Home

Cyber Research

Cyber News

Cyber Info

Contact

 

 March, 2016

 

 

 

NEWS-UPDATE
ISSUE

75

 

 In this issue

 

 

*         Power Grid Protection: Using device “fingerprints” to Protect Power Grid, Industrial Control Systems

*         Nuclear Accidents2014 French nuclear accident more serious than official reports suggested

*         New vulnerability discovered in Open SSL, a common encryption protection package

*         Pentagon Boosts Cyber War Against IS Group

*         Latest Cyber Security News

 

about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net

 

Power Grid Protection: Using device “fingerprints” to Protect Power Grid, Industrial Control Systems

March 1, 2016

Human voices are individually recognizable because they are generated by the unique components of each person’s voice box, pharynx, esophagus and other physical structures. Researchers are using the same principle to identify devices on electrical grid control networks, using their unique electronic “voices” — fingerprints produced by the devices’ individual physical characteristics — to determine which signals are legitimate and which signals might be from attackers. A similar approach could also be used to protect networked industrial control systems in oil and gas refineries, manufacturing facilities, wastewater treatment plants and other critical industrial systems.

Human voices are individually recognizable because they are generated by the unique components of each person’s voice box, pharynx, esophagus and other physical structures.

Researchers are using the same principle to identify devices on electrical grid control networks, using their unique electronic “voices” — fingerprints produced by the devices’ individual physical characteristics — to determine which signals are legitimate and which signals might be from attackers. A similar approach could also be used to protect networked industrial control systems in oil and gas refineries, manufacturing facilities, wastewater treatment plants and other critical industrial systems.

Georgia Tech reports that the research, reported 23 February at the Network and Distributed System Security Symposium in San Diego, was supported in part by the National Science Foundation (NSF). While device fingerprinting is not a complete solution in itself, the technique could help address the unique security challenges of the electrical grid and other cyber-physical systems. The approach has been successfully tested in two electrical substations.

“We have developed fingerprinting techniques that work together to protect various operations of the power grid to prevent or minimize spoofing of packets that could be injected to produce false data or false control commands into the system,” said Raheem Beyah, an associate professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology. “This is the first technique that can passively fingerprint different devices that are part of critical infrastructure networks. We believe it can be used to significantly improve the security of the grid and other networks.”

The networked systems controlling the U.S. electrical grid and other industrial systems often lack the ability to run modern encryption and authentication systems, and the legacy systems connected to them were never designed for networked security. Because they are distributed around the country, often in remote areas, the systems are also difficult to update using the “patching” techniques common in computer networks. And on the electric grid, keeping the power on is a priority, so security can’t cause delays or shutdowns.

“The stakes are extremely high, but the systems are very different from home or office computer networks,” said Beyah. “It is critical that we secure these systems against attackers who may introduce false data or issue malicious commands.”.

More info http://www.homelandsecuritynewswire.com/dr20160301-using-device-fingerprints-to-protect-power-grid-industrial-systems

Nuclear Accidents2014 French nuclear accident more serious than official reports suggested

March 6, 2015

 

German media charges  that the French nuclear authority and the French company operating the aging Fessenheim nuclear facility in France, concealed the seriousness of the April 2014 incident at the site. The French nuclear authorities withheld information not only from the German government, but also from the IAEA, to which they were required to submit a detailed report about the incident.

 

German newspaper Süddeutsche Zeitung and public broadcaster WDR claim that both the French nuclear authority (ASN) and French energy giant EDF, which operates the two Fessenheim nuclear reactors, concealed the seriousness the 19 April 2014 incident at the site, when one of the reactors had to be shut down after water was beginning to leak from several places in the facility.

The nuclear incident at Fessenheim, located in Alsace near the border with Germany, may prove to be one of “most dramatic nuclear accidents ever in Western Europe,” researchers for SZ say. The researchers obtained a document which was sent by ASN to the then-head of the facility on 24 April 2014.

Yahoo News reports that the letter and subsequent reply show that the reactor could not be shut down in accordance with the routine procedure because the control rods were jammed. The reactor had to be shut down by adding boron to the pressure vessel, an unprecedented procedure in Western Europe, nuclear experts say.

“I don’t know of any reactor here in Western Europe that had to be shut down after an accident by adding boron,” Manfred Mertins, expert and government advisor on nuclear reactor safety, told WDR and SZ.

The media reports note that the official report on the incident, which ASN released weeks later, did not mention the adding of boron or the jammed control rods. The International Atomic Energy Agency (IAEA) requires that details of every nuclear incident be submitted to the agency, and ASN and EF submitted such a report – but it, too, failed to mention the boron and the jammed control rods.

