ISSSource White Papers

Posts Tagged ‘users’

Tuesday, January 8, 2013 @ 05:01 PM gHale

A cross-site scripting (XSS) proof-of-concept exploit potentially puts 400 million Yahoo Mail users at risk of having their accounts taken over, one security researcher said.

In a video posted on YouTube, Shahin Ramezany showed an exploit for what he said is a document object model-based cross-site scripting vulnerability that affects Yahoo Mail users on all current browsers.

Yahoo Adds HTTPS Support
Clickjacking Vulnerability on Chrome
Google Bans Auto Install
Apache Malware Installs Zeus

Using a maliciously crafted link, a pen-testing platform, Chrome browser add-on, and a touch of social engineering, Ramezany takes complete control of a dummy Yahoo Mail account in less than five minutes.

In the video, Ramezany sends an email with a malicious link embedded in it from one Yahoo Mail account he has open in Chrome to another account that he has setup in a separate Internet Explorer 10 browser. Before switching to his IE browser, Ramezany copies and pastes the malicious url into his Chrome address bar and gets a ‘404 Not Found’ message. He then switches over to IE, opens the email, and clicks the link, which, in turn, opens a new IE Window. Ramezany quickly minimizes the new window, so it is impossible to say for certain what happens there.

He then goes back to Chrome and enters the malicious link into the address bar there again. This time, instead of seeing a 404-page, Ramezany gets several lines of URL cookie text, which he copies and decodes in a penetration-testing platform called Burp Suite.

Finally, he takes part of the decoded script and plugs it into the “edit this cookie” Chrome browser add-on, refreshes the page, and, just like that, ends up logged into Chrome to the Yahoo account to which he sent the malicious email in the first place.

Ramezany plans to post the proof-of-concept on his site, after Yahoo patches the vulnerability.

Tuesday, January 8, 2013 @ 05:01 PM gHale

Yahoo is now offering HTTPS as an option on its service.

Support for HTTPS has been a long time need by users of the system to help improve their privacy when accessing mail, especially over Wi-Fi connections; logging in with HTTPS previously redirected users to an HTTP-based service.

Clickjacking Vulnerability on Chrome
Google Bans Auto Install
Apache Malware Installs Zeus
Exploit Kit Guarantee

Now users can select Options>Mail Options and select “Turn On SSL”; this will ensure they have enabled HTTPS on their connection.

According to user feedback, the option appears to be rolling out slowly and may not be available to all user accounts yet.

Yahoo has made no official statement about the new option. The San Francisco-based Electronic Frontier Foundation congratulated Yahoo on moving to fulfill a request the EFF made in November to ensure SSL was available to users, especially those under repressive regimes where Internet monitoring was common.

The organization is now looking at how to enable the Yahoo Mail SSL option automatically in its HTTPS Everywhere software.

Thursday, June 7, 2012 @ 01:06 PM gHale

Google has a new service that automatically displays a warning to users who may be the target of state-sponsored phishing or malware attacks.

While they aren’t saying how they go about determining when a particular attack is a government-focused attack, Google did say the company relies on “detailed analysis” and victim reports that “strongly suggest the involvement of states or groups that are state-sponsored.”

Google: Web Sites Hacked
Focus to Fix Sign-On Flaws
Hackers Expose Site’s Security Hole
Flaws in Microsoft, Dell, TBS Sites

The warning comes in the form of a red banner just above the Google search bar that reads: “Warning: we believe state-sponsored attackers may be attempting to compromise your account or computer.” It includes a link to information users can use to help lock down their computers, smartphones and Google accounts.

The warnings are rolling out after Google users suffered hits from high-profile attacks that show evidence of coming from governments in China and Iran.

In early 2010, for instance, the Web giant said it was the victim of a “highly sophisticated and targeted attack” originating in China and stole information about human rights activists who used the company’s Gmail service. Last June, Google detected a targeted campaign to collect hundreds of personal Gmail passwords belonging to senior U.S. government officials. And in August, officials found a fraudulent secure sockets layer certificate for the Google domain. Later analysis found it was able to spy on more than 300,000 users, most of whom were in Iran.

“We believe it is our duty to be proactive in notifying users about attacks or potential attacks so that they can take action to protect their information,” said Google Vice President of Security Engineering Eric Grosse. “And we will continue to update these notifications based on the latest information.”

Wednesday, April 11, 2012 @ 07:04 PM gHale

By Gregory Hale
Smart meters may not be perfect right now, but they are here to stay and will continue to get a stronger security posture.

“Smart meters provide a net benefit for utilities and for users,” said Jacob Kitchel, senior manager of security and compliance for Industrial Defender. “No computer or software will be totally secure, but it is possible they will have enough security built in to force attackers to go elsewhere.”

