A Cyber Event Interrupted US Power Grid Operations

Stories – and only stories – abound about whether the Ruskies have infiltrated the US power grid – years ago.  The government is not going to tell the truth for fear of scaring the crap out of people.

On March 5th a “cyber event” interrupted the power grid in parts of the western United States.  While in this case it did not cause blackouts, the affected areas were in California, Utah and Wyoming.

A cyber event, according to the DOE, involves unauthorized access to hardware, software or data.  Who?  Not clear.  What?  Not clear.  Why?  Not clear.

But …. not a good sign.

The incident lasted from 7 AM to 9 PM that day.  That is a long time.

The DOE did not respond to a request for information.

The Western Electricity Coordinating Council declined to comment.

“For security reasons we cannot disclose any further information” was the only comment.

So, while this time we averted disaster, that doesn’t mean we will next time.

Was this a test?  To see how the grid responded?  To test a capability?  Kind of like pulling the fire alarm to see how long it takes for the fire department to arrive.

I suspect that, whatever happened, the feds will *TRY* to fix the problem.   But the feds do not have a great track record.

Now might be a good time to buy a generator.

Consider your own cybersecurity  program.

And your disaster recovery/business continuity program.

If you are not familiar with this song in the movie Hoodwinked, it is entertaining and relevant.  Source: Environment & Energy News.

77% of Orgs Lack a Cybersecurity Incident Response Plan

The fourth annual benchmark on cyber resilience, authored by Larry Ponemon and paid for by IBM, shows that 77% of the organizations surveyed do not have a cybersecurity incident response program applied consistently across the organization.

Does your organization have an effective, trained and tested cybersecurity incident response program (CSIRP) that works across all parts of your organization?

Of the organizations that said that they do have a CSIRP, 54% said that they do not test it regularly.  That is more than half.  Not testing it regularly is the equivalent of not having one.

Other results from the study include:

  • Less than 25% of the organizations say that they use significant automation in responding to breaches.
  • Only 30% said that they had sufficient cybersecurity staffing.
  • 62% said that aligning cybersecurity and privacy is critical to achieving cyber resilience.

There are some pretty clear recommendations that can be drawn from these results:

1. The three-quarters of organizations that do not have incident response plans need to create one (having one reduces the cost of a breach significantly according to another study).

2. Organizations need to test their plans regularly. 

3. Automation improves the speed and consistency of response.  Not having automation makes response more problematic.

4. Staffing is still an issue, and staffing with the right skills is a problem.

5. With all of the new privacy regulations (such as CCPA, GDPR and others), privacy incident management and security incident management need to be tightly aligned.

How well does your organization do?

Contact us if you need assistance in improving your program.

For more information on the study, go to Help Net Security’s web site.

Security News for the Week Ending April 26, 2019

As Terrorists Blow Up Soft Targets, Sri Lanka Turns Off Social Media

As Sri Lanka deals with multiple bombs exploding at churches and hotels, the country’s solution to the inevitable use of social media to fan flames and release propaganda, in addition to news, is to turn off social media.

At the current time, it appears that 8 bombs went off, 200+ people were killed and 400+ people were injured.  The target seems to be minorities and foreigners, which is often the case in terrorist attacks.

Facebook and other social media, in an effort to spin the news, said that they are working to remove content that does not meet their guidelines (which of course could be very different than the government’s guidelines), but as we saw in Christchurch, New Zealand, doing that effectively is very difficult.  Facebook and its cousins would like to be thought of as an important news source and not just a purveyor of trash and hate, so they are no doubt trying to figure out how to respond.

What is not clear is whether other governments (probably not in the U.S.) see this as an effective way to control the flow of information when they choose to (which could include any number of different situations, not just terrorist attacks) and follow Sri Lanka’s example.  If this does become more common, that will not be good for the social media brands.  (Source: CNN).


Businesses Continue to Ignore Contacts About Data Which is Exposed

In this case, it was the Mexican Embassy in Guatemala.  Thousands of documents including passports and birth certificates and also documents related to the embassy itself were accidentally made publicly visible on a cloud storage provider.

But that is not my big concern.

One more time, the researcher contacted Mexican officials but got no response.

If a researcher contacted ANY person in your company saying they found a security issue, does every single employee know what to do?   It is, after all, very simple.

CONTACT SECURITY and provide them the information that was received.  Don’t try to figure out if it is a scam or how to fix it.  Just contact security.  Let them deal with it.  That is what they do for a living.  Now, if security screws up, well, that is their fault.  My guess is that, in this case, the information never made it to the right people.  Eventually, it did get removed.  (Source: Engadget).


China Has a New Export

China is the model of a surveillance state.  Now China has figured out that they can make a lot of money exporting that technology to other countries.  Ecuador is the prototype.  4,300 cameras.  16 monitoring centers.  More than 3,000 people watching those cameras.

Oh, yeah, in addition to spotting crimes, the video feed also goes to Ecuador’s domestic intelligence agency.  Some of the other countries buying the Chinese spy gear include Zimbabwe, Uzbekistan, Pakistan, Kenya, the United Arab Emirates and Germany.

36 countries received training on topics such as censorship (politely called “public opinion guidance”).  Source: The NY Times.


North Carolina Unveils Changes to Privacy Law

An amendment to the North Carolina Identity Theft Protection Act was introduced earlier this month.  Among the changes are:

1. Requires businesses to implement reasonable security practices (where reasonable is undefined and left for the lawyers to argue over in case of a breach).

2. Reduces the time to notify victims and the AG to 30 days, like Colorado.

3. Expands the definition of protected information to include health and healthcare information (which may also be protected under HIPAA, depending on how the business received it).

4. Clarifies that other information may be included as covered PII depending on whether there is sufficient information compromised to abuse it (for example, an email ID is not covered, unless the email password is also compromised).

5. Changes the definition of a breach to unauthorized access, without regard to whether the compromised information is used.

6. If the business determines that there was no potential harm due to a breach, they must now keep that proof for three years.

7. Requires, in cases of breaches at a CRA or any breach that involves Social Security Numbers, that the company provide 24 or 48 months of credit protection.

8. Expands the information that a business may be required to provide to the AG in case of a breach.

9. Says that compliance with GLBA or HIPAA gives a business safe harbor FOR THOSE sections of the bill that overlap.

10. Imposes other requirements on CRAs and businesses conducting credit checks.

The bill also allows a person to file a private right of action if they have been damaged.  Source: JDSupra.

IoT – It’s Only Getting Worse, Security Wise

With the government doing just about zero when it comes to protecting you from Internet of Things security hacks, this leaves the entire burden on you.

A hacker broke into two different GPS tracker apps – he hacked about 7,000 iTrack accounts and 20,000 ProTrack accounts.

In general hacking into someone’s web account might cost them money or lock them out of their account.

But in this case, the problem is bigger.

The iTrack and ProTrack software plugs into your car’s diagnostic port and can control your car.  As in turn off the engine as you drive down the road.  Or disable the engines of hundreds of cars and cause a traffic nightmare.

In addition, the hacker can track the vehicle location as it travels around the country.

The good news is that the car is smarter than the hacker and it will not turn the engine off if you are going fast.

How did this genius hacker take over almost 20,000 vehicles?

The software for at least one of these products comes from China, and they set the default password to 123456.

The software has an API so the hacker brute forced millions of user names like Joe, Sue, Mitch, Car, whatever.  After he had a goodly bunch of user names, he wrote a script to try the default password and voila, he was in.  Once he was in, he was able to scrape whatever information the user entered into the app.  In addition to controlling the car.
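From the defender’s side, a sweep like the one described above leaves a recognizable footprint in the vendor’s API login logs: one source address trying many distinct usernames in a short span.  The following detector is an added example, not code from the page or from any of the products mentioned; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for a vehicle-tracker API login endpoint.
# The format (timestamp, src=, user=, result=) is an assumption for this
# example, not any vendor's real log format.
SAMPLE_LOG = """\
2019-04-22T10:00:01 src=203.0.113.5 user=joe result=FAIL
2019-04-22T10:00:02 src=203.0.113.5 user=sue result=OK
2019-04-22T10:00:02 src=203.0.113.5 user=mitch result=FAIL
2019-04-22T10:00:03 src=203.0.113.5 user=car result=OK
2019-04-22T10:00:04 src=203.0.113.5 user=fleet1 result=OK
2019-04-22T10:00:05 src=203.0.113.5 user=truck7 result=OK
2019-04-22T10:30:00 src=198.51.100.9 user=alice result=FAIL
2019-04-22T10:30:05 src=198.51.100.9 user=alice result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, user, ok) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return sorted(events)


def find_username_sweeps(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that tried at least `min_users` distinct usernames
    inside any `window`. Returns {src: {"tried": [...], "opened": [...]}}
    where "opened" lists the accounts that source actually logged into,
    i.e. the ones whose (probably still default) password must be reset."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, attempts in by_src.items():          # attempts are time-ordered
        for i, (start, _, _) in enumerate(attempts):
            span = [a for a in attempts[i:] if a[0] - start <= window]
            tried = {u for _, u, _ in span}
            if len(tried) >= min_users:
                opened = {u for _, u, ok in span if ok}
                flagged[src] = {"tried": sorted(tried), "opened": sorted(opened)}
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_username_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: tried {len(info['tried'])} names, opened {info['opened']}")
```

A normal user retrying their own password (the second address in the sample) is not flagged, because the threshold counts distinct usernames rather than failures.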

So we have two guilty parties here.  The software vendor sets a default password because it is easier for them.

But the device owners are guilty too.  Why did they leave the default password in place?

As we add more and more IoT devices to our life, we add more and more vulnerabilities.  In this case, while it is possible to disable your car where it is located, steal some information and maybe spy on you, the possibilities are unlimited.

We have already seen cases where exes who knew the passwords to their former spouse’s IoT devices would turn off the heat in the winter and turn off the AC in the summer.

There are web sites that serve up hacked webcams.  A recent case involved a webcam in a kid’s bedroom (not sure that is great parenting).  Of course the parents didn’t change the password.  Someone in LA discovered this cam on the web site and managed to figure out that the camera was in Houston.  Through some machinations, she was able to figure out whose camera it was and they got the owner to unplug it.

Story after story, it is a mess.  A real dumpster fire.

It is highly unlikely that the government is going to fix this.

This means that YOU are going to need to understand what these IoT devices do, how they work, how you can secure them and then protect yourself.

Alternatively, consider this.  There was a story this week about a little kid who said that a bad guy was after her.  Her parents didn’t believe her.  Eventually, they heard voices coming out of the baby monitor.  It turns out someone hacked the baby monitor and was watching the kid while viewing porn.

As gross as that is, it is only going to get worse unless we either unplug from the Internet (which is not likely) or get serious about security.

Source: Motherboard.

$1.3 Billion is a Lot of Money

The FBI says that reported losses due to Business EMail Compromise attacks reached a whopping $1.3 billion in 2018, double the losses reported in 2017.

On the other hand, the number of ransomware complaints is down to levels reported in 2014.

There were 20,373 Business EMail Attacks reported last year, compared to 15,690 in 2017.   The losses in 2017 were $676 million, but increased to a whopping $1.297 billion last year.

For ransomware attacks, there were 1,783 attacks reported in 2017 and 1,493 attacks last year.   This represents $2.3 million in 2017 and $3.6 million last year (fewer attacks but more cost).

The Securities and Exchange Commission reported late last year that they investigated around a dozen companies who spent $98 million on Business EMail Compromise scams.

Also remember that this only represents what was reported to the FBI.  The total costs are unknown.

This probably means that people are getting better at backups and having emergency plans, so other than the massive ransomware attacks, people are beginning to understand what they need to do in order to avoid paying the ransom.  Are you prepared?

On the other hand, it apparently means that businesses have not gotten their arms around sending money to scammers.  The dollars basically doubled from 2017 to 2018.  That is not a good sign.

The attacks are, for the most part, straightforward.  Usually they send someone an email saying change the destination for a payment (ACH or wire into the scammer’s account), or they create fake invoices and see if they get paid.  Creating some processes should really reduce the likelihood of falling for an attack.  One common thread to these scams is that they try to create a lot of urgency around getting the money out to them.  They probably figure that the longer the request sits in accounting, the greater the chance that the scam will be detected.

Train your employees to resist the temptation to respond to the urgency, to walk down the hall to executive row if some large or odd request comes in and follow the defined payment processes.

$1.3 billion is a number that is enough to get my attention.  Does it get your attention?

Source: ZDNet.

More Info on the Wipro Hack

Last week, I wrote about the Wipro hack (if you didn’t see that post, click on the search box and enter Wipro).  While Wipro is being pretty close-mouthed about what happened due to the inevitable lawsuits, SLA complaints and even claims of breached contracts, it isn’t stopping the media from reporting on it.

In fact, Wipro would probably have been better off addressing the issue rather than attempting, unsuccessfully, to stonewall the media.

When Brian Krebs, who was the first to report on this, reached out to Wipro for a comment, they took several days and then came back with a non-answer that said how wonderful their security was.

Apparently their incident response program didn’t include how to deal with the media.

After Brian’s story broke, Wipro decided to talk to an (perhaps more friendly) Indian media outlet and reported that they had a breach.  They did not reach out to Brian.

The next day they had a quarterly investor conference call (bad timing for them) and their CEO said that many of Brian’s details were in error.  They basically said that the issue was handled.

Brian then asked Wipro’s CEO what parts of the story were in error; instead of responding, the CEO read some PR statement about their response to the incident.

Note that if you are going to call a reporter a liar, you probably ought to be able to back that up, because the reporter is likely to call you out on it otherwise.

The CEO did agree to have a one on one call with Brian, a statement that another reporter recorded and posted on Twitter.

During the follow up call, the CEO took issue with Brian’s statement that the incident lasted months.  When Brian asked when it did start, the CEO said he didn’t know but surely it wasn’t months.

It would seem that if you are going to put your CEO on a one on one call with a reporter, you probably ought to make sure that the CEO is prepared.

The CEO also claimed that the company was hit by a zero-day attack.  Given that they are a very large IT services firm, that doesn’t seem like a great defense.  Certainly, no one is bulletproof, but you need evidence.

When asked about the details of the zero-day, they have been quiet other than to say that they shared the details with their anti-virus vendor, and apparently no one else.

That is very unusual for zero-days.  Generally, if you think you have uncovered something new, you want to let others know so that they don’t get hit by the same attack.

In reality, they probably meant, according to Brian, that zero-day in this context means an attack that their anti-virus software didn’t catch.  Unfortunately, nowadays, that is not much of a surprise.  Anti-virus software, unless it is very special (and there are a few such products, but not any of the typical mainstream ones), will only catch basic attacks.

A few hours after the call, Brian heard from one of Wipro’s customers in the US.  They decided to sever all electronic communications with Wipro as a result of the attack since Wipro was found to be attacking this customer.  This is the exact right thing to do.  Disconnect now and then figure out IF and WHEN you should reconnect.  This should only happen after the customer is sure they are safe.

A large retailer who is a Wipro customer said that the attackers used the compromise to execute a gift card fraud attack.  Something that would generate cash right away.

India has no laws requiring a company to disclose a breach, so anyone who is outsourcing to India (and other countries) needs to make sure that contractually the outsourcer must report any cyber incident to the customer, and report it within, say, 24 hours.  That way, if it doesn’t happen, it is a breach of contract that can be dealt with in any number of ways.  Source: Brian Krebs.

Since this story won’t go away, Brian reported the next day that not only was Wipro attacked, but other Indian outsourcers were attacked.  Specifically, Infosys and Cognizant were also attacked.

It appears that some of the companies the hackers were after were Sears, Green Dot (the prepaid credit card company), Evalon (credit card processor), Rackspace, Avanade, Capgemini and others.  Looking at this list, it is clear the attackers want fast money (Sears) but also more victims by attacking a bunch of outsourcers like Rackspace, Avanade and Capgemini.

Sources are saying that the attack may have been initiated by hacking a remote desktop software, Screen Connect.  That is consistent with an alert I got from Homeland Security over the weekend that said that hackers were using remote access software to perpetrate attacks and mentioned Screen Connect by name.  Possibly that is a coincidence, but I doubt it due to the timing.

Some of the companies mentioned confirmed the attack in this additional post of Brian’s, here.

Bottom line is that when it comes to breaches, stonewalling DOES NOT WORK.  Period.  Plan your response long before you are going to need it.  That is just smart.  The media will keep reporting on it until you either deal with the core issues or look like a bumbling idiot; Wipro opted for the second, in my opinion.