New macOS Too Secure?

The new security called ‘System ‘Integrity Protection’ (SIP) behind macOS High Sierra is proving so secure that it appears to be stopping users from being able to delete (third-party) apps with ease.

What’s The Issue?

The process behind the SIP was first introduced to users during the ‘El Capitan’ version of macOS (10.11) in late 2015, and has a unique advantage in relation to macOS’s overall security infrastructure.

However, the SIP framework follows Apple Software Update processes that are so strict that it is impossible with the new macOS environment for runtime attachments or code injection infiltration to occur within an Apple Software Update setting.

All this means that not only will users find it less easy to delete certain third-party software / apps, but also that the past bugs may be made exempt by the ‘rootless’ SIP framework, and could, therefore, become a future risk.

Why?

Apple is essentially undertaking a simple bunkerisation / sandboxing of app behaviour within the macOS environment at a binary level in order to prevent apps from third-party developers who have not sold their wares through the macOS App Store from being deleted with ease. Therefore, the only software affected by this security change is software developed outside of Apple.

Sealed

The ‘sealed’ nature of the software environment in iOS means that ‘permissionless’ app distribution on an iPad or iPhone can’t really happen and actually goes against the terms and conditions of use. The only way around it would be to ‘jailbreak’ the device, which would also waive the owner’s right to a legal warranty. However, the macOS App Store allows for permissionless app distribution in the context of online software distribution.

What Does This Mean For Your Business?

Security is a priority to businesses today, particularly with the proliferation of potentially devastating malware and phishing scams. With Android phones, for example, there have been some problems and scares recently with 36 fake, malicious apps turning up in Google Play, and with a fake version of WhatsApp being downloaded from Google Play by more than one million unsuspecting people. Apple systems have always been seen as a more secure option, a benefit that is very much valued by Apple users. Any move to protect the Apple environment is, therefore, something that is likely to be valued and understood by many users, and any talk of potential ‘security’ problems causes alarm among the Apple community.

The problem, in this case, isn’t really that there is any kind of immediate security flaw as such, but that it is more of a new user annoyance in relation to personal choice, as the High Sierra system allows third-party app installation but not its own singular removal. One possible security risk is that a user could be tricked into installing a virus or phishing app which is then protected by the sealed SIP framework.

It is, however, possible to restart the system in ‘recovery mode’ and delete any offending app because ‘recovery mode’ suspends any SIP framework protection during the ‘recovery’ boot-up mode sequence.

New Law Tackles Digital Ticket Touts

The UK Government has announced that cyber touts caught using specialised software called ‘bots’ to purchase tickets in bulk for re-sale at inflated prices on secondary websites, could soon face unlimited fines.

Bots Ban This Year

The UK Government stated at the end of December that it planned to make this year a great year for music and sports fans by passing new legislation to ban ticket tout bots. The proposed legislation will be designed to deter ticket touts from exploiting automated software to bulk-buy tickets thus bypassing ticket limits imposed by the management team behind the events.

The fact that the UK government has now notified the European Commission is further evidence that it now wants to press ahead with the bots ban as soon as possible.

Digital Economy Act

The UK already has the Digital Economy Act (2017) in place, and the new legislation will be added as a provision to this existing Act. The DEA (2017) already has additional requirements on ticket sellers to provide a bespoke ticket numbering system.

The changes will also mean a revision of the Consumer Rights Act in order to help clarify the restrictions imposed on secondary re-selling of tickets.

Examples

Recent examples of the reason why the government wants to push ahead with the legislation include concert tours by Adele and Ed Sheeran, where bots were used by touts to purchase large quantities of tickets before re-selling them at inflated prices, thereby leaving fans feeling let down and excluded. Also, for the Broadway hit show Hamilton in London’s West End, touts’ use of bots has led to tickets being sold for upward of £6,000.

Live Sport And Music At A Fair And Reasonable Price

The Rt Hon. Matt Hancock MP, the Minister of State for Digital, Culture, Media and Sport, believes this new statutory clampdown will help fans see live sport and music at a fair and reasonable price. He has stated that the government plans to work together with improvements by industry, to help make the market more transparent and improve Britain’s thriving live events scene.

