Cyber Research
Cyber News
Cyber Info

July, 2017

In this issue



*         Industry Massively Underinsured Against Global Cyber Attacks: Study

*         Solving Cyberwar the Old Fashioned Way - Via Diplomacy?

*         UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

*         Your Guide to Russia’s Infrastructure Hacking Teams

*         Latest Cyber Security News


About the Cyber Security News Update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Industry Massively Underinsured Against Global Cyber Attacks: Study

July 17, 2017


Industry is massively underinsured against a major global cyberattack, which could trigger losses on a par with natural disasters such as Hurricane (Superstorm) Sandy. This is one of the main conclusions of a study conducted by Lloyd's of London (the world's oldest insurance organization, with more than 20% of the global cyber insurance market) and Cyence (a risk modeling firm).


The report, "Counting the cost: Cyber exposure decoded" (PDF), examines two attack scenarios. In the first, attackers make a malicious modification to a hypervisor controlling cloud infrastructure, which causes multiple server failures across multiple cloud customers. In the second, a zero-day vulnerability affecting an operating system with a 45% market share is obtained by unidentified criminal groups that attack vulnerable businesses for financial gain.

In the first (cloud) scenario, the projected losses range from $4.6 billion for a large event to $53.1 billion for an extreme event. In the second (zero-day) scenario, the projected losses range from $9.7 billion for a large event to $28.7 billion for an extreme event. However, the report also notes that losses could be much lower or very much higher: as low as $15.6 billion or as high as $121.4 billion for an extreme cloud event.

The uninsured gap could be as much as $45 billion for the cloud services scenario – meaning that less than a fifth (17%) of the economic losses are covered by insurance. The insurance gap could be as high as $26 billion for the mass vulnerability scenario – meaning that just 7% of economic losses are covered.

This represents both a major market opportunity for the cyber insurance industry, and a poor understanding of the financial risk level within industry. The warning comes just weeks after major global ransomware attacks (WannaCry and NotPetya) and a U.S. government warning to industrial firms about a hacking campaign targeting the nuclear and energy sectors. 


This variation in projected costs is caused by the second major conclusion drawn by the study -- neither the security industry nor the underwriting industry yet has sufficient understanding of global cybersecurity risk to formulate accurate risk/exposure figures for insurance purposes.

For example, for motor insurance, the industry has many years of detailed data on motor accidents: types of vehicle, ages of drivers, geolocations and so on; all against a background of improving motor safety. Cyber security, however, has little such data in a market whose conditions are continually worsening with new and more sophisticated attackers. This is further complicated by a poor understanding of liability and risk aggregation in cyber liability.

"The doomsday scenarios painted in the report highlight the growing issue of cyber risk aggregation," suggests Pete Banham, cyber resilience expert at Mimecast. "By adopting a cloud strategy that seeks to reduce the number of vendors, organizations may be tipping towards short term cost savings at the expense of security."


"For the insurance industry to capitalize on the growing cyber market," notes the report, "insurers would benefit from a deeper understanding of the potential tail risk implicit in cyber coverage." At the same time, it suggests, "Risk managers could use the cyber-attack scenarios to see what impacts cyber-attacks might have on their core business processes, and plan what actions they could take to mitigate these risks."

"This report gives a real sense of the scale of damage a cyber-attack could cause the global economy," comments Inga Beale, CEO of Lloyd's. "Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers' claims costs. Underwriters need to consider cyber cover in this way and ensure that premium calculations keep pace with the cyber threat reality."

It should be noted, however, that the cyber security industry -- which could be impacted if industry diverts its primary risk strategy from mitigation (buying security controls) to transference (buying insurance) -- has its doubts. 


"These are big numbers," comments David Emm, principal security researcher at Kaspersky Lab, "but they don't mean much unless terms such as 'serious cyber-attack' are quantified. How can we assess the global cost of an attack? It could mean anything from a temporary interruption of service to the takeover of customer systems – with very different costs. It's important for companies to conduct their own risk assessment and develop a strategy that's designed to secure corporate systems and mitigate the risk of an attack on those systems."

Two years ago, Lloyd's predicted that a major successful attack against the U.S. power grid "would cause between $243 billion to more than $1 trillion in economic damage."


More info http://www.securityweek.com/industry-massively-underinsured-against-global-cyber-attacks-study

Solving Cyberwar the Old Fashioned Way - Via Diplomacy?

July 10, 2017

What is Essentially Needed is a NATO or Similar Structure Organization for Cyberwarfare

In case you missed it, Canada and China have just announced signing an agreement vowing not to hack each other for the purpose of economic espionage. The agreement specifically cites confidential business information and stealing trade secrets. It does not refer to national intelligence gathering or espionage.

As we stated back in 2012, agreements and treaties will be far more effective and cost effective than trying to secure our fundamentally flawed supply chains and infrastructure, and less risky and potentially ineffective than the insane idea of active defense and hackback (although no-one seems to have told the UK government this).

According to the Verizon Data Breach Investigations Report 2017, the main target of economic espionage is the manufacturing sector, with the pharmaceutical sector a close second. Verizon identified 620 breaches targeting the manufacturing sector, with 94% defined as economic espionage and attributable to nation state actors. 91% of the targeted and stolen data was classified as "secret", indicating that these were trade secrets and intellectual property. In many instances, the targeted business units were Research & Development or related departments.

Worryingly, the majority of attacks against manufacturing and pharmaceutical companies are not opportunistic. Because trade secrets are obviously a valuable and critical data type, and are actively developed and kept in specific business units and assets, they are better secured than most companies' infrastructure.

R&D is expensive. It can require many years of iterative research that is difficult to begin from scratch or catch up, and can also frequently be a gamble without a guaranteed payoff. In the pharmaceutical industry for example, the success rate of a new medication getting through FDA approval is only 9.6%. This makes R&D a very lucrative and worthwhile target of cyberwar.

Most people will however have noticed that there is a lot less news around the topic of Chinese hacking recently. This can be partially explained by a similar agreement between the USA and China that was concluded in 2015. The common wisdom is that this was based on the potential negative impact from the threat of economic sanctions. Similar agreements have also been concluded with Germany, the United Kingdom and Australia.

The threat of economic sanctions was however not new, may have had only a negligible impact and China would of course have had the ability to retaliate in many different ways. So this begs the question, why did they agree to do this when they did?

There may be two fundamental reasons why China has agreed to cooperate in recent years. The first is that they are now not just the ones copying anymore, they are also being copied, as Andreessen Horowitz has recently stated. In essence, they now have to protect their own intellectual property and trade secrets and are experiencing the same difficulties in securing their digital infrastructure as any other nation. The second is a little more sobering: China may have already acquired the majority of the data that they needed or wanted from the USA and Canada.

Even though Chinese cyber-espionage activity focused on the USA has diminished, it appears as though China is still very much active in other regions, if you trust the attribution.

We may now see a wave of increased activity against other nation states targeting trade secrets and IP. In each case, there will be a window of opportunity before the targeted nation is able to reliably attribute the attacks (if at all; not every nation has the same capabilities in this regard as the USA), and before the slow wheels of governance begin to pivot towards threatening sanctions or other disincentives. At that point China will in some cases, depending on the clout behind those threats, be willing to offer an agreement such as those with the USA or Canada. Bilateral agreements with China will only be a viable path for some nations, based on the geopolitical and economic relations that they have with China. This bodes badly for Taiwan, South Korea and Japan, for example. China has been very shrewd, and an observer may note that the agreements so far have been with the Five Eyes and related nations, whose cyberwarfare capabilities are equal if not superior to China's. This was to an extent predictable and is based purely on power dynamics.

The same approach will also sadly not work with Russia. There are already a large number of sanctions in place and Putin’s government is motivated more by geopolitical than economic strategic objectives. However, the lifting of certain sanctions may provide an alternative incentive to limit certain types of cyberwar activity.

But the real solution lies in the creation of agreements and governance that will provide protection for everyone. One possible sanction would be to disconnect rogue nations entirely from the internet, but as the internet has no discernible borders this would require the cooperation of many countries. Nations refusing to join and adhere to any agreements could be firewalled off, with all traffic originating there being treated as potentially hostile, with increased monitoring and restricted access. The internet is a shared commons of such strategic importance for everyone that it is time to stop pretending that it is a self-enclosed world without rules. What is essentially needed is a NATO or similar structure for cyberwarfare.

Read more http://www.securityweek.com/solving-cyberwar-old-fashioned-way-diplomacy

UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

July 18, 2017


The U.K. Government Communications Headquarters (GCHQ), Britain's secret eavesdropping agency, warns that 'a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised' following the discovery of 'connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.'
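The memo's finding rests on a routine SOC check: matching observed outbound connections against a list of infrastructure attributed to a threat actor. The following is an added example, not code from the NCSC memo or the SecurityWeek article, showing the shape of that sweep over constructed firewall log lines. The log format, the indicator values (RFC 5737 documentation ranges and reserved example domains) and the sample lines are all assumptions made for illustration.

```python
"""Match outbound firewall log lines against a threat-intel indicator set.

Added example; not from the NCSC memo or the SecurityWeek article. The log
format, the indicator values and the addresses below are constructed for
illustration (documentation ranges, not real threat-actor infrastructure).
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed indicators: ranges and domains an intel feed might mark as actor infrastructure.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.77/32")]
IOC_DOMAINS = {"updates-mirror.example", "cdn.login-check.example"}

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> [host=<sni-or-http-host>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: host=(?P<host>\S+))?$"
)


class Hit(NamedTuple):
    ts: str
    src: str
    dst: str
    reason: str  # which indicator type matched


def domain_matches(host: Optional[str]) -> bool:
    """True if host is an indicator domain or a subdomain of one.

    Matching on a label boundary avoids the false positive a plain substring
    search would raise for look-alikes such as 'cdn.login-check.example.evil.test'.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(dst: str) -> bool:
    """True if dst falls inside any indicator network (CIDR-aware, not string equality)."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per parseable line whose destination IP or host name matches an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format instead of aborting the sweep
        f = m.groupdict()
        if ip_matches(f["dst"]):
            hits.append(Hit(f["ts"], f["src"], f["dst"], "dst-ip"))
        elif domain_matches(f["host"]):
            hits.append(Hit(f["ts"], f["src"], f["dst"], "host"))
    return hits


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2017-07-14T09:12:01Z src=10.20.5.17 dst=93.184.216.34 dport=443 host=www.example.com",
    "2017-07-14T09:12:07Z src=10.20.5.17 dst=198.51.100.23 dport=443 host=mail.updates-mirror.example",
    "2017-07-14T09:13:40Z src=10.20.7.3 dst=203.0.113.77 dport=80",
    "2017-07-14T09:14:02Z src=10.20.7.3 dst=192.0.2.10 dport=443 host=cdn.login-check.example.evil.test",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst} matched on {h.reason}")
```

Two of the five constructed lines match. The fourth line is deliberately a look-alike domain that merely contains an indicator as a prefix; a sweep built on substring search would flag it, which is the kind of noise that makes a memo like this hard to act on.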



The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK's primary cyber intelligence agency, GCHQ.


From the little information available, it doesn't appear as if there are any specifically known compromises -- NCSC might simply be working from the statistical probability that if enough phishing attacks are launched, at least some will inevitably succeed. 

Spear-phishing is not specifically mentioned within the memo, although it does mention a separate, non-public report from the FBI and DHS last month suggesting the same attackers were using spear-phishing to deliver poisoned Word documents. Motherboard also points to a paywalled report in the Times, Saturday, which states, "Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt."


The clear, if unproven, implication is that Russian state-backed actors are specifically targeting the western energy sector. Having said that, however, the Times report differs from the FBI/DHS and NCSC memos by stating that the intention was "to infiltrate control systems... This would also have given them the power to knock out parts of the grid in Northern Ireland."


Both the FBI/DHS and NCSC memos point to attacks against services organizations, indicating that in the UK and America, it is primarily the supply chain to the critical infrastructure that is being targeted. Indeed, the FBI/DHS statement comments, "There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks."


So, apart from the Times report, this would appear to be a large-scale campaign designed to find ways to infiltrate the critical infrastructure rather than anything designed to damage the critical infrastructure. This is probably standard practice for most cyber-advanced nations -- ensuring they have the capacity to respond to a potential enemy if it ever becomes necessary.


The importance to an enemy and the potential danger to the critical infrastructure should not, however, be underestimated. A known and ready access route into, for example, the power grid, would be similar to having a nuclear deterrent primed and ready -- there is no intention to use it, but accidents can happen.

Neither the FBI/DHS nor the NCSC names the attackers.


The NCSC clearly has suspects, since it recognizes the infrastructure used. The New York Times, however, implicates Russia: "Two people familiar with the investigation say that, while it is still in its early stages, the hackers' techniques mimicked those of the organization known to cybersecurity specialists as 'Energetic Bear,' the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012."

More Info http://www.securityweek.com/uk-spy-agency-warns-state-sponsored-hackers-targeting-critical-infrastructure




Your Guide to Russia’s Infrastructure Hacking Teams

July 12, 2017


Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years.

Over the past weekend, US officials solved at least part of that mystery, revealing to the Washington Post that the hackers behind the utility attacks worked for the Russian government. But that attribution raises a new question: Which of the Kremlin's hackers groups attempted the power grid intrusions?

Russia, after all, is perhaps the only nation in the world with multiple known hacker teams that have targeted energy utilities for years. Each has its own techniques, broader focus, and motivation—and deciphering which group is behind the attacks could help determine the intended endgame of this latest infrastructure hacking spree, too.

As the cybersecurity world's Kremlinologists seek those answers, here's what we know about the groups that may have pulled it off.

Energetic Bear

The prime candidate among Russia's array of hacker teams is a group of cyberspies most widely identified as Energetic Bear, but also known by names including DragonFly, Koala, and Iron Liberty. First spotted by the security firm Crowdstrike in 2014, the group initially seemed to indiscriminately hack hundreds of targets in dozens of countries since as early as 2010, using so-called "watering hole" attacks that infected websites and planted a Trojan called Havex on visitors' machines. But it soon became clear that the hackers had a more specific focus: They also used phishing emails to target vendors of industrial control software, sneaking Havex into customer downloads. Security firm FireEye found in 2014 that the group breached at least four of those industrial control targets, potentially giving the hackers access to everything from power grid systems to manufacturing plants.

The group seemed at least in part focused on broad surveillance of the oil and gas industry, says Adam Meyers, Crowdstrike's vice president of intelligence. Energetic Bear's targets included everything from gas producers to firms that transported liquid gas and oil to energy financing companies. Crowdstrike also found the group's code contained Russian-language artifacts, and that it operated during Moscow business hours. All of that suggests, Meyers argues, that the Russian government may have used the group to protect its own petrochemical industry and better wield its power as a fuel supplier. "If you threaten to turn off the gas to a country, you want to know how severe that threat is and how to properly leverage it," Meyers says.

But security firms noted that the group's targets included electric utilities, too, and some versions of Energetic Bear's malware had the capacity to scan industrial networks for infrastructure equipment, raising the possibility that it could have not just collected industry intelligence, but performed reconnaissance for future disruptive attacks. "We think they were after control systems, and we don’t think there was a compelling intelligence reason for that," says John Hultquist, who leads a research team at FireEye. "You’re not doing that to learn the price of gas."

After security firms including Crowdstrike, Symantec, and others released a series of analyses of Energetic Bear's infrastructure in the summer of 2014, the group abruptly disappeared.


Sandworm

Only one Russian hacker group has actually caused real-world blackouts: Cybersecurity analysts widely believe the hacker team called Sandworm, also known as Voodoo Bear and Telebots, carried out attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of thousands of people.

Despite that distinction, Sandworm's larger focus doesn't appear to be electric utilities or the energy sector. Instead it has spent the last three years terrorizing Ukraine, the country with which Russia has been at war since it invaded the Crimean Peninsula in 2014. Aside from its two blackout attacks, the group has since 2015 rampaged through practically every sector of Ukrainian society, destroying hundreds of computers at media companies, deleting or permanently encrypting terabytes of data held by its government agencies, and paralyzing infrastructure including its railway ticketing system. Cybersecurity researchers including those at FireEye and ESET have also noted that the recent NotPetya ransomware epidemic that crippled thousands of networks in Ukraine and around the world matches Sandworm's history of infecting victims with "fake" ransomware that offers no real option to decrypt their files.

But amidst all that chaos, Sandworm has shown a special interest in power grids. FireEye has tied the group to a series of intrusions on American energy utilities discovered in 2014, which were infected with the same BlackEnergy malware Sandworm would later use in its Ukraine attacks. (FireEye also linked Sandworm with Russia based on Russian-language documents found on one of the group's command-and-control servers, a zero-day vulnerability the group used that had been presented at a Russian hacker conference, and its explicit Ukraine focus.) And security firms ESET and Dragos released an analysis last month of a piece of malware they call "Crash Override" or "Industroyer," a highly sophisticated, adaptable, and automated grid-disrupting piece of code used in Sandworm's 2016 blackout attack on one of the transmission stations of Ukraine's state energy company Ukrenergo.

Palmetto Fusion

The hackers behind the fresh series of attempted intrusions of US energy utilities remain far more mysterious than Energetic Bear or Sandworm. The group has hit energy utilities with "watering hole" and phishing attacks since 2015, with targets as far-flung as Ireland and Turkey in addition to the recently reported American firms, according to FireEye. But despite broad similarities to Energetic Bear, cybersecurity analysts have not yet definitively linked the group to either of the other known Russian grid hacking teams.

Sandworm, in particular, seems like an unlikely match. FireEye's John Hultquist notes that his researchers have tracked both the new group and Sandworm for several overlapping years, but have seen no common techniques or infrastructure in their operations. And according to the Washington Post, US officials believe Palmetto Fusion to be an operation of Russia's secret services agency known as the FSB. Some researchers believe Sandworm works instead under the auspices of Russia's military intelligence group known as the GRU, due to its focus on Russia's military enemy Ukraine and some early targeting of NATO and military organizations.

Palmetto Fusion doesn't exactly share Energetic Bear's pawprints, either, despite a New York Times report tentatively linking the two. While both target the energy sector and use phishing and watering hole attacks, Crowdstrike's Meyers says they don't share any of the same actual tools or techniques, hinting that the Fusion operation may be the work of a distinct group. Cisco's Talos research group, for instance, found that the new team used a combination of phishing and a trick using Microsoft's "server message block" protocol to harvest credentials from victims, a technique never seen from Energetic Bear.
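The document-side check for the SMB credential-harvesting trick mentioned above, as an added example that is not code from the Talos report or the Wired article. It assumes the trick is implemented by giving a Word document an attached template whose location is a UNC path, so that Word authenticates to the attacker's SMB server the moment the file is opened; that mechanism, the relationship parts inspected, and the two constructed sample documents are all assumptions of this example. Only the Python standard library is used.

```python
"""Flag Office Open XML (.docx) files whose relationships pull content from a UNC/SMB path.

Added example; not code from the Talos report or the Wired article. The
attached-template-over-UNC mechanism, the parts inspected and the sample
documents are assumptions of this example.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Relationship parts where a template or external link reference would live (assumed set).
REL_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")
# Targets that make the client speak SMB: UNC paths, file: URLs naming a host, smb: URLs.
# A local "file:///C:/..." path has a third slash and is deliberately not matched.
UNC_RE = re.compile(r"^(?:\\\\|file:/*\\\\|file://[^/\\]|smb://)", re.IGNORECASE)

Rel = Tuple[str, str, str]  # (part, relationship type short name, target)


def external_targets(docx_bytes: bytes) -> List[Rel]:
    """Return every relationship marked TargetMode="External" in the inspected parts."""
    found: List[Rel] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part in REL_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rtype, rel.get("Target", "")))
    return found


def smb_template_hits(docx_bytes: bytes) -> List[Rel]:
    """External relationships whose target is a UNC/SMB location: the ones worth alerting on.

    An external https hyperlink is normal in a business document and is not
    flagged; only targets that would trigger an SMB connection are returned.
    """
    return [r for r in external_targets(docx_bytes) if UNC_RE.match(r[2])]


def _rels_xml(rels: List[Tuple[str, str, Optional[str]]]) -> str:
    """Serialise (type, target, target_mode) triples as a .rels part."""
    root = ET.Element(f"{{{REL_NS}}}Relationships")
    for i, (rtype, target, mode) in enumerate(rels, 1):
        el = ET.SubElement(root, f"{{{REL_NS}}}Relationship", Id=f"rId{i}", Type=rtype, Target=target)
        if mode:
            el.set("TargetMode", mode)
    return ET.tostring(root, encoding="unicode")


def build_sample_docx(settings_rels, document_rels) -> bytes:
    """Constructed minimal .docx skeleton: enough for the detector, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml", '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", _rels_xml(settings_rels))
        z.writestr("word/_rels/document.xml.rels", _rels_xml(document_rels))
    return buf.getvalue()


# Constructed samples: one with a remote template on an RFC 5737 documentation address, one clean.
MALICIOUS_DOCX = build_sample_docx(
    settings_rels=[(ATTACHED_TEMPLATE, r"\\198.51.100.5\share\template.dotm", "External")],
    document_rels=[(HYPERLINK, "https://www.example.com/", "External")],
)
BENIGN_DOCX = build_sample_docx(
    settings_rels=[],
    document_rels=[(HYPERLINK, "https://www.example.com/", "External")],
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, smb_template_hits(doc))
```

Both sample documents carry an ordinary external https hyperlink, so a detector that fires on any external relationship would flag the clean one too; only the UNC-targeted attached template is reported. Scanning attachments is one layer; blocking outbound TCP 445 at the perimeter stops the authentication attempt regardless of how the document was built.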

But the timing of Energetic Bear's disappearance after its discovery in late 2014 and Palmetto Fusion's initial attacks in 2015 remains suspicious. And that timeline may provide one sign that the groups are the same, but with new tools and techniques rebuilt to avoid any obvious connection.

After all, a group of attackers as methodical and prolific as Energetic Bear doesn't simply call it quits after having their cover blown. "These state intelligence agencies don’t give up because of a setback like that," says Tom Finney, a security researcher with the firm SecureWorks, which has also closely tracked Energetic Bear. "We’ve expected them to reappear at some point. This might be it."


Read more: https://www.wired.com/story/russian-hacking-teams-infrastructure/

Latest Cyber Security News

Cyber Update

Individuals at Risk

Cyber Privacy

White House releases sensitive personal information of voters worried about their sensitive personal information: The White House on Thursday made public a trove of emails it received from voters offering comment on its Election Integrity Commission. The commission drew widespread criticism when it emerged into public view by asking for personal information, including addresses, partial social security numbers and party affiliation, on every voter in the country. The Washington Post, July 14, 2017

Cyber Update

Adobe, Microsoft Push Critical Security Fixes: It’s Patch Tuesday, again. That is, if you run Microsoft Windows or Adobe products. Microsoft issued a dozen patch bundles to fix at least 54 security flaws in Windows and associated software. Separately, Adobe’s got a new version of its Flash Player available that addresses at least three vulnerabilities. KrebsOnSecurity, July 11, 2017

Cyber Defense

Keep security in mind on your summer vacation: When you travel, there probably are a few must-haves in your suitcase: your toothbrush, deodorant, socks, shoes – you get the idea. But one travel must-have we don’t always think about is security. While you’re away from home, you might be using public Wi-Fi, tagging your locations (whether or not you realize it), carrying around your passport, and using your credit card more often. Those things could put you at a higher risk of identity theft. Federal Trade Commission, Consumer Information, July 13, 2017

Cyber Warning

macOS users beware: A new and nearly undetectable malware is on the rise: Often thought of as impenetrable, macOS is falling prey to a sneaky malware that’s stealing bank credentials, bypassing Gatekeeper, and disabling attempts to remove it. TechRepublic, July 14, 2017

Watch out for this money stealing macOS malware which mimics your online bank: OSX Dok now attempts to steal money from Apple Mac users — and could be being prepared for use in further attacks. ZDNet, July 14, 2017

Information Security Management in the Organization

Information Security Management and Governance

Beyond Breach Notification: Ever since California adopted the nation’s first breach notification law in 2002, companies that have suffered a data breach have focused on whether and how to notify their customers, employees and others of the nature and extent of the breach. California’s law has been amended multiple times, and has been followed by breach notification laws in almost every state, as well as the notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”). As these laws developed, a tandem requirement has emerged: the obligation to take reasonable steps to protect data, and companies are increasingly focused on taking steps to ensure the security of their data. Robert Braun, SecureTheVillage Leadership Council, Jeffer Mangels Butler & Mitchell Cybersecurity Lawyer Forum, July 7, 2017

Cyber Awareness

How to Avoid Being the Weakest Link in Your Company’s Information Security: When you think of hackers, you probably think of some spy movie where they come down from the ceiling to steal a computer off of a desk and then whisk it away to their laboratory where they input lines of code to crack the encryption. In reality, hacking is often as simple as learning about a user and then guessing their password or even asking them for it: a process called social engineering. INC, July 13, 2017

Why your company needs clear security policies: A cautionary tale: An IT employee was recently almost fired for storing documents on Dropbox. Here’s how the employee and the company could have prevented that situation. TechRepublic, July 13, 2017

Using Feedback Loops to Enhance End User Security: The security world abounds with case studies demonstrating that end users are a weak point within the organization. End users are constantly bombarded by phishing attacks, are notorious for using weak account credentials and are preyed on by malware relying on the user to introduce malicious software into an environment. All of these examples may lead to significant damage to the organization and negative headlines. SecurityIntelligence, August 9, 2017

Cyber Warning

Darkweb Hackers Begin Offering Functional Mac Malware and Ransomware as a Service: With the popularity of both ransomware and the creation of macOS malware on the rise with hackers, Apple users face a growing number of threats. It now appears that others have turned their attention to the creation of new malware to spy on Mac users — but these programmers have gone a step further. Rather than developing a tool and deploying it personally, they have taken to the dark web to offer their products for sale. Known respectively as MacSpy and MacRansom, the hackers provide the malware to users while operating a centralized web portal. The authors’ continued involvement is why this threat is often called malware- or “ransomware-as-a-service.” SecureMac, June 29, 2017

Cyber Defense

To update or not to update: There is no question: Updating software has become one of the many keys to data security. Jack Wallen explains why the excuses for failing to update must become a thing of the past. TechRepublic, July 13, 2017

IT is NOT Cybersecurity: Having IT isn’t enough anymore; businesses need a separate security team as well. Police officers and firefighters are good examples of this: both will help you in your time of need, but each has very specific training for specific functions. CSO, July 11, 2017

Cyber Security in Society

Cyber Crime

Half-Year Roundup: The Top Five Data Breaches of 2017 — So Far: Data breaches aren’t slowing down. If anything, they’re set to break last year’s record pace. As noted by 24/7 Wall Street, the 758 breaches reported this year mark nearly a 30 percent increase from 2016. If cybercriminals keep it up, the total number of attacks could break 1,500 by the end of 2017. SecurityIntelligence, July 13, 2017

Self-Service Food Kiosk Vendor Avanti Hacked: Avanti Markets, a company whose self-service payment kiosks sit beside shelves of snacks and drinks in thousands of corporate breakrooms across America, has suffered a breach of its internal networks in which hackers were able to push malicious software out to those payment devices, the company has acknowledged. The breach may have jeopardized customer credit card accounts as well as biometric data, Avanti warned. KrebsOnSecurity, July 8, 2017

Cyber Espionage

Vault 7 reports new WikiLeaks dump details CIA’s Android SMS snooping malware: Since launching its Vault 7 project in March, WikiLeaks has dumped documents outlining the CIA’s efforts to exploit Microsoft and Apple technology. In this week’s latest release, it focuses on malware called HighRise, which the agency used to target Android devices. Naked Security, July 14, 2017

Know Your Enemy

With this $7 malware, anyone can be a hacker for cheap: Proofpoint security researchers examined the Ovidiy Stealer malware, which steals credentials and operates primarily in Russian-speaking regions. TechRepublic, July 14, 2017

National Cyber Security

Private Email of Top U.S. Russia Intelligence Official Hacked: On Tuesday morning, a hacker going by the name Johnnie Walker sent a group email to an unknown number of recipients claiming to have a trove of emails from the private account of a U.S. intelligence official. Foreign Policy, July 14, 2017

Governors ask Congress to create cybersecurity committee: The leadership of the National Governors Association, including incoming chairman Gov. Brian Sandoval, repeated a plea to Congress on Friday to create a national committee to address cybersecurity threats. Las Vegas Review Journal, July 14, 2017

States Pledge to Meet Cyber Threats; Publish Resource Guide: National Governors Association (NGA) Chair Virginia Gov. Terry McAuliffe kicked off the 2017 NGA Summer Meeting with a discussion on how states continue to develop strategies to thwart cyber threats. Dark Reading, July 14, 2017

Stewart Baker interviews DSB’s Jim Miller re cyber conflict & deterrence: In this episode, we interview Jim Miller, co-chair of a Defense Science Board panel that reported on how the US is postured for cyberconflict and the importance of deterrence. The short answer: deterring cyberconflict is important because our strategic cyberconflict posture sucks. The DSB report is thoughtful, detailed, and troubling. Jim Miller manages to convey its message with grace, good humor, and clarity. Steptoe Cyberblog, July 10, 2017

Stewart Baker interviews ex-NSA Deputy Director Richard Ledgett: Today we deliver the second half of our bifurcated holiday podcast with an interview of Richard Ledgett, recently retired from his tour as NSA’s deputy director. We cover much recent history, from Putin’s election adventurism to questions about whether NSA can keep control of the cyberweapons it develops. Along the way, Rick talks about the difference between CIA and NSA approaches to hacking, the rise of NSA as an intelligence analysis force, the growing effort to keep Kaspersky products out of sensitive systems, and the divergence among intel agencies about whether Putin’s attack on the American election was intended mainly to hurt Hillary Clinton or to help Donald Trump. Steptoe Cyberblog, July 5, 2017

Financial Cyber Security

Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’: A greater number of ATM skimming incidents now involve so-called “insert skimmers,” wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers — which record card data and store it on a tiny embedded flash drive — are equipped with technology allowing them to transmit stolen card data wirelessly via infrared, the same communications technology that powers a TV remote control. KrebsOnSecurity, July 13, 2017

HIPAA: Five Steps to Ensuring Your Risk Assessment Complies with OCR Guidelines: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and healthcare technology have changed significantly over the past 20 years. Covered entities and their business associates face an ever-evolving risk environment in which they must protect electronic protected health information (ePHI). Although healthcare security budgets may increase this year, the cost of implementing and maintaining adequate security controls to protect an entity’s ePHI far exceeds what is often budgeted. As a result, some ePHI may be under-protected and vulnerable to data breach. A long-term, consistent and cost-conscious approach to HIPAA compliance is needed. healthcare informatics, July 14, 2017

Critical Infrastructure

Your Guide to Russia’s Infrastructure Hacking Teams: Since reports first surfaced that hackers targeted more than a dozen American energy utilities, including a Kansas nuclear power plant, the cybersecurity community has dug into the surrounding evidence to determine the culprits. Without knowing the perpetrators, the campaign lends itself to a broad range of possibilities: a profit-seeking cybercriminal scheme, espionage, or the first steps of hacker-induced blackouts like the ones that have twice afflicted Ukraine in the last two years. WIRED, July 12, 2017

U.S. officials say Russian government hackers have penetrated energy and nuclear company business networks: Russian government hackers were behind recent cyber-intrusions into the business systems of U.S. nuclear power and other energy companies in what appears to be an effort to assess their networks, according to U.S. government officials. The Washington Post, July 8, 2017

Combating a Real Threat to Election Integrity: Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The New York Times, July 8, 2017

Internet of Things

The Threat From Weaponized IoT Devices: It’s Bigger Than You Think!: IoT devices, such as smart meters, smart watches and building automation systems, are prolific. You may think that compromised IoT devices pose a danger only to the devices’ owners — for example, it’s easy to understand the privacy violation of an attacker viewing a web camera feed without the owner’s permission. SecurityIntelligence, July 20, 2016

Cyber Sunshine

Darknet Marketplace AlphaBay Offline Following Raids: A joint law enforcement investigation involving the United States, Canada and Thailand appears to have resulted in the takedown of the world’s largest darknet marketplace, called AlphaBay. Meanwhile, one of its alleged operators has been found dead in a Bangkok jail cell. BankInfoSecurity, July 14, 2017

Cyber Miscellany

Pew Report: Whose job is it to keep us safe from online harassment?: A new report has found that 41% of Americans have personally experienced online harassment, 66% have seen it directed to others, and 62% consider it a major problem. Naked Security, July 14, 2017


The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of physical and cyber protection and resilience. CRC-ICS aims to inform industries and critical infrastructure operators about the fast-changing threats they face and the measures, controls and techniques that can be implemented to prepare for and deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net