A major security vulnerability affecting one of the world's largest manufacturers of computerized industrial control systems, Schneider Electric, has recently been identified, according to a leading cybersecurity firm.
Researchers at the Israel-based Indegy Corporation on Tuesday publicly announced their identification of the security hole and details of how it could have been exploited. The hole has since been patched by engineers at Schneider Electric.
"This vulnerability is unique for Schneider Electric systems," said
Mille Gandelsman, Indegy’s Chief Technology Officer and co-founder.
"Vulnerabilities traditionally are found around executable codes that
the attacker builds without having permission to do so, and that’s
exactly what we found," he said.
Industrial control systems, such as the type that Schneider Electric
manufactures, are used in nearly every modern automated factory or
processing plant.
"Everything from the manufacture of soda drinks and pharmaceuticals to
electricity generation or oil and gas transfer," said Gandelsman.
Unlike IT systems that protect a computer or mobile device’s software,
ICS networks were built largely by mechanical engineers to monitor and
control actual physical things, such as temperature gauges, pressure
flow valves, or containment chambers.
Headline grabbers
Because of the potential for catastrophic damage, some hackers have long
targeted ICS networks in hopes of grabbing headlines. Just last month,
an anonymous hacker detailed a successful hack of a Schneider Electric system that controls building heating and cooling systems.
These systems, as Indegy’s CEO Barak Perelman previously told VOA,
can last for decades and were created long before cybersecurity was
even a concept. “Practices like authentication, logging in with
passwords, it doesn’t even exist…” in many ICS networks, Perelman said.
These industrial control systems are often harder to find, and harder to log in to from a computer at a remote site, than the standard desktop computers familiar in the home or office. But once an attacker is inside, gaping security holes such as the one discovered by Indegy can give hackers the ability to destroy machinery, create widespread havoc, and even take lives by altering the physical industrial automation systems.
"Engineering stations were targeted; that’s where the various control
parameters for the industrial systems can be changed," Gandelsman told
VOA. "It was these workstations with specialized software [called Unity
Pro] that communicate with the controllers that were made totally
vulnerable…" by this recently discovered security flaw.
"That means that every system that uses this specific software for
Schneider Electric systems would be vulnerable,” he said, entailing
everything from the manufacture of yogurt and automobile parts to the
control of urban sewage treatment and storage of highly toxic chemicals.
"In a very real, physical sense, a cyberattack [in this situation]
could create enormous damage."
No comment
Neither Indegy nor Schneider Electric will say whether any of its
systems had been hacked prior to the recent release of a software patch.
But Gandelsman said it’s clear that other such vulnerabilities may
currently exist with Schneider products, or those of other ICS vendors,
like Siemens, Rockwell or others.
"These systems… are the crown jewels of industrial production," he
cautioned. "Once you have access to these systems, you can do anything
you want."
"Some of these control companies are very cybersecurity aware and
doing their best to avoid, or at least fix, vulnerabilities," Gandelsman
told VOA. "Unfortunately other vendors are not aware of the risks.
These are systems that can be around for decades, so these things
unfortunately continue to exist all around the world."
Sunday, 30 October 2016
Would You Click on These Fake Gmail Alerts?
The months-long espionage campaign against US political targets allegedly orchestrated by hackers working for the Russian government hinged on a simple, yet effective, hacker trick: booby-trapped emails.
In some cases, such as with the hack on John Podesta or Colin Powell, the phishing emails were designed to look like Gmail alerts containing a Bitly link that led to a fake webpage to harvest the victim’s password. Podesta and Powell were fooled, but don’t think only baby boomers aren’t good at spotting malicious emails.
In fact, one in two people click on phishing links, according to some estimates. And, of course, some look more credible than others.
For example, you probably wouldn't click on this email I got a few weeks ago, even if it contained the name of your mother, as is the case here.
Last week, the journalists who work for the independent investigative project Bellingcat received a series of messages that looked like legit Google security alert emails. They didn't click on them, but would you have been able to spot that they were malicious?
This one used Google’s own style and look for a security alert.
To a distracted or untrained eye, there would be no difference between this and the real thing. Imagine you get this in the middle of the day, while you're stressed at work. Would you have clicked on it? Would you have spotted that the hackers misspelled "Montain View" and "Amphithaetre"?
The hackers actually used three different types of phishing attempts to fool the targets. All of them prompted the would-be victims to change their passwords, and to enter them on a website under the control of the hackers.
Ask yourself: would you have clicked on these emails?
Luckily, if you’re worried about phishing emails like that, and you don’t trust yourself, there’s an easy way to make these attacks much harder to pull off. Turn on two-factor authentication on Gmail or your webmail provider of choice (and do it for your social media accounts too).
With two-factor or two-step authentication, even if you click on a booby-trapped link and then give up your password to the hackers, they still can’t get in, unless they have hacked your phone too or have control of the phone network—something not all hackers can do.
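The tells described above (a shortener link standing in for the brand's own domain, and near-miss misspellings of the brand's footer text) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from Google: it scores a message body on those two cues. The reference footer phrases, the shortener and brand-domain lists, and both sample messages are constructed for this example.

```python
"""Heuristic triage of a suspected brand-impersonation e-mail (added example).

Flags two cues shared by the lures described in the article: a URL-shortener
link in place of the brand's own domain, and close-but-wrong spellings of the
brand's footer text. Reference strings and samples are constructed here.
"""
import difflib
import re
from urllib.parse import urlparse

# Footer phrases a genuine Google security alert would carry, spelled
# correctly; the lures on the page misspelled both.
REFERENCE_PHRASES = ["Mountain View", "Amphitheatre Parkway"]

# Shortener hosts that hide a link's real destination (assumed list).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}

# Domains the impersonated brand legitimately links to (assumed list).
BRAND_DOMAINS = {"google.com", "accounts.google.com", "myaccount.google.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def near_miss_spellings(text, references=REFERENCE_PHRASES, cutoff=0.8):
    """Return (found, expected) pairs where the text contains a close but
    inexact variant of a reference phrase, e.g. 'Montain View'."""
    hits = []
    words = text.split()
    for ref in references:
        n = len(ref.split())
        # slide a window of n tokens across the message
        for i in range(len(words) - n + 1):
            candidate = " ".join(words[i:i + n]).strip(",.;:")
            if candidate == ref:
                continue  # spelled correctly, nothing to flag
            ratio = difflib.SequenceMatcher(
                None, candidate.lower(), ref.lower()).ratio()
            if ratio >= cutoff:
                hits.append((candidate, ref))
    return hits


def suspicious_links(text, brand_domains=BRAND_DOMAINS):
    """Return (url, reason) pairs for links that go through a shortener or
    point outside the brand's domains in a message claiming to be the brand."""
    flagged = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,)")
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            flagged.append((url, "url-shortener hides destination"))
        elif not any(host == d or host.endswith("." + d) for d in brand_domains):
            flagged.append((url, "link leaves the brand's domains"))
    return flagged


def triage(text):
    """Combine both cues into a simple verdict."""
    spelling = near_miss_spellings(text)
    links = suspicious_links(text)
    score = len(spelling) + len(links)
    return {
        "misspellings": spelling,
        "links": links,
        "score": score,
        "verdict": "suspicious" if score >= 2 else "no strong cues",
    }


# Constructed sample modelled on the lure described in the article.
SAMPLE_LURE = """Someone has your password
Google stopped this sign-in attempt. Change your password now:
https://bit.ly/EXAMPLE-lure
Google Inc., 1600 Amphithaetre Parkway, Montain View, CA 94043"""

# Constructed sample of what a correctly spelled, brand-hosted alert looks like.
SAMPLE_LEGIT = """Security alert
Review your recent activity at https://myaccount.google.com/notifications
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043"""

if __name__ == "__main__":
    for name, body in [("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)]:
        print(name, triage(body))
```

The spelling check deliberately ignores exact matches and only reacts to near misses, because a correctly spelled footer is no evidence either way; the link check treats any shortener as a tell regardless of destination, since a real account alert has no reason to hide where it sends you. Either cue alone is weak, which is why the verdict needs two.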
Florida man ran $1.35m hack-and-spam racket with 50m-plus addresses
The wages of sin include a Ferrari F430
The leader of a spamming gang that took over corporate servers and private email accounts to send out spam has pled guilty to charges of computer hacking and identity theft. Timothy Livingston, 31, of Fort Lauderdale, Florida, worked with two other partners to run A Whole Lot of Nothing, LLC. The shell company pulled in hundreds of thousands of dollars between January 2012 and June 2015 with spamming campaigns for illicit drugs, and also targeted some legitimate companies.
According to court documents [PDF], Livingston had experience running a spamming company called AWLN before setting up this operation. With the new company he charged advertisers between $5 and $9 for every spam email that resulted in a sale.
Livingston admitted hiring Tomasz Chmielarz to write spamming software that pumped out the digital junk mail that evaded commercial spam filters. Chmielarz, 33, of Rutherford, New Jersey, also hacked into corporate servers to subvert them into sending out the spam and to harvest email addresses from staff.
At the time of Livingston's arrest, police found at least 50 million email addresses in the group's database.
The third partner, Devin James McArthur, worked for Comcast and provided 24.5 million email addresses from the firm's database. The 28-year-old also worked with the other two men to grab more from other companies. Chmielarz and McArthur, of Ellicott City, Maryland, pled guilty to the scam in June.
As part of the plea deal, Livingston has agreed to return $1,346,442 in illicit funds and property the company purchased using spamming revenues. He has also handed over his car collection, including a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.
Livingston faces charges that could put him in the Big House for up to 25 years – but is unlikely to receive a maximum sentence after cooperating with the authorities.