Industry Collaboration – A Future Partnership?

The government hopes that industry can be more innovative to help deal with the ticket tout bot problem. The Department for Digital, Culture, Media & Sport (DCMS) cites pioneering examples from DICE, the UK software giant, using mobile technology to ‘lock-in’ tickets to user accounts to circumvent the possibility of touts acquiring digitally locked tickets.

Well-known musicians who have been hit by touts have also launched a partnership to sell tickets that cannot be sold on at a profit. For example, Twickets.co.uk has support from big names like Ed Sheeran and others.

Also, GUTS, a Dutch start-up, is using Blockchain, the technology behind Bitcoin, to create a system that makes it impossible to sell on tickets for a profit. The hope is that a legislative drive, along with industry-based innovation, can help make fans’ experience of live music and sport more enjoyable and preferably a lot less expensive.

What Does This Mean For Your Business?

The buying-up and re-selling (at hugely inflated prices) of music and sport event tickets has only benefitted the touts and has had a serious downward effect on the profits of promoters, artists and sporting stars as fans have felt disillusioned, ripped-off and abandoned. The image of some major artists (and therefore, the value of their brands) and the loyalty of fans have also been affected because the activities of touts have a rub-off effect on the artists themselves.

This move by the government is an important and long-overdue move in the right direction for the live entertainment industry. Although introducing a change to law in itself will not stop the activity of technology-toting touts overnight, if used in partnership with innovations in the industry such as locked-in tickets and the use of Blockchain technology, and coupled with the very public support for systems where fans can buy tickets at fair prices e.g. Ed Sheeran’s public support for Twickets.co.uk, the activity of touts could be limited. In short, this will benefit the industry and the fans.

All iPhones, iPads and Macs Affected by 2 Major Bugs – Meltdown and Spectre

Two major security flaws which are present in nearly all modern processors / microchips mean that most computerised devices are potentially vulnerable to attack, including all iPhones, iPads and Macs.

What Security Flaws?

The 2 hardware bugs / flaws in nearly all computer processors made in the last 20 years are known as ‘Meltdown’ and ‘Spectre’. The 2 flaws could make it easier for something like a malicious program to steal data that is stored in the memory of other running programs.

Meltdown

Meltdown, discovered by researchers from Google’s Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, affects all Intel, ARM, and other processors that use ‘speculative execution’ to improve their performance (most of the modern global market). Speculative execution is when a computer performs a task that may not be actually needed in order to reduce overall delays for the task – a kind of optimisation.

Meltdown could, for example, leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre

Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

Apple Systems and Devices Affected

Apple is reported to have said that all Mac systems and iOS devices are affected, although the Apple Watch is not believed to be affected by it.

No Known Exploits Yet

It should be said that researchers have uncovered the existence of the flaws, and while the potential for exploitation is there, there have been no known exploits to date. In the light of the wide publicity that the existence of the flaws has received, this could change.

What’s Being Done?

Intel has announced that it is working with AMD, ARM, other technology companies and some operating system vendors to find a fix. Intel and ARM are also planning to release patches for the flaws in upcoming software updates from them and operating system makers.

Google has said that the flaw didn’t exist in many of its products, and it has mitigated the issue in those products where it was present. Google has also said that an upcoming browser update (Chrome 64) will offer further protection when it is rolled out on 23 January.

Microsoft has released an emergency patch for all Windows 10 devices with other updates for other Windows versions scheduled for release within days. Amazon is reported to have said that its whole EC2 fleet is now protected.

Apple has issued a partial fix in macOS 10.13.2 and will continue to fix the issue in 10.3.3.

What Does This Mean For Your Business?

It is highly likely that your devices are affected by the flaws because they are hardware flaws at architectural level, more or less across the board for all devices that use processors. The best advice is to install all available patches without delay and make sure that you are receiving updates for all your systems, software and devices.

