Search results

Monday, July 23, 2018 @ 05:07 PM gHale

A backdoor on macOS systems remained undetected for at least two years, researchers said.

Calisto is the malware that remained undetected by anti-virus solutions until May 2018, said researchers at Kaspersky Lab.

Air Gap Alert: Attackers on Prowl
New Malware from Attack Group
New Backdoor Based on Hacking Team Tool
Mac OS Backdoor Discovered

They found it was first uploaded to VirusTotal in 2016, which they think could be the year it was created.

The backdoor is going out as an unsigned DMG image supposed to be Intego’s Internet Security X9 for Apple’s macOS.

A comparison with the legitimate application shows the threat is very convincing, said Kaspersky researchers Mikhail Kuzin, Sergey Zelensky in a post.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

The comparison looks convincing, especially if has not used the app before.

Calisto then asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with System Integrity Protection (SIP) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

Researchers said the Calisto backdoor resembles the Backdoor.OSX.Proton family:
• The distribution method is similar: It masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
• The Trojan sample contains the line “com.proton.calisto.plist”
• Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

“Recall that all known members of the Proton malware family were distributed and discovered in 2017,” the researchers said. “The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.”

To protect against Calisto and Proton, users should:
• Always update to the current version of the OS
• Never disable SIP
• Run only signed software downloaded from trusted sources, such as the App Store
• Use antivirus software

Wednesday, January 17, 2018 @ 09:01 AM gHale

By Chris Grove
Spectre and Meltdown are two newly discovered vulnerabilities that affect hardware running in the majority of the world’s computing devices. Chances are, just about every computer user has an affected device within his or her proximity.

Just about every machine with a modern processor is impacted, ranging from workstations to servers to phones and tablets. 

This includes Microsoft Windows, Linux, Android, Google ChromeOS, Apple macOS on Intel and ARM processors. Most Intel chips manufactured after 2010 are vulnerable, while many AMD, ARM and other chipsets are also affected.

Attackers Leverage Meltdown, Spectre Fears
ICS Vendors Affected by Meltdown, Spectre
Meltdown, Spectre Patches in Firefox Release
Intel Updates Faulty Processors

Spectre and Meltdown are different, but related. Spectre comprises two vulnerabilities: CVE-2017-5753: Bounds check bypass and CVE-2017-5715: Branch target injection, while Meltdown consists of one – CVE-2017-5754: Rogue data cache load.

These vulnerabilities make systems susceptible to what are called ‘side-channel’ attacks, which rely on physical hardware implementation, and do not directly attack the logic or code. These types of attacks generally include things such as tracing electromagnetic radiation (i.e. TEMPEST), monitoring power consumption, analyzing blinking lights, cache analysis, etc.

Since IT, IoT, and IIoT devices are widely prevalent and infrequently updated, the presence of vulnerable devices may remain in production environments for generations to come.

Privileged Data
If one of these vulnerabilities ends up used to compromise a device, this could give an attacker access to privileged data in the system. The vulnerabilities do not grant access to the system — they only enable attackers to read data that should otherwise be restricted. In other words, an attacker still needs to break into the system to execute the attack.

Whereas this might sound “encouraging,” it’s actually a critical concern in systems with multiple users, where data from one space of memory belonging to a user should still be isolated from others.

Simply put, in shared or multi-tenant environments, such as a virtual, cloud, or any other multi-user environment, strict barriers must exist between users. Otherwise, any cloud customer could access data belonging to other customers sharing the same CPU.

The same compartmentalization occurs within applications, which need to be isolated from each other. For example, a web browser shouldn’t have direct access to data the Windows operating system uses to store passwords or other sensitive information.

Every operating system implements multiple levels of security to prevent this behavior from happening — including Windows UAC, SELinux, and more. For that reason, it turns out the Spectre and Meltdown vulnerabilities may not be as bad as you think, particularly if you’re not a cloud user.

Mind Reading Capability
Imagine, for a moment, that you’ve been newly bestowed with: Spectre Meltdown Mindreading Capability. For the sake of brevity, let’s call it SMMC. SMMC gives you the “power” to read someone else’s mind, as long as you’re both in the same room.

Your SMMC can work on almost anyone, anywhere — the mall, theater, and even poker tables in Vegas. Regardless of your location, you can read the minds of others, as long as you’re in the same room with them. You now have access to data that’s meant to be private, such as secrets, confidential or sensitive information, and more.

SMMC doesn’t work remotely; you must be in close proximity to the other person and in the same room.

