For most practical uses today, a combination of hardening and vulnerability detection is required to secure even the most basic digital environment. In each area it is important to see the progress you’re making in these competencies so that you can improve and build on the work you and your team have done over time. […]… Read More
The post Best Practices for Scoring Your Environment’s Security Measures appeared first on The State of Security.
Cutting the cord is the concept of breaking free from the traditional method of receiving...
The post Cutting The Cord & Keeping Cable TV With Amazon Fire Sticks appeared first on Binary Blogger.
The head of McAfee Advanced Programs Group, Patrick Flynn and Security Researcher Anne An discuss Chinese Cyber Crime trends and operations.
The post ST18 Chinese Cyber Crime with Anne An & Patrick Flynn appeared first on McAfee Blogs.
In response to the shift in educational modalities toward distance and e-learning, McAfee had taken our signature Online Safety Program (OSP) virtual. That’s right, McAfee OSP is serving up a new Online Safety Session every week!
Join us for a brand-new, 30-minute lesson every Thursday at 9 a.m. CST on the McAfee Facebook page during May. From cyberbullying and fake news to malware and cybercrime, McAfee’s cybersecurity experts are teaching students and families how to stay safe on the web.
Amid the challenges we are facing as a global community, it has never been more important to practice vigilance and safe practices online. We must equip kids, teens and families with the tools necessary to stay safe while WFH and e-learning becoming essential, and social media serves as a central social outlet.
The Latest on Online Safety Sessions
Recently, Chief Scientist Raj Samani shared how Rihanna changed his life and offered up unique insights for the next generation of cyber defenders. On May 7 (also World Password Day!), Senior Security Intelligence Director, Bill Woods, took a bite out of cybercrime as he looked back at his time with the FBI and walked us through ways we can protect ourselves from cybercriminals.
No matter what we’re facing as a global community, we will not rest in its quest to relentlessly protect all that matters. Remember to join us for our engaging Online Safety Sessions and spread the word to families you know.
Can’t make a session? You can catch session replays on the Life at McAfee YouTube Channel.
The post McAfee’s Award-Winning Online Safety Program Goes Virtual appeared first on McAfee Blogs.
By Gurjeet, Software Engineer, Canada
“We should protect Mother Earth. If we don’t take care of her, she won’t take care of us.”
This was my kindergartner’s response when I asked what he was doing while I watched him carefully dispose of forgotten candy wrappers outside of the school.
His answer led me to down an unexpected path to become a member of McAfee’s Green Team in the Waterloo office.
Inspired to Go Green
After that day in the schoolyard, I joined my son’s cleanup efforts, rather than idly waiting in the school pickup zone. Soon, other parents rolled up their sleeves to help improve our children’s environment.
Inspired by the momentum, I reexamined my household’s plastic consumption and recycling habits.
I felt pretty good—after all, I was doing my part to better our environment—until I read my colleague’s LinkedIn post:
“Who uses their trash bin at their desk? Consider using the bin in a break room or hallway to decrease your plastic consumption.”
He was right. I often used the bin at my desk, which is emptied nightly, regardless if it only held one item. I was contributing to plastic consumption at the office. My colleague’s simple act of raising awareness struck a chord with me. I could do more. By doing small things, I could make a big difference at McAfee.
The next day, I approached my colleague and we collaborated to launch Waterloo’s Green Team.
Actions in Year One
Excited by the possibilities, we gathered a few other team members and identified small changes we could make for a big impact. Outside of raising awareness, we narrowed our focus to three:
- Decreased plastics: Our Waterloo office was dependent on paper and plastic products. We replaced plastic cutlery and cups with real spoons, forks, plates, glassware and coffee mugs.
- Added bin stations and labels: To my colleague’s point, the trash bins would be emptied at each individual desk, even if there was only one item. We removed individual bins and invested in recycling and trash stations at convenient locations throughout the building. We also created signage that better defined what could be added to each bin.
- Gifted reusable tote bags: To decrease the amount of plastic coming in from outside the building, such as disposable lunch bags, and encourage others to do the same, we offered reusable tote bags to our Waterloo team members.
Our grassroots efforts during the first year was just the start. We continue to plan for the year ahead, and as McAfee launches additional green teams around the world, we plan to collaborate to make an even greater impact.
