10-16-17 – News This Past Week

How smart cities can protect against IoT security threats
As long as developers work in tandem with one another, the security problems presented by the development of IoT within smart cities won’t be insurmountable
https://www.networkworld.com/article/3231988/internet-of-things/how-smart-cities-can-protect-against-iot-security-threats.html

North Korean Threat Actors Probe US Electric Companies
Known threat actors based in North Korea recently targeted several US electric companies in a spear-phishing campaign that appeared to be more of an early reconnaissance mission than an attempt to cause any immediate disruption
https://www.darkreading.com/attacks-breaches/north-korean-threat-actors-probe-us-electric-companies/d/d-id/1330106

IoT: Insecurity of Things or Internet of Threats?
The Internet of Things is pushing billions of connected devices online, he noted. Last year’s Mirai malware attack, which mobilizes hundreds of thousands of devices as bots, highlighted the vulnerability of the Internet of Things and served as an example of what could go wrong
https://www.darkreading.com/endpoint/iot-insecurity-of-things-or-internet-of-threats/d/d-id/1330105

HACKING A POWER GRID IN THREE (NOT-SO-EASY) STEPS
But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack.
https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps/

Siemens Patches Flaws in Building Automation Controllers
Siemens has released a firmware update for its BACnet Field Panel building automation products to address two vulnerabilities, including one classified as high severity
http://www.securityweek.com/siemens-patches-flaws-building-automation-controllers

10-02-17 – News This Past Week

Serious Flaw Exposes Siemens Industrial Switches to Attacks
The flaw, discovered by Siemens itself and tracked as CVE-2017-12736, affects SCALANCE X industrial ethernet switches, and Ruggedcom switches and serial-to-ethernet devices running the Rugged Operating System (ROS).
http://www.securityweek.com/serious-flaw-exposes-siemens-industrial-switches-attacks

SIEMENS PATCHES IMPROPER ACCESS VULNERABILITY IN RUGGEDCOM PROTOCOL
Industrial manufacturer Siemens is encouraging users running devices that use its Ruggedcom Discovery Protocol (RCDP) to apply firmware updates this week. The updates resolve a serious and remotely exploitable vulnerability that could let an attacker carry out administrative actions.

Thousands of Malware Variants Found on Industrial Systems: Kaspersky
According to the company’s “Threat Landscape for Industrial Automation Systems” report for the first six months of the year, nearly 38 percent of the industrial systems protected globally by its products were targeted during this period. This is 1.6 percent less than in the second half of 2016
http://www.securityweek.com/thousands-malware-variants-found-industrial-systems-kaspersky

DDoS Attacks More Likely to Hit Critical Infrastructure Than APTs: Europol
While critical infrastructure has been targeted by sophisticated threat actors, attacks that rely on commonly available and easy-to-use tools are more likely to occur, said Europol in its 2017 Internet Organised Crime Threat Assessment
http://www.securityweek.com/ddos-attacks-more-likely-hit-critical-infrastructure-apts-europol

Caterpillar Eyes Competitive Edge with Connected Asset Security Program
Over the past five years, Caterpillar has provided “tactical” security for its remote-controlled equipment used in its three areas of business – construction, resources, and energy and transportation, says Joseph Zacharias, global head of information security engineering at Caterpillar
https://www.darkreading.com/iot/caterpillar-eyes-competitive-edge-with-connected-asset-security-program/d/d-id/1330001

Threat Landscape for Industrial Automation Systems in H1 2017
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the results of its research on the threat landscape for industrial automation systems for the first six months of 2017

Docs ran a simulation of what would happen if really nasty malware hit a city’s hospitals. RIP :(
Speaking at DerbyCon in Kentucky, USA, on Saturday, three medics with a side interest in hacking gave an update on their work analyzing security flaws in medical machinery. And, reader, the results weren’t good. On average, a connected device had about 1,000 exploitable CVE flaws, with some going over the 1,400 mark, it was claimed
https://www.theregister.co.uk/2017/09/26/malware_hospital_simulation