The Fessenheim reactors, which went online in 1977 and 1978, are France’s oldest nuclear reactors. French politicians, energy experts, and neighboring Germany and Switzerland have been pressuring the French government to shut down the aging facility, and the government has said it would.

Yahoo News quotes Eveline Lemke, environment minister for the German state of Rhineland-Palatinate, which borders Alsace, who called for Fessenheim to be shut down immediately. She said she was “dismayed to hear about yet another incident involving a French reactor,” adding that France’s nuclear watchdog was “evidently failing.”

Germany is facing a similar problem with Belgium, where the aging Thiange nuclear reactor, located near the Belgium-Germany border, is reaching the end of its operational life. The reactor was shut down in March 2014, but went back online in December last year, in the face of mounting concerns over cracks in its containment vessels.

About three-quarters of France’s energy needs are met by nuclear power, but last summer the government passed legislation to reduce France’s dependence on nuclear energy.

Read more at http://www.homelandsecuritynewswire.com/dr20160304-2014-french-nuclear-accident-more-serious-than-official-reports-suggested

 

 

New vulnerability discovered in Open SSL, a common encryption protection package

March 74, 2016.

One of the world’s most common security software packages — used as the basis of protection for many Web browsers — has been found to be vulnerable to a specific form of attack, according to new research. Researchers have discovered that OpenSSL is vulnerable to a type of attack known as a “side channel attack.”

One of the world’s most common security software packages — used as the basis of protection for many Web browsers — has been found to be vulnerable to a specific form of attack, according to research led by the University of Adelaide.

OpenSSL provides encryption protection for a range of applications on most types of computers and is similar to the encryption packages used by the Web browsers Google Chrome (BoringSSL) and Firefox (Mozilla’s Network Security Service (NSS)).

U Adelaide reports that Dr. Yuval Yarom, Research Associate at the University of Adelaide’s School of Computer Science, says he and colleagues Daniel Genkin (Tel Aviv University) and Dr. Nadia Heninger (University of Pennsylvania) have discovered that OpenSSL is vulnerable to a type of attack known as a “side channel attack.”

 

A side channel attack enables a hacker to take important information about software by examining the physical workings of a computer system — such as minute changes in power usage, or observing changes in timing when different software is being used.

Dr. Yarom has found that it is possible to “listen in” to the workings of the OpenSSL encryption software. In the team’s case, they measured highly sensitive changes in the computer’s timing — down to less than one nanosecond (one billionth of a second). From these measurements they recovered the private key which OpenSSL uses to identify the user or the computer.

In the wrong hands, the private key can be used to ‘break’ the encryption and impersonate the user,” Dr. Yarom says.

At this stage we have only found this vulnerability in computers with Intel’s ‘Sandy Bridge’ processors. Computers with other Intel processors may not be affected in the same way.”

 

Dr. Yarom says the likelihood of someone hacking a computer using this method is slim: “We seem to be the first to have done it, and under controlled conditions.

Servers, particularly Cloud servers, are a more likely target for this side-channel attack. It’s less likely that someone would use it against a home computer. There are so many easier-to-exploit vulnerabilities in home computers that it’s unlikely someone would try to do this in the real world — but not impossible.”

 

Dr. Yarom says there have been debates about this form of attack on OpenSSL for more than ten years now, with some manufacturers claiming it couldn’t be done. “But we have proven the vulnerability exists,” he says.

With OpenSSL being the most commonly used cryptographic software in the world right now, it’s important for us to stay vigilant against any possible attack, no matter how small its chances might be.

Once we discovered the vulnerability, we contacted the developers of OpenSSL and have been helping them to develop a fix for the problem,” he says.

More Info http://www.homelandsecuritynewswire.com/dr20160307-new-vulnerability-discovered-in-open-ssl-a-common-encryption-protection-package

 

 

Pentagon Boosts Cyber War Against IS Group

March 1, 2016.

 

The Pentagon is expanding its cyber war against Islamic State computer networks, senior defense officials said Monday as they claimed to have seized the momentum in the 18-month-old fight against the jihadists.

Defense Secretary Ashton Carter and the US military's top officer, General Joe Dunford, told reporters the United States was determined to "accelerate" the anti-IS campaign, and indicated cyber warfare is playing an increasingly important role in doing so.

The US-led coalition is working to disrupt IS's command chain "to cause them to lose confidence in their networks," Carter said.

He did not offer technical specifics but said the tactic was to "overload their network so that they can't function, and do all of these things that will interrupt their ability to command and control forces there, control the population and the economy."

Overloading a network is a common type of cyber attack known as a denial of service, but Carter hinted that other techniques are being used.

"The methods we're using are new, some of them will be surprising and some of them are applicable to other challenges... we have around the world," he said.

 

Carter and Dunford visited the US Cyber Command headquarters in Fort Meade, Maryland in January and encouraged workers there to "do what they can" to intensify the fight against the IS group.

