writes "Researchers from the firm Trend Micro are warning that the Automated Identification System (or AIS) — a monitoring system that is used on over 400,000 ocean-going vessels — is profoundly insecure and vulnerable to both software and radio-based hacks, The Security Ledger reports. (https://securityledger.com/2014/12/research-finds-cyber-physical-attacks-against-vessel-tracking-system/)
AIS is a global system for tracking the movement of vessels. It is intended to supplement marine radar and relies on ship, land and satellite-based systems to exchange data on ships’ position, course and speed and is used for everything from collision avoidance to security, ship-to-ship communications and weather forecasting.
AIS is required to be deployed on all passenger vessels and on international-voyaging ships with gross tonnage of 300 or more. However, researchers Marco Balduzzi and Kyle Wilhoit found that AIS is rife with exploitable software- and protocol vulnerabilities. Chief among them are flaws in the AIS protocol which was developed in a “hardware epoch” and lacks even basic security features such as authentication and message integrity checks. While hacks of radio-based systems like AIS would have been expensive and difficult to conduct 10 or 15 years ago, the advent of tools like Software Defined Radio make it possible to craft sophisticated attacks with just a small investment, the researchers discovered.
In their work, Balduzzi and Wilhoit – working with an independent security researcher – were able to use software-defined radio based attacks to trigger a range of phony messages, from false SOS and “man in the water” distress beacons to fake CPA (or Closest Point of Approach) alert and collision warnings on an AIS system set up in a lab environment. A copy of their ACSAC presentation slides can be found here: http://blog.trendmicro.com/tre...
The two have written about AIS vulnerabilities before, including susceptibility of AIS to man-in-the-middle attacks (http://blog.trendmicro.com/trendlabs-security-intelligence/captain-where-is-your-ship-compromising-vessel-tracking-systems/). Their latest work expands the list of attacks and vulnerabilities found in AIS to include both software and RF-based hacks, SQL injection, buffer overflow and so on."Link to Original Source
writes "The story about the disastrous hack of Sony is the gift that keeps on giving. There's been a wealth of revelations about Sony Pictures Entertainment's internal culture: its tendency to pay male executives more than their female counterparts (http://fusion.net/story/30838/does-a-powerful-sony-pictures-partnership-have-a-gender-pay-gap/), tepid enthusiasm of employees about SPE's output (http://gawker.com/sony-hack-reveals-25-page-list-of-reasons-it-sucks-to-w-1666264634) and a kind of compulsive transparency within its IT operations (http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151). There have also been revelations about the attacks themselves, including analysis that shows both that the malware used was tailored specifically to Sony's network (http://logfile.packetninjas.net/malware-created-specifically-for-sony/) and that the attackers apparently took a page from the 2012 attack on Saudi Aramco known as "Shamoon." Specifically: both the Sony malware and “Disstrack” (the malware used in the “Shamoon” attack on Saudi Aramco) relied on the same commercial tool to access and erase the hard drive, a program called RawDisk by the company Eldos, according to a source with knowledge of the attack, the Christian Science Monitor reported today."Link to Original Source
writes "A copy of the FBI's recent five page FLASH alert reveals that the malware alleged to have wiped out systems at Sony Pictures Entertainment deployed a number of malicious modules, including a version of a commercial disk wiping tool on target systems. Samples of the malware obtained by the FBI were also found to contained configuration files created on systems configured with Korean language packs.
The use of Korean could strengthen theories that the destructive cyber attacks have links to North Korea, though it is hardly conclusive. It does appear that the attack was targeted at a specific organization. The malware analyzed by the FBI contained a hard coded list of IP addresses and computer host names.
Media reports have linked the malware to the destructive attack on Sony Pictures Entertainment, though the FBI FLASH alert does not name Sony or any other organization. A group calling itself #GOP – for Guardians of Peace – took responsibility for that attack last week.
