Tag Archives: Utility security

Security News for the Week Ending April 16, 2021

Not a Good Week for Social Media Privacy

After the January 6th attack on the US Capitol, we saw terabytes of conversations and videos and profiles from the alt-right Twitter clone Parler posted online. Last week we saw 500+ million Facebook profiles for sale on the dark web (Facebook says this isn’t a breach) and then we saw another 500 million LinkedIn profiles for sale. This week it is Clubhouse, but since it is new, there are only a million+ users in the free database. These social media sites on one hand sue people for taking their data but on the other hand, say that actions like this are not a breach because they offer APIs that allow people to do it. What is the message? Anything associated with your social media world is not private and is fair game. Credit: Cyber News

Some Said Biden Would Cave to China – Not Yet Apparently

The US has just added seven new Chinese companies to the ENTITY LIST, the list of companies that US businesses cannot work with unless they get a get-out-of-jail card from the Commerce Department. These seven companies are supercomputer makers and Chinese National Supercomputing Centers. Looks like the pressure is still on. Credit: ZDNet

Hackers and Blockchain

One way the fuzz have been able to take down botnets is to disable their command and control server(s). Malware that uses a command and control center usually hard-codes the C&C address or addresses or puts them in a DNS record. If law enforcement takes down those servers or reroutes their traffic to a black hole, the botnet is dead. Hackers are creative, so they came up with a workaround.

Put the information they need on the Blockchain. Or many blockchains. Since the Blockchain is both public and immutable, problem solved. If we change the rules regarding whether someone can change a Blockchain, the entire usefulness of the Blockchain and all of the industries that have been built up around it, including all of the value stored in Bitcoin, gets flushed down the toilet. The current worldwide value of all Bitcoin is about $160 billion. If the cops have to break all blockchains worldwide to catch a hacker, I suspect that there will be a lot of unhappy people. I don’t think any government is interested in risking $160 billion (and growing) of capital to take down a hacker. Not sure how to fix this. Dictatorial countries might be willing to destroy their capital market, but I don’t think western countries are willing.

If this happens you better dump any Bitcoin you have quickly. Credit: Bruce Schneier

Domain Name Service Security Neglected by US Energy Companies

Unfortunately, there is no surprise here.

The Biden administration says utilities in the United States are sort of clueless when it comes to cybersecurity. Data collected shows that nearly 80% of the top energy organizations are at risk of cyberattacks due to totally elementary cyber hygiene errors – either willful or through ignorance.

80% of the organizations do not use domain registry locks, which help stop domains from being hijacked. More than 66% use consumer-grade registrars, likely because they are a little bit cheaper but also because they don’t understand that those registrars have weak security practices. I looked up my electric utility. They passed the first test and failed the second. Only 3% use DNSSEC (mine does not). Only 17% use DNS hosting redundancy. While 73% have some sort of DMARC policy in place, many are set to NONE, meaning that the setting is useless. This is pretty much in line with the results found as part of a global test last year.

As I said, no surprise, but a lot of disappointment. Credit: Security Week
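To make the DMARC point concrete, here is an added example (not from Security Week or the original post) that classifies DMARC TXT records by whether they actually enforce anything. The domains and records are constructed samples, and the verdict labels are my own; the defaults for `pct` and `sp` follow RFC 7489.

```python
# Added example: decide whether a DMARC record enforces or only monitors.
# Verdict labels are assumptions of this example, not standard terms.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags.setdefault(key.strip().lower(), value.strip())
    return tags

def assess_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"            # simplification: missing/unknown p
    if policy == "none":
        return "monitor-only"       # reports are sent, spoofed mail still delivered
    try:
        pct = int(tags.get("pct", "100"))   # default is 100
    except ValueError:
        pct = 100
    if pct < 100:
        return "partial"            # policy applies to only a share of mail
    if tags.get("sp", policy).lower() == "none":   # sp defaults to p
        return "subdomains-unprotected"
    return "enforcing"

# Constructed sample records (not real utilities).
SAMPLE = {
    "utility-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@utility-a.example",
    "utility-b.example": "v=DMARC1; p=reject; sp=none",
    "utility-c.example": "v=DMARC1; p=quarantine; pct=25",
    "utility-d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@utility-d.example",
    "utility-e.example": "v=spf1 -all",
}

def audit(records):
    return {domain: assess_dmarc(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE).items():
        print(f"{domain:20} {verdict}")
```

A survey that only counts "has a DMARC record" would score four of these five domains as covered; only one of them is fully enforcing.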

Security News for the Week Ending December 6, 2019

Caller Poses as CISA Rep in Extortion Scam

Homeland Security’s CISA (Cybersecurity and Infrastructure Security Agency) says that they are aware of a scam where a caller pretends to be a CISA rep and claims to have knowledge of the potential victim’s questionable behavior.  The caller then attempts to extort the potential victim.

CISA says not to fall for the scam, do not pay the extortion and contact the FBI.  Source: Homeland Security.

Senate Committee Approves $250 Mil for Utility Security

The PROTECT program would provide grants for utilities to improve their security. Given that a carefully distributed government report says that the Russians (and not the Chinese) have compromised a number of US utilities already, improving security is probably a smart idea. The nice part is that it is a grant. The important part is that the money would be spread out over 5 years, so in reality, we are talking about spending $50 million a year. It also seems to be focused on electric and doesn’t seem to consider water or other utilities. There are around 3,300 electric utilities alone in the US. If we ignore everything but electric and spread the money equally (which of course, they won’t), every utility would get $15,000. That will definitely get the job done. NOT! Source: Nextgov

Smith & Wesson’s Online Store Hacked by Magecart

Lawrence Abrams of Bleeping Computer fame tried to warn Smith & Wesson that their online store had been compromised by the famous Magecart malware. They join the likes of British Airways (183 million Euro fine) and thousands of others. Abrams did not hear back from them by publication time. Source: Bleeping Computer

Another MSP Hit by Ransomware Attack

CyrusOne, one of the larger MSPs, was hit by a ransomware attack which affected some of their customers. As I said in my blog post earlier this week, attacks against MSPs are up because they are juicier targets.

In CyrusOne’s case, they said the victims were primarily in a data center in New York (which hopefully means that they have segmented their network), it did not affect their colo customers, only their managed customers (because in a colo, the provider does not have credentials to their customers’ servers) and they are investigating.

This is just one more reminder that you can outsource responsibility to a service provider, but the buck still stops with you when the provider is hacked. Source: MSSP Alert

Reuters Says Census Test Run in 2018 Was Attacked By Russia

Commerce outsourced the first digital census to Pegasystems and at last check the cost has doubled to $167 million.  More importantly, in a 2018 test, Russian hackers (not China) were able to penetrate a firewall and get into places where they should not have been.  In addition, the test was hit with DNS attacks.

Sources say this raises concerns whether T-Rex Solutions, the Commerce Department’s main security contractor, can keep the Russians out when the site actually goes live.  Or the Chinese. Or other countries that would like to embarrass us.

Census said (a) no comment, (b) no data was stolen (this was likely a reconnaissance test by the Russians, so no surprise) and (c) the system worked as designed (i.e. the Russians got in and we panicked).

Clearly if the Russians are able to compromise the Census, that would be a HUGE black eye for this President and the Executive Branch.

They can hide things during a test, but cannot hide them when it goes live, so let’s hope they are able to fix it. Source: Reuters