For the last couple of decades industrial concerns, including public utilities such as power and gas providers, have been incorporating IP networks into their industrial control systems; apparently with very little awareness of the security problems this could cause. One of the reasons for this is that ICS/SCADA systems had always been fairly safe from tampering. They were “dumb” systems that had their own protocols, and were not connected to public networks. System administrators never had to think in terms of hackers and remote attacks. They were more concerned with things like physical break-ins and theft at that time, and hackers were mainly computer-savvy kids that weren’t really out to hurt anyone.
Another reason is that security almost always takes a back seat to greater efficiency and profitability. Couple this with the fact that public utilities were increasingly strapped with budgetary cutbacks, and it’s a no-brainer from their point of view. IP protocols were already in place and off-the-shelf hardware and software applications were relatively cheap.
Embracing expediency in this way is really costing the industry now, though. Public utilities are often guilty of failing to adequately segregate their control networks from their business networks, and even if they do, it is very difficult to fend off a persistent and talented attacker. Malware and social engineering techniques become more clever every day.
Factors such as these have made the security industry increasingly antsy for years. We have been warning that these vulnerabilities exist, and have been expecting a concrete example to crop up – and now it has!
Late last month, hackers caused what is believed to be the world’s first power outage using malware. It occurred in the Ukraine and knocked out regional power for several hours. The malware family used to perpetrate this outage is known as “BlackEnergy” and has been on the radar for some time.
Luckily, this was a relatively minor, short lived incident, and nothing like this has occurred (yet) in the United States. However, the fact that this outage was possible should be a wake-up call for all of us. Hopefully, the industry will pay attention to this incident and redouble their efforts to update, secure and monitor their systems.
Knock knock! Who’s there? The FBI….
This is never the way you’d like your day to play out. Last week, Time Warner was notified by the FBI that a cache of stolen credentials that appear to belong to Time Warner customers had been discovered.
At this point, the origination of the usernames and passwords is a bit of a mystery. Time Warner states:
“We have not yet determined how the information was obtained, but there are no indications that TWC’s systems were breached.
The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses.
For those customers whose account information was stolen, we are contacting them individually to make them aware and to help them reset their passwords.”
Time Warner customers who have not yet been contacted should still consider changing their passwords – there is no indication at this point if this is new or previously compromised password data, and a new password is never a bad idea.
Please share with anyone who is using Time Warner systems – friends, co-workers, weird relatives and neighbors as well. Remember that any password that is used twice isn’t a safe password – unique passwords are always the best practice. Password managers (LastPass, KeePass, etc.) are often a good idea to help maintain unique, difficult to decipher passwords.
It seems like every year there is another phishing scam using the name of the Internal Revenue Service. Well, this year is no exception. This version claims to be a refund notification and contains an attachment for the unwary to click on. Don’t do it! For one thing, you should be aware that the IRS never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information.
This scam and other, similar scams also are perpetrated by telephone. Callers may say you have a refund due and try and get you to disclose private information to them. They may also call, say you owe them money, and demand immediate payment; they may even threaten to send the police to your home! Don’t panic. The more serious and immediate their demands seem, the more likely they are to be fakes. It will never hurt you to take the time to call the IRS and see if the call, text or email you have received is legitimate. Also, if you do happen to lose money to one of these scams, you can file a complaint with the Treasury Inspector General for Tax Administration.
The IRS website has resources in place to help taxpayers with this problem. This information is not particularly easy to find, but is accessible in a couple of areas of the website. If you click on the “News & Events” tab of the website there is a hyperlink to “Tax Scams”. This will get you started. You can also go to the “Help & Resources” tab. This area has links for reporting suspicious emails and scams, as well as a link to report tax fraud activity. For more information about past scams of this type, there is a page entitled “Phishing and Other Schemes Using the IRS Name.”
The important thing to take away from this is that Phishing and other types of social engineering techniques are becoming more prevalent every day, and are not about to go away. This is because as firewalls, SIEM solutions and other information security mechanism have become more effective, cyber criminals have had to find new ways to worm their way into your networks. So stay wary and avoid being credulous. Never open an attachment or click on a link anywhere without checking it out first. Also, never give unsolicited or suspicious callers any kind of private information. The old adage “Look Before You Leap” has never been more true and appropriate than it is right now!
OK, so by now most folks know that we spent the last few years building out our own analytics platform, called TigerTrax™. Some folks know that we have been using it as a way to add impressive value to our traditional security offerings for the last couple of years. If you are a traditional assessment client, for example, you are likely seeing more threat data that is pinpoint accurate in your reports or you have been the beneficiary of some of the benefits of our passive technologies based on the platform, perhaps. If your organization hasn’t been briefed yet on our new capabilities and offerings, please let us know and we will book a time to sit down and walk you through what we believe is a game changing new approach to information security!