Theories about the purpose of the attack on Sony abound. One of the more colorful explanations has the destructive cyber attack as retribution for The Interview, a new Sony film due out at Christmas starring Seth Rogen and James Franco. (http://www.independent.co.uk/arts-entertainment/films/news/did-north-korea-hackers-leak-sony-films-in-revenge-for-comedy-the-interview-9896716.html)The two play western journalists who score an interview with North Korean dictator Kim Jong Un, and are then instructed by the U.S. Central Intelligence Agency to assassinate him. The government of the Democratic Peoples Republic of Korea (DPRK) publicly criticized Sony for plans to release the film and lodged a complaint with the United Nations.(http://www.telegraph.co.uk/news/worldnews/asia/northkorea/10914088/North-Korea-slams-US-film-The-Interview-about-Kim-Jong-un.html)"Link to Original Source
writes "Reuters has the scoop this morning on a new report out from the folks at FireEye about a cyber espionage ring that targets financial services firms. (http://www.reuters.com/article/2014/12/01/cybersecurity-wall-street-idUSL2N0TK0SE20141201)
The campaign, dubbed FIN4 by FireEye, stole corporate secrets for the purpose of gaming the stock market. FireEye believes that the extensive cyber operation compromised sensitive data about dozens of publicly held companies. According to the report FireEye the victims include financial services firms and those in related sectors, including investment bankers, attorneys and investor relations firms.
Rather than attempting to break into networks overtly, the attackers targeted employees within each organization. Phishing e-mail messages led victims to bogus web sites controlled by the hackers, who harvested login credentials to e-mail and social media accounts. Those accounts were then used to expand the hackers reach within the target organization: sending phishing email messages to other employees."Link to Original Source
An anonymous reader writes "The University of Virginia School of Engineering and Applied Science Department of Systems and Information Engineering announced the success of an early-stage demonstration to improve defenses for unmanned aerial vehicles against cyber attacks. U.Va.’s System-Aware Cybersecurity concept and Secure Sentinel technology were tested in collaboration with Georgia Tech Research Institute through a series of live flight cyber-attack scenarios. Research focuses on providing additional security by employing an on-board secure monitoring subsystem to detect illogical behaviors relative to the expected profile of a system’s performance. Detections can serve to initiate automated recovery actions and to alert operators of the attack."
writes "How bad is the gridlock in Washington D.C.? So bad that the nation's retailers are calling for federal legislation on cyber security and data protection to protect consumer information — this even though they would bear the brunt of whatever legislation is passed.
The Security Ledger notes (https://securityledger.com/2014/11/retailers-demanding-federal-action-on-data-breach/) that groups representing many of the nation's retailers sent a letter to Congressional leaders last week urging them to pass federal data protection legislation that sets clear rules for businesses serving consumers. The letter, dated November 6, was addressed to the majority and minority party leaders of the U.S. Senate and the House of Representatives and signed by 44 state and national organizations representing retailers, including the National Retail Federation, the National Grocers Association, the National Restaurant Association and the National Association of Chain Drug Stores, among others.
“The recent spate of news stories about data security incidents raises concerns for all American consumers and for the businesses with which they frequently interact,” the letter reads. “A single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”
Retailers would likely bare the brunt of a new federal data protection law. The motivation for pushng for one anyway may be simplicity. Currently, there are 47 different state-based security breach notification laws, as well as laws in the District of Columbia and Guam. (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx) There is broad, bi-partisan agreement on the need for a data breach and consumer protection law. However, small differences of opinion on its scope and provisions, exacerbated by political gridlock in Congress since 2010 have combined to stay the federal government’s hand."Link to Original Source
writes "The technology revolution that is “fracking” has created billions in wealth for states like Pennsylvania, Texas, Ohio and Wyoming. But all that oil and all those dollars have attracted the attention of sophisticated spies from near and far to steal valuable trade secrets. (https://digitalguardian.com/blog/industry-spies-do-mess-texas)
Digital Guardian's blog notes this report (http://www.news4sanantonio.com/news/features/top-stories/stories/oil-field-espionage-eagle-ford-shale-16921.shtml) from News 4 San Antonio in Texas which quotes local FBI officials saying they are “very concerned” about theft of trade secrets from companies engaged in “fracking” in the Eagle Ford Shale in Texas.
“It's corporate espionage, there’s no question about it," said Christopher Combs of the San Antonio FBI. “Foreign governments or foreign companies are looking for any competitive advantage. Whether it's the widget that you use to drill, or it's a process that you use to track inventory better. They're really looking at the company as a whole to find out every little thing that you do that makes you a better company on the world market."
Combs declined to name specific firms, but said that Chinese firms are “aggressively” engaged in industrial espionage. However, the problem isn’t limited to China. Companies with ties to governments that are U.S. allies are believed to be conducting espionage against innovative US firms as well.
