About: Newsbites

Documents Show DoE Computer Systems Breached 159 Times in Four Years

September 9 & 10, 2015

According to information obtained by USA Today through a Freedom of Information Act (FOIA) request, the US Department of Energy's computer systems were breached by attackers more than 150 times between 2010 and 2014. There were many failed attempts to break into the systems; the success rate was roughly 15 percent.

DHS Warns of Spear Phishing Attack Targeting Critical Infrastructure Organizations

September 9, 2015

The US Department of Homeland Security has warned providers of the country's critical infrastructure that a spear-phishing campaign targeting their networks has been detected. DHS did not identify the suspected source of the attacks.

[Editor's Note (Assante): DHS is shining a spotlight on the use of spear phishing to intrude upon infrastructure organizations. This technique is being successfully used by a diverse set of threat actors. More concerning is the focus by some to exploit the inherent trust between suppliers and ICS end users. Phishing is but one delivery method, as trojanizing ICS software and water-holing have also been observed.]

Mac Firmware Proof-of-Concept Malware

August 3, 2015

Researchers plan to present proof-of-concept malware that infects Apple systems' firmware and persists even when users wipe the hard drive and reinstall OS X. The demonstration will also show how the malware, called Thunderstrike 2, can spread from MacBook to MacBook even if they are not networked.

[Editor's Note (Assante): This is deja vu for those working in ICS security. Here's hoping the late but heavy-weight arrival of general computing security spurs some positive movement in the firmware/hardware ecosystem. Keeping lights on and chemicals in safe places did not do it, but now we have real stakes, as grandma's family photo collection is way too important to lose.]

President Calls CEOs to Cybersecurity Meeting in Situation Room

March 13 & 14, 2013

On Wednesday, March 13, CEOs from the US financial, energy, and technology sectors met in the White House Situation Room for a presidential briefing on cybersecurity. The meeting follows close on the heels of an FBI disclosure that hackers stole personal information of celebrities from a credit report site and two US officials testifying at legislative committee hearings about the increased risk of cyberthreats. The meeting aimed to get private industry on board with the president's recent executive order on cybersecurity. Private companies have been resistant to what they see as the government stepping in and telling them how to run their organizations. The private industry CEOs requested a "light touch" from the government regarding cybersecurity legislation. Former White House cybersecurity adviser Howard Schmidt noted that "cybersecurity is much more than a tech issue. We're only going to be able to address this threat if business and government work together," and that "every leader in the c-suite needs to be focused on cybersecurity."

[Editor's Note (Pescatore): The President and his cybersecurity advisors need to focus on what the government could do to remove the barriers to industry increasing their security level. The current Executive Order "Yet Another Framework" approach will just bring YAF.]

US Director of National Intelligence Says Cyberattacks Top List of Security Threats to US

March 12 & 13, 2013

For the first time, cyberattacks top the list of security threats facing the country, according to the annual Worldwide Threat Assessment of the US Intelligence Community report. In testimony before the Senate Select Committee on Intelligence, US Director of National Intelligence James Clapper said "there is a remote chance of a major cyberattack against US critical infrastructure during the next two years that would result in long-term, wide-scale disruption." Clapper said that most attackers lack the necessary skills to launch such an attack, and that control systems allow for manual overrides. He added that the countries that have the necessary skills to launch such an attack do not have a motive right now. It is more likely that attacks on critical infrastructure elements would come from non-state-sponsored hackers who are not as skilled. While the disruptions they might cause would probably be limited, "there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes."

ICS-CERT, SCADA Patching Under The Microscope

Some experts say that the ICS-CERT's vulnerability reporting is not addressing the underlying issue - "that the most serious vulnerabilities in control systems are deliberate design features, not bugs."

http://www.darkreading.com/vulnerability-management/167901026/security/vulnerabilities/240150763/ics-cert-scada-patching-under-the-microscope.html

[Editor's Note (McBride): Let me put the problem another way. If you are on an ICS network, and can access a vulnerable PLC Web server (that's used to configure the device), you can probably already talk directly to/with the PLC! Who cares if a vulnerability allows an attacker to do directory traversal and get log-in credentials? The attacker can already interact with the PLC at will (tell it how to manipulate the physical process)! It's not a matter of whether the ICS-CERT is fulfilling some part of its mission, it's a matter of whether that part of the mission makes much sense in the first place.

(Assante): These architectural weaknesses are the reason ICS systems must remain behind defenses and should not rely upon the simple security features of any single component or device. Addressing vulnerabilities will continue to be important, but these systems require holistic defenses and informed engineering decisions to compensate for the inherent machine-to-machine trust in the legacy designs. (Pescatore): The same is true across much of Operational Technology, such as medical machinery, kiosks/ATM machines and the like. If the front door doesn't even have a lock, reporting that the hinges can be removed is not all that valuable. Need to get the manufacturers to take responsibility for bad designs and fix them.]

