Home

Cyber Research

Cyber News

Cyber Info

Contact

 november, 2016

 

 

 

NEWS-UPDATE
ISSUE

84

 

 In this issue

 

 

*         This security camera was infected by Mirai-like worm malware 98 seconds after it was plugged in

*         Hackers Use DDoS Attack To Cut Heat To Apartments

*         Release of Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

*         Russia launches dedicated anti-hacking center for defense industry

*         Latest Cyber Security NewsLatest Cyber Security News

 

about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net

 

This security camera was infected by Mirai-like worm malware 98 seconds after it was plugged in

November 18, 2016

 

Here’s an object lesson on the poor state of the so-called Internet of Things: Robert Stephens plugged a Wi-Fi-connected security camera into his network and it was compromised in… 98 seconds.

Stephens, a tech industry veteran, wasn’t so naive as to do this without protecting himself. It was walled off from the rest of the network and rate-limited so it couldn’t participate in any DDoS attacks.

He monitored its traffic carefully, expecting to see — as others have — attempts to take over the device. But even the most jaded among us probably wouldn’t have guessed it would take less than two minutes.

Ninety-eight seconds after it jumped on the Wi-Fi, the camera was attacked by a Mirai-like worm that knew the default login and password. The worm (its advance agent, really) checked the specs of its new home and then downloaded the rest of itself onto the device and, had Stephens not locked it down beforehand, would then be ready to participate in all manner of online shenanigans.

The camera, a cheap off-brand one from a company that sells smartwatches for $12, isn’t exactly best-in-class. This type of thing could be fixed with a firmware update or, in some cases, by simply changing the default password, but not everyone knows to do that, and even the most tech-savvy people might not get that done in two minutes.

Better-quality devices will almost certainly be better protected against this kind of thing, and may for example block all incoming traffic until they’re paired with another device and set up manually. Still, this is a good reminder that it really is a jungle out there.

More info https://techcrunch.com/2016/11/18/this-security-camera-was-infected-by-malware-in-98-seconds-after-it-was-plugged-in/

Hackers Use DDoS Attack To Cut Heat To Apartments

November 7, 2016

Residents of two apartment buildings in Lappeenranta, a city of around 60,000 people in eastern Finland, were literally left in the cold this weekend. The environmental control systems in their buildings stopped working, and it wasn’t because of a blackout. It was actually a DDoS attack that took them down.

Both buildings are managed by Valtia, a facilities services company headquarted in Lappeenranta. Valtia CEO Simo Rounela confirmed to Metropolitan.fi that the central heating and hot water systems in both buildings had been attacked. In attempt to fight off the attack, the systems rebooted — and subsequently got stuck in an endless loop. This is precisely the kind of thing that Chester Wisniewski at SophosLabs was concerned with when he urged makers (and users) of industrial control systems to take meaningful steps toward improving security.

Fortunately for the residents, it’s not that cold Lappeenranta. The high today should be around 20°F. That’s a few degrees below the historical average for November, certainly, but nowhere near the -25 they’ll see once winter finally arrives. Valtia quickly relocated those affected while they addressed the DDoS attack and brought the control systems back online.

In that sense, it’s a good thing the attack happened now. At least Valtia had a chance to shore up defenses while the mercury in Finnish thermometers hasn’t plunged as far as it’s going to this winter.

Something about this attack feels like the one launched on a Liberian mobile provider last week. Was someone probing a relatively small system in a relatively remote location just to test capabilities? It’s a strong possibility. The end game might be a much larger building managed by a company with much deeper pockets… and perhaps one willing to pay attackers to call off the dogs.

Read more at  http://www.forbes.com/sites/leemathews/2016/11/07/ddos-attack-leaves-finnish-apartments-without-heat/#6dedbcd27472

Release of Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

November 10, 2016.

The U.S. Coast Guard, the National Institute of Standards and Technology (NIST), and maritime industry stakeholders have developed a voluntary cybersecurity “Profile” for Maritime Bulk Liquid Transfer (MBLT) facilities. This Profile will be released Thursday at the American Petroleum Institute’s 11th Annual Cybersecurity Conference in Houston.

The Profile implements the NIST Cybersecurity Framework, which was developed in 2014 to address and manage cybersecurity risk in a cost-effective way based on business needs and without placing additional regulatory requirements on businesses. The Profile is how organizations align the Framework’s cybersecurity activities, outcomes, and informative references to organizational business requirements, risk tolerances, and resources. Through this industry-focused Profile, MBLT facilities are provided a pathway for integrating the Framework into organizational operations.