Energy Report: Poor Smart Meter Security
Feds: Grid Security Needs a Boost
Execs Unaware of Security Risks
Security to Industry: Time to Wake Up

Kitchel was responding to a report that talked about a series of hacks perpetrated against smart meter installations over the past several years may have cost an U.S. electric utility hundreds of millions of dollars annually.

That report came from a FBI cyber intelligence bulletin obtained by KrebsOnSecurity.

The goal of smart meters is to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. Smart grid technology also holds the promise of improving a utility’s ability to remotely read meters to determine electric usage.

However, some meters are better than others being able to fend off hackers and block unauthorized modifications. The FBI said insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software available on the Internet.

Sometime in 2009, an electric utility in Puerto Rico asked the FBI to help it investigate widespread incidents of power thefts it believed related to its smart meter deployment. In May 2010, the bureau distributed an intelligence alert about its findings to select industry personnel and law enforcement officials.

Citing confidential sources, the FBI said it believes former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. “These individuals are charging $300 to $1,000 to reprogram residential meters, and about $3,000 to reprogram commercial meters,” the alert said. The FBI believes thieves hacked into the smart meters using an optical converter device — such as an infrared light — connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software you can download from the Internet.

“The optical converter used in this scheme can be obtained on the Internet for about $400,” the alert said. “The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact.”

“People have been getting by on utilities in the past, but what sets this apart from the historical ways is using the optical port,” Kitchel said. “There will always be theft from meters, but this allows criminal to modify the configuration from a software perspective. Dumb meters didn’t have that capability.”

Kitchel added there was other potential part that could also come out of this incident and that is the wireless component. “These meters also have methods of wireless communication. That will be something to look at.”

Meter vendors have taken steps to solve security issues, but right now implementation varies. The first round of smart meters came out, but shortly afterward vendors and utilities found out what the problems were and they ended up fixed, Kitchel said.

The beauty of smart meters, though, is the ability to remedy the security profile.

“Meters have some flexibility in the software, so there is some ability to adjust,” Kitchel said. “

Another method of attacking the meters involves placing a strong magnet on the devices, which causes it to stop measuring usage, while still providing electricity to the customer, the FBI said.

“This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company.”

“Each method causes the smart meter to report less than the actual amount of electricity used,” the FBI said. “The altered meter typically reduces a customer’s bill by 50 percent to 75 percent. Because the meter continues to report electricity usage, it appears be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 percent of meters had been altered.”

The FBI estimated the Puerto Rican utility’s losses from the smart meter fraud could reach $400 million annually.

Monday, February 6, 2012 @ 06:02 PM gHale

There has been a hike in secure shell (SSH) scanning of Internet facing control systems, said ICS-CERT officials and they are issuing a warning for users to be aware.

Quite a few manufacturers have been seeing a large number of access attempts by remote attackers, ICS-CERT said. Systems that provide SSH command line access are common targets for “brute force” attacks.

Wireless Flaw Allows Easy PIN Access
Enhanced Security for Cloud Computing
Wireless Sensors Collect Water Data
Cell Phone Chemical Detector

ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks last week.

A brute force authentication attack attempts to obtain a user’s logon credentials by guessing usernames and passwords. Brute force login tools exist for most services that allow remote access.

Attackers can use brute force applications, such as password guessing tools and scripts, to automate username and password guessing. Those applications may use default password databases, dictionaries, or rainbow tables that contain commonly used passwords, or they may try all combinations of a character set to guess a password.

To find running SSH services on networks, attackers probe a large number of IPs on Port 22/TCP — the default SSH listening port. If a response from the probe of Port 22/TCP comes back, the attacker may initiate a brute force attack.

ICS-CERT recommended organizations monitor network logs for port scans as well as access attempts.

Hundreds or thousands of login attempts over a relatively short time period is an indicator of a brute force attack because systems running SSH normally do not receive high volumes of login attempts. However, indication of an attack does not necessarily mean the organization is the actual intended target. Scans often go against a wide range of IP addresses looking for any system meeting the attacker’s criteria.

Because high volume scans end up discovered fairly quickly, attackers may try to evade intrusion detection systems (IDS) by making only a few careful attempts, then waiting to try again later. Organizations should look carefully for these “quiet” attempts as possible precursors to more direct attacks.

While SSH relates to UNIX or Linux systems, quite a few types of devices provide SSH access by default, including control systems equipment. Control system devices often have SSH enabled by default.

ICS-CERT suggests critical infrastructure and key resource (CIKR) asset owners and operators to examine their control network configurations and establish a baseline configuration and traffic pattern.

They should also audit their control systems — whether or not they think their control systems are on the Internet — to discover and verify removal of any default user names and passwords, ICS-CERT said.

