28.7.17

Black Hat 2017: Hacking the physical world

For years, attacks against physical industrial plants have been either largely theoretical, or the sophisticated realm of nation-states. While we have spent time looking precisely at this style of attack in other posts, it seems a host of attack automation tools and techniques are starting to hit the streets, as highlighted here at Black Hat.
For example, a few years ago, no one would have suspected hacking the HVAC system would result in a major breach, but it did. This year, there are a variety of talks about hacking physical infrastructure, with everything from wind farms, to building automation, to a host of other industrial components.
It’s easy to understand, as physical infrastructure hasn’t had the same focus on security as other, more traditional IT systems, which have made the headlines for years by getting hacked. But these devices typically embed full processors and operating systems, which are now baked into tiny full-fledged systems that are cost effective. This means it’s easy to bolt an operating system onto an industrial control system, a building management system, and other similar equipment.
Far fewer vendors of physical plant management systems have a clear-cut patch cycle than do vendors in the traditional IT field. Even for those that do, patching often requires non-standard techniques, including taking equipment offline, which does not endear the operators to the process. For this reason, many systems stay unpatched for years.
Many focus on security through obscurity, hoping attackers won’t turn their attention to the stalwart equipment. Often, this means they are running on very old operating systems where patches are no longer widely available, further hindering efforts to maintain security.
Penetration testers of the future will have to incorporate physical plant attacks into their repertoire, as these embedded devices will represent networked assets, and typically will be granted some kind of access to an internal management network.
Here at Black Hat, and later at Def Con, there will be plenty of opportunity to network with others to find the latest tools and techniques to help your infrastructure defense efforts. In many (or most) cases, these tools are available for free or low cost, so they really shouldn’t break the bank.
Meanwhile, training IT staff to recognize this ever-widening attack surface, and giving them the skills to analyze potential vulnerabilities and address them, should be a higher priority.
If you brought them to Black Hat, great, that will be a big jump-start for your organization. If not, you may want to sit in on some of the sessions and take the information back with you.
You might be very glad you did.


Black Hat 2017: Non-standard hacking platforms reign supreme


This year at Black Hat, tiny automated hacking platforms are everywhere, loaded with tasty purpose-built tools that can be used to break into your systems. It’s no surprise, really, that a $35 single-board computer running server software and connected to a network can serve as a fire-and-forget attack platform, and at that price the attacker doesn’t really care about it being discovered.
With a couple of small ARM-based platforms equipped with cheap machine-to-machine data cards, you now have a server that can be embedded into a hostile environment that will phone home and establish a communication session so you can maintain persistence on the network.
Sure, it might be discovered sitting on a network port (maybe, and even then it may take a while), on a switch or a router, but many of these boards come with Wi-Fi functionality, so you can take your time and run a series of wireless attacks to gain network access, even spoofing a legitimate MAC address to pretend to be another computer on the network. With all of these add-ons, your tiny computer probably costs around $100, which is still a small price to pay to launch an attack.
The good news is that the tools shown at Black Hat address both attack and defense, and that there are tools which can be used to defend against this potential threat as well. This is the good part about Black Hat presentations: they usually talk about how to protect/defend against the type of attack they’re presenting on, since the presenters (usually) work for the good guys.
But as an enterprise or other organization, it makes sense to keep your ear on the data feeds coming out of Black Hat in order to get access to these tools and techniques, which are often freely available, so that your team can be prepared against the latest attacks to be released into the wild.
Since these tiny boards are very inexpensive, you can also run tests against your own defenses for a correspondingly tiny amount of money, and there are often cut-and-paste tutorials on how to do it.
Also, now is a good time to get up to speed on non-standard platforms, which are being deployed by the millions in IoT contexts, so that your security team will be familiar with the toolset and the nuances of using them as a working Linux security platform (though some of them run other operating systems, Linux seems to be the default).
With the volume of proof-of-concepts and mature software launched on the little devices, it’s no longer a corner of security you can ignore. They have become much more powerful in recent years, often hosting multiple-core CPUs, decent memory, gigabit Ethernet and very capable Wi-Fi chipset integration. In short, they’re very real computers the size of a credit card that can run on flashlight batteries, and that’s something you shouldn’t ignore in your environment.

Black Hat 2017 industrial hacking: The song remains the same

By Cameron Camp

If industry frameworks are to inform and secure the critical infrastructure writ large, here at Black Hat there are a lot of people punching holes in them, and in simple ways.
It would be one thing if some of the most critical systems had basic protections in place, like encrypted traffic and non-standard passwords, but as the talk on hacking wind farms points out, many or most don’t.
Networks shouldn’t be compromised by MitM (man-in-the-middle) attacks from Raspberry Pi 3 boxes spoofing ARP requests and sending write instructions to halt wind generators suddenly. But they do, and they can.
What’s needed to pull this off? Some very simple tools (released here at the show) and some rudimentary physical access.
Once you gain access, you can send commands via a SOAP interface, but also pivot and move laterally between industrial control boxes and continue the nastiness.
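The ARP-spoofing step described above leaves a footprint a passive sensor on the control network can catch: an IP address whose MAC binding suddenly changes, or one MAC answering for several hosts at once. The following detector is an added example, not code from the original post or from the wind-farm talk; the ARP replies and addresses in it are constructed placeholders (the OUI b8:27:eb is the Raspberry Pi Foundation’s).

```python
"""Flag ARP-cache-poisoning symptoms in a stream of observed ARP replies.

Added example; the sample records below are constructed, not captured
from any real plant network.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies as (seconds since start, sender IP, sender MAC).
# The last two entries show a new MAC suddenly claiming both the gateway
# and a turbine controller, the classic two-sided MitM pattern.
SAMPLE_ARP_REPLIES: List[Tuple[int, str, str]] = [
    (0,   "10.0.0.1",  "00:11:22:33:44:01"),   # gateway
    (1,   "10.0.0.20", "00:11:22:33:44:20"),   # turbine controller
    (2,   "10.0.0.21", "00:11:22:33:44:21"),   # second controller
    (60,  "10.0.0.1",  "00:11:22:33:44:01"),   # normal cache refresh
    (120, "10.0.0.1",  "b8:27:eb:aa:bb:cc"),   # gateway now answered by new MAC
    (121, "10.0.0.20", "b8:27:eb:aa:bb:cc"),   # same MAC also claims controller
]


def detect_arp_spoofing(replies: List[Tuple[int, str, str]],
                        max_ips_per_mac: int = 1) -> List[str]:
    """Return one alert string per suspicious event.

    Two symptoms are reported:
      1. an IP whose MAC binding changes after it was first learned, and
      2. a single MAC answering for more IPs than max_ips_per_mac allows
         (raise the limit for hosts that legitimately hold several IPs).
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"t={ts}: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

Tools such as arpwatch apply the same binding-change logic on live traffic; the point here is that the attack in the talk is noisy at layer 2 even when the SOAP traffic it enables looks legitimate.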
Sure, the speaker said his team had worked with manufacturers to plug the holes, but it was surprising how many didn’t seem to listen. Luckily some did, and he worked with them to help keep us all safe.
In our research, there have been surprising gaps in the digital defenses at critical infrastructure providers, and we attempt to educate and assist, but if the default protocols and hardware have default credentials and the operators use old, unsupported or unpatched operating systems, it’s an uphill battle.
When will it change? If enlightened IT staff at critical infrastructure providers can build bridges, they can educate the senior engineers who know how to run the plant, but often know precious little about how packets and networks work.
This is a generational issue, as the folks who are very good at running power plants that have basically operated year in and year out for decades, have spent their careers perfecting the craft without any “need” for packet networks, and so find little value. As they near retirement and are replaced with a generation raised on networks, some of the education will transfer, but that will still take years.
Meanwhile, frameworks intended to secure critical infrastructure, or offer guidance for operators to make it happen, are being rolled out to the industry as a hopeful first step (of many) that will help secure the whole ecosystem.
But since many pieces in the larger ecosystem are interdependent, especially in the event of a cascading failure mode, it can’t come soon enough.
In recent years, there has been an escalation in attempts to gain access to these network-connected systems, which paints sort of a heat map of how interested a potential adversary may be, and they are indeed interested. Now, it will be up to the plant operators to embrace the transition to a more IT-aware environment they find themselves thrust into. Whether or not that will be smooth remains to be seen. But change must come, so that simple network-based attacks showcased here at Black Hat won’t be effective at taking down vast swaths of the critical infrastructure that we all use and (mostly) take for granted.

25.7.17

Going to Black Hat? Bring your (marketing) wallet

With the steep rise in breaches and related financial losses, some vendors are going nuts, pricewise. It used to be you could hack together a centralized syslog for free if you had a server sitting around, but now, if you need a tasty looking dashboard, bring your wallet.
It’s easy to see why, as the speed of remediation (or stopping an attack in the first place) has been subjected to enough financial metrics to justify the spend to the boardroom and perhaps even to stockholders. But be careful, as the marketers have entered the fray – you could be buying a lot of hot air.
We’re not saying don’t spend for quality, but a healthy dose of fact-finding prior to purchase can save you more than the cost of a new hire, even in the competitive marketplace of today. Marketers have even invaded the booths of Black Hat recently, as we’ll see this year. No? Go ask a sampling of booth staff to describe BGP in detail. I’ll bet I can predict the results.
The good news is there are plenty of good technical resources and reputable companies at Black Hat that will give you good advice. But increasingly, we see non-technical people placed in charge of large departments which are tasked with protecting the organization’s IT systems, and they head to the show to find out what to do. Unfortunately, some companies prey on decision makers who have big wallets but minimal technical skills.
What to do? First, if you’re heading to Black Hat, understand that it’s a very technical landscape, where technologists will be deep in the weeds discussing the latest threats. You should bring someone of that type with you if you’re a decision maker; it will be the most cost-effective thing you can do, especially compared to buying equipment that costs more than a house to solve a perceived problem that may be vastly overstated.
This year at Black Hat, it will be incumbent upon newer vendors to make sensational claims to gain market share from established vendors; call it cheap (or free) marketing. And while it’s nice to visit the startup areas and learn about new tech, consider the value of the thing you’re protecting, and that bleeding edge products probably don’t have much of a track record in your field of interest.
You might, for example, do some tests on cutting edge gear in an evaluation setting, where you can run it through the paces and determine your comfort level first. Many vendors, if they find out you’re serious, will let you do extended testing to enable you to convince yourself of the product’s value. Take them up on it.
Along the way, realize that open source projects form the underpinnings of (almost) all commercial offerings. Want the technology to continue to thrive? Spend some money and time with the open source community to support the hard work that forms the foundation for all of us. It will help all the vendors, which in turn will help your organization. Throwing a few thousand into the pot to support the community has a very large leverage effect on the good of the whole ecosystem. Some of the largest vendors have realized this, and sponsor many open source projects with resources; you should too.
This isn’t at odds with commercial vendors, who build customization on top of that foundation; it simply bolsters that effort, writ large. It’s likely you don’t own or use a single piece of software that doesn’t have open source bits at the foundation somewhere, so you’ll be helping the commercial vendors build secure layers where they are experts, and have a stronger foundation to support their trick tech.
Remember, no one thinks your information is more important than you do, so in the end it’s up to you to determine your best defense. Get all the facts and bring your own expert to Black Hat with your best interest in mind, and you’ll have a far better chance of buying good tech – without all the hot air.
https://www.welivesecurity.com/2017/07/24/going-black-hat-bring-marketing-wallet/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

88% feel vulnerable to data threats

By Editor
 
Organizations are increasingly aware of the threat posed by data breaches, according to Thales’ 2017 Data Threat Report.
A remarkable 88% of respondents also admitted to feeling vulnerable to threats, with 9.1% feeling “extremely vulnerable”. This is significantly higher than the number actually experiencing data breaches.
26% of respondents reported their organizations had experienced a breach in the last year, a notable increase from 21.7% in 2016.
In addition to this, more than two in three respondents (67.8%) said they have previously experienced a data breach, an increase of almost 7% from 2016.
Garrett Bekker, principal analyst for information security at 451 Research, said: “These distressing breach rates serve as stark proof that data on any system can be attacked and compromised.”
One encouraging result found that the number of US-specific data breaches has started to fall.
Bekker expanded: “The good news: Only 19% of US retail respondents reported being breached last year, significantly less than the global average.”
Another positive finding was that 73% of respondents, up from 58% in 2016, predicted that security spending would increase over the next year.
With Lloyd’s of London estimating that a major cyberattack could cost the global economy $53 billion, increased spending is advisable: if not directly proportionate to that figure, then certainly significantly higher in light of recent security scares.
Over the past few years at least, security budgets have been regularly reported to be on the rise, but the commitment needs careful planning.
Bekker said: “Unfortunately, organizations keep spending on the same security solutions that worked for them in the past, but aren’t necessarily the most effective at stopping modern breaches.”
Firms should use their increased budgets wisely, first identifying their weak points before they begin allocating resources.