The Profile is the first of its kind for the maritime transportation sector, and it is the result of the coordination between the Coast Guard Office of Port and Facility Compliance, the NIST’s National Cybersecurity Center of Excellence (NCCoE), and industry stakeholders.

“Working with the Coast Guard to engage the oil and natural gas industry in creating this profile is a prime example of the collaboration that takes place at the NCCoE,” said Don Tobin, senior security engineer at the NCCoE. “Organizations working in this critical mission area can leverage the profile to determine and reach their desired state of cybersecurity.”

The Profile identifies and prioritizes the minimum subset of Framework Subcategories relevant to MBLT facility operations, providing the flexibility to address Subcategories in a systematic way that is relevant to their unique operations. The Profile pulls into one document the recommended cybersecurity safeguards and provides a starting point to review and adapt risk management processes. It outlines a desired minimum state of cybersecurity and provides the opportunity to plan for future business decisions.

“This first Cybersecurity Framework Profile for the maritime transportation sector is the culmination of hard work from industry stakeholders, the Coast Guard and NIST to provide guidance to the MBLT industry to adapt their risk management processes to include cyber risk management,” said Capt. Ryan Manning, chief of the Office of Port and Facility Compliance. “While these profiles are voluntary in nature, I highly encourage industry to consider using this to achieve optimal cybersecurity for their respective organization.”

Cyber risk management in the maritime industry has become increasingly important with the evolvement of cyber-dependent technologies in the past decade. The Coast Guard and the maritime industry have recognized the growing potential for cyber-based systems to impact bulk liquid and other elements of the Marine Transportation System. Operational technology, now more than ever operates valves, pumps, sensors, control gates, cameras, and performs many other vital safety and security functions. Cyber attacks could lead to significant consequences. Cyber incidents, such as software problems, non-targeted malware, or operator error could have equally as serious of an impact. The potential consequences of a cyber attack or incident not only impact operations, but can also pose a threat to the Marine Transportation System as a whole.

“These facilities face inherent cybersecurity vulnerabilities and the. Coast Guard hopes this profile will assist organizations with mitigating them, and provide a long-term process for developing an internal cyber risk management program,” said Lt. Cmdr. Josephine Long, a marine safety expert in the Critical Infrastructure Branch within the Coast Guard’s Office of Port & Facility Compliance.

According to Long, the Coast Guard anticipates working with the NCCoE to build four additional profiles; the next two will address passenger vessel and terminal operations, as well as mobile offshore drilling operations.

For more information, please view the entire Maritime Bulk Liquids Transfer Cybersecurity Framework Profile.

More Info http://www.uscg.mil/hq/cg5/cg544/docs/Maritime_BLT_CSF.pdf

Russia launches dedicated anti-hacking center for defense industry

November 7, 2016.

 

Russian state-run weapons corporation Rostec has set up a special center for countering cyber-attacks on all Russian defense enterprises and companies, a popular daily reports.

Rostec’s director for data security, Aleksandr Yevteyev, told Izvestia that the new structure will be called the ‘Corporate Center for Detection, Prevention and Liquidation of Consequences of Computer Attacks’.

The main purpose of the center is to detect attempts to break into data networks of Russian defense enterprises and cut off data arrays in order to prevent information leaks. After this, the data security specialists would pass all information on the attempted hacking to Russia’s Federal Security Service (FSB).

Yevteyev also said that the new system will start working with purely defense enterprises, such as the Unified Instrument-Building Corporation, Helicopters of Russia, High-Precision Complexes and the Unified Engine Building Corporation. The first stage of the system will be completed before the end of 2017.

Over the past few years, Russian authorities have taken considerate measures to protect the nation’s data facilities and networks from leaks and attacks. In mid-2014 Russian introduced the federal law that obliges all internet companies collecting personal information from Russian citizens to store that data inside the country. The sponsors of the bill reason that it will prevent foreign states from misusing Russian citizens’ personal data and strengthen Russia’s national security. They also said the new law accords with the current European policy of legally protecting online personal data.

In July this year, President Vladimir Putin signed into law a set of anti-terrorist amendments that contained the obligation for communication companies, including internet providers, to retain information about their clients’ data traffic for three years (one year for messengers and social networks) and also to keep actual records of phone calls, messages and transferred files for six months.