Control system owners and operators should take the following defensive measures to minimize the risk of exploitation of these vulnerabilities:
1. Minimize network exposure for all control system networks and devices. Control system devices should not directly face the Internet.
2. Locate control system networks and devices behind firewalls, and isolate them from the business network. Stay actively aware of what is on the network by performing periodic port scans (where and when possible).
3. If the user requires remote access, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
4. Remove, disable, or rename any default system accounts wherever possible.
5. Implement account lockout policies to reduce the risk from brute forcing attempts.
6. Implement policies requiring the use of strong passwords. Make password lengths long and combine letters, numbers, and special characters.
7. Monitor the creation of administrator level accounts by third-party vendors.

The following are some specific SSH mitigations:
• Configure SSH servers to use nonstandard ports. SSH normally listens on Port 22/TCP, but can be actually listen on any other unused TCP port (the TCP protocol offers 65,535 ports). Because many scanning tools only scan a limited (low) port range by default, selecting a nonstandard high port number can make the SSH less likely to undergo detection by those tools.
• Restrict access to SSH servers. Only allow access from specific hosts rather than allowing access from anywhere. If the SSH server supports public‐key authentication, consider using this as an option to static passwords.
• Use Intrusion Detection/Intrusion Prevention. An intrusion detection system (IDS) monitors networks for malicious activity or policy violations. IDS systems can aid in investigations of system breaches.

Intrusion prevention systems (IPS) incorporate IDS functionality but also include the ability to block an attack as it is happening, preventing harm to the control system network rather than simply announcing that an attack has occurred.

Organizations that detect suspicious activity should check their logs to see if any of the attempts were successful. If a user finds a successful login attempt from a brute force attack, follow-on steps should mean the organizations is implementing their cyber incident response plan. In addition, organizations should carefully adhere to computer forensic best practices to avoid destroying potential evidence.

Thursday, May 5, 2011 @ 08:05 AM gHale

Editor’s Note: Peter Zornio, chief technology officer at Emerson Process Management sat down with ISSSource editor Gregory Hale a little bit ago and talked about trends in the safety and security market in the manufacturing automation industry.

ISSSource: There has always been an uneasy relationship between IT and process engineers. From your perspective who owns the security area, and how are the groups getting along?

Zornio: That has been a question that has been asked for 15 years now, ever since we started going with open systems. I honestly can’t say there is an overall trend that seems to be going to one point. We have seen sites where automation departments have become a specialized part of IT, where the IT guys have come and taken over. We have seen other sites where the automation guys may have known more than the IT guys and expanded their scope to include some of Level 3 and the production management networks and chiseled that off and hung on to it. We have seen it go both ways.

Emerson's Peter Zornio

Emerson's Peter Zornio

What I can tell you is, in general, the guys in process automation like us to do some things that make our equipment clearly part of production versus being a part of IT. We have responded by making our switches, for example, preconfigured with security features preset in them. That way when you open a cabinet and look in and see Emerson on it, the equipment is clearly part of a control system and not part of an IT network.

That makes a difference because there is still that attitude difference in terms of criticality of uptime that exists between the process world and the IT world. In the IT world, they are used to sending out an email saying “we will take down the server at 8 o’clock and email will not be available. Have a nice day.” Well, that just doesn’t fly in the production world. I think no matter who ends up in control, they like it when we have done things to delineate the equipment that is the part of the keeping-the-plant-running mission versus the business transaction world, which can take some downtime and then pick up and keep going.

It is not just the production. It is also the systems monitoring for the EPA or other environmental areas. They have to keep the systems on line that are tracking all the EPA data and reporting. If you lose systems that are monitoring the EPA data, that is a huge deal because that could result in big fines.

As I said, it has been ten to 15 years now and we haven’t seen a definitive trend shake out; it goes company by company. It is still shaking itself out.

ISSSource: When you talk to users today are they talking more about security?

Zornio: What they are asking for is ways to make security easier. Right now it is perceived as something that can be achieved; all the tools are in place, but it involves a lot of work. It involves writing best practices and procedures and making sure they are enforced and making sure the technology is in place. What users would like is something that makes it automatic. They like what I call “no brainer security.” On the control system side we have our purpose-built switches and everything is already set and with one command you can electrically turn off all the unused ports. It is mission-built for being the control network switch and we set up everything that is needed and turn off all the stuff we know should be turned off from a security perspective. That way you don’t have to worry about it. It is like an appliance rather than something you need to configure. The same is true with the PCs in our system. When you buy a PC from us, we have everything set up from a security point of view to a much higher level than the default settings that you would get if you just installed Windows from Microsoft. It is all geared toward what should work for our control system. So again, you don’t have think about going in and setting it. You are buying something that is purpose built. We do the same thing with patch management with our Guardian offering. We can come down and look around your system and see what you have installed and tell you “these are the patches that apply for you that we tested, so go ahead and install just these.”