Now, let’s imagine a different scenario: You’re in your own room, by yourself, and you use SMMC to gain access to your own data. Aside from the potential mind-mirror exploding aftermath, what’s the point of executing an attack on your own mind? You already have access to the data, and you can recall it at will.

In a nutshell, that’s the idea behind Spectre and Meltdown. They’re effective in a multi-tenant room where more than one person’s secrets must remain private.

However, there’s no point in executing an attack in a room with only one owner, since technically, there are no secrets. As long as you’re the only person who will ever occupy the room, your data is safe – even though you’re still vulnerable to attack.

Volume Vulnerability
Spectre and Meltdown have generated coverage in mainstream media due to the sheer number of systems they’ve impacted. Nearly everyone owns a device that’s vulnerable to attack.

However, being vulnerable doesn’t necessarily mean you’ll be impacted by the bug itself. Sometimes, as in the case of the Microsoft patch, the cure causes the pain, not the attack itself.

Another example is the impact of the Meltdown/Spectre patch on Rockwell FactoryTalk, which resulted in outages on FactoryTalk Servers. As of now, the patch has not yet been tested by Rockwell, and is currently not approved for use on any FactoryTalk systems.

The mitigations are still a topic of considerable debate. A few have negatively impacted performance, rendering systems unusable and creating other problems still being resolved by various vendors and user communities. Some patches are no longer available to the public, and have yet to be re-issued.

ICS Impact
ICS environments encompass different types of equipment, including:
• Windows workstations (engineers)
• Windows servers (DNS, AD, etc)
• Linux servers (Historians, Firewalls, automation systems)
• PLCs
• HMIs
• Switches

Almost all ICS networks are vulnerable to attack. Whether or not a specific device is at risk depends on multiple factors, such as chipset, firmware level, etc. Needless to say, we can expect substantial research and patching in the near future.

HMIs, panels, and displays utilize the affected chips. Some PLC manufacturers are still assessing the threat. Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC Systems, SCADA systems, peripheral devices, and IIoT devices including cameras, sensors, etc., are most likely vulnerable.

Understand the Vulnerability
First and foremost, being aware of what exists in your ICS environment is critical to securing it successfully. You can’t secure what you’re not aware of. In turn, having an automated asset inventory in your toolbox is essential to understanding what equipment is at risk and requires attention.

Next, having visibility into your asset inventory is vital. Without this, you’re left with a list of industrial devices that must be manually examined to determine whether their specific hardware module is affected.

Understanding the ICS asset inventory is also important to identify vulnerable assets and to track patching efforts.
Chris Grove, CISSP, NSA-IAM, is director of industrial security at network monitoring provider Indegy.

Monday, June 26, 2017 @ 08:06 PM gHale

Automobile security is weak and, as been shown at countless security events over the years, they are hackable to the point of danger.

Then there is Ohio State University Associate Professor Emre Koksal, who devotes most of his time to thinking about how to protect vehicles from cyberattacks.

App Can Protect Against Voice Hacking
Random Security at Quantum Level
Post-Quantum Cryptography on Contactless Chip
Intentional Flaws Prevent 3-D Printing Hacks

Koksal’s electrical and computer engineering research team is focused on the security of wireless interfaces utilized by vehicles, the number of which will only grow as autonomous cars and trucks roll closer to reality. These interfaces in our vehicles, not unlike the computers in our homes and in our hands, can be susceptible to attacks. The major difference is attacks on a vehicle’s computer systems, which are connected to critical controls, can have potentially fatal consequences.

“Connecting vehicles is a great thing,” Koksal said. “Arguably, the ability to connect vehicles wirelessly is the biggest enabler of autonomous and intelligent transportation systems, which promise many safety benefits. On the other hand, now that a vehicle’s computers are connected, you introduce security issues that can affect the safety of those inside and near the vehicle.”

Examples of security issues include fake signals or messages transmitted to a vehicle. Koksal and graduate student Amr Abdelaziz believe signal authentication is the front line of cyberattack defense.

“When my vehicle receives a signal or a message from another vehicle — for instance a public safety vehicle — how do I know for sure that it is coming from that vehicle and not a hacker?” Koksal asked.

Koksal’s authentication approach involves multiple input, multiple output antenna technology, or MIMO for short. With MIMO, multiple antennas at the transmitter and receiver combine to minimize errors and optimize data speed. MIMO also enables estimation and detection of the signal’s direction, Koksal said.

In addition to utilizing proven cyber encryption methods to authenticate the content of a signal, Koksal’s team proposes using MIMO, including roadside antennas, to verify the transmitter’s claimed location. This layer of authentication would be especially important if your vehicle is on a busy highway and it receives a signal the vehicle in front if it just stopped suddenly. In milliseconds, both the content and location of the signal must be verified.