9-11-17 – News This Past Week

Hackers Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses
Now, it turns out that a syringe infusion pump used in acute care settings could be remotely accessed and manipulated by hackers to impact the intended operation of the device, ICS-CERT warned in an advisory issued on Thursday.
https://thehackernews.com/2017/09/hacking-infusion-pumps.html

Syringe infusion pumps can be fiddled with by remote attackers
The vulnerabilities, identified by independent researcher Scott Gayou, include buffer overflows, hard-coded credentials and passwords, improper certificate validation, passwords stored in the configuration field, and improper access control.
https://www.helpnetsecurity.com/2017/09/08/syringe-infusion-pump-vulnerabilities/

Symantec Researchers Reveal New Ramped-up Attacks on U.S. Power Grid
The malware is delivered using old phishing techniques, but with new payloads. Several power generation and control facilities, perhaps including one nuclear power plant, have already been penetrated.
http://googlewatch.eweek.com/security/symantec-researchers-reveal-new-ramped-up-attacks-on-u.s.-power-grid

Hackers lie in wait after penetrating US and Europe power grid networks
Nation-sponsored hackers have penetrated the operational networks multiple US and European energy companies use to control key parts of the power grid that supplies electricity to hundreds of millions of people, researchers warned Wednesday.
https://arstechnica.com/information-technology/2017/09/hackers-lie-in-wait-after-penetrating-us-and-europe-power-grid-networks/

Symantec: ‘Dragonfly’ Attack Group Targets Energy Companies In US, Turkey, Switzerland
The company also said the attackers were careful to cover their tracks. Dragonfly is said to have relied on off-the-shelf malware anyone can use, to have avoided using zero-day exploits, and to have used both Russian and French in various code strings to avoid giving away the country of origin via the language used. All of these factors led Symantec to hold off on officially attributing Dragonfly’s actions to a specific country.
http://www.tomshardware.com/news/symantec-dragonfly-cyberattack-energy-companies,35394.html

Serious Flaws Found in Westermo Industrial Routers
Qualys researcher Mandar Jadhav discovered that Westermo’s MRD-305-DIN, MRD-315, MRD-355 and MRD-455 industrial routers, which are used for remote access worldwide in the commercial facilities, critical manufacturing and energy sectors, are exposed to attacks by three vulnerabilities
http://www.securityweek.com/serious-flaws-found-westermo-industrial-routers

Fixing, upgrading and patching IoT devices can be a real nightmare
Ensuring cybersecurity for computers and mobile phones is a huge, complex business. The ever-widening scope and unbelievable variety of threats makes keeping these devices safe from cyber criminals and malware a full-time challenge for companies, governments and individuals around the world.
https://www.networkworld.com/article/3222651/internet-of-things/fixing-upgrading-and-patching-iot-devices-can-be-a-real-nightmare.html

News This Past Week

Siemens Patches Flaws in Automation, Power Distribution Products
Siemens customers were informed last week that some of the company’s automation and power distribution products are affected by vulnerabilities that can be exploited for denial-of-service (DoS) attacks and session hijacking
http://www.securityweek.com/siemens-patches-flaws-automation-power-distribution-products

30 ways to improve IoT privacy
To improve IoT security and privacy, we need to create a security culture. Here are 30 ways IoT device makers and developers can do their part.
https://www.networkworld.com/article/3221474/internet-of-things/30-ways-to-improve-iot-privacy.html

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications
https://www.networkworld.com/article/3219725/internet-of-things/this-linux-tool-could-improve-the-security-of-iot-devices.html

UK infrastructure failing to meet the most basic cybersecurity standards
More than a third of national critical infrastructure organisations have not met basic cybersecurity standards issued by the UK government, according to Freedom of Information requests by Corero Network Security
https://www.theregister.co.uk/2017/08/29/critical_national_infrastructure_cybersecurity/

Need to Jumpstart IoT Security? Consider Segmentation
In the healthcare industry, medical devices connecting patients, care givers, and systems across facilities are being used to save lives and find cures. Manufacturers embarking on their digital transformation journey are connecting devices on the factory floor to increase uptime, productivity, and competitive advantage
http://www.securityweek.com/need-jumpstart-iot-security-consider-segmentation

FDA issues recall of 465,000 St. Jude pacemakers to patch security holes
Heart patients will have to visit their doctors to have their pacemakers patched for the “voluntary” recall — but there are risks
http://www.zdnet.com/article/fda-forces-st-jude-pacemaker-recall-to-patch-security-vulnerabilities/

Advantech fixes serious vulns in WebAccess HMI/SCADA software
Advantech WebAccess is a web browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA).