Nearly two years since it started bombing IS positions in Iraq and Syria, in a campaign that also included training and equipping local anti-IS forces, the US-led coalition is now focusing on cyber tactics.

 

'Momentum now on our side'

 

While the IS group maintains a firm grip on vast areas of Iraq and Syria, the jihadists have suffered some serious setbacks.

In Iraq, coalition-supported Iraqi forces recaptured Ramadi, the capital of Anbar province west of Baghdad, in December.

And in recent weeks in Syria, a largely Kurdish group called the Syrian Democratic Forces, again backed up by commando training and US-led precision air strikes, encircled the town of Al-Shadadi in Hasakeh province, then moved in and recaptured it from the jihadists.

"Because of our strategy and our determination to accelerate our campaign, momentum is now on our side and not on ISIL's," Carter said, using an alternative abbreviation for the IS group.

 

Dunford, the chairman of the Joint Chiefs of Staff, noted the next major step in Iraq -- to retake the key city of Mosul -- is already well underway even though Iraqi officials have been skeptical that the task could be accomplished this year.

"People have confused maybe when would Mosul be secure with when will operations start," Dunford said.

"Both in terms of the cyber capability, as the secretary spoke about, as well as operations to cut the line of communications and begin to go after some of the targets in and around Mosul, those operations have already started."

For the coalition, a key prize is the recapture of Raqa, the IS group's de facto capital. Pentagon officials have suggested local forces are getting closer to mounting an assault.

 

Despite defeats in Iraq and Syria, the IS group has nonetheless expanded its presence in Libya.

US warplanes and drones on February 19 pulverized a jihadist training camp near the Libyan coastal city of Sabratha, killing dozens of people including an IS operative who allegedly helped plot two deadly attacks in neighboring Tunisia.

Dunford said the Pentagon was looking at ways to increase such strikes.

 

"Where there is opportunity to conduct operations against ISIL, to disrupt them at this point and not undermine the political process, that is where we are," he said.

Read more: http://www.securityweek.com/pentagon-boosts-cyber-war-against-group

 

 

Latest Cyber Security News

Cyber Crime

Pirates hack into shipping company’s servers to identify booty: When the terms “pirate” and “hacker” are used in the same sentence, usually it’s a reference to someone breaking digital rights management on software. But that wasn’t the case in an incident detailed in the recently released Verizon Data Breach Digest report, unveiled this week at the RSA security conference. Verizon’s RISK security response team was called in by a global shipping company that had been the victim of high-seas piracy aided by a network intrusion. ars technica, March 3, 2016

Credit Unions Feeling Pinch in Wendy’s Breach: A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot. KrebsOnSecurity, March 2, 2016

Verizon releases first-ever data breach digest with security case studies: Verizon is known for its huge annual Data Breach Investigations Report, but this morning it released a less data-heavy digest organized by case study. CSO, March 1, 2016

Financial Cyber Security

Weak Bank Password Policies Leave 350 Million Vulnerable, Say Researchers: Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks? ThreatPost, March 3, 2016

Cyber Privacy

Microsoft’s top lawyer defends encryption and Apple; Argues people can’t be kept safe in the real world if they aren’t safe online: Microsoft’s top lawyer delivered a very powerful keynote speech at the recent RSA 2016 security conference on online security and the need for encryption, transparency and trust, while also offering a full throated defense of Apple in its fight with the FBI. NetworkWorkd, March 4, 2016

How the FBI will lose its iPhone fight, thanks to ‘West Coast Law’: The vast majority of it has centered on the rights and the wrongs, about the loss of privacy, and of the precedent that breaking one iPhone would create. The Register, March 4, 2016

Sparks fly over Apple v. FBI dispute at major cybersecurity gathering (+video): SAN FRANCISCO — It was all anyone seemed to want to talk about. Whether inside the vast exhibit halls or at the after parties at this year’s RSA Conference, just about everyone had something to say about the legal dispute between Apple and the FBI. CSMonitor, March 4, 2016

Amazon Quietly Removes Encryption Support from its Gadgets: While Apple is fighting the FBI in court over encryption, Amazon quietly disabled the option to use encryption to protect data on its Android-powered devices. Motherboard, March 3, 2016

Cryptography Pioneers Win Turing Award: SAN FRANCISCO — In 1970, a Stanford artificial intelligence researcher named John McCarthy returned from a conference in Bordeaux, France, where he had presented a paper on the possibility of a “Home Information Terminal.” The New York Times, March 1, 2016