Current approaches toward achieving cybersecurity in vehicular communication is based on public key infrastructure (PKI). The Ohio State research team asserts that PKI-based authentication can be broken via GPS spoofing, where someone can take an authenticated radio and transmit fake signals from an external location. This security opening has potentially fatal consequences as vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications become more widespread.

Cyberattacks, or the vulnerability of such attacks, can also deliver a heavy financial penalty. In 2015, Chrysler issued a recall for 1.4 million vehicles after security researchers demonstrated how to control a Jeep Cherokee remotely.

Wednesday, April 26, 2017 @ 02:04 PM gHale

Thermal image showing thermal runaway of an 18650 cell with an implanted internal short circuiting device.
Image by Donal Finegan

How lithium-ion (Li-ion) batteries behave under short-circuit conditions can now be examined using a new approach to help improve reliability and safety.

The use of high energy density Li-ion batteries is ubiquitous — from powering portable electronics to providing grid-scale storage — but defects can lead to overheating and explosions. 

More Efficient Robot Interface
Gaining Control over Soft Robots
Light Sources can Hijack Scanner
Speeding Up Testing of Networking Protocols

Although catastrophic failure is extremely rare, high-profile cases including the recall of Samsung’s Galaxy Note 7 smartphone line and the grounding of an aircraft fleet, highlight why it’s important to understand battery failure. 

“In previous work, we’ve tracked Li-ion battery failure caused by extreme heat in 3D and real-time, but this is the first time we’ve tracked what happens to the temperature and structure of cells when we short circuit the battery in a controlled way at an internal location of our choosing, initiating a series of potentially dangerous events,” Dr. Donal Finegan, of the University College of London (UCL) and the first author of a paper on the subject.

“This is of particular interest, as short-circuiting is thought to be responsible for a number of high-profile, real world failures. Knowing when and where the cell will fail has allowed us to characterize what happens during catastrophic failure in-depth using high-speed X-ray imaging,” he said. “This provides us with new insights to help guide the design and development of safer and more reliable Li-ion batteries.”

The study involved researchers from UCL, NASA-Johnson Space Center, the U.S. Department of Energy’s National Renewable Energy Laboratory (NREL), WMG University of Warwick, Diamond Light Source, The European Synchrotron (ESRF) and the National Physical Laboratory (NPL).

To induce failure, the team inserted a device capable of generating an internal short circuit on-demand and at a pre-determined location into commercially available Li-ion batteries, which are commonly used to power portable electronics and electric vehicles. 

Designed and patented by U.S. researchers Dr. Eric Darcy (NASA) and Matthew Keyser (NREL), the temperature-activated device allows researchers to mimic hidden defects that can occur during the battery manufacturing processes, leading to a dangerous chain reaction of heat generation and battery failure.

The team used the device to gain insight into cell design vulnerabilities by causing cell walls to rupture or cells to burst open. Using high-speed X-ray imaging, researchers monitored what happened to the structure of the cells in real-time, as the short circuit drove the catastrophic failure process which propagated through cells and modules.

Individual cells, as well as small cell modules, were tested under conditions that represented a worst-case battery failure scenario. Short circuits were initiated inside the batteries at ~60 degrees C. During the failure process, cell temperatures reached in excess of 1085 degrees C. 

From analyzing the high-speed imaging frame by frame, the team looked at the effects of gas pockets forming, venting and increasing temperatures on the layers inside two distinct commercial Li-ion batteries and identified consistent failure mechanisms.

“It is fascinating to see how quickly the process of thermal runaway can spread throughout these cells, which went from being completely intact to being completely destroyed within around one second,” said corresponding author, Dr. Paul Shearing of UCL.

“This investigation provides the first description of how short-circuit failure propagates inside a cell in real time, this was only possible by combining the novel short-circuiting devices developed by NASA and NREL with ultra high-speed X-ray imaging. We were surprised to learn how susceptible neighboring cells are to propagation of thermal runaway,” he said. “This demonstrates the importance of isolating failing cells within larger battery packs and modules, which may be found in a range of applications from space suits to electric vehicles.”

The team now plans to examine how these new insights can end up used to improve the safety of commercial battery and module designs. For example, researchers will study how the rupture of the highest energy density commercial cells can be prevented and how to reduce the risk of cell-to-cell propagation.

Wednesday, March 22, 2017 @ 12:03 PM gHale

Honeywell Process Solutions (HPS) unveiled a connected-learning solution based on its UniSim Competency Suite platform.

