Sunday, 30 October 2016

Major Security Flaw Targets Industrial Computer Systems

A major security vulnerability affecting one of the world’s largest manufacturers of computerized industrial control systems, Schneider Electric, has recently been identified, according to a leading cybersecurity firm.

Researchers at the Israel-based Indegy Corporation Tuesday publicly announced their identification of the security hole and details of how it could have been exploited. The security threat has since been filled by engineers at Schneider Electric.

"This vulnerability is unique for Schneider Electric systems," said Mille Gandelsman, Indegy’s Chief Technology Officer and co-founder. "Vulnerabilities traditionally are found around executable codes that the attacker builds without having permission to do so, and that’s exactly what we found," he said.
Industrial control systems, such as the type that Schneider Electric manufactures, are used in nearly every modern automated factory or processing plant.

"Everything from the manufacture of soda drinks and pharmaceuticals to electricity generation or oil and gas transfer," said Gandelsman.

Unlike IT systems that protect a computer or mobile device’s software, ICS networks were built largely by mechanical engineers to monitor and control actual physical things, such as temperature gauges, pressure flow valves, or containment chambers.

Headline grabbers

Because of the potential for catastrophic damage, some hackers have long targeted ICS networks in hopes of grabbing headlines. Just last month, an anonymous hacker detailed a successful hack of a Schneider Electric system that controls building heating and cooling systems.

These systems, as Indegy’s CEO Barak Perelman previously told VOA, can last for decades and were created long before cybersecurity was even a concept. “Practices like authentication, logging in with passwords, it doesn’t even exist…” in many ICS networks, Perelman said.

These industrial control systems often are hard to find, and more difficult to log in to, via another computer operating at a remote site than standard desktop-type computer systems more familiar in the home or office. But once inside, gaping security holes such as the type discovered by Indegy can give hackers the potential ability to destroy machinery, create widespread havoc, and even take lives by altering the physical industrial automation systems.

"Engineering stations were targeted; that’s where the various control parameters for the industrial systems can be changed," Gandelsman told VOA. "It was these workstations with specialized software [called Unity Pro] that communicate with the controllers that were made totally vulnerable…" by this recently discovered security flaw.

"That means that every system that uses this specific software for Schneider Electric systems would be vulnerable,” he said, entailing everything from the manufacture of yogurt and automobile parts to the control of urban sewage treatment and storage of highly toxic chemicals. "In a very real, physical sense, a cyberattack [in this situation] could create enormous damage."

No comment

Neither Indegy nor Schneider Electric will say whether any of its systems had been hacked prior to the recent release of a software patch.

But Gandelsman said it’s clear that other such vulnerabilities may currently exist with Schneider products, or those of other ICS vendors, like Siemens, Rockwell or others.

"These systems… are the crown jewels of industrial production," he cautioned. "Once you have access to these systems, you can do anything you want."
"Some of these control companies are very cybersecurity aware and doing their best to avoid, or at least fix, vulnerabilities," Gandelsman told VOA. "Unfortunately other vendors are not aware of the risks. These are systems that can be around for decades, so these things unfortunately continue to exist all around the world."

Would You Click on These Fake Gmail Alerts?

The months-long espionage campaign against US political targets allegedly orchestrated by hackers working for the Russian government hinged on a simple, yet effective, hacker trick: booby-trapped emails.
In some cases, such as with the hack on John Podesta or Colin Powell, the phishing emails were designed to look like Gmail alerts containing a Bitly link that led to a fake webpage to harvest the victim’s password. Podesta and Powell were fooled, but don’t think only baby boomers aren’t good at spotting malicious emails.
In fact, one in two people click on phishing links, according to some estimates. And, of course, some look more credible than others.
For example, you probably wouldn’t click on this email I got a few weeks ago, even if it contained the name of your mother, as it’s the case here.
Last week, the journalists who work for the independent investigative project Bellingcat received a series of messages that looked like legit Google security alert emails. They didn’t click on them, but would you have been able to spot that they were malicious?
This one used Google’s own style and look for a security alert. To a distracted or untrained eye, there would be no difference between this and the real thing. Imagine you get this in the middle of the day, while you’re stressed at work. Would you have clicked on it? Would have spotted that the hackers misspelled “Montain View” and “Amphithaetre”?
The hackers actually used three different types of phishing attempts, in an attempt to fool the targets. All of them prompted the would-be victims to change their passwords, and enter them in a website under the control of the hackers.
Ask yourself: would you have clicked on these emails?
Luckily, if you’re worried about phishing emails like that, and you don’t trust yourself, there’s an easy way to make these attacks much harder to pull off. Turn on two-factor authentication on Gmail or your webmail provider of choice (and do it for your social media accounts too).
With two-factor or two-step authentication, even if you click on a booby-trapped link and then give up your password to the hackers, they still can’t get in, unless they have hacked your phone too or have control of the phone network—something not all hackers can do.

Florida man ran $1.35m hack-and-spam racket with 50m-plus addresses

The wages of sin include a Ferrari F430

SpamThe leader of a spamming gang that took over corporate servers and private email accounts to send out spam has pled guilty to charges of computer hacking and identity theft.
Timothy Livingston, 31, of Fort Lauderdale, Florida, worked with two other partners to run A Whole Lot of Nothing, LLC. The shell company pulled in hundreds of thousands of dollars between January 2012 and June 2015 with spamming campaigns for illicit drugs, and also targeted some legitimate companies.
According to court documents [PDF], Livingston had experience running a spamming company called AWLN before setting up this operation. With the new company he charged advertisers between $5 and $9 for every spam email that resulted in a sale.
Livingston admitted hiring Tomasz Chmielarz to write spamming software that pumped out the digital junk mail that evaded commercial spam filters. Chmielarz, 33, of Rutherford, New Jersey, also hacked into corporate servers to subvert them into sending out the spam and to harvest email addresses from staff.
At the time of Livingston's arrest, police found at least 50 million email addresses in the group's database.
The third partner, Devin James McArthur, worked for Comcast and provided 24.5 million email addresses from the firm's database. The 28-year-old also worked with the other two men to grab more from other companies. Chmielarz and McArthur, of Ellicott City, Maryland, pled guilty to the scam in June.
As part of the plea deal, Livingston has agreed to return $1,346,442 in illicit funds and property the company purchased using spamming revenues. He has also handed over his car collection, including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.
Livingston faces charges that could put him in the Big House for up to 25 years – but is unlikely to receive a maximum sentence after cooperating with the authorities.