IoT Device Hit by Credential Attack Every Two Minutes: Experiment
Internet of Things (IoT) botnets such as Mirai might not be in the headlines as often as they were several months ago, but the threat posed by insecure IoT devices is as high as before, a recent experiment has revealed
http://www.securityweek.com/iot-device-hit-credential-attack-every-two-minutes-experiment

News This Past Week

Cisco IOS Flaws Expose Rockwell Industrial Switches to Remote Attacks
The Allen-Bradley Stratix and ArmorStratix switches, which ICS-CERT says are used worldwide in the critical manufacturing, energy and water sectors, rely on Cisco’s IOS software for secure integration with enterprise networks. That means Cisco IOS flaws can also affect Rockwell Automation products
http://www.securityweek.com/cisco-ios-flaws-expose-rockwell-industrial-switches-remote-attacks

IoT Thermostat Bug Allows Hackers to Turn Up the Heat
With the ever-increasing impact of smart and connected devices in our daily lives, Cybersecurity has a variety of security challenges to deal with. The field of traditional computer security deals with a myriad of issues like data theft or sabotage. However, when it comes to IoT security, the consequences of a successful attack can be even more diverse.
https://blog.newskysecurity.com/iot-thermostat-bug-allows-hackers-to-turn-up-the-heat-948e554e5e8b

This Linux tool could improve the security of IoT devices
Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications
https://www.networkworld.com/article/3219725/internet-of-things/this-linux-tool-could-improve-the-security-of-iot-devices.html

Germany publishes ethical guidelines for self-driving cars
The technological developments are forcing government and society to reflect on the emerging changes. The decision that has to be taken is whether the licensing of automated driving systems is ethically justifiable or possibly even imperative
https://www.osnews.com/story/29981/Germany_publishes_ethical_guidelines_for_self-driving_cars

Unfixable Automobile Computer Security Vulnerability
Researchers say this flaw is not a vulnerability in the classic meaning of the word. This is because the flaw is more of a CAN standard design choice that makes it unpatchable
https://www.schneier.com/blog/archives/2017/08/unfixable_autom.html

Unpatchable Flaw in Modern Cars Allows Hackers to Disable Safety Features
Today, many automobile companies are offering vehicles that run mostly on drive-by-wire systems, which means a majority of the car’s functions—from instrument cluster to steering, brakes, and accelerator—are electronically controlled
https://thehackernews.com/2017/08/car-safety-hacking.html

‘Smart’ solar power inverters raise risk of energy grid attacks
Given the dearth of research on this class of device, it’s an eye-catching if sensational claim that shouldn’t come as a total surprise in the light of recent technological developments

‘Gloomy times ahead’ for security on critical infrastructure, warn experts
It looks like pretty good timing. Less than a week after a couple of critical infrastructure experts bemoaned the ongoing lack of security in the industry, the US National Institute of Standards and Technology (NIST) is out with the latest (fifth) draft of its Security and Privacy Controls for Information Systems and Organizations

How likely is a ‘digital Pearl Harbor’ attack on critical infrastructure?
Richard A Clarke, who in 2000 was the US’s top counter-terrorism and cybersecurity chief, gets credit for coining the term “digital Pearl Harbor”. He said at the time that it was “improbable,” but added that “statistically improbable events can occur”.