Part of the Honeywell Connected Plant initiative, UniSim eLearn is hosted in the cloud and allows access to operator training simulation (OTS).

OTS is a solution for operator training in the process industries. Studies consistently show trainees retain up to 15 times the information they can otherwise recall from a typical lecture with hands-on practice. Dynamic models of complex industrial processes, combined with real-world operator interfaces, provide OTS trainees the practice and experience to quickly develop confidence and competencies to manage normal and abnormal situations.

“With UniSim eLearn, we bring the training direct to the trainee’s work station,” said Shree Dandekar, vice president and general manager, Honeywell Connected Plant. “Businesses don’t have to worry about travel time or operators missing scheduled training sessions. They can easily fit training around work commitments and absences to ensure essential training is never missed.”

For a higher level of learning experience, competency management offers instructors the opportunity to create problems for operators to respond to in a simulated environment. UniSimeLearn can improve the effectiveness of OTS training interventions by combining a range of online learning methods, providing tailored curriculums for smarter, faster training. Courses rapidly build and test foundation skills with interactive Q&As and video learning, followed by OTS exercises to practice and hone performance.

Using the cloud to connect trainees across enterprises, UniSim eLearn dismantles barriers to operator learning and delivers consistent experiences. It offers a simple multi-site training solution, and improved access to OTS for those with logistical, personnel or infrastructure constraints. UniSimeLearn brings on-demand training to staff, wherever they need it.

Click here for more information about Honeywell’s solutions for simulation and operator training.

Friday, February 17, 2017 @ 02:02 PM gHale

A connected car, or a car equipped with Internet access, has been gaining popularity for the last several years.

Not only multimedia systems are available, but also car key systems in literal and figurative senses. By using proprietary mobile apps, it is possible to get the GPS coordinates of a car, trace its route, open its doors, start its engine, and turn on its auxiliary devices.

Tesla Fixes Gateway ECU Issue
Drawing Up Plans for Auto Security
VW Starts Security Firm
Summer Project: Securing Autos

There is no doubt these are great features used by millions of people, but if a car thief were to gain access to the mobile device that belongs to a victim, it would be rather easy to drive away with a new purloined vehicle.

Along those lines, Mikhail Kuzinf and Victor Chebyshev from Kaspersky Lab reviewed how car owners can avoid possible predicaments related to this issue.

Car-controlling apps are very popular right now with most popular brands releasing apps between several tens of thousands and several million people.

For the Kaspersky experiments, the researches took several apps that control cars from various manufacturers. They did not disclose the app titles, but they did notify the manufacturers of findings.

Kaspersky reviewed the following aspects of each app:
• Availability of potentially dangerous features, which basically means whether it is possible to steal a car or incapacitate one of its systems by using the app.
• Whether the developers of an app employed means to complicate reverse engineering of the app (obfuscation or packing). If not, then it won’t be hard for an evildoer to read the app code, find its vulnerabilities, and take advantage of them to get through to the car’s infrastructure.
• Whether the app checks for root permissions on the device (including subsequent canceled installations in case the permissions have been enabled). After all, if malware manages to infect a rooted device, then the malware will be capable of doing virtually anything. In this case, it is important to find out if developers programmed user credentials to be saved on the device as plain text.
• Whether there is verification it is the GUI of the app that ends up displayed to the user (overlay protection). Android allows for monitoring of which app is displayed to the user, and a malware can intercept this event by showing a phishing window with an identical GUI to the user and steal, for instance, the user’s credentials.
• Availability of an integrity check in the app, i.e., whether it verifies itself for changes within its code or not. This affects the ability of a malefactor to inject his code into the app and then publish it in the app store, keeping the same functionality and features of the original app.

As it turns out, all of the apps turned out to be vulnerable to attacks in one way or another, the Kaspersky researchers said.

Theoretically, after stealing credentials, an attacker will be able to gain control of the car, but this does not mean that the criminal is capable of simply driving off with it. The thing is, a key is needed for a car in order for it to start moving. Therefore, after accessing the inside of a car, car thieves use a programming unit to write a new key into the car’s on-board system. Now, let us recall that almost all of the described apps allow for the doors to be unlocked, that is, deactivation of the car’s alarm system, the Kaspersky researchers said. Thus, a thief can covertly and quickly perform all the actions in order to steal a car without breaking or drilling anything.

Also, the risks should not be limited to a mere car theft. Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.

