08-13-17 – News This Past Week

UK publishes Laws of Robotics for self-driving cars
The United Kingdom has published a set of “Key principles of vehicle cyber security for connected and automated vehicles” outlining how auto-makers need to behave if they want computerised cars to hit Blighty’s byways and highways.

NotBeingPetya: UK critical infrastructure firms face huge fines for lax security
The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place.

How a Port Misconfiguration Exposed Critical Infrastructure Data
Attacks hitting companies’ electrical systems are possible, especially when information that provides insight into those systems’ weak points is freely accessible online. If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers.

Malicious code written into DNA infects the computer that reads it
“One of the big things we try to do in the computer security community is to avoid a situation where we say, ‘Oh shoot, adversaries are here and knocking on our door and we’re not prepared,’” said professor Tadayoshi Kohno, who has a history of pursuing unusual attack vectors for embedded and niche electronics like pacemakers.

Firmware update blunder bricks hundreds of home ‘smart’ locks
The upshot is you can’t use the built-in keypad on the devices to unlock the door. Lockstate’s smart locks are popular among Airbnb hosts, as they allow hosts to give guests an entry code to get into properties without having to share physical keys. Lockstate is even a partner with Airbnb.

Critical Flaws Found in Solar Panels Could Shut Down Power Grids
Willem Westerhof, a cybersecurity researcher at Dutch security firm ITsec, discovered 21 security vulnerabilities in the Internet-connected inverters – an essential component of solar panel installations that turns direct current (DC) into alternating current (AC).

Who is better prepared for IoT-related attacks, SMEs or large organizations?
Small and midsized organizations (SMEs) are taking more steps to protect themselves from security risks associated with the Internet of Things (IoT) than large businesses, according to Pwnie Express. Small businesses are more likely to close the IoT security gap and better protect mission critical systems and business operations.

Siemens CT scanners open to remote compromise via publicly available exploits
After WannaCry hit systems around the world in May, the company acknowledged that some of its customers may be facing impacts from the cyber-attack, as some of Siemens Healthineers’ products “may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware.”

How a port misconfiguration exposed critical infrastructure data
If you think that such a thing is unlikely, you probably haven’t yet heard about the most recent discovery made by UpGuard researchers: an open port used for rsync server synchronization has left the network of Power Quality Engineering (PQE) wide open to malicious attackers.
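The PQE exposure above came down to an rsync daemon answering anonymous requests on its port. As an added example (not code from the page, nor from UpGuard), the following Python speaks the rsync daemon protocol directly to list the modules a daemon advertises and then checks which of them can be opened without a password, which is the check a practitioner would want to run against their own perimeter. It includes a small stand-in daemon so it runs offline; the module names and the challenge string in that stand-in are invented for the demonstration.

```python
"""Audit an rsync daemon (TCP 873) for anonymous module access.

Added example; not code from the page or from UpGuard. It speaks the rsync
daemon protocol itself, so no rsync binary is needed:
    server -> "@RSYNCD: <version>\n"        greeting
    client -> "@RSYNCD: <version>\n"        echo the version back
    client -> "#list\n"                     request the module list
    server -> "<module>\t<comment>\n" ...   one line per listable module
    server -> "@RSYNCD: EXIT\n"
Sending a module name instead of "#list" gets "@RSYNCD: OK" (no password
needed), "@RSYNCD: AUTHREQD <challenge>" ("auth users" is set) or
"@ERROR: ..." (refused, e.g. by "hosts allow").
"""
import socket
import threading


def _readline(sock, maxlen=4096):
    """Read one newline-terminated line as text; None on EOF with no data."""
    buf = bytearray()
    while len(buf) < maxlen:
        ch = sock.recv(1)
        if not ch:
            return buf.decode("utf-8", "replace") if buf else None
        if ch == b"\n":
            break
        buf += ch
    return buf.decode("utf-8", "replace")


def _session(host, port, request, timeout=5.0):
    """Handshake, send one request line ('#list' or a module name) and return
    the daemon's reply lines up to the first status line (@RSYNCD/@ERROR)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = _readline(s)
        if not greeting or not greeting.startswith("@RSYNCD:"):
            raise ValueError("not an rsync daemon: %r" % greeting)
        s.sendall((greeting + "\n").encode())   # echo = accept the daemon's version
        s.sendall((request + "\n").encode())
        while True:
            line = _readline(s)
            if line is None:
                return replies
            replies.append(line)
            if line.startswith("@"):            # @RSYNCD: EXIT / OK / AUTHREQD, @ERROR
                return replies


def audit_rsync_daemon(host, port=873):
    """Return which advertised modules open without a password.
    A configured 'motd file' would show up as extra plain lines in the listing."""
    listing = _session(host, port, "#list")
    modules = [l.split("\t")[0].strip() for l in listing
               if l.strip() and not l.startswith("@")]
    report = {"modules": modules, "open": [], "auth_required": [], "denied": []}
    for name in modules:
        replies = _session(host, port, name)
        status = replies[-1] if replies else ""
        if status.startswith("@RSYNCD: OK"):
            report["open"].append(name)          # anyone reaching the port can pull it
        elif status.startswith("@RSYNCD: AUTHREQD"):
            report["auth_required"].append(name)
        else:
            report["denied"].append(name)
    return report


# --- stand-in daemon, constructed for this example (names are made up) -------
DEMO_MODULES = [("engineering", "Client drawings"),
                ("backup", "Nightly backups"),   # the only module with 'auth users'
                ("public", "")]


def _serve_one(conn):
    with conn:
        conn.sendall(b"@RSYNCD: 31.0\n")
        _readline(conn)                          # client's version echo
        req = _readline(conn) or ""
        if req in ("", "#list"):                 # both forms mean "list modules"
            for name, comment in DEMO_MODULES:
                conn.sendall(("%-15s\t%s\n" % (name, comment)).encode())
            conn.sendall(b"@RSYNCD: EXIT\n")
        elif req == "backup":
            conn.sendall(b"@RSYNCD: AUTHREQD Xk3fTb9c\n")   # made-up challenge
        elif req in dict(DEMO_MODULES):
            conn.sendall(b"@RSYNCD: OK\n")
        else:
            conn.sendall(("@ERROR: Unknown module '%s'\n" % req).encode())


def start_demo_daemon():
    """Bind the stand-in daemon on an ephemeral loopback port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            _serve_one(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_demo_daemon()
    for key, names in audit_rsync_daemon("127.0.0.1", port).items():
        print("%-14s %s" % (key + ":", ", ".join(names) or "-"))
```

Against a real daemon, `rsync rsync://host/` performs the same listing step. Anything that lands in the `open` list is readable (and, if the module has `read only = no`, writable) by whoever can reach the port; the fixes in rsyncd.conf are `hosts allow` restricted to the synchronization peers, `auth users` with a `secrets file`, `read only = yes`, and binding the daemon to a private address rather than an Internet-facing one. Note that `list = no` only hides a module from the listing; it can still be opened by name, so it is not an access control.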

Fuji Electric Patches Vulnerabilities in HMI Software
ICS-CERT informed organizations on Thursday that the Monitouch V-SFT software is affected by stack and heap buffer overflows and improper privilege management vulnerabilities that can be exploited to execute arbitrary code and escalate privileges.

Engineering Firm Exposed Electrical Infrastructure Details: Researchers
Misconfiguration issues with systems operated by Texas-based electrical engineering firm Power Quality Engineering (PQE) resulted in the information of various clients being exposed to the Internet, along with sensitive corporate information from PQE itself, UpGuard security researchers warn.

Has healthcare misdiagnosed the cybersecurity problem?
Most senior leadership in healthcare is medically trained with a clinical background in an industry built on such noble concepts as “do no harm” and forward-thinking practices like evidence-based medicine. Through this lens, healthcare organizations regularly misinterpret the nature of the cybersecurity problem and consequently, how to treat it.

Fuzzing Tests Show ICS Protocols Least Mature
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.

Cyberattacks on GPS leave ships sailing in dangerous waters
And well they might after a recent spate of GPS jamming incidents involving these countries. Last year North Korea was accused of being behind the mass jamming of dozens of South Korean vessels that was serious enough to force them back to port.

Carmakers warned to focus on security of connected vehicles
Following up 2016’s demonstration of an attack in which the team disabled the car’s brakes via Wi-Fi, this year they remotely turned on the lights while opening and closing the doors, producing a slick video showing off their handiwork.

Air Gap FAILs, Configuration Mistakes Causing ICS/SCADA Cyberattacks
It had the markings of a possible sabotage operation. Stealthy, patient cyber attackers had wrested control of an ICS/SCADA controller in a power plant and were rooting around in what appeared to be a reconnaissance effort to map out the plant’s infrastructure.

Schneider Electric, Claroty Partner on Industrial Network Security
Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.

Exploited Windows Flaws Affect Siemens Medical Imaging Products
One advisory, published by both Siemens and ICS-CERT, warns of two critical Windows vulnerabilities that allow a remote, unauthenticated attacker to execute arbitrary code. The security holes impact Siemens Healthineers’ PET/CT and SPECT/CT medical imaging products running on Windows XP.

IoT Security: Where There is Smoke, There is Fire
We have collectively heard the saying, “where there is smoke, there is fire” throughout our lives. And, sure enough, it is true far more often than it is false. I have been seeing a lot of smoke lately, so I suspect that there is an interesting fire burning.

Attacks on manufacturing industry continue to rise
The motivations for these attacks are often criminal in nature, including extortion via ransomware, industrial espionage, and theft of data such as account numbers. What poses an even greater problem is that when these breaches are successful, yet go undetected, they allow hackers to establish footholds in organizations’ networks where they have free rein to wreak havoc over extended periods.

News This Past Week

Researchers Find a Malicious Way to Meddle with Autonomous Cars
While automakers focus on defending the systems in their cars against hackers, there may be other ways for the malicious to mess with self-driving cars. Security researchers at the University of Washington have shown they can get computer vision systems to misidentify road signs using nothing more than stickers made on a home printer.

Can US senators secure the Internet of Things?
In an intriguing choice of words, the bill aims to specify what the regulators are calling “minimal cybersecurity operational standards” for IoT devices.

New Legislation Could Force Security Into IoT
After years of warnings from security experts and researchers, the Internet of Things (IoT) remains fundamentally insecure. Now a group of senators has introduced bipartisan legislation to force vendors to ensure basic security within their IoT devices if they wish to sell into the government market.

Multiple vulnerabilities found in radiation monitoring gateways
Every now and then, a presentation at Black Hat throws up a security vulnerability that has been missed either because it exists in equipment researchers haven’t been paying attention to, or is simply inherently difficult to uncover.

Bipartisan Group Proposes IoT Cybersecurity Improvement Act
U.S. Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA), and Steve Daines (R-MT) have introduced the Internet of Things Cybersecurity Improvement Act of 2017, a new bill that seeks to ensure that IoT devices sold to the U.S. government meet security requirements.

It’s 2017 and Hayes AT modem commands can hack luxury cars
A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America’s ICS-CERT reckons is easy to exploit.

07-31-17 – News This Past Week

Testing the security of connected cars and IOT devices
Finding issues in your products and services upfront is a far better investment than the expense of letting cybercriminals find and exploit vulnerabilities. Our own investments in people, tools and expertise have more than tripled our security testing capabilities in the first year of IBM X-Force Red, making our offense our clients’ best defense


ICS Networks Not Immune To Insider Threats
The security threat from within can be even more potent than many external attacks. This is particularly the case with Industrial Control System (ICS) networks, which manage critical infrastructure and manufacturing processes. A smart, motivated, perhaps disgruntled employee or ex-employee with knowledge of a plant and access to the network can cause a variety of disruptions that may result in tainted products, financial losses, equipment damage and even threats to human lives.


WHISTL Labs will be Cyber Range for Medical Devices
Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms.


What is the car industry’s problem with over-the-air software updates?
Boiled down to its essence, OEMs can’t offer existing customers new features for their vehicles without the car dealerships getting their cut. This is in contrast to Tesla, which has done much to highlight the utility of OTA updates


‘Devil’s Ivy’ Is Another Wake-Up Call for IoT Security
The vulnerability — called Devil’s Ivy or CVE-2017-9765 — was made public last week by Senrio, a company that specializes in IoT security. It initially found the bug in the M3004 model security camera marketed by Axis Communications, but further research found that 249 of Axis’s 251 surveillance camera models are affected.


IBM Will Expand Security Testing Services To Automotive And IoT Companies
IBM seems to have recently refocused its efforts on digital security, also releasing the new IBM Z mainframe, a computing system that aims to fully encrypt cloud services and data for its corporate customers.


Majority of Consumers Believe IoT Needs Security Built In
Respondents to a global survey say Internet of Things security is a shared responsibility between consumers and manufacturers


Car Wash Hack Can Strike Vehicle, Trap Passengers, Douse Them With Water
“We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” researchers presenting the proof-of-concept say.


Independent labs to probe medical devices for security flaws
They suffer from many miseries: lack of quality assurance and testing, rush to release pressures on product development teams, accidental coding errors, malicious coding, inherent bugs in product development tools, being tiny, having low computing power in internal devices, and, well, the list goes on.


How to protect the power grid from low-budget cyberattacks
Cyberattacks against power grids and other critical infrastructure systems have long been considered a threat limited to nation-states due to the sophistication and resources necessary to mount them.



Security vulnerabilities in radiation monitoring devices
IOActive researcher Ruben Santamarta has uncovered a number of cybersecurity vulnerabilities in widely deployed Radiation Monitoring Devices (RMDs), and has presented his research at the Black Hat conference in Las Vegas.



Researchers Release Free Tool to Analyze ICS Malware
The researchers who discovered the game-changing malware used against Ukraine’s power grid in 2016 that knocked out power for an hour in part of Kiev released a tool here this week for analyzing malicious code targeting industrial networks.


ICS-CERT Warns of CAN Bus Vulnerability
A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.


Researchers remotely hack Tesla Model X
Security researchers from Tencent’s Keen Security Lab have done it again: they’ve found vulnerabilities in one of Tesla’s cars and demonstrated that they can be exploited remotely to do things like open the car’s doors and force it to brake while in motion.



Lethal Dosage of Cybercrime: Hacking the IV Pump
Why would someone hack an IV pump? There are several reasons, Regalado pointed out. If successful, an attacker could steal personally identifiable information (PII), hijack hospital devices and demand ransom, corrupt the device in a denial-of-service attack, or use the pump as an entryway into the broader corporate network.


Medical Device (Virtual) Village at DEF CON

There will be a Medical Device (Virtual) Village this year at DEF CON, organized in conjunction with I Am The Cavalry, the BioHacking Village, and the IoT Village (and hosted within the IoT Village), from July 28-30th at Caesars Palace in Las Vegas, Nevada. We seek to establish a high-trust, high-collaboration environment where security researchers, medical device makers, healthcare providers, doctors, and others can come together in a joint mission to preserve patient safety. This event builds on work such as our Hippocratic Oath for Connected Medical Devices and our Position on Disclosure.

The latest medical advances lay at the intersection of patient care and connected technology. Integration of new technology enables innovations that improve patient outcomes, reduce cost of care delivery, and advance medical research. A growing number of medical devices are designed to be networked to facilitate patient care. As such, accidents and adversaries that trigger software vulnerabilities may harm human life, patient safety, and public trust.

Researchers may be more reluctant to disclose if they know a vulnerability has not been (or cannot be) fixed. On the other hand, the prospect of high consequence failures may motivate action. Remediation urgency can preserve safety, life, and trust; at the same time, validation and verification avoid unintended consequences. Vulnerability discovery, disclosure and remediation in public safety and human life contexts should be handled with both due haste and due care.

News This Past Week 2017-07-09

Russian hackers target the US nuclear industry
The New York Times and Bloomberg both claim that Russian hackers have been attempting to infiltrate America’s nuclear power industry. The infiltrations themselves have been public knowledge since last week, but now fingers are being pointed towards the usual suspects.

Unpatched Flaws in Schneider Electric U.motion Builder Disclosed
Schneider Electric’s U.motion is a building automation solution used around the world mainly in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.

Breach at US nuclear plants raises concerns in wake of Petya
For anyone old enough to remember the 1980s, the Chernobyl accident and the radiation it released in a cloud across Europe is a byword for nuclear disaster, and the human tendency to underestimate the importance of having a plan B. The area around the plant is still an abandoned exclusion zone, 31 years after the disaster.

In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine
While there is little doubt that MeDoc users were infected via malicious updates with ExPetr, it appears that ExPetr was not the only malware they received. Our telemetry confirms that MeDoc users received at least one other malicious program at the same time. This additional malware, which was run as “ed.exe” in the “MeDoc” program folder

Intel AMT bug bit Siemens industrial PCs
You don’t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.

This weekly report was compiled, with comments, by Tim Anater (@bfbcping). Tim comments on security, beer, and movies. In that order. All views are his, except links. Those belong to whomever is on the other side of the link.

IATC at ISSA Summit

On Friday, May 19, I attended the ISSA Summit 9 in Los Angeles to run the I Am The Cavalry booth. I Am The Cavalry was an honorary sponsor of the event and I thoroughly enjoyed the experience. From the keynotes about the current state of cyber security and life lessons learned from IT, to the in-depth breakdown of WanaCrypt0r, there was plenty to take away from each and every talk. Perhaps most importantly were the amazing connections we were able to establish at and around the booth. A speaker at the CISO panel mentioned I Am The Cavalry which also helped bring more interest over to the booth.

Of particular note, we received some very interesting questions, ideas, and even invitations to speak at other industry events, such as Big Data Day LA and SoCal Linux Expo (SCALE). One of the interesting enquiries we received was about creating a Pwn2Own for medical devices, which could facilitate more security research on them as more and more malware has been victimizing medical equipment. This brought to our attention the subject that is somewhat unique to healthcare and other special-device industries: the devices are so pricey that it is often impractical for security researchers to even get their hands on them in order to test. For example, an MRI machine costs upwards of hundreds of thousands of dollars and no known hospital currently has MRI machines to sacrifice on security tests.

Jennifer Granick, Stanford Law School’s Director of Civil Liberties, also stopped by the booth and asked to see some x86 disassembly, so I walked her through some WanaCrypt0r code which was a hot topic recently. Ms. Granick has a very thorough book that she recently published about the current state of privacy and surveillance in the United States entitled American Spies: Modern Surveillance, Why You Should Care, and What to Do About It. The book has a similar feel to Data and Goliath by Bruce Schneier, but as one would imagine, it covers a lot more policy and law rather than the technical focus of Schneier’s books. I feel this title makes a great companion to Data and Goliath and frankly was very necessary at this point in time. I’ve enjoyed the 50 pages that I’ve read so far and each page is jam-packed with value.

Last but not least, the CTF was put on by Somerset Recon from San Diego. These gentlemen are very, very skilled at what they do and brought an awesome, e-sports-esque head-to-head rig. If I would have had extra time, I certainly would have spent more time reversing binaries at the CTF, but every minute was well-spent at this event and I look forward to the next ISSA Summit.

Todd Cullum

US Government ❤ Coordinated Disclosure

Thanks to a great friend and graphic designer, @NguyetV, we have an infographic of the US Federal Government’s work around coordinated disclosure over the last two years.

UPDATE: Since publication, the FDA released their final postmarket guidance on December 28.

UPDATE 2017.06.07: In May, a Senate bill was introduced for a government-wide bug bounty, and in June the House bug bounty equivalent was also introduced. And Mårten Mickos of HackerOne pointed out that the General Services Administration’s (GSA) 18F has a disclosure policy, and that Hack The Air Force is currently running.

5 Motivations of Security Researchers

Security researchers have diverse motivations for investigating security flaws in software and systems. As companies, policymakers, lawyers, and others interact with the security research community, understanding this truth can unlock more fruitful engagement. I Am The Cavalry has been using a simple and useful framework to discuss the drivers of security researcher behavior. While this list isn’t comprehensive, and while most of us fit at least two of these categories, this framing can catalyze a dialog that allows a fuller appreciation of why we do what we do, and that is the value of the framework.

  • Protect – make the world a safer place. These researchers are drawn to problems where they feel they can make a difference.
  • Puzzle – tinker out of curiosity. This type of researcher is typically a hobbyist and is driven to understand how things work.
  • Prestige – seek pride and notability. These researchers often want to be the best, or very well known for their work.
  • Profit – to earn money. These researchers trade on their skills as a primary or secondary income.
  • Protest/Patriotism – ideological and principled. These researchers, whether patriots or protestors, strongly support or oppose causes.

6 Differences in Internet of Things and Cyber Safety

We’ve been using a framework for a couple of years to explain how the Internet of Things and Cyber Safety are different from Enterprise IT and most other high tech products we’re familiar with. It’s proven useful to frame discussions, particularly with a non-technical audience, and builds a base of agreement for more substantive conversations. Most of our (debatably) “best practices” are highly tuned for financially motivated adversaries, with confidentiality impacts, in managed corporate environments, with common technologies, and established economics and time scales. As compared with Enterprise IT, the Internet of Things and Cyber Safety have several differences that must be appreciated and accounted for throughout the device’s lifecycle by all stakeholders who design, build, or operate them.

  • Consequences – When software is a dependency for safety-critical systems, consequences of security failure may manifest in direct, individual harm including loss of life. Impacts from widescale harm can shatter confidence in the firm or the market, as well as trust in government to safeguard citizens through oversight and regulation.
  • Adversaries – Different adversaries have different goals, motivations, methods, and capabilities. While some adversaries may be chastened by potential harm from safety-impacting systems, others may seek these systems out. For instance, ideological actors may wish to inflict harm, and criminal groups may suspect owners will pay higher ransoms.
  • Composition – Some components in Internet of Things devices, including safety systems, are not found in typical IT environments. Elements such as sensors, programmable logic controllers, low power chips, embedded controllers, limited battery life, etc., limit capabilities available to the manufacturer in design and response.
  • Economics – Components for safety systems may require both a high degree of resourcing to protect and have a very low cost of goods, and margins may also be smaller. Security capabilities for million dollar data centers are likely cost prohibitive in 42 cent microchips.
  • Context and Environment – Safety critical systems often exist in unique operational, environmental, physical, network, immediacy/realtime, and legal contexts. For instance, a pacemaker is implanted in a human body, has no IT staff, must respond immediately, has no bolt-on security measures, and carries strict regulatory requirements.
  • Timescales – Timescales for design, development, implementation, operation, and retirement are often measured in decades. Response time may also be extended because of composition, context, and environment. Safety systems in design today may be with us for 10, 20, 40 years.

Hack In The Box AMS 2017

We’re happy to announce a partnership with Hack in the Box Security Conferences! At Hack In The Box Amsterdam (HITB2017AMS), April 10-14, 2017, 50% of the CommSec track will be dedicated to talks that fall within the IATC domains and we will be part of the CFP selection committee for these talks. The HITB CommSec track has the huge advantage that it’s open to the general public, so it will be possible to bring in interested parties from manufacturers and government without them needing to pay the conference admission fee. We will also arrange an IATC meetup again in 2017 during HITB2017AMS, so if you’re interested in our work and you’re in Europe, you should consider attending this conference.

HITB has always been run ‘by and for’ the community (everyone is essentially a volunteer), and the CommSec track is a natural extension of the main conference program. Think of it sort of like having their own ‘B-Sides’. The main conference Call for Papers gets somewhere between 4:1 and 5:1 talk-to-slot submissions, and a lot of these presentations are good but there’s simply not enough space for them all. The CommSec track was partially born out of that and, in keeping with the HITB spirit of ‘keeping knowledge free’, they decided that access to the CommSec track (like the CommSec Village and technology exhibition area) should be free as well.