STE WILLIAMS

New Barracuda NG Firewall F600 Models Launched

Campbell, Calif. – October 15, 2013 – Barracuda Networks, Inc., a leading provider of security and storage solutions, today announced the availability of five new models of the Barracuda NG Firewall F600, all with increased performance. The F600 models feature new, multiple port options and hot-swappable power supplies to accommodate varying network requirements.

With configuration options of 1 GbE copper, 1 GbE fiber-optic and 10 GbE fiber-optic interfaces, the new product range is ideal for internal LAN segmentation – and fast access to internal resources such as applications, print servers and databases. The models also allow rule-based traffic intelligence with WAN optimization, WAN compression and link management to ensure the best use of bandwidth across all locations. Integrated, rack-friendly, redundant power supplies can be included for organizations requiring high fail-safe performance and high availability. IT administrators benefit from easy, centralized management and affordable pricing without limitations on the number of users.

“The new Barracuda NG Firewall F600 models offer powerful next-generation firewall capabilities, with variable port options – up to 2 ports 10 GbE fiber – and fail safe security thanks to redundant power supplies,” said Klaus Gheri, VP Network Security, Barracuda. “This combination makes the new F600 models a great solution for networks requiring high performance and high availability at a very reasonable price.”

Key highlights of the Barracuda NG Firewall F600 models include:

  • Firewall throughput: up to 5.7 Gbps
  • VPN throughput: up to 1.6 Gbps
  • IPS throughput: up to 2.6 Gbps
  • Up to 400,000 simultaneous sessions
  • Up to 35,000 new sessions per second
  • Internal dual hot-swappable power supplies (optional)
  • Multiple port options:
      – Standard 8 ports 1 GbE copper
      – +4 ports 1 GbE copper, or
      – +4 ports 1 GbE fiber, or
      – +2 ports 10 GbE fiber

Pricing and Availability

The new F600 models of the Barracuda NG Firewall are available immediately. The US list price for the Barracuda NG Firewall F600 models starts at $8,999 USD for the appliance, plus a US list price of $1,599 USD for Energize Updates. An optional Instant Replacement subscription, featuring priority replacement of failed hardware and a complimentary refresh of four-year-old hardware units, is available starting at a US list price of $1,599 USD per year. International pricing and availability vary by region.

Resources

Images: Barracuda NG Firewall 5.4 images can be downloaded at – http://bit.ly/ngfwf600

Latest Blog Post: New Features in Barracuda NG Firewalls – https://www.barracuda.com/blogs/pmblog?bid=2140

Product Blog: The Barracuda NG Firewall blog provides ongoing updates, commentary and analysis related to Barracuda’s NG Firewall product suite – http://bit.ly/ngfirewall54

About Barracuda NG Firewall

The Barracuda NG Firewall is an enterprise-grade network firewall that combines comprehensive next-generation firewall capabilities – based on application visibility and user-identity awareness – with optimal efficiency and throughput. The Barracuda NG Firewall meets the enterprise requirements of massive scalability, easy and efficient management across dispersed networks, low resource consumption, and high performance for business-critical applications. Coordinated WAN optimization, centralized management and cloud-hosted content filtering and reporting are just a few of the key features. The Barracuda NG Firewall is also available as a virtual appliance. To learn more, visit: www.barracuda.com/ngfirewall.

About Barracuda Networks, Inc.

Protecting users, applications, and data for more than 150,000 organizations worldwide, Barracuda Networks provides powerful, easy-to-use, affordable IT solutions. The company’s customer-centric business model focuses on delivering high-value, subscription-based IT solutions for security and storage. For additional information, please visit http://www.barracuda.com or on Twitter: @barracuda.

Article source: http://www.darkreading.com/perimeter/new-barracuda-ng-firewall-f600-models-la/240162624

How to remove your face from Google’s upcoming Shared Endorsement ads

Eric Schmidt. Image by Guillaume Paumier, CC-BY.

Some Google users who don’t want their faces used to pimp bagel shops (or spas, or Nexus 7, or whatever ads Google can squeeze money out of) are replacing their photos with one of Executive Chairman Eric Schmidt.

The backlash – the scope of which could be tiny, for all I know, given that news of it apparently comes solely from a retweet by Daring Fireball’s John Gruber – is apparently a reaction to Google’s announcement that it will take users’ profile pictures, names, photos and product reviews harvested from Google+ and plug them into advertisements.

Google is calling the planned advertisements Shared Endorsements.

Google announced new Terms of Service that will go live on 11 November which explain that it will use content in this way.

On top of our images, Google will also display reviews of restaurants, shops and products, as well as songs and other content reviewed or bought on the Google Play store, when our friends and connections search on Google.

Google adverts

Of course, the move is a no-brainer for Google.

The company’s revenues come almost entirely from advertising – reportedly 96% in 2012, and 97% in 2011.

Google doesn’t make any bones about it. The company said in an annual report from 2012, “We generate revenue primarily by delivering relevant, cost-effective online advertising.”

The move is identical to Facebook’s Sponsored Stories boondoggle, with one exception: it’s looking not to be a boondoggle. Google is doing it right.

Namely, Google is offering users a way to opt out, and that will in all likelihood sidestep the legal swamp that Facebook fell into over Sponsored Stories.

For its part, Facebook paid out $20 million in a personal ads class action lawsuit settlement in August 2013, and another $10 million to settle a lawsuit in 2012.

Antagonising Google by swapping a profile photo for Schmidt’s may feel like fun, in-your-FACE-Google! hijinks, but the chances that Google will roll back the tasty revenue source are approximately, in rounded percentage points, “hahahahahaha!”

It’s likely that the only way to opt out is to opt out.

Here’s how to opt out of Google’s Shared Endorsements:

  1. Sign into your Google account. If you’re in the process of setting up an account, finish that first, then come back.
  2. Go to the Shared Endorsements setting page. If you’re not already a Google+ user, you will be asked to upgrade your account.
  3. Toward the bottom, you’ll see a checkbox that says “Based on my activity, Google may show my name and profile photo in shared endorsements that appear in ads.”
  4. Uncheck it and click Save to opt out of the new program.

Google will grab at your ankle to try to drag you back into advertising land, but one extra click saying “Yes, I do, in fact, want to unpeel my mug from your advertisements” won’t kill us, I suppose.

Image of Eric Schmidt courtesy of Guillaume Paumier, CC-BY via Wikimedia Commons

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hd0-SvwQ3W0/

D-Link router flaw lets anyone login through "Joel’s Backdoor"

Members of the embedded systems hacker collective /dev/ttys0 spend their time playing around with devices like home routers and set-top boxes.

They like to see what interesting facts these devices’ proprietary hardware and firmware might reveal.

Part of the hackers’ motivation is to get the devices to do things that the vendor may not have bothered to implement, thus improving their functionality.

And why not, if it’s your device that you bought outright with your own money?

But hacking on embedded systems can also help to improve security, or at least help others to avoid insecurity, by revealing and helping to fix potentially exploitable vulnerabilities that might otherwise lie dormant for years.

Indeed, in recent times, we’ve written repeatedly about security problems in consumer embedded devices.

We had a botnet that unlawfully mapped the internet by jumping around from router to router and taking measurements without permission.

We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do.

We’ve talked about how the Wi-Fi Protected Setup (WPS) feature, intended to improve security, typically makes your wireless access point easier to break into.

And we wrote up a widespread flaw in the way that many routers implement a popular system known as Universal Plug and Play (UPnP).

UPnP is a protocol that is supposed to make it easier to configure your system correctly, but may instead leave you open to the world.

You can probably guess where this is going: another security hole.

This one was found in the firmware of a number of D-Link routers – the author suggests at least the models DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240.

I’ll skip the details – you should read the original author’s analysis, since he did the hard yards to identify the flaw – and cut to the almost unbelievable conclusion.

If you browse to any page on the administration interface with your browser’s User Agent (UA) string set to a peculiar, hard-wired value, the router doesn’t bother to ask for a password.

→ Browsers send a User Agent string in the headers of every HTTP request. This is a handy, if clumsy, way to help web servers cater to the programmatic peccadillos of each browser.

Let’s be perfectly clear what this means: these routers have a hardwired master key that lets anyone in through an unsupervised back door.

“What is this string,” I hear you ask?

You will laugh: it is xmlset_roodkcableoj28840ybtide.

Geddit?

Ignore the xmlset, which probably just means “Configure Extensible Markup Language (XML) setting.”

Flip round the part after the underscore, in reversible-rock-music style, to get the hidden message:

Edit by 04882 Joel: Backdoor.

Can you believe it?

If you tell your browser to identify itself as Joel’s backdoor, instead of (say) as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you’re in without authentication.

Fortunately, the administration interface isn’t accessible from the internet-facing port of these routers by default, which limits the exploitability of this vulnerability.

(If you have one of these models, check right now that you can’t access the management interface directly from the outside!)

This is a shabby feature to put in any product, let alone in a router that aims to provide at least some additional security.

It begs the question, “Why have Joel’s code there at all?”

A good guess is that the backdoor probably wasn’t put there to enable illicit surveillance, or for any other nefarious purpose, but as a favour to special-purpose D-Link software, so it could make configuration tweaks without needing a password.

Or it was put in to save time in development and debugging, but never taken out again.

Sadly for the world, though, 04882 Joel made it easy for anyone at all to make configuration tweaks without needing a password.

For the second time this year, we’d therefore like to say, “Hardwired passwords were a design blunder back in the 1970s. In the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code.”
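The article’s recommendation is to check that the management interface is not reachable from outside. A complementary defender’s check is to look for the backdoor User-Agent in the router’s (or a front-end proxy’s) HTTP access logs. The script below is an added example written for this page; it is not part of the original article or of the /dev/ttys0 analysis. It assumes Combined Log Format with the User-Agent as the last quoted field, assumes the router’s LAN subnet is 192.168.0.0/24, and uses constructed log lines; it also reverses the part of the string after the underscore to show the hidden message the article describes.

```python
"""Flag HTTP requests that carry the hard-wired D-Link backdoor User-Agent.

Added example for this page, not code from the article or from /dev/ttys0.
Assumptions: Combined Log Format with the User-Agent as the final quoted
field, and a router LAN of 192.168.0.0/24. Sample log lines are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Hard-wired User-Agent value quoted in the article.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# LAN subnet served by the router (assumption for this example).
LAN = ipaddress.ip_network("192.168.0.0/24")

# Combined Log Format: client ident user [time] "request" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Constructed sample lines (not real router output): a normal browser request that
# is correctly challenged (401), a backdoor request from the LAN, a backdoor request
# from outside the LAN (the case the article tells you to rule out), and junk.
SAMPLE_LOG = [
    '192.168.0.10 - - [14/Oct/2013:10:01:02 +0000] "GET /index.htm HTTP/1.1" 401 0 '
    '"-" "Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5"',
    '192.168.0.10 - - [14/Oct/2013:10:01:09 +0000] "GET /index.htm HTTP/1.1" 200 4120 '
    '"-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [14/Oct/2013:10:05:41 +0000] "GET /admin.htm HTTP/1.1" 200 2210 '
    '"-" "xmlset_roodkcableoj28840ybtide"',
    "garbage line that does not parse",
]


def decode_hidden_message(ua: str) -> str:
    """Reverse the part after the underscore, as the article does, to expose the message."""
    _, _, tail = ua.partition("_")
    return tail[::-1]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backdoor_requests(lines: Iterable[str],
                           lan: ipaddress.IPv4Network = LAN) -> List[Dict[str, object]]:
    """Return every parsed request whose User-Agent contains the backdoor token.

    A substring match also catches clients that append the token to an ordinary UA.
    Each hit records whether the client address lies inside the LAN, so a hit from
    outside the LAN doubles as evidence that the admin interface is exposed.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or BACKDOOR_UA not in rec["ua"]:
            continue
        try:
            from_lan = ipaddress.ip_address(rec["client"]) in lan
        except ValueError:  # not an IP literal (e.g. a hostname); treat as untrusted
            from_lan = False
        hits.append({
            "client": rec["client"],
            "time": rec["time"],
            "request": rec["request"],
            "status": rec["status"],
            "from_lan": from_lan,
        })
    return hits


if __name__ == "__main__":
    print("Hidden message:", decode_hidden_message(BACKDOOR_UA))
    for h in find_backdoor_requests(SAMPLE_LOG):
        where = "LAN" if h["from_lan"] else "OUTSIDE LAN"
        print(f'{h["time"]} {h["client"]} ({where}) {h["request"]} -> {h["status"]}')
```

Any hit is worth investigating, since no legitimate browser sends that User-Agent; a hit whose `from_lan` flag is false means the administration interface was reachable from beyond the LAN, which is exactly the exposure the article warns about. Run against real logs only after adjusting `LAN` and the log format to match the device.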

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dEfbW9SjZEw/

US cities increasingly ignoring privacy, gobbling up data on residents

Attention. Image courtesy of Shutterstock.

Federal money earmarked to thwart terrorist attacks in the US is instead getting funneled into increasingly pervasive surveillance of citizens, the New York Times reports.

Police departments are rolling out technologies including gunshot-detection sensors, license plate readers, data-mining of social media posts for criminal activity, tracking of toll payments when drivers use electronic passes, and even at least one police purchase of a drone in Texas.

The paper outlined one such expansive initiative being undertaken in the California city of Oakland, where a federal grant of $7 million, originally meant largely to protect its busy seaport, is instead being devoted to a police initiative that will collect and analyze “reams” of surveillance data, from gunshot detection sensors in its barrios to the license plate readers mounted on the city’s patrol cars.

Alameda County, where Oakland is located, also tried to copy Texas by using homeland security funds to buy a drone, but the plan was shelved after public protest.

Oakland is, in fact, setting up what the American Civil Liberties Union of Northern California called a program of “warrantless surveillance” that would enable the city to “collect and stockpile comprehensive information about Oakland residents who have engaged in no wrongdoing whatsoever.”

Oakland’s City Council on 30 July rejected concerns of privacy advocates and citizens (who pointed out that the initiative was being pushed through without privacy or data-retention guidelines) and voted in favor of an $11 million surveillance center, the so-called Domain Awareness Center (DAC), that will consolidate a vast network of surveillance data from over 1,000 cameras and sensors pointed at Oakland residents.

And when it comes to surveillance, Oakland is only one of many US cities that are following in the National Security Agency’s (NSA’s) footsteps.

Some examples from the NYT:

  • The New York Police Department, aided by federal financing, has a big data system that links 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists.
  • Police in Massachusetts have used federal money to buy automated license plate scanners.

Oakland’s DAC kicks all that surveillance up quite a few notches.

It will work around the clock to gather data from sensors and databases in a central location, analyze the data and display information on a bank of giant monitors. In the summer of 2014, it will be integrated with a database that allows police to tap into calls to emergency services, as well.

In the future, school surveillance cameras, as well as video from the regional commuter rail system and state highways, may also be added.

Citizens aren’t necessarily taking this lying down.

Iowa City, in the state of Iowa, is one example: in June, politicians very reluctantly passed a ban on drones, traffic cameras and license plate readers after 4,000 citizens signed a petition compelling them to do so.

The Seattle City Council, for its part, forced its police department to return a federally financed drone to the manufacturer, the NYT reports.

In fact, the city council – which is supposed to oversee the city’s police department – was startled to find that Seattle was on a list of agencies that would get streamlined approval for police use of drones, the Electronic Frontier Foundation (EFF) reported.

Will these ever-broadening uses of surveillance enhance safety? That’s what law enforcement would have us believe.

Whether that expectation reflects reality is another matter entirely.

A case in point: studies such as this one point to red light cameras leading to more accidents, perhaps because drivers stop abruptly for fear of being tagged when going through a yellow light, and thereby cause rear-end collisions.

Do you think the privacy tradeoff is worth the questionable benefit of enhanced safety? Let us know your thoughts in the comments section below.

Image of surveillance courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nvHnlcAED_E/

D-Link: Oops! We’ll slam shut that router backdoor by end of month


D-Link has promised to close its routers’ backdoors by Hallowe’en, following revelations that many of its consumer-grade devices grant unauthenticated access to their admin web page.

As reported here yesterday, a researcher at /DEV/TTYS0 blog unpacked the firmware of a number of D-Link devices, finding that if a browser presented the correct user agent string to the internal administrative Web server, it would receive unauthenticated and unfettered access to the device’s administration panel. From there, it would be a cinch to snoop on users’ communications.

According to D-Link, the company is working on the fix now, and in a statement sent to The Register, the company said the firmware will be provided here.

The company also offered this advice:

“As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.”

In the meantime, users should ensure there’s a strong Wi-Fi password on their kit, and should disable remote administrative access. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/14/dlink_plans_firmware_update_to_disable_dbackdoor/

Snowden’s email provider Lavabit flows again to let users retrieve data


Lavabit, the secure email service which shut down after pressure from the US government to access customer emails, is back up for a brief window during which users can change passwords and recover lost data.

Company founder Ladar Levison posted a brief message saying that, first, a 72-hour period starting at 7.00 PM US Central time (GMT – 5 hours) on Monday would allow users to change their passwords.

He said the decision was taken after “recent events in the news” led some Lavabit account holders to believe their emails may have been compromised.

Levison continued:

If users are indeed concerned that their account information has been compromised, this will allow them to change their account password on a website with a newly secured SSL key. Following the 72 hour period, Thursday, October 17th, the website will then allow users to access email archives and their personal account data so that it may be preserved by the user.

Levison closed down Lavabit back in August after refusing to hand over the encryption keys which would have theoretically given the FBI access to all of his customers’ accounts.

In reality, it was one particular Lavabit user – PRISM whistleblower Edward Snowden – whose account they really wanted to access.

However, despite Levison offering to log and decrypt just Snowden’s communications, the order stood.

Levison was fined $10,000 for his non-compliance and is currently planning to challenge the government’s much criticised surveillance orders in the US Fourth Circuit Court of Appeals, where a successful outcome could allow him to resurrect the firm.

That appears pretty unlikely though, as does the prospect of the window for Lavabit users to retrieve lost emails lasting any longer than a day or two. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/lavabit_levison_account_access_password_change/

D-Link plans firmware update to disable backdoor


D-Link has promised to close its routers’ back doors by the end of the month, in response to revelations that many of its consumer-grade devices included a string that provided unauthenticated access to their admin web page.

As reported here yesterday, a researcher at /DEV/TTYS0 unpacked the firmware of a number of D-Link devices, finding that if a browser presented the correct user agent string to the internal administrative Web server, it would receive unauthenticated and unfettered access to the device’s administration panel. From there, it would be a cinch to snoop on users’ communications.

According to D-Link, the company is working on the fix now, and in a statement sent to The Register, the company said the firmware will be provided here.

The company also offered this advice:

“As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.”

In the meantime, users should ensure there’s a strong WiFi password on their kit, and should disable remote administrative access. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/14/dlink_plans_firmware_update_to_disable_dbackdoor/

Snowden comes out swinging: It’s the NSA HURTING our economy


The National Security Agency is hurting the US economy with its “dragnet” surveillance, says uber-leaker Edward Snowden.

Snowden made his remarks at an event in Russia last week, footage of which surfaced on Monday. He also alleged, via The Washington Post, that the NSA has been slurping the contents of some 250 million electronic address books a year.

“These [surveillance] programs don’t make us more safe. They hurt our economy. They hurt our country. They limit our ability to speak and think and to live and be creative, to have relationships, to associate freely,” said Snowden, who has been accused of aiding terrorists and America’s enemies. The footage of his speech appeared on Democracy Now.

One such program is a scheme that sees the secretive agency collect the contact books associated with widely used email services, such as Hotmail and Gmail, and instant-messaging clients such as Yahoo! Messenger, according to The Washington Post on Monday.

The agency grabs this data as it passes over major internet transit points, so it does not need to slurp it from internal Google or Yahoo! servers and therefore doesn’t need to make an official request for the information.

Major web providers are thought to have added SSL encryption to their services in response to programs like this, but there is evidence the NSA has been trying to smash internet encryption by performing man-in-the-middle attacks using compromised cryptographic certificates.

Though the NSA insists that American citizens are not specifically targeted, it does proactively collect network traffic from numerous international arteries, such as submarine cables connecting up continents. If traffic passes through these inspection points, then the agency slurps the data indiscriminately.

“The assumption is you’re not a U.S. person,” one spy source told The Washington Post. As Reg readers know, this is a rather strange way to view intercepted communications.

Snowden said: “There’s a far cry between legal programs, legitimate spying, legitimate law enforcement, where it’s targeted, it’s based on reasonable suspicion and individualized suspicion and warranted action, and sort of dragnet mass surveillance that puts entire populations under sort of an eye that sees everything, even when it’s not needed.”

We imagine the NSA would bridle at this description, given the shadowy organization’s recent claim that it isn’t spying on digital interactions, rather it is “seeking to understand online communication tools technologies”.

Just as Uncle Sam’s spooks are trying to understand what we do online, Snowden says in his speech that he felt compelled to leak the information on the programs so citizens can do the same.

“If we can’t understand the policies and programs of our government, we cannot grant our consent in regulating them,” he said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/snowden_nsa_snooping_hurts_our_economy/

Yahoo! To! Switch! On! Webmail! Crypto! By! Default! Next! Year!


Following in the footsteps of Facebook, Google, and Microsoft, Yahoo! has said that it will make SSL encryption the default for all users of its Yahoo! Mail service beginning in January.

The Purple Palace confirmed the plan in an emailed statement to the Washington Post on Monday.

Yahoo! has only offered SSL encryption for its email service since January of this year, well behind competing webmail services, and the feature is currently only enabled for users who opt in.

By comparison, Google’s Gmail service has made SSL the default since January 2010, and the online ad giant has been gradually switching on the protocol for search and other services ever since.

Microsoft followed suit in 2012 by adding encryption to its own webmail service during the migration of its users from Hotmail to Outlook.com, and Facebook switched on SSL by default for all of its worldwide users in August of this year.

Yahoo! has been criticized for dragging its feet to do the same, even as security researchers have raised concerns that SSL web encryption may actually have been compromised by domestic spying programs, based on documents revealed by NSA leaker Edward Snowden.

In July, Snowden made the eyebrow-raising claim that Microsoft had collaborated with the NSA and the FBI to build a government backdoor into its encrypted Outlook.com service, a charge Redmond has since denied in a letter to the US Attorney General.

More crucially, however, researchers now believe that spy agencies including the NSA and the GCHQ have been actively working to compromise many of the encryption methods used on the web for years, and that deciphering SSL-encrypted communications may present little difficulty for them.

If that is in fact the case, then Yahoo!’s decision to switch on SSL years after most of its competitors is not just very late, but very little.

Still, any move toward increased security at the Purple Palace is welcome. In a statement to the Washington Post, the company said it “takes the security of [its] users very seriously.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/15/yahoo_mail_encryption_by_default_in_2014/

The Long Shadow Of Saudi Aramco

Second installment in a series on cyberthreats to the oil and gas industry

There’s a mindset shift slowly permeating the oil and gas industry that it’s no longer immune to hackers.

“Before, we had insecure systems and it didn’t really matter because we didn’t think of ourselves as a target. No one really knew about it,” says an engineer for a U.S. oil and gas company who spoke on the condition of anonymity. “Now that we are a hot spot, it necessitates a closer look.”

Big changes in the threat landscape for the energy industry — think Stuxnet and Saudi Aramco – have changed the game, especially for the oil and gas industry, which increasingly is finding itself a target by nation-state threats as well as plain-old malware attacks.

The data-destruction attack last year on Saudi Aramco’s internal corporate network that left the oil and natural gas giant to replace hard drives on some 30,000 or so Windows machines continues to haunt the industry that witnessed a major player getting hit in a big way.

“If it can happen to Saudi Aramco, it can happen to everyone,” says Nate Kube, CTO of Wurldtech.

[Cyberattacks on oil and gas companies could have real-world economic consequences, even at the pump. See Destructive Attacks On Oil And Gas Industry A Wake-Up Call.]

The Stuxnet and Saudi Aramco incidents, the attack on Qatar’s RasGas, as well as other lower-profile attacks, have forced some of these firms to face how to balance their signature productivity and availability priorities with security. Taking an oil production plant system offline to better lock it down means lost productivity and possibly lost revenue, so security typically gets back-burnered. But oil and gas companies are getting some pushback from their techies who are getting security religion. “You have to identify the risk and explain this to people who don’t always see the threat; they see it as very remote, and in a lot of cases, it is very remote,” the U.S. oil company engineer says.

“A lot of times, I wait for a [planned] shutdown … when the [system] is out of service, I can put passwords or [other types of security] protection” on it, he says.

He says so far he’s seen mostly non-targeted worms or ransomware malware spreading to plants in the oil and gas industry and resulting in temporary shutdowns for cleanup. “They are mostly ancillary, accidental attacks,” he says.

Although the enterprise IT network of an oil and gas company is technically separate from the plants and oil rig production systems, for example, there is always the risk of an infected laptop getting plugged into the plant, or a malware-ridden USB stick polluting the control systems.

Meanwhile, there’s a gap between the control systems group and IT security that’s like the corporate rift between IT security and IT proper — on steroids. Control systems engineers in the oil and gas industry aren’t trained in IT security. “A lot of the control systems guys I know wholeheartedly understand the threat of cyber warfare. It scares them because of the potential impact … But their training and everyday job is not cyberwarfare,” says Jim Butterworth, CSO at HBGary.

The control systems engineering process includes very little on cybersecurity, he says. “Even if you look at the controls systems engineering process, 15 percent of the course material is security. All the rest is how to control a valve, fix an HMI [human machine interface]. It’s just [a] part of their job,” Butterworth says. “They’re just not looking at malware every day.”

The reverse, of course, is that oil and gas industry IT security teams are not conversant in programmable logic controllers (PLCs) and HMIs. “Largely, the problem is there is a different language,” he says. That leaves a dangerous air gap in security strategy and controls.

Physical safety, like production system availability, traditionally trumps cyber security as well. Andrew Ginter, vice president of technology at Waterfall Security, says his recent visit to an oil firm site illustrates just where these firms’ priorities lie. Ginter says he had to scan in and out with his badge, which was also manually inspected by security. “There were three layers of security. They weren’t worried whether we were going to damage or steal [information]. They need to be airtight on who is where in the facility if there’s an innocent” physical emergency, Ginter says.

“Security looks the same as a government building or military installation, but it’s focused on safety,” he says.

Partner Problems
The Saudi Aramco attack also raised another concern for the industry: partners as the weak link in the security chain. Oil and gas relies heavily on joint ventures and supply chain arrangements for oil fields, for instance. While these organizations struggle to catch up with their own security weaknesses, they have little control over their partner’s.

Saudi Aramco’s breach was a reality-check of the vulnerability of the global and interconnected industry. “There are significant number of joint ventures in oil and gas; most oil fields are” joint ventures, Wurldtech’s Kube says. “One of the key concerns with Saudi Aramco was will these infections make their way into other oil and gas companies through the connection of other joint ventures. That’s definitely top-of-mind.”

There were no reports of collateral damage to other oil and gas companies as a result of the Saudi Aramco attacks, but the risk of such a ripple effect in such cases is very real, experts say. “That’s definitely a possibility,” says Giovanni Vigna, co-founder of Lastline. “One thing I know for sure is there is a lot of cross-pollination across those companies in [the Middle East]. I was especially surprised how much …they talk to each other, and even exchange IT resources with each other. This of course creates a vulnerable ecosystem.”

Experts say oil and gas companies in the Middle East are even more vulnerable than their counterparts in the U.S. Most have not employed basic security measures like system patching or least privilege controls, says Marc Maiffret, CTO at BeyondTrust.

“I think what is different is about the application of security technology [in the oil and gas industry in the Middle East] is some organizations are going from not having much of a basis in security to trying to jump immediately to advanced threat protection without even having a fundamental such as system patching or least privilege in place,” Maiffret says. “And that makes things difficult … without the basics, the amount of noise you will deal with is enormous and makes it harder to find the targeted attacks.”

Maiffret says it’s not that advanced threat protection tools won’t work for oil and gas firms. It’s just that without basic security measures as well, companies could be wasting time and energy chasing fake AV attacks rather than nation-state attacks, for instance.

“If you do not have something as basic as a patching process, then you’re going to be exploited [with] two-year-old Java or Adobe bugs by any random hacker, and it will be harder to find that person leveraging zero-day or something more advanced, [who] is really targeting you versus the run-of-the-mill hacker.”

But the worst nightmare scenario would be a combination physical and cyber attack, which would wreak the most devastation, experts say. “If a coordinated physical and cyberattack took out computers and [oil] terminals at the same time … then it [would be] absolutely chaos. This really is a big danger,” says Eyal Aronoff, co-founder of the Fuel Freedom Foundation.


Article source: http://www.darkreading.com/attacks-breaches/the-long-shadow-of-saudi-aramco/240162634