
ThyssenKrupp secrets stolen in ‘massive’ cyber attack

Per Reuters:

ThyssenKrupp said it waited to publicize the attack while it identified, then cleansed infected systems in one concerted, global action before implementing new safeguards to monitor its computer systems. “It is important not to let the intruder know that he has been discovered,” a spokesman said.

A criminal complaint was filed with police in the state of North Rhine-Westphalia and an investigation is ongoing, it said. State and federal cyber security and data protection authorities were kept informed at each stage, as well as Thyssen’s board.

Secured systems operating steel blast furnaces and power plants in Duisburg, in Germany’s industrial heartland in the Ruhr Valley, were unaffected, the company said.

No breaches were found at its marine systems unit, which produces military submarines and warships.

A previous cyber attack caused physical damage to an unidentified German steel plant and prevented the mill’s blast furnace from shutting down properly.

The shift towards automation of critical infrastructure and industrial systems means that we can reduce production costs while (in many cases) improving worker safety by keeping people away from particularly dangerous areas of manufacturing facilities. At the same time, however, digitizing functions that were once performed by analogue or network-disconnected systems increases the attack surface of these facilities: where a human insider might once have been needed, an attacker now only needs an implanted computer that is on, or can gain access to, the relevant network.

The problems linked to digitizing infrastructure and manufacturing systems are not going to improve quickly: attackers are only now really starting to launch targeted attacks, and the investments companies have made in their equipment are not going to be simply thrown out. That means many systems and companies will likely remain exposed to possible attack for years, if not decades, barring a significant shift in security culture.


How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World

This is probably the best journalistic account of how current and past members of the Citizen Lab, in tandem with Lookout (a security company), identified the most significant vulnerability to ever target Apple devices.


Meet USBee, the malware that uses USB drives to covertly jump airgaps

Meet USBee, the malware that uses USB drives to covertly jump airgaps:

The software works on just about any storage device that’s compliant with the USB 2.0 specification. Some USB devices such as certain types of cameras that don’t receive a stream of bits from the infected computer, aren’t suitable. USBee transmits data at about 80 bytes per second, fast enough to pilfer a 4096-bit decryption key in less than 10 seconds. USBee offers ranges of about nine feet when data is beamed over a small thumb drive to as much as 26 feet when the USB device has a short cable, which acts as an antenna that extends the signal. USBee transmits data through electromagnetic signals, which are read by a GNU-radio-powered receiver and demodulator. As a result, an already-compromised computer can leak sensitive data even when it has no Internet or network connectivity, no speakers, and when both Wi-Fi and Bluetooth have been disabled. The following video demonstrates USBee in the lab:

While this is still of limited value, because you need to infect the air-gapped computer in the first place, it will only be a matter of time before this exfiltration method is weaponized. Air gaps have long been seen as a key way of keeping highly sensitive data secure, but researchers working inside and outside of government keep revealing the ways in which data can be quietly extracted from such systems. Their successes should give pause to anyone concerned about computer security generally, to say nothing of those interested in the security of government and corporate systems.


Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open

Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:

  1. This is exactly the kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoor emerges.
  2. Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.

Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolute failure to secure this cryptographic material is just one rationale behind Apple’s security posture.


What’s the big deal about Hillary using her personal email at work?

What’s the big deal about Hillary using her personal email at work?

Christopher Parsons, a Toronto-based cybersecurity expert with the think tank Citizen Lab, explained the security difference between a personal and official government email.

“The core security advantage is that the U.S. government will be attuned to the risk of her communications being deliberately targeted and, as such, would have a chance to maximize protections afforded to her communications,” Parsons said. “Moreover, data sent and received in U.S. government systems could be protected according to the sensitivity of the communications. So when sending classified or secret documents, a higher standard of care could have been provided.”

I would note that I don’t work at a think tank: I work at the University of Toronto, within the Munk School of Global Affairs.


Cyber-security in 2014: What we learned from the Heartbleed bug

Cyber-security in 2014: What we learned from the Heartbleed bug:

Parsons warned that the fallout from Heartbleed may not be over for web users.

We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information are likely to be leaked by hackers, putting users at risk for additional hacks.

The problem is hackers could leak this information at any time.

“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.

“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.

“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”



2014.11.26

The debate about cyber-security in political science and international relations has been very visible among policy elites. Policy-makers and their advisers read Foreign Affairs and Foreign Policy. However, political and social scientists often do not appreciate the technical details of network breaches, or security setups in critical infrastructure and industrial plants.

Most political scientists also lack the technical skills to call out poor-quality company reports or government documents. Instead, too many scholars seem happy to engage in self-referential theoretical debates of little relevance to anybody else – for instance, on the ‘securitisation’ of cyber-security.

Robert M. Lee and Thomas Rid. (2014). “OMG Cyber!: Thirteen Reasons Why Hype Makes for Bad Policy,” The RUSI Journal 169(5).

I cannot overstate how emphatically I agree with this general assessment of political science analyses of digital security issues.


Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA

Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA:

It’s certainly interesting (and newsworthy) that Canada is buying cryptographically secure systems from the NSA, though not necessarily surprising: the NSA is recognized as a leader in this technical space and has economies of scale that could reduce the cost of the equipment. There isn’t, however, any indication of whether CSEC examines or tests the devices for backdoors. Presuming that the math hasn’t been compromised, and that the phones and faxes aren’t being compromised by our close ally, then there are presumably (relatively) few worries with the Canadian procurement strategy and lots of benefits.


Heartbleed may lead to more security audits, advanced security services

Missed this when it went up, but posting because I think it touches on something that is important to track as things move forward: despite experts inside and outside of industry recognizing the need for more audits of critical packages like OpenSSL, will resources actually be devoted to enable such work?

Source: Heartbleed may lead to more security audits, advanced security services


Potholes abound on the road to car-to-car communication

Oh yes, please: let’s build a mass communications network dependent on a (largely) creaky Certificate system, deploy the devices to the attackers (i.e. car owners), and just trust that no one’s gonna hack a mass, nation-wide, Vehicle-to-Vehicle communications network.

Also: taking bets on it being an escrowed certificate system. For public safety and all that good stuff.