07-02-18 – News This Past Week

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products
https://www.securityweek.com/rockwell-patches-flaw-affecting-safety-controllers-several-vendors

Industrial IoT: Protecting the Physical World from Cyber Attacks
The convergence of industrial IoT and intelligent automation has been a boon for many enterprises, allowing machines to take on tasks that previous generations of automation could not handle. This shift mirrors the way that connected devices have transformed home life for many consumers
https://www.securityweek.com/industrial-iot-protecting-physical-world-cyber-attacks

Fairhair Alliance Building IoT Security Architecture
A group of companies in the building automation and IoT space is working for a coherent security architecture that incorporates multiple standards
https://www.darkreading.com/iot/fairhair-alliance-building-iot-security-architecture/d/d-id/1332147

House Passes Bill to Enhance Industrial Cybersecurity
The U.S. House of Representatives on Monday passed a bill aimed at protecting industrial control systems (ICS), particularly ones used in critical infrastructure, against cyberattacks
https://www.securityweek.com/house-passes-bill-enhance-industrial-cybersecurity

Simple Security Flaws Could Steer Ships Off Course
A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks.

New WPA3 security protocol simplifies logins, secures IoT
Latest WPA3 security protocol update adds new features to the Wi-Fi access specification for simple and secure wireless access for individuals, as well as enterprises
https://searchsecurity.techtarget.com/news/252443752/New-WPA3-security-protocol-simplifies-logins-secures-IoT

US legislators put industrial control system security on the map
After a spate of attacks on industrial control systems (ICS), the US this week officially recognized the need to secure them with a new bill. On Monday, House representatives passed legislation to bring these systems under the protection of the Department of Homeland Security

CIS Adapts Critical Security Controls to Industrial Control Systems
The Center for Internet Security (CIS) recently updated their popular CIS Controls – formerly known as the SANS Top 20 – and just published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide, in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments
https://www.tenable.com/blog/cis-adapts-critical-security-controls-to-industrial-control-systems

GlobalSign, Comodo launch competing IoT security platforms
GlobalSign Tuesday unveiled its IoT Identity Platform, which includes several products and services aimed at using public key infrastructure (PKI) to assign identities to IoT devices and authenticate them. The cloud-based platform includes IoT Edge Enroll, an enrollment client that provisions and manages PKI-based identities for an assortment of connected devices.
https://searchsecurity.techtarget.com/news/252443994/GlobalSign-Comodo-launch-competing-IoT-security-platforms

06-25-18 – News This Past Week

Pwned with ‘4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
A presentation at last week’s BSides London conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.
https://www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/

China-based hackers burrow inside satellite, defense, and telecoms firms
An advanced hacking campaign originating in China has spent the past year infiltrating satellite operators, defense contractors, and telecoms companies in the US and Southeast Asia, researchers from Symantec said
https://arstechnica.com/information-technology/2018/06/china-based-hackers-burrow-inside-satellite-defense-and-telecoms-firms/

SCADA Hacking – Industrial Systems Woefully Insecure
It was ok before everything started getting wired up to networks, but with SCADA systems pre-dating the kind of security controls we need to stay safe, it’s hard to retrofit them

NanoLock Launches Platform to Protect IoT Devices From Production Through End-of-Life
Cybersecurity start-up NanoLock Security today announced a new lightweight security platform designed to add security into the small connected devices better known as the internet of things, rather than to overlay security around those devices.
https://www.securityweek.com/nanolock-launches-platform-protect-iot-devices-production-through-end-life

Four New Vulnerabilities in Phoenix Contact Industrial Switches
Phoenix Contact has disclosed four vulnerabilities in switches in the FL SWITCH industrial line. The affected devices are typically used in automated processes at digital substations, oil and gas, maritime, and other industrial applications
https://www.darkreading.com/iot/four-new-vulnerabilities-in-phoenix-contact-industrial-switches/d/d-id/1332121

Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there

Rockwell Patches Flaw Affecting Safety Controllers From Several Vendors
In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products
https://www.securityweek.com/rockwell-patches-flaw-affecting-safety-controllers-several-vendors

Hippocratic Oath in German

The country of Siemens, Braun, Dräger, Zeiss and many more renowned medical engineering companies is finally getting it too: I am the Cavalry has published the long and short versions of the Hippocratic Oath for Connected Devices in the German language. The Oath is a voluntary agreement to honour the principles of software engineering safety to protect patients’ health and lives and can be found at https://iamthecavalry.org/eid. Find the PDF here.