One person can make an impact. Small changes add up. These are my biggest takeaways.
My son’s small action in the schoolyard reverberated throughout my household, and eventually McAfee, when I found passion and purpose that I didn’t realize I had. You can make a difference.
My unexpected journey also held unexpected lessons. While incredibly rewarding, my day job as a software engineer doesn’t afford many opportunities to organize events, speak in public or mobilize people. Through my involvement in the Green Team, I uncovered skills I didn’t know existed.
I’m proud to work for a company that supports employees in their passions, especially when it’s for a more sustainable future for us all.
Interested in joining a company that supports green initiatives? Search our openings.
Diebold Nixdorf, a major provider of automatic teller machines (ATMs) and payment technology to banks and retailers, recently suffered a ransomware attack that disrupted some operations. The company says the hackers never touched its ATMs or customer networks, and that the intrusion only affected its corporate network.
Canton, Ohio-based Diebold [NYSE: DBD] is currently the largest ATM provider in the United States, with an estimated 35 percent of the cash machine market worldwide. The 35,000-employee company also produces point-of-sale systems and software used by many retailers.
According to Diebold, on the evening of Saturday, April 25, the company’s security team discovered anomalous behavior on its corporate network. Suspecting a ransomware attack, Diebold said it immediately began disconnecting systems on that network to contain the spread of the malware.
Sources told KrebsOnSecurity that Diebold’s response affected services for over 100 of the company’s customers. Diebold said the company’s response to the attack did disrupt a system that automates field service technician requests, but that the incident did not affect customer networks or the general public.
“Diebold has determined that the spread of the malware has been contained,” Diebold said in a written statement provided to KrebsOnSecurity. “The incident did not affect ATMs, customer networks, or the general public, and its impact was not material to our business. Unfortunately, cybercrime is an ongoing challenge for all companies. Diebold Nixdorf takes the security of our systems and customer service very seriously. Our leadership has connected personally with customers to make them aware of the situation and how we addressed it.”
NOT SO PRO LOCK
An investigation determined that the intruders installed the ProLock ransomware, which experts say is a relatively uncommon ransomware strain that has gone through multiple names and iterations over the past few months.
For example, until recently ProLock was better known as “PwndLocker,” which is the name of the ransomware that infected servers at Lasalle County, Ill. in March. But the miscreants behind PwndLocker rebranded their malware after security experts at Emsisoft released a tool that let PwndLocker victims decrypt their files without paying the ransom.
Diebold claims it did not pay the ransom demanded by the attackers, although the company wouldn’t discuss the amount requested. But Lawrence Abrams of BleepingComputer said the ransom demanded for ProLock victims typically ranges in the six figures, from $175,000 to more than $660,000 depending on the size of the victim network.
Fabian Wosar, Emsisoft’s chief technology officer, said if Diebold’s claims about not paying their assailants are true, it’s probably for the best: That’s because current versions of ProLock’s decryptor tool will corrupt larger files such as database files.
As luck would have it, Emsisoft does offer a tool that fixes the decryptor so that it properly recovers files held hostage by ProLock, but it only works for victims who have already paid a ransom to the crooks behind ProLock.
“We do have a tool that fixes a bug in the decryptor, but it doesn’t work unless you have the decryption keys from the ransomware authors,” Wosar said.
BleepingComputer’s Abrams said the timing of the attack on Diebold — Saturday evening — is quite common, and that ransomware purveyors tend to wait until the weekends to launch their attacks because that is typically when most organizations have the fewest number of technical staff on hand. Incidentally, weekends also are the time when the vast majority of ATM skimming attacks take place — for the same reason.
“After hours on Friday and Saturday nights are big, because they want to pull the trigger [on the ransomware] when no one is around,” Abrams said.
Many ransomware gangs have taken to stealing sensitive data from victims before launching the ransomware, as a sort of virtual cudgel to use against victims who don’t immediately acquiesce to a ransom demand.
Armed with the victim’s data — or data about the victim company’s partners or customers — the attackers can then threaten to publish or sell the information if victims refuse to pay up. Indeed, some of the larger ransomware groups are doing just that, constantly updating blogs on the Internet and the dark Web that publish the names and data stolen from victims who decline to pay.
