A Congressional report authored by California Representative Michael Waxman and Massachusetts Representative Ed Markey publicizes that some United States utility companies are under constant cyberattack. Based upon a survey of 160 utilities, the publication notes that a dozen of the respondents report that they experience “daily, constant or frequent attempted cyber attacks.” Congress and the White House are understandably concerned that hackers could damage the nation’s power grid, but the utilities say that their security standards are sufficient to protect the systems that keep America’s lights on, and that the attacks suffered by the utilities are no different from the ones that other American businesses and organizations suffer on a regular basis.
What this means for you:
Unless you happen to be a highly placed Security Officer at the North American Electrical Reliability Corporation or a member of the House Energy and Commerce Committee, there’s not much you’ll be able to do personally to prevent cyberterrorists from eventually hacking a utility. Many security analysts predict that it’s only a matter of time before a US utility gets hacked, and you may recall a rather hushed-up incident affecting a large Saudi energy company not too long ago.
The real truth of the matter is that most companies, regardless of size, function or even nationality, are being probed and tested on a regular basis. The server that hosts this website experiences dozens (sometimes hundreds) of attacks on a daily basis. Is C2 being targeted specifically? Unlikely, but whether there is specific human intent behind the attacks or not, the fact remains that if (when) one of those automated attacks actually manages to penetrate a weakness, you can bet a human will follow along behind to assess whether the target is worth further hacking, or should simply be relegated to the growing army of zombified computers that are pointed at more high-value targets. My server doesn’t contain anything important enough to warrant concentrated effort, but you can bet that a compromised utility company server is a high-value target. And when everyone is gunning for you, you can’t dodge bullets forever, no matter how good you think your security is.
Though it’s no secret to the security world, the US government has specifically avoided naming Chinese state agencies as the source of a tremendous surge in cyberattacks on corporate and government institutions over the course of the past 2 years. On Monday, the gloves finally came off as Obama’s security advisor, Tom Donilon, pointed the finger of blame right at China’s military in a speech given to the Asia Society in New York, NY, as evidence gathered by multiple security firms continues to build toward an unavoidable confrontation on this issue. The Chinese government has of course denied these allegations, but has also said that it is willing to meet with the US and other nations to discuss cybersecurity.
What this means for you:
It’s still very early in the ballgame to decide if this is going to make things better or worse for the average business. At the moment, unless you are on the short list of companies that have information worthy of corporate or state-sponsor cyber-espionage, nothing will change for you, as your threats are likely still coming from the “traditional” vectors: either organized criminal elements seeking to steal from you, or random mischief and mayhem generated by malware controlled by those with less focus and malice. Today, as before, constant vigilance remains the most effective tool in your defense.
Targets of state-sponsored cyberattacks will continue to have a great deal to worry about. Where a “garden variety” attacker encountering strong defenses would normally move on to easier marks, cyber espionage targets will typically suffer through a dedicated, prolonged campaign of multiple types of attacks (brute force, trojan horse, spear phishing, social engineering, etc.) because of the valuable data or services protected within and the deep pockets of the government powering their efforts.
It’s not immediately clear what either government hopes to accomplish by meeting on cyber warfare, other than to set up guidelines that will only be used for political leverage when violated by the other party, and probably ignored when it suits either country. As you can imagine, rules like the Geneva War Conventions only work when both sides are willing to abide by them.
Remember the announcement of Facebook’s new “Graph Search” feature? No? I don’t blame you. Until most folks can get their hands on it and see what it can do with data from people they know, it’s hard to envision how Facebook’s “innovation” is important. Security analysts, of course, eat and breathe this stuff, and as they are trained (and expected) to do, they have extrapolated how this powerful social media search tool could be put to nefarious use. Christopher Hadnagy (Social-Engineer.org) put it succinctly:
Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.
In case you aren’t aware how “phishing” works, the core conceit is fooling the reader into clicking on links and providing confidential information to a counterfeit website. Phishing is most effective when the target gets an email that seems legitimate, e.g. one using the graphics and a faked sender address of a bank with which they already do business. Instead of having to rely on statistical probability, phishers can now target with ruthless efficiency anyone whose data is available through Facebook’s Graph Search.
What this means for you:
If you are an avid user of Facebook with a tendency to openly share just about everything through social media, your data is already out there and viewable. If you are a casual Facebook user, but haven’t taken the time to adjust your privacy settings, your data is already out there and viewable. Nothing has changed in that regard. However, up until now, you had a very, very thin layer of protection through the concept of “security through obscurity”. In other words, the sheer, overwhelming amount of data that is available greatly reduces your chances of being randomly identified and targeted. Think of it as wandering into the Library of Congress where the only way to find something was to know exactly what it was called and where it was located physically in the building.
Facebook’s Graph Search gives anyone the ability to search for anything in Facebook using a natural language query like, “Show me all the books on 19th century bridges built in the US with wood.” If those books are in the library and are viewable to the public, then they would be delivered in a tidy page that could be reloaded and refreshed whenever the search was needed. Here’s the key: the data is viewable only by those to whom you’ve granted permission to view. If you allow the public to see your contact information and “Likes”, that data will be viewable by not only your friends, but the internet, including the aforementioned phishers. If you haven’t reviewed the privacy and security permissions on your Facebook account, now is a good time to do so.
Security researcher Bogdan Calin has reportedly devised a new cyberattack method that can compromise certain types of routers merely by a local user opening an email on their iPhone, iPod or Mac. This new vector takes advantage of two common security weaknesses: the default mail client settings on Apple devices that load remote images automatically, as well as default or weak admin passwords on consumer-grade routers that are often found in residences and small businesses. In a nutshell, the attack works by taking advantage of your router’s ability to be managed via web browser: the email opens dozens of hidden pages containing login attempts and setting changes, each firing off in turn until one of them effects the change.
All of this happens in the blink of an eye, and because the changes don’t have to be destructive immediately, the user would not know they had just compromised their own network. These settings could include changing your DNS settings to servers that a hacker controls, allowing them to misdirect anyone on that network to sites that can further hijack computers. For example, typing “Google.com” would no longer take you to the actual Google website, but could instead send you to a counterfeit site that, for all intents and purposes, looks very similar to Google’s own site, and from there, could lure unsuspecting users into further compromising decisions.
What this means for you:
As of now, this particular attack only works on specific types of routers, and relies on the fact that many people have never set their router password to something other than the default it shipped with from the factory. Despite Mr. Calin’s warning, Apple is not planning to address the settings exploit, and has instead suggested that users can turn off the automatic loading of remote images in emails (the default setting in Android mail clients) if they wish additional security, but with the downside that all images, legitimate or not, would be prevented from loading. The simplest solution, of course, is to set your router password to something other than the default, and preferably one that is hard to guess or brute-force.
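The hidden-page trick above works because a consumer router’s admin interface will act on any request a browser or mail client sends it, even one triggered by an image tag, so long as the (often default) password is supplied. The following is an added example, not code from the article or from any router vendor, that models a router’s DNS-setting endpoint two ways: a weak firmware that honours a plain GET carrying the default password, and a hardened one that demands a POST, a same-origin request and a per-login CSRF token. All class names, paths and IP/DNS values are constructed for illustration.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Request:
    """A bare-bones HTTP request as seen by the router's admin page."""
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


class VulnerableRouter:
    """Weak firmware: any GET with the right password changes settings."""
    def __init__(self, admin_password="admin"):     # factory default, as shipped
        self.password, self.dns = admin_password, "192.0.2.53"

    def handle(self, req):
        if req.params.get("password") == self.password:
            self.dns = req.params.get("dns", self.dns)   # change applied silently
            return 200
        return 401


class HardenedRouter:
    """Requires POST + same-origin request + CSRF token tied to a real login."""
    ORIGIN = "http://192.168.1.1"                   # constructed admin origin

    def __init__(self, admin_password):
        self.password, self.dns, self.session_token = admin_password, "192.0.2.53", None

    def login(self, password):
        if password != self.password:
            return None
        self.session_token = secrets.token_hex(16)  # fresh token per login
        return self.session_token

    def handle(self, req):
        if req.method != "POST":                    # an <img> load is always a GET
            return 405
        if req.headers.get("Origin") != self.ORIGIN:  # cross-site page/mail client
            return 403
        token = req.params.get("csrf_token") or ""
        if not self.session_token or not secrets.compare_digest(token, self.session_token):
            return 403
        self.dns = req.params.get("dns", self.dns)
        return 200


def image_load(router, url_params):
    """What a mail client does when it auto-loads a remote image: a GET, nothing more."""
    return router.handle(Request("GET", "/admin/dns", url_params))


def demo():
    """Same hidden-image request against both firmwares; returns (status, DNS) for each."""
    weak, hard = VulnerableRouter(), HardenedRouter("correct horse battery staple")
    hidden = {"password": "admin", "dns": "198.51.100.9"}   # constructed rogue DNS value
    return image_load(weak, hidden), weak.dns, image_load(hard, hidden), hard.dns
```

Note that the hardened router still rejects the request even if the attacker guessed the password, because the image load can never carry the session token or the admin origin; changing the default password closes the hole in the weak firmware too.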
Image courtesy of Victor Habbick / FreeDigitalPhotos.net
In August of this year, one of the world’s largest oil producers, Saudi Aramco, was targeted in a cyberattack that crippled tens of thousands of its computers. Despite the apparent success of the attack and the impact this would have had on the company’s operations, oil production did not falter, and the global economy continued its drunken flirtation with failure instead of rushing into an oil-shortage-fueled orgy of self-destruction. Saudi Aramco has not been forthcoming on the details of the attack, or how they managed to survive it relatively unscathed, but in the eyes of security analysts and even our own Secretary of Defense, Leon Panetta, this attack was “probably the most destructive attack that the private sector has seen to date.”
There are conflicting reports about the motivation behind the attack. The hacktivist group “Cutting Sword of Justice” has claimed responsibility, citing the act as a strike at the House of Saud, the ruling body of Saudi Arabia, contradicting claims by security analysts who believe the attack to be a state or government-sponsored reprisal for the Stuxnet attacks that crippled the Iranian Nuclear Program. Beyond crippling oil-dependent economies like the US, government-backed cyberattacks on companies like Saudi Aramco can also gain proprietary geological survey data that could be extremely profitable for other, competing state-sponsored oil companies.
What this means for you:
Information is power, and there are very few companies that don’t store their most valuable data on computers and servers that are somehow connected to a network, if not the internet itself. Even if they had the best security known to man, it’s believed that at least one individual inside Saudi Aramco provided the means for attackers to compromise a company that produces 12% of the world’s oil. You should never rely 100% on technology alone for security – humans will always be more fallible than computers. Additionally, it’s important to provide some level of separation in your core business operations so that if a segment of your business is paralyzed, the entire operation doesn’t grind to a halt because the computers are offline getting repaired.