06-18-18 – News This Past Week

‘Shift Left’ & the Connected Car
How improving application security in the automotive industry can shorten product development time, reduce costs, and save lives.
https://www.darkreading.com/application-security/shift-left-and-the-connected-car/a/d-id/1332018

ICS/SCADA Smart Scanning: Discover and Assess IT-Based Systems in Converged IT/OT Environments
Increasingly, operational technology (OT) environments are interconnecting with IT and adopting exploitable IT-based assets and protocols. This means OT systems are exposed to IT threats. Additionally, IT/OT convergence is expanding the cyberattack surface.
https://www.tenable.com/blog/icsscada-smart-scanning-discover-and-assess-it-based-systems-in-converged-itot-environments

Security Vulnerabilities: A Threat to Automotive Innovation
The pace of innovation within the automotive industry has been breath-taking. Only ten years ago, the very concept of self-driving cars and heavy goods vehicles was still regarded as far-fetched science fiction. Today, they are already a common sight on many roads around the world.
https://www.securityweek.com/security-vulnerabilities-threat-automotive-innovation

Siemens Patches Vulnerabilities in SCALANCE, Other Devices
Siemens this week published five new security advisories describing several vulnerabilities discovered in its switches, routers, building automation products, and medical devices
https://www.securityweek.com/siemens-patches-vulnerabilities-scalance-other-devices

Critical Flaws Patched in Schneider Building Automation Software
Schneider Electric recently patched four vulnerabilities in its U.motion Builder software, including two critical command execution flaws. Advisories have been published by both the vendor and ICS-CERT
https://www.securityweek.com/critical-flaws-patched-schneider-building-automation-software

06-11-18 – News This Past Week

Tens of Vulnerabilities Found in Quest Appliances
Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details
https://www.securityweek.com/tens-vulnerabilities-found-quest-appliances

Interconnectivity Has Put ICS Environments in Cyber Risk Crosshairs
Tell any IT professional that the computer running the electrical grid has not been updated in 20 years, or that the machine that controls operations in the bottling plant was last tuned up when Y2K was still being planned, and they will look at you like you are crazy. They simply will not believe you.
https://www.securityweek.com/interconnectivity-has-put-ics-environments-cyber-risk-crosshairs

What happens if IoT security doesn’t get solved?
A new Bain & Company report says security concerns are slowing IoT adoption. Is this problem fixable — and what if it isn’t?
https://www.networkworld.com/article/3278023/internet-of-things/what-happens-if-iot-security-doesnt-get-solved.html

Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded
https://www.securityweek.com/mirai-variants-continue-spawn-vulnerable-iot-ecosystem

Researcher Successfully Hacked In-Flight Airplanes – From the Ground
It’s been four years since researcher Ruben Santamarta rocked the security world with his chilling discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities
https://www.darkreading.com/vulnerabilities---threats/researcher-succesfully-hacked-in-flight-airplanes---from-the-ground/d/d-id/1331961

US Government Probes Airplane Vulnerabilities, Says Airline Hack Is ‘Only a Matter of Time’
According to DHS and other US government documents obtained by Motherboard, the DHS is continuing to investigate how insecure commercial aircraft are to cyber attacks, with one research lab saying hacking a plane may lead to a “catastrophic disaster.”
https://motherboard.vice.com/en_us/article/d3kwzx/documents-us-government-hacking-planes-dhs

Vulnerable ship systems: Many left exposed to hacking
Pen Test Partners’ Ken Munro and his colleagues – some of whom are former ship crew members who really understand bridge and propulsion systems – have been probing the security of ships’ IT systems for a while now and the results are depressing: satcom terminals exposed on the Internet, admin interfaces accessible via insecure protocols, no firmware signing, easy-to-guess default credentials, and so on

