Entries Tagged "ICS"

Page 1 of 4

Iranian Attacks on Industrial Control Systems

New details:

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.

[…]

The hackers’ motivation—and which industrial control systems they’ve actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. “They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” says Moran. “They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”

It’s unclear whether the attackers are causing any actual damage, or just gaining access for some future use.

Posted on December 17, 2019 at 6:05 AMView Comments

Pinging the Entire Internet

Turns out there’s a lot of vulnerable systems out there:

Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could to let anyone take control of them.

On Tuesday, Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.

[…]

The new work adds to other significant findings from Moore’s unusual hobby. Results he published in January showed that around 50 million printers, games consoles, routers, and networked storage drives are connected to the Internet and easily compromised due to known flaws in a protocol called Universal Plug and Play (UPnP). This protocol allows computers to automatically find printers, but is also built into some security devices, broadband routers, and data storage systems, and could be putting valuable data at risk.

Posted on April 30, 2013 at 6:11 AMView Comments

Phishing Has Gotten Very Good

This isn’t phishing; it’s not even spear phishing. It’s laser-guided precision phishing:

One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change.

“The message had the subject line ‘China and Climate Change’ and was spoofed to appear as if it were from a legitimate international economics columnist at the National Journal.”

The cable continued: “In addition, the body of the email contained comments designed to appeal to the recipients as it was specifically aligned with their job function.”

[…]

One example which demonstrates the group’s approach is that of Coca-Cola, which towards the end was revealed in media reports to have been the victim of a hack.

And not just any hack, it was a hack which industry experts said may have derailed an acquisition effort to the tune of $2.4bn (£1.5bn).

The US giant was looking into taking over China Huiyuan Juice Group, China’s largest soft drinks company—but a hack, believed to be by the Comment Group, left Coca-Cola exposed.

How was it done? Bloomberg reported that one executive—deputy president of Coca-Cola’s Pacific Group, Paul Etchells—opened an email he thought was from the company’s chief executive.

In it, a link which when clicked downloaded malware onto Mr Etchells’ machine. Once inside, hackers were able to snoop about the company’s activity for over a month.

Also, a new technique:

“It is known as waterholing,” he explained. “Which basically involves trying to second guess where the employees of the business might actually go on the web.

“If you can compromise a website they’re likely to go to, hide some malware on there, then whether someone goes to that site, that malware will then install on that person’s system.”

These sites could be anything from the website of an employee’s child’s school – or even a page showing league tables for the corporate five-a-side football team.

I wrote this over a decade ago: “Only amateurs attack machines; professionals target people.” And the professionals are getting better and better.

This is the problem. Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we’ve been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.

It’s a matter of motive. To a criminal, all files of credit card numbers are equally good, so your security depends in part on how much better or worse you are than those around you. If the attacker wants you specifically—as in the examples above—relative security is irrelevant. What matters is whether or not your security is better than the attackers’ skill. And so often it’s not.

I am reminded of this great quote from former NSA Information Assurance Director Brian Snow: “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

Actually, that whole essay is worth reading. It says much of what I’ve been saying, but it’s nice to read someone else say it.

One of the often unspoken truths of security is that large areas of it are currently unsolved problems. We don’t know how to write large applications securely yet. We don’t know how to secure entire organizations with reasonable cost effective measures yet. The honest answer to almost any security question is: “it’s complicated!”. But there is no shortage of gungho salesmen in expensive suits peddling their security wares and no shortage of clients willing to throw money at the problem (because doing something must be better than doing nothing, right?)

Wrong. Peddling hard in the wrong direction doesn’t help just because you want it to.

