Cyber Research

Cyber News

Cyber Info

September 2017

In this issue



*         US NIAC Securing Cyber Assets Critical Infrastructures

*         Hackers Gain Direct Access to US Power Grid Controls

*         8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps

*         The first quantum-cryptographic satellite network will be Chinese

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems (CRC-ICS) and is intended to reach all cyber security professionals interested in industrial and critical infrastructure threats, protection and resilience. For more information, visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net.


US NIAC Securing Cyber Assets Critical Infrastructures

September 5, 2017


Summary Report

Our review of hundreds of studies and interviews with 38 cyber and industry experts revealed an echo chamber, loudly reverberating what needs to be done to secure critical U.S. infrastructure against aggressive and targeted cyber attacks. Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.


Our Assessment

The National Security Council (NSC) tasked the President’s National Infrastructure Advisory Council (NIAC) with examining how federal authorities and capabilities can best be applied to support cybersecurity of high-risk assets. We reviewed a comprehensive dataset of more than 140 federal capabilities and authorities, demonstrating impressive depth and complexity of federal resources.

We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused. Today, we are falling short.



The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions:


1.     Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.

ACTION REQUIRED BY: U.S. Department of Energy (DOE), U.S. Department of Homeland Security (DHS), Office of the Director of National Intelligence (ODNI), U.S. Department of Defense (DOD), NSC, and the Strategic Infrastructure Coordinating Council (SICC) (Electricity, Financial Services, and Communications)


2.     FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES, led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.



3.     Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.



4.     Strengthen the capabilities of TODAY’S CYBER WORKFORCE by sponsoring a public-private expert exchange program.



5.     Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.



6.     Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.

ACTION REQUIRED BY: DHS, ODNI, NSC, Federal Bureau of Investigation (FBI), U.S. Office of Personnel Management (OPM), and all agencies that issue/sponsor clearances


7.     Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.

ACTION REQUIRED BY: NSC, DHS, ODNI, FBI, and the Intelligence Community


8.     PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND IN THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES—led by the executives who can direct priorities and marshal resources—to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats. (See explanatory chart on page 16.)

ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, the SICC, DOD, U.S. Department of the Treasury (Treasury), and U.S. Department of Justice (DOJ)


9.     USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (NOVEMBER 2017) TO TEST the detailed execution of federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the federal government’s response actions where they are unclear.



10.   Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across federal agencies.



11.   Task the Homeland Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate next steps to move forward.

ACTION REQUIRED BY: Homeland Security Advisor


The time to act is now. As a nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.

Our nation needs direction and leadership to dramatically reduce cyber risks. The NIAC stands ready to continue to support the President in this area.

More info https://www.dhs.gov/publication/niac-securing-cyber-assets-addressing-urgent-cyber-threats-critical-infrastructure-final

Hackers Gain Direct Access to US Power Grid Controls

September 6, 2017

In an era of hacker attacks on critical infrastructure, even a run-of-the-mill malware infection on an electric utility’s network is enough to raise alarm bells. But the latest collection of power grid penetrations went far deeper: Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.

Symantec on Wednesday revealed a new campaign of attacks by a group it is calling Dragonfly 2.0, which it says targeted dozens of energy companies in the spring and summer of this year. In more than 20 cases, Symantec says the hackers successfully gained access to the target companies’ networks. And at a handful of US power firms and at least one company in Turkey—none of which Symantec will name—their forensic analysis found that the hackers obtained what they call operational access: control of the interfaces power company engineers use to send actual commands to equipment like circuit breakers, giving them the ability to stop the flow of electricity into US homes and businesses.

“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage ... being able to flip the switch on power generation,” says Eric Chien, a Symantec security analyst. “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”

Never before have hackers been shown to have that level of control of American power company systems, Chien notes. The only comparable situations, he says, have been the repeated hacker attacks on the Ukrainian grid that twice caused power outages in the country in late 2015 and 2016, the first known hacker-induced blackouts.

The Usual Suspects

Security firms like FireEye and Dragos have pinned those Ukrainian attacks on a hacker group known as Sandworm, believed to be based in Russia. But Symantec stopped short of blaming the more recent attacks on any country or even trying to explain the hackers' motives. Chien says the company has found no connections between Sandworm and the intrusions it has tracked. Nor has it directly connected the Dragonfly 2.0 campaign to the string of hacker intrusions at US power companies—including a Kansas nuclear facility—known as Palmetto Fusion, which unnamed officials revealed in July and later tied to Russia.

Chien does note, however, that the timing and public descriptions of the Palmetto Fusion hacking campaigns match up with its Dragonfly findings. “It’s highly unlikely this is just coincidental,” Chien says. But he adds that while the Palmetto Fusion intrusions included a breach of a nuclear power plant, the most serious Dragonfly intrusions Symantec tracked penetrated only non-nuclear energy companies, which have less strict separations of their internet-connected IT networks and operational controls.

As Symantec's report on the new intrusions details, the company has tracked the Dragonfly 2.0 attacks back to at least December of 2015, but found that they ramped up significantly in the first half of 2017, particularly in the US, Turkey, and Switzerland. Its analysis of those breaches found that they began with spearphishing emails that tricked victims into opening a malicious attachment—the earliest they found was a fake invitation to a New Year's Eve party—or so-called watering hole attacks that compromise a website commonly visited by targets to hack victims' computers.

Those attacks were designed to harvest credentials from victims and gain remote access to their machines. And in the most successful of those cases, including several instances in the US and one in Turkey, the attackers penetrated deep enough to screenshot the actual control panels for their targets' grid operations—what Symantec believes was a final step in positioning themselves to sabotage those systems at will. "That’s exactly what you’d do if you were to attempt sabotage," he says. "You’d take these sorts of screenshots to understand what you had to do next, like literally which switch to flip."

And if those hackers did gain the ability to cause a blackout in the US, why did they stop short? Chien reasons that they may have been seeking the option to cause an electric disruption but waiting for an opportunity that would be most strategically useful—say, if an armed conflict broke out, or potentially to issue a well-timed threat that would deter the US from using its own hacking capabilities against another foreign nation's critical infrastructure. "If these attacks are from a nation state," Chien says, "one would expect sabotage only in relation to a political event."

The Ukrainian Precedent

Not every group of hackers has shown that kind of restraint. Hackers now believed to be the Russian group Sandworm used exactly the sort of access to electricity control interfaces that Symantec describes Dragonfly having to shut off the power to a quarter million Ukrainians in December 2015. In one case they took over the remote help desk tool of a Ukrainian energy utility to hijack engineers' mouse controls and manually clicked through dozens of circuit breakers, turning off the power to tens of thousands of people as the engineers watched helplessly.

Operations like that one and a more automated blackout attack a year later have made Russia the first suspect in any grid-hacking incident. But Symantec notes that the hackers mostly used freely available tools and existing vulnerabilities in software rather than previously unknown weaknesses, making any attribution more difficult. They found some Russian-language strings of code in the malware used in the intrusions, but also some hints of French. They note that either language could be a "false flag" meant to throw off investigators.

In naming the hacking campaign Dragonfly, however, Symantec does tie it to an earlier, widely analyzed set of intrusions also aimed at the US and European energy sectors, which stretched from as early as 2010 to 2014. The hackers behind that series of attacks, called Dragonfly by Symantec but also known by the names Energetic Bear, Iron Liberty, and Koala, shared many of the same characteristics as the more recent Dragonfly 2.0 attacks, Symantec says, including infection methods, two pieces of malware used in the intrusions, and energy sector victims. And both the security firm Crowdstrike and the US government have linked those earlier Dragonfly attacks with the Kremlin—a report published by the Department of Homeland Security and the FBI last December included the group on its list of known Russian-government hacking operations.

Symantec says it has assisted the power companies that experienced the deepest penetrations, helping them eject the hackers from their networks. The firm also sent warnings to more than a hundred companies about the Dragonfly 2.0 hackers, as well as to the Department of Homeland Security and the North American Electric Reliability Corporation, which is responsible for the stability of the US power grid. NERC didn't immediately answer WIRED's request for comment on Symantec's findings, but DHS spokesperson Scott McConnell wrote in a statement that "DHS is aware of the report and is reviewing it," and "at this time there is no indication of a threat to public safety."

But Symantec's Chien nonetheless warns any company that thinks it may be a target of the hackers to not only remove any malware it has identified as the group's calling card but also to refresh their staff's credentials. Given the hackers' focus on stealing those passwords, even flushing all malware out of a targeted network might not prevent hackers from gaining a new foothold if they still have employees' working logins.

The Dragonfly hackers remain active even today, Chien warns, and electric utilities should be on high alert. Given that the group has, in some form, been probing and penetrating energy utility targets for the past seven years, don't expect them to stop now.

Read more https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/

8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps

September 8, 2017

The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) on Thursday issued an advisory detailing eight cybersecurity vulnerabilities found in Smiths Medical's Medfusion 4000 wireless infusion pumps.


The vulnerabilities, identified by cybersecurity researcher Scott Gayou, range in severity from low to critical on the Common Vulnerability Scoring System (CVSS v3) and, according to ICS-CERT, could be exploited remotely by a skilled hacker.

"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump," ICS-CERT says.

But despite this, Smiths Medical says it is "highly unlikely" that the vulnerabilities would be exploited in a clinical setting, and that it is planning to release an update to address the vulnerabilities by mid-January 2018.

Smiths also says it has been working with ICS-CERT and the US Food and Drug Administration (FDA) to mitigate the cybersecurity issues.


The advisory lists eight vulnerabilities found on three versions of Smiths' Medfusion 4000 Wireless Syringe Infusion Pump (versions 1.1, 1.5 and 1.6).

Six of the vulnerabilities involve the use of hard-coded credentials, authentication gaps and certificate validation issues, which could allow a hacker to gain access to the device.

The other two involve third-party components. One is a component that "does not verify buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device." The advisory notes, however, that the pump receives these inputs infrequently and only under certain circumstances, which makes the vulnerability more difficult to exploit.

The second relates to a component that could cause out-of-bounds memory errors, which could crash the device's communications module, though Smiths says this type of crash would not affect the device's therapeutic functionality.


To mitigate the risks posed by the vulnerabilities, ICS-CERT says that facilities using the devices should conduct a risk assessment to determine whether they should disconnect the pumps from their network until a fix is available.

While disabling networking features would minimize the possibility of attacking the devices, ICS-CERT says this would require staff to manually update the pumps' drug libraries.

If the devices remain networked, ICS-CERT says users should close off several ports, including Port 20/FTP, Port 21/FTP and Port 23/Telnet and ensure the FTP server is disabled.

Additionally, ICS-CERT says that network traffic to the devices should be monitored and logged and that the devices should be isolated from the Internet and any untrusted systems.
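As an added example (not from the advisory or the article), a small Python check that applies the ICS-CERT guidance above to constructed flow records: it flags any traffic towards a pump on ports 20, 21 or 23 and any pump traffic whose peer lies outside the trusted clinical network, which is the "isolated from the Internet and untrusted systems" requirement. The pump addresses, the trusted network range and the flow-record format are assumptions made for this example.

```python
import ipaddress

# Ports ICS-CERT advised closing off on networked Medfusion 4000 pumps.
BLOCKED_PORTS = {20: "FTP-data", 21: "FTP", 23: "Telnet"}

# Constructed for this example: pump addresses on a clinical network segment.
PUMP_HOSTS = {"10.20.5.11", "10.20.5.12"}

# Constructed for this example: the only network the pumps may talk to
# (e.g. the segment holding the drug-library server).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records, one per line: "src_ip dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.20.5.11 10.20.1.5 443 tcp
10.20.1.77 10.20.5.11 21 tcp
10.20.1.77 10.20.5.12 23 tcp
203.0.113.9 10.20.5.11 8443 tcp
10.20.5.12 10.20.1.5 53 udp
10.20.1.80 10.20.5.11 20 tcp
"""


def parse_flow(line):
    """Parse one flow record; return None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 4:
        return None
    src, dst, port, proto = fields
    try:
        return {
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def is_trusted(addr):
    """True if the address belongs to one of the allow-listed networks."""
    return any(addr in net for net in TRUSTED_NETS)


def audit_flows(text, pump_hosts=PUMP_HOSTS):
    """Return (reason, detail, record) findings for flows involving pumps.

    Two checks taken from the ICS-CERT mitigation list:
      * blocked_port: traffic towards a pump on an FTP or Telnet port.
      * untrusted_peer: a pump exchanging traffic with an address outside
        the trusted clinical network, i.e. the pump is not isolated.
    """
    pumps = {ipaddress.ip_address(h) for h in pump_hosts}
    findings = []
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        if dst in pumps and rec["port"] in BLOCKED_PORTS:
            findings.append(("blocked_port", BLOCKED_PORTS[rec["port"]], line.strip()))
        # Identify the non-pump side of the conversation, if a pump is involved.
        peer = src if dst in pumps else dst if src in pumps else None
        if peer is not None and not is_trusted(peer):
            findings.append(("untrusted_peer", str(peer), line.strip()))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. for a daily monitoring report."""
    counts = {}
    for reason, _detail, _record in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_flows(SAMPLE_FLOWS)
    for finding in results:
        print(finding)
    print(summarize(results))
```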

More Info http://www.raps.org/Regulatory-Focus/News/2017/09/08/28438/DHS-Warns-of-8-Cybersecurity-Vulnerabilities-in-Smiths-Medical-Wireless-Infusion-Pumps/




The first quantum-cryptographic satellite network will be Chinese

September 1, 2017

In the never-ending arms race between encryptors and eavesdroppers, many of those on the side that is trying to keep messages secret are betting on quantum mechanics, a description of how subatomic particles behave, to come to their aid. In particular, they think a phenomenon called quantum entanglement may provide an unsubvertable way of determining whether or not a message has been intercepted by a third party. Such interception, quantum theory suggests, will necessarily alter the intercepted message in a recognisable way, meaning that the receiver will know it is insecure. This phenomenon depends on the fact, surprising but true, that particles with identical properties which are created simultaneously are entangled in a way that means one cannot have its properties altered without also altering the other, no matter how far apart they are.


Researchers in several countries have experimented with the idea of quantum encryption, with some success. They have sent quantum-entangled messages through optical fibres, and also through the air, as packets of light. This approach, though, suffers from the fact that the signal is absorbed by the medium through which it is passing. The farthest that a quantum signal can be sent through an optical fibre, for example, is about 100km. Sending one farther than that would require the invention of quantum repeaters, devices that could receive, store and re-transmit quantum information securely. Such repeaters are theoretically possible, but so technologically complex that they remain impossible in practice.

An alternative is to beam entangled photons through the vacuum of space, where there is nothing to absorb them. This would mean transmitting them via satellite. Whether that can be done while preserving entanglement was, for a long time, unclear. But it is clear now. Experiments conducted recently, by Pan Jianwei, a physicist at the University of Science and Technology of China, in Hefei, have shown that it can.

The keys to the high castle

Such tests have been made possible by the launch, in August 2016, of Micius, the world’s first quantum-communication satellite. Micius (named after a Chinese philosopher of the 5th century BC, who studied optics) now orbits Earth at an altitude of 500km. Using it, Dr Pan and his colleagues have been testing the protocols that a global quantum-communications network will need to work.

Their first study, published in June, showed that entangled photons sent by the satellite to pairs of ground stations remain entangled, even when those stations are as much as 1,200km apart. Following that success, they attempted to use entanglement to “teleport” information from the ground to orbit. Information teleporting, so called because it happens without anything physical passing from one place to another, involves the sender changing a quantum aspect of one photon of an entangled pair that he has control over, and the receiver observing the same change in the other member of the pair, over which he has control. A series of such changes on successively transmitted photons can carry information, provided a code has been agreed on in advance.

To minimise the amount of atmosphere in the way, and thus the risk of signal disruption, Dr Pan and his team put their ground station for this experiment in Ngari, a region of south-western Tibet that has an altitude of 5,100 metres. They beamed one of an entangled pair of photons to Micius and kept the other on the ground. They then entangled the grounded photon with a third photon, and measured how this altered its polarisation and the polarisation of the photon on the satellite. The result, reported in July, was that the two do, indeed, change in lockstep. The team had thus succeeded in teleporting information from the ground to the satellite.

In a third study, also published in July, Dr Pan showed that Micius is able to transmit useful information, in the form of quantum-encryption keys, to a ground station in Xinglong, near Beijing. The transmission of such keys is crucial to quantum cryptography. Quantum-encryption keys are the quantum states of long strings of photons. Using one, a receiver can decrypt a message which has been encrypted with the key in question.

The security of quantum cryptography relies on the fact that eavesdropping breaks the entanglement by observing what is going on. It is a real-life example of the thought experiment known as Schrödinger’s cat, in which a cat in a box remains both dead and alive until someone opens the box to look—at which point it becomes one or the other. Though entanglement-breaking will not be noticed by the receiver of a single photon, doing it to a series of photons will be statistically detectable, alerting him that the line is insecure.
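The statistical argument in the paragraph above, as an added Python simulation that is not part of the Economist article: a deliberately simplified intercept-resend model on entangled pairs, in which a single tampered photon looks like any other, but the error rate over thousands of sifted bits is unmistakable. The model and the 11% detection threshold (the commonly cited bound for BB84-style protocols) are assumptions for this example, not figures from the article.

```python
import random


def run_entangled_exchange(n_pairs, eavesdrop, seed=2017):
    """Simulate distributing n_pairs entangled photon pairs to two stations.

    Simplified model, constructed for illustration:
      * Each station measures its photon in a randomly chosen basis (0 or 1).
      * When both choose the same basis, entanglement makes their results
        agree, and that pair contributes one bit to the sifted key.
      * An intercept-resend eavesdropper measures the second photon in a
        random basis and re-emits it. When her basis differs from the one
        the stations share, the re-emitted photon gives the receiver a
        random result, so half of those sifted bits are wrong (25% overall).
    Returns (sifted_bits, mismatched_bits).
    """
    rng = random.Random(seed)
    sifted = mismatches = 0
    for _ in range(n_pairs):
        basis_a = rng.randint(0, 1)
        basis_b = rng.randint(0, 1)
        outcome = rng.randint(0, 1)  # shared random result when bases match
        result_a = result_b = outcome
        if eavesdrop:
            basis_e = rng.randint(0, 1)
            if basis_e != basis_a:
                # Wrong basis: the state reaching B no longer encodes A's result.
                result_b = rng.randint(0, 1)
        if basis_a == basis_b:
            sifted += 1
            if result_a != result_b:
                mismatches += 1
    return sifted, mismatches


def error_rate(sifted, mismatches):
    """Fraction of sifted bits on which the two stations disagree."""
    return mismatches / sifted if sifted else 0.0


def line_is_compromised(sifted, mismatches, threshold=0.11):
    """Flag the channel when the observed error rate exceeds the threshold.

    A single disagreeing bit proves nothing (noise does that too); only the
    rate over many sifted bits separates an eavesdropper from a clean line.
    """
    return error_rate(sifted, mismatches) > threshold


if __name__ == "__main__":
    for eve in (False, True):
        s, m = run_entangled_exchange(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted={s} errors={m} "
              f"rate={error_rate(s, m):.3f} compromised={line_is_compromised(s, m)}")
```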

This third demonstration of Micius’s capabilities paved the way for a subsequent, successful, attempt to share a secure key between Xinglong and a station 2,500km away in Nanshan, a town in Xinjiang, China’s westernmost province. To do so, Micius sent one half of a stream of entangled photon pairs to Xinglong when it passed over the place, and held the other half on board for two hours until it passed over Nanshan on its succeeding orbit.

The next stage, scheduled to happen in about five years’ time, will be to launch a quantum-communications satellite in a higher orbit than Micius’s. The altitude Dr Pan has in mind is 20,000km, which will permit the satellite to communicate simultaneously with a much bigger part of Earth’s surface and allow him to test the feasibility of building a practical quantum-communications network. He is also hoping to put an experimental quantum-communications payload on board China’s space station, which is scheduled for completion by 2022. Having this device on board the station will mean it can be maintained and upgraded by human operators—a rare example of space-station crew doing something that could not easily be accomplished by robots. If all this goes well, the ultimate goal is a world-spanning ring of satellites in geostationary orbits.

One question Dr Pan and his colleagues particularly want to answer with their next experiments is whether entanglement is affected by a changing gravitational field. They could do this by comparing photons that stay in the weaker gravitational environment of orbit with their entangled partners sent to Earth. He also has other questions about the basic physics underlying entanglement—in particular, how it is that an entangled particle “knows” the result of changes made to its far-distant partner? That would be Nobel-prizeworthy stuff. Albert Einstein, famously, called the phenomenon of quantum entanglement “spooky actions at a distance”. Dr Pan’s work is helping to exorcise those particular ghosts.

This article appeared in the Science and technology section of the Economist print edition under the headline "The early bird"

Read more: https://www.economist.com/news/science-and-technology/21727889-quantum-cryptographys-early-birds-first-quantum-cryptographic-satellite

Latest Cyber Security News

Individuals at Risk

Identity Theft

Equifax Hack Exposes Regulatory Gaps, Leaving Consumers Vulnerable: Despite the wealth of sensitive information in their databases, credit bureaus don’t face the same kind of scrutiny and oversight that banks do. The New York Times, September 8, 2017

Here are all the ways the Equifax data breach is worse than you can imagine: Another day, another massive data breach. Except this one involves Equifax, one of the credit-monitoring companies you might expect to be ultrasensitive to the importance of safeguarding your personal information from hackers. LA Times, September 8, 2017

Equifax Breach Response Turns Dumpster Fire: I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social Security numbers and other information on 143 million Americans. KrebsOnSecurity, September 8, 2017

Equifax Breach: 8 Takeaways: After Equifax on Thursday warned that 143 million consumers’ personal details may have been stolen by hackers, criticism of the consumer credit reporting agency – and data broker – has been swift. BankInfoSecurity, September 8, 2017

Outrage builds after Equifax executives banked $2 million in stock sales following data breach: The sale of nearly $2 million in corporate stock by high-level Equifax executives shortly after the company learned of a major data breach has sparked public outrage that could turn into another hurdle for the credit rating agency. The Washington Post, September 8, 2017

Equifax Says Cyberattack May Have Affected 143 Million in the U.S.: Criminals gained access to certain files in the company’s system from mid-May to July, according to an investigation by Equifax. The New York Times, September 7, 2017

Cyber Defense

Password Managers: One of the most important steps you can take to protect yourself online is to use a unique, strong password for every one of your accounts and apps. Unfortunately, it is most likely impossible for you to remember all your different passwords for all your different accounts. This is why so many people reuse the same password. SANS, September 2016

Information Security Management in the Organization

Cyber Warning

New Dridex Phishing Campaign Delivers Fake Accounting Invoices: A new variant of the banking trojan Dridex is part of a sophisticated phishing attack targeting users of the cloud-based accounting firm Xero. ThreatPost, September 7, 2017

Cyber Defense

Are you an easy hacking target? Cybersecurity tips for small business: Small businesses and self-employed people are big targets for hackers, and the financial implications can be crippling. Gone are the days of thinking “It’ll never happen to us”. A total of 61% of all data breaches this year occurred in businesses with fewer than 1,000 employees, according to the Verizon Data Breach Investigations Report. Estimates vary on how much a breach truly costs, but it can often be millions of pounds. The Guardian, September 8, 2017

The 5 cyber attacks you’re most likely to face: As a consultant, one of the biggest security problems I see is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system when really what they need is better patching. CSO, August 21, 2017

Cyber Talent

Meet the WISOs: 10 Women Information Security Officers to watch: As girls and young women become interested in cybersecurity, they can look to these Women Information Security Officers for inspiration. CSO, September 8, 2017

Cybersecurity in Society

Cyber Freedom

German hackers find security hole in software used for vote counts: Serious security flaws in the software used to register voting tallies in Germany and transmit them across the country have been found by a hackers’ collective, who have warned of the possibility of external attacks. The Guardian, September 8, 2017

Cash-strapped states brace for Russian hacking fight: The U.S. needs hundreds of millions of dollars to protect future elections from hackers — but neither the states nor Congress is rushing to fill the gap. Politico, September 3, 2017

Fake News

The Fake Americans Russia Created to Influence the Election: Posing as ordinary citizens on Facebook and building “warlists” of Twitter accounts, suspected Russian agents intervened last year in the American democratic process. The New York Times, September 7, 2017

The Fake-News Fallacy: Old fights about radio have lessons for new fights about the Internet: On the evening of October 30, 1938, a seventy-six-year-old millworker in Grover’s Mill, New Jersey, named Bill Dock heard something terrifying on the radio. Aliens had landed just down the road, a newscaster announced, and were rampaging through the countryside. Dock grabbed his double-barrelled shotgun and went out into the night, prepared to face down the invaders. But, after investigating, as a newspaper later reported, he “didn’t see anybody he thought needed shooting.” In fact, he’d been duped by Orson Welles’s radio adaptation of “The War of the Worlds.” Structured as a breaking-news report that detailed the invasion in real time, the broadcast adhered faithfully to the conventions of news radio, complete with elaborate sound effects and impersonations of government officials, with only a few brief warnings through the program that it was fiction. The New Yorker, September 4, 2017

National Cybersecurity

The Cyberlaw Podcast – Stewart Baker interviews Michael Mainelli: In Episode 177, fresh from hiatus, we try to summarize the most interesting cyber stories to break in August. Paul Rosenzweig kicks things off with the Shunning of Kaspersky. I argue that the most significant – though unsupported – claim about Kaspersky is Sen. Shaheen’s assertion that all of the company’s servers are in Russia. If true, that’s certainly an objective reason not to let Kaspersky install sensors in non-Russian computers. The question that remains is how much due process companies like Kaspersky should get. That’s a question unlikely to go away, as DOD is now comprehensively shunning DJI drones, issuing guidance that sounds a lot like Edward Snowden demanding that users uninstall all DJI apps and remove all batteries and storage media. Steptoe Cyberblog, September 5, 2017

The first quantum-cryptographic satellite network will be Chinese: In the never-ending arms race between encryptors and eavesdroppers, many of those on the side that is trying to keep messages secret are betting on quantum mechanics, a description of how subatomic particles behave, to come to their aid. In particular, they think a phenomenon called quantum entanglement may provide an unsubvertable way of determining whether or not a message has been intercepted by a third party. Such interception, quantum theory suggests, will necessarily alter the intercepted message in a recognisable way, meaning that the receiver will know it is insecure. This phenomenon depends on the fact, surprising but true, that particles with identical properties which are created simultaneously are entangled in a way that means one cannot have its properties altered without also altering the other, no matter how far apart they are. The Economist, August 31, 2017

Cyber Law

Could CareFirst Data Breach Case Be Headed to Supreme Court?: Could the class action lawsuit filed against CareFirst Blue Cross Blue Shield after a 2014 cyberattack impacting 1.1 million individuals be the first data breach case headed to the Supreme Court? A recent ruling by a federal court makes that a possibility. BankInfoSecurity, September 8, 2017

SEC Chief: Regulators must do more to help small investors better understand cyber crime and online fraud: NEW YORK (Reuters) – Regulators must do more to help mom-and-pop investors better understand the potential risks posed by cyber crime and new technologies used to commit fraud, U.S. Securities and Exchange Commission Chairman Jay Clayton said on Tuesday. Reuters, September 5, 2017

Cyber Medical

DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps: The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) on Thursday issued an advisory detailing eight cybersecurity vulnerabilities found in Smiths Medical’s Medfusion 4000 wireless infusion pumps. RAPS, September 8, 2017

Critical Infrastructure

Symantec Report: Hackers found to gain direct operational access to US power grid controls: In an era of hacker attacks on critical infrastructure, even a run-of-the-mill malware infection on an electric utility’s network is enough to raise alarm bells. But the latest collection of power grid penetrations went far deeper: Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will. Wired, September 6, 2017

Internet of Things

IoT Security: What’s Plan B?: In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn’t regulate the IoT market. It doesn’t single out any industries for particular attention, or force any companies to do anything. It doesn’t even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want. SchneierOnSecurity, September 2017

Cyber Miscellany

If Blockchain Is the Answer, What Is the Security Question?: Like any technology, blockchain has its strengths and weaknesses. But debunking three common myths can help you cut through the hype. DarkReading, September 8, 2017

Boston Red Sox Used Apple Watches to Steal Signs Against Yankees: When confronted by Major League Baseball, the Red Sox admitted they were using Apple Watches in a scheme to gain an edge at the plate. The New York Times, September 5, 2017

Cyber Research

Security researchers in China send silent commands to speech recognition systems with ultrasound: Security researchers in China have invented a clever way of activating voice recognition systems without speaking a word. By using high frequencies inaudible to humans but which register on electronic microphones, they were able to issue commands to every major “intelligent assistant” that were silent to every listener but the target device. TechCrunch, September 6, 2017



The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of Physical & Cyber Protection and Resilience. The goals of CRC-ICS are to inform industries and critical infrastructures about the fast-changing threats they face and about the measures, controls and techniques that can be implemented to prepare for these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net