Despite these steps, attempts to disrupt important Russian data networks continue. Also in July, the FSB reported that computer systems in about 20 Russian state defense, scientific and other high-profile organizations had been infected with malware used for cyberespionage.

The agency said that all the cases are linked and appear to be part of a well-coordinated attack requiring considerable expertise. The coding of the malware and vectors of attack are similar to those used in previous cyber-offensive operations against targets in Russia and other nations, the report stated.

The agency did not specify which party it suspects to be behind the reported cyber espionage or whether it was sponsored by any foreign government.

Read more: https://www.rt.com/politics/365597-russia-launches-dedicated-anti-hacking/

 

 

 

Latest Cyber Security News

Individuals at Risk

Cyber Privacy

Firefox Focus: Private iOS browsing made easy: Mozilla has released Firefox Focus, an iOS app that lets you browse the Internet without having to worry who’s tracking your online activity. HelpNetSecurity, November 18, 2016

Signal encryption app sees 400 percent boost after election: The co-founder of Open Whisper Systems says installations of its app have increased four-fold since November 8. CNet, November 18, 2016

8 Public Sources Holding ‘Private’ Information: Personal information used for nefarious purposes can be found all over the web – from genealogy sites to public records and social media. DarkReading, November 17, 2016

iPhone Call History Synced to iCloud Without User Consent, Knowledge: iPhone users are being warned that their call history may be synced and stored on their iCloud account without their knowledge, making their personal phone records a target for a determined third party. ThreatPost, November 17, 2016

Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say: WASHINGTON — For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. The New York Times, November 15, 2016

Adult FriendFinder hit with one of the biggest data breaches ever, report says: A hack against popular adult dating and entertainment company FriendFinder Networks exposed data related to more than 412 million user accounts, according to a report from breach notification site LeakedSource. The Washington Post, November 14, 2016

Cyber Update

Drupal Fixes ‘Moderately Critical’ Vulnerabilities in Core Engine: The Drupal Security Team fixed a handful of issues in version 7 and 8 of its content management system core engine this week that could have led to cache poisoning, social engineering attacks and a denial of service condition. ThreatPost, November 18, 2016

Cyber Warning

Powerful backdoor/rootkit found preinstalled on 3 million Android phones: Firmware that actively tries to hide itself allows attackers to install apps as root. ars technica, November 18, 2016

Meet PoisonTap, the $5 tool that ransacks password-protected computers: The perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password. ars technica, November 16, 2016

Cyber Defense

Attacks to make Ask.com Toolbar a conduit for malware are nipped in the bud: Attackers who were trying to turn the Ask.com Toolbar into a malware dispensary got caught early on when their scheme was picked up by security services that were looking for anomalies. NetworkWorld, November 18, 2016

You’d likely give up sex for cybersecurity, poll finds: Could you become, as Jerry Seinfeld put it, “master of your domain” to save your web domains? CNet, November 17, 2016

Facebook is buying up stolen passwords on the black market: Facebook shops for passwords sold on the online black market, buying up credentials from crooks to sniff out which ones its users are reusing, Chief Security Officer Alex Stamos said at the Web Summit in Lisbon on Wednesday. NakedSecurity, November 11, 2016

Sharing Threat Intel: Easier Said Than Done: For cyber intelligence-sharing to work, organizations need two things: to trust each other and better processes to collect, exchange, and act on information quickly. DarkReading, November 11, 2016

SMBs risk data security by using free cloud storage: SMBs risk data security if they use free cloud storage, but nearly 25% still do, despite warnings from industry experts. In addition, new findings reveal that 11% of SMBs are storing banking information and 14% are storing medical records in free cloud storage, according to a survey of 293 SMBs by Clutch. HelpNetSecurity, November 11, 2016

Bridging the Gulf Between the IT and Security Teams : AUSTIN, Texas—The tales of a fundamental disconnect between the IT staff in many companies and the security staff in those same companies abound. eWeek, November 5, 2016

The Five Step Ransomware Defense Playbook: Over the past three years, ransomware has jumped into the spotlight of the cyber threat landscape; in fact the FBI estimates that $1 billion in losses will be incurred in 2016 from ransomware alone. Until recently, most ransomware attacks were opportunistic, targeting individual users’ or small businesses’ computers, and demanding just a few hundred dollars for an individual PC. ITSP Magazine, November 3, 2016

 

