Category Archives: Alert

Security alerts

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, overseen by NERC and FERC, has done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and for the remaining 8 it is unknown how badly they were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities in every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches? In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even fewer scruples than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.

Are You Ready for the Next Supply Chain Attack?

On Friday, title industry software and consulting provider Cloudstar was hit by a ransomware attack. Cloudstar operates 6 data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted, as suggested in a Housing Wire article, no one knows if that is true or not. It is certainly possible that they were just another random victim after an employee clicked on a malicious link.

This particular software is core to the title business so it is not like a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that lives on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies who are affected by this attack likely must report this to their regulator as the assumption by the federal government is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), we see that Fannie is much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another thing that companies need to be concerned about.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and which are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber breach attacks against service providers, companies need to prepare themselves for the possibility that they will be in the same boat as the customers of Cloudstar are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, face significant expenses.

Are you ready?

Additional info credit: The Title Report

IoT Bug Could Lay Waste to Factories ….

When people talk about IoT – Internet of Things – these days, they are thinking of Amazon Alexa or Philips Hue lightbulbs, but where IoT started was in factories and warehouses, decades ago.

Industrial automation, or IIoT, is still where the biggest IoT attack risk lies.

Today we learned about a critical remote code execution bug in Schneider Electric’s programmable logic controllers or PLCs.

The bug would allow an attacker to get ROOT level access to these controllers and have full control over the devices.

These PLCs are used in manufacturing, building automation, healthcare and many other places.

If exploited, the hackers could shut down production lines, elevators, heating and air conditioning systems and other automation.

The good news, if there is any, is that the attacker would need to gain access to the network first. That could mean an insider attack, a physical infiltration or something simple like really bad remote access security, like that water plant in Florida. That means that you probably should not count on this extra hurdle to protect the millions of systems that use Modicon controllers.

Schneider Electric has released some “mitigations” but has not released a patch yet.

The bug is rated 9.8 out of 10 for badness.

What is really concerning is that Schneider released patches for dozens of bugs today.

Given that IIoT users almost never install patches, this “patch release” doesn’t make me feel much better.

But it appears that the velocity of IIoT bug disclosures and patches is dramatically increasing. Given that, factory and other IIoT owners have to choose between two uncomfortable choices – don’t patch and risk getting hacked or patch and deal with the downtime. They are not going to like either choice, but they are going to have to choose.

My guess is that they are going to choose not to patch and we are going to see a meltdown somewhere that is going to be somewhat uncomfortable for the owner. An example of past similar events is the Russians blowing up a Ukrainian oil pipeline a few years ago. In the middle of winter. When the temperature was below zero.

Credit: Threatpost

Colorado is the Third State to Enact A Robust Privacy Law

First it was California (of course). Then it was California version 2. In 2020, things were quiet and no states joined the club. Earlier this year Virginia joined the club and today Colorado became the third state to enact a California-style or Europe-style privacy law, with some significant differences.

Here are some of the key parts of the law.

  • Consumers have the right to get a copy of their data, get it corrected, delete it and be able to port it to a competing service
  • Allows consumers to opt out of targeted advertising, sale of data and some profiling
  • Exempts employee data, deidentified data and publicly available data
  • It also exempts data covered by HIPAA, GLBA and COPPA
  • Companies that collect data need to tell consumers how they are going to use it
  • It requires a duty of care to protect data. This is also known as the full employment act for lawyers
  • And of course, it has a number of exemptions

One new twist – while there is no private right of action, action can be taken by local DAs – many of whom are planning to run for higher office – in addition to the AG, who is pretty busy.

California’s law is based on global revenue; the Colorado law is based on the number of Colorado residents the company collects data on (100,000) or fewer residents if you also sell some data (25,000). Still, that should eliminate many smaller companies.

Business to business transactions are also exempt.

Like most of the similar laws, processing of sensitive data like racial, ethnic, mental or physical health, sexual orientation, etc. require an opt-in.

Finally, the AG is authorized to create rules to carry out this new law.

Companies need to have a much more robust privacy disclosure, which includes a number of specific items.

Also, and this is a weakness for many companies, the law requires companies to have a WRITTEN contract with all data processors (think of cloud software providers, for example) which documents instructions for processing data, confidentiality requirements and the requirement to notify the data owner before subcontracting, among other requirements.

One important first step for companies to take, whether they operate only in Colorado or in multiple states including Colorado, is to get a really good handle on what data you collect, where you store it and who you share it with, either for financial purposes or just to run the business. Our experience tells us that this is a real challenge for most companies.