Although closing hardware flaws using software patches is a big job for manufacturers and software companies, it is the only quick answer to a large-scale problem that has been around but apparently ‘under the radar’ for a long time.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through unpatched vulnerabilities, that many of these vulnerabilities are 3 or more years old, and that patches are already available for them.

Dodgy Apps in Google Play

Security researchers have discovered 36 fake and malicious apps for Android that can harvest your data and track your location, masquerading as security tools in the trusted Google Play Store.

Hidden

The 36 malicious apps were, on the surface, the kind of security apps that are commonly downloaded by (Android) smartphone users to protect their device and data from cyber attacks and hackers. Ironically, the apps, which had reassuring names such as Security Defender and Security Keeper, and which performed some legitimate tasks on the surface, such as cleaning junk, saving battery, scanning, and CPU cooling, were found to be hiding malware, adware and even tracking software.

Once the apps were launched, researchers discovered that they would not appear on the device launcher’s list of applications, and the shortcuts would also not be shown on the user’s phone screen.

The malicious app makers are thought to have known that the “hide” function would not work on some devices (e.g. Google Nexus 6P, LGE LG-H525n and ZTE N958St), because the hide was designed not to run on them. They may also have done this to avoid attracting the attention of Google Play’s inspection / checking system.

False Notifications, Fake Alerts, and Adverts

The fake apps were even found to have been designed to deliver false, often convincing, but sometimes alarming security notifications, warnings and pop-up windows to the user. For example, users would be shown pop-ups to show them that fake security issues had been resolved. Also, if the user installed another app, then it would be reported as suspicious.

Users of these fake apps could also fall victim to an aggressive barrage of advertisements with each action, because the app may have been designed for display and click fraud.

Asked To Sign – But Collecting Data

In some cases, in an abuse of privacy, the malicious apps were found to ask users to sign and agree to an end-user licence agreement (EULA) relating to the information to be gathered and used by the app. In fact, the hidden aspects of these apps were found to be able to collect large amounts of device and user information, such as Android ID, model and brand of the device, screen size, language, location, and data on the other installed apps e.g. Facebook.

Removed

It has been reported that, since the researchers alerted Google to the presence and nature of the apps in December, they have now been removed from Google Play.

Not The First Time

Unfortunately, this isn’t the first time that fake apps have been found in the Google Play Store. Last November, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

What is a little shocking about this story is that Google Play is a trusted source for apps, and it is particularly ironic that in this case users could have downloaded the apps as a security measure to protect them, only to find that they did the opposite.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Google (in this case) didn’t spot the hidden aspects of the apps.

The fact that many of us now store most of our personal lives on our smartphones makes reports such as these all the more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Google Play Store.

To minimise the risk of falling victim to damage caused by fake apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone’s service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.

It may also be time for Google Play Store to review its systems and procedures for checking the apps that it offers.

Cloud Companies The Next Big Target For Ransomware

The latest Massachusetts Institute of Technology (MIT) Review has predicted that ransomware targeting cloud services will be one of the biggest cyber-crime threats of this year.

What Is Ransomware?

Ransomware is a form of malware that typically encrypts important files on the victim’s computer. The victim is then given a ransom demand, the payment of which should mean that the encrypted files can be released. In reality, some types of ransomware delete many important files anyway, and paying the ransom does not guarantee that any files will be released.

Huge Data Sources

One of the main reasons why MIT puts ransomware aimed at cloud services in the top 6 cyber threats for 2018 is that attacking a single cloud services company can give criminals access to huge amounts of data being stored and handled for multiple companies and organisations.

The MIT predictions, however, point to smaller, more vulnerable cloud providers who are more likely to pay as being a more likely target than the apparently well-protected larger CSPs such as Google, Amazon, and IBM.

Other Big Threats For 2018

Other MIT predictions for more common cyber-crime in 2018 include the targeting of electrical grids, transportation systems and other types of national critical infrastructure, cyber-physical attacks to cause disruption and extort money, and the targeting of old systems in transport modes (planes, trains and ships).

Also, another prediction for increased activity is the hijacking of more computing to mine crypto-currencies, and the resulting (potentially devastating) collateral damage if computing resources at hospitals, airports and other similar locations are targeted.

