
Obama govt proposes 33% hike in cyber-security spending

The outgoing Obama administration has proposed increasing federal cyber-security spending by $5bn, or around a third, in the hope of reaching $19bn in 2017. Reuters reports that the Democrat president's proposals, due to be unveiled later on Tuesday, will earmark $3.1bn for technology modernisation at various federal agencies. The proposed spending increases may face a rough passage through the Republican-controlled House of Representatives, which controls the US federal government’s purse strings.

The proposed cyber-security spending increases follow a high profile (and hugely damaging) hack against the Office of Personnel Management last year, as well as a generally more turbulent threat environment, with Chinese and Russian state sponsored hackers at the fore of attempts to break into and perhaps even disrupt US government systems. Other nation states – most notably Iran and North Korea – as well as terrorist groups affiliated to Islamic State, and cybercriminals, also pose a hacking or malware infection risk to federal systems as well as businesses.

Similar pressures prompted UK Chancellor George Osborne to announce plans to double cybersecurity spending and establish a single National Cyber Centre back in November. Cybersecurity spending will rise to £1.9bn ($2.87bn) at a time of ongoing austerity measures elsewhere. Part of the spending increase will go towards previously announced plans to hire 1,900 more staff at GCHQ.

Meanwhile the NSA is going through a major reorganisation, combining its attack and defence sides into a single organisation, the Washington Post reported last weekend in an authoritative story citing current and former government officials.

The White House is due to announce the creation of a presidential commission on cyber security later on Tuesday, according to (unnamed) senior administration officials. The commission will make recommendations on how to strengthen US cyber-defences. The current US government cyber defence system, known as Einstein, was judged inadequate in a report by a government watchdog last month. Related plans also due to be unveiled today will see the creation of a Federal Privacy Council, with a mandate to develop comprehensive guidelines on the use of personal data, Reuters adds.

How cybercrooks made $330K from ransomware without really trying

The small cybercrime ring behind the CryptoWall 3.0 ransomware was able to collect more than $330,607 in ransom from 670 victims, according to new research. The figures, published by security firm Imperva, are based on an analysis [PDF] of Bitcoin wallets linked to malware-wielding extortionists.

Security researchers discovered that cybercrooks demand different amounts based on the geographical location of their victims. The ransom amount in the US is $700, a figure that gets reduced to $500 for victims in Israel, Russia, and Mexico. Imperva was able to identify around 1,217 BTC ($337,607) being paid out in ransom in a short period. A deeper follow-up study would likely identify many more wallets. Imperva concedes it is focusing on one small group that's involved in a much bigger scam.

CryptoWall 3.0 operates by encrypting data on compromised machines before demanding a payment (payable in Bitcoins) for the private key that may be necessary to unscramble files and recover their contents. The FBI received nearly 1,000 complaints between April 2014 and June 2015 from CryptoWall victims reporting combined losses of over $18 million. The true losses are likely to be a lot higher than this. Industry group the Cyber Threat Alliance (CTA) estimated in October that CryptoWall in its various guises is to blame for $325 million in losses. The estimate – which seems high – comes from combined threat research and intelligence from the founding and contributing members of the CTA (Symantec, Palo Alto Networks, Fortinet and Intel Security).

Bitcoiners are just like everybody else: They use rubbish passwords

Don't pretend you can invent a strong enough, memorable password to protect your Bitcoins: crypto-boffins can crack the so-called "brain wallet." In research published at the International Association for Cryptologic Research (IACR), University College London's Nicolas Courtois and Guangyan Song and White Ops' Ryan Castellucci benchmarked the Bitcoin secp256k1 elliptic curve, with depressing results.

The group managed to retrieve more than 18,000 Bitcoin passwords, they claim, using an Amazon EC2 m4.4xlarge instance. That yielded a rather stunning 17.9 billion passwords tested per US$1 spent, or less than $60 to check a trillion passwords. As is so often the case, one reason pass-phrases are recoverable is that they're relatively predictable. Examples of recovered pass-phrases include "say hello to my little friend," "to be or not to be," "Walk Into This Room," "party like it's 1999," "yohohoandabottleofrum," and the all-too-obvious "Arnold Schwarzenegger." The Register presumes that the person or people using "andreas antonopoulos" as a password are merely admirers of the Bitcoin entrepreneur, rather than Antonopoulos himself using his own name as a password.

While not the first study to look into brute-forcing Bitcoin passwords, the researchers reckon their attack more than doubles the speed of password tests against secp256k1 achieved by the attack first disclosed at last August's DEFCON 23. Their conclusion is simple – you almost certainly can't invent a password too complex to be brute-forced: "Our research demonstrates again that brain wallets are not secure and no one should use them." In other words, generating a genuinely strong password and keeping it somewhere safe is irritating, but absolutely necessary.

White House Budgets $19 Billion for New Cyber-Security Measures

The White House calls for more investment in protecting data and proposes to spend $19 billion this year on a variety of security initiatives, including educating consumers to use two-factor authentication. President Barack Obama on Feb. 9 proposed spending more than $19 billion over the next year on cyber-security initiatives as part of a new plan to better protect the computers, networks and data of United States’ citizens, businesses and government agencies. The initiatives, which the administration wove together in its 2016 budget proposal as the Cybersecurity National Action Plan (CNAP), aim to secure government computers and increase the security of corporate networks and citizens’ data. The White House earmarked $19 billion in its proposed budget for cyber-security, an increase of 35 percent over the previous year, Michael David, special assistant to the President and cyber-security coordinator, said in a statement posted to the official White House site. “The President believes that meeting these new threats is necessary and within our grasp,” David said. “But it requires a bold reassessment of the way that we approach security in the digital age and a significant investment to ensure we can implement the best security strategies.” The cyber-security spending increase is part of the $4.1 trillion federal budget proposal Obama sent to Congress on Feb. 9. The plan follows yet another abysmal year for American citizens’ efforts to protect their personal data. The U.S. Office of Personnel Management reported in June that hackers had compromised its systems and stolen extremely sensitive information on federal employees and job seekers—information which included the contents of background checks. In November, federal authorities charged three men with infiltrating and stealing data from nine financial institutions and publishers, including JPMorgan, Dow Jones, Scottrade and eTrade. Information on more than 100 million customers was compromised in the breaches. 
A variety of initiatives make up the Cybersecurity National Action Plan. The Obama administration plans to establish a panel of experts to advise the government on ways to improve its cyber-security and to protect citizens’ data. The administration also proposed a federal chief information security officer (CISO) to identify weak spots in the infrastructure. The White House also intends to expand education initiatives to make consumers more security aware, such as teaching people that passwords are not enough. Security firms applauded the Obama administration’s efforts, but also pointed out numerous shortcomings of the plan. The CISO, for example, will be ineffective, unless given direct power over the government's cyber-security infrastructure. “The CISO needs to be both a leader and a recognized cyber-security expert who can move the needle quickly and make decisions on behalf of the entire federal government,” Mark Weatherford, chief strategist for cyber-security firm vArmour, said in a statement sent to eWEEK. “Without this level of authority, there is no chance for any real success.” Before joining vArmour, Weatherford served in the Department of Homeland Security as its first deputy undersecretary for cyber-security. Avivah Litan, research vice president with business intelligence firm Gartner, agreed that a federal CISO needs to have power to require agencies to secure their infrastructure. “Obviously it is a step in the right direction, but in many ways, it is just one more level of bureaucracy,” she told eWEEK. Pointing to reports from last year that showed the Internal Revenue Service paid out more than $5 billion to fraudsters as part of tax-refund fraud schemes, Litan argued that security improvements at the IRS could easily pay for themselves in reduced losses due to fraud. “They should not have to allocate extra money for the civilian agencies,” she said.

Moscow raids could signal end of global Dyre bank trojan menace

One of the worst examples of financial malware appears to have fallen silent after operators were reportedly arrested in Moscow after a rare raid by the Federal Security Service of the Russian Federation (FSB). Reuters reports Russian police raided Moscow film studio 25th Floor and a neighbouring office in November. Western law enforcement authorities are apparently aware of the incident but Moscow has kept mum, with requests to the FSB for comment unanswered at the time of writing. The Register has inquired with police and threat intelligence sources previously tracking the malware group.

Little is known about the gang behind the Dyre malware. It is understood to have links to the FBI's most wanted cyber criminal Evgeniy Mikhailovich Bogachev, aka Slavik, who switched over to the crimeware after his pet project Gameover was taken down in raids by authorities. The malware is an advanced trojan capable of evading white hat analysis tools and antivirus products and was spreading rapidly last year. But Dyre became less so as 2015 wore on, then fell silent in November.

It is known to be responsible for inflicting tens of millions of dollars in damages to Western banks and businesses in the US, the UK, and Australia, spreading through dozens of separate spam and phishing campaigns since June 2014. In May Dyre was fingered for stealing some US$5.5 million from budget carrier RyanAir and has fleeced individual businesses of up to $1.5 million each in large scale wire transfers using stolen online banking credentials.

[Image: Dyre flatlines. Image: IBM]

IBM analysis shows the Dyre activity flatlined in November after a steady decline since October. Sudden silence from malware operators is generally a hallmark of arrests in the cybercrime world, but an intentional hiatus is not without precedent. Researchers from Russia's Kaspersky Labs reported the Carbanak gang had resumed campaigns with renewed gusto after falling silent for five months last year, during which time analysts assumed the gang had disbanded.

[Image: Dyre's domination. Image: IBM]

IBM security expert Limor Kessem suggests the dearth in activity gives credibility to the possible arrests. "It has been close to three months now since Dyre went silent," Kessem says. "This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble."

Kessem says the arrests, if confirmed, would be one of the most significant in Russia's history. "A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks," she says. "But Dyre’s absence will also give a bigger market share to other malware."

GSMA outlines thoroughly sensible IoT security rules

About time: the GSM Association has released a bunch of guidelines to try and address the chronic insecurity of the Internet of Things. The significance of the initiative is that it's been agreed to by a collective of major carriers – the organisation's announcement lists AT&T, China Telecom, Etisalat, KDDI, NTT DOCOMO, Orange, Telefónica, Telenor and Verizon but there are plenty of others. With a common set of security recommendations, carriers will also have a stick they can wave at vendors that don't care: do it right, or we won't connect your stuff. The group has put together documents for the three key segments (as it sees the IoT market anyhow): telecommunication carriers, service operators, and device manufacturers. The GSMA says different industries are kidding themselves that their security considerations are unique – and that attitude helps make things insecure. “Almost all IoT services are built using endpoint device and service platform components that contain similar technologies to many other communications, computing and IT solutions. In addition to this, the threats these different services face, and the potential solutions to mitigate these threats, are usually very similar, even if the attacker’s motivation and the impact of successful security breaches may vary,” the guidelines observe. The Register doesn't propose reviewing the whole suite of documents, but it's gratifying to see that the GSMA has noticed critical issues such as orphaned devices. Hence in addition to obvious requirements like crafting a trusted computing model and a root of trust for IoT kit, it reckons businesses running the services devices connect to need to include a sunsetting model. Device makers are given the kind of list that's all-too-often ignored by thing-makers, to date. Good cryptography, APIs to the security model, perfect forward secrecy, application rollback and signed application images are among the requirements the GSMA sets out. 
Network operators are called on to protect the security and privacy not just of the IoT devices and services, but also end users. The full pack of documents is available here.

Flash flushed as Google orders almost all ads to adopt HTML5

Google's getting serious about hastening the oh-so-timely demise of Adobe Flash, telling advertisers they've just under a year to move to HTML 5. The ad giant has given advertisers notice that from June 30th, 2016, AdWords and DoubleClick won't accept upload of Flash ads. Come January 2nd, 2017, display ads won't run on the Google Display Network or through DoubleClick. That's a decent amount of lead time for the advertising industry and its suppliers which, if the rumblings we sometimes hear coming from the sales side of the office are any guide, sometimes take rather a while to finish off their banner ads!

Google's already blocked Flash ads from running in Chrome and banished it from YouTube. Facebook did likewise, for videos. Mozilla's always a bit different, so it tried to ban Flash from Firefox, but recanted and has since declared the plugin a common part of the Web experience for most users and therefore deserving of grudging tolerance. Google's shown a little of the same sentiment, granting an indefinite exception for video ads.

It's not hard to see why Google is urging advertisers to abandon Flash: the product is infamously insecure and a favoured vector for those who use advertising networks to distribute malware and stage other forms of attack. If only we didn't have to wait most of a year for the hammer to fall.

Gmail growls with more bad message flags to phoil phishers

Google's taking some of the user interface techniques it uses to flag insecure Web pages and applying them to email. The plan: to warn users of Gmail on the Web when they receive emails from people who aren't using encrypted connections, or if message authentication fails. The change is outlined on the Gmail blog.

While a Gmail user is protected by TLS encryption, there's no way for them to know whether the email service they're sending to or receiving from is also protected. Google, however, can see that exchange, so if the far-end isn't encrypted, it is going to start showing users a broken lock.

[Image: Name-and-shame: if the email service doesn't encrypt, Gmail on the Web will tell you]

The second UI flag Gmail is adding covers authentication: while it's easy to trust an email address you've exchanged messages with for a long time (a partner, a boss, an old friend and so on), a lot of messages arrive claiming to be from banks, shops and payment houses. As Mountain View explains here, it's a little burdensome for end-users to double-check the details that would let them authenticate messages. So Google will simply substitute a question mark for the avatar or logo if a message can't be authenticated.

[Image: How an authentication failure will be flagged]

A question mark accompanied by the claim that "this is a message from your bank" will, The Chocolate Factory hopes, go a long way to stopping people falling for phishing scams.
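As an added illustration (not from the article and not Google's code), here is a small Python checker that applies the two flags described above to a received message: it reads the transport keyword from our own server's topmost Received header (the RFC 3848 "with ESMTPS" convention) to decide the broken-lock flag, and the SPF/DKIM verdicts from the Authentication-Results header (RFC 7601) to decide the question-mark flag. The "neither SPF nor DKIM passed" rule, the host names and the two sample messages are assumptions made for this example.

```python
import email
import re
from typing import Dict, List

# Constructed sample messages (not real captures). SECURE_MSG arrived at our
# MX over TLS (ESMTPS) and passes SPF and DKIM; PLAIN_UNAUTH_MSG arrived over
# plain ESMTP and fails both checks, so both Gmail-style flags should fire.
SECURE_MSG = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
    by mx.example.com with ESMTPS id k7si1234
    for <alice@example.com>; Tue, 9 Feb 2016 10:00:00 +0000
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.net;
    dkim=pass header.d=example.net
From: "Example Bank" <alerts@example.net>
To: alice@example.com
Subject: Your statement is ready

Body text.
"""

PLAIN_UNAUTH_MSG = """\
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.com with ESMTP id q2si5678
    for <alice@example.com>; Tue, 9 Feb 2016 10:05:00 +0000
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=example.net;
    dkim=none
From: "Example Bank" <alerts@example.net>
To: alice@example.com
Subject: Urgent: confirm your account

Body text.
"""

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def _flatten(header: str) -> str:
    """Collapse a folded (multi-line) header value into one line."""
    return " ".join(header.split())


def hop_used_tls(received: str) -> bool:
    """True when a Received header's 'with' clause names a TLS protocol."""
    m = re.search(r"\bwith\s+([A-Z0-9]+)", _flatten(received), re.IGNORECASE)
    return bool(m) and m.group(1).upper() in TLS_PROTOCOLS


def auth_results(header: str) -> Dict[str, str]:
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", _flatten(header), re.IGNORECASE)
    return {method.lower(): result.lower() for method, result in pairs}


def gmail_style_flags(raw: str) -> Dict[str, bool]:
    """Decide the two UI flags the article describes.

    broken_lock:   the inbound hop into our MX (topmost Received header, the
                   one our own server wrote) did not use TLS.
    question_mark: neither SPF nor DKIM passed, so the sender could not be
                   authenticated (assumed rule for this example, not Google's
                   published logic).
    """
    msg = email.message_from_string(raw)
    received: List[str] = msg.get_all("Received") or []
    broken_lock = not (received and hop_used_tls(received[0]))

    results: Dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        results.update(auth_results(hdr))
    authenticated = results.get("spf") == "pass" or results.get("dkim") == "pass"
    return {"broken_lock": broken_lock, "question_mark": not authenticated}


if __name__ == "__main__":
    for name, raw in (("secure", SECURE_MSG), ("plain/unauth", PLAIN_UNAUTH_MSG)):
        print(name, gmail_style_flags(raw))
```

Only the topmost Received header is trusted for the lock decision because it is the one our own server added; earlier hops are written by other parties and say nothing about the link into our MX.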

Are Industrial Control Systems the Latest Weapon in Modern Warfare?

By Barry Mattacott, marketing director, Wick Hill Group

Are industrial control and SCADA (Supervisory Control and Data Acquisition) systems the new frontier, not just for cyber-crime but also for cyberwar?

Until recently, when you were at war with a country, you sent in your bombers. First they hit the military targets. Once they had finished those off, they would hit infrastructure, with attacks designed to destroy industry and demoralise the civilian population. Electricity production, oil and gas, even water and waste services would all be targeted.

However, nowadays, you don't need brute force to turn the lights off. This was recently demonstrated by hackers attacking Ukraine, who succeeded in knocking out power supplies to up to 1.4 million residents through the social engineering attack known as spear phishing. An infected Word document was used to introduce BlackEnergy malware into critical systems. http://www.bankinfosecurity.com/ukrainian-power-grid-hacked-a-8779/op-1

It was also social engineering which introduced that classic piece of industrial control malware, Stuxnet. It is now widely believed that Stuxnet was originally developed by an American/Israeli alliance, specifically to attack the control systems within Iran's nuclear industry. It eventually destroyed around 20% of Iran's centrifuges. The belief is that it was introduced into their system via an infected USB stick. Statistically, 60% of found USB sticks get plugged straight in, with this rising to 90% if the USB stick has a recognizable logo on it. https://en.m.wikipedia.org/wiki/Stuxnet

More recently, researchers revealed a vulnerability in the Chrysler Jeep which caused the virtual recall of 1.4 million vehicles. It was demonstrated that a hacker could wirelessly access the control systems of the Jeep with the potential to disable the brakes and steering. Although a recall notice was issued, owners were sent a USB stick that allowed them to apply an update themselves without the need to take the vehicles back to a dealer. Chrysler also implemented network level security protection to block the exploit on the Sprint cellular network that connects their cars to the Internet. http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Let's not stop at cars, let's think big: The Great Train Robbery, 21st Century style. Now they can steal the whole train! A hacking team has discovered vulnerabilities within the control systems used in train networks worldwide that could allow attackers to cause derailments and even steal a whole train. https://www.rt.com/usa/327514-absolutely-easy-hacking-train-systems/

Other worrying hacking incidents include the Slammer Worm, which affected critical infrastructure as diverse as emergency services, air traffic control, water systems, ATMs, electrical companies, and a nuclear power plant’s process computers and safety display systems.

So why are these systems all so vulnerable? It’s probably due to a number of widely held misconceptions which were highlighted in research by Kaspersky Lab entitled ‘Five Myths of Industrial Control Systems Security.’ http://media.kaspersky.com/pdf/DataSheet_KESB_5Myths-ICSS_Eng_WEB.pdf

Myth: Industrial control systems are not connected to the outside world.
Fact: Most industrial control systems have eleven connections to the Internet.

Myth: We are safe because we have a firewall.
Fact: Most firewalls allow "any" service on inbound rules.

Myth: Hackers don't understand SCADA.
Fact: More and more hackers are specifically investigating this area.

Myth: We are not a target.
Fact: Stuxnet showed us that just because you weren't the intended target of industrial hacking, doesn't mean you won't become a victim.

Myth: Our safety system will protect us.
Fact: The chances are that your safety and control is using the same operating system with the same vulnerabilities.

Conclusion

Little recognised, dangerous, seriously disruptive, disabling, potentially lethal, and not widely defended against, industrial control and SCADA systems have the potential to be the new front line in modern warfare. Instead of brute force, countries can be softened up by the loss of essential infrastructure and services. Infrastructure providers, utility companies, transport companies and any organisation whose disruption could cause serious problems, as well as governments themselves, need to look much more seriously at how to defend against such cyber-attacks. Or there could be serious consequences for national security.

About the author

Barry Mattacott is marketing director of Wick Hill Group, which is based in Woking, Surrey and Hamburg, Germany. Wick Hill Group is part of Rigby Private Equity (RPE), a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc. Specialist distributor Zycko is also part of RPE, and in co-operation with Zycko, Wick Hill can offer a pan-European service which provides a common proposition and consistent delivery for vendor and reseller partners covering 13 countries. Users of products sourced through Wick Hill include most of the Times Top 1000 companies, in addition to many non-commercial organisations, government departments and SMEs across all business sectors. Through its channel partners, the company has delivered IT solutions to more than a million users world-wide. Wick Hill currently has offices in Woking, Surrey, with sister offices in Hamburg. https://www.wickhill.com

Source: RealWire

House bill would kill state, local bills that aim to weaken smartphone crypto

Bipartisan legislation likely to be thorn in law enforcement's "Going Dark" side.

Crypto connoisseurs: Curl up with Princeton’s 300-page ode to Bitcoin

Bitcoin boffins have been gifted a 300-page treatise on the workings of their favourite crypto-currency as told by the academics of Princeton and Stanford universities. The first draft of the book, written in a conversational narrative rather than binary research paper format, is geared to those with at least a basic understanding of computer science and some programming experience.

The book Bitcoin and Cryptocurrency Technologies [PDF] is written by Princeton assistant professor Arvind Narayanan; professor Edward Felten; PhD Steven Goldfeder; Stanford University postdoc researcher Joseph Bonneau; Concordia Institute assistant professor Steven Goldfeder, and University of Maryland PhD Andrew Miller. It addresses the "important questions about Bitcoin" including security, anonymity, and regulation.

"Each chapter has a series of homework questions to help you understand these questions at a deeper level," the authors write. "After reading this book, you’ll know everything you need to be able to separate fact from fiction when reading claims about Bitcoin and other crypto-currencies. You’ll have the conceptual foundations you need to engineer secure software that interacts with the Bitcoin network and you’ll be able to integrate ideas from Bitcoin into your own projects."

Readers are given programming assignments to implement Bitcoin components into simple models. They can step up their education and enroll in Narayanan's free online Bitcoin course. The authors say Bitcoin is exciting because of its technology, which they describe as "deep, novel, and interesting", and that it will break its present obscurity to find commercial and social success. Readers are invited to submit comments on the draft. The final text will be published later this year. Narayanan says the authors will publish an improved version soon that will include elements of Stanford University's programming assignments.

Thenue Drives Digital Efficiencies With 1st Touch Mobile Working

Thenue Housing Association has introduced mobile workforce technology from 1st Touch (www.1sttouch.com). The software will be used to support the Association’s strategy to deliver more services digitally through its mobile operatives. Initially, these include estate management and tenancy services along with pre and post void inspections.

A registered Scottish charity, Thenue Housing owns and manages over 3500 properties spread across 6 main communities in the Glasgow region. They chose 1st Touch as it had a proven integration with the Association’s Aareon back office system. In addition, they had received a number of strong references from other users of the software whilst researching the options available on the market. Another factor was the system’s unique Smart Airtime facility. This enables operatives to send data back to base in compressed and encrypted bursts, whenever a signal becomes present. By utilising this function, users can continue working and do not need to waste time looking for a constant signal.

Commenting on the news, Brian Gannon, Head of Housing at Thenue, noted, “We see our Digital Strategy as a very sound investment and 1st Touch is an important element of this. Not only will its deployment boost customer service delivery but it will also deliver significant efficiencies for the business. Naturally, any resources we save as a result can be redirected towards helping those tenants in greatest need, especially those struggling with the impact of Welfare Reform.

“We looked at a number of different solutions but 1st Touch won through. We were aware that they are a leader in the market in the supply of enterprise mobile workforce software for social housing. However, the main driver for us is the software’s ability to integrate with our existing back-office Aareon QL system. With 1st Touch we can now have live real-time data going straight from the mobile device into Aareon and that is a real step forwards. In addition, the system’s Smart Airtime feature will ensure that communicating this data is exceptionally easy, as the system doesn’t require a constant signal. We were also impressed that these processes are already in place at other 1st Touch customers and that we were able to read the testimonials from numerous happy users. We look forward to identifying other areas where 1st Touch software can help us.”

For his part, Greg Johns, CEO of 1st Touch, noted, “Thenue Housing Association has a clear digital vision and could see the very real benefits that our software will deliver. Whilst we are delighted at the efficiencies this will bring to their business, it’s especially pleasing that the savings they derive will ultimately help those tenants who need support the most.”

Note to Editors: About 1st Touch (www.1sttouch.com)

Southampton based 1st Touch, a subsidiary of Aareon AG (www.aareon.com), has enabled dozens of social housing organisations to embrace new technologies, such as mobile working, to achieve significant savings, greater productivity and more cost-effective use of resources. The system’s flexibility through simple customer control over mobile and customer service forms creation and amendment is also widely acclaimed. Of particular note is 1st Touch 360. This intuitive new dashboard solution streamlines processes by delivering a single, 360 degree-view of all key metrics and customer data access points. As a result, all the information needed to conduct any customer visit is collated in one central easily navigable location. With such cross-functional visibility, tasks which would previously have required numerous customer visits by different teams are now resolved in one visit from a staff member operating in a multi-functional role. There is integration to multiple back office and other enterprise software applications, so that data is entered only once.

1st Touch has a clear focus on the Social Housing and Local Government markets. Many social housing providers and local authorities, at large, now benefit from the fast and tangible, best of breed benefits that 1st Touch technology delivers across the enterprise. To date, over 50% of the social housing market which has deployed mobile technology has chosen to implement 1st Touch. In total, over 1.6 million properties are managed across 130 customers/Housing Associations using 1st Touch. In local government too, 1st Touch has been adopted for a wide range of mobile workforce uses. Ready to use applications for local authority organisations include: Public Buildings, Highways/Street Services, Environmental/Waste Management, Revenues and Benefits, together with Planning Control and Trading Standards. 1st Touch software is available on a wide variety of platforms including: Windows Mobile, Apple and Android.

Source: RealWire

SAP plugs critical software flaw that could let hackers into factories

SAP has issued a critical software update that plugged 23 security holes on Tuesday, including a fix for security issues in its industrial manufacturing software. The manufacturing software patch addresses a critical vulnerability in SAP Manufacturing Integration and Intelligence (xMII). The product provides a bridge between ERP (Enterprise Resource Planning) and other enterprise applications with plant floor and OT (Operational Technology) devices. The technology is widely used in manufacturing as well as the oil and gas exploration business and energy utilities.

Left unresolved, the directory traversal vulnerability in SAP xMII would create a potential means for hackers to penetrate into plant floor and OT networks where ICS (industrial control systems) and SCADA systems are located. A skilled attacker might harness the directory traversal flaw to access files and directories located in an SAP server filesystem, including application source code, configuration and system files.

“Any vulnerability affecting SAP MII can be used as a starting point of multi-stage attacks aiming to get control over plant devices and manufacturing systems,” Polyakov Alexander, CTO at SAP and Oracle security specialists ERPScan, told El Reg. “Similar attack scenarios were presented by us at the BlackHat conference but for the oil and gas [industry] in particular.”

ERPScan’s analysis of SAP’s patch batch can be found here. SAP’s own summary of its February patch update is here. Most of the patched vulnerabilities reside in SAP NetWeaver's J2EE application security. The most common vulnerability types are cross-site scripting and missing authorisation checks. Four of the patched vulnerabilities, including the critical xMII flaw, were discovered by ERPScan researchers Dmitry Chastuhin and Vahagn Vardanyan.

IRS website attack nets e-filing credentials for 101,000 taxpayers

Breach comes a year after a previous hack compromised 300,000 people.

New report contends mandatory crypto backdoors would be futile

With two-thirds of crypto developed abroad, crooks have plenty of non-US alternatives.

School network manager wins £10,000 in NCC Group Cyber 10K challenge

The second edition of a business-development-focused cyber security challenge, the Cyber 10K, has concluded, with the worthy winner receiving £10,000 to further develop an innovative security dashboard tool. The challenge was run by the information assurance firm NCC Group, supported by a judging panel including your correspondent, representing The Register. Cyber 10K was open to both individuals and groups and geared towards backing ideas to tackle the most pressing security challenges affecting businesses and consumers. Students, graduates and non-security-specialist IT workers and software developers were all encouraged to apply. Products from across the spectrum of infosec problems were considered, but applicants were offered suggestions of areas they might want to focus upon. These included: consumer and user awareness, training and support; IoT and mobile security1; cyber incident response and clean-up; and cloud security. The challenge was opened in September, with a 30 November deadline set for competition entries. Entries were judged by a panel consisting of: Paul Vlissidis, director of the .trust division at NCC Group; Professor Tim Watson, director at University of Warwick’s cyber security centre; Professor Steve Schneider, director of the Surrey Centre for Cyber Security; Alex van Someren, founder and former chief exec of nCipher turned managing partner at Amadeus Capital Partners; and your correspondent. The entries were whittled down to a short-list of the two most promising: "MouseVault", a computer mouse with a built-in fingerprint sensor and password storage technology, and "Defence in Depth", a computer health-check and security dashboard app for Windows aimed at small businesses. Judges were asked to evaluate each on the basis of the significance of the problem being addressed, market potential and feasibility.
Each of the two finalists was gently grilled by the judges on their ideas during a 30-minute group Skype session during which the finalists pitched their product development ideas. "Defence in Depth" emerged victorious from this Dragons’ Den-style exercise, gaining higher marks for both technical merit and artistic flair. Winner Ross Higgins, a school network manager with IT security training, will be offered additional advice and support from NCC on how to develop his product alongside the prize money. "Defence in Depth" has already reached the prototype stage, with Windows 7 as the initial target platform. During the judging process, the idea of further developing the technology so it helped promote user awareness of social engineering threats, such as phishing and tricking users into downloading dodgy apps, was floated. Runner-up Alex Illsley, a software engineer, was also offered tips.
Defence in Depth screenshot
A (slightly edited) version of Higgins' pitch for "Defence in Depth" can be found below: Many home users and small businesses have poor defences against malware, viruses and rootkits, often relying on antivirus products alone. The main point of entry for attacks is usually email or exploitation of vulnerabilities in web browser plugins. Users have little visibility of these problems. The Defence in Depth application is designed to carry out an overall assessment of the computer's defences, assisting users to make any required changes to improve them, such as updating out-of-date apps or removing insecure plug-ins. A score is also provided for the computer's current state, along with a separate score for future protection. Cyber 10K aimed to stimulate creative thinking as well as encouraging innovative approaches towards addressing the many challenges the industry faces. The competition is partly designed to encourage students and recent grads to take up careers in IT security.
A key aim of the competition is to engage young people and discover hidden talent in the field of cyber security. The UK is historically a key worldwide centre of infosec development, spawning security innovators such as nCipher, Sophos and many others. Cyber 10K aims to help in finding the next generation of security innovators. Seeking out new talent and encouraging the younger generations to become immersed in the world of cyber security more generally can be part of wider plans to tackle the skills gap. ® The Register is a media partner of Cyber 10K and our security correspondent John Leyden is a member of the judging panel.
Bootnote 1: There was a marked shortage in the number of mobile or IoT security app entries submitted to the competition, for reasons that aren’t immediately clear. Perhaps the problems in these areas are so severe that they are putting would-be developers off. Alternatively it might be that designing mobile security apps has become somewhat unfashionable, possibly temporarily.

More Uber drivers file labor lawsuits: One claims he makes only $80 per week

Plaintiffs' lawyer: "The laws need to keep pace with the technology."

Cricket can get nasty: India v Pakistan rivalry boils over into cyber-war

The continuing rivalry between India and Pakistan has spilled over into cyberspace, with activity peaking around nationalist holidays and sports fixtures. A study of recent real-world events and hacktivist operations by threat intelligence firm Recorded Future highlights the varied motives behind online malfeasance. Events ranging from Indian Independence Day (15 August) and Pakistan Independence Day (15 August) to anniversaries of the Mumbai attacks by Islamist terrorists (26 November), and even India versus Pakistan cricket matches, often coincide with increased cyber activity. “India and Pakistan’s independence days, which fall on August 15 and August 14 respectively, create a predictable pattern (at least over the past three years) of attacks and retaliatory strikes by the opposing hacker groups,” Recorded Future reports. Hacktivists have also been known to take up arms because of passions ignited by cricket, it adds. On March 2, 2014, Pakistan defeated India in a cricket match in the Asia Cup held in Dhaka, Bangladesh. The next day (March 3), in Meerut, India, 67 Kashmiri students at Swami Vivekanand Subharti University were suspended for having cheered for Pakistan and distributing sweets after their win. Then on March 5, 2014, the website of Swami Vivekanand Subharti University was hacked by a group claiming to be the Pakistan Cyber Army (AKA Bangladesh Cyber Army) in response to the expulsion of pro-Pakistan students. Finally, on March 7, 2014, the sedition charges against the expelled students were dropped, but they could still face prosecution over the incident. A 1970 FIFA World Cup qualifier famously ignited existing tensions between El Salvador and Honduras to provoke a brief war in July 1969. Recorded Future’s research shows cricket can also spark off tensions. Hacktivists from the Pakistan Cyber Army (PCA) have targeted India since 2007.
Government and private sites targeted by the PCA at various times have included the Indian Oil and Natural Gas Corporation, Indian Railways, the Central Bureau of Investigation, Central Bank of India, and the State Government of Kerala. Recorded Future has republished Facebook posts seemingly by a member of the PCA that provide tutorials on how to set up phishing attacks. Individuals affiliated with the PCA may have skills including zero-day vulnerabilities, SQL injection, WEP cracking, and spear phishing, according to reports by Recorded Future and other threat intel experts, including ThreatConnect and FireEye. It’s far from all one-way traffic. Indian hackers took part in a revenge attack in response to the deadly 2 January attack on the Indian Air Force base in Pathankot. Indian hacker groups include the Indian Black Hats and the Mallu Cyber Soldiers. Methods used by these groups include SQL injection and PHP web application hacks. “There [are] many possible motivations and objectives of the cyber activities between India and Pakistan,” Recorded Future concludes. “These could range all the way from loosely affiliated hacktivist groups avenging attacks by defacing symbols and institutions to more coordinated state-sponsored attacks.” The threat analyst firm plans to look closer into state-sponsored hacking in the sub-continent in a follow-up study. ®

UK authorities sue Star Wars producer over Harrison Ford’s broken leg

Health and Safety Executive says Foodles Production created an unsafe workplace.

NYPD used stingrays over 1,000 times without warrants since 2008

New York Civil Liberties Union: "The privacy of nearly all New Yorkers is at risk."