None of the reviewed apps have defense mechanisms. Due credit should be given to the app developers though: It is a very good thing that not a single of the aforementioned cases uses voice or SMS channels to control a car. Nonetheless, these exact methods end up used by aftermarket alarm-system manufacturers. On the one hand, this fact does not come as a surprise, as the quality of the mobile Internet does not always allow cars to stay connected everywhere, while voice calls and SMS messages are always available, since they are basic functions, the Kaspersky researchers said. On the other hand, this creates supernumerary car security threats, which we will now review.

Voice control is handled with DTMF commands. The owner literally has to call up the car, and the alarm system responds to the incoming call with a pleasant female voice, reports the car status, and then switches to standby mode, where the system waits for commands from the owner, the Kaspersky researchers said. Then, it is enough to dial preset numbers on the keypad of the phone to command the car to unlock the doors and start the engine. The alarm system recognizes those codes and executes the proper command.

Developers of such systems have taken care of security by providing a whitelist for phone numbers that have permission to control the car, the Kaspersky researchers said. However, nobody imagined a situation where the phone of the owner suffers compromise. This means it is enough for a malefactor to infect the smartphone of a victim with an unsophisticated app that calls up the alarm system on behalf of the victim. If the speakers and screen are disabled at the same time, then it is possible to take full command of the car, unbeknownst to the victim.

Certainly though, not everything is as simple as it seems at first glance, the Kaspersky researchers said. For example, car enthusiasts save the alarm-system number under a made-up name, i.e. a successful attack necessitates frequent interaction of the victim with the car via calls. Only this way can a thief that has stolen the history of outgoing calls find the car number in the victim’s contacts.

The developers of another control method for the car alarm system certainly have read none of our articles on the security of Android devices, as the car is operated through SMS commands. The thing is, the first and most common mobile Trojans that Kaspersky Lab faced were SMS Trojans, or malware that contains code for sending SMS surreptitiously, which was done through common Trojan operation as well as by a remote command issued by malefactors.

As a result, the doors of a victim’s car can end up unlocked if malware developers perform the following three steps:
1. Go through all the SMS messages on the smartphone to look for car commands
2. If the needed SMS messages end up located, then extract the phone number and password from them in order to gain access
3. Send an SMS message to the discovered number that unlocks the car’s doors

All three steps can occur via a Trojan while its victim suspects nothing. The only thing that needs to be done, which malefactors are certainly capable of handling, is to infect the smartphone.

Being an expensive thing, a car requires an approach to security that is no less meticulous than that of a bank account.

The attitude of car manufacturers and developers is clear: they strive to fill the market quickly with apps that have new features to provide quality-of-life changes to car owners. Yet, when thinking about the security of a connected car, its infrastructure safety (for control servers) and its interaction and infrastructure channels are not the only things worth considering. It’s also worth it to pay attention to the client side, particularly to the app installed on user devices, the Kaspersky researchers said. It is too easy to turn the app against the car owner nowadays, and currently the client side is quite possibly the most vulnerable spot that can end up targeted by malefactors.

At this point, it should be noted we have not witnessed a single attack on an app that controls cars, and none of the thousands of instances of our malware detection contain a code for downloading the configuration files of such apps, the Kaspersky researchers said. However, contemporary Trojans are quite flexible: if one of these Trojans shows a persistent ad today (which cannot be removed by the user himself), then tomorrow it can upload a configuration file from a car app to a command-and-control server at the request of criminals. The Trojan could also delete the configuration file and override it with a modified one. As soon as all of this becomes financially viable for evildoers, new capabilities will soon arrive for even the most common mobile Trojans.

Friday, September 2, 2016 @ 06:09 PM gHale

Magellan Midstream Partners is recalling gasoline containing unacceptably high levels of ethanol distributed from the Midstream facility in Oklahoma City.

The amount of fuel involved totals about 10,700 barrels (about 449,400 gallons), officials said
The fuel may contain as much as 30 percent ethanol.

Sulfur Tank Breach at Tesoro Refinery
Steam Loss Shuts Hydrocracker
Open Valve Leads to AL Acid Spill
14 Injured in IL Chemical Spill

High-ethanol fuels can cause engines to run poorly or stop. The fuel is especially bad for smaller engines like lawn mowers.

The fuel went out from the Magellan facility from August 23 to August 29 from one of six delivery bays.

Magellan is working to identify the distributors who picked up fuel from the bay in question, and notify them and the retail establishments served by the distributors.

It appears the fuel ended up dispatched entirely or mostly to retail facilities in Oklahoma, Tulsa, McClain, Love, Lincoln, Major, Seminole, Logan, Kingfisher and Pottawottamie and Cleveland counties.