So far, the crooks behind ProLock haven’t launched their own blog. But Abrams said the crime group behind it has indicated it is at least heading in that direction, noting that in his communications with the group in the wake of the Lasalle County attack they sent him an image and a list of folders suggesting they’d accessed sensitive data for that victim.
“I’ve been saying this ever since last year when the Maze ransomware group started publishing the names and data from their victims: Every ransomware attack has to be treated as a data breach now,” Abrams said.
Android developers using Google’s Firebase application development platform are being warned to check their configurations after security researchers discovered thousands of apps are leaking sensitive data.
News website Comparitech says a team analyzed 155,066 apps on the Google Play store, of which 11,730 had publicly exposed databases. Of those 4, 282 apps were leaking sensitive information including email addresses, user names, passwords, full names credit card data and photos of government-issued IDs.
In addition, of the 11,730 with publicly-exposed databases, 9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.
The story says Firebase is used by an estimated 30 per cent of all apps on the Google Play Store. If the tested apps are representative, an estimated 0.83 per cent of all Android apps on Google Play leak sensitive data through Firebase, says Comparitech. That would work out to roughly 24,000 apps.
The article says Google was notified on April 22nd. In response, Google said it’s “reaching out to affected developers to help them address these issues.”
Of the analyzed vulnerable apps, 24 per cent were games, 14,7 per cent were categorized as educational, six per cent related to entertainment, just under 5.3 per cent were business-related and 4.3 per cent were described as travel or local related.
A common Firebase misconfiguration allows attackers to easily find and steal data from storage, according to the article. By simply appending “.json” to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases. Google scrubs these vulnerable database URLs from its search results. However, the article adds, they are still indexed by other search engines like Bing.
App developers can use Firebase for a wide range of functions including authentication, hosting, cloud storage and as a real-time database. Google offers developers guidance on securing data.
As part of the launch of the U.S. space program’s moon shot, President Kennedy famously said we do these things “not because they are easy, but because they are hard.” The same can be said for the people responsible for security at their organizations; it is not a job one takes because it is easy. But it is critically important to keep our digital lives and work safe. And for the CISOs and leaders of the world, it is a job that is more than worth the hardships.
Recent research from Nominet paints a concerning picture of a few of those hardships. Forty-eight percent of CISO respondents indicated work stress had negatively impacted their mental health, this is almost double the number from last year’s survey. Thirty-one percent reported job stress had negatively impacted their physical health and 40 percent have seen their job stress impacting their personal lives. Add a fairly rapid churn rate (26 months on average) to all that stress and it’s clear CISOs are managing a tremendous amount of stress every day. And when crises hit, from incident response after a breach to a suddenly remote workforce after COVID-19, that stress only shoots higher.
Which is why we’re starting this new blog series called “CISO stress-busters.” In the words of CISOs from around the globe, we’ll be sharing insights, guidance, and support from peers on the front lines of the cyber workforce. Kicking us off—the main challenges that CISOs face and how they turn those obstacles into opportunity. The goal of the series is to be a bit of chicken (or chik’n for those vegans out there) soup for the CISO’s soul.
Today’s post features wisdom from three CISOs/Security Leaders:
- TM Ching, Security CTO at DXC Technology
- Jim Eckart, (former) CISO at Coca-Cola
- Jason Golden, CISO at Mainstay Technologies
Ask five different CEOs what their CISOs do and after the high level “manage security” answer you’ll probably get five very different explanations. This is partly because CISO responsibility can vary widely from company to company. So, it’s no surprise that many of the CISOs we interviewed touched on this point.
TM Ching summed it up this way, “Demonstrating my role to the organization can be a challenge—a role like mine may be perceived as symbolic” or that security is just here to “slow things down.” For Jason, “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec” can be difficult because execs “often think all of those disciplines are the same thing” and that since IT Ops has the products and solutions, they own security. Jim also bumped up against confusion about the security role with multiple stakeholders pushing and pulling in different directions like “a CIO who says ‘here is your budget,’ a CFO who says ‘why are you so expensive?’ and a general counsel who says ‘we could be leaking information everywhere.'”
