U.S. Gives Cyber-security Advice to Critical Infrastructure Operators—But No Rules
The U.S. government, finally realizing that it has to take action to ensure a minimum level of cybersecurity in networks that manage the nation’s energy, water and financial services, presented the Framework for Improving Critical Infrastructure Security on Wednesday. The document, which was put together by industry and government experts, is a compilation of cybersecurity standards and best practices; it is the result of the year-old Executive Order 13636, under which President Barack Obama directed operators of critical infrastructure to provide guidance for defending their networks.
“While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity,” Obama said in a statement. “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”
The 41-page document describes itself as a complement to industries’ existing risk management practices. What remains to be seen is whether this “guidance” will make firms that have minimal safeguards in place immediately take action to update or reconfigure their systems. Something tells me that a book of suggestions without force of law will not do the trick.
Industrial Control Systems Unguarded
Security researchers have been taking creators of industrial control systems and devices like programmable logic controllers to task for the abject lack of security controls that would prevent networks, and the facilities they run, from being taken over by hackers. But many products and systems remain insecure. That was the focus of a talk by researcher Jonathan Pollet, founder of Red Tiger Security, at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic, on Tuesday.
Referring to the maddening state of play in industrial cybersecurity, he said, “It’s like hacking in the 1980s and 1990s,” when IT software and hardware vendors typically buried their heads in the sand, hoping that researchers presenting vulnerability reports would eventually go away if the companies ignored them long enough. According to a Kaspersky Threatpost article, Pollet recalls, “being at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.”
Did he have credentials giving him access to the system? No. Did he face much difficulty in reconfiguring the control system for a machine that thousands of people would ride that same day? Nope. Now imagine that scenario if Pollet’s intentions had been nefarious.
That anecdote was but one example of the widespread lack of authentication, failure to use encryption, and lack of monitoring in critical systems—even after security holes are reported. Pollet said that when he does hear from industrial control and automation vendors, they present excuses such as protocols aren’t ready or that security is difficult to build in.
“All these excuses aren’t really excuses,” he said during his talk. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”
Automakers Keep Cybersecurity Discussions in Park
In another talk at this week’s Kaspersky Security Analyst Summit, security researchers Charlie Miller and Chris Valasek reported that a year after they published a detailed paper showing a series of cyberattacks that enabled them to control the steering, braking and other functions in some cars, they’ve heard nary a word from automakers about the exploits. In other words, Miller and Valasek have had neither the opportunity to explain which weakness the attacks take advantage of, nor the chance to help design systems to prevent or at least detect intrusions. Miller, referring to the automobile manufacturers, said, “We have no idea what they’re doing. They could be building something, but it could be years down the line.”
By the Power Vested In Me by Me, Myself, and I…
Dozens of phony SSL certificates spoofing legitimate ones for banks, e-commerce sites, ISPs, and social networks were discovered this week. The unsigned certificates could put people who use apps or other software that access the Internet—but don’t necessarily check the legitimacy of SSL certificates—at risk for man-in-the-middle attacks. Netcraft, a British security firm, provided details about the bogus certs on its blog.
Apparently the various certificates have different purposes. For example, a fake YouTube cert blocked residents of Pakistan from accessing the site, a phony iTunes cert was a linchpin in an online scam, and a fraudulent Facebook cert redirected users to a phishing site.
Data Breach Roundup: January 2014
Many data breaches that occurred in January highlight the importance of user education. Knowledgeable users are less likely to engage in behavior that poses security risks.
Each month, eSecurity Planet looks back at the data breaches we’ve covered over the past 30 days or so, providing an admittedly unscientific but (we hope) interesting overview of the current breach landscape.
To get some perspective on the current range of threats and recent breaches, eSecurity Planet spoke with Giovanni Vigna, co-founder and CTO of Lastline and a professor at the University of California, Santa Barbara.
Regarding the recent high-profile data breaches at Target and Neiman Marcus, Vigna says it’s worth noting that retailers in general are particularly vulnerable to such attacks. "They’re super-dispersed, they have sometimes hundreds and hundreds of separate offices and separate point-of-sale devices – and all of these are very difficult to protect in an integrated way," he says.
Any effective security solution for a retailer, Vigna says, needs to be able to monitor all point-of-sale devices from a central location.
"The idea that POS and terminals are just devices and cannot be compromised, that’s gone out the window. They’re Windows machines that can be hacked, like any others," he says. "The problem is that for certain industries, investment in this type of security is very difficult to motivate, because there are very, very tight margins."
Importance of User Education
At the same time, several other types of breaches – laptop thefts, employee error, and insider breaches – are far more low-tech.
"We call it PEBKAC – problem exists between keyboard and chair," Vigna says. "Oftentimes, security issues come down to the person, and I think there’s an incredibly important and incredibly underestimated value in educating people on security. If you go to a company, you’ll get trained on pretty much everything – sales, strategies – but how much training in security will you get?"
That training, Vigna says, can be as simple as ensuring the implementation of basic policies, like requiring the use of two-factor authentication.
"You can have all the security you want, but if somebody leaves their laptop unencrypted, someone can just pick it up and have full access to everything – especially with long-lasting, single sign-on access, where if I have your Twitter password, now I can use Twitter authentication to move to all these other services," he says. "People don’t realize how having a person’s device, even a cell phone, can really break the security of a whole company."
For mobile devices in particular, Vigna says it can make a huge difference simply to implement password protection, along with the ability to wipe a device if it’s stolen. "You have to understand that if somebody is NSA-level motivated to break into your company, they will … but you can do a lot to prevent the generic, opportunistic attack of the guy who just steals a laptop," he says.
