STE WILLIAMS

Going on holiday? Here are our tips for a security-minded trip

With August looming, we at Naked Security won’t be the only ones getting ready to head off on holiday, so with the beach in mind, we’ve come up with some tips to help you plan a safer summer holiday (and with apologies to our readers in the southern hemisphere winter!)

Plan ahead! It wasn’t raining when Noah built the ark

If your travels are going to take you abroad, do your homework on what’s going on in the place you are about to visit. Both the British Foreign Office and the US State Department issue travel alerts and warnings on a regular basis. These are compiled by the diplomatic staff on the ground, and a bit of foreknowledge goes a long way when visiting a foreign land. US citizens can register their itinerary with the Department of State.

The Smart Traveler Enrollment Program helps the US embassy contact citizens in the event of an emergency in the country/city/area you are visiting and help family and friends get in touch with you during a crisis.

Make sure your emergency contact at home has a copy of your itinerary, lodging details and your local plans if any.

Passports: who are you?

Leave a color copy of your passport information page with your emergency contact and put a copy of the passport page in your folio or travel bag, kept separate from the passport itself. If you and your passport get separated, this will go a long way toward getting your new passport expedited at a consulate.

If you are traveling across borders with children, keep in mind that many countries require parental permission from everyone with parental responsibility. Check with the embassy of the country to which you are traveling for their requirements.

Luggage: make it easy for the bag to find you

Label all your bags with a name and your phone number – not your address: there’s no need to alert any passing stranger to the fact that your home is empty. Your name, phone number or email address is all you need to be reconnected with a lost bag. And take a photo of your bag: if it goes off on travels of its own in a country where you don’t speak the language, that photo answers the question “what does your bag look like?”

Money, money, money

Money cards, identity cards, insurance cards, etc. are all to be found in our wallets and purses: make copies and leave them with your trusted contact at home. Or encrypt the data into a file and upload it to the cloud for retrieval in case of emergency.

Nothing is more disruptive than to go to pay at the beach café and have the proprietor tell you that there is a problem with your card. With today’s anti-fraud algorithms, the card you usually use in London or New York suddenly popping up in Corfu or Costa Rica will quickly be flagged as an anomaly: tell your card issuer where you’re going so that the algorithms leave you in peace.

Similarly, call your health insurance provider and determine what health coverage, if any, you have at the various locales included in your vacation.

Does this watch make me look like a million bucks?

There are two schools of thought on what you take on vacation with you as far as jewelry. One says only take with you that which you have insured, so that if it does get lost or stolen, you’ll be able to claim for it. The second is to leave anything valuable behind, preferably in a safe or in your bank’s safety deposit box.

If you do take valuables away with you and you’re planning to use the safe in your hotel room to store them, remember that it is only a semi-secure environment. The safe is to ensure those who are accessing your room (housekeeping, room service, maintenance) don’t have ready access to your valuables.

That safe can be opened in seconds by a person with the right device, and you can bet one or more of these devices are stored at the hotel so that when you forget your code, they can have you reunited with your valuables in moments. If you really don’t want it stolen from your room, keep it with you at all times. Or better yet, leave it at home.

Yes, we put heads in beds and we have WiFi

Is your hotel WiFi secure? Almost never, though there are a few exceptions. Remember the focus of the hotelier is to get your head on the pillow, and WiFi is not their primary objective: often the service is farmed out to a third party.

If you’ve got a mobile signal (and a generous roaming allowance), use your cellphone as a hotspot instead.

If you must use the public or hotel WiFi, consider using a trusted VPN instead. (But even that isn’t a panacea – be careful!)

If you can’t be sure your connection is secure, please don’t conduct financial transactions. A 2015 AARP Washington study found that 95% of those surveyed (800 Washingtonians) used public WiFi hotspots in airports, hotels, and coffee shops, while 27% said they were using public WiFi for banking or shopping.

The lights are on, but no one’s home

We all have seen the house with the shades drawn and the living room light illuminated 24/7 for a fortnight. Yes, the Smiths are on vacation. And, if that were not enough of a giveaway, their mail is overflowing from the mailbox.

Think about having your lights, radio and television go on and off at variable times. Our homes are smart, right? (We’ll leave to one side some of the issues with that for now … ) If not, inexpensive outlet timers work well for lights.

Sharing where you are, shares where you’re not

Every app we use now seems to ask us to provide our location for their marketing purposes, and many simply don’t function if you don’t allow the access – maps apps are an obvious example here.

If you lock your device down so that it isn’t broadcasting your location to all and sundry, then lock down the urge to share where you are while in travel mode.

Sharing where you’ve been rather than where you are is always a good rule of thumb, as movie star Hilary Duff will attest. Duff posted photos of herself and her five-year-old son on vacation in Canada – shortly after doing so, her home in Los Angeles was robbed.

Packed and good to go

The good news for travelers visiting or returning home to the US is that the laptop ban has been lifted, which means you can now take your devices into the cabin. However, it still applies on some carriers to the UK from some destinations, so to round up our travel advice, here’s a summary of our tips for taking your laptop, tablet and other devices with you:

  • Make sure your devices are encrypted, so that if they fall into malicious hands, your data is safe.
  • If you must pack devices in hold luggage, wrap them in bubble wrap and put the bag containing the device inside another suitcase.
  • Back up your data on to an encrypted drive and carry that in the cabin with you.

Enjoy your summer holidays, and stay safe.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/OMqWXXpkveI/

Today’s the day – celebrate your sysadmin superheroes!

We’re hanging out the bunting here at Naked Security and we can’t believe how fast #SysAdminDay has come round again! It barely seems any time at all since we were last reminding you that IT system administrators, who keep all our systems running and who daily save us from not only bugs and issues but also from ourselves, deserve your appreciation today – and of course, every day.

To mark the day, we’ve prepared a handy #SysAdminDay guide to your sysadmins’ favourite programming languages so that you can share their fervour with them, win their favour and jump to the front of the IT support queue every time. (You might not want to tell your friends about our guide, though – otherwise they’ll be queue-jumping in front of you.)

And for those of you who are sysadmins and want to explain to Muggles what you do and why you deserve love and respect, check out this excellent video.


Later on today we’ll be posting a quiz to see if you’ve got the IT chops to consider yourself up there with the sysadmins – watch this space!

(The quiz is now up: Are you a Sysadmin? Find out now for free!)

Just to remind you of what your friendly neighbourhood sysadmin is up against, here’s a glimpse of what a Sophos sysadmin gets up to during the day, and we’d also urge you to revisit Mark Stockley’s guide to how you, a technology Muggle, sound to a sysadmin.

We really appreciate sysadmins here at Naked Security: they’re the heroes who keep Sophos running smoothly. So take some time to show some love to your own sysadmins, whether it’s the person in the office who makes sure a printer meltdown doesn’t stop you hitting deadlines or whether it’s your offspring – or parent! – who’s keeping your home IT purring along.

Have you got a sysadmin you’d like to big up to us? Let us know in the comments who your sysadmin hero is.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6qMCuaf3FNY/

Facebook joins heavy hitters to fund group standing up to post-truth

As internet-watchers will be aware, fake news is the rough beast stalking mainstream media organisations, post-enlightenment democracy, and perhaps even popular notions of truth itself.

Democracy and truth have responded with a small but booming sector of fact-checking organisations, an evolving movement that has now spawned a new body, Defending Digital Democracy (DDD), launched last week from the offices of Harvard University’s Kennedy School of Government.

If fact-checking was version 1.0 of the fightback, the DDD’s stated aim of acting as a resource to defend democratic culture and processes from political manipulation looks more like the version 2.0 upgrade.

The list of tech luminaries involved is impressive, including executives from Google, CrowdStrike, a former under-secretary for the Department of Homeland Security and a former NSA director too. At the top of its letterhead sit the names Hillary Clinton and Mitt Romney.

By the time we learned this week that Facebook has signed up as a launch sponsor to get the DDD off the ground (for an undisclosed sum), it was clear that something is up. But what?

You couldn’t accuse the DDD of aiming low. Explains project director Eric Rosenbach:

“Americans across the political spectrum agree that political contests should be decided by the power of ideas, not the skill of foreign hackers.

This project brings together key partners in politics, national security, and technology to generate innovative ideas to safeguard our key democratic institutions.”

Specifically, the DDD’s job will be to come up with “playbooks” election administrators can use to understand vulnerabilities, as well as acting as a pressure group to help improve election technology.

Facebook’s backing is intriguing, although some will cast it as virtue-signalling. The company already uses third-party fact-checking organisations to tag stories suspected of playing fast and loose with what used, quaintly, to be called “facts”. Not everyone has been convinced by these efforts.

But as a platform beloved of the fakers, Facebook should have insight into what is going on on its pages, the better to feed this back to democratic institutions. If it’s the platform of fakery, it can just as easily become a platform for disassembling such campaigns.

Facebook’s chief security officer Alex Stamos has even come up with some jargon to describe this function, describing the DDD as the start of a “standalone ISAO” – that stands for “Information Sharing and Analysis Organization”, by the way.

If the DDD sticks to technical assistance and intelligence it might be a useful tool for the institutions it seeks to advise. But it can’t on its own tackle a fake news challenge morphing from one of truth v falsehood to one of post-truth.

In this pessimistic scenario, voters stop worrying about truth because they no longer care either way. When the world of facts has been levelled by a shifting and uncertain hyper-reality, beliefs become about choice and emotion, not veracity.

The danger of fakery and manipulation, then, is not that people believe lies but that they stop believing anything. In the unlikely event that humans end up on this high road to despotism, it would be a problem for Facebook (which depends on economic and individual freedoms) as much as democracy.

Despite what critics say, the company could turn out to have an important stake in the future of truth after all.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zTX8x5vDr30/

Police crack seized phones of inauguration day protesters

We already know that police scoured the social media accounts of at least some of the 230 protesters arrested on inauguration day in January 2017 (pictured).

They also seized the phones of more than 100 people and began rooting around for data.

In March, prosecutors said in a court filing (PDF) that at that point, the government expected to be in a position “to produce all of the data from the searched Rioter Cell Phones in the next several weeks”.

It would take a while, the government said in the March filing:

All of the Rioter Cell Phones were locked, which requires more time-sensitive efforts to try to obtain the data.

Well, it turns out that most, but not all, of the phones were locked, as in, encrypted. And the police plan to have quite the field day with those few in the inauguration day court cases.

In March, federal prosecutors were stitching together a cloud-based database full of all the personal data they had managed to squeeze out of those 100 phones. Some of the phones belonged to people who had been indicted, while others belonged to un-indicted arrestees.

They sought to make the data available to the lawyers of 214 defendants accused of felony rioting.

Now, thanks to a July 21 filing seen by The Daily Beast, we know exactly what data investigators managed to get their hands on after cracking the passwords of at least eight locked phones.

Namely, prosecutors say they want to use extracted internet histories, communications, and photos as evidence against the defendants in court.

The July 21 filing moved to enter evidence from eight seized phones, six of which were encrypted and two of which were not. A Department of Justice representative confirmed to the Daily Beast that “encrypted” meant additional privacy settings beyond a lockscreen.

According to the July 21 filing, encryption did what encryption’s supposed to do. The encrypted phones didn’t offer up much of anything: just “a short data report which identifies the phone number associated with the cell phone and limited other information about the phone itself”.

The unencrypted phones, on the other hand, offered up a jackpot. Investigators got everything: the phones’ “call detail records,” “SMS or MMS messages,” “contact logs/email logs,” “chats or other messaging applications,” “website search history and website history,” and “images or videos.” Prosecutors are seeking to use whatever of that data related to January 20 – the date of the protest – or to other people who are suspected of having been involved in the protest.

As CityLab reported in January, police may have been attempting to search arrested people’s devices for content pre-trial, within a day of seizing them. One detainee’s Gmail account sent out a Google alert about being accessed at 4:15 pm the day after its owner had been arrested, while the device was in police possession.

Prosecutors claimed in the March filing that they had accessed a “large amount” of personal information that was irrelevant to the charges the defendants are facing, including photos and videos. In fact, assistant United States attorney Jennifer Kerkhoff told the court in March that the government had collected more than 600 hours of video footage from the confiscated phones.

Mark Goldstone, a lawyer representing six of the accused, said it’s not surprising that some of the footage is irrelevant. It’s pretty mundane, and it’s hard to see how it could be used to prosecute people on charges of rioting. Esquire quoted Goldstone when he was on a late-March conference call with 15 other lawyers representing protesters, when he said that for some of the defendants, the video amounted to…

Here’s your client at the beginning of the march, wearing black clothes and goggles, your client could have left but did not, and here is your client at the end, in the police kettle.

It sure doesn’t sound like much of a smoking gun. But as Esquire puts it, it’s not hard to demonize a masked protester.

Goldstone:

The scary thing about it is that defendants who want to test that theory have to be willing to face a jury, who could uphold the government’s line.

It’s one example of how there are good reasons to keep personal data private – and your phone encrypted. If law enforcement is looking through your device after you’ve been at a protest, making it harder to access makes sense.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FgHkThRvJRQ/

Are you a Sysadmin? Find out now for free!

It’s #SysAdminDay, and although most of us think we know what sysadmins are, it’s easy to make mistakes.

Some people say that if you yourself think you are a sysadmin, then ipso facto you are not; similarly, that if you think you are not a sysadmin, then ipso facto you are not.

(This does not leave the set of all sysadmins empty: if you form no personal opinion about whether you are a sysadmin or not, then it is clearly still possible for you to be one. Or not.)

We thought we’d try to sort out the confusion using a classification technique called “feature extraction”, which is where you try to identify those parts of an object that are sufficient on their own to differentiate between, say, documents and spreadsheets, or between malware and goodware…

…or between sysadmins and, well, other people.

Take our quick quiz and find out for sure

Here goes: choose one of A, B or C for each of the five questions below. (You must choose the closest answer each time – don’t skip a question because your own perfect answer isn’t listed.)

You don’t need to keep track of which answer you gave to what question – just count the number of times you said each of A, B and C.

1. A healthy breakfast is:

A. A bowl of cereal.
B. Smashed avocado on pumpernickel.
C. C8H10N4O2.


2. A purposeful weekend that benefits those around me includes:

A. Mowing the lawn.
B. Visiting a craft brewery.
C. Call of Duty.


3. My favourite computer is:

A. Latest model iPhone.
B. iMac (2003 model year, purple variant).
C. No favourites. I love my whole botnet.


4. The coolest sort of transport is:

A. Ford Focus ST.
B. Fixed-gear bicycle.
C. SSH.


5. On a first date, I wear:

A. Chinos, boat shoes, 100% cotton T-shirt.
B. Skinny jeans, paisley button-down, vintage brogues.
C. Doesn’t matter, I keep the webcam on my face.


Find out about yourself

Here’s what your answers mean:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FZbHfFJP3t0/

Should you stay awake at night worrying about hackers on the grid?

Analysis The energy sector across multiple Western countries is under intensified assault by hackers. Security experts warn that industrial systems are wide open to potential exploit once hackers secure a foothold, the most difficult part of the hacking process, using targeted phishing or similar tactics.

The UK government’s lead cyber defence agency recently warned that hackers are targeting the country’s energy sector to some effect. Just over a week ago, a memo was leaked from the NCSC (National Cyber Security Centre) warning that it had spotted connections “from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors,” Motherboard reported.

That warning implied that state-sponsored hackers may have already secured a foothold in the UK’s energy sector network. Whether or not this compromised access is enough to do any harm is unclear.

Such attacks are far from limited to the UK. Ireland’s Electricity Supply Board (ESB) is under attack from suspected Russian hackers out to infiltrate control systems, The Times reports. Security sources in the Emerald Isle tell El Reg the attack involved a phishing email sent to an engineer who twigged it was bad and reported it. ESB said the attack failed.

Meanwhile, multiple US energy companies were sent phishing emails as part of a campaign aimed at stealing credentials, Cyberscoop adds.

Reconnaissance

Added together, the reports suggest a concerted effort to steal credentials, map networks and probe for weaknesses in Western energy sector firms in preparation for a possible future attack. While nothing damaging has happened to date, the whole threat of attacks on the energy sector has ratcheted up since December 2015’s game-changing BlackEnergy malware-based attacks in Ukraine, which resulted in power outages for hours in districts around Kiev.

The recent “reconnaissance” campaign on Western energy sector targets likely takes the form of directed phishing attacks rather than internet-wide scanning and worm activity, according to experts at Rapid7, the firm behind the popular Metasploit pen-testing tool.

Hackers phish people identified as working in the energy sector, in an assault probably aimed at getting shells on victims’ computers. Those shells then connect back “to infrastructure associated with advanced state-sponsored hostile threat actors”.

“None of these steps are particularly visible to Rapid7 Sonar, nor Heisenberg. Heisenberg is good at catching undirected attacks (internet-wide scanning and worm activity), not so much directed attacks like this,” explained Tod Beardsley at Rapid7.
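The chain described above (phish, shell, connect back) is invisible to internet-wide scanners but shows up in the victim organisation’s own egress logs. As an added example, not code from NCSC, Rapid7 or this article, the Python below scans constructed egress log lines for two signals: connections to a constructed watch-list standing in for the “infrastructure associated with advanced state-sponsored hostile threat actors”, and metronomic check-ins to a destination that is not on any list yet (all addresses are RFC 5737 documentation ranges, not real indicators).

```python
"""
Egress-log check for the attack chain described in the article: internal hosts
connecting out to already-known hostile infrastructure, plus regular
"beaconing" to a destination that no watch-list covers yet.  Added example;
the log lines and the watch-list are constructed and use RFC 5737
documentation addresses, so they match nothing in the real world.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder for "infrastructure associated with advanced
# state-sponsored hostile threat actors" (assumed, not a real indicator list).
HOSTILE_INFRA = {"203.0.113.7", "203.0.113.21"}

# Constructed egress log, one connection per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2017-07-20T08:00:00 10.10.4.15 192.0.2.10 443
2017-07-20T08:00:05 10.10.4.15 203.0.113.7 443
2017-07-20T08:05:05 10.10.4.15 203.0.113.7 443
2017-07-20T08:10:04 10.10.4.15 203.0.113.7 443
2017-07-20T08:15:06 10.10.4.15 203.0.113.7 443
2017-07-20T08:03:11 10.10.4.22 198.51.100.9 8443
2017-07-20T09:03:09 10.10.4.22 198.51.100.9 8443
2017-07-20T10:03:12 10.10.4.22 198.51.100.9 8443
2017-07-20T11:03:10 10.10.4.22 198.51.100.9 8443
2017-07-20T08:01:00 10.10.4.30 192.0.2.10 443
2017-07-20T08:40:00 10.10.4.30 192.0.2.10 443
2017-07-20T13:15:00 10.10.4.30 192.0.2.10 443
"""


def parse_log(text):
    """Parse log lines into (datetime, src, dst, port) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def known_bad_connections(events, watchlist=HOSTILE_INFRA):
    """Return sorted (src, dst) pairs where dst is on the hostile watch-list.

    This is the NCSC-style check: it needs the victim's own egress data,
    which is exactly why internet-wide scanning does not see it.
    """
    return sorted({(src, dst) for _, src, dst, _ in events if dst in watchlist})


def beaconing_pairs(events, min_hits=4, max_jitter=0.05):
    """Return (src, dst, mean_interval_seconds) for flows with near-constant
    spacing between connections, a sign of a check-in timer rather than a
    person browsing.  max_jitter is the allowed stdev/mean of the intervals.
    Unlike the watch-list check, this can flag infrastructure nobody has
    attributed yet, which matters during a reconnaissance phase.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, round(avg)))
    return sorted(findings)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dst in known_bad_connections(evts):
        print(f"WATCHLIST  {src} -> {dst}")
    for src, dst, secs in beaconing_pairs(evts):
        print(f"BEACONING  {src} -> {dst} every ~{secs}s")
```

In the sample, the watch-list catches one host talking to a listed address, while the interval check also surfaces the hourly check-in to an unlisted address and ignores the irregular browsing from the third host.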

A short history of hacks against critical infrastructure/industrial targets

1982: Siberian pipeline – The US’s CIA planted falsified information in designs stolen by Russian agents that resulted in one of the world’s largest non-nuclear explosions.

2010: Stuxnet – US and Israeli cyber forces attack Iranian nuclear program in the attempt to slow down the country’s ability to enrich uranium. Malware infected control systems tied to high-speed uranium enrichment centrifuges, randomly putting them through mechanically extreme operations and wiping logs. These actions were designed to induce failures that the Iranians would be inclined to blame on their suppliers.

2012: Saudi Aramco – Iranian actors wiped over 35k drives in an attack on Saudi Arabia’s state-owned oil company.

2014: German Steel – Unknown attackers infected the industrial control system (ICS) of a German Steel Mill causing an unscheduled shutdown of a blast furnace that resulted in significant damage.

2015: Black Energy (Ukraine Power Grid) – Russian attackers, using a primarily open-source toolkit, manage to attack Ukrainian distribution companies interrupting the power to approximately 225,000 customers.

2016: Crash Override – Malware used against the Ukrainian power grid was specifically designed to attack ICS systems associated with power grids. Not only does it have the capability to delete data and disrupt IT systems, it also has the capability to physically damage ICS systems. – source: Cybereason

Mind the air-gap. What air-gap?

Andrea Carcano, founder and chief product officer of Nozomi Networks, said that the impracticality of air-gapping sensitive operational networks and systems from corporate IT networks is partly responsible for the problem.

“Targeting engineers with access to control systems with phishing messages is pretty straight-forward and, if successful, could be extremely damaging,” Carcano explained. “In tandem, while air-gapping offered a degree of protection, the way our nuclear plants, and any infrastructure for that matter, is maintained today means this practice is defunct.”

“We often see engineers ‘plugging’ in their own devices to perform diagnostic checks. Should that person’s device have been compromised, this action could unleash malware directly into the heart of each component being checked, which then crawls and burrows deeper into the infrastructure,” he warned.

Air-gapping SCADA systems might seem a sensible tactic but, as Faizel Lakhani, a pioneer of SCADA technology, previously told El Reg, in practice operational networks are seldom isolated, because of a test link someone has forgotten to take out or a bridge to Wi-Fi networks someone has set up, among other reasons.

Almost everything is connected to the internet one way or another, and the sector’s tightening embrace of industrial IoT technology for remote monitoring and other functions is only pushing this along. All this added connectivity has implications for those attempting to defend industrial control and energy distribution systems from attack.

Carcano added: “You have to assume that all parts of critical infrastructure are being probed for vulnerabilities 24/7 from a risk management point of view. While Information Technology (IT) and Operation technology (OT) that control the electric grid systems and other critical infrastructure are separated, there have been increasing connections.

“Risk management is an ongoing process. Up to date patching and the use of artificial intelligence and machine learning to immediately identify suspicious network communications and incidents helps to harden the security that guards industrial control systems,” he added.

Industrial control system threats [source: ENISA whitepaper: Communication network dependencies for ICS/SCADA Systems]

Internet exposure

A report on the Industrial Control Systems (ICS) threat landscape last year by Kaspersky Lab revealed that large organisations likely have ICS components connected to the internet that could allow cybercriminals to attack critical infrastructure systems. US organisations were especially exposed.

The investigation found that 17,042 ICS components on 13,698 different hosts exposed to the internet likely belong to large organisations. These include energy, transportation, aerospace, oil and gas, chemicals, automotive and manufacturing, food and service, governmental, financial and medical institutions. The figures are the latest available from Kaspersky Lab. Other more recent studies present a similar picture, albeit in less detail.

“The world isn’t ready for cyber threats against critical infrastructure, but criminals are clearly ready and able to launch attacks on these facilities – as the widely-speculated compromise of the UK’s energy sector shows,” said David Emm, principal security researcher at Kaspersky Lab.

“We’ve seen attempts on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting these incidents hampers risk assessment and response to the threat.”

“Security must be tailored to the specific needs of each organisation and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other context,” he added.

Phish fry

Groundbreaking research by ERPScan unveiled two years ago showed how hackers might be able to bridge the gap between ostensibly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely coupled but nonetheless connected industrial control systems.

That might be one way in but, in practice, there might be more straightforward ways to secure the first crucial foothold into targeted networks.

Michael Shalyt, chief exec of APERIO Systems, and a former team leader in an elite Israel Defense Forces (IDF) intelligence unit, explained that the initial point of entry is key in any operation ultimately geared towards planting malware at strategic locations on a targeted SCADA (industrial control) network.

“Unfortunately, a typical SCADA environment today is very easy to branch out across and/or affect any specific piece of equipment remotely – whether due to lack of patching of known PLC vulnerabilities or the wealth of 0-day vulnerabilities that we don’t yet know about but are obviously there. So, once an attacker has a foothold – spreading and “borrowing” is easy,” Shalyt told El Reg.

“The hardest part is getting the initial ‘foot in the door’ – as the SCADA network is usually isolated from the outside networks (in theory…),” he added.

One of the easiest ways is still the fairly simple phishing attack, but state-sponsored hackers have a much more comprehensive playbook at their disposal that features “willing or unwilling” insiders and equipment counterfeiting and/or interference.

“Even isolated systems still must allow access – sometimes remotely – for maintenance and installation purposes,” Shalyt explained. “A state actor can uncover these types of business relationships and infect the relevant personnel in advance.”

Strategic infection of equipment before it is even installed at the plant/facility is an option open to hackers playing the long game.

Sleeper cells

There are additional possibilities that involve chaining 0-days to progressively gain access to incremental parts of the outside administrative network, and then breaking into networking hardware like routers and equipment that are designed to keep SCADA network separated from the rest of the world.

What might the capable hackers seemingly probing Western electricity distribution systems be seeking to do? Having “digital sleeper agents” – very well hidden malware that is completely passive at the moment but can shut down operations with the push of a (remote) button – is one possible objective. The goal on potential activation could be a show of strength – creating a psychological intimidation effect – rather than a tool to cause real economic damage. But once achieved, compromised access also offers a capability that might be deployed in times of war or conflict, as best evidenced by the attacks in Ukraine, Saudi Arabia and Qatar over recent years.

Best practice

Earlier this month, the SANS Institute released the results of their 2017 survey of energy companies, chemical producers, critical infrastructure providers and other industrial operators. The survey revealed that industrial control system (ICS) security risks had reached an all-time high-water mark.

Four out of 10 ICS security practitioners quizzed as part of the study said they lacked visibility into their ICS networks. Despite high profile news coverage of recent attacks on unpatched systems, SANS found that only 46 per cent of respondents regularly apply vendor-validated patches, and 12 per cent neither patch nor layer controls around critical control system assets.

While reliability and availability remain the highest priority for OT systems, 69 per cent of ICS security practitioners believe threats to the ICS systems are high or severe and critical.

ICS-SCADA security [source: ENISA]

The latest annual study by EU security agency ENISA provides recommendations on how to protect critical infrastructure systems such as industrial control systems against cyber threats. ENISA’s paper on communication network dependencies for ICS/SCADA systems can be downloaded here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/energy_sector_hackers/

Flaws in web-connected, radiation-monitoring kit? What could go wrong?

Black Hat Vulnerabilities in widely deployed Radiation Monitoring Devices (RDMs) present a potential mechanism for triggering false alarms and worse, according to research unveiled at Black Hat on Wednesday.

RDMs are used to monitor radiation in critical infrastructure such as nuclear power plants, seaports, borders, and hospitals. However, like many Internet of Things devices, security shortcomings provide a means to subvert their operation.

An inspection of the technology by Ruben Santamarta, principal security consultant for IOActive, uncovered flaws in RDMs from multiple vendors, including Ludlum and Mirion. Santamarta’s research focused on testing software and hardware, firmware reverse engineering and radio frequency analysis.

The vulnerabilities create a means to meddle with “critical systems used for monitoring radiation levels, for example by falsifying measurement readings to simulate a radiation leak, tricking authorities to give incorrect evacuation directions, or increasing the time an attack against a nuclear facility or an attack involving a radioactive material remains undetected by sending normal readings to deceive operators”.

Inspection of software that ships with the Model 53 Gamma Personnel Portal from Ludlum revealed a backdoor password. “As a result, malicious personnel can bypass the RPM’s authentication and take control of the device, which could be used to disable it, thus preventing the RPM from triggering proper alarms,” Santamarta warned.

Ludlum 53 and software [source: IOActive whitepaper]

Ludlum’s gate monitors – Model 4525 – for vehicle inspection lack any security measure for data communication. Any attacker in the adjacent network can change the device’s network settings, which opens the door to multiple attacks. Worse yet, the device communicates via cleartext, so attackers would be able to falsify readings, disable alarms, or perform any other originally supported operation.

Ludlum’s gate monitors – Model 4525 – for vehicle inspection [source: IOActive]

After studying the hardware and firmware, IOActive also uncovered potential attacks against Mirion WRM2-capable Radiation Monitoring Devices at nuclear power plants. A skilled and sufficiently motivated attacker might be able to forge or sniff “WRM2 transmissions, either by repurposing a Digi S3/S3B XBee Module or by implementing the XSC and WRM2 protocol layers in a SDR device”. Such devices are located at secure facilities, reducing the likelihood of any attack in most scenarios. IOActive is convinced nonetheless that it has identified issues that merit remediation.

“Failed evacuations, concealed persistent attacks and stealth man-in-the-middle attacks are just a few of the risks I flagged in my research,” said Santamarta. “Being able to properly and accurately detect radiation levels is imperative in preventing harm to those at or near nuclear plants and other critical facilities, as well as for ensuring radioactive materials are not smuggled across borders.”

Exposed Digi S3B Module [source: IOActive]

IOActive informed the affected vendors of the findings weeks before Santamarta delivered his talk, Go Nuclear: Breaking Radiation Monitoring Devices, at Black Hat. Despite initial responses indicating the issues would not be addressed, more recent communications from some vendors have indicated work is being done to patch the critical vulnerabilities uncovered.

El Reg contacted Ludlum and Mirion for comment but we’re yet to hear back from either.

A white paper on IOActive’s research includes technical details for the testing conducted and the vulnerabilities identified. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/28/radiation_monitoring_infosec/

Russian Operator of Bitcoin Exchange Charged with Money Laundering

Alexander Vinnik and Bitcoin exchange BTC-e have been charged in a 21-count indictment for money laundering and related crimes.

Russian citizen Alexander Vinnik and BTC-e, the Bitcoin exchange he allegedly controlled, have been charged in a 21-count indictment for money laundering, operating an unlicensed money service business, and related crimes, the DoJ reported.

BTC-e was founded in 2011 and was one of the largest and most broadly used digital currency exchanges in the world. According to the indictment, it allowed users to trade Bitcoin anonymously and built a customer base made up mostly of cybercriminals. Users did not have to validate their identities, and could anonymize transactions and sources of funds and avoid anti-money laundering processes. BTC-e received more than $4B in Bitcoin over the course of its operation.

The indictment also alleges Vinnik received funds from the hack of Mt. Gox, an earlier digital currency exchange that failed. He allegedly laundered those funds through several online exchanges, including BTC-e and Tradehill, another failed exchange based in San Francisco.

“Mr. Vinnik is alleged to have committed and facilitated a wide range of crimes that go far beyond the lack of regulation of the bitcoin exchange he operated,” says Chief Don Fort, IRS Criminal Investigation. “Through his actions, it is alleged that he stole identities, facilitated drug trafficking, and helped to launder criminal proceeds from syndicates around the world.”


Article source: https://www.darkreading.com/attacks-breaches/russian-operator-of-bitcoin-exchange-charged-with-money-laundering/d/d-id/1329478?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Throw Out the Playbooks to Win at Incident Response

Four reasons why enterprises that rely on playbooks give hackers an advantage.

For coaches and athletes, playbooks are invaluable. Games played by a set of known rules can benefit from playbooks that help teams use variations of known tactics against known opponents to gain a competitive advantage. But for enterprise security teams, playbooks can be more like an Achilles heel, especially as an incident response tactic. They create a sense of false security because playbooks are only useful against known threats, using known tactics against known adversaries.

Unlike athletes in organized sports, hackers play by their own set of rules, and threat tactics are ever-evolving. This means playbooks, by definition, leave gaps in security because they rely on established criteria. Additionally, playbooks place a heavy workload on security teams, creating even more vulnerabilities for enterprises.

First, playbooks consist of a pre-assembled set of tasks triggered by the detection of a recognized threat. Many organizations use some form of workflow orchestration to create and/or automate a task list, but the actual tasks are still manually performed by a security analyst. This means that teams get bogged down in reactive, tactical responses, instead of placing more effort into strategic, proactive activity to help prevent attacks.

Second, playbooks are very static, as they involve translating response processes into integrations. If you change the process or the involved systems, then you need to update the code that implements the integrations. Playbooks and orchestration are just continuing the tradition of viewing incident response as a process problem.

Third, since playbooks create a standard response to threats, hackers can easily determine how a specific organization will respond to a known threat. It’s the equivalent of a defensive line already knowing where the quarterback is going to throw the ball. Hackers use playbooks as a distraction by targeting an organization with a tactic that triggers a known response, and then launching a new attack while the team is busy responding to the distraction. This results in a loss of productivity and increases the chances that the real attack achieves its intended purpose.  

Lastly, the use of playbooks caters to the skills gap that is plaguing security teams, rather than encouraging skill advancement. Reliance on playbooks has created an environment in which analysts only learn what it takes to complete the series of tasks, and that requires only a broad, lower-level understanding of a known threat. This hinders skills growth and puts the business at risk. Playbooks do not take into account organization-specific factors or the skill advancement of the analyst, because she does not get to apply her own insight to the response and build her skillset from what she may have learned through the experience.

Enterprises relying on playbooks for incident response are doing themselves a disservice. While they may survive an attack today, they are not taking a forward-looking approach to keeping pace with the threats of tomorrow. 


Liz Maida is instrumental in building and leading the company and its technology, which is founded on core elements of her graduate school research examining the application of graph theory to network interconnection. She was formerly a senior director at Akamai Technologies, …

Article source: https://www.darkreading.com/vulnerabilities---threats/throw-out-the-playbooks-to-win-at-incident-response/a/d-id/1329450?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How to hack a Sysadmin – jump the IT support queue every time!

Today is 2017-07-28, and it’s #SysAdminDay.
Why not stop by IT for a cheery chat?
Here’s how to hold your own if you do…

How to hack (sorry, influence) a sysadmin

First, don’t be afraid.

It’s easy to be daunted, but sysadmins are more like the rest of us than we sometimes realise.

After all, anyone over 18 can lawfully get a tattoo, although yours probably won’t be written in hexadecimal; death metal is pretty much mainstream in 2017, so it’s not exactly anarchic or reactionary any more; and cammo trousers are practically formal wear these days.

Second, sysadmins are so smart that they don’t actually know how smart they are.

Third, all sysadmins are weakened by one irremediable prejudice: they think that there is one, and only one, valid programming language for all system administration tasks.

All you have to do is find out which language it is, somehow let it slip that you feel the same way, and you’re golden – you’ll have plenty to talk about (by which we mean you’ll have plenty to listen to), and you’ll never have to configure your own wireless router ever again!

We’ve published a handy guide to help you fathom some of the top sysadmin languages, and match them to the victims (sorry, sysadmins) whom you want to hack (sorry, influence) inside your organisation.

1. PERL

Perl is a compact, verbose, easy-to-learn, complex, effective and utterly confusing language that is so powerful that it can solve every known problem in computer science, which is a jolly good thing because most of those problems have arisen because of Perl. No programming task can more easily be complicated than by coding it in Perl.

If Perl were a beard, it would be Zakk Wylde’s. In fact, Perl would be two beards, or perhaps even three, given the official motto of the language, and the fact that many Perl programs contain text that looks like use strict; my $error; or use Carp; die("BOMBED");

Language motto: There’s more than one way to do it.

2. PYTHON

Python is a literate, legible, powerful and flexible language designed to avoid the lowbrow pugnacity of Perl. It sounds pretentious to say it, but Python is the “thinking man’s” Perl – indeed, it’s the language you use because you think it will deliver you a more robust solution in a fraction of the time. And you’re right, except that the fraction will be 8/3 (267%), or close to three times as long.

Python is one of very few programming languages in which the meaning of a line of code is determined by how many spaces there are at the start. This is very similar to the notion that indenting a series of incomplete, inept and illiterate sentences and turning them into PowerPoint bullets magically makes them insightful.

Language motto: Python doesn’t have a motto. It has Zen. (True.)

3. BASH

Bash isn’t really a programming language, not least because it has grown so complicated that it is no longer possible to describe the language in formal terms – you can’t write down what techies call its parsing grammar.

Bash code is illegible, imprecise, incomprehensible, insecure, unmaintainable and grindingly slow, to the point that it is enviably egalitarian. Indeed, all Bash programs have the same quality: none. Bash is so desirably dreadful that Microsoft now officially supports it on Windows 10.

Language motto: BUGS: It’s too big and too slow. (Official bash man page.)

4. POWERSHELL

Powershell is Microsoft’s seventeenth attempt to introduce a script-based programming language for Windows sysadmins. It is far and away the weirdest, the most convoluted, the most annoying and the hardest to learn. Powershell makes Applescript look crisp, clean, clear and purposeful.

But here’s the thing: Powershell is perfectly named. It is a shell, and it gives you POWER. Real, unbridled, scary, interplanetary sysadministrative power. For the first time ever, Unix sysadmins are looking at their Windows cousins and saying, “If only I could do that.”

Language motto: Because POWER!

5. JAVA

You may be surprised to hear this, given the reputation of Java, but sysadmins secretly love Java to bits.

Hahahahahahahahahahahahahaha. Only kidding.

Language motto: Careful with that axe, Eugene.

Not on the list?

If you can’t figure out what language best fits the sysadmin you are targeting, you may need to fall back on what are known as esolangs: programming languages that are weird and wacky on purpose.

Just drop the name of one of them into casual conversation every once in a while when the sysadmin you are targeting is around, and have patience.

Eventually you will hit the spot, and you’re done.

Example: “Imagine trying to program that in Befunge!” (Give a wry but happy smile at this point.)

Happy #SysAdminDay!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/74xuYduzmBc/