- Educate Execs—about the role of a CISO. Helping them “understand that it takes a program, that it’s a discipline.” One inflection point is after a breach, “you may be sitting there with an executive, the insurance company, their attorneys, maybe a forensics company and it always looks the same. The executive is looking down the table at the wide-eyed IT person saying ‘What happened?’” It’s a opportunity to educate, to help “make sure the execs understand the purpose of risk management.”—Jason Golden. To see how to do this watch Microsoft CISO Series Episode 2 Part 1: Security is everyone’s Business
- Show Don’t Tell—“It is important to constantly demonstrate that I am here to help them succeed, and not to impose onerous compliance requirements that stall their projects.”—TM Ching
- Accountability Awareness—CISOs do a lot, but one thing they shouldn’t do is to make risk decisions for the business in a vacuum. That’s why it’s critical to align “all stakeholders (IT, privacy, legal, financial, security, etc.) around the fact that cybersecurity and compliance are business risk issues and not IT issues. IT motions are (and should be) purely in response to the business’ decision around risk tolerance.”—Jim Eckart
Fans of Boehm’s curve know that the earlier security can be introduced into a process, the less expensive it is to fix defects and flaws. But it’s not always easy for CISOs to get security a seat at the table whether it’s early in the ideation process for a new customer facing application or during financial negotiations to move critical workloads to the cloud. As TM put it, “Exerting influence to ensure that projects are secured at Day 0. This is possibly the hardest thing to do.” And because “some business owners do not take negative news very well” telling them their new app baby is “security ugly” the day before launch can be a gruesome task. And as Jason pointed out, “it’s one thing to talk hypothetically about things like configuration management and change management and here are the things that you need to do to meet those controls so you can keep your contract. It’s a different thing to get that embedded in operations so that IT and HR all the way through finance are following the rules for change management and configuration management.”
- Negotiate engagement—To avoid the last minute “gotchas” or bolting on security after a project has deployed, get into the conversation as early as possible. This isn’t easy, but as TM explains, it can be done. “It takes a lot of negotiations to convince stakeholders why it will be beneficial for them in the long run to take a pause and put the security controls in place, before continuing with their projects.”
- Follow frameworks—Well-known frameworks like the NIST Cybersecurity Framework, NIST SP800-53, and SP800-37 can help CISOs “take things from strategy to operations” by providing baselines and best practices for building security into the entire organization and systems lifecycle. And that will pay off in the long run; “when the auditors come calling, they’re looking for evidence that you’re following your security model and embedding that throughout the organization.” —Jason
Wouldn’t it be wonderful if every company had a security mindset and understood the benefits of having a mature, well-funded security and risk management program? If every employee understood what a phish looks like and why they should report it? Unfortunately, most companies aren’t laser focused on security, leaving that education work up to the CISO and their team. And having those conversations with stakeholders that sometimes have conflicting agendas requires technical depth and robust communication skills. That’s not easy. As Jim points out, “it’s a daunting scope of topics to be proficient in at all levels.”
- Human firewalls—All the tech controls in the world won’t stop 100 percent of attacks, people need to be part of the solution too. “We can address administrative controls, technical controls, physical controls, but you also need to address the culture and human behavior, or the human firewalls. You know you’re only going to be marginally successful if you don’t engage employees too.” —Jason
- Know your audience—CISOs need to cultivate “depth and breadth. On any given day, I needed to move from board-level conversations (where participants barely understand security) all the way to the depths of zero day vulnerabilities, patching, security architecture.” —Jim
Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to me on LinkedIn and let me know what you thought of this article and if you’re interested in being interviewed for one of our upcoming posts.
The California Consumer Privacy Act is a lesson in missed opportunities. It was passed in haste, to stop a ballot initiative that would have been even more restrictive:
In September 2017, Alastair Mactaggart and Mary Ross proposed a statewide ballot initiative entitled the "California Consumer Privacy Act." Ballot initiatives are a process under California law in which private citizens can propose legislation directly to voters, and pursuant to which such legislation can be enacted through voter approval without any action by the state legislature or the governor. While the proposed privacy initiative was initially met with significant opposition, particularly from large technology companies, some of that opposition faded in the wake of the Cambridge Analytica scandal and Mark Zuckerberg's April 2018 testimony before Congress. By May 2018, the initiative appeared to have garnered sufficient support to appear on the November 2018 ballot. On June 21, 2018, the sponsors of the ballot initiative and state legislators then struck a deal: in exchange for withdrawing the initiative, the state legislature would pass an agreed version of the California Consumer Privacy Act. The initiative was withdrawn, and the state legislature passed (and the Governor signed) the CCPA on June 28, 2018.
