3-18-19 – News This Past Week

Tripwire debuts pentesting and industrial cybersecurity assessment services
With Tripwire’s new services, organizations can establish and maintain a strong foundation of security. The Penetration Testing Assessment leverages highly skilled cybersecurity experts who discover and then exploit vulnerabilities to assess the security of an organization’s IT environment

Quantum Physics Could Protect the Grid From Hackers—Maybe
Cybersecurity experts have sounded the alarm for years: Hackers are ogling the US power grid. The threat isn’t merely hypothetical—a group affiliated with the Russian government gained remote access to energy companies’ computers, the Department of Homeland Security published last March.
https://www.wired.com/story/quantum-physics-protect-grid/

Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software
Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution
https://www.securityweek.com/rockwell-automation-patches-critical-dosrce-flaw-rslinx-software

IoT automation platforms open smart buildings to new threats
IoT automation platforms in smart buildings are presenting attackers with new opportunities for both physical and data compromise, Trend Micro researchers warn in a newly released report

Triton is the world’s most murderous malware, and it’s spreading
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/

Firms Continue to Fail at IoT Security
He said smart devices are still too easy a target with vectors such as man-in-the-middle attacks. Case in point: in February Checkmarx discovered a bevy of flaws in a consumer smart scale that could allow hackers to launch a variety of attacks, from man-in-the-middle to denial of service

RSA Conference 2019: Firms Continue to Fail at IoT Security

Pentagon reassures public that its autonomous robotic tank adheres to “legal and ethical standards” for AI-driven killbots
The Pentagon is seeking bids to improve its Advanced Targeting and Lethality Automated System (ATLAS) so that it can “acquire, identify, and engage targets at least 3X faster than the current manual process.”

DHS: No Investigation Planned for Electrical Grid Incursions
Despite concrete evidence of Russian infiltration of the US electrical grid and acknowledgment of the hacking by the US government, no formal investigation is planned, according to a Department of Homeland Security (DHS) official who spoke here at this week’s RSA Conference
https://www.darkreading.com/threat-intelligence/dhs-no-investigation-planned-for-electrical-grid-incursions/d/d-id/1334121

Flaws in Smart Alarms Exposed Millions of Cars to Dangerous Hacking
Serious vulnerabilities found in high-end car alarms could have been exploited to remotely hack millions of vehicles, including to track them, immobilise them and spy on their owners
https://www.securityweek.com/flaws-smart-alarms-exposed-millions-cars-dangerous-hacking

Venezuela’s Maduro Says Cyber Attack Prevented Power Restoration
Venezuela President Nicolas Maduro claimed on Saturday that a new cyber attack had prevented authorities from restoring power throughout the country following a blackout on Thursday that caused chaos
https://www.securityweek.com/venezuelas-maduro-says-cyber-attack-prevented-power-restoration

We’re still bad at securing industrial controllers
The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).
https://www.theregister.co.uk/2019/03/11/industrial_controllers/

Many Vulnerabilities Discovered in Moxa Industrial Switches
Over a dozen vulnerabilities, including ones classified as critical, have been found by Positive Technologies researchers in EDS and IKS switches made by industrial networking solutions provider Moxa. The vendor has released patches and mitigations that should address the flaws
https://www.securityweek.com/many-vulnerabilities-discovered-moxa-industrial-switches

Hacking 10 percent of self-driving cars would cause gridlock in NYC
That question inspired scientists at the Georgia Institute of Technology to quantify the likely impact of such a large-scale hack on traffic flow in New York City. Skanda Vivek, a postdoctoral researcher at Georgia Tech, described the study’s findings at the American Physical Society’s 2019 March meeting, held last week in Boston
https://arstechnica.com/science/2019/03/study-hacking-10-percent-of-self-driving-cars-would-cause-gridlock-in-nyc/

Boeing will release software updates for 737 Max jets by April
Both investigations are still in the early stages, but experts are concerned about the similarities in the accidents. “It’s highly suspicious,” aviation analyst Mary Schiavo told CNN.
https://www.engadget.com/2019/03/12/boeing-software-update-737-max/

Don’t be too shocked, but it looks as though these politicians have actually got their act together on IoT security
The legislation has been introduced into both the House and the Senate with politicians from both sides supporting it. What’s more, the Internet of Things (IoT) Cybersecurity Improvement Act has the backing of industry and security experts and is well written
https://www.theregister.co.uk/AMP/2019/03/13/congress_iot_security/

IoT Security Meets Healthcare: What You Need to Know
Like in any environment, more connected devices means a larger attack surface. It's been proven time and again that security breaches are a significant challenge for healthcare organizations, resulting in major fallout. Security is not optional.
https://www.securityweek.com/iot-security-meets-healthcare-what-you-need-know

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators
Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to “replay attacks” that allowed the researchers to bypass the encryption

IoT Security Bills for US Government Will Also Affect Business IT
Once the rules go into effect in 2020, the new requirements include making IoT devices patchable, certifying that they are free from known vulnerabilities and that the devices use standard protocols
https://www.eweek.com/security/iot-security-bills-for-us-government-will-also-affect-business-it

Dragos Acquires NexDefense, Releases Free ICS Assessment Tools
The second tool, developed by members of the Dragos team before the company was founded, is CyberLens, an assessment tool designed for quickly processing packet captures and visualizing ICS environments
https://www.securityweek.com/dragos-acquires-nexdefense-releases-free-ics-assessment-tools