Hacked robots can be a deadly insider threat
IOActive researchers have probed the security of a number of humanoid home and business robots as well as industrial collaborative robots, and have found it seriously wanting

Medical devices and the Internet of Things: Defending against cyber threats
More than one-third (35.6 percent) of surveyed professionals in the Internet of Things-connected medical device ecosystem say their organizations have experienced a cybersecurity incident in the past year, according to Deloitte

Insecure IoT Devices Pose Physical Threat to General Public
At the car wash, look out for attack robots. Billy Rios, CEO of Whitescope, visits the Dark Reading News Desk to discuss how IoT devices could be hacked to physically attack people in everyday public settings.
https://www.darkreading.com/iot/insecure-iot-devices-pose-physical-threat-to-general-public-/v/d-id/1329712

Report Suggests ‘Fleeting Window’ to Prevent Major Cyber Attack on Critical Infrastructure
The National Infrastructure Advisory Council (NIAC) published a draft report this week titled Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure (PDF). The report warns there is a narrow and fleeting window to prepare for and prevent “a 9/11-level cyber-attack” against the U.S. critical infrastructure
http://www.securityweek.com/reports-suggests-fleeting-window-prevent-major-cyber-attack-critical-infrastructure

Healthcare Providers Warned of Flaws in Philips Product
The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and Philips have warned healthcare providers that one of the company’s radiation dose management tools is affected by potentially serious vulnerabilities
http://www.securityweek.com/healthcare-providers-warned-flaws-philips-product

Overcoming the Lost Decade of Information Security in ICS Networks
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses
http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks

Fourth US Navy Collision This Year Raises Suspicion of Cyber-Attacks
Early Monday morning a U.S. Navy Destroyer collided with a merchant vessel off the coast of Singapore. The U.S. Navy initially reported that 10 sailors were missing, and today found “some of the remains” in flooded compartments
https://it.slashdot.org/story/17/08/22/2020254/fourth-us-navy-collision-this-year-raises-suspicion-of-cyber-attacks

Industrial hack can turn powerful machines into killer robots
In a post titled “Exploiting Industrial Collaborative Robots,” security researchers at IOActive detail how popular models of consumer and industrial robots have already been compromised in such a way that could cause humans bodily harm. The study examines a class of collaborative robots designed to work together with their human counterparts, often in industrial settings.
https://techcrunch.com/2017/08/22/universal-robots-exploit-ioactive/amp/

DJI Spark Gets Mandatory Firmware Update, Won’t Fly Unless Updated
Given that drones are basically robots with fast-spinning rotary blades that can fly high up in the sky, clearly there are safety issues to be considered since you don’t want these drones to fall out of the sky and land on someone’s head. This is why we can’t say we’re surprised to learn of one of the measures DJI is taking to ensure drone safety
http://www.ubergizmo.com/2017/08/dji-spark-mandatory-firmware-update/amp/

08-13-17 – News This Past Week

UK publishes Laws of Robotics for self-driving cars
The United Kingdom has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” outlining how auto-makers need to behave if they want computerised cars to hit Blighty’s byways and highways
https://www.theregister.co.uk/2017/08/07/uk_key_principles_of_vehicle_cyber_security_for_connected_and_automated_vehicles/

NotBeingPetya: UK critical infrastructure firms face huge fines for lax security
The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place
https://www.theregister.co.uk/2017/08/08/critical_infrastructure_firms_threatened_with_huge_fines_for_lax_security/

How a Port Misconfiguration Exposed Critical Infrastructure Data
Attacks hitting companies’ electrical systems are possible, especially when information that provides insight into those systems’ weak points is freely accessible online. If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers
https://tech.slashdot.org/story/17/08/09/1440235/how-a-port-misconfiguration-exposed-critical-infrastructure-data

Malicious code written into DNA infects the computer that reads it
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said professor Tadayoshi Kohno, who has a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers.
https://techcrunch.com/2017/08/09/malicious-code-written-into-dna-infects-the-computer-that-reads-it/

Firmware update blunder bricks hundreds of home ‘smart’ locks
The upshot is you can’t use the builtin keypad on the devices to unlock the door. Lockstate’s smart locks are popular among Airbnb hosts as it allows them to give guests an entry code to get into properties without having to share physical keys. Lockstate is even a partner with Airbnb
https://www.theregister.co.uk/2017/08/11/lockstate_bricks_smart_locks_with_dumb_firmware_upgrade/

Critical Flaws Found in Solar Panels Could Shut Down Power Grids
Willem Westerhof, a cybersecurity researcher at Dutch security firm ITsec, discovered 21 security vulnerabilities in the Internet-connected inverters – an essential component of a solar panel that turns direct current (DC) into alternating current (AC).
https://thehackernews.com/2017/08/solar-panel-power-grid.html