Since then, it was substantially amended -- that is, watered down -- at the request of various surveillance capitalism companies. Enforcement was supposed to start this year, but we haven't seen much yet.
And we could have had that ballot initiative.
It looks like Alastair Mactaggart and others are back.
Advocacy group Californians for Consumer Privacy, which started the push for a state-wide data privacy law, announced this week that it has the signatures it needs to get version 2.0 of its privacy rules on the US state's ballot in November, and submitted its proposal to Sacramento.
This time the goal is to tighten up the rules that its previously ballot measure managed to get into law, despite the determined efforts of internet giants like Google and Facebook to kill it. In return for the legislation being passed, that ballot measure was dropped. Now, it looks like the campaigners are taking their fight to a people's vote after all.
The new proposal would add more rights, including the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation. It would also triples existing fines for companies caught breaking the rules surrounding data on children (under 16s) and would require an opt-in to even collect such data.
The proposal would also give Californians the right to know when their information is used to make fundamental decisions about them, such as getting credit or employment offers. And it would require political organizations to divulge when they use similar data for campaigns.
And just to push the tech giants from fury into full-blown meltdown the new ballot measure would require any amendments to the law to require a majority vote in the legislature, effectively stripping their vast lobbying powers and cutting off the multitude of different ways the measures and its enforcement can be watered down within the political process.
I don't know why they accepted the compromise in the first place. It was obvious that the legislative process would be hijacked by the powerful tech companies. I support getting this onto the ballot this year.
EDITED TO ADD(5/17): It looks like this new ballot initiative isn't going to be an improvement.
Eleven companies, ranging from online marketplaces to news websites, have had their user databases poached
The post Over 160 million user records put up for sale on the dark web appeared first on WeLiveSecurity
The threat landscape is littered with various malware families being delivered in a constant wave to enterprises and individuals alike. The majority of these threats have one thing in common: money. Many of these threats generate revenue for financially motivated adversaries by granting access to data stored on end systems that can be monetized in various ways. To maximize profits, some malware authors and/or malware distributors go to extreme lengths to evade detection, specifically to avoid automated analysis environments and malware analysts that may be debugging them. The Astaroth campaigns we are detailing today are a textbook example of these sorts of evasion techniques in practice.
The threat actors behind these campaigns were so concerned with evasion they didn’t include just one or two anti-analysis checks, but dozens of checks, including those rarely seen in most commodity malware. This type of campaign highlights the level of sophistication that some financially motivated actors have achieved in the past few years. This campaign exclusively targeted Brazil, and featured lures designed specifically to tailor to Brazilian citizens, including COVID-19 and Cadastro de Pessoas Físicas status. Beyond that, the dropper used sophisticated techniques and many layers of obfuscation and evasion before even delivering the final malicious payload. There’s another series of checks once the payload is delivered to ensure, with reasonable certainty, that the payload was only executed on systems located in Brazil and not that of a researcher or some other piece of security technology, most notably sandboxes. Beyond that, this malware uses novel techniques for command and control updates via YouTube, and a plethora of other techniques and methods, both new and old.
This blog will provide our deep analysis of the Astaroth malware family and detail a series of campaigns we’ve observed over the past nine to 12 months. This will include a detailed walkthrough of deobfuscating the attack from the initial spam message, to the dropper mechanisms, and finally to all the evasion techniques astaroth has implemented. The goal is to give researchers the tools and knowledge to be able to analyze this in their own environments. This malware is as elusive as it gets and will likely continue to be a headache for both users and defenders for the foreseeable future. This will be especially true if its targeting moves outside of South America and Brazil.
The post Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer appeared first on Cisco Blogs.
If you have been trying to find love on the Zoosk app I’ve got some bad news for you.
Hackers are offering for sale what they claim is the stolen account information of millions of online daters who have used the popular app.