Why Browser Vendors Chose to Distrust 2 Certificate Authorities: A foundational element of the Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate system is that browser vendors need to trust the certificate authorities that issue certificates. eWeek, November 2, 2016

Information Security Management in the Organization

Information Security Governance

NIST Releases Version of Cybersecurity Framework for Small Businesses: NIST has been working closely with the Small Business Administration on cybersecurity issues for small business since 2003. DarkReading, November 17, 2016

Cyber Defense

Retail Cybersecurity: Black Friday and Cyber Monday Are Upon Us: In the U.S., the post-Thanksgiving shopping blitz of Black Friday often serves as a make-or-break event for many retailers. Indeed, Black Friday is the day when retailers start to make a profit for the year. SecurityIntelligence, November 18, 2016

It’s a Marketing Mess! Artificial Intelligence vs Machine Learning: Artificial intelligence is a thing. No matter where you turn, technology companies are selling AI as the secret sauce in their cybersecurity platforms, their decision support systems, their network analytics tools, even their email marketing software. You name it, it’s got “AI Inside.” You’ll see that acronym AI often, as companies refer to artificial intelligence that way – which in itself is pretty vague, as you’d expect for a term that’s been bandied about for many decades and has a great number of representative branches. In our current context, AI generally refers to hardware or software that thinks, learns, and cognitively processes data the same way a human would, although presumably faster and more accurately: Think about Commander Data from Star Trek as a human-shaped role model for what AI could become someday. ITSP Magazine, November 16, 2016

Cyber Security in Society

Cyber Attack

Cloud Storage Site Mega Compromised by Hackers: Mega, the cloud storage site originally founded by Kim Dotcom, was compromised by hackers this week. Outsiders gained access to part of the site’s infrastructure and released some source code, claiming to have user details as well. Mega confirmed the hack of their seperate blog/help centre system but says that no user data was compromised. TorrentFreak, November 17, 2016

Russian ‘Dukes’ of Hackers Pounce on Trump Win: Less than six hours after Donald Trump became the presumptive president-elect of the United States, a Russian hacker gang perhaps best known for breaking into computer networks at the Democratic National Committee launched a volley of targeted phishing campaigns against American political think-tanks and non-government organizations (NGOs). KrebsOnSecurity, November 10, 2016

Hackers Use DDoS Attack To Cut Heat To Apartments: Residents of two apartment buildings in Lappeenranta, a city of around 60,000 people in eastern Finland, were literally left in the cold this weekend. The environmental control systems in their buildings stopped working, and it wasn’t because of a blackout. It was actually a DDoS attack that took them down. Forbes, November 7, 2016

US National Cyber Security

The encryption conundrum: Should tech compromise or double down?: Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy. TheRegister, November 18, 2016

With CIA choice, Trump picks a foe of Silicon Valley’s encryption stance: In his nomination of Representative Mike Pompeo to head the CIA, President-elect Donald Trump has picked someone who has supported NSA surveillance programs and has criticized Silicon Valley’s stance on encryption. PCWorld, November 18, 2016

NSA Chief Says DNC Email Leak Was Deliberate Act: Attack was a conscious effort to achieve a specific effect, Director Michael Rogers told the Wall Street Journal this week. DarkReading, November 18, 2016

Trump presidency fuels heated encryption debate: Cindy Cohn says she’s tired of having the same conversation about encryption. That might be why Cohn, the executive director of the Electronic Frontier Foundation, made frank and impassioned comments throughout a debate held Wednesday between her and Daniel Rosenthal, the former director of counterterrorism at the White House who currently works at investigative firm Kroll. CNet, November 17, 2016

Paul Rosenzweig & Shane Harris Talk About Trump & Cybersecurity w Steptoe’s Stewart Baker: We couldn’t resist. This week’s topic is of course President-elect Trump and what his election could mean for All Things Cyber. It features noted cybercommentator Paul Rosenzweig and Daily Beast reporter Shane Harris. Steptoe Cyberblog, November 14, 2016

Here’s Trump’s plan to stop hackers: The incoming Trump administration wants to audit the security of the federal government’s computer systems — a massive undertaking — and strengthen the hacking division of the U.S. military. CNN, November 11, 2016

Russian Hackers Target Think Tanks In Post-Election Attacks: According to security firm Volexity, staff at several U.S. political think tanks and numerous non-government organizations (NGOs) are the targets of a sophisticated new phishing campaign. Forbes, November 11, 2016

