STE WILLIAMS

ATM security devs rush out patch after boffins deliver knockout blow

A firm that supplies security software for cash machines has updated its technology after researchers uncovered a number of serious shortcomings.

Flaws in GMV’s Checker ATM Security technology created a means for hackers to remotely run malicious code on a targeted ATM. The CVE-2017-6968 vulnerability opened the door to all manner of mischief – including but not limited to the possibility of stealing money from a compromised device, according to researchers at Positive Technologies.

Checker ATM Security protects cash points by enforcing a wide range of restrictions: whitelisting with Application Control to block unauthorised applications, restricting attempts to connect peripheral devices such as a keyboard or mouse, limiting network connections using a firewall, and more.

Positive Technologies was able to develop exploits that disable Checker ATM Security, allowing arbitrary code to then run on the ATM. The exploit relied on a combo punch: a man-in-the-middle attack to knock out the crypto, and a buffer overflow to land the knockout blow.

“To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection,” said Georgy Zaytsev, a researcher with Positive Technologies. “During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution.

“This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorised money withdrawal.”
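The client-side defect Zaytsev describes, a response parameter whose length is never bounded, is illustrated below with an added example. This is not GMV's code or anything from the Positive Technologies research: the tag/length/value layout, the buffer size and the function names are assumptions constructed for the illustration, and the unchecked parser is shown only to contrast with the bounded one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed wire layout for one key-exchange response parameter (constructed
 * for this example, not Checker ATM Security's real protocol):
 *   [1 byte tag][2 bytes big-endian length][length bytes value]            */
#define KEY_PARAM_MAX 64            /* fixed client-side buffer size */
#define TAG_SERVER_PUBKEY 0x01

struct key_param {
    uint8_t  tag;
    uint16_t len;
    uint8_t  value[KEY_PARAM_MAX];
};

/* Vulnerable pattern: the length field sent by the server is trusted and used
 * directly as the copy size. A rogue server that sends len > KEY_PARAM_MAX
 * overruns 'value' and whatever lies after it in memory. Never call this with
 * untrusted input; it exists only to show the missing check. */
int parse_param_unchecked(const uint8_t *msg, size_t msg_len, struct key_param *out)
{
    if (msg_len < 3) return -1;
    out->tag = msg[0];
    out->len = (uint16_t)((msg[1] << 8) | msg[2]);
    memcpy(out->value, msg + 3, out->len);   /* no bound: overflow */
    return 0;
}

/* Hardened pattern: every length taken from the peer is checked against both
 * the destination buffer and the number of bytes actually received before
 * a single byte is copied. */
int parse_param_checked(const uint8_t *msg, size_t msg_len, struct key_param *out)
{
    if (msg_len < 3) return -1;                    /* truncated header */
    uint8_t  tag = msg[0];
    uint16_t len = (uint16_t)((msg[1] << 8) | msg[2]);
    if (tag != TAG_SERVER_PUBKEY) return -2;       /* unexpected parameter */
    if (len > KEY_PARAM_MAX) return -3;            /* would overflow buffer */
    if (len > msg_len - 3) return -4;              /* claims more than received */
    out->tag = tag;
    out->len = len;
    memcpy(out->value, msg + 3, len);
    return 0;
}

/* Build a constructed response carrying 'value_len' dummy key bytes.
 * Returns the total message size, or 0 if it does not fit in buf. */
size_t build_response(uint8_t *buf, size_t buf_size, uint16_t value_len)
{
    if (buf_size < 3u + value_len) return 0;
    buf[0] = TAG_SERVER_PUBKEY;
    buf[1] = (uint8_t)(value_len >> 8);
    buf[2] = (uint8_t)(value_len & 0xff);
    memset(buf + 3, 0x42, value_len);   /* dummy key bytes */
    return 3u + value_len;
}

int main(void)
{
    uint8_t wire[1024];
    struct key_param p;

    size_t n = build_response(wire, sizeof wire, 32);
    printf("legit 32-byte parameter: checked=%d\n", parse_param_checked(wire, n, &p));

    n = build_response(wire, sizeof wire, 512);   /* rogue server oversizes */
    printf("oversized parameter:     checked=%d (rejected)\n", parse_param_checked(wire, n, &p));
    /* parse_param_unchecked(wire, n, &p) would write 512 bytes into a 64-byte field */
    return 0;
}
```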

The developer confirmed the issue in Checker ATM Security versions 4.x and 5.x before providing a critical patch for the affected versions to all its customers worldwide, according to Positive Technologies. GMV is yet to respond to El Reg’s request for comment on the matter.

Positive Technologies’ experts have previously identified a number of other issues in ATM protection software, including a dangerous vulnerability in McAfee Solidcore last year. Exploitation of that zero-day vulnerability (CVE-2016-8009) could cause execution of arbitrary code with System privileges, escalation of user privileges from Guest to System, or a crash of the ATM operating system. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/atm_security_software_vuln/

Researchers Hack Industrial Robot

New research finds more than 80,000 industrial routers exposed on the public Internet.

It was a minuscule change in parameters – just 2mm – but that tiny deviation, delivered to a real robot in a recent hacking experiment, could result in a massive product recall or even a major defect in an aircraft design in a real manufacturing scenario.

Researchers at Trend Micro and Italy-based Politecnico di Milano today detailed the proof-of-concept attack they conducted on an ABB Robotics IRB140 industrial robot, exploiting a remote code vulnerability they found in the robot’s controller software. They fed the robot a phony configuration file that modified its parameters for drawing a straight line. Instead of a perfectly straight line, the robot drew a slightly skewed one, following the 2mm change in instructions.

“The code was working as expected, but with the wrong configuration,” says Mark Nunnikhoven, Trend Micro’s vice president of cloud research. “We were getting the robot to change what it thought a straight line was.

“Two millimeters doesn’t sound significant, but it made a defect in manufacturing. If that was an airplane … it can be a catastrophic event,” he says.

The ABB robot hack was part of a larger study published today by Trend Micro on cybersecurity flaws and vulnerabilities in today’s industrial robots, “Rogue Robots: Testing the Limits of an Industrial Robot’s Security.”

The researchers discovered more than 80,000 industrial routers exposed on the public Internet, along with robots reachable directly via their FTP servers, in a two-week scan for connected robots from major vendors such as ABB Robotics, FANUC FTP, Kawasaki E Controller, Mitsubishi FTP, and Yaskawa. The scan, using the Shodan, ZoomEye, and Censys search engines, revealed that some of the exposed devices didn’t require any authentication to access them.

[Figure: Industrial robots exposed via their FTP servers as of late March 2017. Source: Trend Micro]

[Figure: Exposed industrial routers, according to Censys, ZoomEye, and Shodan search results as of late March 2017. Source: Trend Micro]

Industrial robots are commonplace in the manufacturing operations of aerospace, automotive, packaging and logistics, and pharmaceutical companies and increasingly are showing up in office and home environments. IDC estimates that in 2020, worldwide spending on robotics will be at $188 billion. Meantime, robots and their control software are basically as security-challenged as any other Internet of Things devices, containing critical and painfully obvious security flaws that make them relatively easy to manipulate and hack.

Security vulnerabilities in robots can be exploited to take control of a robot’s movements and operations for spying, sabotage, or damaging the manufacturing process on the plant floor. They could even be used in a way that poses a physical danger to humans who work alongside these systems, according to recent research from IOActive that studied popular robots and robot-control software used in businesses, homes, and industrial plants.

IOActive discovered some 50 flaws that could allow a hacker to remotely manipulate a robot moving about the office, plant floor, or home, to infiltrate other networks there, spy and steal information, and even wreak physical destruction. “Compared with IoT, the cybersecurity threat is a lot bigger with robots. They can move around … and could hurt people or damage property” if hacked, says Cesar Cerrudo, CTO at IOActive.

Even before IOActive’s and Trend Micro and Politecnico di Milano’s work, the academic community was studying robot hacking: In 2015, researchers at the University of Washington hacked a surgical robot to demonstrate how an attacker could hijack and wrest control of a robot during surgery.

Trend Micro’s Nunnikhoven says that like many industrial systems, robots are designed with physical safety in mind, but not cybersecurity. Their controls also are increasingly software-based, and many robots now come embedded with routers for remote-access monitoring and maintenance by the vendor. “Lo and behold we found a ridiculous amount of these [devices] connected to the Internet,” some purposely and some unbeknownst to their owners, he says. “They were never designed to be connected to the Internet.”

Researchers at Trend Micro and Politecnico di Milano pinpointed five classes of attacks that could be waged against industrial robots by exploiting certain combinations of software vulnerabilities. They reported vulnerabilities they discovered to the respective robot vendors, including ABB, which since has updated its robot with security fixes. Trend Micro reverse-engineered ABB’s RobotWare control program as well as the RobotStudio software as part of the PoC hack.

Performing a robot hack isn’t cheap, however: the researchers say a similar configuration used in their hack could be purchased online for tens of thousands of dollars.

According to Nunnikhoven, the flaws Trend found in various vendors’ robots included authentication weaknesses and a lack of end-to-end encryption, as well as other common weaknesses found in IoT and ICS/SCADA systems.

Robot technical information is often available online, firmware images are unprotected, Web interfaces are left exposed, and their software components are rarely patched, according to Trend’s findings. The security firm didn’t publish specific vulnerabilities in specific products.

They found that an attacker could alter the control system to influence how the robot moves; change the calibration, like in their PoC; manipulate production logic to quietly sabotage the workflow; manipulate the robot’s status information so operators don’t detect any hacks; and manipulate the robot’s status so the attacker gains full control from the legitimate operator.

The manufacturing sector is a juicy target for hackers. According to the new Verizon Data Breach Investigations Report, last year Verizon investigated 115 cyber espionage incidents at manufacturing firms, 108 of which included a data breach. And manufacturing is one of the most frequently hacked industries, according to IBM X-Force Research’s 2016 Cyber Security Intelligence Index.

When it comes to robots on the plant floor, the security challenges are similar to those of any other industrial network. The devices are in place for many years and rarely get software updates for design and operational reasons. “These are multi-year investments, similar to SCADA controllers,” Nunnikhoven says of industrial robots. He recommends that manufacturing firms conduct network monitoring to watch for nefarious activity, for example. “That way you can see what’s going in and out of the robot.”

“And [robot] vendors have to do a lot of work to build more secure systems from day one,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/vulnerabilities---threats/researchers-hack-industrial-robot-/d/d-id/1328790?_mc=RSS_DR_EDT

Sabre Breach May Put Traveler Data at Risk

Travel giant Sabre investigates a potentially significant data breach of a reservations system used by more than 32,000 properties.

Sabre Corp. is investigating a potentially massive data breach of a reservations system, which serves more than 32,000 hotels and other lodging businesses, KrebsonSecurity reports. The breach was disclosed in a quarterly filing with the US Securities and Exchange Commission.

The Texas-based travel business says it is “investigating an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.”

Sabre has informed affected properties that unauthorized access has been shut down and they have not detected signs of ongoing illicit activity. It did not have additional details about what caused the breach or when it took place. Forensics firm Mandiant is helping with its investigation.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/sabre-breach-may-put-traveler-data-at-risk/d/d-id/1328792?_mc=RSS_DR_EDT

7 Steps to Fight Ransomware

Perpetrators are shifting to more specific targets. This means companies must strengthen their defenses, and these strategies can help.

Ransomware can be a highly lucrative system for extracting money from a victim. Victims are faced with an unpleasant choice: either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of harvested email addresses without a singular focus on a company or individual.

As ransomware perpetrators continue to hone their skills, we’re seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms.

This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.

The best defensive strategies should include the following:

1. Provide user awareness training and friendly testing. This can reduce the human attack surface.

2. Maintain a comprehensive patch management program to keep all systems up to date and reduce the endpoint attack surface.

3. Limit users’ privilege and network drive connectivity to the minimum essential for job requirements.

4. Conduct frequent backups and store them offline because many ransomware variants will spread through drive shares and can even reconnect a disconnected drive share.

5. Use network segmentation that requires authentication. For example, a user must enter a password before traversing the network. This will reduce the network attack surface.

6. Deploy advanced threat intelligence tools. Threat intelligence can be used to identify IP addresses of known command and control sites. Blocking these sites can potentially prevent malware from being able to establish its encryption routine. It’s important to note this strategy may not work on some newer versions of ransomware that operate independently and create their own encryption keys without having to communicate with a command and control server.

7. Lastly, as a final fallback, know how to buy Bitcoin (or Monero, which is emerging as an alternative means of payment). Consider pre-purchasing some in advance in the event a ransom needs to be paid on short notice.


Mitigating Risk
Although the ultimate goal is to avoid falling victim, this isn’t always possible. An attack only takes one gullible employee to click on or open something he shouldn’t. Then what?

Should you pay the ransom to continue operations, or do you refuse to pay it as a matter of principle? The tie-breaker is the cost of downtime — measured potentially in the range of thousands of dollars per hour. One should establish in advance the financial impact of losing access to critical information or business processes, and work through the decision before facing a crisis.

Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you’re vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you’re relying upon to prevent an infection is hope — and hope is not a strategy. By implementing the seven defensive actions listed above you can greatly reduce, and potentially eliminate, vulnerabilities. Review the list again, and remember that increased security awareness training with testing can be your most effective defense.

Note: G. Mark Hardy will be giving a talk on this topic at an upcoming SANS event in Denver, Colorado.


G. Mark Hardy is an instructor with SANS and the founder and president of National Security Corporation. He has been providing cybersecurity expertise to government, military, and commercial clients for over 30 years and is an internationally recognized expert who has spoken …

Article source: http://www.darkreading.com/attacks-breaches/7-steps-to-fight-ransomware/a/d-id/1328673?_mc=RSS_DR_EDT

Small Budgets Cripple Cybersecurity Efforts of Local Governments

A survey of local government chief information officers finds that insufficient funding for cybersecurity is the biggest obstacle in achieving high levels of cyber safety.

Inadequate budgets are the largest obstacle for local government chief information officers in obtaining the highest level of cybersecurity for their organization, according to a survey released today by the International City/County Management Association.

According to 411 respondents in the Cybersecurity 2016 survey, 32% reported seeing an increase in cyberattacks to their organizations within the past 12 months. But despite this increase, more than half of the CIOs surveyed found steep obstacles still stood in their way of achieving the highest level of cybersecurity as possible.

Survey respondents pointed to these reasons as the barriers to obtaining high cybersecurity levels:

  • 58% noted inability to pay competitive salaries
  • 53% attributed small cybersecurity staff as the main obstacle
  • 52% cited overall lack of funds

Although adequate funding was listed as the top need in achieving the highest level of cybersecurity for local governments, improved cybersecurity policies ranked as No. 2, followed by government employees having a better understanding of cybersecurity as No. 3, according to the survey.



Article source: http://www.darkreading.com/endpoint/small-budgets-cripple-cybersecurity-efforts-of-local-governments/d/d-id/1328793?_mc=RSS_DR_EDT

Seeing Security from the Other Side of the Window

From the vantage point of our business colleagues, security professionals are a cranky bunch who always need more money but can’t explain why.

As I sit here writing this piece, there is a bird that is repeatedly flying into the window next to me.  This is something that has happened each day for quite some time now. Yet, until recently, I couldn’t figure out why the bird would fly into the window over and over again. That is, until I found myself on the other side of the window one day, seeing things from the perspective of the bird.

What I saw from the other side of the window was that the bird cannot see inside my home.  Rather, the bird sees its reflection, which I presume it thinks is another bird. Repeated efforts to be friendly and greet this bird, of course, result in repeated collisions with the window.

What does this have to do with security?  Allow me to elaborate.

I’ve noticed over the course of my career that those of us in the security world struggle to understand what our world looks like from the other side of the window.  Because we live and breathe security, we struggle to understand those who do not. Often, our frustration with those on the other side of the window grows. What we may not understand, however, is that those on the other side of the window also struggle to understand us and, likewise, are increasingly frustrated by us. Here are two examples that I come across frequently.

The Mockers and the Mocked
It would be an understatement to say that there are many in the security field who have a tendency to mock those who make mistakes or poor decisions. I don’t know about you, but I most certainly make mistakes. When I realize I’ve made a mistake, it generally doesn’t feel so great. Do you think that if someone were to mock me, it would make me feel better about the mistake I’ve made, or somehow encourage me to learn from it?  In fact, the opposite is true.  Mocking people causes them to dig in deeper, and to avoid listening to anything the mocker says at all costs.

For example, after a breach or otherwise high profile security error goes public, I rarely see very many helpful suggestions or analysis in the subsequent public discussion.  Most of what I see on social media and in the news doesn’t neatly and concisely summarize the mistakes that were made, offer lessons learned, or advise on how a similar situation can be avoided elsewhere.  Rather, I see a bunch of mocking: How could they have been so stupid?  Do these people know nothing about security?  What is wrong with these people?  You get the idea, and I know you’ve seen it as well.

Well, guess what? The victim and other organizations that may empathize with the victim don’t find this very motivating. Rather than provide them with helpful suggestions to improve their security postures, we mock them. To the constructive masses on the other side of the window, that isn’t particularly helpful. And it certainly doesn’t help them understand  the issues and challenges faced by security professionals any better.

The Business of Security
In most organizations, security is a cost. To a business, costs are seen as somewhat of a necessary evil. There is a general understanding that it takes investment in various different areas in order to run a business properly.  Of course, as you might expect, those running the business and making those investments generally want to know what return their investments are bringing, and whether or not continued investment is justified and at what level.

Let’s look at another business cost unrelated to security for a moment. Say my business sells widgets that I need to ship. Obviously, shipping these widgets costs money, but it is an integral part of the business. After all, customers need to receive the widgets they order.  From the business side, I know what I sell each widget for, and I can calculate the costs involved in their production, including the shipping costs. Further, beyond just cost of shipping, I have metrics available on average delivery time, percentage of deliveries that resulted in delivery to the wrong address or of damaged goods, and many other such data.  There is quite a bit of information available for the business decision maker who wants to evaluate whether or not the shipping choices that have been made are the right ones for the business.

Let’s transition to a look at security as a business cost. Some in the security world spend lots of energy complaining about how people just don’t get it. But how much energy is spent trying to see things from the business perspective, or to help business managers see things from ours? Business leaders ask logical questions that most areas of the business have no trouble answering. But for security organizations, this can be a tricky exercise. Let’s take a look at a few examples.

  • How do I know that my security team is qualified? Well, we are a profession with countless confusing certifications, none of which prove competence or provide any sort of licensing.
  • If I invest $X in security, what will it get me? Unfortunately, we don’t have a very good handle on return on investment in the security field.
  • How do I know if my security program is performing to the level it needs to? Again, we as a field don’t have great metrics to show that we are getting the job done.

So looking at security from the other side of the window, it would appear that we are a cranky bunch who always need more money but can’t explain why. I’m not saying that security should be handled like shipping. I am saying, though, that we should consider how we look from the other side of the window, particularly to a business leader.

As time goes on, security is becoming more and more mainstream. Gone are the days in which we were an obscure profession shrouded in secrecy and mystery. As a result, we need to understand that we are now a business function, and we need to get better at functioning as one. Seeing how we appear from the other side of the window is an important step in getting there. If you haven’t already, you should try it sometime.



Josh is an experienced information security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as VP and CTO – Emerging Technologies at FireEye. Until its acquisition by FireEye, Josh served as …

Article source: http://www.darkreading.com/careers-and-people/seeing-security-from-the-other-side-of-the-window/a/d-id/1328786?_mc=RSS_DR_EDT

Want to get your Android phone purring? Don’t install Full Optimizer

If you’re no fan of advertisements popping up on your device, you’ll want to avoid two apps in Google Play: Full Optimizer and Full Optimizer Lite. They deliver adware and don’t really do the things the developer claims.

SophosLabs researcher Chen Yu said Google Play has been notified about these apps, which Sophos detects as Andr/FakeApp-BH for com.fast.fulloptimizer and com.mas.fast.fulloptimizerlite. Yu said:

They are from the same developer and have the same behavior. com.fast.fulloptimizer is quite popular, with between 100,000 and 500,000 downloads so far.

If you go in Google Play, the apps look like this:

The app claims to provide two functions: Phone Boost, which is said to clean up unused space, and CPU Cooler. Both functions are fake. The Phone Boost function simply loops 72 times and adds up a random number between 1-5 on each loop:

After this, the user gets a message claiming they have between 72MB and 360MB free:

CPU Cooler also uses a random number to fool the user:

Its only function is to deliver ads aggressively. It includes multiple advertisement libraries and shows ads every time the screen is turned on:

Defensive measures

As stated above, Sophos detects this adware as Andr/FakeApp-BH. Sophos customers are protected.

Non-Sophos customers should keep a close eye out for these apps and avoid them. Unless, of course, they want advertisements.

Malicious and unwanted apps continue to be a fact of life – and they demonstrate the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bU9Jv7fAjQw/

Biggest security threat to US healthcare? Loose lips and lost hardware

US healthcare breach incidents have dropped off in the year to date after hitting an all-time high in 2016.

During 2016, a total of 328 US healthcare firms reported data breaches, up from 268 in 2015 (the year of the Anthem health insurance mega-breach). A study by security firm Bitglass reports that the actual volume of leaked records fell in 2016, and is on track to decrease still further in 2017. A total of 16.6 million Americans were affected by breaches throughout 2016, down significantly from 2015 – even when excluding the massive Anthem breach.

Unauthorised disclosures are now the leading cause of breaches, accounting for nearly 40 per cent of breaches in 2016. These disclosures can take the form of anything from lost or stolen computers to the accidental mailing of personal information.

Clerical staff as well as doctors and nurses all have access to confidential medical and personal information in hospitals and clinics, which have a duty to report incidents under regulations far tighter than those that apply to other industry sectors.

Bitglass’s third annual Healthcare Breach Report aggregates data from the US Department of Health and Human Services’ Wall of Shame – a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA) – to identify the most common causes of data leakage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/03/us_healthcare_breaches_declining/

Healthcare Breaches Hit All-Time High in 2016

More than 300 healthcare businesses reported data breaches in 2016, but a drop in leaked records put fewer Americans at risk.

A record-breaking 328 healthcare businesses reported data breaches in 2016, surpassing the record of 268 set one year prior. Healthcare records of about 16.6 million Americans were exposed due to hacks, lost or stolen devices, unauthorized disclosure, and other activity.

It’s not all bad news, however. Sixteen million is significantly less than the nearly 35 million leaked records in 2015, which excludes the Anthem breach that compromised the information of nearly 80 million people.

These updates come from the Bitglass 2017 Healthcare Breach Report, which aggregates data from the US Department of Health and Human Services’ Wall of Shame — a collection of breach disclosures mandated under HIPAA — to identify common causes of data exposure.

Bitglass product manager Salim Hafid says the study was done to analyze the causes of breaches and effects they have on businesses and customers. The factors behind data leakage have changed since 2014, when lost or stolen devices were primary drivers of data exposure.

“In the past few years, unauthorized disclosures, and hacking and IT incidents, have taken hold,” Hafid says. “Folks are becoming more aware of the value of healthcare data.”

Unauthorized disclosures are typically unintentional, he continues, but increasingly common as applications like Google Drive and Dropbox make it easier for employees to send large amounts of sensitive information to the wrong people.

“The rise in unauthorized disclosure isn’t because people are more malicious, but because it’s easier to share large volumes of data,” says Hafid. “The ease with which you can share is both a positive and a negative.”

However, bad actors are also part of the problem.

Hacking has become a bigger problem as a rise in publicized breaches is leading attackers to realize healthcare targets aren’t as security-savvy as they once believed, especially when many are adopting mobile and cloud systems to accommodate their employees and patients.

“Businesses are incredibly vulnerable, and they don’t have the appropriate security tools in place,” Hafid continues. “The ability to access data from a personal device outside the corporate network is becoming more common, and organizations don’t have the security to protect that kind of access.”

While the industry has consistently seen more breaches year after year, Hafid says the decline in exposed records and affected individuals is a sign businesses are heading in the right direction.

A combination of proactive and reactive measures is essential to mitigate the effects of cyberattacks. Proactive measures, like restricting access to sensitive files and putting firewalls in place, are the primary means of limiting data leakage in the event of a breach.

“I think this is a positive sign and shows organizations are taking big steps,” says Hafid of the rise in proactive security. “Even if they can’t prevent a hack, they can lessen the effects of the hack.”

While it’s still early to tell how the rest of 2017 will unfold, he wouldn’t be surprised to see the number of breaches continue to grow as attackers aim to capitalize on valuable healthcare data. The number of affected individuals will likely continue to drop as businesses put more security measures in place.

Hafid recommends three steps for businesses working to protect themselves:

    • Identity management: Ensure users are who they say they are. Authentication can prevent breaches caused by compromised credentials.
    • Mobile security: Many businesses let their guards down when it comes to mobile security, says Hafid. It’s key to stay vigilant in terms of mobile security and protecting devices within the organization.
    • Encryption and data protection: Take steps to ensure files with sensitive data are encrypted. If data is leaked but protected, businesses still have visibility into who is accessing that data.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: http://www.darkreading.com/attacks-breaches/healthcare-breaches-hit-all-time-high-in-2016/d/d-id/1328787?_mc=RSS_DR_EDT

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2010

Updated: For the past seven years, millions of Intel workstation and server chips have harbored a security flaw that can be potentially exploited to remotely control and infect systems with spyware.

Specifically, the bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows “an unprivileged attacker to gain control of the manageability features provided by these products.”

That means it is possible for hackers to log into a vulnerable computer’s hardware – right under the nose of the operating system – and silently tamper with the machine, install virtually undetectable malware, and so on, using AMT’s features. This is potentially possible across the network because AMT has direct access to the computer’s network hardware.

These insecure management features have been available in various, but not all, Intel chipsets for nearly a decade, starting with 2010’s Intel Q57 family, all the way up to this year’s Kaby Lake Core parts. Crucially, the vulnerability lies at the very heart of a machine’s silicon, out of sight of the operating system, its applications and any antivirus.

The programming blunder can only be fully addressed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

The vulnerable AMT service is part of Intel’s vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the computer’s AMT controls and hijack them. If AMT isn’t provisioned, a logged-in user can still potentially exploit the bug to gain admin-level powers. If you don’t have vPro or AMT present at all, you are in the clear.

Intel reckons the vulnerability affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary folks, which typically don’t. You can follow this document to check if your system is vulnerable – and you should.

Basically, if you’re using a machine with vPro and AMT features enabled, you are at risk. Modern Apple Macs, although they use Intel chips, do not ship with the AMT software, and are thus in the clear.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was discovered and reported in March by Maksim Malyutin at Embedi. To get Intel’s patch to close the hole, you’ll have to pester your machine’s manufacturer for a firmware update, and in the meantime, try the mitigations here. These updates, although developed by Intel, must be cryptographically signed and distributed by the manufacturers. It is hoped they will be pushed out to customers within the next few weeks. They should be installed ASAP.

“In March 2017 a security researcher identified and reported to Intel a critical firmware vulnerability in business PCs and devices that utilize Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), or Intel Small Business Technology (SBT),” an Intel spokesperson told The Register.

“Consumer PCs are not impacted by this vulnerability. We are not aware of any exploitation of this vulnerability. We have implemented and validated a firmware update to address the problem, and we are cooperating with equipment manufacturers to make it available to end-users as soon as possible.”

Specifically, according to Intel:

  • An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).
  • An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT).

Apparently, Intel’s Small Business Technology is not vulnerable to privilege escalation via the network. Whether you’re using AMT, ISM or SBT, the fixed firmware versions to look out for are, depending on the processor family affected:

  • First-gen Core family: 6.2.61.3535
  • Second-gen Core family: 7.1.91.3272
  • Third-gen Core family: 8.1.71.3608
  • Fourth-gen Core family: 9.1.41.3024 and 9.5.61.3012
  • Fifth-gen Core family: 10.0.55.3000
  • Sixth-gen Core family: 11.0.25.3001
  • Seventh-gen Core family: 11.6.27.3264
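As an added example (not from the article or from Intel's own tooling), the following script checks a reported ME/AMT firmware version against the fixed versions listed above, using the same "major.minor" branch to pick the right fix. It assumes the four-field dotted version format used in the list; the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Compare reported Intel ME/AMT firmware versions with the fixed builds
listed in the article (CVE-2017-5689). Added example, not Intel's tool."""
from typing import Dict, List, Tuple

# Fixed firmware versions from the article, keyed by "major.minor" branch.
FIXED_VERSIONS: Dict[str, str] = {
    "6.2": "6.2.61.3535",     # first-gen Core
    "7.1": "7.1.91.3272",     # second-gen Core
    "8.1": "8.1.71.3608",     # third-gen Core
    "9.1": "9.1.41.3024",     # fourth-gen Core
    "9.5": "9.5.61.3012",     # fourth-gen Core
    "10.0": "10.0.55.3000",   # fifth-gen Core
    "11.0": "11.0.25.3001",   # sixth-gen Core
    "11.6": "11.6.27.3264",   # seventh-gen Core
}

# Constructed inventory: "hostname,firmware-version" lines from an asset tool.
SAMPLE_INVENTORY = """\
ws-finance-01,11.6.10.1196
ws-finance-02,11.6.27.3264
srv-build-01,9.5.60.1952
ws-reception-01,5.2.10.1050
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a comparable tuple of four integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    return parts


def assess(version: str) -> str:
    """Return 'not-affected', 'patched', 'vulnerable' or 'unknown-branch'."""
    v = parse_version(version)
    # The article states that firmware versions 6 through 11.6 are affected.
    if v[:2] < (6, 0) or v[:2] > (11, 6):
        return "not-affected"
    fixed = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unknown-branch"  # in the affected range, but no listed fix
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def triage_inventory(text: str) -> List[Tuple[str, str]]:
    """Map each 'host,version' line to (host, assessment)."""
    rows = [ln.split(",", 1) for ln in text.splitlines() if ln.strip()]
    return [(host, assess(ver)) for host, ver in rows]
```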

Judging from Intel’s statement, it’s now up to computer makers to distribute the digitally signed firmware patches for people and IT admins to install. That means if your hardware supplier is a big name like Dell, one of the HPs, or Lenovo, you’ll hopefully get an update shortly. If it’s a no-name white box slinger, you’re likely screwed: things like security, cryptography and firmware distribution are too much hard work in this low-margin business. You may never get the patches you need, in other words.

What is AMT?

AMT is an out-of-band management tool accessed via network port 16992 to the machine’s wired Ethernet interface: it lays bare complete control of a system to the network, allowing IT bods and other sysadmins to reboot, repair and tweak servers and workstations remotely. It can provide a virtual serial console or full-blown remote desktop access via VNC. God help you if this service is exposed to the public internet.

It is supposed to require a password before granting access, but the above bug means an attacker can waltz up to the hardware’s control panel, unauthenticated. Even if you’ve firewalled off your systems’ AMT access from the outer world, someone or malware within your network – say on a reception desk PC – can potentially exploit this latest vulnerability to drill deep into AMT-managed workstations and servers, and further compromise your business.
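Because AMT listens on a known port and should only ever be reached from a handful of management hosts, the access pattern described above is easy to watch for. The script below is an added example (not from the article or any vendor) that flags flows to TCP 16992 from anything other than the approved management hosts, and counts how many AMT-managed machines each unexpected source touched. It assumes a constructed "timestamp src_ip dst_ip dst_port" record format; MANAGEMENT_HOSTS and SAMPLE_LOG are constructed.

```python
"""Flag connections to the AMT port from non-management hosts.
Added example; the log format and addresses are constructed."""
from typing import Dict, List, Tuple

AMT_PORT = 16992                   # AMT management port named in the article
MANAGEMENT_HOSTS = {"10.0.5.10"}   # constructed: the IT admin jump host

# Constructed connection records: timestamp, source, destination, dst port.
SAMPLE_LOG = """\
2017-05-01T10:00:01Z 10.0.5.10 10.0.20.31 16992
2017-05-01T10:00:07Z 10.0.40.77 10.0.20.31 16992
2017-05-01T10:00:09Z 10.0.40.77 10.0.20.31 443
2017-05-01T10:01:12Z 10.0.40.77 10.0.20.32 16992
"""


def parse_record(line: str) -> Tuple[str, str, str, int]:
    """Split one record into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def unexpected_amt_access(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for AMT-port flows whose source is not
    an approved management host. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, port = parse_record(line)
        except ValueError:
            continue
        if port == AMT_PORT and src not in MANAGEMENT_HOSTS:
            hits.append((ts, src, dst))
    return hits


def targets_per_source(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count distinct AMT-managed targets per unexpected source. One
    workstation reaching several targets is the lateral-movement pattern
    the article warns about (e.g. a reception desk PC)."""
    seen: Dict[str, set] = {}
    for _, src, dst in hits:
        seen.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}
```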

AMT is software that runs on Intel’s Management Engine (ME), a technology that has been embedded in its chipsets in one way or another for over a decade, since around the time the Core 2 landed in 2006. It operates at what’s called ring -2, below the operating system kernel, and below any hypervisor on the box. It is basically a second computer within your computer, and it has full access to the network, peripherals, memory, storage and processors. Amusingly, early engines were powered by an ARC CPU core, which has a 16- and 32-bit hybrid architecture, and is a close relative to the Super FX chip used in Super Nintendo games such as Star Fox. Yes, the custom chip doing the 3D math in Star Fox and Stunt Race FX is an ancestor of the ARC microprocessor secretly and silently controlling your Intel x86 tin. These days, the Management Engine uses a SPARC core.

Details of Intel’s ME have been trickling out into the open over the past few years: Igor Skochinsky gave a super talk in 2014 about it, for instance. The ARC core runs a ThreadX RTOS from SPI flash. It has direct access to the Ethernet controller. These days it is built into the Platform Controller Hub, an Intel microchip that contains various hardware controllers and is connected to the main processors on the motherboard.

The ME is a black box that Intel doesn’t like to talk about too much, although it is partially documented on Chipzilla’s website. It freaks out privacy and security conscious people: no one quite knows what the engine is really doing, and if it can be truly disabled, as it runs so close to the bare metal in computers.

On some Intel chip families, you can kill the ME with extreme prejudice by strategically wiping parts of the motherboard flash.

For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel’s AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.

Finding a bug like this is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password “hackme”, in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.

Is it a big deal? “Yes,” said Linux kernel guru Matthew Garrett, who posted some more technical information about the vulnerability, here.

“Fixing this requires a system firmware update in order to provide new ME firmware, including an updated copy of the AMT code. Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix.

“Anyone who ever enables AMT on one of these devices will be vulnerable. That’s ignoring the fact that firmware updates are rarely flagged as security critical (they don’t generally come via Windows update), so even when updates are made available, users probably won’t know about them or install them.” ®

Updated to add

Embedi, whose security researcher found and reported the flaw, has shed some more light on the bug, such as clarifying the flaw has been present in Intel’s chipsets since 2010.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/