STE WILLIAMS

Hacked Robots Present a New Insider Threat

Robots and their control software are rife with critical and painfully obvious security flaws that make them easily hackable, new research shows.

Popular robotics products contain glaring and serious security vulnerabilities that could easily be exploited to hack and take control of a robot’s movements and operations for spying or causing physical damage – and even posing a danger to humans.


Call it the new insider threat: IOActive researchers Cesar Cerrudo and Lucas Apa have found some 50 flaws in popular robots and robot-control software used in businesses, industrial sites, and homes. The flaws could let an attacker remotely manipulate a robot moving about the office, plant floor, or home; use it to infiltrate other networks on the premises; spy and steal information; and even wreak physical destruction.

Robots are getting “smarter” and in some cases, with more human-like qualities such as facial recognition features, all of which is helping propel their popularity and usability. IDC estimates that in 2020, worldwide spending on robotics will be at $188 billion. Robots today are mostly in the manufacturing industry, but the consumer and healthcare sectors are up-and-coming in their robotics adoption, according to IDC.

“A robot being inside [an organization] is actually a reality” today, notes IOActive’s Apa, pointing to the rise of use in smart robotics technology. “And it’s very difficult to distinguish between a robot that’s been hacked” and one that’s not, he says. 

A hacked robot could silently be used to go rogue and hack other networks within the office, or even other robots, according to the researchers, who say robots indeed could be the next-generation insider threat.

Apa, who is a senior security consultant with IOActive, and Cerrudo, IOActive’s CTO, in their new research, studied robots and robotics control software products from Softbank Robotics, UBTECH Robotics, Robotis, Universal Robots, Rethink Robotics, and Asratec Corp. The researchers say they wanted to drill down on the security issues now, before robots become mainstream.

The robots and their control software were rife with the same classes of flaw common in notoriously insecure Internet of Things devices: insecure communications (cleartext or weakly encrypted traffic between the robot and the components that send it commands and software updates); a lack of authentication (no credentials required to reach a robot’s services, for example); and a lack of authorization controls, leaving a robot at the mercy of whoever can reach it.

In addition, they found weak cryptography in the devices and their software that leaves sensitive data stored on the robots at risk, such as passwords, crypto keys, and vendor service credentials. Some of the devices also ship with weak default configurations that don’t properly lock down the robots and their operations, and Cerrudo and Apa found that some of them could not be retrofitted with new passwords, nor even restored once they had been hacked.
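The three weaknesses above (cleartext commands, no authentication, no authorization) are easiest to see side by side. The following is an added example written for this page, not IOActive’s test code and not any vendor’s protocol: the wire format (a UTF-8 line `COMMAND arg ...` for the weak channel, JSON plus an HMAC tag for the hardened one), the caller names `operator` and `viewer`, and the command set are all assumptions chosen for the illustration.

```python
"""Added example: an unauthenticated robot command channel beside a hardened one.

Illustrative code written for this page, not IOActive's tooling or any vendor's
protocol. Wire format, caller roles and command names are assumptions.
"""
import hashlib
import hmac
import json
import os

# --- Vulnerable pattern: whatever arrives on the socket is executed ---------


def insecure_dispatch(wire_msg: bytes) -> dict:
    """Accepts any cleartext command: no authentication, no authorization.
    Anyone who can reach the port (or sniff and replay traffic) drives the robot."""
    cmd, *args = wire_msg.decode("utf-8").split()
    return {"executed": cmd, "args": args}


# --- Hardened pattern --------------------------------------------------------

# Per-caller secrets and the commands each caller may issue (assumed roles).
# A real deployment would provision these per device, not hard-code them.
KEYS = {
    "operator": os.urandom(32),
    "viewer": os.urandom(32),
}
ALLOWED = {
    "operator": {"move", "stop", "telemetry"},
    "viewer": {"telemetry"},
}


def sign_command(caller: str, counter: int, cmd: str, *args) -> bytes:
    """Build an authenticated message: canonical JSON body + HMAC-SHA256 tag.
    The counter must increase per caller; it is what defeats replay."""
    body = json.dumps(
        {"caller": caller, "ctr": counter, "cmd": cmd, "args": list(args)},
        sort_keys=True,
    ).encode()
    tag = hmac.new(KEYS[caller], body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class SecureDispatcher:
    """Authenticates (HMAC), rejects replays (counter), then authorizes (role)."""

    def __init__(self):
        self.last_ctr = {caller: 0 for caller in KEYS}

    def dispatch(self, wire_msg: bytes) -> dict:
        body, _, tag = wire_msg.rpartition(b"|")
        try:
            msg = json.loads(body)
            caller, ctr, cmd, args = msg["caller"], msg["ctr"], msg["cmd"], msg["args"]
            key = KEYS[caller]
        except (ValueError, KeyError, TypeError):
            return {"error": "malformed or unknown caller"}
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):     # constant-time compare
            return {"error": "bad signature"}
        if not isinstance(ctr, int) or ctr <= self.last_ctr[caller]:
            return {"error": "replay"}
        self.last_ctr[caller] = ctr
        if cmd not in ALLOWED[caller]:
            return {"error": "not authorized"}
        return {"executed": cmd, "args": args, "caller": caller}
```

The counter is consumed before the authorization check so that a rejected message cannot be replayed later either; a tampered body fails the signature check before anything else is looked at.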

“It can be hard to restore a robot to its original [uncompromised] state,” Apa says. “With some vendors’ products we analyzed, it was impossible,” so the customer is stuck with a hacked robotic system, he says.

Robots also suffer from the same open-source framework and library vulnerabilities as other software systems. Many robots run on the Robot Operating System (ROS), which IOActive found uses cleartext communication and has weak authentication and authorization. “In the robotics community, it seems common to share software frameworks, libraries, operating systems, etc., for robot development and programming. This isn’t bad if the software is secure; unfortunately, this isn’t the case here,” the researchers wrote in their report published today.
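To make the ROS point concrete: the ROS 1 master is an XML-RPC service (default port 11311) whose methods take a `caller_id` string but no credential, so any host that can reach the port can list nodes and topics and register itself as a publisher on, say, the velocity topic. The following is an added example written for this page, not IOActive’s tooling. The fake master is a constructed stand-in with a made-up graph so the audit runs offline; `audit_master` is the part you would point at a real master URI. The real `registerPublisher` returns subscriber XML-RPC URIs rather than node names; the stand-in returns node names for readability.

```python
"""Added example: probing a ROS 1 master for unauthenticated enumeration.

Illustrative code written for this page. The FakeMaster and its graph are
constructed; audit_master uses only real Master API method names/signatures.
"""
import threading
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed stand-in for a ROS 1 master's view of the graph.
_STATE = {
    "publishers": {"/cmd_vel": ["/teleop"], "/camera/image_raw": ["/camera_node"]},
    "subscribers": {"/cmd_vel": ["/base_controller"]},
    "services": {"/set_mode": ["/base_controller"]},
}


class FakeMaster:
    """Implements the two Master API calls the audit exercises.
    Like the real master, it never checks who caller_id is."""

    def getSystemState(self, caller_id):
        pub = [[t, n] for t, n in _STATE["publishers"].items()]
        sub = [[t, n] for t, n in _STATE["subscribers"].items()]
        srv = [[s, n] for s, n in _STATE["services"].items()]
        return [1, "current system state", [pub, sub, srv]]

    def registerPublisher(self, caller_id, topic, topic_type, caller_api):
        _STATE["publishers"].setdefault(topic, []).append(caller_id)
        return [1, "Registered [%s] as publisher of [%s]" % (caller_id, topic),
                _STATE["subscribers"].get(topic, [])]


def start_fake_master():
    """Start the stand-in master on a free loopback port; return (uri, server)."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False, allow_none=True)
    server.register_instance(FakeMaster())
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return "http://%s:%d" % (host, port), server


def audit_master(master_uri: str, caller_id: str = "/audit") -> dict:
    """Enumerate the graph, then check whether an arbitrary caller can register
    a publisher on a safety-relevant topic. No credential is supplied anywhere
    because the Master API has no field for one."""
    master = ServerProxy(master_uri)
    code, _, (pubs, subs, srvs) = master.getSystemState(caller_id)
    if code != 1:
        return {"reachable": False}
    topics = sorted({t for t, _ in pubs} | {t for t, _ in subs})
    # Registering as a publisher is the step a hijacker would take to inject
    # velocity commands; the audit only records whether it would be accepted.
    reg_code, _, notified = master.registerPublisher(
        caller_id, "/cmd_vel", "geometry_msgs/Twist", "http://127.0.0.1:0")
    return {
        "reachable": True,
        "topics": topics,
        "services": sorted(s for s, _ in srvs),
        "cmd_vel_register_accepted": reg_code == 1,
        "subscribers_notified_of_injected_cmd_vel": notified,
    }


if __name__ == "__main__":
    uri, srv = start_fake_master()
    try:
        print(audit_master(uri))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real master you would replace `uri` with `http://<robot>:11311` and expect the same shape of answer; an accepted registration means the master will tell the base controller to subscribe to whatever the auditing host publishes.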

Don Bailey, founder and CEO of Lab Mouse Security, says robot vulnerabilities are another example of the flaws found in embedded, IoT devices. “They’re all embedded systems. You’re going to keep seeing the same threats, over and over,” says Bailey, an IoT security expert.

The bigger risk of today’s robotics-type devices, he says, is data leaking and privacy breaches. The Amazon Alexa and Apple Siri-style smart devices and others can be used more for espionage, he says. “As they [robots] grow into more substantial technologies, we’ll see more [physical] danger to humans,” Bailey says.

A serious concern today is the provisioning and sunsetting of robotics products, he says. “How a robot associates itself with its owner” and what happens when that owner hands it over to another owner or user, pose security and privacy risks, he says. It’s unclear how a new “owner” could be protected from the previous one still having access to the robot, for example.

IOActive’s Apa and Cerrudo aren’t releasing vulnerability details at this time, as they await responses from the vendors. So far, they’ve only heard back from four of them. “Only two said they are going to fix” the flaws, Cerrudo says. The other two indicated they understood they should “do something about it,” he says.

They weren’t able to actually test all of the robots, due to the expense of some of the devices as well as global shipping restrictions, so they mainly analyzed robot software, including mobile apps, operating systems, and firmware images. Those are core elements of robotic systems, they say, so they could get a good take on the security from them as well as from the physical robots they did have in hand.

Interestingly, the researchers say they easily found the flaws without drilling down too deeply in their security audit of the products, since their aim was to get a more high-level sense of robot security today. They aren’t finished, though, and plan to do some deeper dives, they say.

“We consider many of the vulnerabilities we found simple to exploit,” Apa says. “Anyone with a phone and app can remotely control the robot [via these bugs]. They don’t need to develop an exploit.”

Among the products with flaws were SoftBank Robotics’ NAO and Pepper robots; UBTECH Robotics’ Alpha 1S and Alpha 2 robots; ROBOTIS’s OP2 and THORMANG3 robots; Universal Robots’ UR3, UR5, and UR10 robots; Rethink Robotics’s Baxter and Sawyer robots; and Asratec Corp.’s robots using V-Sido.

In one especially creepy scenario, the researchers say robots that use face recognition to work alongside humans could be hacked and used to manipulate those co-workers. Robots often come with microphones and cameras, so an attacker could employ the robot as a spy to gather information, for example. “If an attacker can control this, they can use the built-in features to get information about the faces the robot recognizes,” Apa says.

IOActive isn’t the first to explore robot security: Researchers at the University of Washington in 2015 hacked a surgical robot to demonstrate how a bad guy could hijack and take control of a robot during surgery.

For now, business and home robotics users are basically at the mercy of their insecure robots, the researchers say. What can they do to protect themselves: “Pray,” Cerrudo quips. “If I was a robot user, I would unplug it when I’m away at night,” for example, he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/vulnerabilities---threats/hacked-robots-present-a-new-insider-threat/d/d-id/1328292?_mc=RSS_DR_EDT

Best Practices for Lowering Ransomware Risk

The first step is to avoid falling prey in the first place. That means teaching your entire organization – from IT staff to executive management – how not to be a victim.

In recent months, ransomware activity has increased sharply. More than 27,000 incidents surfaced in early 2017 when a common misconfiguration of the open source MongoDB database (instances reachable from the Internet with no authentication enabled) left hundreds of thousands of databases open to extortion. Threat actors logged on to victims’ databases, copied the data offsite, deleted it, and offered to return it for 0.2 Bitcoin, about $200 at the time.
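The misconfiguration behind that wave is visible in two keys of `mongod.conf`: `net.bindIp` (before MongoDB 3.6, a mongod with no `bindIp` listened on every interface) and `security.authorization` (off unless explicitly `enabled`). The following is an added example written for this page, not Armor’s or MongoDB’s tooling; the two configuration files are constructed samples, and the checker uses a small parser for the two-level `key: value` layout those files use so that it needs no YAML library.

```python
"""Added example: flag the exposed, unauthenticated mongod configuration beside
its hardened form. Illustrative code written for this page; configs are
constructed samples. Keys checked (net.bindIp, net.bindIpAll,
security.authorization) are the ones mongod's YAML config actually uses."""

WEAK_CONF = """\
# mongod.conf (constructed sample: listens on every interface, no auth)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# mongod.conf (constructed sample: loopback only, authentication required)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> dict:
    """Parse the section / indented `key: value` layout of mongod.conf.
    Comments and blank lines are skipped. Not a general YAML parser: no lists,
    quoting, anchors or deeper nesting."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indented:
            section = key
            conf.setdefault(section, {})
            if value:                      # top-level scalar, e.g. `processManagement: x`
                conf[section] = value
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def check_mongod(conf_text: str) -> list:
    """Return the findings a reviewer would raise; an empty list means none."""
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net", {})
    sec = conf.get("security", {})
    findings = []

    bind = net.get("bindIp")
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        findings.append("net.bindIp not set: before MongoDB 3.6 mongod then listened on every interface")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append("net.bindIp %s: mongod listens on every interface" % bind)

    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that can connect "
                        "can read, dump and drop every database")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, check_mongod(conf) or ["no findings"])
```

Run it over your own `/etc/mongod.conf` and treat either finding on an Internet-facing host as the exact condition the extortion scripts searched for: with both present, no exploit is needed, only a client.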


While this might seem like a minuscule amount, there is logic behind it. If too much is asked, the propensity to pay declines. Plus, the volume of the attack yields serious dividends. Regardless, for those afflicted, losing access to important information to operate a business is extremely disconcerting, creating desperation and making them prone to pay up.

The Mechanics
There are two primary vectors into a commercial IT environment. The first is to gain remote access to a user’s computer and move laterally across the network until administrator credentials for databases and data stores are obtained. This is typically done by sending an employee a phishing email that entices them to open an attachment or visit a compromised website that loads malicious code onto their workstation. Once that machine is compromised, the threat actors scan the environment for a workstation used to access network data. After a foothold on an administrator’s machine is established, they can remotely encrypt or wipe data and then issue ransom demands. 

The second method is more of a frontal assault on the database servers. Most companies have public-facing websites and, as a result, threat actors will find a server with a vulnerable application, then exploit it to get a foothold in the data center. If an IT staff has not properly separated public-facing websites from database servers and file shares –  a common mistake with small staffs –  a threat actor can use that access to pursue the database. While this vector requires more sophistication, ransomware actors are increasingly pivoting in this direction, implying that more skilled actors are getting into the game.

The Response
With all of these new techniques in play, what can security teams do to mitigate the threat? The good news is that your IT staff is probably already doing many of the things needed to protect your environment. Here are a few best practices to help lower the risk further:

User Vector:

  • Establish a third-party user education program on how to identify a phishing email.
  • Shut down the ability for user terminals to share resources peer-to-peer.
  • Implement a back-up strategy for personal data on external drives or virtual drives.
  • Install a reputable antivirus program that will block a majority of known ransomware attacks.

Website Vector:

  • Never host an external-facing server on the same hardware as a database or data store.
  • Ensure proper segmentation between web servers and database servers. 
  • Track vulnerability patch status of critical data servers and file shares.
  • Make sure IT staff has a data back-up strategy for databases and file shares.
  • Consider using secure third-party cloud or virtualized services for critical data storage and file shares offsite.

Advanced Planning Outside Resources:

  • Have an incident response plan in place before an incident occurs. Having a plan in place allows for the immediate documentation of all of the possible decisions and communication plans that need to be applied under the pressure of a real-life incident. 
  • Visit the NoMoreRansom.org website to seek assistance. This non-profit website is a partnership between antivirus vendors, international law enforcement, and cybersecurity threat researchers. This resource has helped thousands of victims decrypt data, complete with recommendations for what to do in the event of an attack. 
  • Pay or not pay? A final consideration that enters the mind of many is whether or not to pay the ransom. Most experts’ view is consistent with that of the Federal Bureau of Investigation: do not pay. However, this is an easy decision for third parties to make because it is someone else’s data being ransomed. 

At the end of the day, the decision will come down to the impact of the attack on your company’s business. While ransomware actors in many cases return the data as promised, they may leave backdoors to return for more money, time and time again, or may not return data at all.

These present very unattractive options, so it is best to avoid falling prey in the first place. To be successful, advance preparation and applying proven best practices will be the most effective way to avoid a ransomware scenario completely. Having an entire organization aligned on how to avoid being a victim, from the IT staff to executive management, is essential to maintain the sanctity of data.


Jeff Schilling, a retired U.S. Army colonel, is Armor’s chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client services, …

Article source: http://www.darkreading.com/attacks-breaches/best-practices-for-lowering-ransomware-risk/a/d-id/1328294?_mc=RSS_DR_EDT

New Cybersecurity Regulations Begin Today For NY Banks

New York’s new security regulations for the financial industry are viewed as a potential model for other states.

Today’s the day the much-anticipated new cybersecurity regulations for the financial industry go into effect in the state of New York.

Security experts say the new regulations by the state’s Department of Financial Services (DFS) set a minimum baseline for security best practices, and acknowledge that small- to midsized businesses with fewer resources and smaller IT staffs may find compliance more challenging.

The regulations require that banks, insurance companies, and other financial institutions establish and maintain a cybersecurity program. The new rules are widely viewed as the first of their kind and potentially a baseline model for other states.

“These new regulations will push companies to have a basic level of cybersecurity, but it doesn’t create an unfair competitive situation because it’s generally applied across the board,” says Tim Erlin, senior director, product management and IT risk and security strategist at Tripwire.

The new regulations will be phased in over the next two years. Companies with less than $5 million in revenues and $10 million in assets are exempt from many of the more costly, technical aspects of the regulations, such as pen testing and vulnerability assessments, but still must document that they have implemented a security policy and program.

The vast majority of companies are now on the hook to develop an incident response plan and a training program in the next 180 days. Companies must also notify DFS of a security breach within 72 hours and have a CISO or a similar person responsible for protecting private data. The breach-notification portion requires companies to start the clock on notification from the time they have determined that a breach would cause material harm to the business.

By one year from today, companies must also demonstrate that they have pen testing, risk assessment, and multifactor authentication practices in place. In 18 months, they must have developed audit trail capabilities, application security, data retention (five years for financial, three years for non-financial), and encryption. The DFS requirements for third parties will be phased in over two years.

David Murray, chief business development officer at Corvil, says the vast majority of the large banks and financial institutions are well on their way to having implemented many of the best practices outlined by the DFS regulations.

While smaller hedge funds, retail banks, and credit unions have expressed concerns that implementing these security technologies will be too costly, he points out that many of these companies already have security analytics technologies that provide visibility into their operations.

“What we’re saying is that you can start by getting a better read on what’s happening within your organization and you don’t necessarily have to spend more money and time deploying new technology,” Murray says. “We see this as pushing companies to be more proactive, because they are now tracking incidents and attacks versus just looking for a piece of malware.”

Tripwire’s Erlin adds that the strength of these regulations will depend on how strictly they are enforced. He points to recent cases in which New York’s DFS fined Deutsche Bank $425 million and Mega Bank $180 million for violating state anti-money-laundering laws.

“While those fines are not related to cybersecurity, it does indicate that the agency is capable of imposing those type of fines and that they actually might do it,” he says. 


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: http://www.darkreading.com/risk/new-cybersecurity-regulations-begin-today-for-ny-banks/d/d-id/1328295?_mc=RSS_DR_EDT

Malware Kits, Advertising Trojans Drive Mobile Risk

Kaspersky Lab research and INTERPOL analysis highlight growth in advertising Trojans and mobile malware kit sales on the Dark Web.

The Dark Web is a growing hotspot for transactions involving mobile malware kits, which make it easier for threat actors to target victims, according to a new mobile malware report from Kaspersky Lab.

In 2016, Kaspersky Lab detected 8,526,221 malicious installation packages, three times the amount it found in 2015, the report states. Researchers also found 128,886 mobile banking Trojans and 261,214 mobile ransomware Trojans.

Kaspersky Lab’s report included insight from specialist officers working with INTERPOL’s Global Complex for Innovation. They found the Dark Web continues to appeal to hackers doing illicit business, due to its anonymity, low prices, and client-focused strategy.

In their investigations of mobile malware platforms, INTERPOL experts found mobile malware is increasingly sold on the Dark Web in the form of software packages, individual products, sophisticated tools, or smaller-scale tools as part of a “Bot as a Service” model.

The rise in mobile malware kits is not new, explains Kaspersky Lab security expert Roman Unuchek. These kits have grown in popularity as mobile malware becomes more available, and less expensive, on the Dark Web.

“Some of this malware was available in 2014 and 2015, but this year we saw it much more,” he says. “It’s easier for regular people who want to steal money to go to the Dark Web, go to forums, and buy kits to infect users.”

Mobile malware kits can include phishing pages, remote access Trojans (RATs), or hacking software bundles that contain forensic and password-cracking tools. Both individual and packaged malware tools often come with how-to guides for hacking popular systems like Android and iOS.

The biggest trend of 2016 was a rise in malicious programs, particularly advertising Trojans capable of exploiting super-user privileges, according to Kaspersky Lab’s mobile malware report. This trend is unrelated to the increase in mobile malware kits, says Unuchek, but it’s dangerous news for both consumers and businesses. The rise of BYOD makes it tough to track activity of malicious apps.

“[Cybercriminals] can use vulnerabilities in the system to get additional rights,” explains Unuchek. “They can do anything on the device. It’s a major problem because after a user’s device becomes infected, it’s almost impossible to use it.”

Root privileges let the attackers silently display ads, install malware and advertising apps on infected devices, and buy apps on Google Play. The malware installs its modules in the system directory, which complicates removal, and some Trojans can infect the recovery image, so a restore to factory settings won’t remove them.

To gain super-user privileges, threat actors use vulnerabilities that are typically patched in newer versions of Android. They are taking advantage of the fact that most users don’t receive OS updates and remain open to older, readily available exploits. Further, cybercriminals are looking for different ways to bypass protection mechanisms created for Android.
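Two device facts follow from the last three paragraphs and can be checked offline: packages sitting under `/system` that the OEM image never shipped (they survive a factory reset, which is why the Trojans install there), and a security patch level old enough that the publicly known root exploits still apply. The following is an added example written for this page, not Kaspersky Lab’s tooling. It works from two command outputs as captured with `adb shell`: `pm list packages -f` (one `package:<apk path>=<package name>` per line) and `getprop ro.build.version.security_patch` (YYYY-MM-DD). Both outputs, the OEM baseline, the capture date and the 180-day staleness threshold are constructed assumptions for the example.

```python
"""Added example: offline triage of an Android device for root-abusing adware.
Illustrative code written for this page. Command outputs, package names,
baseline, capture date and the 180-day threshold are constructed/assumed."""
from datetime import date

# Constructed `adb shell pm list packages -f` output.
PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/priv-app/adpushhelper/adpushhelper.apk=com.adpush.helper
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/app/AdBanner/AdBanner.apk=com.adpush.banner
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
"""

# Constructed `adb shell getprop ro.build.version.security_patch` output.
PATCH_LEVEL = "2016-04-01\n"

# Assumed allow-list of what a known-good device of this build ships under
# /system. A fleet owner would generate it from a reference device.
OEM_BASELINE = {"com.android.settings", "com.android.chrome", "com.android.bluetooth"}

# Assumed date the outputs were captured (keeps the age computation stable).
CAPTURE_DATE = date(2017, 3, 1)


def parse_pm_list(text: str) -> dict:
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        pkgs[name] = path
    return pkgs


def triage(pm_output: str, patch_level: str, baseline: set,
           today: date = CAPTURE_DATE) -> dict:
    """Flag packages under /system the OEM image did not ship, and report how
    stale the security patch level is."""
    pkgs = parse_pm_list(pm_output)
    findings = []
    for name in sorted(pkgs):
        path = pkgs[name]
        if not path.startswith("/system/") or name in baseline:
            continue
        # Packages under /system/priv-app can hold privileged permissions, so
        # an unexpected one there is worse than an unexpected plain system app.
        severity = "high" if path.startswith("/system/priv-app/") else "medium"
        findings.append({"package": name, "path": path, "severity": severity})

    patch = date.fromisoformat(patch_level.strip())
    age_days = (today - patch).days
    return {
        "unexpected_system_packages": findings,
        "patch_age_days": age_days,
        # Assumed heuristic: a patch level this old predates fixes for the
        # privilege-escalation bugs the rooting Trojans rely on.
        "stale_patch_level": age_days > 180,
    }


if __name__ == "__main__":
    for key, value in triage(PM_LIST, PATCH_LEVEL, OEM_BASELINE).items():
        print(key, value)
```

A hit in the first list on a device the user never rooted is the signature the text describes; removing it means reflashing the system partition (and, if the recovery image was touched, the recovery partition), not a settings-menu reset.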

Unuchek expects the growth of advertising Trojans to continue in 2017. With the mobile space getting crowded for cybercriminals, who are beginning to look for opportunities outside it, he also expects 2017 could bring major attacks on the IoT launched from mobile devices.


Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

Article source: http://www.darkreading.com/mobile/malware-kits-advertising-trojans-drive-mobile-risk-/d/d-id/1328298?_mc=RSS_DR_EDT

MWC: IoT security message drowned out by noise of nostalgia

Naked Security is reporting this week from Mobile World Congress in Barcelona

It’s a strange Mobile World Congress (MWC) indeed when there appears to be significantly more interest in the rebirth of a 17-year-old feature phone than there is in the latest products from the likes of Sony and LG.

But that appears to be the case this year with the launch by HMD Global, which licenses the iconic Nokia brand name, of a remixed Nokia 3310. The phone has certainly been an attention grabber, perhaps because of the nostalgia it stirs among the many attendees old enough to associate the model with their lost youth.

Others are getting in on the act: yesterday Yuanqing Yang, the CEO of Lenovo, which owns another legacy brand, Motorola, said that he did not rule out re-launching a device of similarly nostalgic appeal, the Razr smartphone. Strange days indeed.

Other attention-grabbing areas at MWC include such obvious candidates as virtual reality (VR), drones and consumer robotics, though it’s easy to come away from many of these displays with the impression that interest is quite shallow and that few manufacturers are likely to see significant revenue generated as a result. Still, it makes for a nice spectacle.

One more substantial trend is the growing presence of automakers such as Jaguar Land Rover and Ford, who are demonstrating their in-car connectivity solutions. Clearly indicating the growing importance of the connected vehicle segment, many vendors, such as Cisco Jasper, now describe the connected car as easily the most important of the many Internet of Things (IoT) segments.

Meanwhile, other growth areas are not quite so obvious. A good example of this is the IoT module makers, whose rapidly increasing presence at events such as MWC is matched only by their lack of ostentation: while it’s the VR demos that get most of the crowds, the actual deals are being done on the modules.

Telit, provider of what it claims is the industry’s broadest portfolio of integrated products and services for end-to-end IoT deployments, has a particularly strong presence at the show, focusing on high potential areas such as industrial IoT rather than on the more consumer-friendly segments such as the connected home.

It’s also noticeable how many vendors are pushing the IoT security message, including names such as F5 Networks, which many would not immediately associate with this competence.

In the wake of recent high-profile attacks, vendors are clearly highlighting the vulnerability of the IoT to DDoS attacks, noting the lack of security inherent in many connected products.

Mobile security is another significant theme at the event, with vendors such as Allot stressing their expertise in this field and pushing new models like security-as-a-service. So while it may generate fewer headlines, and cannot easily compete with the new trend of phone nostalgia, security could in fact be the bigger story here at MWC.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/VkrCExEBcag/

Palo Alto Networks buys LightCyber for $105m

Palo Alto Networks has acquired smaller cyber security firm LightCyber for $105m in cash.

LightCyber has developed technology that uses machine learning to identify hacker and malware-based attacks based on identifying behavioural anomalies inside deployed networks.

Palo Alto Networks plans to integrate LightCyber’s technology into its security platform by the end of the calendar year. It has promised to support existing LightCyber deployments in the meantime. “Bringing behavioral analytics to the platform will enhance its automated threat prevention capabilities and the ability for customer organizations to prevent cyber breaches throughout the entire attack life cycle,” Palo Alto said in a statement on the acquisition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/palo_alto_buys_lightcyber/

Speaking in Tech: A chat with Web 2.0 MySpace worm dude Samy Kamkar

Podcast


Ed Saipetch and Peter Smallbone steer the podcast this week with very special guest Samy Kamkar of Samy worm fame, a world renowned privacy and security researcher, computer hacker, whistleblower and entrepreneur.

The details…

  • 2:15 Samy’s Myspace worm
  • 8:27 Curiosity
  • 9:49 Skyjack – Hijacking drones
  • 16:13 PoisonTap – Sniffing all the traffic
  • 19:15 How to hack
  • 22:28 Google’s SHAttered attack on SHA-1
  • 27:49 AI disrupting Intel
  • 35:39 Waymo suing Uber and Otto
  • 39:00 Hacking Autonomous Driving
  • 43:47 Are open systems safer?

Listen with the Reg player below, or download here.


Feed URL for other podcast tools – Juice, Zune, et cetera: http://nekkidtech.libsyn.com/rss

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/speaking_in_tech_episode_250/

Vice News YouTube commenter set for retrial over ‘menacing’ posts

A man under police surveillance who was cleared of criminal offences after leaving unpleasant comments on YouTube will be tried again after the Director of Public Prosecutions got his acquittal overturned.

Kingsley Anthony Smith, a 19-year-old of Woodbridge Close, Luton, was cleared of four charges of breaking Section 127 of the Communications Act 2003 after using his Google+ account to leave comments under news videos.

The Metropolitan Police’s Anti-Terrorist Command was monitoring Smith because they said he was attending “extremist Islamic fundraising events”. Police searched for him online and found a video where he described his “return to Islam”, which led them to Smith’s Google+ account.

The four comments that got Smith hauled into Luton Magistrates’ Court in September last year included “If I see Paul Golding, I’d slice his throat” under a Vice News video titled “London’s Holy Turf War” and featuring the leader of far right anti-Islam group Britain First.

Another video from Vice News titled “The Islamic State” attracted the comment “Allahu Akhbar, kill the Kuffir” from Smith. Under another video, not by Vice, titled “David Cameron Exposed on Islam” and featuring the former prime minister pleading for religious tolerance, Smith wrote: “I’m going to put an IED [improvised explosive device] on your doorstep.” Underneath a fourth video titled “British Military Power” Smith said: “One day I will kill the kuffir, Allahu Akhbar.”

District Judge Leigh-Smith cleared Smith of the four charges of “sending by means of a public electronic communications network a message or other matter that was grossly offensive or of a menacing character.” He referred to the Twitter Joke Trial of 2012, where someone joked on the social network about blowing up an airport and was prosecuted.

Judge Leigh-Smith found that the messages did not create menace, “fear or apprehension in those to whom they were communicated,” adding: “I noted the extreme lack of expedition with which the police actioned their discovery of these threats. There was no evidence of any action being taken regarding them, other than in this prosecution. There was no evidence that anyone complained, that anyone was angered or upset, or indeed encouraged to act.”

The Director of Public Prosecutions (DPP) then stepped in, appealing against Smith’s acquittal on three grounds: that his comments genuinely were menacing; that they were grossly offensive; and that Judge Leigh-Smith got the law wrong by using the police’s lazy response as proof the messages were not genuinely menacing or offensive.

Mr Justice Sweeney, sitting in the Administrative Court, agreed with all of the DPP’s points in a judgement published last week. Along with Lord Justice Irwin he ordered Smith’s case to be sent back to Luton Magistrates for retrial before another judge. Mr Justice Sweeney said: “The messages were clearly not a joke… It was perfectly reasonable for the police to prioritise other cases, and there was evidence that taking down things that were posted online was very difficult.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/kingsley_smith_vice_news_youtube_commenter_kill_kuffar_posts/

Infosec white-coats: Robots are riddled with software security bugs

Common security flaws in mainstream robotic technologies leave them wide open to attack, infosec researchers have warned.

IOActive made the admonition after evaluating the security of multiple home, business, and industrial robots. The array of vulnerabilities identified in the systems evaluated included many graded as high or critical risk, leaving the robots susceptible to cyberattack.

Hackers might be able to abuse the flaws to maliciously spy on owners via the robot’s microphone and camera, leak personal or business data, and in extreme cases, even cause “physical harm or damage to people and property in the vicinity of a hacked robot”, according to IOActive.

IOActive’s white coats Cesar Cerrudo and Lucas Apa tested mobile applications, robot operating systems, firmware images, and other software over the last six months in order to identify the flaws in several robots from vendors, including SoftBank Robotics, UBTECH Robotics, ROBOTIS, Universal Robots, Rethink Robotics, and Asratec Corp.

Cerrudo explained why the two researchers had taken up the ongoing study: “Robots will soon be everywhere – from toys to personal assistants to manufacturing workers – the list is endless,” he said. “Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organisations they’re intended to serve.”

IOActive has discovered 50 cybersecurity flaws (many of them common problems) across six of the biggest robotics brands and manufacturers, including:

  • SoftBank Robotics: NAO and Pepper robots
  • UBTECH Robotics: Alpha 1S and Alpha 2 robots
  • ROBOTIS: ROBOTIS OP2 and THORMANG3 robots
  • Universal Robots: UR3, UR5, UR10 robots
  • Rethink Robotics: Baxter and Sawyer robots
  • Asratec Corp: Several robots using the affected technology

The problems identified in the home, business, and industrial robots ranged from insecure communications and authentication issues, to weak cryptography, memory corruption, and privacy problems.

A research paper published on Wednesday, Hacking Robots Before Skynet, outlines security precautions that should be taken by robotic vendors to improve the security of robots, including implementing the Secure Software Development Life Cycle methodology, encryption, security audits, and more.

All vendors included in the paper were alerted to the various specific vulnerabilities identified within their products many weeks ago in the course of responsible disclosure.

Specific technical details of the vulnerabilities identified will be released at the conclusion of the disclosure process when vendors have had adequate time to address the findings, according to IOActive. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/01/robots_security_vulns/

Palo Alto Networks Acquires LightCyber

Company will integrate LightCyber technology into its Next-Generation Security Platform.

Network security company Palo Alto Networks (PAN) has acquired behavioral analytics firm LightCyber for $105 million in what it says will help expand its automated threat prevention capabilities. PAN will continue to offer LightCyber products and provide support to existing customers while, at the same time, integrating the company’s technology into its Next-Generation Security Platform.

Gonen Fink of LightCyber says: “We are pleased to join the Palo Alto Networks team, combining our technology innovations and accelerating adoption of behavioral analytics to help organizations bolster their defenses against the advanced and sophisticated adversaries they are facing today.”

Palo Alto Networks expects to increase its ability to detect anomalous behavior with the addition of LightCyber’s technology.

“The LightCyber team’s vision to bring automation and machine learning to bear in addressing the very difficult task of identifying otherwise undetected and often very sophisticated attacks inside the network is well-aligned with our platform approach,” says Mark McLaughlin of Palo Alto Networks.

For details, see the acquisition announcement.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/perimeter/palo-alto-networks-acquires-lightcyber/d/d-id/1328289?_mc=RSS_DR_EDT