Credits:

National Law Review

Venturebeat

JD Supra

NFC is Convenient – Just Not Secure

NFC, or Near Field Communications, is that technology that allows you to wave your credit card or phone near a reader and pay for a Starbucks or get money from an ATM without having to take that card out of your wallet.

Many of you have heard me say “Security or convenience, pick only one”. This is an example of that expression.

Historically, researchers and hackers have broken into ATMs using mechanical methods. Opening them up and installing hardware; hacking the software and even drilling holes to expose the innards.

Add to that a pure 21st century attack.

Security firm IOActive has been working on hacking the NFC chips that are used in ATMs and tens of millions of credit card readers in stores and other places that accept credit cards.

The result is an app that allows the researcher to imitate what the chips do.

That means he can crash the devices in stores and other places where credit cards are accepted, hack them to collect stored credit card data, and change the value of transactions invisibly (want to buy that Rolex – how about $1.29?).

He even figured out how to make one brand of ATM “jackpot” – spit out money. The researcher isn’t saying what brand of ATM it was, but he was working FOR the ATM maker, so that issue is likely fixed. Maybe – see below.

The researcher has told the chip makers about the problems he found, but there is a slight problem.

Many ATMs will require a technician to go to the ATM to physically do the update. After all, doing the update over the wire seems a bit insecure for something that amounts to a small bank vault.

Seven months or so after reporting his findings to the ATM maker, he waved his phone in front of an ATM in Madrid, where he lives, and caused the ATM to crash. Which, I guess, is better than making it jackpot. But crashes can often be turned into more dangerous hacks.

But here is the bigger problem.

While there are tens of thousands of ATMs that need to be upgraded, there are tens of millions of point of sale credit card readers that need to be updated. I will guarantee you that many of those will never be updated. That means clever hackers will walk into stores, pick out something expensive, and pay a dollar for it. Then fence it or sell it on the black market.

For consumers, that means higher prices due to fraud, but for business owners, it could mean fraud losses, and for privately owned ATMs – well, I hope they have good insurance. Credit: Wired

Florida Law Designed to Punish Twitter Enjoined

Florida’s governor DeSantis, a likely Republican presidential candidate in 2024, and his Republican-dominated legislature passed a bill this year designed to punish the likes of Twitter and Facebook.

Unless they were very naive, they knew this law was going to be challenged in court, and likely struck down for a number of reasons.

But that probably was not the reason for this legislative circus. Much more likely, it was to show certain voters that DeSantis had similar ideas to ex-president Trump and would, like Trump, attempt to shut down social media platforms that he disagreed with. He certainly got that attention.

While a federal judge blocked Florida’s SB 7072, this will likely get appealed to the 11th Circuit and from there to the Supremes, if they are willing to take it.

The court’s conclusion was this:

The legislation now at issue was an effort to rein in social-media providers deemed too large and too liberal. Balancing the exchange of ideas among private speakers is not a legitimate governmental interest. And even aside from the actual motivation for this legislation, it is plainly content-based and subject to strict scrutiny. It is also subject to strict scrutiny because it discriminates on its face among otherwise-identical speakers: between social-media providers that do or do not meet the legislation’s size requirements and are or are not under common ownership with a theme park. The legislation does not survive strict scrutiny. Parts also are expressly preempted by federal law.

The state attempted to use the First Amendment, which only applies to the government, as a reason to apply this law to certain, specific, large, more liberal, social media companies only. The judge didn’t buy it.

the State has asserted it is on the side of the First Amendment; the plaintiffs are not. It is perhaps a nice sound bite. But the assertion is wholly at odds with accepted constitutional principles….

The judge also said that even if the state thinks that these large companies are operating in a monopolistic fashion, that doesn’t give the state the right to trample on the First Amendment.

Whatever might be said of the largest providers’ monopolistic conduct, the internet provides a greater opportunity for individuals to publish their views—and for candidates to communicate directly with voters—than existed before the internet arrived

The judge also said that the purpose of the law was to overturn the media companies’ editorial judgments themselves, which this judge says is unconstitutional.

the targets of the statutes at issue are the editorial judgments themselves. The State’s announced purpose of balancing the discussion—reining in the ideology of the large social-media providers—is precisely the kind of state action held unconstitutional in Tornillo, Hurley, and PG&E.

The judge goes on to continue to blast the law, but stay tuned for the appeal. Get some popcorn, because this is definitely not over. Credit: Professor Eric Goldman, Santa Clara University School of Law