Again, what they are really asking for is “make this easy.” Security is complexity and work that is adding little productivity or value. Managing complexity is a big thing, and what we see with security is that our customers see complexity that really isn’t making a single extra drop of product. The attitude, I would say, is, “Please make it so I don’t have to think about this.” That is really what they would like to see.

ISSSource: They are seeing security as a cost center, not necessarily an area that could make them money?

Zornio: I think it is viewed as a potential liability, not an advantage. It is a huge liability that something has to be done about. But are they thinking, “If our plant is more secure than the other guy’s plant, we’ll keep running while they go down during a cyber attack?” I don’t think anyone is thinking that way. They think of it as more like safety. They think it is something everyone needs to have and it is the right thing to do because it can affect safety. Safety and security are pretty well tied together. I don’t think they look at it as an advantage. They just feel it is something we all must do or it could turn into a big problem – and they would like it to be a no-brainer.

ISSSource: The concept of safety has been around for a long time and cyber security has not. Do you find companies are thinking security is part of their DNA?

Zornio: That mindset is coming in kicking and screaming. It is not something you are excited about spending a bunch of extra money on because you don’t view it as a differentiator for you. But you know you have to. It also depends on the size of the company. The bigger ones are putting in dedicated folks and making sure best practices are going in and things are getting done. In the case of the power industry, they have some very specific regulations now with NERC-CIP being thrust upon them. They have no choice because there are fines and other enforcement that would happen. Again, we can help by making sure that not a lot of extra work is involved, so it will feel like less of a hassle.

Security is a journey and not a destination. That is something else our customers don’t like about security. They like projects. They like to tackle a thing: We put this technology in and we drive on. Security is a lifestyle thing, just as safety is a lifestyle thing. This is an ongoing lifetime expense and effort that needs to be put in.

ISSSource: Do you see the government getting more involved in security across the board?

Zornio: From my perspective, four or five years ago I would have thought that was coming, with the Department of Homeland Security getting more involved with everyone. But the level of involvement seems to have stabilized for now.

ISSSource: No talk about security is complete without discussing Stuxnet. Looking back, just what did Stuxnet mean for the industry?

Zornio: What it did is make it clear that somebody can specifically target any company or any group of users if they have enough detailed knowledge. When Stuxnet first came out, I thought it was a disgruntled inside worker. To me, in all the security stuff I have ever seen, the hardest thing to protect against is an insider with knowledge who is out to get you. At the end of the day, in any security scenario you end up trusting someone or some people, and if that goes south you are in real trouble. It makes it clear that everyone is vulnerable. The other scary thing about Stuxnet, and many newer viruses in general, is when they go in and settle down and wait for instructions. That is a very scary thought.

ISSSource: Are manufacturers secure today?

Zornio: I would say everything exists for them to be secure to the best level they can achieve, however our experiences show that a small percentage are actually following all the best practices they need to follow to be secure. I am basing that on data we are actually able to see when we visit control systems we installed and gauge how well they have been keeping up to date installing security patches and closing holes to make systems more secure as vulnerabilities have been exposed. It is a pretty small percentage today that are really doing a good job of keeping up.

ISSSource: There seems to be a big increase in safety incidents of late. Is it just coincidence or in a down economy are people cutting corners?

Zornio: It’s easy to speculate that some of this is happening because of the cost pressures some of the manufacturing guys have been under. I can’t say that is the case because I am not working in a plant right now. I would also speculate another piece of it would be the experience – what we are calling the brain drain – leaving an organization. You may have less experienced people around who have not seen the realm of circumstances and operating conditions the senior guys have seen and know how to recognize when something is not the way it should be.

The whole safety area, as we have talked about, is a lifestyle kind of thing. There are a lot of technology and tools to help. Obviously we are big in helping in the SIS area and enforcing the IEC standards around that. But then again those are just tools. You can decide to lose weight and buy the best exercise equipment in the world and let it gather dust in the living room. If you don’t take advantage of using it and applying it properly it will not deliver any results for you.

ISSSource: We have seen numbers thrown around the industry that manufacturers are losing around $20 billion a year in safety and security incidents. Do you think that is a solid number?

Zornio: I think it is a reasonable number. I would say the total unplanned downtime is definitely around that number. Are they all safety and security kind of incidents? I don’t know about that. There are also other large contributors. If you also put in “failure to follow the correct procedure” under safety – that is a very large contributor – then I think the number is real. Frequently people do not follow established procedures or those procedures are out of date or not well documented. If somebody is not experienced in starting up a facility after it has been shut down for a long time, that can be a problem. Equipment failure is still a part of unplanned downtime. Also acts of nature, like lightning strikes, are also a big cause behind unplanned downtime. It depends on what you put in safety.

On security, the number revolves around opportunity costs you are losing. That is a hard true number to come up with. That is very different from when you are forced to shut down a plant for a day and you know what the costs are.

Archived Entries