Cyber attacks target ISIS in a new line of combat – Q&A

A recent article in New York Times titled, “US Cyberattacks Target ISIS in New Line of Combat” highlights how the military is using computer-network attacks alongside traditional weapons for the first time.

Richard Cassidy, technical director EMEA at Alert Logic, has offered @DFMag some insight into this new “cyberbomb” tactic via Q&A.

What type of attack do you think the military might be using?

Richard Cassidy: “Government and military organisations have long been aware of the need to ensure effective capabilities in dealing with threats to national security in this new age of cyber warfare that we’ve seen proliferating quite rapidly over the past 3 to 5 years. Key considerations in any cyber warfare strategy will be based upon both disruptive operations and counter intelligence activities; ultimately working to render efforts (or potential targeted campaigns) by any terrorist or cyber-criminal group, either useless or of too high a risk to initiate in the first instance. Military organisations will quite clearly be working to understand the tools, techniques, tactics and procedures in use by these dissident groups and as such will be poised to proactively research and analyse how each threat proliferates from initial reconnaissance of targeted networks through to malware activity both within the targeted environment and external communication attempts to malicious domains/IPs. Overall we’ll find that the tools in operation won’t differ a great deal from what is already available openly on both the Internet and DarkWeb, which to all intents and purposes makes lives a great deal easier when conducting such operations.

The ability to disrupt will be born out of a diverse and constantly evolving toolset, allowing military organisations to disable environments where attacks may be launched (through Infrastructure based threats, DNS level attacks and blocking capabilities), in addition to monitoring key DarkWeb communication channels to monitor for creation and movement of malware that may be used by these organisations, with a view to identifying sources and disabling the chain at a grass roots level. Counter-Intelligence operations may well reap far more rewards in terms of taking the fight direct to the source(s) of such nefarious activity, often by reverse engineering malware through specially crafted environments designed to track and monitor this behaviour; a huge degree of detail can be retrieved, often leading military organisations right to a specific individual or group of individuals involved in terrorist or criminal activity from a cyber perspective.”

Is this the first time the military is using cyber attacks against ISIS? If so, why do you think the military is now implementing this tactic? Was it a technology issue?

Richard Cassidy: “It should be clear that cyber attacks have long been a tool in the arsenal of most military organisations across the globe, and we’ve seen some examples of this specifically when looking at breaches or attempted breaches against U.S. military and government organisations from other parts of the world. “State Sponsored” is a term we have become more accustomed to today, more than ever before and for obvious reason. How often governments have condoned or even utilised cyber attack capabilities as part of operations against known terrorist or criminal groups is a point of contention and clearly no reliable data source exists; it is however a key capability that we need to be able to execute on as a country, given the evolution of how these groups are now working to target nations, key infrastructure, utilities, security and public organisations.”

Will this set the “cyber” precedent for combat with future enemies?

Richard Cassidy: “We are already at a point where to implement an effective and reliable defence strategy in the interest of national security, there needs to be capabilities in both physical and virtual warfare approaches. We can no longer rely on just physical intelligence and operational activities to remain one step ahead of terrorist or criminal groups; we now have to focus a great deal of resource in cyber warfare activities, given that we are seeing increased activities by these groups in this area. If you look at the astonishing number of exploits and vulnerabilities that have existed in online environments (right across all industries), coupled with application weaknesses that can be targeted relatively easily, exposing weaknesses at the very gateway to key information stores and network infrastructures, then it’s no wonder at all that government and military organisations are already ensuring their own “cyber” capabilities in terms of protecting themselves. The path of least resistance still remains a key threat vector in all aspects of security and online warfare represents a key focus (as we’ve seen over the past several years) for terrorist organisations, given the ease at which these type of attacks can be instigated and sustained with relatively little resource overall.”



All ATMs can be hijacked with malware, Kaspersky says – expert comment

Kaspersky Labs research has shown that ATMs can easily be hacked by cyber criminals, meaning funds could be stolen.

Alex Cruz Farmer, VP of cloud at NSFOCUS IB, has the following expert comments:

Why are banks still using old models of ATMs that lack security?

“This is simple. A bank is an enterprise, and it is their prerogative to deliver profits for their staff and, most importantly, shareholders. With this mindset, ATMs and installations are delivered and deployed with a particular strategy to ensure a good return on investment. Looking at the UK, since ATM withdrawal fees are no longer a thing, I can absolutely understand the return on investment due to maintaining these would be much lower or take longer. With that in mind, updating and putting state of the art technologies within ATMs will be challenging. As we have also seen, the use of contactless payment methods and general card transactions are far exceeding cash. The last time I had to use hard cash was to enter a pub quiz!”

Why are hackers moving onto ATMs from hacking through internet banking?

“Hacking ATMs is straightforward. However it requires a physical person to commit the fraud. By that I mean having to physically attend an ATM, and install equipment. For example, a basic attack could be skimming equipment on the card reader. That alone is not foolproof, as many users of ATMs became vigilant and started covering their PIN numbers. Hackers got smarter and put an overlay on the keypad to log the PIN code as well, which made this successful. However, all of this still required someone to physically attend the machine to install and remove the equipment to receive the data or commit the act, and then return to ATMs to withdraw cash or remove the equipment. Generally, the withdrawals from skimming are limited to £250 at a time, and often people do not leave vast sums of money in their current accounts.

The move to internet banking is now taking the physical attendance away, unless done through social engineering of course. This not only allows criminals from anywhere in the world to attack their victims, it also means that generally they have access to much more funds. Many people in the UK have a main current account, a savings account, and perhaps an ISA for the more tax savvy of us. A one hit smash on an internet banking account could be as much as £25-100k or more. The worst part of this is that theft through internet banking can be automated.”

How can banks reduce the risk of these issues?

“I have a love-hate relationship with my two-factor banking provided security. On one hand, having to punch in digits to access my account, and then for any transaction to a new payee, having to qualify that with the amount, and their account number, is cumbersome. However, on the other hand, I do know that it takes some effort for a hacker to steal my money. Whilst this does sound flawless, it is for online attackers. However, for more organised crime, it would take the loss of just my debit card, which has all of my critical details on it, plus my PIN for them to be able to access my account and take funds. Whilst I do have extensive monitoring set up, the risk is still very prominent, as monitoring only protects me after the fact.

The difficulty again is that banks could absolutely increase security for their customers, but it would be at the risk of user experience. It’s a careful balance, and I believe improvements still could be made, perhaps around verification for transactions which are larger than a certain amount, and increasing threat intelligence relating to specific accounts which have been used for depositing stolen funds. There are maximum amounts that can be transferred from an account, however with Faster Payments today, the ability to transfer £10k between one account and another can be done in seconds. Once that transfer has been done, it can be repeated multiple times until the limit of that account has been hit.”
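The two controls suggested above (verification above a threshold, and intelligence on accounts used to receive stolen funds) can be combined with a simple velocity check that catches the “repeat a £10k transfer until the limit is hit” pattern. The following is an added example, not code from the commenter or from any bank; the limits, window and account identifiers are hypothetical and the transfers are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers (not real banking data):
# (source account, destination account, amount in GBP, ISO timestamp).
SAMPLE_TRANSFERS = [
    ("acct-A", "acct-X", 10000, "2016-04-12T09:00:00"),
    ("acct-A", "acct-X", 10000, "2016-04-12T09:00:07"),
    ("acct-A", "acct-X", 10000, "2016-04-12T09:00:15"),
    ("acct-B", "acct-Y", 250,   "2016-04-12T09:05:00"),
    ("acct-B", "acct-Z", 12000, "2016-04-12T10:00:00"),
    ("acct-C", "acct-X", 4000,  "2016-04-12T11:00:00"),
]

# Hypothetical policy values. A single transfer above SINGLE_LIMIT needs
# step-up verification; so does a series of transfers to one payee within
# WINDOW whose total exceeds SERIES_LIMIT, even when every individual
# payment stays at or below SINGLE_LIMIT.
SINGLE_LIMIT = 10000
SERIES_LIMIT = 20000
WINDOW = timedelta(minutes=5)

# Constructed threat-intelligence list: destination accounts previously
# seen receiving stolen funds.
KNOWN_MULE_ACCOUNTS = {"acct-X"}


def flag_transfers(transfers):
    """Return a list of (index, reason) pairs for transfers that should be
    held for step-up verification. Transfers are evaluated in time order;
    the index refers to the position in the input list."""
    ordered = sorted(enumerate(transfers), key=lambda item: item[1][3])
    flags = []
    # Sliding window of (timestamp, amount) per (source, destination) pair.
    recent = defaultdict(list)
    for idx, (src, dst, amount, ts) in ordered:
        when = datetime.fromisoformat(ts)
        reasons = []
        if amount > SINGLE_LIMIT:
            reasons.append("single transfer above limit")
        if dst in KNOWN_MULE_ACCOUNTS:
            reasons.append("destination on mule-account list")
        bucket = recent[(src, dst)]
        bucket.append((when, amount))
        # Discard earlier transfers that have aged out of the window.
        bucket[:] = [(t, a) for t, a in bucket if when - t <= WINDOW]
        total = sum(a for _, a in bucket)
        if len(bucket) > 1 and total > SERIES_LIMIT:
            reasons.append(
                f"{len(bucket)} transfers totalling {total} within window")
        for reason in reasons:
            flags.append((idx, reason))
    return flags


if __name__ == "__main__":
    for idx, reason in flag_transfers(SAMPLE_TRANSFERS):
        print(idx, SAMPLE_TRANSFERS[idx], "->", reason)
```

The third £10,000 transfer from acct-A is held because the series total exceeds the limit, while the single £12,000 transfer from acct-B is held on the per-transfer rule alone.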

What other things can be done to protect banking infrastructure from such ATM attacks?

“If ATMs were treated the same way as we treat security appliances, or secure data stores, meaning tamper-proof blackboxes, any tampering causes them to lockdown, or in some cases wipe themselves, followed by an alert and a lockdown, then any attempts at hacking them would be much more difficult or hopefully near impossible. Even vendors like Intel have created free technology built in their processors to deal with detecting malware on boot, so the solutions are there to be utilised.”



German nuclear plant suffers cyber attack designed to give hackers remote access – expert comment

The Telegraph has reported that a nuclear power plant in Germany has been found to be infected with computer viruses. The Gundremmingen plant, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE. The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualisation software associated with equipment for moving nuclear fuel rods, RWE said.

Alex Cruz Farmer, VP of cloud at NSFOCUS IB, offered the following expert comment:

“This is a fantastic example of where the Internet of Things, as well as BYOD (Bring Your Own Device) adoption, without the consideration of security has created a huge risk to an organisation. Almost every person who walks around today has a USB stick, or a device which can be turned into a removable drive – even your iPhone. With businesses now issuing laptops, rather than the traditional desktops, and also more of the worldwide workforces taking their work home with them, means we are, without knowing it, more susceptible to infection. The saving grace here is that the German power plants were isolated from the internet, which is becoming more and more of a technique for Enterprises to protect themselves.”



Expert opinion for users affected by Minecraft “Lifeboat” breach.

Recently over seven million members of the independent Minecraft “Lifeboat” community have had their security and privacy put at risk after hackers breached servers and stole usernames, email addresses and MD5-hashed passwords.

Ken Spinner, VP of global field engineering at Varonis, offers the following expert opinion for children (and parents):

“Children need to be taught the value of information and the importance of keeping it safe. Personal information that they share in-person or online is like putting a coin in someone else’s piggy bank – be careful what you share, and with whom, because some people and businesses guard their piggy banks better than others. Some basic guidelines that children (and their parents) should follow:

Don’t use the same password in more than one place.
Don’t make passwords easy to guess.
Don’t share them with your friends.
Change passwords regularly – monthly.

If you have a choice, share information with businesses and web sites that take security seriously – support for multi-factor authentication is a good start.”



Hacking smart cars without an Internet connection

Recently a Chinese hacker who goes by Daishen claimed he can hack the Volkswagen Touareg, Audi A6, Audi A7 and more, without an internet connection, through the car’s GPS and stereo systems, exploiting flaws in the car’s security layers.

On this, @DFMag had the following exclusive comment from Automotive Cyber Security expert Jim Ogilvie, founder of EP90group Ltd.

“Irrespective of the various potential technologies, processes and policies, for any viable system of connected and autonomous vehicles to thrive, the twin requirements of security and safety must satisfy a public acceptance test and have a resilient confidence level.
Most markets are familiar with an annual vehicle certification of roadworthiness. It is a limited assurance that provides a certification that at a moment in time a vehicle was deemed roadworthy from a safety perspective to all road users. To maintain public confidence in connected and autonomous vehicles that have an increasing proportion of software, with numerous communications protocols and over-the-air updates it is easily argued that electrical and/or electronic (E/E) security should come within the purview of this annual roadworthiness assessment and a new approach to testing will be required.

Modern vehicles have legacy systems of technology fused with tomorrow’s architecture, e.g. CAN and LIN with automotive ethernet. Today’s vehicles have complex communications protocols including GSM, Wifi, Dedicated short range communications (DSRC), Lidar, RFID, and Bluetooth, and a variety of access points to vehicle networks that will support V2V, V2I and V2X communications (IEEE 802.11a/b/g/n and IEEE 802.11p as well as LTE-V). Increasingly we will see a migration to off-board processing and the sensors on vehicles will increasingly serve a wider interest, where vehicular resources become an integral part of the existing infrastructure, blending the Internet of Vehicles into the Vehicles of the Internet. All this has to be assured as safe and secure.

Over the past twelve years numerous insecurities have been highlighted that are not dependent on internet connectivity or broadcast signals such as DAB radio; however, whilst it is important to identify vulnerabilities and exploits, it is vital for us to turn our collective attention to approaching the design and development process with security integrated throughout. This may necessitate a whole new approach to vehicle architecture, and maybe we cannot rely on ‘separation’, ‘gateways’ and ‘bug bounties’ as a way forward in the longer term. With concepts and initiatives such as Attacker-in-the-loop (AIL), Tested-in-the-wild (TIW) and the application of blockchain technologies this may be achieved.

What is clear is that the role of forensic examination and potential for the presentation of information for a range of investigations will be a vital component to ensure a public acceptance and confidence in connected and autonomous vehicles.”

About the Author
Jim Ogilvie is founder and owner of EP90group Ltd, a diversified company spanning security and investigations. With a specialist consultancy business and a growing automotive cyber security business amongst the businesses within the group, Jim is fusing past careers to explore new solutions, bringing together Government security, commercial cyber security and automotive engineers to create unique and different solutions to emerging insecurity.
A former Senior UK Police Officer, Jim was a detective for over 20 years and was head of Cyber for UK Counter Terrorism Policing and Programme Director for a National Digital Exploitation Service.

Jim was the first UK police officer to be appointed as a technical advisor to UK Secretaries of State. Having been a Senior Investigating Officer for Serious & Organised Crime, Counter Corruption and Counter Terrorism Investigations, Jim has been involved with some of the UK’s most high profile investigations and has a keen interest in investigation methodology and innovating cyber investigation. Having started his working life as an Automotive Engineer, Jim is now fusing interest areas and is actively pursuing research into Automotive Cyber Security.



Could IoT devices become victims of ransomware?

In a recent report from ICIT entitled “Combatting the Ransomware Blitzkrieg”, the authors James Scott and Drew Spaniel make the point that “It is not inconceivable that malware, and ransomware in particular, will eventually target IoT devices.” They cited the scenario of someone paying to remove ransomware from a pacemaker, which could ultimately drain the battery. Commenting, Cesare Garlati, chief security strategist for the prpl Foundation, said:

“prpl agrees that connected devices represent a major threat to consumers and the public at large due to poor or non-existent security in place to help protect them. Ransomware, however, is traditionally used for criminals to prevent users from accessing important data or files. This is an important distinction to make, as connected devices generally do not store any valuable information or personal content. Having said that, they do make up critical devices, such as the home router – and while there is no information to encrypt, it does sit at the edge of the home network and in that way it will be attractive to attackers who may be able to penetrate it to pursue the home network.

“The distinction here is between actually placing ransomware on a connected device, which is unlikely since connected devices themselves tend not to contain data, or using that connected device as a gateway to users’ critical information, which is more likely.”

He goes on to elaborate on how securing devices at the chip or hardware level can solve this problem, and on how manufacturing devices that are “always connected” via the internet is not necessary and can needlessly expose consumers to data theft.



A Gathering of Big Data & Smart Cities Experts in Singapore

SINGAPORE – Experts from the Big Data & Smart Cities related industries have recently gathered at Marriott Singapore Tang Plaza for BIGIT Technology Singapore 2016, featuring the 3rd Big Data & Smart Cities World Show conference. The two-day conference, sponsored by HPE (Platinum Sponsor), Cloudera, Marklogic and Talend (Gold Sponsors), saw a gathering of about 100 local and overseas attendees from Singapore, Malaysia, USA, Spain, China, Korea, Saudi Arabia, Australia, India and the Philippines, all with the same objective and mission – to gain a comprehensive learning experience related to Smart Cities and build an interactive network with global ICT leaders.

This 3rd Big Data & Smart Cities World Show, with the theme “Shaping the Future with Big Data and the Internet of Things towards Building a Smart City”, highlighted significant key areas of Big Data and the Internet of Things (IoT) in changing businesses and people’s lives in line with the implementation of Smart Cities. With a total of 23 speakers from various fields, 14 case studies and 4 panel discussions shared during the conference, attendees also had the chance to learn and explore the latest technologies used to build smart cities with the implementation of big data analytics and IoT. One attendee summed up the event with the feedback: “Thanks a lot for getting me an opportunity to witness the future. I thoroughly enjoyed the event and have gained a lot of insights.”

Olygen, the event organiser will also be kicking off its third event this year, known as BIGIT Technology Malaysia 2016, which will feature two concurrent conferences: the 4th Big Data World Show and Data Security World Show and the BIGIT Exhibition on 19th and 20th September at KLCC Convention Centre, KL Malaysia. Co-organised by Multimedia Development Corporation (MDeC) – Malaysia’s government agency leading the national Big Data Analytics initiative, the event will be the Anchor Event of the Big Data Week Asia 2016. To find out more about BIGIT Technology Malaysia, please visit:

For more information, please contact:

Chia Li, Teh
Tel: +603 – 2261 4227
Email:





Cyber attack on Lithuanian Parliament – expert comment

During a gathering of World Congress of Crimean Tatars, and an international conference on Mass Violations of Human Rights in Occupied Crimea on Monday April 11, the Lithuanian parliament (Seimas) website suffered a cyber attack. Cerniauskas also confirmed that the so-called DDoS attack had been carried out from at least 10,000 computers from each continent.

Aftab Afzal, SVP & GM EMEA at NSFOCUS IB, offered @DFMag the following expert comment:

“We often see and hear of similar types of DDoS attacks targeting major political events that have an online element which, in today’s terms, mean most major events. Online political events and parliamentary services are subjected to prolonged and multi vector cyber attacks. Waiting for an event before implementing protection is a high risk strategy, as anything deployed in a hurry will invariably have limited results and, more often than not, will have a wider impact. Service denigration is common without correct scoping, provisioning, learning and configuration. We always advise our clients and partners to explore and build protection services in plenty of time to ensure they can withstand even the most complex attacks without service impact.”



44,000 Federal Deposit Insurance Corporation Customers Breached – Expert Comment

The Washington Post has reported that data on roughly 44,000 Federal Deposit Insurance Corporation customers was recently breached accidentally by a departing employee.

Commenting on this, David Gibson, VP of strategy and market development at Varonis, said: “A vast number of data breaches are due to insiders, malicious or otherwise. The root of the problem is that most employees have access to far more information than they need to do their jobs, and their data activities are not monitored or analysed for malicious behaviour. This is especially true for unstructured data – the largest, fastest growing kind of data that often contains an organisation’s intellectual property, financial records, and other important content. As a result, low-level workers can access and make off with highly sensitive information, often without anyone knowing. To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm’s way.”



Extensive Malvertising campaign hits Dutch websites

Yesterday, the FOX-IT Security Operations Centre started to see an increase in exploit kit related incidents. The incidents originated from a large malvertising campaign hitting the Netherlands. The list of affected websites spreads across most of the popular Dutch sites, with at least 288 websites being affected. Paul Fletcher, cyber security evangelist at Alert Logic, told @DFMag:

“Advertising networks/brokers can only do so much, because the biggest problem with malvertising has more to do with browser and plug-in settings. Delivering dynamic content to every browser (and version level) and a variety of plug-ins (like Java or Flash) and their version level is a difficult task. Malicious attackers know that browser and plug-in security is more of a “user” responsibility and “users” act differently to pop-ads etc. Advertising networks/brokers could do more to protect their customers, however each “user” would need to help fix this issue. The advertising network/brokers could build in browser and plug-in intelligence into their code and NOT run if the browser and plug-in settings don’t meet a certain standard, however the way to fix the problem is to prompt the user to update their settings (which is counter to good user behaviour…clicking on a link to “update” plugins) or NOT deliver the marketing content (which is counter to ads in the first place).

Malvertising is still a problem because of possible zero day threats to browser-based plug-ins. Also, most end users don’t update their browsers and plug-ins in a timely manner. Organisations should maintain a minimum baseline for browser versions and plug-ins, have a process to identify and remediate “out of compliance” browsers and include browser and plug-in settings in their Patch Management system.

Advertising networks/brokers could try to enforce a “minimum” version level for browsers and plug-ins, but that is a difficult task that is dynamically changing. Users can disable plug-ins (but probably won’t because it causes a disruption to their web browsing experience) and be willing to use other browsers with the proper updates (again, that changes the web browsing experience and takes time and effort on the users part). Finally, users can use browsers that currently support “sandboxing” technology, like Google Chrome, Internet Explorer and Microsoft Edge.”
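The browser and plug-in baseline described above needs a process that finds the endpoints falling below it. The following is an added example, not code from Alert Logic or the commenter: it audits a constructed inventory against a hypothetical minimum-version baseline and reports each non-compliant host with the reason, comparing versions numerically so that 9.1 is not ranked above 11.0:

```python
import re

# Hypothetical minimum baseline: browser or plug-in name -> lowest acceptable
# version as a tuple. The values are constructed for illustration only.
BASELINE = {
    "chrome": (50, 0),
    "firefox": (45, 0),
    "msie": (11, 0),
    "java": (8, 91),
    "flash": (21, 0),
}

# Constructed endpoint inventory (not real data), one host per line:
# host|browser/version|plugin/version,plugin/version,...
# An empty plug-in field means no plug-ins are installed.
SAMPLE_INVENTORY = """\
ws-01|chrome/50.0.2661|flash/21.0.0,java/8.91
ws-02|chrome/48.0.2564|flash/21.0.0
ws-03|firefox/45.0|java/8.77
ws-04|msie/11.0|flash/20.0.0,java/8.91
ws-05|safari/9.1|
ws-06|firefox/46.0|
"""


def parse_version(text):
    """Turn '50.0.2661' into (50, 0, 2661) so comparison is numeric."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def check_component(name, version):
    """Return None when the component meets the baseline, else a reason.
    Software absent from the baseline is reported too: an unmanaged
    browser is itself a gap in the patch process."""
    minimum = BASELINE.get(name)
    if minimum is None:
        return f"{name} not in baseline"
    if parse_version(version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        return f"{name} {version} below minimum {wanted}"
    return None


def audit_inventory(inventory_text):
    """Return {host: [reasons]} for every host that is out of compliance."""
    findings = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, browser, plugins = line.split("|")
        components = [browser] + [p for p in plugins.split(",") if p]
        reasons = []
        for component in components:
            name, _, version = component.partition("/")
            reason = check_component(name.lower(), version)
            if reason:
                reasons.append(reason)
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(reasons))
```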

Fraser Kyne, regional SE director at Bromium, had the following further comments:

“Malvertising is highly effective because cyber criminals can target their attacks to specific demographics and deliver them with tremendous volume. The online advertising model is such that ad networks simply cannot verify the validity of each and every advertisement it serves, which ultimately passes the cost of security onto security teams. In order to prevent malvertisements, and other endpoint attacks, organisations should invest in strong endpoint protection. Most traditional endpoint protection solutions are failing because they rely on detection, which allow many attacks to succeed. Instead, organisations should investigate proactive protection, in the form of prevention, such as endpoint threat isolation or virtualization based security. Additionally, ad-blocking browser extensions can be a highly effective way of mitigating malvertising attacks.”