Who is better prepared for IoT-related attacks, SMEs or large organizations?
Small and midsized organizations (SMEs) are taking more steps to protect themselves from security risks associated with the Internet of Things (IoT) than large businesses, according to Pwnie Express. Small businesses are more likely to close the IoT security gap and better protect mission critical systems and business operations
https://www.helpnetsecurity.com/2017/08/10/prepare-iot-related-attacks/

Siemens CT scanners open to remote compromise via publicly available exploits
After WannaCry hit systems around the world in May, the company acknowledged that some of its customers may be facing impacts from the cyber-attack, as some of Siemens Healthineers’ products “may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware.”
https://www.helpnetsecurity.com/2017/08/07/siemens-ct-scanners-compromise/

How a port misconfiguration exposed critical infrastructure data
If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers: an open port used for rsync server synchronization has left the network of Power Quality Engineering (PQE) wide open to malicious attackers
https://www.helpnetsecurity.com/2017/08/09/critical-infrastructure-data/

Fuji Electric Patches Vulnerabilities in HMI Software
ICS-CERT informed organizations on Thursday that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management vulnerabilities that can be exploited to execute arbitrary code and escalate privileges.
http://www.securityweek.com/fuji-electric-patches-vulnerabilities-hmi-software

Engineering Firm Exposed Electrical Infrastructure Details: Researchers
Misconfiguration issues with systems operated by Texas-based electrical engineering operator Power Quality Engineering (PQE) resulted in the information of various clients being exposed to the Internet, along with sensitive corporate information from PQE itself, UpGuard security researchers warn.
http://www.securityweek.com/engineering-firm-exposed-electrical-infrastructure-details-researchers

Has healthcare misdiagnosed the cybersecurity problem?
Most senior leadership in healthcare is medically trained with a clinical background in an industry built on such noble concepts as “do no harm” and forward-thinking practices like evidence-based medicine. Through this lens, healthcare organizations regularly misinterpret the nature of the cybersecurity problem and consequently, how to treat it.
https://www.helpnetsecurity.com/2017/08/07/healthcare-cybersecurity-problem/

Fuzzing Tests Show ICS Protocols Least Mature
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.
http://www.securityweek.com/fuzzing-tests-show-ics-protocols-least-mature

Cyberattacks on GPS leave ships sailing in dangerous waters
And well they might after a recent spate of GPS jamming incidents involving these countries. Last year North Korea was accused of being behind the mass jamming of dozens of South Korean vessels that was serious enough to force them back to port.
https://nakedsecurity.sophos.com/2017/08/07/cyberattacks-on-gps-leave-ships-sailing-in-dangerous-waters/

Carmakers warned to focus on security of connected vehicles
Following up 2016’s demonstration of an attack in which the team disabled the car’s brakes via Wi-Fi, this year they remotely turned on the lights while opening and closing the doors, producing a slick video showing off their handiwork.
https://nakedsecurity.sophos.com/2017/08/09/carmakers-warned-to-focus-on-security-of-connected-vehicles/

Air Gap FAILs, Configuration Mistakes Causing ICS/SCADA Cyberattacks
It had the markings of a possible sabotage operation. Stealthy, patient cyber attackers had wrested control of an ICS/SCADA controller in a power plant and were rooting around in what appeared to be a reconnaissance effort to map out the plant’s infrastructure
https://www.darkreading.com/vulnerabilities---threats/air-gap-fails-configuration-mistakes-causing-ics-scada-cyberattacks-/d/d-id/1329608

Schneider Electric, Claroty Partner on Industrial Network Security
Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks
http://www.securityweek.com/schneider-electric-claroty-partner-industrial-network-security

Exploited Windows Flaws Affect Siemens Medical Imaging Products
One advisory, published by both Siemens and ICS-CERT, warns of two critical Windows vulnerabilities that allow a remote, unauthenticated attacker to execute arbitrary code. The security holes impact Siemens Healthineers’ PET/CT and SPECT/CT medical imaging products running on Windows XP.
http://www.securityweek.com/exploited-windows-flaws-affect-siemens-medical-imaging-products