Hydraulic fracturing – or “fracking” is a method used to extract oil or gas deposits from porous rock like sandstone and shale. The technique was developed in the United States with financial support from the U.S. government and is now used commercially in shale deposits in the U.S., Canada and China. However, the specific technology and methods associated with fracking are closely guarded and highly valuable to drilling outfits.
Recent history suggests that oil and gas exploration is an area of intense activity for cyber spying. In July, the Department of Homeland Security warned of targeted attacks against energy firms in the U.S. and Europe linked to the "Havex" malware, a kind of remote access tool. (https://securityledger.com/2014/07/dhs-warns-energy-firms-of-malware-used-in-targeted-attacks/). That same month, the American Petroleum Institute launched an Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) designed to help protect companies in the industry from attacks and evaluate risks through information sharing.(http://ongisac.org/)"Link to Original Source
writes "Headline grabbing data breaches are such a fixture of our modern business environment (https://corporate.homedepot.com/mediacenter/pages/statement1.aspx) that they’ve spawned a knock-off market: phony data breaches designed to look like the real thing, the Security Ledger reports.(https://securityledger.com/2014/10/wanna-breach-counterfeit-data-breaches-are-a-thing/)
A research note from the firm Deloitte & Touche is warning companies about the threat of counterfeit breaches, in which malicious actors use false claims about massive data breaches to bedevil established firms – inflicting real economic and reputation damage.
Bogus breach claims are becoming more common — with gullible or hair trigger 24/7 media coverage a leading contributor to the phenomenon. In October, for example, an individual posted what were purported to be stolen Dropbox account credentials on the site Pastebin. The message claimed the leaked credentials were part of a larger trove of 7 million accounts that were compromised — a claim that was widely reported. Dropbox, however, maintained that it was not hacked and that the leaked credentials – user names and passwords – were stolen from other online services.
Deloitte researcher Allison Nixon said companies need to develop strategies to quickly assess data breach claims: from automated analysis of user names against known customer accounts to statistical analysis of user name and password entropy. And, companies should feel free to use the "sniff test": asking them how likely a real cyber criminal is to behave in the way they are observing.
The public and media should also view claims of data theft and hacks with a more skeptical eye, Nixon says."Link to Original Source
writes "PCs are being co-opted into a massive botnet called Qbot. They're getting compromised by hitting legitimate sites providing legitimate content using frameworks such as Wordpress. Online bank account information is also getting harvested. 75% of these machines are located in the USA, with just under 40% of them running Windows 7 and over half of them machines that are still running XP.
From PCWorld India :
"Link to Original Source
The MO is to target, compromise and harvest legitimate Wordpress sites using bought-in credentials, even exploiting newsletters from these sites to spread drive-by malware links. From this, users with vulnerable browsers or software (Java, Reader, Flash) of the sort that can be hit by exploit kits to infect machines using droppers in chosen geographical locations.
What the attackers are after is online banking logins, which form half the business, and PCs that can be sold on to other criminals as compromised machines inside interesting organisations. These can also then be used a proxies for third-party attacks.
They seem keen to protect this nice little business, going to some lengths to regenerate different pieces of the attack chain every time anti-virus engines have started to detect it.
Molly McHugh (3774987)
writes "We spoke with Navy Federal Credit Union, USAA, Chase, and PNC—banks who are working with Apple to incorporate Apple Pay—to find out just how secure Apple Pay will be when the "October" release date finally arrives. (USAA tells us that Apple Pay will be available for its Visa and MasterCard carrying customers starting Nov. 7.)"Link to Original Source
writes "The Security Ledger reports on a survey from consulting firm McKinsey & Co. (https://securityledger.com/2014/10/mckinsey-consumers-want-connected-cars-and-fear-them-too/#.VDa0dyldXWI) that has some sobering data for car makers: concerns about privacy and the possibility of car hacking are major concerns that could dampen enthusiasm for smart vehicles.
The report, “What’s Driving the Connected Car?” (http://www.mckinsey.com/insights/manufacturing/whats_driving_the_connected_car) finds that connectivity features will be a major driver of car sales in the coming years. The survey of 2,000 new car buyers in Brazil, China, Germany and the U.S. found that a quarter of respondents considered connectivity a more important feature than engine power or even fuel efficiency.
Connected (or "smart") car features will become ubiquitous and expected, McKinsey predicts, but won't demand a premium from buyers as they do today.