Still, Vigna says, corporate culture can make that very difficult to implement. "I’ve seen situations in which the techies say, 'Hey, if we put Google Authenticator on our Gmail, we completely solve the problem of stolen Gmail accounts – can we please do that?' And it’s management that says, 'No, I don’t know how to set it up, I don’t want to have to put in a number – no, absolutely not.'"
And that’s what has to change, he says.
"Even the best security tool cannot solve the problem if we are not able to, as a culture, provide the user with the sensitivity and the type of attention to what’s happening in the cyber world that we have in the physical world," Vigna says.
A person who would be cautious when walking through an empty parking lot at night often will not exhibit the same caution when dealing with potential cyber threats, he says. "Unfortunately, the cyber world is very new to a lot of us, and that type of culture has not percolated down to people enough. So when they see an attachment, their first thought isn’t, 'What is this attachment?' Their first thought is, 'I’m going to click on it.' And until we change that culture, you can have a lot of good security, but you’ll always find somebody who shoots themselves in the foot."
Among the data breaches that occurred in January:
An undisclosed number of Burlington, Vt. residents’ Social Security numbers were mistakenly published online as part of an agenda item posted on the city council’s website; Nebraska’s Sidney Regional Medical Center notified employees and job applicants that their personal information had been made available online by mistake; and the U.S. Department of Veterans Affairs eBenefits website briefly provided site visitors with access to other users’ personal, medical and financial information due to a “software defect.”
Third party vendors were also a source of such breaches. EasyDraft, which processes payments for Bright Horizons Family Solutions, notified current and former Bright Horizons customers that their names and bank account details were mistakenly made available online; and Virginia’s Loudoun County Public Schools said an error by third-party provider Risk Solutions International made students’ and staff members’ personal information accessible online.
A breach at software provider BigTree Solutions may have exposed credit card information for customers of food delivery services BringItToMe.com and The Bike Waiter; hackers stole more than a million credit and debit card numbers from Neiman Marcus’ point-of-sale systems; and data on approximately 6,000 medical responses was stolen from Washington’s North East King County Regional Public Safety Communication Agency (NORCOM).
Orient-Express Hotels notified an undisclosed number of customers that their names, credit/debit card numbers, expiration dates and security codes may have been exposed when an attacker accessed seven company email accounts; the Puerto Rico College of Physicians and Surgeons was hacked, exposing the personal information of all doctors licensed to practice in Puerto Rico; and unidentified hackers claimed to have leveraged a security flaw in the Snapchat app to access 4.6 million users’ phone numbers and user names.
The encrypted credit or debit card information of 93,389 Staysure customers was stolen when the company’s systems were breached; The Straight Dope message board was hacked, exposing user names, email addresses and hashed passwords; and hackers stole an undisclosed number of donors’ personal and financial information from the U.S. Fund for UNICEF.
An undisclosed number of wichcraft customers’ credit or debit card information was stolen when the company’s servers were breached, and a hacker claimed to have breached the website for the World Poker Tour Amateur Poker League (WPTAPL), and leaked 175,333 email addresses and clear text passwords.
Several hacker groups are still active. ObeySec hackers breached the website for the Directors Guild of Canada and leaked 2,031 user names, email addresses and clear text passwords, and members of Anonymous defaced Monsanto’s Korean website and leaked what appeared to be two user names, email addresses and plain text passwords.
Hackers regularly leverage malware. Hackers may have accessed the personal and medical information of patients at Barry University’s Foot and Ankle Institute after a school laptop was infected with malware, and a malware infection provided attackers with access to the personal and health information of an undisclosed number of customers of Edgepark Medical Supplies.
Third-party vendors are a common weak point. A breach of a Web portal run by REI Systems for the Department of Homeland Security exposed private documents and financial information for at least 114 companies that bid on a contract in 2013; Easton-Bell Sports notified several customers that their personal and financial information may have been exposed when a third-party vendor’s servers were infected with malware; T-Mobile USA notified customers that their personal information, including names, addresses and Social Security numbers or driver’s license numbers, may have been exposed when a third-party supplier’s servers were hacked; and an undisclosed number of Yahoo Mail passwords were reset after the company discovered what it described as “a coordinated effort to gain unauthorized access” to the accounts, using passwords that it said were “likely collected from a third-party database compromise.”
The City of Sumner, Wash., fired a temporary municipal court clerk after she forwarded information on 3,600 people to her personal email account; a Korea Credit Bureau employee was arrested and charged with stealing at least 20 million people’s names, Social Security numbers and credit card numbers; and a former Riverside Health System employee inappropriately accessed 919 patients’ medical records, including their Social Security numbers and medical history.
Third-party vendors were the source of insider breaches as well. Colorado’s Department of Health Care Policy and Financing informed 1,918 clients that a temporary employee of a third-party contractor had inappropriately accessed their names, addresses, birthdates and protected health information.
Laptop/Drive Theft or Loss
Barnabas Health patients’ medical information may have been exposed when an unencrypted laptop was stolen; 74,000 current and former Coca-Cola employees, contractors and suppliers’ personal information may have been exposed when several unencrypted company laptops were stolen; and New Mexico Oncology and Hematology Consultants notified 12,354 patients that their protected health information may have been exposed when a laptop was stolen.
Georgia’s Phoebe Putney Memorial Hospital said 6,777 patients’ personal information may have been exposed when an unencrypted computer was mistakenly discarded, and the personal information of 41,437 Unity Health Insurance customers may have been exposed when a portable hard drive was lost.
The personal or medical information of approximately 1,800 UC Davis Health System patients may have been exposed when three UC Davis’ physicians’ email accounts were compromised by phishing attacks.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.