Tag Archives: ThirdCertainty

‘Smart Cities’ Are Wide Open to Hackers

A monster storm is on a collision course with New York City, and an evacuation is underway. The streets are clogged, and then it happens. Every traffic light turns red. Within minutes, the world’s largest polished diamond, the Cullinan I, on loan to the Metropolitan Museum of Art from the collection of the British crown jewels, is whisked away by helicopter.

While this may sound like the elevator pitch for an action film, the possibility of such a scenario is more fact than fiction these days.

Cesar Cerrudo is the chief technology officer at IOActive Labs, a global security firm that assesses hardware, software and wetware (that is, the human factor) for enterprises and municipalities. A year ago, Cerrudo made waves when he demonstrated how 200,000 traffic sensors located in major cities around the U.S. — including New York, Seattle, Washington, D.C., and San Francisco — as well as in the U.K., France and Australia, could be disabled or reprogrammed because the Sensys Networks sensor system that regulated them was not secure. According to ThreatPost, these sensors “accepted software modifications without double-checking the code’s integrity.” Translation: There was a vulnerability that made it possible for hackers to reprogram traffic lights and snarl traffic.

A widely reported discovery, first discussed last year at a “black hat” hacker convention in Amsterdam, highlighted a more alarming scenario than the attack of the zombie traffic lights. Researchers Javier Vazquez Vidal and Alberto Garcia Illera found that it was possible, through a simple reverse engineering approach to smart meters, for a hacker to order a citywide blackout.

The array of attacks made possible by the introduction of smart systems is wide. With every innovation, a city’s attackable surface grows. The boon of smart systems brings with it the need for responsibility. It is critical for municipalities to ensure that these systems are secure. Unfortunately, there are signs out there of a responsibility gap.

According to the New York Times, Cerrudo successfully hacked the same traffic sensors that made news last year, this time in San Francisco, despite reports that the vulnerabilities had been addressed after the initial flurry of coverage when he revealed the problem a year ago. It bears saying the obvious here: Cerrudo’s findings are alarming.

The integration of smart technology into municipalities is a new thing. The same Times article notes that the market for smart city technology is expected to reach $1 trillion by 2020. As with all new technology, compromises are not only possible, but perhaps even likely, in the beginning. The problem here is that we’re talking about large, populous cities. As they become ever more wired, they become more vulnerable.

The issue is not dissimilar from the one facing private-sector leaders. Organizations must constantly defend against a barrage of advanced and persistent attacks from an ever-growing phalanx of highly sophisticated hackers. Some of them work alone. Still others are organized into squadrons recruited or sponsored by foreign powers — as we have seen with the North Korean attack on Sony Pictures and the megabreach of Anthem, suspected to be at the hand of Chinese hackers — for a variety of purposes, none of them good.

The vulnerabilities are numerous, ranging from the power grid to the water supply to the ability to transport food and other necessities to where they are needed. As Cerrudo told the Times, “The current attack surface for cities is huge and wide open to attack. This is a real and immediate danger.”

The solution, however, may not be out of reach. As with the geometric expansion of the Internet of Things market, there is a simple problem here: lack of familiarity at the user level — where human error is always a factor — with proper security protocols. Those protocols are no secret: encryption, long and strong password protection and multifactor authentication for users with security clearance.

While the protocols are not a panacea for the problems that face our incipiently smart cities, they will go a long way toward addressing security hazards and pitfalls.

Cerrudo also has advocated the creation of computer emergency response teams (CERTs) “to address security incidents, coordinate responses and share threat information with other cities.” While CERTs are crucial, the creation of a chief information security officer role in municipal government to quarterback security initiatives and direct defense in a coordinated way may be even more crucial to the problems that arise from our new smart cities. In the pioneering days of the smart city, there are steps that municipalities can take to keep their cities running like clockwork.

It starts with an active approach to security.

This article was written by ThirdCertainty contributor Adam Levin. Levin is chairman and co-founder of Credit.com and Identity Theft 911. His experience as former director of the New Jersey Division of Consumer Affairs gives him unique insight into consumer privacy, legislation and financial advocacy. He is a nationally recognized expert on identity theft and credit.

2015 Is Watershed for Healthcare Hacking

Predictions that 2015 would be a watershed year for stolen healthcare records are bearing out.

Health insurer Premera Blue Cross has disclosed that a cyber attack that commenced in May 2014 resulted in exposure of medical data and financial information of 11 million customers. Stolen records included claims data and clinical information, as well as financial account numbers, Social Security numbers, birth dates and other personal data. The Premera breach appears to involve a record number of victims.

Records for some 80 million people were stolen from the nation’s No. 2 insurer Anthem, and records for 4.5 million people were hacked from Community Health Systems, parent of 206 hospitals in 29 states, disclosed last summer. But the Anthem and CHS breaches involved the theft of personal data only, not medical records.


Personal and medical records are the building blocks for the worst forms of identity theft. With Premera, “hackers not only got the skeleton keys to lives, they got the key ring and the key chain,” says Adam Levin, chairman and co-founder of identity and data risk management consultancy, IDT911, which sponsors ThirdCertainty. “Members and employees whose data was exposed – especially their SSNs – will be forced to look over their shoulders for the rest of their lives.”

Seattleites hit hard

More than half of the victims — about 6 million Premera patrons — reside in Washington state, including employees of Amazon, Microsoft and Starbucks. These companies now are prime targets for spear phishing attacks. It doesn’t take much imagination for a criminal to use stolen data to create spoofed accounts, pose as a trusted colleague, and send malicious email and social media posts to fellow employees as a way to breach any of these corporate networks.

On a lower rung of criminal activity, a whole generation of scammers who’ve mastered fraudulent online transactions using stolen credit card account numbers are ready to move to the next level, observes Lisa Berry-Tayman, senior privacy and governance advisor at IDT911 Consulting.

“Criminals learn,” Berry-Tayman says. “The credit card thief steals the data, charges until the account is closed and the money is gone. To steal more money over a longer period of time, he or she must think bigger, and bigger is identity theft. Why just spend their money for a finite period of time when you can become them and spend their money for years and years?”

The healthcare industry has arisen as a target because it has moved aggressively to get rid of paper records and to collect, store and make use of healthcare data in digital form. The goal: to boost productivity. Trouble is, the healthcare industry, like many other industries, continues to make the digital push, including intensive use of the Internet cloud, without adequately accounting for security basics, security experts argue.


“Today’s Premera breach news once again demonstrates the failure of flawed, outdated assumptions, an over-reliance on guard-the-entry-point security and simplistic single-key encryption schemes,” says Richard Blech, CEO of encryption technology company Secure Channels. “This is a quaint and dangerous approach to a 21st century problem.”

Trent Telford, CEO of data security company Covata, agrees. “For many of these companies, data security has been an afterthought or something they did not deem necessary,” Telford says. “However, this breach again highlights how vulnerable the health care and insurance industries are to attacks. People are entrusting these organizations with their personal information, and it is the responsibility of corporations to take appropriate steps to ensure it is protected – this must include data encryption.”

Common culprits?

Premera is keeping details of how the breach was carried out close to the vest. The FBI and IT forensics specialist Mandiant, a division of FireEye, are investigating. A good guess is that Premera was the focus of a targeted attack, says Josh Cannell, malware intelligence analyst at Malwarebytes Labs.

“A vast majority of cyberattacks targeting enterprise networks originate by attackers gaining access to internal networks through social engineering techniques like phishing/spear phishing e-mails that closely resemble something employees are familiar with,” Cannell says. “Once attackers have an access point inside an enterprise network, they can then use privilege escalation techniques and install malware to maintain a presence on the network.”

Cannell says it’s plausible the same hacking collective hit Anthem and Premera. “Since the attack happened around the same time as the Anthem breach, and was targeting a similar organization, it seems reasonable to say the threat likely originated from the same actors,” Cannell says.

Geopolitical Goals for Healthcare Hacking?

Did China orchestrate the massive hack of Anthem, the nation’s No. 2 healthcare insurer, to steal intellectual property it needs to jump start a domestic healthcare system?

That’s one scenario being discussed by the security community and would fit the pattern of not just China, but other nations, stepping up cyber attacks to pursue geo-political goals.

CrowdStrike’s 2014 Global Threat Report details how China remains by far the most active nation conducting cyber espionage campaigns. Hot on China’s heels, in terms of executing concerted hacks for nationalistic gain, are Russia, Iran and North Korea, the nation President Obama blamed for the Sony Pictures hack.

“China is a giant vacuum cleaner for intelligence,” Adam Meyers, CrowdStrike’s vice president of intelligence, tells ThirdCertainty. “They’re targeting dozens and dozens of organizations, going after intellectual property and trade secrets.”


One particularly active Chinese hacking collective, dubbed Hurricane Panda, specializes in cracking the networks of Internet services, engineering and aerospace firms. Hurricane Panda uses “an arsenal of exploits” and has pioneered ways to slip into a network, then stealthily escalate privileges to roam deeper.

While some of the data stolen by nation state-backed hackers most likely gets sold for profit, these attackers exist primarily to pursue strategic goals — in China’s case to accelerate the development of domestic infrastructure to serve its massive population, which is rapidly becoming more Westernized.

CrowdStrike’s threat report follows news pointing to Chinese hackers, referred to as Deep Panda, as the culprits behind stealing healthcare personal information for 80 million Anthem plan members and employees.

CrowdStrike is not directly involved in the Anthem investigation. That said, Meyers tells ThirdCertainty that his firm has monitored Deep Panda targeting other healthcare organizations in the past.

China is dealing with a rising middle class for the first time in its history, he says. Smoking, drinking and poor eating habits are on the rise, with associated medical conditions sure to follow that are all too familiar in the West.

“They are dealing with diabetes, heart conditions and cancers at a large scale for the first time,” Meyers said. Rather than import healthcare services, China prefers to rapidly build a homegrown system and appears to be willing to steal intellectual property to do so.

“They want to be able to serve their own domestic market for heart splints, diagnostic equipment and the like,” Meyers says. Hacking healthcare organizations could give China “the ability to leapfrog the design, test and build phases.”

New attack model

While China may run the most focused cyber spying operation, smaller nations, like Iran and North Korea, are discovering how cyber attacks can tilt the balance in geo-political disputes against a much more powerful adversary, namely the U.S.

In response to economic sanctions imposed by the U.S. to stem Iran’s development of nuclear capability, Iran-backed hacking groups heavily targeted the financial sector in 2013, and in 2014 turned their focus to U.S. aerospace, defense and energy targets, CrowdStrike reports.

And North Korea appears to have derived a model that could stir smaller nations to develop cyber attack strategies to gain political leverage on the global stage. The Sony Pictures hack embarrassed a Fortune 100 company and compelled President Obama to chastise North Korea.

Cyber attacks have become a kind of twisted diplomacy. “It’s a viable way to coerce an adversary into doing something,” Meyers says. “I think we’re going to see this practice continue.”

The Dangers Lurking in Public WiFi

Free WiFi access points (APs) are a great convenience for consumers and can be a productivity booster for business travelers. But they also present ripe opportunities for hackers. ThirdCertainty asked Corey Nachreiner, WatchGuard Technologies’ director of security strategy, to outline this exposure.

3C: What risks do consumers and business travelers take when using WiFi services in public venues such as airports, hotels and coffee shops?

Nachreiner: The exposure is potentially huge. It’s natural for people to congregate and wait in places like airports and hotels and use public WiFi access. So these are ideal locations for attackers to set up faked WiFi APs.

This is possible because SSIDs (wireless networks) used in these locations are widely trusted; names like AT&T Wi-Fi, XFINITY WiFi, Boingo Wi-Fi and Free WiFi. It is easy for an attacker to broadcast a faked AP using these familiar names to entice victims to connect via the attacker’s AP. Furthermore, if your computer has connected to the legit access point in the past, it may automatically connect to the faked one.


3C: If I connect to the Internet via a faked WiFi connection, do I still get on the web?

Nachreiner: Yes, but now the attacker can see what you’re doing, infect your computer and set up man-in-the-middle attacks that can steal your account credentials and work files.

3C: Does part of this have to do with the venues – the hotels and book shops – not bothering to lock down the free WiFi access?

Nachreiner: Yes. 80% of hospitality WiFi networks don’t require a unique password, and 50% do not secure or monitor their networks. I can share many stories about how easy it is to set up a faked AP in public areas and watch people join.

3C: This exposure has been out there since WiFi started going public more than a decade ago. So how intensively have the bad guys been exploiting this?

Nachreiner: Bad guys are definitely exploiting this. I’m a fairly regular business traveler. I’ve found suspicious and very likely malicious APs on two out of 10 trips. I’ve been on hotel networks where my security tools show other guests on the network trying to connect to my shares.

Whether they were just curious guests or malicious attackers is hard to say. But hotel networks are the perfect place for attackers to find victims.

3C: Right, that’s what happened in the so-called DarkHotel attack.

Nachreiner: Exactly, one of our partners, Kaspersky, discovered attackers targeting the third-party WiFi vendor of a specific hotel. They were seeking intelligence on certain guests they knew would be staying at the hotel. They used the compromised wireless network to infect the computers of their targeted victims.

This was a very sophisticated attack and not the norm. That said, it’s more common to find basic criminals putting up faked hotel network connections to steal information from guests opportunistically.
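As an added example (not code from the interview, WatchGuard or ThirdCertainty), here is a small detector that applies the indicators Nachreiner describes to Wi-Fi scan results: one familiar SSID advertised by radios from different manufacturers or with different security settings, and an open network whose name matches a saved profile the laptop might auto-join. The scan entries and saved profile names are constructed for the example.

```python
"""Flag Wi-Fi scan results that look like a spoofed ('evil twin') access point."""
from collections import defaultdict

# Constructed scan results for this example (not real captures).
SCAN = [
    {"ssid": "AT&T Wi-Fi", "bssid": "00:11:22:aa:bb:01", "security": "open"},
    {"ssid": "AT&T Wi-Fi", "bssid": "00:11:22:aa:bb:02", "security": "open"},
    {"ssid": "AT&T Wi-Fi", "bssid": "de:ad:be:ef:00:01", "security": "open"},
    {"ssid": "Hotel_Guest", "bssid": "aa:bb:cc:00:00:10", "security": "WPA2"},
    {"ssid": "Hotel_Guest", "bssid": "12:34:56:00:00:99", "security": "open"},
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:20", "security": "WPA2"},
]


def oui(bssid: str) -> str:
    """The first three octets of a BSSID identify the radio's manufacturer."""
    return bssid.lower()[:8]


def suspicious_ssids(scan, saved_profiles=()):
    """Return {ssid: [reasons]} for every SSID showing an evil-twin indicator.

    saved_profiles: SSIDs this machine has joined before (hypothetical input;
    the interview notes such networks may be auto-joined without asking).
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        securities = {ap["security"] for ap in aps}
        ouis = {oui(ap["bssid"]) for ap in aps}
        if len(securities) > 1:
            reasons.append("same SSID advertised with different security settings")
        if len(ouis) > 1:
            reasons.append("same SSID broadcast by radios of different manufacturers")
        if "open" in securities and ssid in saved_profiles:
            reasons.append("saved profile may auto-join this open network")
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in suspicious_ssids(SCAN, {"AT&T Wi-Fi"}).items():
        print(f"{ssid}: " + "; ".join(reasons))
```

Legitimate venues do deploy many radios under one SSID, so a hit is a prompt to avoid that network or use a VPN on it, not proof of an attack.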