Cyber Fraud

Thieves Nab IRS PINs to Hijack Tax Refunds: Last year, KrebsOnSecurity warned that the Internal Revenue Service‘s (IRS) solution for helping victims of tax refund fraud avoid being victimized two years in a row was vulnerable to compromise by identity thieves. According to a story shared by one reader, the crooks are well aware of this security weakness and are using it to revisit tax refund fraud on at least some victims two years running — despite the IRS’s added ID theft protections. KrebsOnSecurity, March 1, 2016

Identity Theft

How to Avoid Being a Victim of Tax-Time Identity Theft: Tax-time identity theft is a growing problem in the U.S., and has the potential to cause you a headache and tie up your tax refund well into the summer months or beyond. USNews and World Report, March 3, 2016

Cyber Warning

Triada trojan on Android devices “complex as Windows malware”: A new Trojan targeting Android devices has been found to be a risk to around 60 per cent of Android devices. SCMagazine, March 4, 2016

It’s 2016, so why is the world still falling for Office macro malware?: In the late 1990s, Microsoft Office macros were a favorite vehicle for surreptitiously installing malware on the computers of unsuspecting targets. Microsoft eventually disabled the automated scripts by default, a setting that forced attackers to look for new infection methods. Remotely exploiting security bugs in Internet Explorer, Adobe Flash, and other widely used software soon came into favor. ars technica, March 4, 2016

New attack steals secret crypto keys from Android and iOS phones: Researchers have devised an attack on Android and iOS devices that successfully steals cryptographic keys used to protect Bitcoin wallets, Apple Pay accounts, and other high-value assets. ars technica, March 3, 2016

Cyber Security Management – C Suite

Businesses are still scared of reporting cyberattacks to the police: Report suggests organisations, be it because of embarrassment or ignorance, aren’t seeking help from the authorities when they’re victims of cybercrime. ZDNet, March 3, 2016

Cyber Security Management – Cyber Defense

Protection Is Necessary, But Not Sufficient: It’s time to move the conversation beyond malware and point defenses and onto dealing with breaches in their entirety. DarkReading, March 4, 2016

Why Marrying Infosec & Info Governance Boosts Security Capabilities: In today’s data centric world, security pros need to know where sensitive data is supposed to be, not just where it actually is now. DarkReading, March 4, 2016

7 Attack Trends Making Security Pros Sweat: A look at the most dangerous threats and what to expect for the rest of 2016. DarkReading, March 3, 2016

Cisco Nexus 3000 Series and 3500 Platform Switches Insecure Default Credentials Vulnerability: A vulnerability in Cisco NX-OS Software running on Cisco Nexus 3000 Series Switches and Cisco Nexus 3500 Platform Switches could allow an unauthenticated, remote attacker to log in to the device with the privileges of the root user with bash shell access. Cisco, March 2, 2016

Secure the Village

Opinion: Cybersecurity needs less talk, more action: As this year’s RSA Conference, the world’s largest cybersecurity gathering, comes to an end, it’s time for the digital security industry to start sharing threat intelligence information in earnest and training the next generation of cybersecurity workers. CSMonitor, March 4, 2016

US National Cyber Security

Steptoe Cyberlaw Podcast – Hostfull II: Due to technical difficulties, the interview for the 103rd episode will be released as a separate post next week. In the news roundup, we explore Apple’s brief against providing additional assistance to the FBI in its investigation of the San Bernardino killings. Michael Vatis finds good and bad in the brief – some entirely plausible arguments about burden mixed with implausible ones aimed more at the public than at the magistrate judge. I suggest that the burden argument may be weaker than it seems, both because the costs can be spread over many requests for assistance and because the accounting of work to be done feels “as padded as a no-bid government contract offer.” Which, now that the FBI has offered to pay Apple’s costs, is pretty much exactly what it is. Steptoe Cyberblog, March 2, 2016

White House Officials Soften Approach at RSA Conference: SAN FRANCISCO — Attorney General Loretta E. Lynch joined a parade of Obama administration officials to tech’s home turf on Tuesday. Their message: National security depends on the industry’s cooperation. The New York Times, March 1, 2016

Cyber Underworld

RSAC16: Cyber criminals are hiding in plain sight, says RSA report: Cyber criminals are using social media as a communication and sales channel, not just for reconnaissance and phishing, an RSA study has revealed. ComputerWorld, March 4, 2016

Cyber Sunshine

Feds go after online payment firm for deceptive cybersecurity: Federal regulators on Thursday sent a major signal to financial technology companies, settling charges against an online payment firm for deceiving customers about data security. The Hill, March 3, 2016

Turkish mastermind of $55m ATM card hacking spree pleads guilty: Ercan Findikoglu has admitted his role in three cyberattacks which netted a criminal gang $55 million in a matter of hours. ZDNet, March 3, 2016

 

 

 

Home

Cyber ReseArch

Cyber News

Cyber info

 

The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.

 

 

Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing expert center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.

 

 

Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net