Category Archives: Hacks

Pipeline Operators Are In the Crosshairs – From Both Regulators and Hackers

The Colonial Pipeline attack exposed what a lot of us have been saying for years – that when it comes to U.S. critical infrastructure, the emperor has no clothes.

After the attack on Colonial was dealt with, TSA issued a directive very quickly that was pretty superficial. It required, among a couple of other things, that operators identify a cybersecurity coordinator who is available 24×7 and assess whether their security practices are aligned with the 2018 pipeline security VOLUNTARY directive.

In fairness, there was not a lot of time to prepare and TSA – those same folks that do a wonderful job of stopping guns getting through security in airports (in a public outing, in 2016 the TSA director was fired after it became public that the TSA failed to detect guns 95% of the time) – said that more would be coming.

The electric distribution network, managed by NERC and FERC, have done a somewhat better job of protecting that infrastructure, but even that has a lot of holes in it. No one seems to be watching the water supply.

Now we are learning that the TSA issued another directive regarding pipeline security. Given all of the recent supply chain attacks, this is decades past due and nothing will change immediately, meaning that the Chinese, Russians, North Koreans and others will still have years to attack us. This directive requires the pipeline industry to implement specific mitigations (not explained, likely due to security issues) to protect against ransomware and other known threats, to develop and implement a cybersecurity contingency plan, to implement a disaster recovery plan and review the security of their cyber architecture.

The TSA is still not acting like a regulator. There do not appear to be any penalties for not doing these things and there doesn’t even seem to be much oversight. The TSA calls the companies that it regulates its partners. I cannot recall, for example, ever hearing banking regulators calling the banks that they regulate their partners. The TSA is not the partner of the companies that it regulates (unless maybe, they are getting kickbacks, in which case, okay).

Sorry, but that is completely the wrong model and is doomed to fail. It may require Congress to do something although I am pessimistic that they will. You can never tell.

This directive comes on the heels of another report from the FBI and CISA that the Chinese targeted 23 pipeline operators between 2011 and 2013. Why they didn’t think it important to tell us about this for 10 years is not explained. Maybe the facts were about to be leaked? Don’t know.

Are there more attacks that they are not telling us about still?

Of the 23 pipeline operators in this report, 13 were confirmed to have been breached. Three more were what the feds call near misses, whatever that means, and the remaining 8 were unknown as to how badly there were compromised.

Well, that certainly gives me a warm fuzzy feeling.

At the same time, CISA has been reporting an insane number of IoT vulnerabilities on every brand of industrial IoT equipment. While it is good that CISA is “outing” these vendors’ decades-old sloppy security practices, there is still a long way to go. For every bug they announce, who knows how many remain and, more importantly, will the operators of the vulnerable equipment even bother to deploy the patches. In fairness, in many cases the cost of downtime is high and the operators’ confidence that their equipment will still work after being patched is low.

For many operators, the equipment that is vulnerable has been in place for 10, 15, even 20 years and the people who installed it or designed it are retired and possibly even deceased. To reverse engineer something like that is an insanely complex task.

The alternative is to ignore the problem and hope that the Chinese, Russians and others decide to play nice and not attack us. Fat chance.

We should also consider that independent hackers who may have even less morals than the North Koreans (is that possible?) may have discovered these bugs – which of course are now being made public on a daily basis – and choose to use them to attack us for their own motives. Even if we do arrest them after, for example, they blow up a refinery, that is a tad bit unsatisfying to me.

If you get the sense that I am disgusted that the government is decades behind in protecting us, I am. You should be too. By the way, this is not a Democratic vs. Republican thing. Administrations on both sides of the aisle have put this in the “too hard to do pile” and pretended that it does not exist.

Security News for the Week Ending July 16, 2021

Supply Chain Attacks Roll On

The Accellion File Transfer Appliance vulnerabilities have been the source of many breach notifcations over the last several months. For whatever reason, they seem to be dribbling out. The newest one is Morgan Stanley. In this case, it was a Morgan Stanley VENDOR that was using Accellion, so instead of the third party attacks we talk about all the time, this is a fourth party attack. Of course, Morgan Stanley will take the heat, fines and lawsuits. Are you sure your vendors have your back? What about their vendors? Credit: Data Breach Today

Senate Finally Confirms Jen Easterly as Head of DHS/CISA

After CISA has not had an official chief for 8 months and after one Senator pulled a pre-July 4th political stunt that delayed her confirmation, the Senate unanimously confirmed Easterly this week. Easterly, who retired from the Army in 2011, was the deputy director for counterterrorism at the NSA, was on the National Security Council staff at the White House and is a two time Bronze Star recipient, is an outstanding person to lead CISA after Chris Krebs was fired last year for not following the party line. Credit: CNN

Did Russia Get the Message?

