Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities

The US Department of Homeland Security is once again accusing Russian government hackers of penetrating America’s critical infrastructure.

Uncle Sam’s finest reckon Moscow’s agents managed to infiltrate computer networks within US electric utilities – to the point where the miscreants could have virtually pressed the off switch in control rooms, yanked the plug on the Yanks, and plunged America into darkness.

The hackers, dubbed Dragonfly and Energetic Bear, struck in the spring of 2016, and continued throughout 2017 and into 2018, even invading air-gapped networks, it is claimed.

This seemingly Hollywood screenplay emerged on Monday in the pages of the Wall Street Journal (paywalled) which spoke to Homeland Security officials on the record.

The Energetic Bear aka Dragonfly crew – fingered in 2014 by Crowdstrike and Symantec – was inside “hundreds” of power grid control rooms by last year, it is claimed. Indeed, since 2014, power companies have been warned by Homeland Security to be on the lookout for state-backed snoops – with technical details on intrusions published here.

The Russians hacked into the utilities’ equipment vendors and suppliers by spear-phishing staff for their login credentials or installing malware on their machines via boobytrapped webpages, it is alleged.

The miscreants then leveraged their position within these vendors to infiltrate the utilities and squeeze into the isolated air-gapped networks in control rooms, it is further alleged. The hacker crew also swiped confidential internal information and blueprints to learn how American power plants and the grid system work.

We’re told, and can well believe, that the equipment makers and suppliers have special access into the utilities’ networks in order to provide remote around-the-clock support and patch deployment – access that, it seems, turned into a handy conduit for Kremlin spies.

The attacks are believed to be ongoing, and some utilities may not yet be aware they’ve been pwned, we were warned. It is feared the stolen information, as well as these early intrusions, could be part of a much larger looming assault.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

Source: No big deal… Kremlin hackers ‘jumped air-gapped networks’ to pwn US power utilities • The Register

UK snooping ‘unlawful for more than decade’ – but seemingly (and amazingly) responsible

The system that allowed spy agency GCHQ access to vast amounts of personal data from telecoms companies was unlawful for more than a decade, a surveillance watchdog has ruled.

The Investigatory Powers Tribunal said that successive foreign secretaries had delegated powers without oversight.

But it added there was no evidence GCHQ had misused the system.

Privacy International criticised the “cavalier manner” in which personal data was shared.

The group brought the legal challenge and solicitor Millie Graham Wood said it was “proof positive” that the system set up to protect personal data was flawed.

“The foreign secretary was supposed to protect access to our data by personally authorising what is necessary and proportionate for telecommunications companies to provide to the agencies.

“The way that these directions were drafted risked nullifying that safeguard by delegating that power to GCHQ – a violation that went undetected by the system of commissioners for years and was seemingly consented to by all of the telecommunications companies affected.”

Under security rules introduced after the attacks on 11 September 2001, the UK’s foreign secretary had the power to direct GCHQ to obtain data from telecoms companies, with little oversight of what they were subsequently asking for.

Carte blanche

The Investigatory Powers Tribunal (IPT) – set up to investigate complaints about how personal data is handled by public bodies – ruled that most of the directions given between 2001 and 2012 had been unlawful.

The tribunal was critical of the way the government handed on requests to GCHQ, partly because phone and internet providers “would not be in any position to question the scope of the requirement” because they “would have no knowledge of the limited basis upon which the direction had been made”.

“In form, the general direction was a carte blanche. In practice, it was not treated as such and there is no evidence that GCHQ ever sought to obtain communications data which fell outside the scope of data which had been sought in the submission to the foreign secretary,” the IPT ruled.

It added that a series of improvements had been made and were in force “from at least 2014” that ensured “great care” was now taken to ensure the foreign secretary approved any changes to the information being demanded from telecoms companies.

Source: UK snooping ‘unlawful for more than decade’ – BBC News

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

[…]

But just eight months later — in January 2017 according to the lawsuit — hackers broke in to the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.

[…]

Prior to executing the second heist, the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the intruders executed their heist on a weekend. Between Jan. 7 and 9, 2017, the hackers modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.

All the while, the intruders used the bank’s systems to actively monitor customer accounts from which the funds were being withdrawn. At the conclusion of the 2017 heist, the hackers used their access to delete evidence of fraudulent debits from customer accounts. The bank’s total reported loss from that breach was $1,833,984.

Source: Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M — Krebs on Security

Bluetooth security: Flaw could allow nearby attacker to grab your private data

A cryptographic bug in many Bluetooth firmware and operating system drivers could allow an attacker within about 30 meters to capture and decrypt data shared between Bluetooth-paired devices.

The flaw was found by Lior Neumann and Eli Biham of the Israel Institute of Technology, and flagged today by Carnegie Mellon University CERT. The flaw, which is tracked as CVE-2018-5383, has been confirmed to affect Apple, Broadcom, Intel, and Qualcomm hardware, and some Android handsets. It affects Bluetooth’s Secure Simple Pairing and Low Energy Secure Connections. Fortunately for macOS users, Apple released a patch for the flaw in July.

As the CERT notification explains, the vulnerability is caused by some vendors’ Bluetooth implementations not properly validating the cryptographic key exchange when Bluetooth devices are pairing. The flaw slipped into the Bluetooth key exchange implementation which uses the elliptic-curve Diffie-Hellman (ECDH) key exchange to establish a secure connection over an insecure channel.

This may allow a nearby but remote attacker to inject a bogus public key to determine the session key during the public-private key exchange. They could then conduct a man-in-the-middle attack and “passively intercept and decrypt all device messages, and/or forge and inject malicious messages”.

Source: Bluetooth security: Flaw could allow nearby attacker to grab your private data | ZDNet
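The missing check described above is ECDH public-key validation: before deriving a shared secret, the receiver confirms that the peer's key is a real point on the agreed curve. The sketch below is an added example, not code from the article or from any vendor's Bluetooth stack. It uses NIST P-256, the curve used by LE Secure Connections; the function names and the SEC1 uncompressed input encoding are assumptions made for illustration.

```python
# NIST P-256 domain parameters (field prime, curve coefficients, base point).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def parse_sec1_uncompressed(blob):
    """Split a 65-byte 0x04 || X || Y encoding into integer coordinates.

    The encoding is an assumption for this example; a Bluetooth stack
    receives the coordinates in its own pairing message format.
    """
    if len(blob) != 65 or blob[0] != 0x04:
        raise ValueError("expected 65-byte uncompressed point")
    return int.from_bytes(blob[1:33], "big"), int.from_bytes(blob[33:], "big")


def check_peer_public_key(x, y):
    """Return (ok, reason) for a peer public key given as affine integers.

    The point at infinity has no affine encoding, and P-256 has cofactor 1,
    so range plus curve-equation checks are the full validation here.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate outside field range"
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "point is not on P-256"
    return True, "ok"


def accept_pairing_key(blob):
    """Gate for the key exchange: True only if the key parses and validates."""
    try:
        x, y = parse_sec1_uncompressed(blob)
    except ValueError:
        return False
    return check_peer_public_key(x, y)[0]


if __name__ == "__main__":
    # Constructed inputs: the base point, and the same point with one bit of Y flipped.
    good = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    bad = b"\x04" + GX.to_bytes(32, "big") + (GY ^ 1).to_bytes(32, "big")
    print(accept_pairing_key(good), accept_pairing_key(bad))
```

A stack that runs this gate on every received key and aborts pairing on failure never computes a shared secret from a key the peer did not legitimately generate on the curve.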

On Highway Noise Barriers, the Science Is Mixed. Are There Alternatives?

Engineers and acousticians have known for years that the sound barriers bracketing America’s urban and suburban highways are only marginally useful, and that a variety of better technologies could be developed.

The problem: Nobody has an incentive to get them on the road.

“Walls are not a very effective solution,” said Robert Bernhard, vice president for research at the University of Notre Dame and an expert on noise control. Because the federal government pays for noise walls — and only noise walls — as part of highway expansion projects, he said, there is little incentive for researchers to keep testing and perfecting the alternatives.

Sound moves in not-so-mysterious ways, meaning that typical sound barriers have only limited effectiveness.


[…]

Even with the sound reduction, however, roadside residents are unlikely to hear crickets chirping. A dishwasher running in the next room is 50 dB, as are the ambient sounds of a laid-back city. The noise criteria aim to allow people to talk over their backyard picnic table, or shout at someone several feet away. “It’s not a situation where meeting the standard makes for a great backyard environment,” Bernhard said.

Of course, some of our ability to process sound is psychological: If people can see the tops of trucks over the wall they say it’s noisier, something people in the field call “psycho-coustics,” explained Bruce Rymer, a senior engineer at the California Department of Transportation. Just by ensuring a wall breaks that line of sight, “we achieve a reduction of 5 decibels,” said Mariano Berrios, environmental programs coordinator at FDOT.

But because noise travels in waves, not straight lines, sounds can and do go over the walls. This is why even with barriers standing 16 feet, homes several blocks away can hear the highway. Part of the sound wave is absorbed, part is reflected away from the wall, and part is transmitted through, Berrios explained. “Most of it goes above the barrier and gets diffracted, and gets to the receiver,” — that is, to a resident’s ears — he said.

This is especially problematic during certain weather conditions. When the consulting firm Bowlby & Associates, in Franklin, Tennessee, measured sounds around a highway in a yet-to-be-published study, they found that residents hundreds of feet from the highway could hear sounds some 5 decibels louder if the wind was blowing towards them, said Darlene D. Reiter, the firm’s president.

Weather, however, isn’t taken into account by the regulations. The noise model “assumes neutral conditions — no wind and no temperature effects — when in reality that happens only occasionally,” Reiter said. In the early morning, if the ground is cool but the air warms up, for instance, sound that would normally be pushed up is refracted downward, causing homes some 500 or 1,000 feet from the road to hear it loudly.

Source: On Highway Noise Barriers, the Science Is Mixed. Are There Alternatives?