IoT Security: Where There is Smoke, There is Fire
We have collectively heard the saying, “where there is smoke, there is fire” throughout our lives. And, sure enough, it is true far more often than it is false. I have been seeing a lot of smoke lately, so I suspect that there is an interesting fire burning.
http://www.securityweek.com/iot-security-where-there-smoke-there-fire

Attacks on manufacturing industry continue to rise
The motivations for these attacks are often criminal in nature, including extortion via ransomware, industrial espionage, and theft of data such as account numbers. What poses an even greater problem is that when these breaches are successful, yet go undetected, they allow hackers to establish footholds in organizations’ networks where they have free rein to wreak havoc over extended periods.
https://www.helpnetsecurity.com/2017/08/09/attacks-manufacturing-industry-rise/

News This Past Week

Researchers Find a Malicious Way to Meddle with Autonomous Cars
While automakers focus on defending the systems in their cars against hackers, there may be other ways for the malicious to mess with self-driving cars. Security researchers at the University of Washington have shown they can get computer vision systems to misidentify road signs using nothing more than stickers made on a home printer.
http://blog.caranddriver.com/researchers-find-a-malicious-way-to-meddle-with-autonomous-cars/

Can US senators secure the Internet of Things?
In an intriguing choice of words, the bill aims to specify what the regulators are calling “minimal cybersecurity operational standards” for IoT devices.
https://nakedsecurity.sophos.com/2017/08/03/can-us-senators-secure-the-internet-of-things/

New Legislation Could Force Security Into IoT
After years of warnings from security experts and researchers, the Internet of Things (IoT) remains fundamentally insecure. Now a group of senators has introduced bipartisan legislation to force vendors to ensure basic security within their IoT devices if they wish to sell into the government market.
http://www.securityweek.com/new-legislation-could-force-security-iot

Multiple vulnerabilities found in radiation monitoring gateways
Every now and then, a presentation at Black Hat throws up a security vulnerability that has been missed either because it exists in equipment researchers haven’t been paying attention to, or is simply inherently difficult to uncover.
https://nakedsecurity.sophos.com/2017/08/01/multiple-vulnerabilities-found-in-radiation-monitoring-gateways/

Bipartisan Group Proposes IoT Cybersecurity Improvement Act
U.S. Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA), and Steve Daines (R-MT) have introduced the Internet of Things Cybersecurity Improvement Act of 2017, a new bill that seeks to ensure that IoT devices sold to the U.S. government meet security requirements.
http://www.tomshardware.com/news/bipartisan-iot-cybersecurity-improvement-act,35134.html

It’s 2017 and Hayes AT modem commands can hack luxury cars
A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America’s ICS-CERT reckons is easy to exploit.
https://www.theregister.co.uk/2017/08/01/telematics_vulnerabilities_in_bmw_infiniti_ford_nissan/

07-31-17 – News This Past Week

Testing the security of connected cars and IOT devices
Finding issues in your products and services upfront is a far better investment than the expense of letting cybercriminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offense our clients’ best defense

ICS Networks Not Immune To Insider Threats
The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to the network, can cause a variety of disruptions that may result in tainted products, financial losses, equipment damages and even threaten human lives.
http://www.securityweek.com/ics-networks-not-immune-insider-threats

WHISTL Labs will be Cyber Range for Medical Devices
Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms
https://securityledger.com/2017/07/exclusive-whistl-labs-will-be-cyber-range-for-medical-devices/

What is the car industry’s problem with over-the-air software updates?
Boiled down to its essence, OEMs can’t offer existing customers new features for their vehicles without the car dealerships getting their cut. This is in contrast to Tesla, which has done much to highlight the utility of OTA updates
https://arstechnica.com/cars/2017/07/gm-to-offer-ota-software-updates-before-2020-but-only-for-a-new-infotainment-platform/

‘Devil’s Ivy’ Is Another Wake-Up Call for IoT Security
The vulnerability — called Devil’s Ivy or CVE-2017-9765 — was made public last week by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis’s 251 surveillance camera models are affected.
http://windowsitpro.com/internet-things-iot/devils-ivy-another-wake-call-iot-security

