All posts by mitch tanenbaum

This IoT Hack Could Kill You Literally

Researchers at Ben Gurion University in Israel created malware that could infect a CT scanner and cause it to provide either false positive or false negative readings.

The researchers took real CT lung scans and let their malware modify them.  In the cases where the malware added fake cancerous nodules, the radiologists who read the scans diagnosed cancer 99% of the time, even though the scans were actually clean.

After the radiologists were told that the scans were modified by malware, they still got it wrong 60% of the time.

In addition to lung scans, the same technique would work on scans for brain tumors, heart disease, blood clots, spinal injuries and other conditions.

The technique could also mask cancer, causing doctors to miss cancer that was actually present.

The researchers said that this technique could also be used to skew clinical trial results in either direction.

This particular hack works because CT scans are not digitally signed by the scanner, so nothing detects modification in transit, and they are not encrypted in the back-end image store, the picture archiving and communication system (PACS).
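What the missing signature would have caught, as an added illustration that is not part of the original post or the researchers' work: a Go program in which the scanner signs each slice's pixels together with its study identifier using Ed25519, the viewer verifies before display, and a simulated injected nodule or a relabelled study fails verification.  The slice layout, the study identifier, the nodule injection and the key handling are all assumptions made for the example; a real DICOM object is far richer than this.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedSlice is a constructed stand-in for one CT slice: an 8-bit pixel
// payload, the study it belongs to, and the scanner's signature over both.
// Real DICOM objects carry far more metadata; this layout is an assumption.
type SignedSlice struct {
	StudyID string
	Pixels  []byte
	Sig     []byte
}

// NewScannerKey generates the scanner's signing key pair. In practice the
// private key would live in the scanner's hardware and never leave it.
func NewScannerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds the pixels to the study identifier (length-prefixed so the
// two fields cannot be shifted into each other) before signing.
func digest(studyID string, pixels []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(studyID)))
	h.Write(n[:])
	h.Write([]byte(studyID))
	h.Write(pixels)
	return h.Sum(nil)
}

// Sign is what the scanner does at acquisition time, before the image
// leaves the device for the PACS.
func Sign(priv ed25519.PrivateKey, studyID string, pixels []byte) SignedSlice {
	return SignedSlice{
		StudyID: studyID,
		Pixels:  pixels,
		Sig:     ed25519.Sign(priv, digest(studyID, pixels)),
	}
}

// Verify is what the PACS on ingest and the viewer before display should do.
// Any change to the pixels or the study label after signing fails here.
func Verify(pub ed25519.PublicKey, s SignedSlice) bool {
	return ed25519.Verify(pub, digest(s.StudyID, s.Pixels), s.Sig)
}

// InjectNodule simulates an attacker brightening a size x size square of a
// width-pixel-wide slice, standing in for a fake cancerous nodule. It is a
// constructed stand-in, not the researchers' method.
func InjectNodule(pixels []byte, width, x, y, size int) []byte {
	out := append([]byte(nil), pixels...) // copy; the signed original is untouched
	for dy := 0; dy < size; dy++ {
		for dx := 0; dx < size; dx++ {
			out[(y+dy)*width+(x+dx)] = 0xFF
		}
	}
	return out
}

func main() {
	pub, priv := NewScannerKey()

	// Constructed 16x16 slice of uniform "clean" tissue.
	const width = 16
	clean := make([]byte, width*width)
	for i := range clean {
		clean[i] = 0x40
	}

	scan := Sign(priv, "study-001", clean)
	fmt.Println("untouched slice verifies:", Verify(pub, scan)) // true

	// Malware sitting between scanner and PACS alters the pixels.
	tampered := scan
	tampered.Pixels = InjectNodule(scan.Pixels, width, 5, 5, 3)
	fmt.Println("slice with injected nodule verifies:", Verify(pub, tampered)) // false

	// Replaying a genuine clean slice under another patient's study also fails.
	relabelled := scan
	relabelled.StudyID = "study-002"
	fmt.Println("relabelled slice verifies:", Verify(pub, relabelled)) // false
}
```

Note the limit of this control: a signature made at the scanner only covers what happens after acquisition.  If the malware runs on the scanner itself, as the post describes, it signs pixels that are already altered, so the private key has to live somewhere the malware cannot reach and the check has to run on the reading side, not on the same compromised box.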

These poor security practices by IoT device manufacturers could lead to people dying because of compromised diagnostic tests.

Granted, it seems like a hard attack to execute, but if the target is high value for some reason, such as a clinical trial, well, then, all bets are off.  Is it the vendor conducting the trial that wants the results to look better, or a competitor that wants to derail the trial?  After all, if a competitor can get a trial derailed, it could mean a lot of money in the competitor's pocket, either for a new competing drug or for an old drug that gets extra life.

This, of course, is just one example of how an IoT device could be hacked.  In this case, getting a second opinion from a different facility probably reduces the risk to near-zero, but if your CT scan comes back clear are you really going to get a second opinion?

Source: the Washington Post.


Indian BPO Vendor Wipro Hacked

Brian Krebs reported that Indian mega-outsourcer Wipro was hacked.  Apparently Wipro’s systems were being used to launch attacks against Wipro’s customers.

Wipro’s PR police said that they are investigating.  I am sure that they are.

Given that Wipro’s customers likely trust Wipro, it is a good launchpad for attacks against their customers.

When Brian (Krebs) reached out to Wipro's communications head, he said that he was out of town and needed a few days to investigate.  Really?

Wipro finally responded with this:

“Wipro has a multilayer security system,” the company wrote. “The company has robust internal processes and a system of advanced security technology in place to detect phishing attempts and protect itself from such attacks. We constantly monitor our entire infrastructure at heightened level of alertness to deal with any potential cyber threat.”

Somehow they thought this was a good response to the question about whether they had been hacked.  Source: Brian Krebs.

Now Wipro is confirming that, in spite of their wonderful “multilayer security system”, they were, in fact, hacked.

They are saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign…”  All it takes to target your customer is ONE compromised account.

I am glad that they fell for an advanced attack and not just a plain vanilla one.  I am sure that you have noticed that the definition of an advanced attack is any attack that someone fell for.

As a customer of an outsourcer, you have a trust relationship with that company.  They have your data and probably access to your systems.  You are much less likely to question an email received from your outsource vendor as a potential phishing attack.

I know I probably sound like a broken record, but ….

Supply chain risk!

Vendor cyber risk management!

The hackers used Wipro to attack a number of their customers.

Wipro is certainly not the first BPO to be hacked and likely not the last, so you as a customer need to make sure that your vendors have an acceptable cyber risk management program.  This includes managing the risk of your vendor’s vendors. 

What they have not said yet (and I am sure that it will come out) is which of Wipro's customers the attackers went after and whether those attacks were successful.  I bet that at least some of them were.   Source: Economic Times of India.


Hacker Well On His Way to Publishing ONE BILLION User Records

While some people say that you can’t prove that people have been harmed by lax cybersecurity practices, the laws are making it more expensive for companies to believe this.  Fines in the hundreds of thousands, millions and even billions of dollars are happening.  So whether companies believe cybersecurity is an issue or not, their wallets are suggesting that they need to make improvements.

To encourage that, one hacker who goes by the handle Gnosticplayers has made it a one-man mission to make life miserable for businesses with weak security.

Until this week he had made four dumps of data:

  • round one contained 620 million records
  • round two contained 127 million records
  • round three contained 93 million records and
  • round four contained 26.5 million records.

This brought the total to over 850 million records.

Until this week.

Round five contains 65 million records from 6 companies, bringing the total to over 900 million records.

In case you are questioning whether this is a business, apparently the data is available, sorted by category.  For a “fee”.  In Bitcoin.

Stolen email addresses are sold to spam networks.

Financial details are sold to groups that specialize in tax fraud and online fraud.

Usernames and passwords are sold to groups that specialize in credential stuffing (the technique of taking a million user IDs and passwords, throwing them at a web site and seeing which ones work).
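What credential stuffing looks like in a login log, and the detection logic that catches it, as an added example that is not from the original post or from ZDNet's reporting.  The log format, the addresses and the account names are constructed for the example.  The check flags a source that tries many distinct usernames in a short window, which a plain failed-login threshold misses, and then lists the accounts that source actually got into, since those are the reused passwords that need a forced reset:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed login attempt.
type Event struct {
	When    time.Time
	Src     string
	User    string
	Success bool
}

// sampleLog is constructed for this example (RFC 5737 addresses), not a
// real log: one source walks five accounts in eight seconds and gets one
// hit, another keeps retrying a single account.
const sampleLog = `
2019-04-15T10:00:01Z src=203.0.113.7 user=alice result=fail
2019-04-15T10:00:03Z src=203.0.113.7 user=bob result=fail
2019-04-15T10:00:05Z src=203.0.113.7 user=carol result=ok
2019-04-15T10:00:07Z src=203.0.113.7 user=dave result=fail
2019-04-15T10:00:09Z src=203.0.113.7 user=erin result=fail
2019-04-15T10:00:02Z src=198.51.100.4 user=alice result=fail
2019-04-15T10:00:20Z src=198.51.100.4 user=alice result=fail
2019-04-15T10:01:02Z src=198.51.100.4 user=alice result=ok
2019-04-15T10:00:30Z src=192.0.2.10 user=bob result=ok
`

// ParseLog parses lines of the form "TIMESTAMP src=ADDR user=NAME result=ok|fail".
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var ts, src, user, result string
		if _, err := fmt.Sscanf(line, "%s src=%s user=%s result=%s", &ts, &src, &user, &result); err != nil {
			return nil, fmt.Errorf("bad line %q: %v", line, err)
		}
		when, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, err
		}
		events = append(events, Event{When: when, Src: src, User: user, Success: result == "ok"})
	}
	return events, nil
}

// StuffingSources returns every source address that tried at least minUsers
// distinct usernames within some window of length w. The signal is breadth,
// not volume: a password guesser hammers one account, a stuffer tries one
// leaked password per account across many, so a failed-login count misses it.
func StuffingSources(events []Event, w time.Duration, minUsers int) []string {
	bySrc := map[string][]Event{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e)
	}
	var flagged []string
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		inWindow := map[string]int{} // attempts per user inside the sliding window
		for lo, hi := 0, 0; hi < len(evs); hi++ {
			inWindow[evs[hi].User]++
			for ; evs[hi].When.Sub(evs[lo].When) > w; lo++ {
				if inWindow[evs[lo].User]--; inWindow[evs[lo].User] == 0 {
					delete(inWindow, evs[lo].User)
				}
			}
			if len(inWindow) >= minUsers {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Hits lists the accounts a source logged into successfully; after a
// stuffing run these are the reused passwords that need a forced reset.
func Hits(events []Event, src string) []string {
	seen := map[string]bool{}
	var users []string
	for _, e := range events {
		if e.Src == src && e.Success && !seen[e.User] {
			seen[e.User] = true
			users = append(users, e.User)
		}
	}
	return users
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, src := range StuffingSources(events, 60*time.Second, 5) {
		fmt.Printf("credential stuffing from %s; accounts to force-reset: %v\n", src, Hits(events, src))
	}
}
```

On the sample, 203.0.113.7 is flagged with carol as the account to reset, while 198.51.100.4, which only hammers alice, is left to the ordinary lockout policy.  In production the same logic sits over your identity provider or WAF logs with the window and threshold tuned to your traffic, and a stuffer that rotates source addresses needs the grouping key changed to something like a device fingerprint or ASN rather than the IP address.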

The hacker is selling his data on Dream Market, a pretty public dark web marketplace.  He does not appear to be very shy about publicity, so my guess is that he is not in a country friendly to the U.S.

For businesses and consumers, this means that your information is being used against you.  

Credential stuffing allows hackers to attempt to hack your bank account and empty it.  Is that important to you?

Tax fraud means that your tax return will be rejected by the IRS and you will not get the refund that you are owed.

Other attacks might mean that you will lose access to your email account or other accounts.

So unless you think that the issues above are not important to you or your customers, you need to work hard to improve your business’ and personal cybersecurity hygiene.   

Source: ZDNet.

Security News Bites for the Week Ending April 12, 2019

A New Reason to Not Use Huawei 5G Telecom Equipment

The President has been trying to get our allies to not use Huawei equipment in the buildout of their next generation cellular networks due to concerns that the Chinese government would compromise the equipment.

Now the British spy agency GCHQ is saying that Huawei's security engineering practices are equivalent to what was considered acceptable in the year 2000.  And they don't seem to be getting any better.  Source: BBC.

Researchers Figure Out How to Attack WPA3

Standards for WiFi protocols are designed in secret by members of the WiFi Alliance.  Those members are sworn to secrecy regarding the protocols.  The first version had no security, the next version had crappy security, and the current version was hacked pretty quickly.

These protocols are never subjected to outside independent security testing before release.  Anyone who wants to test them has to treat them as a black box.  And some researchers have done so.

Now WPA3, which is not widely deployed yet, has been compromised by researchers.  One of the attacks is a downgrade attack; the others are side-channel attacks.  They also figured out how to mount a denial-of-service attack, even though the new protocol is supposed to have protections against that.

Conveniently, the researchers have placed tools on GitHub that let access point buyers (or hackers) figure out whether a specific access point is vulnerable.  Hackers would use the tools to launch attacks.

The WiFi Alliance is working with vendors to try to patch the holes.  The good news is that since there are almost no WPA3 devices in use yet, catching the bugs early means that most devices will ship already patched.  After all, it is highly unlikely that most users will ever patch their WiFi devices after installing them.  Source: The Hacker News.

Amazon Employs Thousands to Listen to Your Alexa Requests

For those people who don’t want to use an Amazon Echo for fear that someone is listening in, apparently, they are right.

Amazon employs thousands of people around the world to listen to your requests and help Alexa respond to them.  Probably not in real time, but rather, after the fact.

The staff, both full-time employees and contractors, work in offices as far flung as Boston and India.  They are required to sign an NDA saying they won't discuss the program, and they review as many as 1,000 clips in a 9-hour shift.  Doesn't that sound like fun?  Source: Bloomberg.

Homeland Security Says Russians Targeted Election Systems in Almost Every State in 2016

Even though President Trump says that the election hacker might be some 400-pound person in their bed, the FBI and DHS released a Joint Intelligence Bulletin (JIB) saying that the Russians did research on and made "visits" to the election websites of the majority of the 50 states prior to the 2016 elections.

While the report does not provide a lot of technical details, it does expand on how much we know about the Russians' efforts to compromise the election, and it will likely fuel more conversations in Congress.  Source: Ars Technica.

Researchers Reveal New Spyware Framework – TajMahal

The Russian anti-virus vendor Kaspersky, which President Trump says is in cahoots with President Putin, released a report on a new spyware framework called TajMahal.

The framework is made up of 80 separate components, each one capable of a different espionage trick, including keystroke logging and screen grabbing, among others.  Some of the tricks have never been seen before, like intercepting documents in a print queue.  The tool, according to Kaspersky, has been around for FIVE YEARS.

While Kaspersky has only found one instance of it in use, given the complexity of the tool, it seems unlikely that it was developed for a one time attack.  Source: Wired.


Hackers Target Industrial Control Networks

For many years hackers have been content to destroy companies' office networks and demand a ransom if those companies wanted control of their systems back in order to do business.

But that is not enough for the hackers.  They want to shut down factories and do damage.

There have been a couple of barriers to hackers being successful in this venture, which is a good thing.

Unlike office computers, which are built around a handful of chips (Intel, AMD, Arm, etc.), the computers that run factories are built around a much wider range of processors.  In addition, every manufacturer runs its own operating system, and sometimes different products from the same manufacturer run different operating systems, although some of the newer hardware runs a version of Linux.  Lastly, these so-called OT, or operational technology, networks are often isolated from the corporate networks, at least in theory.

One of the first public OT attacks was a joint US (CIA) and Israeli operation: the Stuxnet attack against Iran's uranium enrichment program (neither country has formally admitted to it, but it is widely believed that it was them).  Then there was the attack Russia carried out against Ukraine, turning off the power in the middle of winter.  Twice.

These attacks legitimized this form of attack in many people’s mind, particularly the hackers.

In 2017 the Triton family of malware was discovered by researchers.

Designed to be very low key in order not to set off any alarms, it attacks Triconex safety controllers made by Schneider Electric.  These controllers are the "kill switch" that shuts down the factory, refinery or whatever it is when a critical failure pushes the process outside its safety limits.

Unless, that is, you can fool the controllers into thinking the process is operating within limits while at the same time making the equipment operate unsafely.  That is how Stuxnet destroyed the Iranian centrifuges, and it is also how someone damaged a German steel plant.  Triton is only one family of malware that targets these networks; there are likely more.

FireEye released a report on how the early generations of Triton operated and stayed under the radar.  To date, Triton has only been deployed at a handful of facilities, which keeps it rare enough to evade detection and defenses.

Since they were not trying to steal data from the IT network, they didn't copy files or exfiltrate large amounts of data, which is what most monitoring is tuned to notice.

Mostly, they wandered through the network for years undetected, looking for the right workstation to attack and to better understand how the network operates.

They also worked hard to install multiple backdoors so that if they got detected and were kicked out, they could come back in again.

FireEye says that the attack lifecycle of a sophisticated attack is often measured in years.

All of this means that owners of control networks like factories need to step up their security game and not hope obscurity will protect them.  Even the government admits that it is likely that many of our critical infrastructure systems have already been compromised.

We also need to understand that OT-style controls are used more and more in the office environment: things like TVs, projectors, heating and cooling, electronic signs, video conferencing systems, security cameras, etc.

Proper design would say that these devices need to be isolated, but often it is more convenient to connect them to the IT network.  Since almost no one patches their TV, refrigerator or light bulbs, and even fewer people know what the normal behavior of these devices looks like well enough to monitor their actions, these devices put the IT network at greater risk.

FireEye says:

“We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.”

AS WE BELIEVE THERE IS A GOOD CHANCE THE THREAT ACTOR WAS OR IS PRESENT IN OTHER TARGET NETWORKS!!!

Well that is comforting.

Bottom line is that we need to up our game in securing these OT networks and devices.

As if we didn’t have enough work already.

Source: CSO Online.


The FBI’s Cyber Challenge Exceeds Its Bandwidth

Or so says Christopher Wray, the current director of the FBI, testifying before a Congressional committee.

My guess, having talked to my share of FBI agents, including today,  is that he is correct.

The basic premise of all police work is that the number of crimes is relatively small.  Not so with cyber.

Also, it used to be that crime was local.  It is hard to break into your house and steal your TV from Kiev.  You MUST have an operative in town, even if you are in Kiev.  Not so when it comes to cybercrime.

Jurisdiction was never an issue.  Yeah, sometimes a crook would flee the state before the cops caught up with him or her.  Now, a large percentage of cybercrime is committed offshore.  Even if it comes from a country friendly to us, there are an amazing number of hoops that cops have to jump through to get information from even the friendly countries.  Imagine what it is like to get information from countries that you have to Google just to figure out exactly where they are located.

As the FBI agents who briefed us today said (thank you Nate and Dennis), they need a lot of  help from businesses if they even stand a chance of catching the bad guys, but if businesses do what is required, it is possible.  Sometimes.  Let me know if you would like a briefing.

According to this year's budget, the FBI has 1,981 employees involved in cyber investigations.  Assuming the FBI has 56 field offices, and not counting all the satellite offices, that means the FBI has about 35 employees at all levels, on average, at each field office to investigate the roughly 300,000 crimes that were reported to the FBI in 2017, and probably 10 times that many which people didn't even bother to report.

Given that most of these crimes involve foreign countries, and therefore reams of paperwork if you ever do get cooperation, they are fighting a losing battle.

One of the roles of these roughly 2,000 people is to help state and local law enforcement solve cyber crimes reported to them, so the problem multiplies.

What this means is that you are much better off trying to keep the bad guys out rather than trying to get help after the fact.

Just a matter of simple math.  Not. Enough. Resources.

Of course, it is virtually impossible for the FBI to retain top cyber talent.  A really smart cyber investigator can likely earn double or more what they would make at the FBI in private industry, with less hassle and more perks.  Yes, they don’t get to wear a badge and carry a gun, but that excitement wears off quickly.

The FBI is trying to improve the overall cyber knowledge of its total staff, but that is hard.  These people have spent their entire careers searching for traditional crooks.  This is a very different skill.  You don't send someone to a one-day class and make them a cyber expert.

Source: Government Computer News.