Serious Flaws Found in Philips Patient Monitoring Devices
Researchers have discovered serious vulnerabilities in patient monitoring devices from Philips. The vendor has shared some recommendations for mitigating the risks until patches are made available
https://www.securityweek.com/serious-flaws-found-philips-patient-monitoring-devices

Triton ICS Malware Developed Using Legitimate Code
The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work
https://www.securityweek.com/triton-ics-malware-developed-using-legitimate-code

MIT researchers develop transmitter to prevent hackers from attacking IoT devices
One method that has been looked into to protect the data on these devices is “frequency hopping”, a technique which sends each data packet, containing thousands of individual bits, on a random, unique radio frequency (RF) channel, so hackers can’t pin down any given packet
https://www.v3.co.uk/v3-uk/news/3033887/mit-researchers-develop-transmitter-to-prevent-hackers-from-attacking-iot-devices

05-21-18 – News This Past Week

Siemens Patches DoS Flaws in Medium Voltage Converters
According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors
https://www.securityweek.com/siemens-patches-dos-flaws-medium-voltage-converters

Many Vulnerabilities Found in OPC UA Industrial Protocol
Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems
https://www.securityweek.com/many-vulnerabilities-found-opc-ua-industrial-protocol

‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK
The group, tracked as “Allanite,” has been linked to campaigns conducted by Dragonfly (aka Energetic Bear and Crouching Yeti) and Dymalloy, which Dragos discovered while analyzing Dragonfly attacks
https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk

Internet of Things Security Policies Still Lagging, Report Finds
Internet of things (IoT) security has been a growing concern in recent years, with vulnerabilities continuing to be reported and hackers continuing to launch attacks.
http://www.eweek.com/security/internet-of-things-security-policies-still-lagging-report-finds

A flaw in a connected alarm system exposed vehicles to remote hacking
A bug that allowed two researchers to gain access to the backend systems of a popular internet-connected vehicle management system could have given a malicious hacker everything they needed to track the vehicle’s location, steal user information, and even cut out the engine.
https://www.zdnet.com/article/flaw-connected-alarm-system-exposed-vehicles-remote-hacking/

IT Pros Worried About IoT But Not Prepared to Secure It
Few organizations have a security policy in place for Internet of Things devices, new survey shows
https://www.darkreading.com/endpoint/it-pros-worried-about-iot-but-not-prepared-to-secure-it/d/d-id/1331817

Relying on legacy security technologies leaves you blind to IoT threats
IoT and IIoT (Industrial IoT) introduce new IoT networks autonomous from the enterprise network. Organizations are blind to these IoT networks and devices across a plethora of new protocols and frequencies.

‘Chrysene’ Group Targets ICS Networks in Middle East, UK
Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks
https://www.securityweek.com/chrysene-group-targets-ics-networks-middle-east-uk

Critical Flaws Patched in Phoenix Contact Industrial Switches
Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions
https://www.securityweek.com/critical-flaws-patched-phoenix-contact-industrial-switches

Critical Code Execution Flaws Patched in Advantech WebAccess
Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.
https://www.securityweek.com/critical-code-execution-flaws-patched-advantech-webaccess

Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
SIMATIC S7-400 is a family of programmable logic controllers (PLCs) designed for process control in industrial environments. The product is used worldwide in the automotive, mechanical equipment manufacturing, building engineering, steel, power generation and distribution, chemical, warehousing, food, and pharmaceutical sectors
https://www.securityweek.com/severe-dos-flaw-discovered-siemens-simatic-plcs

Hacking train Wi-Fi may expose passenger data and control systems
Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers’ credit card information, according to infosec biz Pen Test Partners this week
https://www.theregister.co.uk/2018/05/11/train_wifi_hackable_on_some_networks/

2018: Scariest Year of Evil Things on the Internet
The report indicates that security professionals have a heightened concern for growing threats, with 85% of respondents believing their country will suffer a major critical infrastructure cyber-attack in the next five years
https://www.infosecurity-magazine.com/news/2018-scariest-year-of-evil-things/