IBM Will Expand Security Testing Services To Automotive And IoT Companies
IBM seems to have recently refocused its efforts towards digital security, with the release of the new IBM Z mainframe, too, a computing system that aims to fully encrypt cloud services and data for its corporate customers.
http://www.tomshardware.com/news/ibm-securiy-testing-automotive-iot,35072.html

 

Majority of Consumers Believe IoT Needs Security Built In
Respondents to a global survey say Internet of Things security is a shared responsibility between consumers and manufacturers
https://www.darkreading.com/vulnerabilities---threats/majority-of-consumers-believe-iot-needs-security-built-in/d/d-id/1329459

 

Car Wash Hack Can Strike Vehicle, Trap Passengers, Douse Them With Water
“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” researchers presenting the proof-of-concept say.
https://motherboard.vice.com/en_us/article/bjxe33/car-wash-hack-can-smash-vehicle-trap-passengers-douse-them-with-water

 

Independent labs to probe medical devices for security flaws
They suffer from many miseries: lack of quality assurance and testing, rush to release pressures on product development teams, accidental coding errors, malicious coding, inherent bugs in product development tools, being tiny, having low computing power in internal devices, and, well, the list goes on.

 

How to protect the power grid from low-budget cyberattacks
Cyberattacks against power grids and other critical infrastructure systems have long been considered a threat limited to nation-states due to the sophistication and resources necessary to mount them


 

Security vulnerabilities in radiation monitoring devices
IOActive researcher Ruben Santamarta has uncovered a number of cybersecurity vulnerabilities in widely deployed Radiation Monitoring Devices (RDMs), and has presented his research at the Black Hat conference in Las Vegas.


 

Researchers Release Free Tool to Analyze ICS Malware
The researchers who discovered the game-changing malware used against Ukraine’s power grid in 2016 that knocked out power for an hour in part of Kiev released a tool here this week for analyzing malicious code targeting industrial networks.
https://www.darkreading.com/attacks-breaches/researchers-release-free-tool-to-analyze-ics-malware/d/d-id/1329484

 

ICS-CERT Warns of CAN Bus Vulnerability
A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.
http://www.securityweek.com/ics-cert-warns-can-bus-vulnerability

 

Researchers remotely hack Tesla Model X
Security researchers from Tencent’s Keen Security Lab have done it again: they’ve found vulnerabilities in one of Tesla’s cars and demonstrated that they can be exploited remotely to do things like open the car’s doors and force it to brake while in motion.


 

Lethal Dosage of Cybercrime: Hacking the IV Pump
Why would someone hack an IV pump? There are several reasons, Regalado pointed out. If successful, an attacker could steal personally identifiable information (PII), hijack hospital devices and demand ransom, corrupt the device in a denial-of-service attack, or use the pump as an entryway into the broader corporate network.
https://www.darkreading.com/vulnerabilities---threats/lethal-dosage-of-cybercrime-hacking-the-iv-pump/d/d-id/1329490

 

Medical Device (Virtual) Village at DEF CON

There will be a Medical Device (Virtual) Village this year at DEF CON, organized in conjunction with I Am The Cavalry, the BioHacking Village, and the IoT Village (located in IoT Village) from July 28-30th at Caesars Palace in Las Vegas, Nevada. We seek to establish a high-trust, high-collaboration environment where security researchers, medical device makers, healthcare providers, doctors, and others can come together in a joint mission to preserve patient safety. This event builds on work such as our Hippocratic Oath for Connected Medical Devices and our Position on Disclosure.

The latest medical advances lie at the intersection of patient care and connected technology. Integration of new technology enables innovations that improve patient outcomes, reduce cost of care delivery, and advance medical research. A growing number of medical devices are designed to be networked to facilitate patient care. As such, accidents and adversaries that trigger software vulnerabilities may harm human life, patient safety, and public trust.

Researchers may be more reluctant to disclose if they know a vulnerability has not been (or cannot be) fixed. On the other hand, the prospect of high consequence failures may motivate action. Remediation urgency can preserve safety, life, and trust; at the same time, validation and verification avoid unintended consequences. Vulnerability discovery, disclosure and remediation in public safety and human life contexts should be handled with both due haste and due care.