Crash Override: Too Big to Ignore

Last December, hackers targeted an electric transmission substation in Ukraine, leaving roughly one-fifth of Kyiv without power. This month the security firms ESET and Dragos Inc. released reports on the malware behind the outage, suggesting that the attack served a purpose beyond the blackout itself.

They’re calling the attack a potential “dry run” for malware that could be adapted and used on a much larger scale. “Nothing about this attack looks like it’s singular,” said Robert M. Lee of Dragos.

Nicknamed “Industroyer” by ESET and “CrashOverride” by Dragos, it is only the second known malware built specifically to disrupt industrial control systems. The first, Stuxnet, captured the attention of cyber security experts after its existence was made public in 2010. That worm, widely attributed to the US and Israel, was built for a military purpose: to delay Iran’s enrichment of the uranium needed to produce nuclear weapons. The world of nuclear weapons and the leaders who wield them operates somewhat outside the civilian sphere. Malware that affects public infrastructure, however, has the potential to be far more wide-reaching.

Ukraine is no stranger to blackouts attributed to Russia. In 2015 hackers remotely took control of grid operators’ consoles and cut power to some 225,000 people, opening the breakers by hand through hijacked operator screens. Industroyer automates that step: it speaks the grid’s own control protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) natively, so it can scan for controllable equipment, change its settings and open circuit breakers without exploiting any flaw in the substation hardware. Once the malware has a foothold on a Windows machine in the target’s network, it can map the network, collect configuration and log data, and send what it finds back to the proverbial mothership.
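The protocol-level behaviour described above is exactly what a network monitor on the substation LAN can be made to detect. The following Python example is added here and is not code from the ESET or Dragos reports. It parses the IEC 60870-5-104 frame layout (the protocol Industroyer’s “104” module speaks), flags process-control commands (single, double, regulating and set-point commands, with or without time tag) that do not come from an allow-listed control master, and separately flags any source that sweeps commands across several information-object addresses of one station, which is how the payload behaves even when it runs from a legitimate operator workstation. The IP addresses, the allow-list and the captured frames are constructed for the example.

```python
"""Spot IEC 60870-5-104 control commands on a substation network.

Added example (not code from the ESET or Dragos reports). Frame layout follows
IEC 60870-5-104: APCI = start byte 0x68, length, four control octets; an I-frame
then carries an ASDU: type id, variable structure qualifier, two-octet cause of
transmission, two-octet common address, three-octet information object address,
then the information element. Sample frames and addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers for process commands in the control direction.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)",
    50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point (normalised) with time tag",
    62: "C_SE_TB_1 set point (scaled) with time tag",
    63: "C_SE_TC_1 set point (float) with time tag",
    64: "C_BO_TA_1 bitstring of 32 bits with time tag",
}
COT_ACTIVATION = 6  # the master asking for the command to be executed

Packet = Tuple[str, str, bytes]  # (source IP, destination IP, TCP payload)


@dataclass
class Asdu:
    type_id: int
    num_objects: int
    cot: int
    common_addr: int
    ioa: int       # information object address of the first object
    element: int   # first octet of its element (SCO/DCO/... qualifier)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Return the ASDU carried by an I-format APDU, or None for S/U frames and junk."""
    if len(data) < 6 or data[0] != 0x68:
        return None
    apdu_len = data[1]
    if apdu_len < 4 or len(data) < 2 + apdu_len:
        return None
    if data[2] & 0x01:            # S-format (..01) and U-format (..11) carry no ASDU
        return None
    asdu = data[6:2 + apdu_len]
    if len(asdu) < 10:            # 6-octet header + 3-octet IOA + 1 element octet
        return None
    return Asdu(
        type_id=asdu[0],
        num_objects=asdu[1] & 0x7F,
        cot=asdu[2] & 0x3F,       # low 6 bits; bit 6 is P/N, bit 7 the test flag
        common_addr=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
        element=asdu[9],
    )


def rogue_commands(packets: Iterable[Packet], allowed_masters: Set[str]) -> List[str]:
    """Alert on command activations whose source is not an allow-listed master."""
    alerts = []
    for src, dst, payload in packets:
        asdu = parse_apdu(payload)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot != COT_ACTIVATION:   # confirmations echo the type id; ignore them
            continue
        if src in allowed_masters:
            continue
        alerts.append(f"{src} -> {dst}: {CONTROL_TYPES[asdu.type_id]} "
                      f"CA={asdu.common_addr} IOA={asdu.ioa} qualifier=0x{asdu.element:02x}")
    return alerts


def command_sweeps(packets: Iterable[Packet], min_distinct_ioas: int = 8) -> Set[str]:
    """Sources that fire command activations at many distinct IOAs of one station.

    An operator flips one breaker at a time; Industroyer's payload walks a
    configured IOA range and commands each, whichever host it runs on.
    """
    targets = defaultdict(set)
    for src, _, payload in packets:
        asdu = parse_apdu(payload)
        if asdu and asdu.type_id in CONTROL_TYPES and asdu.cot == COT_ACTIVATION:
            targets[(src, asdu.common_addr)].add(asdu.ioa)
    return {src for (src, _), ioas in targets.items() if len(ioas) >= min_distinct_ioas}


# Constructed sample: 10.0.0.5 is the real HMI, 10.0.1.20 an RTU, 10.0.0.77 an
# infected engineering workstation sending breaker OFF commands.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("68 04 07 00 00 00")),                                # U-frame STARTDT act
    ("10.0.1.20", "10.0.0.5", bytes.fromhex("68 0E 00 00 00 00 01 01 03 00 01 00 01 10 00 01")),  # M_SP_NA_1, spontaneous
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("68 0E 02 00 00 00 2D 01 06 00 01 00 01 01 00 01")),  # HMI: single cmd ON, IOA 257
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("68 0E 00 00 00 00 2E 01 06 00 01 00 02 01 00 01")), # double cmd OFF, IOA 258
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 03 01 00 01")), # double cmd OFF, IOA 259
    ("10.0.1.20", "10.0.0.77", bytes.fromhex("68 0E 00 00 04 00 2E 01 07 00 01 00 02 01 00 01")), # RTU: activation confirmation
]

if __name__ == "__main__":
    for line in rogue_commands(SAMPLE_PACKETS, allowed_masters={"10.0.0.5"}):
        print("ALERT", line)
    print("sweeping sources:", command_sweeps(SAMPLE_PACKETS, min_distinct_ioas=2))
```

The allow-list alone is not enough, because the malware’s payload ran on a machine that had every right to talk to the RTUs; the sweep check catches the pattern rather than the source. In a real deployment the frames would come from a SPAN port or a Zeek/Suricata dissector, and the threshold would be tuned to how many points an operator legitimately commands in one session.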

Crash Override’s combination of a physical effect on the grid with the reconnaissance and data-gathering functions of a computer network operation should serve as a wake-up call. The successful hour-long operation in Ukraine could serve as a springboard for attacks on infrastructure in Europe or North America.

Some nations have built their critical infrastructure to be more resilient to disruption, however. The United States and many coastal nations prepare for natural disasters by planning to operate infrastructure manually rather than relying on software.

Politicians often invoke hypothetical disaster scenarios to win funding for resilient infrastructure, but this time a real weapon is looming over the West. “It’s the culmination of over a decade of theory and attack scenarios,” Sergio Caltagirone of Dragos told the Washington Post. “It’s a game changer.”

By Kate Dinnison

An interview with Misha Glenny, author of ‘DarkMarket: How Hackers Became the New Mafia’

We recently interviewed Misha Glenny, journalist and author of DarkMarket: How Hackers Became the New Mafia. His 2011 book explores the world of organised crime on the internet, including spearphishing, carding and hacking, and how the UK government is responding to this phenomenon. In the interview, our Communications Manager, Kate Dinnison, asks him about his own personal cyber hygiene, trends in cyber security today, and how technology is aiding traditional organised criminals.

 

Dinnison: After doing research for Dark Market, what personal cyber security practices do you now find important?

Glenny: There are very basic things to do. I still have an antivirus program as standard, even though I use a Mac. Increasingly I use a VPN as well. But the most important thing, I think, for me is my approach to email. Two things: the first one is simply that I don’t consider email to be a private form of communication. I consider it a public form of communication, and so I am polite, courteous, and above all else I don’t put anything sensitive in there. This is the big lesson from the Podesta and DNC hacks. Everyone’s going on about how it was appalling they were hacked. And what’s really appalling is that they were sending sensitive material over email. If anyone hasn’t got that message after the Sony hack of 2014, then they shouldn’t really be using a computer. The second thing about emails is that you have to know how to read your messages. And that means being able to read a header. That means automatically being able to detect the type of language that is being used and whether that language is appropriate to the type of person that is sending it to you. And if there are any links, and if they’re disguised links, run your cursor over them and see what that link really is. If you have any doubt about it, you just don’t go for it, whether attachments or links. There are some things you cannot avoid. You should have within your antivirus software a browser scanner built in as well, so that anything that looks at all dodgy is blocked by your antivirus programme, or at least it asks you whether you want to go to the site or not.

And those are the major things that I do. Because I am a member of a family, I make sure that everyone else is also taking some of these security measures, because you can be as careful as you like, but if you get a bug on your network then you’re vulnerable. I also change the passwords on routers so it’s not the default password. Another thing I do is I use a master password, basically a password accumulator, so that I don’t have to worry about that. Now there are problems with those programs. For logins that are not important, where you’re not storing personal data, where you’re not storing debit or credit card data, where there’s nothing sensitive, you can then use ‘password’ or ‘123456’ or whatever it is you want as an easy password, provided you don’t use that password on any sensitive things. I suggest basic domestic hygiene really.

 

Dinnison: I imagine that, as in a family, the same goes when you’re operating in a business environment. Everyone must practise these security measures.

Glenny: When it comes to corporates, it’s very different. There you need active engagement from the infosec department and the risk management department. Some companies will have a fraud department, and above all else you need the board to be fully engaged with it. If the board is not fully engaged, then what usually happens is that infosec and IT security are unable to spread a culture of appropriate cyber hygiene through the company, and that means you’re riddled with potential vulnerabilities. I keep track of various surveys that are made of IT security and board members on what their engagement with cyber security is. And what we see, even now, in 2017, is still something in the range of 50% of CEOs and other board members not engaged with the issue of cyber. This means you don’t get the vertical and horizontal communication that you need in organisations. These are corporations that have the type of money to invest in this. You have other things like government institutions, but also NGOs and charities, which are extremely vulnerable because they don’t have the cash to put in any digital solutions and often don’t understand the culture that all employees or members should be working with.

 

Dinnison: That was the excuse of the DNC.

Glenny: It’s not an excuse, it’s a failure. It’s a complete management failure.

 

Dinnison: The industrialization of cybercrime poses a big challenge to not only individuals but law enforcement. You illustrate this in your book through different case studies. After interviewing these subjects for DarkMarket are there any simple policy suggestions you would pass on to the UK government?

Glenny: There are a number of things. You have a problem that arises from the development of secondary markets and off-the-shelf malware. This means that you can either buy malware to deploy or hire out botnets to launch DDoS attacks. Or you can request a team of hackers to create your own botnet, which is becoming particularly dramatic with the Internet of Things. What this means is that the government really needs to step up. Here in the UK I suspect the National Cyber Security Centre in Victoria, which is an offshoot of GCHQ, could be a very useful thing. Britain has been pretty advanced in terms of coordinating government, business and the public sector on security. I’m a little worried that the National Cyber Security Centre has absorbed too much of the culture of secrecy that necessarily defines GCHQ. So I’ve talked to a few people who have tried to approach it for advice and media requests and they have been very, very unhelpful. And I think that’s a mistake – you need to enable and encourage people. That was the whole point of putting the National Cyber Security Centre in the middle of London: so that it would be accessible, they wouldn’t be locked up in the doughnut in Cheltenham.

The other thing is of course resources. This is going to require more money. The British government has been channelling a lot into cyber defences and I think that’s the right thing to do. But it also requires explaining to people why you need to take police resources away from where people feel comfortable, with the old syndrome we have here in the UK of ‘the bobby on the beat’. It’s necessary to shift some of those resources toward active cyber defence, because many, many people are now subject to attacks, whether it’s credit card fraud or identity theft or the use of their computing power as a botnet. People don’t know what to do when it happens. If you ring up the police and they don’t know how to proceed when you are a victim of crime online, it starts to unnerve people. One of the things I discovered talking to victims of chronic fraud or indeed identity theft is that psychologically it is perhaps not quite as devastating as finding someone has been in your home, but it really does frighten people. It triggers extreme anxiety to find out that what you thought was an entirely intimate, private sphere has been violated by an unknown outsider. So you really need enforcement officers who are capable of dealing with these victims with a degree of psychological understanding as to what victims are going through when they report crimes. You need support for that, and support requires resources. And that means these days taking it away from somewhere else.

 

Dinnison: Do you anticipate any changing trends in cybercrime due either to reliance on new technologies or any societal change?

Glenny: Well, IoT (the Internet of Things) is the greatest concern. Because in a short space of time, thanks largely to the Mirai botnet, we have seen just how powerful the IoT can make sophisticated hackers, people with real technical ability. It basically multiplies computing power by an incalculable amount, and if that computing power is in the hands of competent criminals then that can be very dangerous indeed. The problem here is quite simply that innovation, our resistance to boredom, our delight in convenience drives products coming to the market, and security is never thought of. And even if people start thinking of security now, the situation with routers around the world is so vulnerable. Basically, products need to come on the market with full security requirements already built in. And that only happens in maybe 10% of the products.

The second thing that is happening is that up until now traditional organised crime and cybercrime have tended to be two very different things. If you’re involved in traditional organised crime, then a sine qua non of your activity is your ability to threaten or deploy violence. And in cybercrime that is not a sine qua non. You don’t need to have a capacity for violence. This is a unique development where an entire raft of crimes will attract socioeconomic groups that are very different from what we understand by organised crime historically. The only thing which connects the two of them in terms of their makeup is the gender issue. That is, about 92-93 percent of organised crime syndicates are male, and 95-96 percent of hackers are male. So this is a huge marker. But other than that, class, intellectual capability, age, because hackers start much younger as a whole, are very different. You’re dealing with a different set of motivations, different psychology. You’re dealing with different modi operandi as well.

However, the reason why these two groups have been separate up until now is that traditional organised crime is still dominated by a generation who are frightened of, or even dismissive of, tech. The new generation of organised criminals growing up are digitally literate. This means first of all they understand how cyber can be used to make their business more efficient and accelerated in all sorts of ways. The forerunner of that were the Nigerian 419 scammers, who understood the scalability of their operation through email. But now what you’re beginning to see are entire tribe organisations assuming a cyber capacity to make their work more efficient. You can see that in the accounting capability of someone like the PCC, the First Capital Command of São Paulo, the largest organised crime group in South America. You can see it in the Mexican cartels. You can see it really wherever you go in Europe.

The latest Europol organised crime threat assessment makes it very clear that organised crime is being digitalised. Now, for example, you get organised crime involved in burglary. They’ll do two things before they attack a street of houses: they’ll send drones over first of all to ascertain where the vulnerabilities are in terms of breaking in. At the same time as scoping it physically through drone technology, they’ll be checking everyone’s social profile on the street so they identify who lives there, when they go to work, when they go on holiday, what sorts of things they’re involved in, whether they have lots of computers or cameras. Then they will coordinate the actual break-in very carefully and they’ll take six to eight houses all in one go in the space of about an hour or so, and they’ll be gone across borders before anyone gets home. So that is using cyber to increase your capacity, but then there is also the industrialisation of cyber malfeasance. I use the word malfeasance because attribution is a big problem. You don’t know if you’re dealing with espionage, intellectual property theft or whether you’re dealing with bog-standard ransomware criminals and credit card fraudsters.

In terms of the current threat, the two fastest-growing cybercrimes are ransomware and what’s called CEO fraud. It’s basically when a CEO gets a message from someone he or she knows asking for a payment to be made. It’s a very targeted attack in which they authorise the transfer of money which is in fact going to fraudsters. There were two cases last year involving a single transfer each: the CEO of a large German electronics company called Leoni, and a large aerospace manufacturer in Austria called FACC. Both of them authorised the transfer of 4 million euros. This led to the FACC CEO having to resign. This is a huge industry now, increasingly against American companies and the European Union as well.

 

Dinnison: Lastly, where do you go to keep up-to-date on cybercrime related subjects?

Glenny: I track websites like Brian Krebs’ website. I met Brian when I was researching DarkMarket and he does a fantastic job. Bruce Schneier has a fantastic blog. What Bruce does is link cybersecurity to larger security issues and geopolitical issues which is what really interests me. I’ll also look at The Register and various tech-security websites to see what’s happening and then talk to people in the industry.

Bitcoin: the risks and how to stay safe using it

Launched in 2009 by an unknown individual or group using the pseudonym Satoshi Nakamoto, Bitcoin was the world’s first cryptocurrency. It is a decentralised digital currency: value can be sent to anyone in the world without relying on a central authority such as a government or a bank.

Instead, it uses cryptography and a public ledger (the blockchain) to control the creation and transfer of money. Its proponents cite freedom from government interference and manipulation (for example inflation), lower transaction costs, faster settlement than international bank transfers, and the absence of card details that could be stolen and used for credit card fraud.

Consequently, a growing number of online services and retailers accept Bitcoin; examples include Microsoft’s online store and merchants using PayPal’s Braintree payment platform. It is also worth mentioning Bitcoin’s role on the dark web. The sale of illegal drugs on the internet is widely reported to make up a large proportion of transactions made using Bitcoin today, and because the currency is pseudonymous (payments are tied to addresses, not names) it is also used for selling arms, weaponry and illegal services, and for tax evasion.

It’s true that when scaled to a global and mass level of consumption, major issues such as criminality, security and price volatility concerns need to be addressed, and like any new financial technology, the use of a decentralised online currency introduces many uncertainties and risks that we haven’t had to face before.

However, our society is slowly transitioning towards a digital age, and this provides us with more opportunities to liberate ourselves from old concepts such as bank-controlled currencies. It may take several decades or even a lifetime before we see Bitcoin become a global currency, but as the world evolves towards new technologies, we should make an effort to embrace Bitcoin with open arms. I imagine it won’t be long before we see a digitally rich economy that includes Bitcoin, other cryptocurrencies and a working coalition between central banks and digital currencies.

So when it comes to using Bitcoin, here are a few ways to stay safe and reduce these risks when transacting online.

Make sure to secure your wallet:

Unfortunately, once Bitcoin is stolen it is almost impossible to recover. There is no refund or guarantee against fraudulent charges, so we cannot emphasise enough how important it is to secure your Bitcoin wallet. There are several security features and good practices that you can read up on to prevent theft (see the link below). Examples include enabling two-factor authentication and phone number verification on hosted wallets, using multi-signature wallets so that a single stolen key cannot spend your funds, and keeping the bulk of your holdings in an offline wallet rather than on an exchange.

 

Read up on scams:

Online scams and fraud are on the rise and scammers are becoming increasingly sophisticated, especially when it comes to new technology. The best way to stay safe and avoid them is to know what to look for. This can be done by spending time learning about some common scam traps to prevent you from falling into them. A few can be found on these websites:

https://www.weusecoins.com/bitcoin-scams-how-stay-safe/

https://www.cryptocoinsnews.com/bitcoin-scams/

 

Price volatility:

The price of a Bitcoin is volatile and has in the past risen or fallen sharply and unpredictably. An important risk factor for the future of Bitcoin is whether it can achieve a stable value. Stable prices are an important quality of a successful currency, but given Bitcoin’s young economy and novel nature, it’s important to be wary of the risk when storing money in Bitcoin.

 

Protect your privacy:

Although a Bitcoin transaction is often perceived as an anonymous payment, in reality all transactions are public, traceable and permanently stored in the Bitcoin blockchain. Every payment to or from an address is recorded there, so once an address is used it is tainted by the history of all transactions involving it. That history, combined with the identity you reveal when you buy something or withdraw from an exchange, means that trading Bitcoin is not at all anonymous. It’s therefore vital to use a Bitcoin address only once, never to spend coins from several addresses in one transaction unless you are happy for them to be linked, and to be careful about publishing addresses that can be tied to your identity.
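To show why address reuse matters, the following Python example is added here; it is not code from the original article or from bitcoin.org. It builds a small, constructed ledger and applies the two heuristics that chain-analysis firms start from: addresses spent together in one transaction belong to one wallet (common-input-ownership), and an address is the same entity no matter how many times it is reused. One address tied to a real identity (here, the exchange knows who it paid out to) is then enough to label every address in the cluster. The transaction IDs, address names and identities are constructed assumptions.

```python
"""Why reusing a Bitcoin address links everything you do with it.

Added example, not from the original article or bitcoin.org. Applies two
heuristics every chain-analysis vendor uses to a constructed set of
transactions: addresses spent together in one transaction belong to one wallet
(common-input-ownership), and an address is one entity however often it is
reused. One known identity then spreads over the whole cluster.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

Tx = Tuple[str, List[str], List[str]]   # (txid, input addresses, output addresses)


class UnionFind:
    """Disjoint-set over address strings."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(txs: List[Tx]) -> Dict[str, FrozenSet[str]]:
    """Map every spending address to the cluster of addresses it was spent with."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        if not inputs:                  # coinbase transaction: nothing to link
            continue
        uf.find(inputs[0])
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)   # same transaction => same wallet
    members: Dict[str, Set[str]] = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def attribute(txs: List[Tx], known: Dict[str, str]) -> Dict[str, str]:
    """Spread each known address->owner label across that address's cluster."""
    clusters = cluster_inputs(txs)
    owners: Dict[str, str] = {}
    for addr, owner in known.items():
        for member in clusters.get(addr, frozenset({addr})):
            owners[member] = owner
    return owners


def counterparties(txs: List[Tx], owners: Dict[str, str], owner: str) -> Set[str]:
    """Every address that received coins spent by `owner`: what an analyst sees."""
    seen: Set[str] = set()
    for _, inputs, outputs in txs:
        if any(owners.get(i) == owner for i in inputs):
            seen.update(o for o in outputs if owners.get(o) != owner)
    return seen


# Constructed ledger. Bob reuses one address; Alice uses a fresh address per receipt.
SAMPLE_TXS: List[Tx] = [
    ("tx1", ["exchange_hot_1"], ["bob_reused", "exchange_change_1"]),  # KYC withdrawal to Bob
    ("tx2", ["carol_1"], ["bob_reused"]),                              # a friend pays Bob
    ("tx3", ["bob_reused", "bob_2"], ["merchant_9"]),                  # Bob merges two coins to pay
    ("tx4", ["bob_reused", "bob_4"], ["darkmarket_deposit_7"]),        # and again, elsewhere
    ("tx5", ["exchange_hot_2"], ["alice_1"]),                          # KYC withdrawal to Alice
    ("tx6", ["alice_1"], ["merchant_9", "alice_2"]),                   # change goes to a fresh address
    ("tx7", ["alice_2"], ["merchant_5"]),
]
# What the exchange knows from its KYC records: whom it paid out to.
KNOWN_IDENTITIES = {"bob_reused": "Bob", "alice_1": "Alice"}

if __name__ == "__main__":
    owners = attribute(SAMPLE_TXS, KNOWN_IDENTITIES)
    print("attributed:", owners)
    print("Bob paid:", counterparties(SAMPLE_TXS, owners, "Bob"))
    print("Alice paid:", counterparties(SAMPLE_TXS, owners, "Alice"))
```

Bob’s reused address drags bob_2 and bob_4 into one cluster, so the exchange’s record of one withdrawal is enough to attribute his darknet-market deposit to him. Alice’s chain of single-use addresses is not linked by these two heuristics; a change-output heuristic would still connect alice_2 to her with lower confidence, which is why the advice above is to treat every address as public and disposable rather than to rely on Bitcoin for anonymity.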

 

Bitcoin is new:

Bitcoin is still a relatively new technology and there are many potential risks associated with investing in it. There is still a lot of room for development and for ‘unknown unknowns’, and each change to the system may reveal new challenges and issues. Be prepared for problems and, if they arise, consult a technical expert before making any major investment.

For more information on how to stay safe please visit https://bitcoin.org/en/you-need-to-know

 

Written by Melissa Liow; MSc in Physics, interested in outer space, artificial intelligence and Elon Musk!

Protecting yourself against Ransomware

If you’ve watched the news lately you will have seen ransomware everywhere. Some of you may ask: what is ransomware? Ransomware is simply a program that encrypts your files, or your whole hard drive, and demands a sum of money in return for the decryption key. Ransomware can spread very easily and can cripple a network in a matter of minutes, if not seconds.

 

How To Defend Short Version

The short answer is to follow security best practices consistently, and to keep offline, tested backups so that an infection is an interruption rather than a disaster.

 

Detailed Version

Well if you made it this far, I guess you really want to know what you can do to help yourself and your organization. Here is a list:

1. Train Everyone – Training is essential. Every employee of your organization needs at the very least awareness training. They need to know how to spot hazards and how to avoid them. Please include higher-ups such as the CEO and other non-technical management staff in your training, because they are prime targets for spear phishing.

2. Install and Keep Your Anti-Virus Updated – In this day and age people still avoid updating their anti-virus, and some, worse, have none at all. This puts you and your organization at serious risk. Ransomware can also infect mobile devices, from phones to tablets, so get to it. Some protection is better than none.

3. Stay Away From Sketchy Websites – A seasoned internet user may not fall for this and some know when to get out because it just doesn’t feel right. If you have trouble identifying sketchy websites, some anti-virus suites can help: Avast’s paid editions, for example, include a feature called Real Site that checks you have reached the genuine site rather than a DNS-hijacked impostor. There is no free version of that feature, but it helps a lot.

4. Don’t Torrent Anything – Many people don’t know this, but a lot of torrents carry malware that does more than encrypt your hard drive and files. Cracked software spread by torrent is a common carrier for credential stealers that harvest your login information for websites like your bank, PayPal and so on.

5. Implement a Paranoid Web Usage Policy – Network administrators: this one is for you. You can do a lot to protect your network. Block everything except sites known to be needed and safe. Even then you can’t fully protect your network, because a legitimate site whose security is not up to par can itself become infected and spread malware. It is also a good idea to strip or quarantine executable attachments at the mail server, because email still is, and always will be, a popular infection vector. As network admins you can hold people accountable once you have trained them to recognize and avoid threats. Run a phishing simulation: send out a harmless test lure and, when someone clicks it and calls you for help, walk them through what they missed. Then retrain them. Training is essential.

6. Keep Your Systems Updated – Time and time again people just don’t update their PCs, phones and tablets. It’s simple. As a network admin or security professional it is your job to make sure that all the PCs are updated. Remember that Microsoft and other software vendors release updates that could save you and your organization from disaster.

7. Perform Vulnerability and Penetration Testing – Sometimes you may feel safe when you really aren’t. If you perform this type of testing on a regular basis you can stay on top of things. It may be costly, but would you rather lose a little money or A LOT OF MONEY? Just a little? I thought so.

8. Keep Up With The News – Yes, this one might be a little boring, but it could be the difference between your company losing millions of dollars and you losing a few minutes of your time daily.

9. Log Monitoring – This one is hard to do, I must admit. Combing through logs day after day will probably drive anyone insane, but it’s a must. Many attackers try for months or even years to break into a system. If you can notice a pattern, like failed admin login attempts after work hours – bingo.

10. Browse Forums – I would never tell anyone to browse dark web forums, but sometimes black hats know about vulnerabilities and ways to exploit them well before security experts. If you do decide to go there, make sure you know what you’re doing, but for the average Joe: STAY FAR AWAY!
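Tip 9 is the one that most often goes undone, so here is an added example (not the author’s code) of the kind of check that turns “combing through logs” into a script you can run every morning. It parses constructed OpenSSH auth.log lines, lists failed logins to administrative accounts outside working hours, and flags any source address that produces a burst of failures within a short window. The account names, working hours, year and log lines are assumptions for the example; the same logic applies to Windows event 4625 or VPN logs with a different parser.

```python
"""Turn "watch the logs" into a repeatable check.

Added example, not the author's code. Parses OpenSSH failed-login lines from a
syslog-style auth.log, reports failures against administrative accounts outside
working hours, and flags sources that hammer the host with many failures in a
short window. Accounts, hours, year and the sample log are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Set, Tuple

LOG_YEAR = 2017                      # syslog lines carry no year (assumed here)
ADMIN_ACCOUNTS = {"root", "admin", "administrator"}
WORK_HOURS = range(8, 19)            # 08:00-18:59 counts as the working day
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)

Event = Tuple[datetime, str, str]   # (timestamp, account, source IP)


def parse_failures(log_text: str) -> List[Event]:
    """Extract (time, user, ip) for every sshd 'Failed password' line."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue                     # accepted logins, other daemons, noise
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def after_hours_admin_failures(events: List[Event]) -> List[Event]:
    """Failed logins to privileged accounts when no admin should be working."""
    return [e for e in events
            if e[1] in ADMIN_ACCOUNTS and e[0].hour not in WORK_HOURS]


def brute_force_sources(events: List[Event], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Set[str]:
    """Source IPs with at least `threshold` failures inside any `window`."""
    times_by_ip = defaultdict(list)
    for ts, _, ip in events:
        times_by_ip[ip].append(ts)
    flagged = set()
    for ip, times in times_by_ip.items():
        recent: deque = deque()
        for ts in sorted(times):
            recent.append(ts)
            while ts - recent[0] > window:    # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed sample log: one typo by a real user, an overnight burst against
# root from one address, a lone after-hours probe, and a daytime admin mistake.
SAMPLE_LOG = """\
Jun 14 09:12:01 bastion sshd[2100]: Failed password for jsmith from 10.0.0.12 port 50122 ssh2
Jun 14 09:12:09 bastion sshd[2100]: Accepted password for jsmith from 10.0.0.12 port 50122 ssh2
Jun 14 02:13:07 bastion sshd[2311]: Failed password for root from 203.0.113.9 port 5122 ssh2
Jun 14 02:13:11 bastion sshd[2313]: Failed password for root from 203.0.113.9 port 5130 ssh2
Jun 14 02:13:15 bastion sshd[2315]: Failed password for invalid user admin from 203.0.113.9 port 5141 ssh2
Jun 14 02:13:20 bastion sshd[2318]: Failed password for root from 203.0.113.9 port 5150 ssh2
Jun 14 02:13:24 bastion sshd[2320]: Failed password for root from 203.0.113.9 port 5162 ssh2
Jun 14 23:40:02 bastion sshd[2990]: Failed password for root from 198.51.100.4 port 40001 ssh2
Jun 15 11:05:44 bastion sshd[3102]: Failed password for admin from 10.0.0.33 port 50999 ssh2
"""

if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for ts, user, ip in after_hours_admin_failures(evts):
        print(f"after-hours admin failure: {ts} {user} from {ip}")
    print("brute-force sources:", brute_force_sources(evts))
```

Run it from cron against the previous day’s log and mail yourself the output; an empty report is the normal case, and the day it is not empty is the day the logs earned their keep. The thresholds are deliberately low for the sample; tune them to your own baseline rather than copying them.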

 

Conclusion

No system is ever secure 100% of the time. If you keep up with everything I have mentioned in this blog you can rest assured that you have a relatively safe system. Remember to be forever a student and keep learning. The more you know, the better you can protect yourself.

 

Written by Joel Chang; Cyber Security Professional and forever a student of learning (CEH,Security+,Network+)

 

Four recommended Cyber Security Summer reads

We’ve selected some celebrated books in the world of cyber security that you should check out this summer to expand your knowledge of contemporary issues.

 

A cautionary tale: Spam Nation by Brian Krebs

In an exposé delving into a dark side of the online world, Krebs, a former Washington Post journalist and cybersecurity expert, pulls back the digital curtain to reveal the secrets behind email spam, botnets, rogue pharmacies, and other Internet threats. Armed with reams of information sent to him by feuding hackers and cybercrooks, Krebs explores just how and why these spammers get away with so much—how they make millions by flooding our email in-boxes with ads for cheap (and often unreliable, dangerous, or illegal) drugs, and how they stay one step ahead of the authorities. He traces many of them back to cabals taking refuge in the relatively laissez-faire former Soviet states, where the so-called Russian Business Network flourishes somewhat openly. Krebs plays the role of fearless crusader and hard-nosed investigative journalist, his crusade costing him his job at the Washington Post and his curiosity taking him to meet Russian spamlords face-to-face. By exposing our digital weaknesses and following the money, he presents a fascinating and entertaining cautionary tale. Krebs’s work is timely, informative, and sadly relevant in our cyber-dependent age.

Review from Publishers Weekly

Buy at your local bookstore or online.

 

 

A holiday read: Zero Day by Mark Russinovich

If you’re looking for something less complex that still provides an accurate picture of what’s going on in cybersecurity, this novel can give you that mental break. Although the story is fictional, the scenario it depicts of a cybersecurity attack on an airplane’s on-board computer isn’t at all unrealistic. Several references to real cyberattacks are included, and descriptive language brings the mechanics of these threats to life in a way that a wide audience can understand and appreciate. You won’t get any technical knowledge from this book, but its subject matter is timely enough to make you think more critically about current cybersecurity issues.

Review from Homeland Security Degree

Buy at your local bookstore or online.

 

 

A comprehensive cyber security guide: Cybersecurity and Cyberwar: What Everyone Needs to Know by P. W. Singer and Allan Friedman

“I found Cybersecurity and Cyberwar: What Everyone Needs to Know to be an enjoyable read, filled with engaging (funny) stories and illustrative anecdotes. Readers are taken on an entertaining tour of the important issues, history and characters of cybersecurity, from the Anonymous hacker group and the Stuxnet computer virus to the cyber units of the Chinese and U.S. militaries.

For readers without a military or public policy background this book will provide a common base of knowledge around cybersecurity issues. As cybersecurity practitioners, having a common base of knowledge will allow us to cooperatively engage in a dialogue and much-needed conversation around how to approach, understand and deal with the important policy implications of cybersecurity and cyberwar.

Cooperation is a key theme and takeaway from the book, focusing on how difficult, yet necessary, cooperation is for addressing cybersecurity issues. Today we talk in terms of “threat intelligence sharing.” The authors suggest that a governance model based on the U.S. Centers for Disease Control and Prevention could serve to encourage cooperation, disseminate information and recommendations, and mobilize rapid responses as needed. Understanding, communication and cooperation in cybersecurity are truly what everyone needs to know.”

Review from Palo Alto Networks

Buy at your local bookstore or online.

 

 

For some state-on-state political intrigue: The Cybersecurity Dilemma by Ben Buchanan

Why do nations break into one another’s most important computer networks? There is an obvious answer: to steal valuable information or to attack. But this isn’t the full story. This book draws on often-overlooked documents leaked by Edward Snowden, real-world case studies of cyber operations, and policymaker perspectives to show that intruding into other countries’ networks has enormous defensive value as well. Two nations, neither of which seeks to harm the other but neither of which trusts the other, will often find it prudent to penetrate each other’s systems. This general problem, in which a nation’s means of securing itself threatens the security of others and risks escalating tension, is a bedrock concept in international relations and is called the ‘security dilemma’.

This book shows not only that the security dilemma applies to cyber operations, but also that the particular characteristics of the digital domain mean that the effects are deeply pronounced. The cybersecurity dilemma is both a vital concern of modern statecraft and a means of accessibly understanding the essential components of cyber operations.

Review from the Belfer Center

Buy at your local bookstore or online.

 

See also the Cybersecurity Canon, a longer list of books that every cyber security professional should read, according to Palo Alto Networks.