it probably wasn’t far off the current value of about $16,500, meaning the spammer was hoping to make somebody so afraid that they’d part with $8000 on the strength of an email.

Thankfully, through the magic of Bitcoin, we can see that they haven’t succeeded yet, not with this Bitcoin address at least. At the time of writing, nobody seems to have fallen for this horrid scam and the spammer’s cupboard is bare.

What to do?

There are two victims here – the person who received the email, and the person who owns the mailbox the email says it came from.

The message looks like it was sent from an address owned by a perfectly legitimate small business – it probably wasn’t. The spammer may have hacked into that company’s email, but since they aren’t picking up replies they needn’t bother: they can simply forge the email’s From header.

If you own a domain name, or your small business does, please take time to set up SPF and DKIM records to prevent people sending emails that appear to come from you.
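As an added illustration of the SPF half of that advice (example code written for this page, not from Naked Security or the Spiceworks thread), the following Python evaluates a small subset of an SPF policy the way a receiving mail server would, against a constructed DNS table. The domains and IP addresses are invented for the example.

```python
import ipaddress

# Constructed DNS TXT table standing in for live lookups; every domain and
# address here is invented for this example (assumption, not from the article).
DNS_TXT = {
    "smallbiz.example": ["v=spf1 ip4:203.0.113.10 include:mailer.example -all"],
    "mailer.example":   ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "loop.example":     ["v=spf1 include:loop.example -all"],   # misconfigured
    "nospf.example":    ["some unrelated TXT record"],          # no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if there is not exactly one."""
    found = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate a subset of SPF (RFC 7208): the ip4/ip6, include and all mechanisms.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps the include chain
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a mismatched IP version never matches (ipaddress returns False)
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"       # a broken include is a permanent error
            matched = sub == "pass"      # include matches only on pass
        else:
            continue                     # a, mx, ptr, exists, exp: not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # fell off the end without an "all"


def mail_from_domain(envelope_sender):
    """Extract the domain SPF is evaluated against from an SMTP MAIL FROM address."""
    return envelope_sender.rsplit("@", 1)[-1].strip("<>").lower()


def spf_verdict(connecting_ip, envelope_sender):
    """The check a receiving MTA would run at SMTP time, before accepting the body."""
    return check_host(connecting_ip, mail_from_domain(envelope_sender))


if __name__ == "__main__":
    # The forged scam: a host the business never authorised claims to be it.
    print(spf_verdict("192.0.2.55", "<owner@smallbiz.example>"))    # fail
    # The business's own server, and its outsourced mailer reached via include:
    print(spf_verdict("203.0.113.10", "owner@smallbiz.example"))     # pass
    print(spf_verdict("198.51.100.77", "owner@smallbiz.example"))    # pass
```

SPF is evaluated against the envelope sender and the connecting IP, so a forged header From is only caught when the receiver also ties the header domain to the SPF or DKIM result, which is what DMARC adds on top of the two records the article recommends.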

If you receive one of these emails don’t reply, don’t worry and don’t give it a second thought, but be sure to mark it as spam. Telling your email software that the message is junk or spam helps train your spam filters and reduces the chances of you, or anyone else, seeing something as unwelcome as this again.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/q2XqwHmCKlk/

Brrr! It’s a snow day and someone has pwned the chuffin’ school heating

Britain’s freezing weather has reanimated the issue of insecure building control systems.

Security researchers at Pen Test Partners have discovered that the web interfaces of heating controllers in many schools are accessible on the public internet and fundamentally insecure. The problem largely stems from lax installers who have disregarded installation advice rather than kit manufacturers, according to PTP.

Many UK schools are already closed because of the snow in much of the country and the general cold weather. The presence of heating controllers on the open web – coupled with authentication-bypass security shortcomings – makes it possible for miscreants to turn the heating off during the current cold snap.

School’s out

Among the insecure systems accessible on the open net was one controlling the heating at an infants school in Chelmsford, Essex.

Shodan search throws up web control panel for building management system of an Essex school [Source: PTP]

The problem is far from limited to schools. Searches by PTP on the Internet of Things search engine Shodan have revealed that the same vulnerable kit and set-ups are present in government offices, universities, fire stations and even a restaurant.

PTP is highlighting the issue, of which mischievous hackers would already be aware, to raise awareness and to encourage building owners to ensure systems are set up correctly.

Ken Munro, a security consultant at Pen Test Partners, and his colleagues have looked into the issue before (first in 2006 and later 2013) but it has not yet been picked up by manufacturers or (more importantly) heating and air conditioning installation engineers.

Shodan searches threw up hits for building controllers made by Trend Controls, Mitsubishi, BACnet and more. Some of these devices are vulnerable, have weak or no authentication (meaning they are easy to take over) or “wobbly” web interfaces that make it easy to crash built-in web servers, as demonstrated by previous research.

BMS pwned

During recent tests comparing a used 2013 model of the same controller and a brand new 2017 controller from the same vendor, Munro discovered continuing cause for concern. Some of the accessed systems have already been hacked.

“The controller security has improved some, but we’ve found large numbers installed on the public internet, unprotected, with complete authentication bypass in some cases,” he writes.

“We found them in military bases, schools, government buildings, businesses and large retailers among many. Ripe for compromise of these organisations.

“We also found some that had already been compromised to a point by malware. Further compromise would be trivial.”

In at least some of these cases the malware was an opportunistic infection by a crypto-mining worm that had been dropped onto controllers and wouldn’t run on the devices. But that is no excuse for complacency.

Bob the bodger

Most of these issues have been caused by HVAC [heating, ventilation and air conditioning] and building management system installers, rather than the vendor. Trend Controls, for example, tells installers (PDF) that its devices should be on isolated subnets and never exposed to the internet.

Despite this, Munro found more than a thousand insecure Trend Controls on the net within seconds through a simple Shodan search.

“The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements, though,” Munro said.

The issue of insecure building management systems is far from purely a seasonal concern.

“Smart building controllers manage door access control, heating, ventilation and air conditioning and much more,” Munro notes. “Remember the Target breach in the US? The ingress point was believed to be their HVAC management company.”

Authentication bypass vulnerabilities present in some of the systems open the door to a range of hacking possibilities far beyond messing with heating controls. These include unlocking doors, setting off alarms and using compromised controllers as a stepping stone into the corporate network. Dodgy insiders might be just as much a problem as external hackers in many scenarios.

“Building management systems are often installed by electricians and HVAC engineers who simply don’t understand security,” Munro concludes.

“Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. While you’re there, ask about your door controllers and your IP alarm systems.

“BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/12/building_heating_systems_still_hackable/

Employees on Public WiFi Rarely Face Man-in-the-Middle Attacks

Employees’ corporate mobile devices are connected to WiFi networks on average 74% of the time.

While a majority of corporate employees connect their corporate mobile devices to WiFi networks, only a small percentage face man-in-the-middle attacks, a report released today finds.

Wandera’s WiFi Mobile Security Report, based on a November sample of 100,000 corporate mobile devices on its network, revealed:

- 74% of wireless data usage on average relies on WiFi

- 12% of WiFi hotspots used by employees are open, lacking encryption

- 4% of corporate mobile devices came into contact with a man-in-the-middle attack

“Even though it was 4% in November, it’s usually about this level day in and day out,” says Dan Cuddeford, Wandera’s director of sales engineering. “Despite what people think, your phone is not constantly being attacked. If you go to Starbucks, an attacker cannot attack all the devices. They have to have a stronger signal than those they are attacking.”

The man-in-the-middle attacks ranged from intercepting data leaks to compromising the device’s trust model, the report notes.

And although 12% of employees use unsecured WiFi hotspots, the report notes it could have been worse, given that 24.7% of WiFi hotspots worldwide use no encryption. These results hint at the possibility that employees are taking some care to avoid unsecured hotspots, the report states.

WiFi Over Cellular

Cellular networks, says Cuddeford, are far safer than WiFi, yet employees connect their corporate mobile devices to these networks only 26% of the time.

“We have never seen man-in-the-middle attacks on cellular networks in the wild. It could happen in theory, but it is so much easier for attackers to do a WiFi attack that they don’t bother with cellular networks,” Cuddeford says.

He speculated companies may be prompting employees to use WiFi as often as possible as a means to cut costs on roaming charges that would be incurred if they were connected to cellular networks.

“The takeaway for CISOs is more of their mobile devices are connecting to WiFi than cellular and although the number of these devices are increasing, the number of them connecting to encrypted connections is not,” Cuddeford warns.

Hotels accounted for 25% of the open WiFi hot spots employees use, followed by airports at 20%, the report states.

Whether at a hotel or airport, Cuddeford says employees should turn off their device’s WiFi capabilities unless they intentionally want to connect to a hot spot. That reduces the odds their corporate mobile device will automatically connect to a spoofed WiFi network.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/mobile/employees-on-public-wifi-rarely-face-man-in-the-middle-attacks/d/d-id/1330609?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Good Privacy Practices Help Protect Your Company Brand

Follow these five guidelines to keep your organization’s data protected.

Your brand can be one of your company’s most valuable assets. It can command premium prices, customer loyalty, a faster sales cycle, and an overall healthier bottom line. But unfortunately, even the strongest brands can have difficulty withstanding the impact of a data breach.

Consider that the average cost of a single data breach is $3.62 million. On top of this, data breach incidents reportedly cause 65% of individuals to lose trust in the organization experiencing it. This loss of customer trust may take years to recover, if it even can do that at all.

Addressing Privacy Law Variations

In response, organizations have stepped up their efforts to help protect data privacy. While this must be an ongoing business priority, it is far from simple, bearing in mind the trove of personal data that organizations collect and the range of privacy laws that exist to protect it.

Privacy laws vary from country to country — and even state to state, with 52 US state and territory breach laws in effect. The Alaska Personal Information Protection Act, for example, protects personal information in all verbal, electronic, physical, and visual forms. Then there are industry-specific regulations to consider, such as the Health Insurance Portability and Accountability Act, which safeguards medical information, and the Federal Information Security Management Act, which protects government information.

There are also age-specific regulations, such as the Children’s Online Privacy Protection Act, that address the unique rights of individuals under the age of 13. And there’s the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, and requires organizations worldwide to implement comprehensive data protection programs that govern how they control and process personal data of individuals in, and citizens of, the EU.

January 28 is Data Privacy Day. Use this day as an opportunity to educate your colleagues on best practices to help safeguard data privacy. These five tips can help protect your company’s brand and, more importantly, your customers’ and workers’ data privacy.

1. Understand what constitutes a data breach. A data breach is an incident in which sensitive, protected, or confidential personal data potentially has been viewed, stolen, or used by an individual unauthorized to do so. This can include sensitive information discussed in a doctor’s office, viewed on someone’s laptop screen, hacked from a computer, or perhaps left on the printer. It could involve thousands of records, or just one. Depending on the regulation, it could involve identifiers, such as a name or identification number. Or it could be images of individuals, in photos or videos. It also could be data revealing racial or ethnic origin, political opinions, religion, trade-union membership, genetic data, health information, personal preferences, and so on.

2. Be aware of your surroundings. Workers should be trained to always be aware of their surroundings. Employees frequently use mobile devices to access and share data, often in full view of others. There’s increased risk of data exposure inside the office too. Open-office floor plans remove physical barriers that in the past helped shield computer screens. Those who work in public spaces and in heavy-traffic areas like emergency departments, public lobbies, government offices, and guest-service desks should know to look for suspicious behaviors, such as identifying a visitor who is pointing a smartphone toward a computer screen.

3. Deploy layers of protection to avoid breaches. Add layers of protection as part of a defense-in-depth security approach. This often involves perimeter technologies, such as firewalls, data encryption, and two-factor authentication. Using privacy filters can help protect sensitive data displayed on computer and device screens by blocking unauthorized side views. Other important protection measures include implementing clean-desk policies, using password-protected screensavers, and requiring that sensitive information be printed and stored in locked areas, and then finely shredded when disposed. Regular assessments can help identify vulnerabilities in these areas, as well as other gaps, such as poorly trained employees.

4. Collect only what you need. In the spirit of improving the buying experience, many organizations are collecting an increasing amount of personal information about their customers. They are asking for birthdays, ages of children, etc. Collecting this level of information requires organizations to be aware of privacy laws, such as the GDPR, that are very stringent in how personal information is used. As a best practice, organizations should proactively identify and collect only the personal information necessary for their intended purposes, for a period strictly necessary (minimization principle), and they should ensure that personal data will not be made accessible to an indefinite number of people.

5. Be ready to respond quickly. Have a documented breach response plan that details roles, responsibilities, and processes. Schedule regular training exercises to help ensure your organization’s incident response and breach notification policies and plans will work. Conduct tests to see if employees know who to alert if their device is compromised or they become aware of a data breach. Make sure you have the forensics in place so you can quickly communicate what happened and what the company is going to do about it.

Together, these five tips can help safeguard data privacy, build customer trust, and protect your company’s brand.


John Brenberg has over 30 years of experience spanning new product introduction, system development, infrastructure management and information security and compliance across multiple business segments and processes. He is responsible for leading the IT programs for …

Article source: https://www.darkreading.com/how-good-privacy-practices-help-protect-your-company-brand/a/d-id/1330560?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Only 5% of Business Leaders Rethought Security After Equifax

Corporate leaders know little about common security threats like ransomware and phishing, driving their risk for attack.

One-third of business leaders have heard about the WannaCry ransomware attack. Less than 5% say the Equifax breach prompted them to rethink their business’ approach to cybersecurity. Both findings, released by Veracode today, indicate a troubling lack of awareness and understanding around major breaches and common security problems.

Researchers polled corporate leaders to gauge their understanding of secure software. One in five said their software budget increased 50% or more over the past three years, but only 50% of those surveyed understand the risk that vulnerable software poses to their business. One-quarter do not understand threats like ransomware, phishing attacks, DDoS attacks, and malicious insiders.

There is a slight shift in awareness, however. Of the 33% who said a cyberattack on another company prompted them to rethink their security strategy, many have taken steps to improve their security posture or plan to do so over the next year. More than one-third have started regularly scanning for vulnerabilities or plan to start in the next twelve months.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/only-5--of-business-leaders-rethought-security-after-equifax/d/d-id/1330611?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

8 Out of 10 Employees Use Unencrypted USB Devices

Security policies for USB drives are severely outdated or inadequate, a report finds.

Virtually all employees use USB devices at work, with 80% of those workers relying on non-encrypted USB drives, a report released today finds.

The vast majority of workers, 87%, also acknowledge they fail to notify their organizations when they lose their USB drive, according to Apricorn, which surveyed 400 respondents for its Current State of USB Data Protection report.

Companies that are responsible for sensitive information, such as credit card data or patient medical records, face a serious problem with employees’ use of unencrypted USB drives and failure to notify when devices are lost.

Only half of survey respondents say their organization has a policy to address lost or stolen USB drives, with 54% noting their company has technology to detect or prevent confidential data from loading onto USB drives.

Read more about the report here.


Article source: https://www.darkreading.com/attacks-breaches/8-out-of-10-employees-use-unencrypted-usb-devices/d/d-id/1330612?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Archive of 1.4 BEEELLION credentials in clear text found in dark web archive

A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ.

The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The identity of the collator isn’t known but the miscreant left Bitcoin and Dogecoin wallet details for donations.

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true,” said Julio Casal, founder of @4iQ. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”

The Exploit.in list is included in this dump, as are records reported stolen before, but a lot of this data is new. It has all even been indexed for easy searching, and search tools are also included in the archive.

Disturbingly the archive also shows that years of advice on choosing strong passwords is still being ignored. The top password is, depressingly, still 123456, followed by 123456789, qwerty, password and 111111, and the history of some accounts shows the minor variations that would make other passwords for the account easier to guess.


It’s hardly rocket science to guess the possible permutations

When the firm contacted some of the recipients, the email addresses of many proved to be still active, although in most cases the passwords were no longer in use. That said, those passwords may well have been used on other accounts, making the job a lot easier for hackers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/12/archive_of_14_beeelion_credentials_in_clear_text_found_in_dark_web_archive/

Why bother cracking PCs? Spot o’ malware on PLCs… Done. Industrial control network pwned

Security researchers have demonstrated a new technique for hacking air-gapped industrial control system networks, and hope their work will encourage the development of more robust defences for SCADA-based systems.

Air-gapped industrial networks are thought to be difficult if not impossible to hack partly because they are isolated from the internet and corporate IT networks. However, in practice there are multiple ways that attackers can deploy malware on such a network, including compromising vendor update mechanisms or infecting USB drives or laptops of third-party contractors who connect directly to the network for maintenance purposes.

During a presentation at the Black Hat conference in London last week, researchers from CyberX ran through a scenario involving the initial deployment of malware that discovered the topology of an air-gapped network, the specific types of industrial devices connected into the system (as with the CrashOverride malware used in the 2016 Ukrainian grid attack), and perhaps sensitive documents the malicious code hoovers up along the way.

Even if this reconnaissance phase works like a charm, hackers are still left with the tricky problem of how to get their hands on this sensitive information.

Previous work has shown how to exfiltrate data from air-gapped networks using RF signals emitted from PCs. That’s not ideal because persistent PC-based malware has a high probability of being detected.

The CyberX team went into the problem from a completely different direction by focusing on infecting Programmable Logic Controllers (PLCs), the building blocks of industrial control systems. PLCs have limited CPU/memory and run embedded real-time operating systems.

CyberX demonstrated how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded data.

The emitted RF signals are a byproduct of repeatedly writing to PLC memory in a specific way.

Once transmitted, the signal can be picked up by a nearby antenna before being decoded using a low-cost Software-Defined Radio (SDR) and a PC. “The receiving equipment can be located just outside the facility or even mounted on a drone flying overhead,” according to CyberX.


The CyberX SCADA hack rig

The data exfiltration method does not rely on any vulnerability or design flaw in the Siemens PLC – this particular model and brand was simply chosen because it is widely used in the industry. The same approach might work on other kit, although this has not been tested. CyberX goes on to provide advice on how this potential attack might be mitigated.

Organisations can prevent these types of attacks with continuous monitoring and behavioural anomaly detection. For example, this approach would immediately detect the cyber reconnaissance phase preceding data exfiltration — such as devices scanning the network and querying devices for configuration information – as well as unauthorised updates to PLC ladder logic code to deploy the specially-crafted code to generate encoded RF signals.

The Black Hat presentation, entitled Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks, featured a live demo. Only very low data rates in the range of bits per second were achieved in the demo. In response to questions, CyberX researchers said that this data rate might be increased by using harmonics and other techniques designed to increase the bandwidth of transmissions.

The research – presented by CyberX’s David Atch and George Lashenko – focused on how to exfiltrate reconnaissance data after a successful intrusion into an air-gapped industrial control network, one phase of a potential attack.

“There are multiple ways that attackers can deploy reconnaissance malware to an air-gapped network, including compromising vendor update mechanisms via a water-holing attack (as in the original Dragonfly/Havex campaign, where three trusted ICS vendors had their software updates compromised by the Havex Trojan); infecting USB drives or laptops of third-party contractors who connect directly to the air-gapped network for maintenance purposes (as in Stuxnet); or by posting malicious ladder logic code to code-sharing repositories that gets downloaded by engineers who are looking to save development time,” according to CyberX.

“Industroyer/CrashOverride also showed that it is now possible for malware to autonomously gather reconnaissance data about the environment, such as the models and configurations of installed equipment,” it added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/12/12/scada_hacking/

HP leaves accidental keylogger in laptop keyboard driver

Debugging code left in production software is often a security problem waiting to happen.

That’s because debugging code is typically put in when you need an “insider view” of what’s going on.

Debugging features often puncture deliberate security holes to allow troubleshooting data to escape – something that’s OK in an in-house test environment, but unacceptable in an official product release.

So, you should not only remove debugging code when it’s no longer needed (code that isn’t there can’t get included by mistake!), but also arrange your production builds so that any debugging code that’s left behind by mistake gets discarded or disabled automatically when the software is compiled for release.

Many a slip

But there’s many a slip, as they say, twixt the cup and the lip.

The infamous Internet Worm of 1988 had three propagation tricks; the easiest and most effective of these was to connect to your email server in the hope that your system administrator had left debugging turned on in the Sendmail product.

If Sendmail debugging was on, the server would take an incoming email and run it directly as a series of system commands – clearly the sort of debugging bodge that makes no sense outside a controlled lab environment.

D-Link did something equally dangerous in some of its recent routers: if you told your browser to announce itself under the weird name of xmlset_roodkcableoj28840ybtide instead of, say, Firefox or Safari, then you could run any sysadmin command on the router without knowing the password.

Reading that peculiar “roodk cable oj” incantation backwards makes the blunder obvious: reversed, the string comes out as editby04882joelbackdoor_teslmx, in other words Edit by 04882 Joel: Backdoor.

And HP blundered with a number of its LaserJet printers a few years ago, accidentally leaving a telnet command shell open for debugging…

…in the production code running on shipping printers.

An open telnet shell meant that anyone could simply connect to the device login and get a command prompt to allow them to mess with the printer at will, without needing any special software or a password.

According to security researcher Michael Myng, HP made another debug-code-in-real-build mistake this year, leaving a deliberately-created keylogger built into the keyboard drivers on a number of HP laptop models.

Myng says he started disassembling HP’s keyboard driver to help a friend, who wanted to figure out how to take control of the keyboard backlight.

While reverse engineering the code, he noticed a bunch of text strings including intriguing messages like this:

ulScanCode=0x%02X, kKeyFlags=%X
CPalmDetect::KeyboardHookCallback

Don’t worry if you aren’t a C programmer: all you need to know is that these messages imply that there’s some sort of keyboard hook (the fancy name for a keylogger function) in the code, and that the program might keep a record of scancodes (the identifying numeric codes of individual keypresses based on their keyboard positions) as you type.

It didn’t take Myng much more digging to realise that by setting a special registry entry called Mask, he could trigger the driver into recording every keypress via an official Windows logging system called WPP.

WPP is short for Windows Software Trace Preprocessor, and Microsoft officially advises that:

WPP software tracing is primarily intended for debugging code during development.

In other words, that CPalmDetect::KeyboardHookCallback we saw above should not have survived release.

Fortunately, Myng reports that:

I messaged HP about the finding. They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace.

Well done to HP for a straight-talking answer followed by rapid action – we’ll call that a good result.

Note that you’d have needed administrator power to authorise the registry tweak needed to start this “keylogger” in the first place, so the risk can be considered low.

Nevertheless, for a hacker who already has a foothold inside your network, setting a registry entry to start capturing keystrokes via an official, digitally signed keyboard driver…

…is a lot easier than fiddling with the driver software itself, or trying to install a new driver to do the job.

What to do?

  • If you have an affected HP computer, get and install the update now. (Warning: there are well over 450 different models on HP’s official list, all the way from HP 240 G2 to the Star Wars Special Edition 15-an000 Notebook.)
  • If you’re a programmer, don’t leave debug code behind.
  • If you’re a quality assurance tester, don’t believe the programmers when they assure you “that debug code is harmless and can stay”.
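One check a QA tester can run without taking the programmers’ word for it is a strings-level scan of the release artefact for leftover trace markers, which is essentially how Myng noticed the problem in the first place. The following is an added example, not HP’s or Myng’s code: it builds a constructed stand-in for a driver image (a few non-printable bytes around some embedded ASCII and UTF-16LE strings, including the two format strings quoted above), extracts both string flavours and flags anything matching a list of debug indicators. The marker list, the minimum string length and the sample image contents are assumptions to tune for a real product.

```python
import re

# Constructed stand-in for a release driver image (not a real HP binary).
# Windows drivers carry both narrow and wide strings, so both are embedded.
def build_sample_image() -> bytes:
    narrow = [
        b"ulScanCode=0x%02X, kKeyFlags=%X",        # trace format string quoted in the article
        b"CPalmDetect::KeyboardHookCallback",       # function name quoted in the article
        b"Copyright (c) 2017 Example Vendor",       # benign string, must not be flagged
    ]
    wide = "WPP_INIT_TRACING".encode("utf-16-le")   # WPP initialisation macro name, as a wide string
    junk = bytes(range(0, 32)) * 3                  # non-printable filler standing in for code
    return junk + b"\x00".join(narrow) + b"\x00" + junk + wide + b"\x00\x00" + junk


# Patterns that should not survive into a release build. Extend per product.
DEBUG_MARKERS = [
    re.compile(r"KeyboardHook", re.I),
    re.compile(r"ScanCode", re.I),
    re.compile(r"WPP_", re.I),            # WPP trace scaffolding
    re.compile(r"%[0-9]*[xXdsu]"),        # printf-style format strings typical of trace output
    re.compile(r"\bdebug\b", re.I),
]


def extract_strings(blob: bytes, min_len: int = 6):
    """Return printable ASCII runs and UTF-16LE runs of at least min_len characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(m.group().decode("utf-16-le"))
    return found


def scan_release_image(blob: bytes):
    """Return (pattern, string) pairs for every extracted string that matches a
    debug marker; an empty list means the image passes this gate."""
    hits = []
    for s in extract_strings(blob):
        for pat in DEBUG_MARKERS:
            if pat.search(s):
                hits.append((pat.pattern, s))
                break
    return hits


if __name__ == "__main__":
    for pattern, text in scan_release_image(build_sample_image()):
        print(f"{pattern!r:25} {text}")
```

Run against the constructed image this reports the two quoted trace strings and the WPP marker and stays quiet on the copyright line. The point of putting it in the release pipeline rather than in a reverse engineer’s notebook is that a failing gate blocks the build, which is the “discarded or disabled automatically” behaviour the article asks for.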


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Ue0sz9nt-Go/