The Enterprise of Things’ troubling lack of security
Enterprise deployment of IoT devices brings a unique requirement to enterprise security that is distinct from normal end points and data centers. Here are three strategies to address it
https://www.networkworld.com/article/3272828/internet-of-things/the-enterprise-of-things-troubling-lack-of-security.html

Getting grounded in IoT networking and security
The internet of things already consists of nearly triple the number of devices as there are people in the world, and as more and more of these devices creep into enterprise networks it’s important to understand their requirements and how they differ from other IT gear.
https://www.networkworld.com/article/3269736/internet-of-things/getting-grounded-in-iot-networking-and-security.html

Most Industrial Networks Vulnerable to Attack
Despite the fact that so many aspects of a modern society rely on the proper and uninterrupted operations of critical infrastructure, security flaws across many industrial control systems (ICSs) are largely vulnerable to cyber-attacks
https://www.infosecurity-magazine.com/news/most-industrial-networks/

The ABCs Driving the Growth of Industrial Cybersecurity
Nothing in industrial cybersecurity is as simple as ABC. Protecting complex, yet aging industrial networks against direct and indirect attacks, planned by increasingly sophisticated adversaries, is as big a challenge as you’ll find in operational technology. And, for decades, the exposure of industrial control systems was overlooked and fell far behind IT in terms of risk management
https://www.securityweek.com/abcs-driving-growth-industrial-cybersecurity

05-07-18 – News This Past Week

KRACK Vulnerability Puts Medical Devices At Risk
A slew of devices from medical technology company Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records.

Schneider Electric Development Tools Affected by Critical Flaw
Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products
https://www.securityweek.com/schneider-electric-development-tools-affected-critical-flaw

Microsoft Unveils New Solution for Securing Critical Infrastructure
Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems
https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

Medical devices vulnerable to KRACK Wi-Fi attacks
Medical devices from Becton, Dickinson and Company (BD) that rely on Wi-Fi networks encrypted by Wi-Fi Protected Access II (WPA2) encryption are vulnerable to the KRACK Wi-Fi attacks, the company said in a security advisory.

Industrial Networks Easy to Hack From Corporate Systems: Study
The study, based on data from nearly a dozen companies around the world in the oil and gas, metallurgy, and energy sectors, found that the corporate network perimeter can be penetrated in 73% of cases, often due to misconfigurations.
https://www.securityweek.com/industrial-networks-easy-hack-corporate-systems-study

Schneider Electric Patches Critical RCE Vulnerability
Researchers discovered a critical remote code execution vulnerability in two Schneider Electric industrial control related products that could give attackers the ability to disrupt or shut down plant operations

Volkswagen Cars Vulnerable To Flaws The Company Won’t Patch
Daan Keuper and Thijs Alkemade, two researchers from a Dutch security firm Computest, discovered a flaw in Volkswagen and Audi cars that attackers could exploit remotely, over the internet. Volkswagen will not patch the flaw, as those car models lack the capability to be updated over-the-air
https://www.tomshardware.co.uk/volkswagen-cars-vulnerable-won-t-patch,news-58351.html

Half a million pacemakers need a security patch
Some 465,000 patients are affected. The FDA is recommending that all eligible patients get the firmware update “at their next regularly scheduled visit or when appropriate depending on the preferences of the patient and physician.”

Critical Flaw Puts US Industrial Systems At Risk
A critical security flaw in the InduSoft Web Studio and InTouch Machine Edition applications, both of which are made by Schneider Electric and are used in many industries that rely on automated systems, has been discovered by researchers at the Tenable security company. Tenable’s researchers said the popularity of Schneider Electric’s tools, combined with the severity of the vulnerability, could endanger many U.S. businesses.
https://www.tomshardware.co.uk/critical-flaw-us-industrial-systems,news-58359.html

Abbott Addresses Life-Threatening Flaw in a Half-Million Pacemakers
Abbott (formerly St. Jude Medical) has released another upgrade to the firmware installed on certain implantable cardioverter defibrillator (ICD) or cardiac resynchronization therapy defibrillator (CRT-D) devices – a.k.a., pacemakers

