The Risk of the Insider Threat

Elon Musk, CEO of Tesla, sent an email to all employees over the weekend telling them that the company was hacked by an employee who changed code on an internal product and sent company data outside without permission.

The software, the Tesla Manufacturing Operating System, is likely used internally in the manufacturing process.

The employee created false user names and then modified the software without approval.  He also sent large volumes of sensitive Tesla data to third parties.

This investigation is not over and there is a question about whether outsiders were involved.  There are lots of people who do not like the idea of an electric car, starting with the oil and gas industry and some Wall Street insiders.  The traditional car makers, who seem perfectly willing to lie and cheat to pass emissions tests, could also be motivated to harm Tesla.

In this particular case, the employee said he was mad because he was passed over for a promotion.  THAT was probably a good move since it is going to be hard for him to work from prison.

This is an important notice for all employers.

Every company, except those with one or two employees, has employees who are not happy.  Would an unhappy employee become a saboteur?  Hopefully not, but the larger the company is, the more likely that at least one person will have a grudge and could, possibly, act on it.

In Tesla’s case, even though this person created fake accounts to try and hide his deeds, the company had sufficient tools in place to uncover the sabotage and figure out who the employee was.

For your company, how much damage could a disgruntled employee do and could you detect it?  How quickly could you repair the damage?  Could you figure out who did the damage in order to prevent a repeat performance?
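The questions above come down to whether your logs would surface what happened at Tesla: accounts created outside normal onboarding, then used for unreviewed changes and large outbound transfers. The script below is an added example written for this post, not Tesla's tooling; the audit log format, the field names, the user names and the HR roster are all constructed for illustration. It correlates account creation against the HR roster, watches what those accounts do afterwards, and rolls the findings up to the human account that created them.

```python
"""Flag accounts that were created outside normal onboarding and then used to make
unreviewed code changes or send data outside the company.

Added example written for this post; it is not Tesla's tooling. The log format,
field names, user names and the HR roster below are all constructed for illustration.
"""
from collections import defaultdict

# Constructed: identities the HR/onboarding system knows about.
HR_ROSTER = {"alice", "bob", "carol"}

# Constructed audit log. Format: <timestamp> <event> key=value ...
AUDIT_LOG = """\
2018-06-15T01:12:00Z account_created actor=bob target=svc_build7
2018-06-15T01:13:10Z account_created actor=bob target=qa_tmp2
2018-06-15T01:20:45Z code_change actor=svc_build7 repo=mos-core reviewed=no
2018-06-15T01:25:02Z code_change actor=alice repo=mos-core reviewed=yes
2018-06-15T02:03:30Z code_change actor=qa_tmp2 repo=mos-line3 reviewed=no
2018-06-15T02:10:00Z data_export actor=svc_build7 bytes=734003200 dest=external
2018-06-15T09:00:00Z code_change actor=carol repo=mos-core reviewed=yes
""".splitlines()


def parse_event(line):
    """Turn one audit line into a dict of its fields."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = ts
    fields["event"] = event
    return fields


def find_rogue_accounts(lines, roster):
    """Return {account: {"created_by": creator, "findings": [...]}} for accounts
    that do not appear in the HR roster and were then used for an unreviewed
    code change or an external data export."""
    events = [parse_event(line) for line in lines if line.strip()]

    # Pass 1: every account_created whose target HR has never heard of.
    created_by = {}
    for e in events:
        if e["event"] == "account_created" and e["target"] not in roster:
            created_by[e["target"]] = e["actor"]

    # Pass 2: what those accounts did afterwards.
    report = {}
    for e in events:
        actor = e["actor"]
        if actor not in created_by:
            continue
        entry = report.setdefault(actor, {"created_by": created_by[actor], "findings": []})
        if e["event"] == "code_change" and e.get("reviewed") == "no":
            entry["findings"].append(f"unreviewed change to {e['repo']} at {e['ts']}")
        elif e["event"] == "data_export" and e.get("dest") == "external":
            mib = int(e["bytes"]) // (1024 * 1024)
            entry["findings"].append(f"{mib} MiB exported externally at {e['ts']}")

    # Only accounts that actually did something worth a look.
    return {acct: info for acct, info in report.items() if info["findings"]}


def attribute_to_creator(report):
    """Roll rogue accounts up to the human account that created them, which is
    the person an investigation would start with."""
    by_creator = defaultdict(list)
    for acct, info in report.items():
        by_creator[info["created_by"]].append(acct)
    return dict(by_creator)


if __name__ == "__main__":
    rogue = find_rogue_accounts(AUDIT_LOG, HR_ROSTER)
    for acct, info in rogue.items():
        print(f"{acct} (created by {info['created_by']}):")
        for finding in info["findings"]:
            print("  -", finding)
    print("creators to interview:", attribute_to_creator(rogue))
```

The two things that make this work are the ones most companies lack: a roster the detection can compare account creation against, and a review flag recorded with each change. Without either, a fake account looks like any other service account.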

In today’s world it probably does not take much to get just one employee really peeved and if you have someone outside the company who could motivate that action with money – well you have really increased the odds.

Information for this post came from CNBC.


IoT is Going to Set Security Back a Decade, at Least

Axis Communications, the Swedish maker of high end security cameras (up to $1,000 each), announced patches to seven vulnerabilities that affect almost 400 camera models.

Axis is not some cheap Chinese knockoff;  these are well respected cameras used in businesses the world over.

The vulnerabilities, discovered by the security firm VDOO, come with in-depth documentation and proof of concept code for all of the kiddie hackers to copy.

The vulnerabilities, used in combination, allow an attacker to take over a camera knowing only its IP address and not needing the password.

If the camera has a public IP address and is not meant for public consumption, these flaws would allow a hacker to bypass the security that the owner put in place and look at whatever the camera is pointed at, in real time.

So what do you do?

One more time, this is an example of the Internet of Things at its most challenging.

Most companies do not have a patch regimen for IoT devices.

In fact, most companies don’t even check for firmware updates for IoT devices on a regular basis.

This is like PCs 10 years ago.

So, the first step is to inventory all of your IoT devices and keep the inventory current.

Step 2 is to set up a protocol for checking for firmware updates at least monthly. Since IoT devices could be a dishwasher, TV and refrigerator, you will likely be checking with multiple different manufacturers to find all the patches.

Finally, the last step is to set up a protocol to patch your smart coffee maker and security cameras whenever new firmware is available.
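The three steps above (inventory, monthly check, patch when firmware appears) are simple enough to track with a script. The one below is an added example written for this post, not a product or vendor tool; the devices, vendors, models and version numbers are constructed. It flags devices nobody has checked in the last 30 days, devices running something older than the vendor's current release, and devices whose firmware nobody has looked up at all.

```python
"""Track IoT devices and their firmware: who has not been checked this month,
and who is running something older than the vendor's latest release.

Added example written for this post, not a product. The inventory, vendors,
models and version numbers are constructed; in practice the LATEST_FIRMWARE
table is what you fill in by visiting each manufacturer's support page.
"""
from datetime import date, timedelta


def parse_version(text):
    """'5.40.1' -> (5, 40, 1) so versions compare numerically, not as strings
    (as strings, '1.2.9' would sort after '1.2.10')."""
    return tuple(int(part) for part in text.split("."))


# Constructed inventory. last_checked is None for a device nobody has looked at yet.
INVENTORY = [
    {"name": "lobby-cam-01", "vendor": "AcmeCam", "model": "X100",
     "firmware": "5.40.1", "last_checked": date(2018, 5, 2)},
    {"name": "dock-cam-02", "vendor": "AcmeCam", "model": "X100",
     "firmware": "5.50.0", "last_checked": date(2018, 6, 1)},
    {"name": "breakroom-fridge", "vendor": "KoolCo", "model": "F7",
     "firmware": "1.2.9", "last_checked": date(2018, 6, 10)},
    {"name": "smart-coffee", "vendor": "BrewBot", "model": "B2",
     "firmware": "0.9.0", "last_checked": None},
]

# Constructed: latest firmware per (vendor, model), gathered from each vendor's site.
LATEST_FIRMWARE = {
    ("AcmeCam", "X100"): "5.50.0",
    ("KoolCo", "F7"): "1.2.10",
}


def overdue_checks(inventory, today, max_age_days=30):
    """Names of devices not checked within max_age_days, or never checked."""
    cutoff = today - timedelta(days=max_age_days)
    return [d["name"] for d in inventory
            if d["last_checked"] is None or d["last_checked"] < cutoff]


def outdated_firmware(inventory, latest):
    """(name, installed, latest) for devices behind the vendor's current release."""
    out = []
    for d in inventory:
        current = latest.get((d["vendor"], d["model"]))
        if current and parse_version(d["firmware"]) < parse_version(current):
            out.append((d["name"], d["firmware"], current))
    return out


def unknown_models(inventory, latest):
    """Devices with no entry in the vendor table: nobody has looked up their firmware."""
    return [d["name"] for d in inventory if (d["vendor"], d["model"]) not in latest]


if __name__ == "__main__":
    today = date(2018, 6, 15)
    print("overdue for a check:", overdue_checks(INVENTORY, today))
    print("behind on firmware:", outdated_firmware(INVENTORY, LATEST_FIRMWARE))
    print("no vendor info yet:", unknown_models(INVENTORY, LATEST_FIRMWARE))
```

Note the fridge: its installed 1.2.9 is older than the vendor's 1.2.10, which a plain string comparison would get backwards. That is the kind of mistake that quietly leaves a device unpatched.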

Definitely a pain in the <bleep>, but necessary.


Friday News Bites – June 15, 2018

Details Emerge on TicketFly Hack

More details are coming out about the TicketFly attack.  First thing is that the web site was based on WordPress.  While WordPress is a very popular platform for individuals and small businesses, using it for something as complex as a concert ticketing site is likely a mistake.  Hackers were able to get data on 27 million customers, but the good news is that no passwords or credit card data was accessed; only names, addresses, phones, emails, etc. were compromised.  This is likely due to security-minded design decisions made early in the development of the site. The site was down for almost a week, a disaster in the online ticketing business, and they are likely going to have to pay the venues that use them significant compensation to keep them from jumping ship.  That is in addition to the megabucks spent in recovery and probably more megabucks in rebuilding the site using something other than WordPress. (Source: Variety)

FBI Arrests 74; recoups $14 Million

Business email compromise is a $5 billion industry according to the FBI (see article here).  The FBI says that they disrupted a business email compromise scheme, recovered $2.4 million and halted $14 million in bogus wire transfers.  This represents 0.3 percent (about one third of one percent) of the reputed losses.  While any arrests are a good thing, no one should think that this problem is handled, because, if anything, it is getting worse.  (Source: Ars Technica)

Apple Continues to Poke the Tiger in the Eye

Apple seems to be committed to doing battle with the feds while the rest of us enjoy popcorn.  When Apple refused to unlock an iPhone after the San Bernardino shooting (in part because the FBI did not follow Apple’s instructions), the FBI paid a third party to hack it.  Now Apple is saying that, in the next software release, they are going to disable data transfer from locked iPhones via the charging port after a phone has been locked for an hour.  Why that should have ever been open is not clear.  This will likely break some of the hacking software that the police are using.  (Source: NY Times)

Another Day, Another Intel Speculative Execution Bug

I am beginning to feel sorry for Intel.   In addition to the original Spectre and Meltdown bugs, some of which will never be fixed and others of which are hard to exploit, there recently were 8 more flaws announced with differing degrees of difficulty and impact.  This week brings Lazy State, an exploit that allows a process to infer the contents of the floating point arithmetic registers of another process due to a time optimization called lazy floating point state restore.  Some operating systems have already turned this optimization off (Red Hat Enterprise Linux) and any Linux variant running version 4.9 of the kernel or newer is also safe.  Others have patched the flaw recently (OpenBSD, FreeBSD).  I am assuming that Microsoft and Apple will fix this month since turning off this optimization does not require a microcode update.  Still, collectively, all of these fixes will reduce performance.  (Source: ZDNet)

Another Crypto-currency Breach

We continue to see attacks against crypto-currencies.  Why?  Because hackers think it is easy to do and the odds of getting caught are low.  This week it is Ethereum and they lost about $20 million.  One more time, this is not an attack on the math, but rather on the implementation.  Users left ports open on their client computers, which allowed the attackers to steal the users’ wallets. (Source: The Hacker News)


DoD Moving Forward on Cybersecurity After Breach

In the wake of the cybersecurity disaster at the Naval Undersea Warfare Center, where a contractor lost control of over 600 gigabytes of extremely sensitive weapons system data for the Sea Dragon program, the DoD is reacting.  Sea Dragon, based on the few details we have, is a disruptive offensive weapon targeting Chinese submarines.

Among the data compromised is cryptographic information about how the subs communicate.

Now the Chinese have those secrets and the billions of dollars probably spent on the program may be flushed down the toilet.

DODDAC, the Department of Defense Damage Assessment Center, is trying to assess the level of damage that was done.  It is likely that we will never find out the true impact of this breach.

The category of information that was breached is known, generally, as controlled unclassified information or CUI.  The DoD has been talking for years about implementing an acquisition rule called DFARS 252.204-7012, securing controlled unclassified information, and NIST SP 800-171, the how-to guide for doing that.  December 31, 2017 was supposed to be the date the regulation went into effect, but in mid December the DoD blinked.  Again.  The instructions to industry were that they just needed to have a plan for becoming compliant.

But the problem is that no one was assigned to fix the problem.

In the wake of this new and recurring scandal, Defense Secretary Jim Mattis ordered the Under Secretary of Defense for Intelligence to deal with this.  The Under Secretary instructed the Defense Security Service, which is accountable for managing classified information in the defense contractor community, to come up with a plan to manage controlled unclassified information too.  The challenge with that is that the amount of controlled unclassified information and the number of people handling it dwarfs the amount of classified information by many times.

Given this, what should defense contractors and sub-contractors do now?

While we don’t know the how and the when, it is very likely that DoD will begin to clamp down on how contractors handle CUI and the Defense Security Service will expand their sphere of influence to contractors handling CUI, starting with the primes and letting them handle the subs.  We have seen that this has already started, but we believe it will accelerate.

For the most part, what NIST 800-171 mandates is “best in industry” cyber security practices.

If you are a contractor, you should be actively working on becoming compliant.  You should have been doing this already, but there should be more urgency now.  Start with implementing the policies, procedures and practices and move on from there: adding the controls and monitoring, incident response and so on.

While we don’t know when, my guess is General Mattis does not want another disaster on his watch and he already has the regulations on the books to help fix the problem.  All he needs to do is make it happen.  Remember, Generals, especially Marine Corps Generals,  are very good at “making it happen” and I would not question his desire to not be embarrassed again.  He is going to have to, at some point, explain to Congress why the billions of dollars they gave him have been wasted.  Not a fun conversation.

Given all this, being prepared is a really good plan.  We can help.

Information for this post is based on a memo from the Pentagon.


The Global Shipping Industry is a Shipwreck

Maybe we should call it a dumpster fire, but whether we call it a shipwreck or a dumpster fire, it is a mess.

According to pen testers, shipping industry security is where mainstream IT was years ago.

The pen testers say that the attacks are TRIVIAL to execute and easy to mitigate against.

These ships are connected via satellite and are always on the Internet, like most businesses.  Just with crappy, insecure software.

The pen testers created proof of concept attacks where they took ships off course.  A bad guy could cause ships to crash into each other at night or in fog.

The flaws that they revealed are just the tip of the iceberg, the pen testers say.

They say that this is definitely a matter of when a big attack happens and not if.

One attack targeted the electronic chart display and information system (ECDIS).    Hack the charts and young sailors who believe computers instead of “looking out the window” will be easily fooled.  They tested 20 different ECDIS systems and they were all easy to hack.  If the ship is in autopilot mode tied to ECDIS and ECDIS is hacked, then the hackers can make the ship go anywhere they want it to go.  That is just one attack.

OK, so what does this mean to you and me?

Since most of us are not captains of tankers or container ships, it is not about that.  But, if you are, take note!

These shipboard systems are just sophisticated IoT systems and like most IoT systems, the security is horrible.

While you may not captain a ship, your car likely has hundreds of computers in it and we have seen them hacked in the news from time to time.  When you buy a car, do you ask about the security of it?  If you do, the salesperson is probably clueless and has no idea about the answer.  Most people just believe whatever babble the salesperson provides.

Whether it is a car, TV, refrigerator or factory floor machine, ask questions, educate yourself and don’t believe the first answer you get.

Once you buy it, you likely own the problem.  The problem has to get massively large before anyone is really going to help you.

You are, pretty much, on your own.  Understand that and make sure that you are OK with that.

Information for this post came from Threatpost.


Cryptocurrencies Under Attack

A story that seems to be repeated with way too much frequency is cryptocurrency attacks.  This is because most users don’t understand how easy these attacks are.

I am aware of *NO* attacks that compromised the cryptography of cryptocurrencies.  Always it is the software.  Sometimes on the user’s side.  Other times on the exchange’s side.

The cryptocurrency exchange called Coinrail lost $40 million to an attack.  Coinrail has taken its service offline and has moved what is left of its currency into cold storage to make it harder for the hackers and to help investigators figure out how the attackers got in (source: Techcrunch).

The Japanese exchange Coincheck lost $400 million to hackers.  They say they do not know how the attackers stole the money. They are considering compensating users who lost money – whatever that means. (Source: Techcrunch)

Tether, a cryptocurrency startup, lost $31 million to attackers.  (Source: Techcrunch)

Bitcoin lost $500 of value in an hour after the most recent attack.  The industry as a whole lost $42 billion in value. (Source: Bloomberg)

As a coin speculator, what should you be doing?

First, you need to understand that you are a speculator in a wildly volatile commodity and that commodity has zero inherent value, unlike hog bellies or gold.

Second, understand that there is no insurance, very limited government regulation and no government protection from losses suffered.  This is about as risky as loaning money to your cousin Vinny.

Third, like all investments, diversify.  Whether that means stocks, bonds and Crypto or just different crypto exchanges (and not different currencies at the same exchange), diversify.  I recommend the first;  you do the second at your own peril.

Keep your wallet offline.  Hackers stole $20 million in Ethereum because users had opened a port on their local machines which allowed hackers to empty their wallets.  Offline is not a silver bullet, but it will stop that particular attack as long as the wallet stays offline.

Only run cryptocurrency transactions on a machine that you know to be secure.  One recent attack used DNS compromises on users’ machines to make their software think they were connecting to their exchange when, in fact, they were connecting to the attacker’s computers.
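The "open port" problem in the Ethereum theft above is easy to check for on your own machine: a wallet or node's management interface should only ever listen on loopback. The script below is an added example written for this post, not any wallet's own tooling. It parses `ss -ltn` style output (the sample here is constructed; a real audit would feed in the live output of that command) and reports every listener bound to something other than loopback, labelling the ports that are well-known daemon defaults.

```python
"""Audit a wallet host's listening sockets and flag anything reachable from
outside the machine, with known wallet/node RPC ports called out.

Added example written for this post; not any wallet's own tooling. The `ss -ltn`
output below is constructed (a real run would use the live output), and the
port annotations are the well-known defaults for those daemons.
"""
import ipaddress

# Constructed sample of `ss -ltn` output: one RPC listener bound to loopback only,
# one bound to every interface (the bad case), plus sshd, a print spooler and
# a Bitcoin RPC port bound to IPv6 loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8545       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8545         0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::1]:8332           [::]:*
"""

# Well-known defaults, used only to label findings; any other exposed port is still reported.
KNOWN_RPC_PORTS = {
    8545: "Ethereum JSON-RPC (geth default)",
    8332: "Bitcoin Core RPC default",
}


def parse_listeners(text):
    """Return [(address, port)] from ss-style output, skipping the header line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # IPv6 addresses contain ':' themselves
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True for 127.x and ::1 only. '*' (every interface) and wildcards are not loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_listeners(listeners):
    """Listeners bound to something other than loopback, with a label where known."""
    return [(addr, port, KNOWN_RPC_PORTS.get(port, "unknown service, review"))
            for addr, port in listeners if not is_loopback(addr)]


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with the real output of `ss -ltn` to audit a live host.
    for addr, port, label in exposed_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED {addr}:{port}  {label}")
```

A wallet RPC bound to 0.0.0.0 is reachable from anything that can reach the machine, which on a home network with a badly configured router can mean the whole Internet. The fix is the daemon's bind-address setting, not the firewall alone.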

Bottom line – it is your money.  Treat it like it is important.