However, car makers also face a considerable hurdle in convincing the buying public to accept connected car technologies. According to McKinsey, 37 percent of respondents to their survey said they “would not even consider a connected car.”At the root of resistance to connected vehicle technology were ubiquitous fears about vehicles being hacked – which were evident in each country that McKinsey surveyed.
In Germany and Brazil, 59 percent of those surveyed strongly agreed with the statement “I am afraid that people can hack into my car and manipulate it (eg, the braking system) if the car is connected to the Internet.” 53 percent of respondents agreed with that statement in China and 43% in the U.S.
That leaves car makers in a tricky position: trying to satisfy customers who "demand connectivity, have security concerns regarding it, and are only marginally willing to pay for it." Hmm...where have we heard that before??"Link to Original Source
writes "Although it has been fading for years, the final death knell came recently for the iconic Lotus 1-2-3. In many ways, Lotus 1-2-3 launched the PC era (and ensured the Apple II success), and once was a serious competitor for Excel (and prior to that Multiplan and VisiCalc). Although I doubt if anyone is creating new Lotus 1-2-3 spreadsheets, I'm sure there are spreadsheets still being used who trace their origin to Lotus 1-2-3, and even Office 2013 still has some functions and key compatibility with Lotus 1-2-3. Oh, how far the mighty have fallen."Link to Original Source
writes "The White House has identified cyber-physical system research and development as a “national priority” that could boost U.S. productivity. But federal spending is telling a different story. A major source of research dollars is the National Science Foundation (NSF). It will fund more than $40 million in cyber-physical systems research in the 2014 fiscal year, which ended Tuesday. This amounts to about 0.5% of the approximately $7 billion the U.S. spends on basic research through this agency. It has spent, in total, $200 million in this area since 2009. Separately, the National Institute of Standards and Technology (NIST), which is deeply involved in standards and data formats, is running its cyber-physical program on $4.3 million. A NIST report found that the European Union “is already investing $343 million per year for 10 years to pursue ‘world leadership’ through advanced strategic research and technology development related to CPS" (cyber-physical systems). That includes $199 million in public funds and $144 million in private funds"Link to Original Source
writes "The Security Ledger reports (https://securityledger.com/2014/10/fda-issues-guidance-on-security-of-medical-devices) that the U.S. Food and Drug Administration (FDA) has issued final guidance on Wednesday that calls on medical device manufacturers to consider cyber security risks as part of the design and development of devices.(http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm416809.htm)
The document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” (http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf) asks device makers seeking FDA approval of medical devices to disclose any “risks identified and controls in place to mitigate those risks” in medical devices. The guidance also recommends that manufacturers submit documentation of plans for patching and updating the operating systems and medical software that devices run.
While the guidance does not have the force of a mandate, it does put medical device makers on notice that FDA approval of their device will hinge on a consideration of cyber risks alongside other kinds of issues that may affect the functioning of the device. Among other things, medical device makers are asked to avoid worst-practices like 'hardcoded' passwords and use strong (multi-factor) authentication to restrict access to devices. Device makers are also urged to restrict software and firmware updates to authenticated (signed) code and to secure inbound and outbound communications and data transfers."Link to Original Source
writes "The Security Ledger reports (https://securityledger.com/2014/09/senate-report-warns-of-attacks-on-military-transport-contractors/#.VBrO4C5dXWI) on a Senate Armed Services Committee investigation that found evidence that hackers associated with the Chinese government compromised the computer systems of U.S. Transportation Command contractors at least 20 times in a single year. The attacks pose a serious risk to the system that moves military troops and equipment.
U.S. Transportation Command – a joint military/civilian program – was targeted by hackers believed to be affiliated with the Chinese government, a Senate Intelligence Committee investigation found.
The Committee released the report on Wednesday. (http://www.armed-services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf) It found a serious gap in awareness and reporting requirements. TRANSCOM was only aware of two of the 20 intrusions, while U.S. Transportation Command remained mostly unaware of the computer compromises of contractors during and after the attacks.
The incidents include an attack that spanned two years – from 2008 to 2010 – and that captured emails, documents, passwords and computer code. A 2012 attack gained access to “multiple systems” onboard a commercial ship contracted by TRANSCOM, the Committee found.
Information sharing about cyber attacks was woeful. An audit of a subset of TRANSCOM contractors uncovered 11 cyber intrusions believed to be linked to China. The Committee said the FBI or DoD had already identified another 9 linked to TRANSCOM contractors. Of those 20, however, information on just two was relayed back to TRANSCOM."Link to Original Source