Greater Transparency About Cyberattacks Beneficial for Security

March 1, 2013

In the past several weeks, at least 19 US financial institutions have disclosed cyberattacks on their computer systems. The disclosures were made in annual financial reports to the US Securities and Exchange Commission (SEC). (In October 2011, the SEC issued guidance requiring companies to report significant computer security incidents.) Nearly all of the institutions reporting incidents say that their systems were targeted in a series of distributed denial-of-service (DDoS) attacks that made headlines in 2012. Officials have suggested that the Iranian government may have been behind those attacks. The increased level of disclosure is beneficial because it "brings greater awareness, greater diagnosis and a desire to find a stronger cure," according to the president of a financial services trade organization. The increased disclosure "is the market solution to cybersecurity," according to a Senate Commerce Committee staff member. "It's getting investors aware of the issue. And it's getting senior executives to manage cyber risk the same way they would manage other business risks."

http://www.washingtonpost.com/world/national-security/more-companies-reporting-cybersecurity-incidents/2013/03/01/f7f7cb68-8293-11e2-8074-b26a871b165a_story.html

[Editor's Note (Henry): Recent reporting by many companies across multiple sectors is positive. The long reluctance to report due to concerns about how it will impact the business is subsiding as this threat receives increased publicity, resulting in enhanced awareness. That's all good. But in this case, the banks report they're being attacked, to the tune of hundreds of millions of dollars. It's likely by Iran, and everyone knows it. The banks have taken reasonable and appropriate defensive action, yet 5 months later they're still being attacked. Information sharing that doesn't lead to action by someone who can mitigate the threat is half a solution.

(Paller): A great deal of wisdom in Shawn Henry's comment. Tony Sager, NSA's top cyber defender for many years, has often said "information sharing is overrated," clarifying his words by adding that if the organization receiving the shared information is not fully prepared to act on it, sharing doesn't do a lot of good. That means to me that the information should go to technical people in a position to act, and with the right skills and authority to act. Otherwise information sharing is just window dressing.

(McBride): Disclosing in SEC filings is probably a good step 1. We are now admitting we have a challenge. Putting cyber attacks into terms understood by executives and investors (think impact on financial statements) remains a significant hurdle.]

Industrial Control Systems Sandbox

February 28, 2013

The Industrial Control Systems (ICS) Sandbox allows oil and gas companies in the US, Canada, and Brazil to test the resilience of their systems and learn about real-world effects of cyberattacks in a closed environment. Organizations running control systems need to know how attacks will affect their ability to provide services. In addition, malware attacks on control systems cannot be addressed the way they are in traditional IT environments.

http://www.darkreading.com/risk-management/167901115/security/news/240149728/scada-sandbox-tests-real-world-impact-of-cyberattacks-on-critical-infrastructure

[Editor's Note (Assante): Understanding consequences is important, and shared assets like the Sandbox are wonderful additions that promote learning. We need a wider use of tools that allow entire teams of defenders and system operators and engineers to hone their skills and find workable practices to develop a confident playbook. (McBride): The ability to understand how the cyber might affect the physical is a significant missing piece. The efforts covered in this story represent one attempt to bridge that gap. (Paller): A much more sophisticated simulator, being built for the U.S. military, gets right at the heart of building the skills and teams Mike Assante describes. Called CyberCity, it was the subject of a front page article in the Washington Post: http://www.washingtonpost.com/investigations/cybercity-allows-government-hackers-to-train-for-attacks/2012/11/26/588f4dae-1244-11e2-be82-c3411b7680a9_story_1.html]

Cyberspies Targeted US Natural Gas Pipeline Control Systems

February 27, 2013

According to a classified US Department of Homeland Security (DHS) report, Chinese-linked cyberespionage campaigns targeted 23 US natural gas pipeline operators between December 2011 and June 2012. The companies were targeted through spear phishing attacks. The DHS report does not name China, but the indicators of compromise (IOCs) reported to DHS match those that Mandiant has linked to a group, known by several different names, with ties to China's People's Liberation Army. The information stolen in the attacks - usernames, system manuals, and pipeline control system access credentials - could allow attackers to cause damage to compressor stations. The cyberspies also appear to be targeting information related to fracking.

http://www.csmonitor.com/Environment/2013/0227/Exclusive-Cyberattack-leaves-natural-gas-pipelines-vulnerable-to-sabotage?nav=87-frontpage-mostViewed

[Editor's Comment (Assante): The "who" is not insignificant but the important point to consider is the focused interest in pipeline control systems and operations related information, reported here. It is getting more difficult to understand the different motivations associated with these highly targeted attacks. Many people believe the Industrial Control Systems security model is all about "availability", but I believe the most important element is "Integrity" as it is the foundation for safe and reliable operations.]

DHS Sharing Cyberattack Information with Critical Infrastructure Operators

February 25, 2013

President Obama's cybersecurity executive order requires government agencies to share cyberthreat intelligence with critical infrastructure operators, and asks that private companies also share information they have. The US Department of Homeland Security (DHS) has begun sharing information about the cyberattacks that affected Apple, Microsoft, Twitter, and other companies. The DHS bulletin sent out on Friday, February 22 warned organizations responsible for systems that support elements of the country's critical infrastructure of "ongoing malicious cyber activity against US government and private sector entities," and provided information about how those organizations that had been contacted could obtain confidential guidance, including malware indicators.

http://www.nextgov.com/cybersecurity/2013/02/dhs-notifies-companies-offers-intel-about-ongoing-hacks/61482/?oref=ng-channelriver

[Editor's Comment (McBride): When it comes to DHS information sharing, I always like to ask, where does this information come from? Is it supplied by third parties, or did the government "figure it out"? This is important because allowing the government to act as a filter/modifier may not be in the best interest of eventual recipients.]