04-30-18 – News This Past Week

Hackers Behind Healthcare Espionage Infect X-Ray and MRI Machines
Security researchers have uncovered a new hacking group that is aggressively targeting healthcare organizations and related sectors across the globe to conduct corporate espionage
https://thehackernews.com/2018/04/healthcare-cyber-attacks.html

Cybersecurity task force addresses medical device safety
In an effort to harmonize the work being done in hospitals and by device manufacturers to address medical device vulnerabilities, Vizient has formed the Medical Device Cybersecurity Task Force

Ransomware Attack Hits Ukrainian Energy Ministry, Exploiting Drupalgeddon2
The Ukrainian Energy Ministry has been hit by a ransomware attack – and for once it looks like this is the work of amateurs, not nation-state attackers bent on making a geopolitical point. However, the bad actors appear to have made use of the recently patched Drupal vulnerability

04-23-18 – News This Past Week

FDA plans to improve medical device cybersecurity
Fixing vulnerabilities in a timely manner and propagating the fixes to the customers and users is also important, and to that end the FDA aims to push firms to adopt policies and procedures for coordinated disclosure of vulnerabilities

Energy security pros worry about catastrophic failure due to cyberattacks
70 percent of energy security professionals are concerned that a successful cyberattack could cause a catastrophic failure, such as an explosion, a recent survey has shown.

IoT Security Concerns Peaking – With No End In Sight
With the massive influx of connected devices into our digital lives, it’s no surprise that IoT security was on the forefront of the 2018 RSA Conference this year. But despite numerous talks about IoT vulnerabilities this week, a clear resolution seems nowhere in sight.

70% of Energy Firms Worry About Physical Damage from Cyberattacks
High-profile ICS attacks Triton/Trisis, Industroyer/CrashOverride, and Stuxnet have driven energy firms to invest more in cybersecurity, survey shows
https://www.darkreading.com/attacks-breaches/70--of-energy-firms-worry-about-physical-damage-from-cyberattacks/d/d-id/1331589

Putting the S.M.A.R.T. in Smart Cities: How to Address the Expanding Attack Surface
The concept of a smart city came of age in conjunction with another now ubiquitous term: digital transformation. Cities and counties rely heavily on their taxing authority to provide critical services such as public safety, public works and infrastructure maintenance
https://www.tenable.com/blog/putting-the-s-m-a-r-t-in-smart-cities-how-to-address-the-expanding-attack-surface

An Elaborate Hack Shows How Much Damage IoT Bugs Can Do
Vulnerabilities in internet-connected devices are well-documented by this point, but the most common exploitations generally involve conscripting thousands of vulnerable IoT devices into botnets, or getting onto a network through a weak IoT device for ransomware attacks. These aren’t usually data-stealing missions.
https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/

Surge of Attacks Targeting Network Infrastructure Devices – What You Need to Know
Based on the recent surge of attacks on network devices by Russian state-sponsored cyber actors, the US-CERT has released Technical Alert (TA18-106A). As of now, targets are primarily government and private-sector organizations, critical infrastructure providers and the internet service providers (ISPs) that support U.S. infrastructure
https://www.tenable.com/blog/surge-of-attacks-targeting-network-infrastructure-devices-what-you-need-to-know

How to Protect Industrial Control Systems from State-Sponsored Hackers
US-CERT recently issued an alert about Russian threat activity against infrastructure sectors. Is there a way to fight back?
https://www.darkreading.com/attacks-breaches/how-to-protect-industrial-control-systems-from-state-sponsored-hackers/a/d-id/1331529

Surprise! Wireless brain implants are not secure, and can be hijacked to kill you or steal thoughts
And because this particular bit of kit resides amid sensitive gray matter – to treat conditions like Parkinson’s – the potential consequences of successful remote exploitation include voltage changes that could result in sensory denial, disability, and death
https://www.theregister.co.uk/2018/04/18/boffins_break_into_brain_implant/