The Oklahoma Corporation Commission’s Petroleum Storage Tank division fuel inspectors will be working to ensure impacted retailers stopped sale of the fuel in question, and that the product is returned to Magellan.

Monday, August 15, 2016 @ 05:08 PM gHale

Thirteen small businesses picked up $1.3 million to develop cyber security technology.

Each business earned $100,000 in preliminary funding through the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) Small Business Innovation Research (SBIR) program.

The SBIR proposal solicitation, released in December 2015, included four topics developed by Cyber Security Division (CSD) program managers to address the research and development needs of DHS components and the homeland security enterprise. Each of these small businesses may be eligible for further development funding based on their initial project results as well as its scientific and technical merit and perceived commercialization potential.

Following are brief explanations of the four research topics and the awarded small businesses for each:

Applicability of Blockchain Technology to Identity Management and Privacy Protection: The goal of this topic is to use blockchain technology, which centralizes and validates new entries added into an existing data field to support identity verification.

Awardees are:
• Digital Bazaar, Inc., Blacksburg, Virginia, is developing a Linked Data ledger format and architecture to demonstrate how to publish identity credentials.
• Respect Network Corporation, Seattle, Washington, is developing a decentralized registry and discovery service to integrate with the public blockchain.
• Narf Industries LLC, Washington, D.C., is working to achieve an identity management solution built on a permission-less blockchain: confidentiality (with selective information disclosure), integrity, availability, non- DHS repudiation, provenance and pseudo-anonymity.
• Celerity Government Solutions, LLC, McLean, Virginia, is researching blockchain solutions to enable users to establish and maintain trusted identity transactions with public and private organizations.

Remote Identity Proofing Alternatives to Knowledge-Based Authentication and Verification: The objective of this topic is to design and demonstrate the feasibility of high-assurance alternatives to knowledge-based verification techniques, such as the ability to recall a password, for online identification.

Awardees are:
• CardSmart Technologies, Basking Ridge, New Jersey, is investigating the effectiveness of alternative approaches ranging from a person’s online reputation to voice forensics.
• Pomian & Corella, LLC, Carmichael, California, is exploring innovations including the use of chip-enabled credit cards, federated identity protocols and cryptographic credentials carrying validated attributes.
• PreID Inc., Atherton, California, is investigating several new identity-verification approaches to determine strengths and weaknesses (security, privacy, accuracy) and commercial feasibility (cost, time to market, consumer acceptance) of each.

Malware Prediction for Situational Understanding and Preemptive Cyber Defense: The goal of this topic is to develop capability to predict and prevent malware.

Awardees are:
• BlueRISC, Inc., Amherst, Massachusetts, is developing a method to capture network system motion as a predictive indication of potential malicious activity
• GrammaTech, Inc., Ithaca, New York, is creating a tool to understand the evolution of malware characteristics and anticipating future malware evolution.
• Red Balloon Security, New York City, New York, is developing a hybrid model using long-term malware trend prediction and a short-term approach to monitor malware and capture forensic data to provide real-time predictions.
• ZeroPoint Dynamics, LLC, Cary, North Carolina, is developing techniques for conducting automated analysis of malicious documents and malware and providing enhanced understanding and preemptive malware and exploit defenses.

Real‐Time Assessment of Resilience and Preparedness: The objective of this topic is to develop a low-cost, flexible application that can analyze a community’s resilience on a near real-time basis and present this information in visual and data formats on mobile and fixed platforms.

Awardees are:
• Datanova Scientific LLC, Baltimore, Maryland, is developing an application for site-specific predictive and proactive risk generation and resilience assessment.
• InferLink Corporation, El Segundo, California, is developing an end-to-end prototype system for resiliency assessment.

Initiated in 2004, the DHS S&T SBIR Program is a competitive contract awards program to increase the participation of innovative and creative U.S. small businesses in federal research and development initiatives and to increase private-sector commercialization of SBIR-funded solutions. CSD leverages the SBIR Program to fund small business development of new and enhanced cybersecurity solutions.

Click here for more about the S&T SBIR Program.

CSD’s mission is to enhance the security and resilience of the nation’s critical information infrastructure and the Internet by developing and delivering new technologies, tools and techniques to defend against cyberattacks. The division conducts and supports technology transitions and leads and coordinates R&D among the R&D community, which includes DHS customers, government agencies, the private sector and international partners.

Wednesday, June 8, 2016 @ 01:06 PM gHale

Security for automobiles is once again proving to be an issue that will not go away.

