Monday, April 30, 2012

Russian Hackers Made $4.5 Billion in Cyber Crime

Russians are hacking into computers and cell phones to make millions!


Few nationalities are as good at making money from hacking as the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud.


Earlier this year, Facebook blew the cover off the malware gang Koobface. All five of its members were Russians from St. Petersburg. Eugene Kaspersky, the CEO of software security firm Kaspersky Lab, also based in Moscow, said that the Koobface gang had become millionaires thanks to their hacking skills. “The cybercrime market originating from Russia costs the global economy billions of dollars every year,” said Ilya Sachkov, Group-IB’s CEO.


“Although the Russian government has taken some very positive steps, we think it needs to go further by changing existing law enforcement practices, establishing proper international cooperation and ultimately improving the number of solved computer crimes.”


The word “hacking” can cause tempers to flare up to 120 degrees or more among hard core computer geeks. Not all hacking is intolerable, or illegal. But a lot of it is, and the Russian computer geniuses walk the red carpet within the international hacker community.


Refer here to read the full news.

Sunday, April 29, 2012

The Risk of Social Engineering on Control Systems

Social engineering provides an effective means for attackers to gain access to systems


While many social engineering attempts, such as those that we receive in our inbox every day in the form of spam and phishing emails, are easy for most to recognize, these attempts can also be highly targeted and conducted in a way that is much more difficult to detect.


Phone-based social engineering attempts were recently experienced at two or more power distribution companies. The utilities received a call from a representative of a large software company – yes, the one that sold them the operating system on their computers – warning them that their PCs had viruses and to “Please take the following steps so I can help you correct the problem.” 


The calls purported to be from the “Microsoft Server Department” informing the utilities that they had a virus. Of course, it wasn’t really Microsoft calling, but rather an attacker, attempting to socially engineer the utilities to gain access to their systems. The caller tried to convince the transmission managers to start certain services on their computer (likely, those services would have allowed unauthorized remote access).


Fortunately for the customers of those utilities, the transmission managers recognized the social engineering attempts, refused to comply, and hung up. This event points out the need for continued vigilance for everyone involved in critical infrastructure, particularly regarding recognition of social engineering attempts.


If you are unsure whether the request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided in a URL or link connected to the request; instead, check previous statements or go to the website directly for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).


ICS-CERT recommends that organizations remind users to review US-CERT TIP Avoiding Social Engineering and Phishing Attacks to learn more about what to look out for and what to do if you have fallen victim to this. If you have experienced something similar or think you have revealed sensitive information about your organization, ICS-CERT recommends reporting it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.


In addition, immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future. ICS-CERT also encourages reporting these incidents to ICS-CERT or your local ISACs for tracking and correlation.


ICS-CERT issued an alert on the US-CERT Secure Portal warning asset owners and operators of this observed activity. ICS-CERT often releases information pertaining to a wide variety of threats on the US-CERT Secure Portal as well as to the ICS-CERT public web page.


Asset owners and operators can request access to this vetted access portal by e-mailing ICS-CERT@dhs.gov.

Source: http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_March_2012.pdf and infosecisland.

Thursday, April 26, 2012

The Risks Of Cloud Computing in Plain English

Know the Risks Before You Head to the Cloud


A "cloud" solution is generally typified by remote access to computing resources and software functionality and frequently involves the storage and maintenance of related data. Today, cloud computing facilitates applications, e-mail, peer-to-peer communication, content sharing, and electronic transactions or storage for nonprofits. 


In many respects, the “cloud” has become a synonym for the “Internet” as cloud computing now encompasses nearly all available computing services and resources. Cloud offerings utilized by nonprofits tend to come in three flavors. Infrastructure as a Service (IaaS) offerings deliver information technology infrastructure assets, such as additional computing power or storage. 


Platform as a Service (PaaS) offerings provide a computing platform with capabilities, such as database management, security, and workflow management, to enable end users to develop and execute their own applications. And, Software as a Service (SaaS) offerings provide software applications on a remotely accessible basis. SaaS offerings are probably the most commonly understood type of "cloud" solution.


These offerings create flexibility and potentially lower costs for the cloud customer. It is therefore not surprising that this type of computing solution has rapidly become a key component to the operation of many nonprofit organizations. Despite these potential benefits, cloud computing doesn't come without risk.


Below is a list of legal risks and issues for a nonprofit to consider when procuring or using a cloud solution. These risks and issues can appear as either a contractual or an implementation issue. 


Take It or Leave It: Many cloud solution agreements are non-negotiable or more favorable to the provider than the end user, which places a greater emphasis on pre-negotiation analysis in order to work around inflexible contracts.


All Services, All the Time: All computing and software providers are morphing into service providers, and this change may impact the fee structure, term length, and available warranties.


Law Is Behind the Times; Contracts Even More Important: Existing laws and governance models have not kept pace with technological development, and this may leave the contract as the only means for dispute resolution.


It's All Online: Privacy and information security concerns will only increase with cloud usage.


Less Control of Subcontractors: Cloud providers tend to use subcontractors for hosting, storage, and other related services, and these subcontractors may not be readily known or otherwise liable or responsible for performance under the agreement.


Some Things May Not Be Worth the Risk: The inherent risks associated with cloud computing may make its utilization inappropriate for mission-critical I.T. services or resources.


Not Everybody is on the Same Page: Different cloud solutions on different hardware may increase the possibility of incompatibility with outside software or network systems, i.e., compatibility will be dictated by the provider and not by the customer.


Know Your SLAs: Service level agreements (SLAs) vary and may be inadequate and unchangeable.


General Outages May Be Likelier: Shared resources may increase susceptibility to a single point of failure. 


Only What You Need: The terms of a license agreement may not fit the service being offered, e.g., cloud providers may grant themselves a greater right to use a customer’s data or materials than necessary to provide the cloud solution.


Own Your Data: It will be more imperative than ever to hold on to the ownership and secrecy of data and materials used with the cloud solution in order to retain rights and ensure confidential treatment.


Don't Allow a Vendor to Have Zero Responsibility: Be wary of excessive disclaimers and limits and seek the implementation of a credit or refund structure to address outages and downtime.


Am I Covered? Check available insurance policies and consider the insurance policy of the cloud provider to determine if it covers business interruption caused by vendor failure.


Know the Exits: Know how to terminate a relationship with a cloud provider and plan for how such termination will unfold in order to minimize disruption caused by transitioning to a new service provider.


Where's Your Data? Understand where a copy of all stored data is physically located.


Seek Jurisdictional Clarity: Data transfer is easy and can create jurisdictional issues because the sites where data is located or transferred and where the related services are performed or received can and will typically be different.


You Need Access to Your Data: Know how to access, audit, hold, and retrieve all data or understand the limits on such data access because regulations and e-discovery rules may mandate particular data storage, protection, and transfer protocols.


Don't Forget Compliance with Law: Regulatory compliance may extend to the cloud provider, particularly, for health, financial, educational, or children’s data, and laws and regulations governing privacy and information security.


Rules Are Different Overseas: The United States has more permissive data and database rules than many other countries, particularly by comparison to Europe, where greater restrictions and rights exist.


Will It Still Be There When Disaster Strikes? Understand the cloud providers' business continuity and disaster recovery practices.


Incorporate Overall Risk Management Strategies: Cloud computing risks may expand the notion of risk from I.T. management to operational management or regulatory compliance.


Everybody Is a Renter: Limited-term software licenses will become the norm with customers not having any ownership rights in the software copy being licensed.

Summary


Courts, governmental authorities, and industry standard-setting bodies may address some of the foregoing concerns. But, until then, organisations considering cloud computing solutions will need to look to their written contracts as the primary vehicle to protect their rights and ensure performance.


Moreover, careful due diligence of cloud providers becomes key. Organisations therefore should consider multiple providers and should not make decisions based purely on cost. Instead, organisations should seek references and involve their key decision-makers and outside advisors to assist with the procurement process in order to ensure a thorough evaluation of the potential risks and issues with cloud computing.   

Tuesday, April 24, 2012

Managing The Threat Landscape for SAP Systems

A Ten Step Guide to Implementing SAP’s New Security Recommendations


SAP issued a revamped version of the whitepaper Secure Configuration of SAP Netweaver Application Server using ABAP, which is rapidly becoming the de-facto standard for securing the technical components of SAP.


According to SAP, the guidance provided in the whitepaper is intended to help customers protect “ABAP systems against unauthorized access within the corporate network”. In fact, many of the recommendations can also be used to protect SAP systems against remote attacks originating outside such a network. These attacks are targeted at the technical components of SAP Netweaver that are responsible for managing user authentication, authorization, encryption, passwords and system interfaces, as well as underlying databases and operating systems.


Breaches in these components can enable attackers to take complete control of an SAP environment. The following is a quick guide to help you comply with SAP’s recommendations.


1. Disable unnecessary network ports and services. In most cases, this means blocking all connections between end user networks and ABAP systems other than those required by the Dispatcher (port 32NN), Gateway (33NN), Message Server (36NN) and HTTPS (443NN). NN is a placeholder for your SAP instance number. Administrative access should only be allowed through secure protocols such as SSH and restricted to dedicated subnets or workstations through properly configured firewall rules.


2. Install the latest version of SAP GUI. This should be 7.10 or 7.20 with activated security rules configured with the ‘Customized’ setting and the ‘Ask’ default action.


3. Implement strong password policies, restrict access to password hashes in tables and activate the latest hashing algorithms. SAP does not specify the exact settings for password policy parameters but you should use frameworks such as the PCI DSS as a proxy. Refer to section 8.5 of the standard. Default passwords should be changed for standard users and the password hashing mechanism should be upgraded to the latest version available for your system. Wherever possible, downward-compatible hashes should be removed from the database.


4. Enable SNC and SSL. SAP client and server communication traffic is not cryptographically authenticated or encrypted by default. Therefore, data transmitted within SAP networks can be intercepted and modified through Man-In-The-Middle attacks. Secure Network Communication (SNC) should be used for mutual authentication and strong encryption. This can be performed natively if both servers and clients run on Windows. You will need to use a third party product to secure connections between heterogeneous environments such as AIX to Windows. SNC will secure network communication using the SAP DIAG and RFC protocols. For Web-based communication, you should switch to HTTPS/SSL and restrict access to the relevant cryptographic keys.


5. Restrict ICF services. Many of the services enabled by default in the Internet Communication Framework (ICF) are open to abuse and could enable unauthorized and malicious access to SAP systems and resources. At a very minimum, you should deactivate the dozen or so services mentioned by SAP in the white paper. This can be performed through transaction SICF.


6. Secure Remote Function Calls (RFC). Wherever possible, remove trust relationships between systems with differing security classifications and hardcoded user credentials in RFC destinations. The belief that RFC connections using SAP_ALL privileges are fine as long as the user type is set to dialog is a myth. This represents a serious risk to the integrity of information in SAP systems.


7. Secure the SAP Gateway. The Gateway is used to manage RFC communications which support SAP interfaces such as BAPI, ALE and IDoc. Access Control Lists (ACL) should be created to prevent the registration of rogue or malicious RFC servers which can lead to the interruption of SAP services and compromise data during transit. You should also enable Gateway logging and disable remote access.


8. Secure the SAP Message Server. The Message Server is primarily a load balancer for SAP network communications. Similar to the Gateway, it has no default ACL which means it is open to the same type of attacks. You should filter access to the Message Server port using a firewall and create an ACL for all required interfaces.


9. Regularly patch SAP systems. Implement missing SAP Security Notes and patch systems at least once a month. Security Notes can be downloaded from the SAP Service Market Place.


10. Regularly monitor the SAP security configuration. Standard SAP services such as EarlyWatch (EWA) and the Computing Center Management System (CCMS) can be used to monitor some security-relevant configurations. However, they do not provide the same coverage as professional-grade security tools such as those used to perform SAPSCAN, a vulnerability assessment specifically engineered for SAP systems. SAPSCAN automatically reviews the configuration of your SAP environment against SAP security recommendations and hundreds of other vulnerabilities not included in the SAP white paper.
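As an added example (not Layer Seven Security's SAPSCAN tool and not SAP code), the following script derives the step 1 ports from an instance number and audits an instance profile against steps 3, 4, 7 and 8. The parameter names are real SAP profile parameters; the thresholds, the ACL file paths and both sample profiles are assumptions constructed for this example.

```python
"""Audit a SAP ABAP instance profile against the ten-step guide above.

Added example, not SAP's or Layer Seven Security's code. Parameter names
are real SAP profile parameters; thresholds, file paths and the two sample
profiles are constructed assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple


def expected_ports(instance_nr: int) -> Dict[str, int]:
    """Step 1: the four ports that may stay reachable from user networks.

    NN in 32NN / 33NN / 36NN / 443NN is the two-digit instance number.
    """
    nn = int(instance_nr)
    if not 0 <= nn <= 99:
        raise ValueError("SAP instance number must be 00-99")
    return {"dispatcher": 3200 + nn, "gateway": 3300 + nn,
            "message_server": 3600 + nn, "https": 44300 + nn}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of a SAP profile; '#' starts a comment."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


# (parameter, guide step, predicate over the raw value or None, expectation)
# Thresholds are assumptions; PCI DSS 8.5 is the proxy the guide suggests.
CHECKS: List[Tuple[str, int, Callable[[Optional[str]], bool], str]] = [
    ("login/min_password_lng", 3,
     lambda v: v is not None and int(v) >= 8, "at least 8"),
    ("login/password_downwards_compatibility", 3,
     lambda v: v == "0", "0 (no downward-compatible hashes stored)"),
    ("snc/enable", 4, lambda v: v == "1", "1"),
    ("gw/acl_mode", 7, lambda v: v == "1", "1"),
    ("gw/sec_info", 7, lambda v: bool(v), "path to a secinfo ACL file"),
    ("gw/reg_info", 7, lambda v: bool(v), "path to a reginfo ACL file"),
    ("ms/acl_info", 8, lambda v: bool(v), "path to a Message Server ACL file"),
]


def audit_profile(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (parameter, step, actual, expected) for every failed check."""
    params = parse_profile(text)
    findings = []
    for name, step, ok, expectation in CHECKS:
        value = params.get(name)
        try:
            passed = ok(value)
        except ValueError:          # non-numeric value where a number is expected
            passed = False
        if not passed:
            findings.append((name, step, value if value is not None else "<unset>",
                             expectation))
    return findings


# Constructed sample: defaults left in place, ACLs never configured.
WEAK_PROFILE = """\
SAPSYSTEMNAME = DEV
SAPSYSTEM = 00
login/min_password_lng = 6
login/password_downwards_compatibility = 1
snc/enable = 0
gw/acl_mode = 0
"""

# Constructed sample aligned with steps 3, 4, 7 and 8 (paths are assumed).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
SAPSYSTEM = 00
login/min_password_lng = 12
login/password_downwards_compatibility = 0
snc/enable = 1
gw/acl_mode = 1
gw/sec_info = /usr/sap/DEV/SYS/global/secinfo      # assumed path
gw/reg_info = /usr/sap/DEV/SYS/global/reginfo      # assumed path
ms/acl_info = /usr/sap/DEV/SYS/global/ms_acl_info  # assumed path
"""

if __name__ == "__main__":
    print("allowed ports:", expected_ports(0))
    for finding in audit_profile(WEAK_PROFILE):
        print("step %d: %s = %s, expected %s" % (finding[1], finding[0],
                                                  finding[2], finding[3]))
```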


Reference: Layer Seven Security 

Sunday, April 22, 2012

5 Common Types of Security Professionals

Information Security is all about managing risk not scaring people!


The Information Security profession is a fascinating and interesting field, but we do have some interesting characters!


Today, I'll be presenting the 5 most common types of security professional you will see or meet in your career. 


5 – The NO-MASTER


Have you ever been to a meeting where the security professional, instead of listening to the business requirements and trying to meet their expectations with reasonable security controls, cans the idea straight off the bat?


What happens next is simple: the business escalates to the Executives, who basically mandate/bypass all the policies (because they can). The NO-master just missed a great opportunity to make a difference, and to position himself/herself as a contributor, rather than a roadblock! 


Example:


So as part of our growth strategy, we are planning to have a company presence on Facebook, and also advertise on Twitter.


so… 
- No way! 
- Sorry Jimmy, did you say something? 
- Yes, I said no way we are opening Facebook for employees, nor publishing any company related information in it. 
- But all the other companies out there are already.


What do you prefer? Being on Facebook or being hacked?


Ok, Security didn’t approve it, we are not going to use Facebook then.


4 – The By-The-Book Preacher


Here is another truth, if it’s written, it’s right! A typical scenario:


This machine needs to be patched right now! I know that this machine is not sitting in our external DMZ, but patching best-practice/our policy says that critical patches must be installed X hours after being released!


You will find hundreds of Information Security Professionals like this. There is no context applied, there is no risk profiling; it needs to be done because the book/policy says so. 


As a security professional, you are not paid to stick to a manual. You are paid to help the business to understand what the risks are, and the consequences of their (lack of) actions. 


Information Security is all about managing risk. In the real world, some rules need to be bent occasionally provided that you know what the risk is to satisfy an SLA or to meet a business requirement.


Asking your support team to bring down the whole payroll system on the 30th of the month because a critical Microsoft patch was released is not the way to manage risk in an efficient manner.


This type of security professional goes hand in hand with the NO-Master. All the security professionals who fit this type should apply their own knowledge and use the policies, books and procedures as a reference.


They should understand that business comes first, and if a decision has to be made between security and being available, you are going to lose credibility. 


3 – The Dinosaur


There is nothing he/she hasn’t seen before; there will always be a real life FUD story to back up their claims.


The dinosaurs are one of the hardest to fight against because they know it all. 


Their philosophy is simple: 


Everything boils down to access control. If people are not allowed to do something, you have nothing to worry about. I have to say I agree with this person to an extent, but dismissing the fact that there are exploits out there that could give an unauthorized user super privileges is a mistake; those exploits go beyond access control. 


2 – The Technology-Solves-It-All


Setting up a firewall might take you a couple of hours, but teaching someone why they cannot download uTorrent takes years. And sometimes not even years will do.


But it doesn’t necessarily mean that technology will substitute for the need to have well trained human beings with well-defined processes in place. The tool should exist to make the process viable, and not vice-versa.


Example:


Hey Adri, we have antivirus installed, the scan is set to run on a weekly basis, the signature files are being updated on a daily basis, why do we need to implement monitoring of our antivirus console?


You will notice that conversations like this happen every day.


1 – The paranoid


These ones are the most dangerous and insecure professionals.


The paranoid sends you an SMS at 3 in the morning about an article they read about a just-disclosed compromise at company X. They also call you to make sure you got the SMS. The paranoid asks you to send emails from your work e-mail; they don’t trust Hotmail accounts.


You could have met someone who is a little bit of all of the above, "NO COMMENT"!

Thursday, April 19, 2012

Why Cyber Security is Critical for Smart Grid?

Critical Issues for the security requirements of Smart Grid!


Power system operations pose many security challenges that are different from most other industries. For instance, most security measures were developed to counter hackers on the Internet.


The Internet environment is vastly different from the power system operations environment. Therefore, in the security industry there is typically a lack of understanding of the security requirements and the potential impact of security measures on the communication requirements of power system operations. 


In particular, the security services and technologies have been developed primarily for industries that do not have many of the strict performance and reliability requirements that are needed by power system operations. 


Power system operations, for instance, have the following requirements:
  • Operation of the power system must continue 24×7 with high availability (e.g. 99.99% for SCADA and higher for protective relaying) regardless of any compromise in security or the implementation of security measures which hinder normal or emergency power system operations
  • Power system operations must be able to continue during any security attack or compromise (as much as possible). Power system operations must recover quickly after a security attack or compromised information system
  • The complex and manifold interfaces and interactions across this largest machine of the world – the power system – make security particularly difficult since it is not easy to separate the automation and control systems into distinct “security domains”. And yet end-to-end security is critical
  • There is not a one-size-fits-all set of security practices for any particular system or for any particular power system environment
  • Testing of security measures cannot be allowed to impact power system operations
  • Balance is needed between security measures and power system operational requirements. Absolute security may be achievable, but is undesirable because of the loss of functionality that would be necessary to achieve this near perfect state
  • Balance is also needed between risk and the cost of implementing the security measures.


In the Smart Grid, there are two key purposes for cyber security: 


Power system reliability


Keep electricity flowing to customers, businesses, and industry. For decades, the power system industry has been developing extensive and sophisticated systems and equipment to avoid or shorten power system outages. In fact, power system operations have been termed the largest and most complex machine in the world.


Although there are definitely new areas of cyber security concerns for power system reliability as technology opens new opportunities and challenges, nonetheless, the existing energy management systems and equipment, possibly enhanced and expanded, should remain as key cyber security solutions. 


Confidentiality and privacy of customers


As the Smart Grid reaches into homes and businesses, and as customers increasingly participate in managing their energy, confidentiality and privacy of their information has increasingly become a concern. 


How can security requirements for smart grid interfaces be determined?


There is no single set of cyber security requirements and solutions that fits each of the Smart Grid interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the configurations, the actual applications, and the varying requirements for security of all of the functions in the system.


That said, “typical” security requirements can be developed for different types of interfaces which can then be used as checklists or guidelines for actual implementations. Typically, security requirements address the integrity, confidentiality, and availability of data.


However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and environments precludes simple or one-size-fits-all security solutions. Therefore, additional criteria must be used in determining the cyber security requirements before selecting the cyber security measures.


These additional criteria must take into account the characteristics of the interface, including the constraints and issues posed by device and network technologies, the existence of legacy systems, varying organizational structures, regulatory and legal policies, and cost criteria.


Once these interface characteristics are applied, then cyber security requirements can be applied that are both specific enough to be applicable to the interfaces, while general enough to permit the implementation of different cyber security solutions that meet the cyber security requirements or embrace new security technologies as they are developed.


This cyber security information can then be used in subsequent steps to select cyber security controls for the Smart Grid.

Tuesday, April 17, 2012

Ernst & Young: Attacking the smart grid

Penetration testing techniques for industrial control systems and advanced metering infrastructure


The industrial control systems that provide automation for critical infrastructure have recently come under increased scrutiny, and the need to protect current infrastructure as well as integrate security into new system design is now a top priority. Penetration testing has become the latest trend in the ICS space; however, the cultural and technological differences between control systems and traditional IT systems have caused confusion around how to perform a penetration test safely and effectively. 


In this briefing, we will discuss the changing landscape in control system architecture, with special attention paid to smart grid infrastructure, and highlight the implications for security. A description of the lifecycle of a penetration test is followed by a breakdown of a typical ICS infrastructure. Specific penetration testing activities are explained for each component to provide insight for control system engineers and management into how penetration testing can benefit their organization.


Refer here to download the whitepaper.

Sunday, April 15, 2012

Insufficient security controls for smart meters

Smart meters are not secure enough against false data injection attacks


False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection. Experts say the current generation of smart meters is not secure enough against false data injection attacks. nCircle the other day announced the results of a survey of 104 energy security professionals.


The survey was sponsored by nCircle and EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure. The online survey was conducted between 12 March and 31 March 2012. 


When asked, “Do smart meter installations have sufficient security controls to protect against false data injection?” 61 percent said “no.” Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation. 


The analysis of smart meter measurements and power system models that estimate the state of the power grid are a routine part of system monitoring. An nCircle release notes that false data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection. Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection. It doesn’t help that some communication protocols used by the smart meter infrastructure don’t offer much protection against false data injection either. 


Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.
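To show why the residual-based bad-measurement detection used in state estimation cannot catch the structured errors described above, here is an added example (not from nCircle or EnergySec) built on a constructed three-bus DC state-estimation model; the network, its line susceptances, the measurement set and the detection threshold are all assumptions made for the illustration.

```python
"""Toy DC state estimation with residual-based bad-data detection.

Added example, not from the nCircle survey or any real utility system.
The 3-bus network, its line susceptances, the measurement set and the
detection threshold are constructed here for illustration.
"""
from typing import Dict, List

Matrix = List[List[float]]
Vector = List[float]


def transpose(a: Matrix) -> Matrix:
    return [list(col) for col in zip(*a)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def matvec(a: Matrix, v: Vector) -> Vector:
    return [sum(x * y for x, y in zip(row, v)) for row in a]


def solve(a: Matrix, b: Vector) -> Vector:
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        pivot = m[c][c]
        m[c] = [v / pivot for v in m[c]]
        for r in range(n):
            if r != c:
                f = m[r][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [m[i][n] for i in range(n)]


def estimate_state(h: Matrix, z: Vector) -> Vector:
    """Least-squares state estimate x = (H^T H)^-1 H^T z (unit weights)."""
    ht = transpose(h)
    return solve(matmul(ht, h), matvec(ht, z))


def residual_norm(h: Matrix, z: Vector) -> float:
    """||z - H x_hat||, the quantity a bad-measurement detector thresholds."""
    hx = matvec(h, estimate_state(h, z))
    return sum((zi - hi) ** 2 for zi, hi in zip(z, hx)) ** 0.5


def bad_data_detected(h: Matrix, z: Vector, tau: float) -> bool:
    return residual_norm(h, z) > tau


# Constructed 3-bus DC model: bus 1 is the reference (angle 0); the state is
# (theta2, theta3). Line susceptances: 1-2 = 10, 1-3 = 5, 2-3 = 8.
# Meter readings: line flows P12, P13, P23 and the net injection at bus 2.
H: Matrix = [
    [-10.0, 0.0],   # P12 = 10 * (0 - theta2)
    [0.0, -5.0],    # P13 = 5 * (0 - theta3)
    [8.0, -8.0],    # P23 = 8 * (theta2 - theta3)
    [18.0, -8.0],   # P2  = P21 + P23
]
X_TRUE: Vector = [-0.05, -0.08]
Z_TRUE: Vector = matvec(H, X_TRUE)      # [0.5, 0.4, 0.24, -0.26]
TAU = 0.01                              # constructed detection threshold


def inject(z: Vector, a: Vector) -> Vector:
    """Readings after errors a have been added to the meter data."""
    return [zi + ai for zi, ai in zip(z, a)]


def demo() -> Dict[str, object]:
    # An unstructured error (one meter reads 0.3 high) is not in the column
    # space of H, so the residual grows and the detector flags it.
    z_random = inject(Z_TRUE, [0.3, 0.0, 0.0, 0.0])
    # A structured error a = H c is indistinguishable from a true state x + c:
    # the residual stays zero, the estimate silently shifts by c, and only
    # integrity protection of the readings themselves can catch it.
    c = [0.02, 0.0]
    z_structured = inject(Z_TRUE, matvec(H, c))
    return {
        "clean_flagged": bad_data_detected(H, Z_TRUE, TAU),
        "random_flagged": bad_data_detected(H, z_random, TAU),
        "structured_flagged": bad_data_detected(H, z_structured, TAU),
        "structured_estimate": estimate_state(H, z_structured),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```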


Elizabeth Ireland, vice president of marketing for nCircle, noted, “A false data injection attack is an example of technology advancing faster than security controls."


This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user.

Friday, April 13, 2012

Satellite Communications for SCADA equipment monitoring

Benefits of satellite communications


Benefits of introducing a satellite communication link into SCADA systems include: 

  • Ubiquitous service territory closes gaps in terrestrial coverage
  • Fast cost-effective deployment with low hardware and installation costs
  • More reliable than congested cellular data networks

Benefits of remote monitoring


Benefits of monitoring and controlling oil & gas and utilities equipment remotely include: 

  • Higher operational efficiencies
  • Reduced site visits
  • Improved safety
  • Increased scalability

About this white paper: 


"Satellite Communications for SCADA Equipment" outlines the benefits of remote monitoring and shows how satellite communications equipment fits into the SCADA monitoring system. It also discusses how to connect to an RTU using satellite messaging terminals and explores cost structure for mass deployment.


Timely information about asset health and behavior, along with software applications that organize data and implement work flows, allows oil and gas companies to save time and streamline processes that previously required arduous paperwork and manually tracked decision-making.

Refer here to download the whitepaper.

Thursday, April 12, 2012

Smart meter hacks likely to spread

Miscreants are reprogramming meters to report less power usage, for a fee


A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single electric company hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. 


The US law enforcement agency said this was the first known report of criminals compromising the hi-tech meters, and that it expected this type of fraud to spread across the country as more utilities deploy smart grid technology. Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. 


Smart grid technology also holds the promise of improving a utility's ability to remotely read meters to determine electric usage. But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorised modifications. 


The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the internet. Citing confidential sources, the FBI said it believed former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. "These individuals are charging $300 to $1000 to reprogram residential meters, and about $3000 to reprogram commercial meters," the alert states. 


The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the internet. 
"The optical converter used in this scheme can be obtained on the internet for about $400," the alert reads. "The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact." 
The bureau also said another method of attacking the meters involved placing a strong magnet on the devices, which caused it to stop measuring usage, while still providing electricity to the customer. 
"This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company." 
"Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer's bill by 50 per cent to 75 per cent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 per cent of meters had been altered." 
"The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer," the agency said in its bulletin.
The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to Tom Liston and Don Weber, analysts with InGuardians, a security consultancy based in Washington, DC. 


Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relied in part on a device called an optical probe, which can be made for about $US150 in parts, or purchased off the internet for roughly $US300. 
"This is a well-known and common issue, one that we've been warning people about for three years now, where some of these smart meter devices implement unencrypted memory," Weber said. 
"If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another."
The two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference. Utilities have to be more enterprise security-aware. With these incidents at organisations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we're going to fix a security problem is to expose it.
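One way a utility could screen remotely read interval data for the two patterns described above (a sharp drop from a meter's own baseline, and zero usage only at night while daytime load continues), as an added example that is not from the FBI bulletin, InGuardians or any utility; the thresholds, the night window and the readings are constructed assumptions.

```python
"""Screen remotely-read interval data for the two tamper patterns the bulletin
describes: a reprogrammed meter that under-reports (bills cut 50-75%) and a
meter stopped overnight with a magnet.  Constructed example, not any utility's
system; thresholds, night window and readings are assumptions."""
from collections import defaultdict

NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed 22:00-06:00 window
DROP_RATIO = 0.5    # flag when usage is <= 50% of baseline (a 50-75% bill cut)
MIN_NIGHT_DAYS = 5  # days with zero night usage but daytime usage before flagging


def daily_totals(reads):
    """reads: iterable of (day, hour, kwh) -> {day: [night_kwh, day_kwh]}."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for day, hour, kwh in reads:
        totals[day][0 if hour in NIGHT_HOURS else 1] += kwh
    return dict(totals)


def screen_meter(meter_id, baseline_daily_kwh, reads):
    """Return a list of reasons this meter deserves a field spot check."""
    reasons = []
    totals = daily_totals(reads)
    if not totals:
        return [f"{meter_id}: no reads received"]  # dead meter or lost comms
    avg = sum(n + d for n, d in totals.values()) / len(totals)
    ratio = avg / baseline_daily_kwh if baseline_daily_kwh > 0 else 1.0
    if ratio <= DROP_RATIO:
        reasons.append(f"{meter_id}: usage {ratio:.0%} of baseline "
                       "(possible reprogramming)")
    night_zero_days = sum(1 for n, d in totals.values() if n == 0 and d > 0)
    if night_zero_days >= MIN_NIGHT_DAYS:
        reasons.append(f"{meter_id}: {night_zero_days} days with zero night "
                       "usage but daytime load (possible magnet)")
    return reasons


def make_reads(days, night_kwh, day_kwh):
    """Constructed hourly interval data with flat night/day consumption."""
    return [(day, hour, night_kwh if hour in NIGHT_HOURS else day_kwh)
            for day in range(days) for hour in range(24)]


# Constructed fleet; every meter has a 24 kWh/day historical baseline.
FLEET = {
    "M-NORMAL": make_reads(7, 1.0, 1.0),  # 24 kWh/day, no anomaly
    "M-MAGNET": make_reads(7, 0.0, 1.0),  # 16 kWh/day, zero every night
    "M-REPROG": make_reads(7, 0.4, 0.4),  # 9.6 kWh/day, 40% of baseline
}


def screen_fleet(fleet=FLEET, baseline_daily_kwh=24.0):
    """Return {meter_id: reasons} for the meters worth a spot check."""
    flagged = {}
    for meter_id, reads in fleet.items():
        reasons = screen_meter(meter_id, baseline_daily_kwh, reads)
        if reasons:
            flagged[meter_id] = reasons
    return flagged
```

The output is a candidate list for the kind of physical spot check the bulletin mentions, not proof of tampering; a real baseline would be seasonal and per-meter.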


Australia has approximately 1.5 million smart meters installed, according to telecommunications analyst Paul Budde, founder of Smart Grid Australia, an industry alliance working on Australia's Smart Grid-Smart City electricity network upgrade project. Approximately 1 million are deployed in Victoria, the state chosen as the test site for the country, he said. 


Budde said the hacking of smart meters was among the issues electricity companies would work to prevent. 
"Obviously as soon as you start adding communications to the [electricity] network there are possibilities of others getting access to it as well. It applies to everything that has to do with communications. Smart grids and smart meters are also affected by that."
"But [the risk] is very well understood now; companies involved are making sure there's security in place to make it less [likely] to happen." Budde said the US was one of the first countries to roll out smart meters and learnings from the North American experience were shared among all countries working on smart grids. "Other electricity companies can learn from that," Budde said.


Refer here to read further details.

Tuesday, April 10, 2012

“Malware Classifier” Tool

Python tool for quick malware triage


Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” The tool extracts seven key features from a binary, feeds them to one or all of the four classifiers, and presents its classification results.


The tool was developed using models resulting from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a data set of approximately 100,000 malicious programs and 16,000 clean programs.


Malware Classifier is available at Open @ Adobe.

Sunday, April 8, 2012

SCADA security’s most daunting challenges along with some recommendations

Six Ways to Improve SCADA Security 

Industrial control systems (ICS), distributed control systems (DCS) and supervisory control and data acquisition systems (SCADA) have all been around for decades, but thanks to Stuxnet, DuQu and other major incidents, these systems have recently begun receiving serious security consideration. When it comes to securing SCADA networks, we are years or even decades behind when compared to securing typical IT networks. 

1. A SCADA network is inadvertently connected to a company’s IT network or even to the internet 

Companies believe that their SCADA networks are air-gapped or separated from other networks in their organizations. In some cases, business needs require data from SCADA systems (like electric outage information, etc.) to be exposed on the internet. And during this implementation, the secure network diagram on paper starts deviating to the insecure configurations of the real world. 

A search for ‘data presentation and control’ software on the internet yields SCADA systems with management services exposed to the internet. If an organization's SCADA network is not securely connected with the IT network, worms can jump from the HR desktops or reception kiosk into the SCADA network. 

Recommendation: Based on available resources, use a mapping tool or professional service (who will use some tools on your behalf) to investigate your SCADA network connectivity and deviations from the secure network diagram on paper. 

Caution: Not all tools are created equal and a blind scan of your network could knock down SCADA components like PLCs, RTUs and IEDs. Thus, it is important to ask your tool vendors if the tool has ever been used in a SCADA environment and if a SCADA configuration is available.

2. ‘Data presentation and control’ now runs off-the-shelf software

Long gone are the days when control systems ran on proprietary or custom platforms. Most SCADA systems today use off-the-shelf operating systems, standard browsers and other technologies which are used in desktop environments. Hackers can easily create exploits that target the underlying software vulnerabilities to infect and propagate their worms.

Recommendation: Use your IT experience to deal with IT problems. Scan for vulnerabilities in your IT and SCADA networks and patch them as soon as possible. Our research has shown that patching is the most simple yet effective solution. In some cases patches cannot be applied, and I will discuss that issue in the next section. 

There are various technical security benchmarks (like CIS) and compliance standards available for off-the-shelf systems like Windows, Solaris, Oracle, Apache and others. Use a policy compliance system to make sure that off-the-shelf systems are configured securely. Anti-virus, IDS, firewalls and other well-known IT solutions will also be helpful.

3. Control systems not patched

In many SCADA systems, the underlying OS or applications have not patched for years. It’s not fair to blame SCADA system administrators in all instances because there is little guidance from SCADA vendors regarding whether or not an OS patch is safe for SCADA software. 

For example, Microsoft releases patches every month. Without any guidance from SCADA vendors on the compatibility of the patch with their SCADA software, SCADA system administrators will not apply the patch. In some cases the underlying OS is a modified version of the standard OS. Some vendors may quickly translate and re-release the OS patches from Microsoft for their modified OS, while other vendors may not be as quick to release the patch.

Recommendation: Demand that your SCADA vendor provide guidance on patching Microsoft, Adobe, Oracle, etc., for all software used in the setup. If a customized version of the standard OS is used, then demand quick release of customized patches. If possible, invest in a lab where you can test for patch compatibility yourself. Use a vulnerability management system to identify missing patches.

4. Authentication and authorization

In many instances ‘data presentation and control’ software is not capable of basic authentication and authorization. Even if the software is capable, weak configuration and shared or default passwords render these features useless. If a worm gets on the machine it can easily manipulate a SCADA environment provided that it knows how to communicate with the SCADA control software via a default password or no password set.

Recommendation: Configure SCADA control software to use per-user authentication, authorization and logging controls. In addition to strong passwords, use a smart-token-based authentication scheme. 

5. Insecure ‘data communication’ protocols

Decades ago, SCADA protocols were not designed with security in mind, as networks were air-gapped and this thing called the Internet did not exist. However, 20 to 30 year-old protocols like Modbus and DNP3 still exist and thrive in SCADA networks. Manipulating PLCs running on such protocols is trivial, and upgrading to newer protocols (like secure DNP3) often requires you to replace components, which can be costly.

Recommendation: If your system is already using newer protocols with key management and secure communication, make sure they are configured to use these newer features. Investigate your upgrade options and the costs associated with them. If upgrades are not possible, determine whether there is a way to tunnel the communication through a secure channel.
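Until an upgrade or tunnel is in place, the practical compensating control for an unauthenticated protocol is to watch who issues state-changing requests. The following Python monitor, added here as an example (not code from this post or any vendor), parses Modbus/TCP frames per the public spec and flags write and diagnostic requests from any host other than the authorized master; the allow-list, host addresses and sample frames are constructed assumptions.

```python
"""Flag Modbus/TCP requests that change PLC state but do not come from an
authorized master.  Constructed example: frame layout follows the public
Modbus/TCP spec (7-byte MBAP header + PDU); hosts and frames are made up."""
import struct
from typing import Optional

# Public function codes that write to or alter the behaviour of a device.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers",
               22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
DIAG_CODES = {8: "Diagnostics"}  # sub-function 1 restarts communications

# Constructed allow-list: only the SCADA master/HMI may write to PLCs.
AUTHORIZED_MASTERS = {"10.0.0.10"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split one Modbus/TCP request into MBAP fields and PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    # Length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def classify(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert line for risky traffic, or None for benign reads."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    fc = req["fc"]
    name = WRITE_CODES.get(fc) or DIAG_CODES.get(fc)
    if name is None or src_ip in AUTHORIZED_MASTERS:
        return None
    if fc in (5, 6) and len(req["data"]) >= 4:
        addr, value = struct.unpack(">HH", req["data"][:4])
        detail = f"addr={addr} value=0x{value:04x}"
    else:
        detail = f"data={req['data'].hex()}"
    return (f"ALERT unit {req['unit']}: FC {fc} ({name}) from unauthorized "
            f"host {src_ip} {detail}")


# Constructed capture: (source IP, raw TCP payload).
SAMPLE_TRAFFIC = [
    # master reads 10 holding registers from address 0: benign
    ("10.0.0.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # unknown host forces coil 16 ON (0xFF00): flagged
    ("10.0.0.77", b"\x00\x02\x00\x00\x00\x06\x01\x05\x00\x10\xff\x00"),
    # unknown host sends Diagnostics sub-function 1 (restart comms): flagged
    ("10.0.0.77", b"\x00\x03\x00\x00\x00\x06\x01\x08\x00\x01\x00\x00"),
    # length field claims 9 bytes but only 6 follow: malformed
    ("10.0.0.10", b"\x00\x04\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a"),
]


def scan(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the classifier over a capture and return only the alert lines."""
    alerts = []
    for src, frame in traffic:
        alert = classify(src, frame)
        if alert:
            alerts.append(alert)
    return alerts
```

In production the frames would come from a span port or tap, and the monitor should itself be passive, since the post's caution about active scanning knocking over PLCs applies here too.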

6. Long life span of SCADA systems

Finally, the Achilles' heel of SCADA systems is their long lifespan, which is often measured in decades. These systems are built to last, and unlike PCs, which are easy to replace, it’s difficult and costly to replace even part of a SCADA infrastructure. 

Recommendation: There is no easy fix for this. While designing new systems or expanding existing systems, consider the long life cycle and architect your infrastructure accordingly so that components are easily upgradable or replaceable.

Friday, April 6, 2012

10 Threats to IT over the Next Two Years

Threats Seen Intensifying as They Combine with Other Ones


Providing IT security will only get tougher over the next couple of years as digital threats become more numerous and complex. That's the gist of a new report from the Information Security Forum entitled Threat Horizon 2014: Managing Risks When Threats Collide.
"While individual threats will continue to pose a risk, there is even more danger when they combine, such as when organized criminals adopt techniques developed by online activists," Steve Durbin, global vice president of the Information Security Forum, said in announcing the report. 
"Traditional risk management is insufficiently agile to deal with the potential impacts from activity in cyberspace." 
The report categorizes 10 threats in three basic areas: external, regulatory and internal, including: 


External Threats 


1. Cyber criminality increases as the malware space matures: The sophistication and scale of the global industry that has evolved to commit cybercrime, espionage and other malevolent activity will grow and develop. 


2. The cyber arms race leads to a cyber cold war: Nations developing more sophisticated ways to attack via cyberspace will get better at it, those who haven't will start, and organizations will suffer collateral damage. Targets for espionage will include anyone whose intellectual property can turn a profit or confer an advantage. 


3. More causes come online; activists get more active: Anyone not using the Internet to advance their cause will start: customer affinity groups, community associations, terrorists, dictators, political parties, urban gangs - the list is endless. Online organizing will become easier and protest channels will be available to greater numbers. 


4. Cyberspace gets physical: The increasing convergence of cyber and physical worlds will bring more attacks on physical systems, from attempts to turn out lights or climate control systems to disrupting manufacturing systems. Whether attacks are successful or not, credible publicised threats will cause disruption and panic.


Regulatory Threats 


5. New requirements shine a light in dark corners exposing weaknesses: Further movement toward increasingly transparent security disclosures will publicize weaknesses, making organizations more vulnerable to attack. Organizations forced to report security risks may have as much to fear from customers and business partners as they do from hackers and regulators. 


6. A focus on privacy distracts from other security efforts: New privacy requirements from consumers, business customers and regulators impose a heavy compliance burden. Organizations will need to decide whether to invest in the necessary security and legal controls, outsource to someone who can or exit certain markets. They will also need to consider the message their actions send to their customers. 


Internal Threats 


7. Cost pressures stifle critical investment: An undervalued function can't keep up. It would be normal to see investment increase after the prolonged downturn, but some economies are still struggling. Even organizations that are increasing security spending have a legacy of under-investment that can't be corrected overnight. But cyber criminals have been investing, and it will become easier and less expensive to buy criminal technology and services. 


8. A clouded understanding leads to an outsourced mess: Continued cost pressure will lead to a new form of digital divide: between organizations that understand the marriage between IT and information security - and everyone else. Leading organizations will appreciate the strategic value of channels, systems and information and will invest; the others will suffer competitive disadvantage and heightened risk of damaging incidents. 


9. New technologies overwhelm: Organizations are unlikely to slow their adoption of new technology or decrease their participation in cyberspace. Along with business benefits come potential vulnerabilities and methods for attack, and organizations will continue to be hit. Organizations that don't understand their dependence on technology may have a nasty surprise if it leads them astray or suddenly goes offline. 


10. The supply chain springs a leak as the insider threat comes from outside: A modern organization's data are spread across many parties, and more organizations will fall victim to incidents at suppliers. This will increase as organizations further digitize supply chains, outsource functions and rely on external advisers. 3D printers create three-dimensional products from digital blueprints - increasing the theft of intellectual property, the frequency of attacks and the amount of counterfeit product on the market. 


Organizations are being left behind, with some seeing their finances and reputations damaged because of the speed and complexity of the threat landscape. They need to take stock now to ensure they are fully prepared and engaged.

Wednesday, April 4, 2012

Burglars watching online moves

Home Tweet Home

Being checked-in on Facebook has become the digital equivalent of an overflowing letterbox that tells burglars you're away on holidays.

ADT Security's Secure Homes report has found 86 percent of Australians are concerned their social media location data could be used for malicious purposes, including telling the world when no one is home.

Facebook, Twitter and Foursquare allow users to have their location posted online. The survey of 2000 home-owners also found that while 48 percent of Gen Y regarded identity theft as a concern, they were not as worried about it as Baby Boomers.

Savvy criminals are getting access to up to the minute details through people's status updates and posts, allowing them to learn when the home is likely to be vacant. It's important to think twice before updating your Facebook status or tweeting or checking into Foursquare.

Setting your profiles to private, turning off location finders, or a bit of self-censorship when it comes to announcing an extended holiday, can help prevent falling victim to burglary.

Monday, April 2, 2012

Protecting Your Privacy on (and off) Facebook

Minimum Qualifications: Facebook Password

In the past couple of weeks, media caught wind of a hiring practice large numbers of employers have put into place. They are requesting Facebook passwords from their applicants to consider them for open positions, and asking current employees to hand over their passwords (even with their own "do not share passwords" policies in place). 

There are at least six good reasons employers should NOT do this. I recently wrote about it here on The Privacy Professor Blog.

Whatcha Doing Outside of Facebook? 

Thanks to the clever programmers at Facebook, the social media giant - now public and more responsible than ever for reporting accurate user numbers - knows exactly when you open one of their emails. 

This is particularly interesting because, as PandoDaily points out, it indicates a desire to track its users' behavior even when they are not logged into Facebook. As they point out, you can exterminate Facebook's email bugs by reading your email outside of Internet Explorer and Outlook. 

Don't Judge a 'Friend' by His Photo 

Bogus Facebook accounts are a growing problem impacting a wide range of people, from high schoolers battling "mean girls" to NATO officials in charge of national security. There are, fortunately, several ways to spot a fake, and here's an excellent article outlining exactly how.

Starting from Scratch

Often you'll hear identity and privacy experts advise that you close down your Facebook account if it becomes hacked. But what if your account is years old, housing countless contacts, memories, photos and videos? Fortunately, there is a way to back up all of that information, so it will be at the ready should you ever need to rebuild your Facebook account or if you simply want to keep all those past posts.