Submission + - Attack on Point of Sale Vendor Highlights Supply Chain Risk (securityledger.com)

chicksdaddy writes: Warnings about the threat posed by compromised software and hardware supply chains have grown more pointed in recent months. Notably, firms like Kaspersky (http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage) and Trend Micro (http://blog.trendmicro.com/trendlabs-security-intelligence/securing-the-it-supply-chain/) have highlighted attacks on technology supply chains, while the firm TrapX reported on a malware family, Zombie Zero, that was found lurking on hand-held scanners shipped from China and used by a prominent logistics firm (http://deceive.trapx.com/rs/trapxcompany/images/AOA_Report_TrapX_AnatomyOfAttack-InternetOfThings.pdf).

RSA brings more evidence that sophisticated cyber criminal and state sponsored groups are looking for ways to compromise technology supply chains. On Wednesday, the company wrote about what it describes as an attempted “supply chain subversion” attack (https://blogs.rsa.com/attacking-a-pos-supply-chain-part-1/) against a prominent point of sale (POS) hardware vendor with links to the PoSeidon point of sale malware campaign (http://blogs.cisco.com/security/talos/poseidon).

RSA said it detected a sophisticated “spear phishing” campaign against a European POS vendor. According to RSA, e-mail messages were sent to a “small number of employees” of the Point of Sale system vendor posing as support emails from a customer (a prominent New York City restaurant). A malicious Microsoft Word document attached to the e-mail, if opened, installed a copy of the Vawtrak banking Trojan, which is adept at credential theft, according to The Security Ledger. (https://securityledger.com/2015/04/rsa-warns-of-supply-chain-attack-on-point-of-sale-vendors/)

The company said the goal of the attack was apparently to compromise the vendor itself, providing an avenue to “realize subversion of the vendor’s firmware or software built into the products.”

Submission + - FBI Accuses Researcher of Hacking Plane, Seizes Equipment (securityledger.com)

chicksdaddy writes: The Feds are listening and they really can't take a joke. That's the apparent moral of security researcher Chris Roberts' legal odyssey on Wednesday, which saw him escorted off a plane in Syracuse by two FBI agents and questioned for four hours over a humorous tweet Roberts posted about his ability to hack into the cabin control systems of the Boeing 737 he was flying (https://twitter.com/Sidragon1/status/588433855184375808). Roberts (aka @sidragon1) joked that he could "start playing with EICAS messages," a reference to the Engine Indicating and Crew Alerting System (http://en.wikipedia.org/wiki/Engine-indicating_and_crew-alerting_system).

Roberts was traveling to Syracuse to give a presentation. He said local law enforcement and FBI agents boarded the plane on the tarmac and escorted him off. He was questioned for four hours, with officers alleging they had evidence he had tampered with in-flight systems on an earlier leg of his flight from Colorado to Chicago.

In an interview with The Security Ledger (https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/), Roberts said the agents questioned him about his tweet and whether he tampered with the systems on the United flight, something he denies doing.

Roberts had been approached earlier by the Denver office of the FBI which warned him away from further research on airplanes. The FBI was also looking to approach airplane makers Boeing and Airbus and wanted him to rebuild a virtualized environment he built to test airplane vulnerabilities to verify what he was saying.

Roberts refused, and the FBI seized his encrypted laptop and storage devices and has yet to return them, he said. The agents said they wished to do a forensic analysis of his laptop. Roberts said he declined to provide that information and requested a warrant to search his equipment. As of Friday, Roberts said he has not received a warrant.

Submission + - Why 'Designed for Security' is a Dubious Designation

itwbennett writes: The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: 'Designed for security products don't just have to be good. They have to be beyond reproach,' explains John Dickson, a Principal at the Denim Group. 'All it takes is one guy with a grudge to undo you.'

Submission + - GAO warns FAA of hacking threat to airliners (securityledger.com)

chicksdaddy writes: A report from the Government Accountability Office (GAO) warns that the U.S. Federal Aviation Administration may be failing to address cyber security vulnerabilities that could allow remote attacks on avionics systems needed to keep the plane airborne, Security Ledger reports. (https://securityledger.com/2015/04/gao-warns-of-cyber-risks-in-flight/)

In a report issued Tuesday (GAO-15-370) (http://www.gao.gov/assets/670/669628.pdf), the GAO said that the FAA faces “challenges protecting aircraft avionics used to operate and guide aircraft” and that “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.” Among those: a lack of clear certification for aircraft airworthy readiness that encompasses cyber security protections. That lapse could allow planes to fly with remotely exploitable vulnerabilities that could affect aircraft controls and guidance systems.

The GAO report did not provide details of any specific vulnerability affecting any specific aircraft. Rather, GAO cited FAA personnel and experts, saying that the possibility exists that “unauthorized individuals might access and compromise aircraft avionics systems,” in part by moving between Internet-connected in-flight entertainment systems and critical avionics systems in the aircraft cabin.

“According to FAA and experts we spoke to, IP networking may allow an attacker to gain remote access to avionics systems and compromise them,” GAO said.

Security researchers have long warned that hackers could jump from in-flight entertainment systems in the passenger cabin to cockpit avionics systems if airlines did not take proper precautions, such as so-called "air gapping" the networks. At last year's Black Hat Briefings, researcher Ruben Santamarta of IOActive demonstrated a method of hacking the satellite communications equipment on passenger jets through their WiFi and inflight entertainment systems. (http://www.reuters.com/article/2014/08/04/us-cybersecurity-hackers-airplanes-idUSKBN0G40WQ20140804)

Submission + - IoT Developers Worry More About Security Than Interoperability (securityledger.com)

chicksdaddy writes: A survey of developers working on Internet of Things technologies reveals that security is the biggest concern, topping even interoperability among developers who plan to deploy an IoT product in the next 6 to 18 months. (https://securityledger.com/2015/04/survey-security-the-top-issue-for-iot-developers/)

The survey, conducted by the Eclipse Foundation's IoT Working Group, polled 356 IoT developers. Fully 44% listed “Security” as one of two top concerns for developing IoT solutions. Thirty one percent listed “Interoperability” as one of two top concerns.

The results (http://www.slideshare.net/IanSkerrett/iot-developer-survey-2015) provide an interesting glimpse into the fast-evolving Internet of Things space, from the software developer’s point of view. Home automation was the most common type of solution that developers reported they were working on, with 44% identifying that as the focus of their work. Industrial automation was a close second, with 35% of respondents reporting having worked on an industrial automation IoT project (https://ianskerrett.wordpress.com/2015/04/03/iot-developer-survey-what-are-developers-doing-with-iot-2/).

And much of the development work appears to take place at smaller firms. Fifty six percent of respondents said their employer had between 1 and 500 employees. Thirty five percent worked in a company that employed between 1 and 49 employees.

The use of open source technology was pervasive: fully 80% of the developers surveyed said their employer uses open source software for Internet of Things solutions. Linux was the dominant operating system, accounting for 78% used to power IoT devices. HTTP was the most common messaging protocol. Among IoT specific protocols, only MQTT was used by a majority of respondents (53%), Eclipse found.

Submission + - Research Finds Shoddy Security on Connected Home Gateways (securityledger.com)

chicksdaddy writes: Connected home products are the new rage. But how do you connect your Nest thermostat, your DropCam surveillance device and your Chamberlain MyQ "smart" garage door opener? An IoT hub, of course. But not so fast: a report from the firm Veracode (https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html) may make you think twice about deploying one of these IoT gateways in your home.

As The Security Ledger reports (https://securityledger.com/2015/04/research-iot-hubs-expose-connected-homes-to-hackers/), Veracode researchers found significant security vulnerabilities in each of six IoT gateways they tested, suggesting that manufacturers are giving short shrift to security considerations during design and testing.

The flaws discovered ranged from weak authentication schemes (pretty common) to improper validation of TLS and SSL certificates, to gateways that shipped with exposed debugging interfaces that would allow an attacker on the same wireless network as the device to upload and run malicious code. Many of the worst lapses seem to be evidence of insecure design and lax testing of devices before they were released to the public, Brandon Creighton, Veracode’s research architect, told The Security Ledger.

This isn't the first report to raise alarms about IoT hubs. In October, the firm Xipiter published a blog post (http://www.xipiter.com/musings) describing research into a similar hub by the firm VeraLite. Xipiter discovered that, among other things, the VeraLite device shipped with embedded SSH private keys stored in immutable areas of the firmware used on all devices.

Submission + - DHS: Drug Infusion Pumps Vulnerable to Trivial Hacks (securityledger.com)

chicksdaddy writes: The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS’s Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory (https://ics-cert.us-cert.gov/advisories/ICSA-15-090-03) issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios’s discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps.

Rios also discovered that the MedNet software uses vulnerable versions of the JBoss Enterprise Application Platform software. That software could allow unauthenticated users to execute arbitrary code on the target system. The vulnerability assigned to that issue, CVE-2014-5401k, was assigned a CVSS (Common Vulnerability Scoring System) severity rating of 10 – the highest possible rating. While no known public exploits specifically target these vulnerabilities, the alert notes that even an unskilled attacker could exploit the vulnerabilities.
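Both the Xipiter finding above (an SSH private key baked into every VeraLite unit's firmware) and the MedNet finding (a plaintext, hard-coded SQL password) are things a vendor can catch before shipping by scanning the built image for embedded secrets. The following is an added example, not code from Veracode, Xipiter, ICS-CERT or Hospira; the "firmware" bytes, key block and connection string are constructed for the demonstration, and the report deliberately carries fingerprints and lengths rather than the secrets themselves.

```python
import hashlib
import re

# Constructed sample data for this example; none of these bytes come from Hospira,
# VeraLite or any real firmware. SAMPLE_KEY stands in for a vendor key baked into
# every unit; the connection string stands in for a plaintext database password.
SAMPLE_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIEowIBAAKCAQEAc0nstructedN0tARealKeyExampleOnly\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
DEVICE_A = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"/usr/sbin/dropbear\x00"
    + SAMPLE_KEY
    + b"\x00\x00jdbc:sqlserver://db.internal.example;user=sa;password=Welcome1\x00"
    + b"the password field is configured at install time\x00"
)
# A second unit's image: different build string, identical key.
DEVICE_B = b"build-2015.03\x00" + SAMPLE_KEY + b"\x00"

PEM_KEY_RE = re.compile(rb"-----BEGIN ([A-Z ]*?PRIVATE KEY)-----.*?-----END \1-----", re.S)
CREDENTIAL_RE = re.compile(rb"(?i)\b(password|passwd|pwd)\s*[=:]\s*([^\s;&\x00\"']{4,})")


def scan_image(image):
    """Return findings for embedded private keys and inline credentials in a byte blob.

    Secret values are never returned; keys are identified by a SHA-256 fingerprint
    and credentials only by their length, so the report itself leaks nothing.
    """
    findings = []
    for m in PEM_KEY_RE.finditer(image):
        findings.append({
            "kind": "private_key",
            "offset": m.start(),
            "label": m.group(1).decode(),
            "fingerprint": hashlib.sha256(m.group(0)).hexdigest()[:16],
        })
    for m in CREDENTIAL_RE.finditer(image):
        findings.append({
            "kind": "hardcoded_credential",
            "offset": m.start(),
            "label": m.group(1).decode().lower(),
            "value_length": len(m.group(2)),
        })
    return sorted(findings, key=lambda f: f["offset"])


def shared_keys(images):
    """Map fingerprints of keys found in more than one image to the images holding them.

    A key present in every unit's firmware is a per-product secret, not a per-device one,
    which is exactly the condition the VeraLite report described.
    """
    holders = {}
    for name, image in images.items():
        for f in scan_image(image):
            if f["kind"] == "private_key":
                holders.setdefault(f["fingerprint"], set()).add(name)
    return {fp: sorted(names) for fp, names in holders.items() if len(names) > 1}


if __name__ == "__main__":
    for f in scan_image(DEVICE_A):
        print(f)
    print("shared across units:", shared_keys({"device_a": DEVICE_A, "device_b": DEVICE_B}))
```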

Submission + - Petulant Penguin Hackers use Antarctica as Base (securityledger.com)

chicksdaddy writes: Security Ledger reports on a new and sophisticated cyber crime campaign dubbed “Petulant Penguin” that is using compromised computers at Antarctic research bases to launch targeted attacks on government agencies in the U.S. and Europe. (https://securityledger.com/2015/04/petulant-penguin-attacks-use-antarctica-as-base/)

“To say we were surprised is an understatement,” said Matt Flinders, a security researcher at the firm Crowdstrike, which was among a handful to identify the attack. “We’re used to seeing attacks with ties back to countries like Russia, China – even Brazil. But Antarctica? Nobody expected that.”

Crowdstrike issued a report (http://goo.gl/26Demt) that provides information on the attacks Wednesday. Its profiles of sophisticated hacker groups include names like “Deep Panda” (a Chinese hacking crew with links to the People’s Liberation Army), “Energetic Bear,” (a group with its base in the Russian Federation) and “Flying Kitten” (with links to the Islamic Republic of Iran).

Antarctica is connected to the Internet and even has its own top-level domain, .AQ. But data access for the icy continent is spotty and heavily reliant on satellites. Internet access to the Amundsen-Scott South Pole Station is provided by access via NASA’s TDRS-F1, GOES & Iridium satellite constellation. The South Pole’s TDRS relay (named South Pole TDRSS Relay or SPTR) was upgraded recently to support a data return rate of 50 Mbit/s. That accounts for more than 90% of the South Pole’s data capability and is primarily used to relay scientific data from the many research stations.

Working through NASA and other agencies, researchers were eventually able to trace the malicious traffic back to research installations at the South Pole including the Amundsen-Scott base, Concordia Station (a joint Italian and French research base) and Japan’s Dome Fuji station. Interestingly, the attackers were apparently able to work around the continent’s spotty access to the Internet and limited bandwidth: scheduling their malicious activities for seasons and periods in which the stations enjoyed strong and reliable Internet access.

Submission + - Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers (securityledger.com)

chicksdaddy writes: Lots of studies have shown that assertiveness works (http://www.ncbi.nlm.nih.gov/pubmed/8056571) in the professional as well as personal sphere. It turns out to work pretty well in the cyber criminal sphere, also (https://securityledger.com/2015/03/wire-transfer-scam-shows-assertiveness-works-with-phishing-too/).

Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message. (http://community.websense.com/blogs/securitylabs/archive/2015/03/30/Assertiveness-is-a-valuable-quality-for-the-C_2D00_Level-and-cyber-crooks-alike.aspx)

According to Websense, these attacks are low tech. The fraudsters register “typo squatting” domains that look like the target company’s domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – “obeisance,” Websense notes. “When the CEO or CFO tells you to do something, you do it.” Specifically, the attackers sent emails to lower level employees that appeared to come from executives. The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail. (http://www.reuters.com/article/2015/02/04/usa-grain-scoular-idUSL1N0VE2NX20150204)
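The low-tech pattern Websense describes (a typo-squatted domain plus an executive's display name) is also cheap to detect at the mail gateway. The following is an added example, not code from Websense or Scoular: it normalises the sender domain against a confusable table, falls back to edit distance, and flags executive display names arriving from outside the company. The corporate domain, executive roster and sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values: a made-up corporate domain and executive roster. Nothing here
# comes from Websense, Scoular or any real organisation.
CORPORATE_DOMAIN = "acme-grain.example"
EXECUTIVE_NAMES = {"jane doe", "raj patel"}

# Substitutions typo-squatters rely on so the lookalike reads like the original.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]


def normalize(domain):
    """Collapse a domain to a canonical form so visually similar spellings compare equal."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a, b):
    """Edit distance; catches one-character insertions or swaps the confusable table misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message, corporate_domain=CORPORATE_DOMAIN, executives=EXECUTIVE_NAMES):
    """Return (verdict, reasons) for one RFC 822 message: internal, suspicious or external."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain == corporate_domain:
        return "internal", []
    reasons = []
    if normalize(from_domain) == normalize(corporate_domain):
        reasons.append("From domain is a confusable spelling of the corporate domain")
    elif levenshtein(normalize(from_domain), normalize(corporate_domain)) <= 2:
        reasons.append("From domain is within edit distance 2 of the corporate domain")
    if display_name.strip().lower() in executives:
        reasons.append("display name matches an executive but the address is external")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    return ("suspicious" if reasons else "external"), reasons


# Constructed messages: the CEO-fraud pattern, a genuine internal mail, and a normal supplier.
FRAUD_MAIL = (
    "From: Jane Doe <jane.doe@acrne-grain.example>\n"
    "To: payments@acme-grain.example\n"
    "Subject: Re: Re: Urgent - wire today\n\n"
    "Please process the transfer now and confirm back to me.\n"
)
INTERNAL_MAIL = "From: Jane Doe <jane.doe@acme-grain.example>\nSubject: Board deck\n\nAttached.\n"
SUPPLIER_MAIL = "From: Bob Lee <bob@parts-depot.example>\nSubject: Invoice 4471\n\nSee attached.\n"

if __name__ == "__main__":
    for mail in (FRAUD_MAIL, INTERNAL_MAIL, SUPPLIER_MAIL):
        print(classify_sender(mail))
```

A gateway rule would quarantine or banner anything scored "suspicious" rather than block it outright, since a genuine supplier with a coincidentally close domain would otherwise be lost.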

Submission + - Turns out nobody's sure what should count as a Cyber Incident (csmonitor.com)

chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure (http://hardware.slashdot.org/story/14/04/15/2032239/lack-of-us-cybersecurity-across-the-electric-grid), The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported. (http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlooked-in-America-s-most-critical-sectors)

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications led to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however.

His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington, that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (http://www.cpuc.ca.gov/NR/rdonlyres/85E17CDA-7CE2-4D2D-93BA-B95D25CF98B2/0/cpucfinalreportrevised62411.pdf) duly note the role that the software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event.

Weiss says he has found many other, similar omissions that continue even today. One obstacle to properly identifying such incidents is that the popular understanding of a cyber incident borrows too much from the information technology industry, which focuses on malicious actors and software based threats operating in traditional IT environments. “In the IT world, ‘cyber’ is equated with malicious attacks,” Weiss said. “You’re worried about a data breach and stolen data, or denial of service attacks.”

Weiss argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. “San Bruno wasn’t malicious, but it easily could have been,” Weiss notes. “It’s a nonmalicious event that killed 8 people and destroyed a neighborhood.”

Submission + - DHS: Advanced Threats behind most Industrial Control System Hacks Last Ye (securityledger.com)

chicksdaddy writes: A new report from the Department of Homeland Security (https://ics-cert.us-cert.gov/ICS-CERT-Publishes-Monitor-Newsletter-September-2014-%E2%80%94-February-2015) reveals that, of 245 reported incidents of cyber attacks on critical infrastructure in 2014, more than half were attributed to sophisticated “APT” type actors.

The revelation comes from DHS’s Industrial Control System Cyber Emergency Response Team (ICS-CERT), which reported on incident response and vulnerability coordination in 2014. (https://securityledger.com/2015/03/dhs-apt-behind-half-of-cyber-incidents-in-critical-infrastructure/) Among the 245 incidents reported were malware infections on “air-gapped control system networks,” strategic compromises of so-called “watering hole” web sites and the use of previously unknown or “zero day” vulnerabilities in industrial control system software. DHS found 55% involved APT or sophisticated actors. Hacktivists, malicious insiders and cyber criminals were behind other incidents. In many other cases, asset owners were unable to determine who or what was attacking them, the report said.

The report from ICS-CERT gives the best picture available of the scope of cyber attacks on critical infrastructure. Firms in the energy sector reported the biggest share of cyber attacks: 79, or 32% of the incident reports. The “critical manufacturing” sector reported the next highest number of incidents: 65, or 27% of the total recorded by ICS-CERT.

Submission + - Stolen Data is a Perishable Commodity (digitalguardian.com)

chicksdaddy writes: Ben Franklin famously observed that “guests, like fish, begin to smell after three days.” Hospitality, Franklin realized, was a perishable commodity.

According to a post on Digital Guardian's blog, it may turn out that the same is true of stolen data. The post picks up on new research on cyber criminal networks from The University of Massachusetts (https://digitalguardian.com/blog/sell-date-research-finds-stolen-data-perishable-commodity), which finds that “time” is the key element in understanding the behavior of cyber criminals operating within larger cyber criminal marketplaces. Stolen data's “sell by” date actually has a big impact on cybercriminal activity and how such networks operate.

The research is presented in a new paper: “A Multiproduct Network Economic Model of Cybercrime in Financial Services.” (http://pubsonline.informs.org/doi/abs/10.1287/serv.2015.0095) by Professor Anna Nagurney of the Isenberg School of Management at the University of Massachusetts, Amherst. Nagurney models cybercriminal networks by looking at the interplay between three factors: the supply price, the transaction cost, and demand price functions. Nagurney’s model is novel because it figures in the “average time associated with illicit product delivery at the demand markets” and the tendency of demand price to go down over time.

Of course, the notion that the value of goods decreases over time isn’t unusual. Every butcher or grocer contends with that reality daily. But Nagurney may be the first to attempt to model how the value of stolen data decreases with its “freshness” – the proximity to the theft event.

Her research puts weight behind the oft-stated (but not studied) notion that cyber criminals aren’t shadowy super villains, but rational, economic agents. They make decisions about which targets to pursue by calculating the difference between the demand price that products (such as credit and debit cards) fetch and the associated costs of stealing and transacting them.

The goal is to identify ways to make it harder to attack financial organizations, thus raising the cost of obtaining the data – or ‘increasing transaction costs’ to use the language of economics. Her model allows researchers to show, graphically, how increasing or decreasing demand for stolen goods will affect the functioning of the criminal enterprise, overall.

Submission + - Survey: Trust in Public Key Encryption Nearing Breaking Point (itworld.com)

itwbennett writes: A Ponemon survey of more than 2,000 IT professionals in the U.S., U.K., Germany, France and Australia finds increased reliance on and fading faith in Public Key encryption — a dangerous combination. Data collected in the survey found that the number of keys and certificates deployed within organizations has grown by 34% to almost 24,000 per enterprise. At the same time, 54% of organizations surveyed acknowledged that they did not know where all their keys and certificates are located, the report said.

Submission + - Anthem Blocking Federal Auditor from Doing Vulnerability Scans (digitalguardian.com)

chicksdaddy writes: File this one under "suspicious behavior." Anthem Inc., the Indiana-based health insurer has informed a federal auditor, the Office of Personnel Management, that it will not permit vulnerability scans of its network — even after acknowledging that it was the victim of a massive breach that leaked data on tens of millions of patients.

According to this article (http://www.healthcareinfosecurity.com/anthem-refuses-full-security-audit-a-7980/op-1), Anthem is citing "company policy" that prohibits third party access to its network in declining to let auditors from OPM's Office of the Inspector General (OIG) conduct scans for vulnerable systems. OPM's OIG performs a variety of audits on health insurers that provide health plans to federal employees under the Federal Employee Health Benefits Program, or FEHBP. Insurers aren't mandated to comply — though most do.

This isn't Anthem's first time saying "no thanks" to the offer of a network vulnerability scan. The company also declined to let OIG scan its network in 2013. A partial audit report issued at the time (http://www.opm.gov/our-inspector-general/reports/2013/audit-of-information-systems-general-and-application-controls-at-wellpoint-inc-1a-10-00-13-012.pdf) warned that the company, then known as WellPoint, "provided us with conflicting statements" on issues related to information security, including WellPoint's practices regarding regular configuration audits and its plans to shift to IBM's Tivoli Endpoint Manager (TEM) platform.