Essays: American Elections Will Be Hacked. Will We Be Ready?: It’s over. The voting went smoothly. As of the time of writing, there are no serious fraud allegations, nor credible evidence that anyone hacked the voting rolls or voting machines. And most important, the results are not in doubt. Schneier On Security, November 9, 2016

Financial Cyber Security

Crypto Currency Use Seen Limited by Cybersecurity Concerns: Some economists believe we are making strides toward becoming a cashless society. But taking the wider view, the role of cash is changing as new kinds of cryptocurrencies such as bitcoin and Ethereum are becoming more popular, offering consumers more choices in terms of credit and payments. Whether cash continues to be king will hinge on the perception of cybersecurity and how it evolves with these alternative currencies. SecurityIntelligence, November 10, 2016

Tesco Bank: Raid on 20,000 Accounts Fuels Cybercrime Fears in U.K: Tesco Bank, owned by Britain’s biggest retailer Tesco, halted all online transactions on Monday after money was stolen from 20,000 accounts in the country’s first such cyber heist. Fortune, November 7, 2016

Internet of Things

Test Driving Privacy and Cybersecurity: Regulation of Smart Cars: The modern automobile is less a mechanical device and more an intricate computer. Regulating the privacy and security risks presented by a computer on wheels has its challenges: as technologist Bruce Schneier said to the House Energy and Commerce Committee in a hearing on IoT last Wednesday, the average connected device has “crossed four regulatory agencies and it’s not even eleven o’clock.” This dynamic is particularly true in the automated vehicles context, but the issue went unexplored in the Committee’s hearing on self-driving vehicles the day prior. CDT, November 18, 2016

This security camera was infected by malware 98 seconds after it was plugged in: Here’s an object lesson on the poor state of the so-called Internet of Things: Robert Stephens plugged a Wi-Fi-connected security camera into his network and it was compromised in… 98 seconds. TechCrunch, November 18, 2016

Bruce Schneier’s House of Representatives Testimony on Role of IoT in Recent Attack: Good morning. Chairmen Walden and Burgess, Ranking Members Eshoo and Schakowsky, members of the committee: thank you for the opportunity to testify on this matter. Although I have an affiliation with both Harvard University and IBM, I am testifying in my personal capacity as a cybersecurity expert and nothing I say should be construed as the official position of either of those organizations. Schneier On Security, November 16, 2016

Congress Explores How to Bolster IoT Cybersecurity: What’s needed to bolster the security of internet of things devices to help prevent cyberattacks, such as the October botnet-driven distributed denial-of-service attack on web services provider Dyn that crippled Netflix, Twitter and many other websites? BankInfoSecurity, November 16, 2016

DHS on IoT cybersecurity: Fix it or get sued: Companies that make products for the Internet of Things must build security in at the design stage or face the possibility of getting sued, the Department of Homeland Security said in guidelines released Tuesday. cyberscoop, Novemebr 16, 2016

NIST and DHS Issue Guidelines for IoT Cybersecurity: The National Institutes of Standards and Technology on Tuesday issued comprehensive cybersecurity for internet-connected devices, stressing an engineering-based approach that builds security systems directly into Internet of Things technology. The Department of Homeland Security separately released its own cybersecurity policy for IoT devices on Tuesday, delineating six strategic principles that it believes will help stakeholders stop hackers from tampering with connected devices. MorningConsult, November 15, 2016

The perfect cybercrime: selling fake followers to fake people: Hackers are recruting the internet of things into a botnet. But this time they’re not trying to take down the internet, just using them to make fake social media accounts – which they can sell to online narcissists to make an easy buck. New Scientist, November 11, 2016

Russian Banks Hit By IoT DDoS Attack: Five Russian banks have been under intermittent cyber-attack for two days, said the country’s banking regulator. BBC, November 10, 2016

Your WiFi-Connected Thermostat Can Take Down the Whole Internet. We Need New Regulations: Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the “Internet of Things” and increased regulation of what are now critical and life-threatening technologies. It’s no longer a question of if, it’s a question of when. Schneier On Security, November 3, 2016

Cyber Research

How IBM’s Watson will change cybersecurity: IBM ventures into cognitive security, where AI systems learn to understand infosec terms and concepts well enough to reduce detection and response time. InfoWorld, November 15, 2016

 

 

 

 

Home

Cyber ReseArch

Cyber News

Cyber info

 

The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.

 

 

Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.

 

 

Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net