04-16-18 – News This Past Week

The way we regulate self-driving cars is broken—here’s how to fix it
The key issue is this: the current system is built around an assumption that cars will be purchased and owned by customers. But the pioneers of the driverless world—including Waymo, Cruise, and Uber—are not planning to sell cars to the public. Instead, they’re planning to build driverless taxi services that customers will buy one ride at a time
https://arstechnica.com/cars/2018/04/the-way-we-regulate-self-driving-cars-is-broken-heres-how-to-fix-it/

Critical Infrastructure Threat Is Much Worse Than We Thought
Last October the United States Computer Emergency Readiness Team (US-CERT) published a technical alert on advanced persistent threat (APT) activity targeting energy and other critical infrastructure sectors. Recently, it was updated with new information uncovered since the original report, and there are some interesting revelations this time around
https://www.securityweek.com/critical-infrastructure-threat-much-worse-we-thought

Schneider Electric Patches 16 Flaws in Building Automation Software
U.motion is a building automation solution used around the world in the commercial facilities, critical manufacturing and energy sectors. U.motion Builder is a tool that allows users to create projects for their U.motion devices.
https://www.securityweek.com/schneider-electric-patches-16-flaws-building-automation-software

6 Myths About IoT Security
Here are common misconceptions about securing these devices – and tips for locking them down.
https://www.darkreading.com/attacks-breaches/6-myths-about-iot-security/d/d-id/1331408

Splunk turns data processing chops to Industrial IoT
Splunk has always been known as a company that can sift through oodles of log or security data and help customers surface the important bits. Today, it announced it was going to try to apply that same skill set to Industrial Internet of Things data.

A Long-Awaited IoT Crisis Is Here, and Many Devices Aren’t Ready
You know by now that Internet of Things devices like your router are often vulnerable to attack, the industry-wide lack of investment in security leaving the door open to a host of abuses. Worse still, known weaknesses and flaws can hang around for years after their initial discovery. Even decades. And Monday, the content and web services firm Akamai published new findings that it has observed attackers actively exploiting a flaw in devices like routers and video game consoles that was originally exposed in 2006
https://www.wired.com/story/upnp-router-game-console-vulnerabilities-exploited/

Flaw in Emergency Alert Systems Could Allow Hackers to Trigger False Alarms
The emergency alert sirens are used worldwide to alert citizens about natural disasters, man-made disasters, and emergency situations, such as dangerous weather conditions, severe storms, tornadoes and terrorist attacks
https://thehackernews.com/2018/04/hacking-emergency-alert-sirens.html

Industrial Internet Consortium Develops New IoT Security Maturity Model
The Industrial Internet Consortium (IIC) has developed a new IoT Security Maturity Model (SMM), building on its own security framework and reference architecture. This week it has published the first of two papers: IoT Security Maturity Model: Description and Intended Use. This is primarily a high-level overview aimed at the less technical of IoT stakeholders
https://www.securityweek.com/industrial-internet-consortium-develops-new-iot-security-maturity-model

Electrical Substations Exposed to Attacks by Flaws in Siemens Devices
On March 8, Siemens and ICS-CERT published advisories to warn organizations of the existence of three vulnerabilities in SIPROTEC 4, SIPROTEC Compact, and Reyrolle devices, which provide integrated protection, control, measurement, and automation functions for electrical substations and other applications. The vendor has released patches and mitigations for each of the flaws
https://www.securityweek.com/electrical-substations-exposed-attacks-flaws-siemens-devices

Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it
The constantly evolving tools and methods of cyber attackers have resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next?
https://www.securityweek.com/why-mass-transit-could-be-next-big-target-cyber-attacks%E2%80%94and-what-do-about-it

Moxa plugs serious vulnerabilities in industrial secure router
A slew of serious vulnerabilities in the Moxa EDR-810 series of industrial secure routers could be exploited to inject OS commands, intercept weakly encrypted or extract clear text passwords, expose sensitive information, trigger a crash, and more.

Severe Flaws Expose Moxa Industrial Routers to Attacks
Cisco’s Talos intelligence and research group has reported identifying a total of 17 vulnerabilities in an industrial router from Moxa, including many high severity command injection and denial-of-service (DoS) flaws
https://www.securityweek.com/severe-flaws-expose-moxa-industrial-routers-attacks