For a long time, anti virus vendors sold the idea that using their tools would keep users safe. Some pointed out that anti virus software could be described as “necessary but not sufficient” at best, and horribly ineffective snake oil at the least, but AV vendors have big PR budgets and customers need to feel like they are doing something. Examining the AV industry is a good proxy for the security industry in general. Good arguments can be made for the industry and indulging it certainly seems safer than not, but the truth is that none of the solutions on offer from the AV industry give us any hope against a determined targeted attack. While the AV companies all gave talks around the world dissecting the recent publicly discovered attacks like Stuxnet or Flame, most glossed over the simple fact that none of them discovered the virus till after it had done it’s work. Finally after many repeated public spankings, this truth is beginning to emerge and even die hards like the charismatic chief research officer of anti virus firm FSecure (Mikko Hypponen) have to concede their utility (or lack thereof). In a recent post he wrote: “What this means is that all of us had missed detecting this malware for two years, or more. That’s a spectacular failure for our company, and for the antivirus industry in general.. This story does not end with Flame. It’s highly likely there are other similar attacks already underway that we havn’t detected yet. Put simply, attacks like these work.. Flame was a failure for the anti-virus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”

Posted on March 1, 2013 at 5:05 AMView Comments

Pentagon Staffs Up U.S. Cyber Command

The Washington Post has the story:

The move, requested by the head of the Defense Department’s Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians.

[…]

The plan calls for the creation of three types of forces under the Cyber Command: “national mission forces” to protect computer systems that undergird electrical grids, power plants and other infrastructure deemed critical to national and economic security; “combat mission forces” to help commanders abroad plan and execute attacks or other offensive operations; and “cyber protection forces” to fortify the Defense Department’s networks.

This is a big deal: more stoking of cyber fears, another step toward the militarization of cyberspace, and another ratchet in the cyberwar arms race. Glenn Greenwald has a good essay on this.

Posted on February 1, 2013 at 12:36 PMView Comments

Hackers Use Backdoor to Break System

Industrial control system comes with a backdoor:

Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. “[Th]e published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login,” said the memo.

The security of this backdoor is secrecy. Of course, that never lasts:

Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

Posted on December 26, 2012 at 6:05 AMView Comments

Stoking Cyber Fears

A lot of the debate around President Obama’s cybsersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general.

It’s difficult to have any serious policy discussion amongst the fear mongering. Secretary Panetta’s recent comments are just the latest; search the Internet for “cyber 9/11,” “cyber Pearl-Harbor,” “cyber Katrina,” or—my favorite—”cyber Armageddon.”

There’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.

But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyberterrorism rhetoric would lead you to believe. Cybercrime continues to rise, and still poses real risks to those of us who work, shop, and play on the Internet. And cyberdefense needs to be part of our military strategy.

Industry has definitely not done enough to protect our nation’s critical infrastructure, and federal government may need more involvement. This should come as no surprise; the economic externalities in cybersecurity are so great that even the freest free market would fail.

For example, the owner of a chemical plant will protect that plant from cyber attack up to the value of that plant to the owner; the residual risk to the community around the plant will remain. Politics will color how government involvement looks: market incentives, regulation, or outright government takeover of some aspects of cybersecurity.

None of this requires heavy-handed regulation. Over the past few years we’ve heard calls for the military to better control Internet protocols; for the United States to be able to “kill” all or part of the Internet, or to cut itself off from the greater Internet; for increased government surveillance; and for limits on anonymity. All of those would be dangerous, and would make us less secure. The world’s first military cyberweapon, Stuxnet, was used by the United States and Israel against Iran.

In all of this government posturing about cybersecurity, the biggest risk is a cyber-war arms race; and that’s where remarks like Panetta’s lead us. Increased government spending on cyberweapons and cyberdefense, and an increased militarization of cyberspace, is both expensive and destabilizing. Fears lead to weapons buildups, and weapons beg to be used.

I would like to see less fear mongering, and more reasoned discussion about the actual threats and reasonable countermeasures. Pushing the fear button benefits no one.

This essay originally appeared in the New York Times “Room for Debate” blog. Here are the other essays on the topic.

Posted on October 19, 2012 at 7:45 AMView Comments

1 2 3 4

Sidebar photo of Bruce Schneier by Joe MacInnis.