But, back to the message at hand. TigerTrax is already benefitting our clients in three very specific ways, and I wanted to take a moment to discuss them.
Those are the 3 key ways that TigerTrax customers are benefiting today. Many many more are on the roadmap, and throughout 2016 we will be bringing new offerings and capability enhancements to our clients – based on the powerful analytics TigerTrax provides. Keep an eye on the blog and our website (which will be updated shortly) for news and information. Better yet, give us a call or touch base via email and schedule a time to sit down and discuss how these new capabilities can best assist you. We look forward to talking with you!
— info (at) microsolved /dot/ com will get you to an account rep ASAP! Thanks for reading.
A vulnerability has been discovered in the GRUB2 boot loader that affects versions dating back to 2009. GRUB2 is the default boot loader for a variety of popular Linux distributions including Ubuntu, Red Hat and Debian. The vulnerability can be exploited by pressing the backspace button 28 times when the boot loader asks for your username. This sequence of keys places the user into a “rescue shell”. An attacker could leverage this shell to access confidential data or install persistent malware.
It’s worth noting that the vulnerability requires access to the system’s console. Even if your organization has proper physical security controls in place, this issue should still be addressed as soon as possible. Ubuntu, RedHat and Debian have already released patches for this vulnerability.
If you run DNS on Microsoft Windows, pay careful attention to the MS-15-127 patch.
Microsoft rates this patch as critical for most Windows platforms running DNS services.
Remote exploits are possible, including remote code execution. Attackers exploiting this issue could obtain Local System context and privileges.
We are currently aware that reverse engineering of the patch has begun by researchers and exploit development is under way in the underground pertaining to this issue. A working exploit is likely to be made available soon, if it is not already in play, as you read this.
One of the most frustrating phrases I’ve heard as an IT professional is, “We’re not a target.”
Using HoneyPoint, I have created “fake companies” and observed how they are attacked. These companies appear to have social media profiles, web pages, email servers and all of the infrastructure you would expect to find within their industry. The companies are in a variety of verticals including but not limited to Financial, Energy, Manufacturing and after analyzing the data collected during this process, I can definitively state that if your company has an internet connection, you’re being targeted by attackers.
Within hours of creating a HoneyPoint company, we typically begin to see low-level attacks against common services. These often involve brute-force attacks against SSH or Telnet. Regardless of the fake company’s industry, we’ve noticed that more complicated attacks begin within days of exposing the services and applications to the internet. These have ranged from the attackers attempting to use complicated exploits to the installation of malware.
During our “fake companies” testing, we even “accidentally” exposed critical services such as MSSQL and LDAP to the internet. The attackers were always vigilant, they often attempted to take advantage of these exposures within hours of the change taking place. One of my favorite moments that occurred during this test was watching how quickly attackers started to use an exploit after it was released. In some cases, we noticed the exploit being used within hours of it becoming public. These are both great examples of why it’s worthwhile to have 3rd parties review your infrastructure for vulnerabilities or misconfigurations on a regular basis.
Even if you don’t think your company has anything to “steal”, you still need to take measures to protect your systems. You might not be protecting PHI or Social Security Numbers but you can’t underestimate the bad guys desire to make money. Even if attackers don’t find any data worth stealing, they’ll always find a way to profit from the exploitation of a system. A great example of this occurred last year when it was discovered that attackers were hacking SANs to install software to mine for cryptocurrency. It’s even been reported that attackers are exploiting MySQL servers just to launch Distributed Denial of Service (DDoS) attacks. So, even if your bare metal is worth more than the data it hosts, it doesn’t mean that attackers won’t attempt to use it to their advantage.
It’s the holidays! Everyone is busy shopping, getting ready for parties, meeting folks for a cup of good cheer, and all manner of other fun activities. Yes, it is safe to say that the holidays generally fill people with feelings of warmth and good cheer.
It’s also a great time of year for hackers! The fact that people are busy, distracted and even a little bit tipsy is what fills them with good cheer. What better time to break into a network and get your hands on some private information or to set up a blackmail scheme?
That is why it is most important for you not to neglect your log monitoring and other information security duties during the silly season. Make sure you don’t turn off alerting on your systems, look for activity at odd times of the day, and make sure you are monitoring what leaves the network and where it’s going. If you neglect these tasks now you just might not have any happy holidays at all!