Remember the Revil ransomware gang? The folks that hacked Kaseya and JBS, among others? Well their web sites are no more. Did the U.S. take them down? Did Putin decide he didn’t like the heat? Will they come back later under a different name? Not clear. But what is clear is that people who were trying to get their files decrypted by paying the ransom – they have a bit of a problem as in kinda out of luck. My guess is Biden told Putin to fix the problem or we would fix it for him and he probably would not like the collateral damage. Credit: MSN

Hackers are Hard to Kill Off

Last year around election time the Pentagon was all full of press releases that they took down a Russian hacking operation called Trickbot. They have millions of victims around the globe. Bitdefender found that they are resurrecting their tools; updating them, etc. While Bitdefender found this particular tool using a honeypot, it doesn’t that was their only tool and it certainly does not mean they will shut down. It does mean that hacker networks are so profitable, that they will come back from the dead. Credit: The Daily Beast

Want a $10 Million Prize?

The feds are offering a reward of up to $10 million for information on operations conducted by actors working for a foreign government. On Thursday, the U.S. Department of State announced that its Rewards for Justice (RFJ) program now incentivizes reports of foreign malicious activity against U.S. critical infrastructure. The actions may include extortion as part of a ransomware attack, stealing information from protected systems, “and knowingly causing the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causing damage without authorization to a protected computer.” The feds set up a Tor site to report information confidentially. Credit: Bleeping Computer

IoT Bug Could Lay Waste to Factories ….

When people talk about IoT – Internet of Things – these days, they are thinking of Amazon Alexa or Phillips Vue lightbulbs, but where IoT started was in factories and warehouses, decades ago.

Industrial automation or IIoT is still where the biggest in IoT attacks lies.

Today we learned about a critical remote code execution bug in Schneider Electric’s programmable logic controllers or PLCs.

The bug would allow an attacker to get ROOT level access to these controllers and have full control over the devices.

These PLCs are used in manufacturing, building automation, healthcare and many other places.

If exploited, the hackers could shut down production lines, elevators, heating and air conditioning systems and other automation.

The good news, if there is any, is that the attacker would need to gain access to the network first. That could mean an insider attack, a physical infiltration or something simple like really bad remote access security like that water plant in Florida. That means that you probably should not count on this extra level of hardness to protect the millions of systems that use Modicon controllers.

Schneider Electric has released some “mitigations” but has not released a patch yet.

The bug is rated 9.8 out of 10 for badness.

What is really concerning is that Schneider released patches for dozens of bugs today.

Given that IIoT users almost never install patches, this “patch release” doesn’t make me feel much better.

But it appears that the velocity of IIoT bug disclosures and patches is dramatically increasing. Given that, factory and other IIoT owners have to choose between two uncomfortable choices – don’t patch and risk getting hacked or patch and deal with the downtime. They are not going to like either choice, but they are going to have to choose.

My guess is that they are going to choose not to patch and we are going to see a meltdown somewhere that is going to be somewhat uncomfortable for the owner. An example of past similar events is the Russians blowing up a Ukrainian oil pipeline a few years ago. In the middle of winter. When the temperature was below zero.

Credit: Threatpost

What is the U.S. Going to do About Putin?

The last presidential administration went hard after China – applying sanction after sanction, but with minimal success. They also seemed to give Russia a free pass.

Many of the very public recent hacks are being attributed to Russia, including SolarWinds and Kaseya.

When Biden met with Putin in Helsinki last month, the two agreed to form a committee to address the problem.

Since it is popular understanding that Putin is directing the attacks – or at least approving them (and probably taking a cut) – it is not clear that a committee will do much.

Still, that is the step that this administration is willing to take at this time.

However, there are some hints that this administration might be willing to do more.

When Biden was specifically asked if it made sense to attack back, he responded, somewhat cryptically, with a simple YES.

When Biden was asked what he expected Putin to do, he declined to say. He did say “we’ll see”.

We need to both defend and offend.

U.S. businesses need to harden their systems to attack and redesign them to mitigate the losses. While Russia is certainly a player in the attack business, it is not the only one and even if a miracle happened and Putin shut down his revenue stream, that will only reduce the number of attacks. AND, I don’t anticipate a miracle.

At the same time the U.S. government needs to make hackers face consequences. Having the DoJ indict people that will never be arrested, like the last administration did, is not terribly effective. Every now and then we catch a stupid one who crosses into friendly territory, but all that does is teach the smart ones not to do that.