This time, attackers can easily break into the Mitsubishi Outlander, a popular hybrid SUV. Attackers could exploit security weaknesses in the setup that allows a user to remotely control the car via an app.

Radio Attack Breaks into Autos
Vehicles that Communicate through Intersections
Tips on Securing a Vehicle
Leaf Hole Brings IoT Security Alert

Pen Test Partners discovered the weaknesses, which include:
• The mobile app connects to the car through a Wi-Fi access point on it, instead of a web service and GSM module, making it impossible to use if one is not in range of the car’s wireless network.
• This wireless network’s Wi-Fi pre shared key is on a piece of paper included in the owners’ manual, but its format is also too simple and too short, allowing attackers to crack it easily and relatively quickly.
• The car’s Wi-Fi access point has a unique SSID, but in a predictable format. This allowed the researchers to geolocate various Outlanders.
After discovering the SSID and the pre-shared key, they connected to a static IP address within a network’s subnet, and this allowed them to sniff the Wi-Fi connection and send messages to the car.

Through these messages they were able to turn the car’s lights, air conditioning and heating on and off, change the charging program and, most importantly, to disable the car’s anti-theft alarm.

“Once unlocked, there is potential for many more attacks. The on board diagnostics (OBD) port is accessible once the door is unlocked. While we haven’t looked in detail at this, you may recall from a hack of some BMW vehicles which suggested that the OBD port could be used to code new keys for the car,” the researchers said in a blog post.

“We also haven’t looked at connections between the Wi-Fi module and the Wi-Fi module and the Controller Area Network (CAN). There is certainly access to the infotainment system from the Wi-Fi module. Whether this extends to the CAN is something we need more time to investigate.”

They have tried to get in touch with Mitsubishi and share these discoveries responsibly, but didn’t have much luck initially. Only after they made them public the company contacted them.

Mitsubishi is currently working on new firmware for the Wi-Fi module that should fix these flaws. Until they push it out, they advised owners to deactivate the Wi-Fi using the “Cancel VIN Registration” option on the app, or by using the remote app cancellation procedure.

Friday, March 18, 2016 @ 05:03 PM gHale

Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience.

That is all well and good, but with this increased connectivity, it is important consumers and manufacturers maintain awareness of potential cyber security threats.

Vehicle hacking occurs when someone with a computer seeks to gain unauthorized access to vehicle systems for the purposes of retrieving driver data or manipulating vehicle functionality. While not all hacking incidents may result in a risk to safety – such as an attacker taking control of a vehicle – it is important that consumers take appropriate steps to minimize risk.

Leaf Hole Brings IoT Security Alert
GM Urges Hackers to Report Flaws
Hacking Car via Smartphone
Tracking Internet Connected Cars

That is why the FBI and National Highway Traffic Safety Administration (NHTSA) are warning users and manufacturers to maintain awareness of potential issues and cyber security threats related to connected vehicle technologies in modern vehicles.

Computer Use in Autos
Motor vehicles contain an increasing number of computers in the form of electronic control units (ECUs). These ECUs control vehicle functions from steering, braking, and acceleration, to the lights and windshield wipers. A range of vehicle components also have wireless capability: From keyless entry, ignition control, and tire pressure monitoring, to diagnostic, navigation, and entertainment systems.

While manufacturers attempt to limit the interaction between vehicle systems, wireless communications, and diagnostic ports, these new connections to the vehicle architecture provide portals through which attackers may be able to remotely hack the vehicle controls and systems. Third-party devices connected to the vehicle, for example through the diagnostics port, could also introduce vulnerabilities by providing connectivity where it did not exist previously.

Wireless Vulnerabilities
Vulnerabilities may exist within a vehicle’s wireless communication functions, within a mobile device – such as a cell phone or tablet connected to the vehicle via USB, Bluetooth, or Wi-Fi – or within a third-party device connected through a vehicle diagnostic port. In these cases, it may be possible for an attacker to remotely exploit these vulnerabilities and gain access to the vehicle’s controller network or to data stored on the vehicle. Although vulnerabilities may not always result in an attacker being able to access all parts of the system, the safety risk to consumers could increase significantly if the access involves the ability to manipulate critical vehicle control systems.

Over the past year, researchers identified a number of vulnerabilities in the radio module of a MY2014 passenger vehicle and reported its detailed findings in a whitepaper published in August 2015. The vehicle studied was unaltered and purchased directly from a dealer.