I seem to have spent a fair amount of my time recently talking to a variety of people about “zero days” and the one thing that has really struck me is that almost everyone has a different view on what a “zero day” actually is….so I figured the time had come to try and add a little clarity to the situation.
For those of you really short on time, let’s be clear – zero days do exist, and they can be highly damaging, but there are many other things both easier to fix and with a greater Return on Investment for most organizations. So, step 1 should be to fix things like patching and user education before devoting limited resources to the actually tiny minority of truly zero day attacks.
And for those of you with a little more time on your hands, let’s examine why that last paragraph recommends what it does. First things first, we should talk about vulnerabilities and exploits because whilst the 2 are clearly linked they are, of course, very different. In simple terms a vulnerability is a weakness or error in a piece of code. An exploit is a separate piece of code that takes advantage of that vulnerability to enable the bad guys to achieve their goals.
The term “zero day” is valid in both contexts. It’s typically used in reference to an exploit – but not always – and in my experience, that creates some of the confusion. As a side note, in the fast-moving world of IT security and malware, confusion among security teams can only ever be a bad thing for those of us working hard to stop the bad guys from profiting. I will try to be clear in which context I’m using it throughout this blog.
So, let’s take a look at some of the more common interpretations of “zero day” and examine which ones are valid:
1) “No signature exists in my current antivirus so it can’t detect this ‘zero day’ malware.”
There are more than 725,000 new malware files released each day, but the vast majority of this is simply recompiled versions of existing malware with a new file hash. A new hash does not equal zero day malware.
2) “I’ve never seen a piece of malware get delivered like that before”
Cyber criminals are always looking for a new way to deliver their payloads and they can be pretty creative, but the moniker zero day should be reserved for malware itself and not the method of distribution.
3) “There is a vulnerability in my system which I haven’t yet got around to patching.”
There are many reasons why patches are not always immediately applied (some of them are even acceptable!) but if a piece of malware ends up exploiting a known and unpatched vulnerability, that doesn’t retroactively turn this (possibly quite old) piece of malware into a zero day version.
4) “There is a whole new type of malware”
This must surely count as a ‘zero day’ right? I’m going to argue that it doesn’t. A new type of malware is likely to mean the cyber criminals have different goals. When crypto-malware (or ransomware as it’s commonly known) began to hit people in force, this indicated that the bad guys had come up with a new way to make money – extortion. But the vulnerabilities being exploited to execute their code and the mechanisms of delivering that code to their victims’ machines were the same as before….and on that basis I wouldn’t count it as ‘zero day’.
5) “I’m aware of a newly discovered vulnerability but there is no patch currently available to fix it” (or potentially such a recent patch that there has not been an opportunity to test it within my organization)
In reality this is a rare event, however I would argue that in the event there is no patch available and therefore no way to update systems to protect against the vulnerability that this can be considered to be a ‘zero-day’ vulnerability.
6) “An unknown vulnerability has been discovered and exploited by the bad guys”
In this example nobody except the cyber criminals is even aware a vulnerability exists – and therefore nobody is even trying to fix it. THIS is a true ‘zero day’ threat….fortunately though they are actually pretty rare.
So, what does all this mean from a security perspective?
That’s going to be the subject of my next blog, so watch this space…..
A hacking group known as ShinyHunters is claiming to be responsible for the security breach, and is offering to sell stolen customer records for US $3,500 via an underground web marketplace.
Read more in my article on the Hot for Security blog.
After being targeted by an Android DDoS app, ESET seized the opportunity to analyze the attack and to help put an end to it
The post Breaking news? App promises news feeds, brings DDoS attacks instead appeared first on WeLiveSecurity
The United States Marshals Service announced a data breach involving the personal information of its former and current prisoners. In a data breach notification letter obtained by ZDNet, the U.S. Marshals Service revealed that it had first learned of the security incident in late 2019. On December 30, 2019, the United States Marshals Service (USMS), […]… Read More
The post U.S. Marshals Announced Data Breach of Prisoners’ Information appeared first on The State of Security.
“Alexa, turn on the TV.”
”Get it yourself.”