This is a hard problem, but continuing to do what we have done in the past is not going to work. Credit: The White House

Security News for the Week Ending July 9, 2021

Flash – The Gift That Keeps on Giving

Flash, that piece of garbage software that Adobe finally killed a few months ago and which, I have said, should have been killed 20 years ago, it turns out, is at the root of another supply chain hack. For many people, supply chain attacks first came to their attention after the Russians compromised SolarWinds and hacked 9 government agencies and hundreds, if not thousands, of companies. But supply chain attacks have been around for a long time. One of the earliest ones was the compromise of RSA’s secure token back in 2011. For those not familiar with that attack, it compromised every RSA secure token in the world, affecting banks, businesses and even the Pentagon. After a 10 year NDA expired, the story is now being told to Wired. And yes, the root was a Flash vulnerability. One reason this is an interesting learning experience is that RSA sort of accidentally detected the hack within a few days and played cat and mouse the hackers after that. That whole story is a lesson for all companies. Credit: Wired

Team Trump Launches Buggy Twitter Competitor

Last week former Trump spokesman Jason Miller launched a right-wing oriented social media platform called Gettr. While visually it is a Twitter clone, technically is has some work to do. The app apparently uses Twitter’s API to allow you to import your Tweets.

Apparent Trump supporter (NOT!) Ashkan Soltani said this of the app:

“This app looks like a dumpster fire that was coded from the lavatory of Donald Trump,” Soltani told Motherboard. “It literally took me longer to copy the screenshot images off of my test phone than it did to find the actual bug.”

GETTR Is the Trump Team’s Buggy, Leaky Twitter Clone (vice.com)

He also demonstrated that GETTR is already well set up to be a haven for bots and fake accounts.

Don’t be surprised if they get Parlered. I don’t think Parler ever recovered from that event. Credit: Vice

Chain Gangs Are Back Again

No not that kind of chain gang. Apparently hackers in Texas and other states have decided that stealing construction equipment, attaching chains to ATMs and then connecting the two while pulling hard is a good strategy. Some ATMs can hold a quarter million dollars, but you have to pick wisely. The FBI has made more than 50 arrests in Texas and has documented at least 139 chain gang attacks. Wow! Credit: Brian Krebs

Biden Issues EO on Right to Repair, Net Neutrality

President Biden issued an EO today including 72 initiatives by more than a dozen agencies to tackle some major competition issues. In some cases, the EO asks federal agencies to do things that he cannot order them to do, so stay tuned for more action. Among the 72 items are banning or limiting non-competes that stop people from changing jobs, supporting state efforts to lower drug prices by allowing them to import drugs, allowing hearing aids to be sold over the counter at drug stores, barring manufacturers from stopping self-repairs or third party repair services, calling on the DoJ and FTC to strictly enforce antitrust laws and other requirements. This will take a while to digest, but definitely attacks some sacred cows. Credit: The White House

NFC is Convenient – Just Not Secure

NFC, or Near Field Communications, is that technology that allows you to wave your credit card or phone near a reader and pay for a Starbucks or get money from an ATM without having to take that card out of your wallet.

Many of you have heard me say “Security or convenience, pick only one”. This is an example of that expression.

Historically, researchers and hackers have broken into ATMs using mechanical methods. Opening them up and installing hardware; hacking the software and even drilling holes to expose the innards.

Add to that a pure 21st century attack.

Security firm IOActive has been working on hacking the NFC chips that are used in ATMs and tens of millions of credit card readers in stores and other places that accept credit cards.

The result is an app that allows the researcher to imitate what the chips do.

That means he can crash the devices in stores and other places where credit cards are accepted, hack them to collect stored credit card data, change the value of transactions invisibly (want to buy that Rolex – how about $1.29?)

He even figured out how to make one brand of ATM “jackpot” – spit out money. The researcher isn’t saying what brand of ATM it was, but he was working FOR the ATM maker, so that issue is likely fixed. Maybe – see below.

The researcher has told the chip makers about the problems he found, but there is a slight problem.

Many ATMs will require a technician to go to the ATM to physically do the update. After all, doing the update over the wire seems a bit insecure for something that amounts to a small bank vault.

7 months or so after reporting his findings to the ATM maker, he waved his phone in front of an ATM in Madrid where he lives and caused the ATM to crash. Which, I guess, is better than making it jackpot. But crashes can often be turned into more dangerous hacks.

But here is the bigger problem.

While there are tens of thousands of ATMs that need to be upgraded, there are tens of millions of point of sale credit card readers that need to be updated. I will guarantee you that many of those will never be updated. That means clever hackers will walk into stores, pick out something expensive, and pay a dollar for it. Then fence it or sell it on the black market.

For consumers, that means higher prices due to fraud, but for business owner, it could mean fraud losses and for privately owned ATMs – well, I hope they have good insurance. Credit: Wired