In this study, conducted over a period of several months, researchers developed exploits targeting the active cellular wireless and optionally user-enabled Wi-Fi hotspot communication functions. Attacks on the vehicle that were conducted over Wi-Fi ended up limited to a distance of less than about 100 feet from the vehicle. However, an attacker making a cellular connection to the vehicle’s cellular carrier – from anywhere on the carrier’s nationwide network – could communicate with and perform exploits on the vehicle via an Internet Protocol (IP) address.

In that case, the radio module contained multiple wireless communication and entertainment functions and connected to two controller area network (CAN) buses in the vehicle. Following are some of the vehicle function manipulations that researchers were able to accomplish.

In a target vehicle, at low speeds (5-10 mph):
• Engine shutdown
• Disable brakes
• Steering

In a target vehicle, at any speed:
• Door locks
• Turn signal
• Tachometer
• Radio, HVAC, GPS

Vehicle Recall
In this case, NHTSA believed the vulnerability represented an unreasonable risk to safety based on a number of critical factors: Once exploited, the vulnerability allowed access to and manipulation of critical vehicle control systems; the population of vehicles potentially at risk was huge; and the likelihood of exploitation was great given that the researchers were scheduled to publish the bulk of their work product. As a result, the manufacturer recalled almost 1.5 million vehicles. Before the researchers’ report released, the cellular carrier for the affected vehicles blocked access to one specific port (TCP 6667) for the private IP addresses used to communicate with vehicles. However, the recall was still necessary to mitigate other, short-range vulnerabilities.

The manufacturer and cell service provider provided a remedy to mitigate the specific vulnerabilities. The manufacturer said it would notify owners of vehicles affected by the recall and would mail them a USB drive containing the update and additional security features for the vehicle software.

Alternatively, the manufacturer said owners could visit a Web site to check if their vehicle was in the recall and to download the software update to a USB drive. Owners who did not wish to install the update via USB to their own vehicles were given the option to have their vehicle dealer install the update.

Minimize Security Risk
One way to lower the security risk is to:
1. Ensure your vehicle software is up to date
If a manufacturer issues a notification that a software update is available, it is important the consumer take appropriate steps to verify the authenticity of the notification and take action to ensure that the vehicle system is up to date.

As a note of caution, if manufacturers regularly make software updates for vehicles available online, it is possible that criminals may exploit this delivery method. A criminal could send socially engineered email messages to vehicle owners who are looking to obtain legitimate software updates. Instead, the recipients could end up tricked into clicking links to malicious Web sites or opening attachments containing malicious software (malware). The malware could end up designed to install on the owner’s computer, or be in the vehicle software update file, which would download into the owner’s vehicle when the owner attempts to apply the update via USB. Additionally, an attacker could attempt to mail vehicle owners USB drives containing a malicious version of a vehicle’s software. To mitigate potential risks, vehicle owners should always:
• Verify any recall notices received by following the steps for determining whether a vehicle has been recalled for a vehicle cyber security issue
• Check on the vehicle manufacturer’s Web site to identify whether any software updates have been issued by the manufacturer
• Avoid downloading software from third-party Web sites or file-sharing platforms
• Where necessary, always use a trusted USB or SD card storage device when downloading and installing software to a vehicle
• Check with the vehicle dealer or manufacturer about performing vehicle software updates

If uncomfortable with downloading recall software or using recall software mailed to you, call your dealer and make an appointment to have the work done by a trusted source.

2. Be careful when making any modifications to vehicle software
Making unauthorized modifications to vehicle software may not only impact the normal operation of your vehicle, but it may introduce new vulnerabilities that could end up exploited by an attacker. Such modifications may also impact the way in which authorized software updates can be installed on the vehicle.

3. Maintain awareness and exercise discretion when connecting third-party devices to your vehicle
All modern vehicles feature a standardized diagnostics port, OBD-II, which provides some level of connectivity to the in-vehicle communication networks. This port is typically accessed by vehicle maintenance technicians, using publicly available diagnostic tools, to assess the status of various vehicle systems, as well as to test emissions performance. More recently, there has been a significant increase in the availability of third-party devices that can plug directly into the diagnostic port. These devices, which may be independent of the vehicle manufacturer, include insurance dongles and other telematics and vehicle monitoring tools. The security of these devices is important as it can provide an attacker with a means of accessing vehicle systems and driver data remotely.

While in the past accessing automotive systems through this OBD-II port would typically require an attacker to be physically present in the vehicle, it may be possible for an attacker to indirectly connect to the vehicle.

4. Be aware of who has physical access to your vehicle
In much the same way as you would not leave your personal computer or smartphone unlocked, in an unsecure location, or with someone you don’t trust, it is important that you maintain awareness of those who may have access to your vehicle.