This nightmare scenario could play out millions of times unless people take steps to protect their IoT devices. The situation is even worse in industrial settings. Smart manufacturing, that is, Industry 4.0, relies on tight integration between IT systems and OT systems. Enterprise resource planning (ERP) software has evolved into supply chain management (SCM) systems, reaching across organizational and national boundaries to gather all forms of inputs, parting out subcomponent development and production, and delivering finished products, payments, and capabilities across a global canvas.
Each of these synergies fulfills a rational business goal: optimize scarce resources across diverse sources; minimize manufacturing, shipping, and warehousing expense across regions; preserve continuity of operations by diversifying suppliers; maximize sales among multiple delivery channels. The supply chain includes not only raw materials for manufacturing, but also third party suppliers of components, outsourced staff for non-core business functions, open source software to optimize development costs, and subcontractors to fulfill specialized design, assembly, testing, and distribution tasks. Each element of the supply chain is an attack surface.
Software development has long been a team effort. Not since the 1970s have companies sought out the exceptional talented solo developer whose code was exquisite, flawless, ineffable, undocumented, and impossible to maintain. Now designs must be clear across the team, and testing requires close collaboration between architects, designers, developers, and production. Teams identify business requirements, then compose a solution from components sourced from publically shared libraries. These libraries may contain further dependencies on yet other third-party code of unknown provenance. Simplified testing relies on the quality of the shared libraries, but shared library routines may have latent (or intentionally hidden) defects that do not come to life until in a vulnerable production environment. Who tests GitHub? The scope of these vulnerabilities is daunting. Trend Micro just published a report, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” that surveys the Industry 4.0 attack surface.
Within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. Industrial robots provide a clear example. Industrial robots are tireless, precision machines programmed to perform exacting tasks rapidly and flawlessly. What did industry do before robots? Factories either relied on hand-built products or on non-programmable machines that had to be retooled for any change in product specifications. Hand-built technology required highly skilled machinists, who are expensive and require time to deliver. See Figure 1 for an example.
Non-programmable robots require factory down time for retooling, a process that can take weeks. Before programmable industrial robots, automobile factories would deliver a single body style across multiple years of production. Programmable robots can produce different configurations of materials with no down time. They are used everywhere in manufacturing, warehousing, distribution centers, farming, mining, and soon guiding delivery vehicles. The supply chain is automated.
However, the supply chain is not secure. The protocols industrial robots depend on assumed the environment was isolated. One controller would govern the machines in one location. Since the connection between the controller and the managed robots was hard-wired, there was no need for operator identification or message verification. My controller would never see your robot. My controller would only connect to my robot, so the messages they exchanged needed no authentication. Each device assumed all its connections were externally verified. Even the safety systems assumed the network was untainted and trustworthy. No protocols included any security or privacy controls. Then Industry 4.0 adopted wireless communications.
The move, which saved the cost of laying cable in the factory, opened those networks to eavesdropping and attacks. Every possible attack against industrial robots is happening now. Bad guys are forging commands, altering specifications, changing or suppressing error alerts, modifying output statistics, and rewriting logs. The consequences can be vast yet nearly undetectable. In the current report on Rogue Robots, our Forward-looking Threat Research team, collaborating with the Politecnico di Milano (POLIMI), analyzes the range of specific attacks today’s robots face, and the potential consequences those attacks may have.
Owners and operators of programmable robots should heed the warnings of this research, and consider various suggested remedies. Forewarned is forearmed.
The Rogue Robots research is here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security.
The new report, Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis, is here: https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems.
What do you think? Let me know in the comments below, or @WilliamMalikTM.
The post Securing Smart Manufacturing appeared first on .
Joff Thyer // Introduction If there is anything that the start of 2020 has taught us, it is that Internetworking services are in higher demand than ever before. IPv4 is exhausted, and by that I mean there is none, it is tired, worn out, overused, abused, and beyond its end of life. Besides our heroic […]
The post Securely Deploying IPv6 in 2020 Part 1: Internet Facing Perimeter appeared first on Black Hills Information Security.
Digital attacks continue to exploit coronavirus 2019 (COVID-19) as part of their malicious operations. On May 5, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) along with the United Kingdom’s National Cyber Security Centre (NCSC) published a joint alert in which they revealed that they had witnessed APT actors targeting […]… Read More