Evolution of Crime and Protection

The last 3 years have seen a rapid evolution of the threat of things like ransomware. 2016 was a huge year for ransomware attacks globally. For example, Kaspersky Labs estimated that in the 3rd quarter of 2016 a ransomware infection occurred every 30 seconds. Intel Security also reported that infections rose by more than a quarter in the first 3 months of the year.

The massive WannaCry ransomware attack of spring 2017 infected the computers of an estimated 300,000 victims in 150 countries worldwide, many of them large, well-known businesses and organisations (including 16 health service organisations in the UK), and has been a massive Internet and data security wake-up call.

Last year also saw AI used by both attackers and defenders, and MIT predicts that 2018 will see greater machine learning models, neural networks and other AI technologies used on a more regular basis by cyber attackers.

What Does This Mean For Your Business?

Cyber attackers are becoming ever-more sophisticated in their attack methods, using the latest technologies, multi-layered attacks, and social engineering. Ransomware is a popular tool because it is often relatively cheap to create and use, it can spread easily (like WannaCry), the attackers can remain anonymous, and it yields the main motivation for many attacks – financial gain. It stands to reason that CSPs would make an ideal target because of the huge amount of data from many companies that is stored with them.

For individual UK businesses and other organisations, it’s a case of always being on the lookout for suspicious emails and updates, keeping security software up to date and regularly backing up critical data. With GDPR due to come into force in May, there is an even greater motivation to pay attention to data and Internet security, and it is a dangerous false economy to stay with old operating systems for as long as possible.

In order to provide maximum protection against prevalent and varied threats this coming year, businesses should adopt multi-layered security solutions. Businesses should accept that there is a real likelihood that they will be targeted and therefore prepare for this by implementing the most up to date security solutions, virtual patching and education of employees in order to mitigate risks from as many angles (‘vectors’) as possible.

Having workable and well-communicated Disaster Recovery and Business Continuity Plans in place is now also an important requirement.

Extremism Tax

UK Minister of State for Security, Ben Wallace, has said that Britain may impose new taxes on tech giants like Google and Facebook unless they do more to combat online extremism by taking down any material aimed at radicalizing people or helping them to prepare terror attacks.

Lack Of Co-operation

In an interview with the Sunday Times, Security Secretary Wallace is reported as saying that tech giants appear to have been “less than co-operative”, and are placing too much of the responsibility and cost for tackling extremist material and influence on the UK government (i.e. the taxpayer).

Mr Wallace is reported as saying that although the tech firms appear to be happy to sell people’s data, they seem less happy to give that data to the UK government, thereby forcing it to spend large amounts of money on de-radicalisation programs, surveillance and other counter-terrorism measures.

Tax Threat

Mr Wallace is reported as saying in his interview with the Sunday Times that the government was prepared to look at things like tax as a way of incentivising or compensating the tech giants for their “inaction”.

Vulnerable

Mr Wallace made the point that the UK is “more vulnerable than at any point in the last 100 years.” He highlighted how social media and encrypted messaging services like WhatsApp may be making things easier for attackers, and how taking down online extremist material more quickly than is currently happening could save the millions of pounds that are being spent on de-radicalising people (who have been radicalised) rather than preventing radicalisation in the first place.

Echoes of Amber Rudd

Mr Wallace’s reported comments appear to echo many of those of interior minister Amber Rudd, who, just weeks after the second bridge attack, headed a very public campaign to stop the complete end-to-end encryption model used by some social media platforms, and allow ‘back doors’ to be built in to such systems to allow the government to access them in the name of intercepting communications by extremists / terrorists. Critics have pointed out that building in back doors would make the platforms vulnerable to hackers.

Stereotyping

Mr Wallace’s reported comments also included a description of tech company staff that appeared to stereotype them as people who “sit on beanbags in T-shirts”. He was quick to create a contrast between this more passive perceived public image, and his perceived reality that the tech giants are in fact “ruthless profiteers” who will “sell our details to loans and soft-porn companies”.

What Does This Mean For Your Business?

This appears to be another effort by the government to put pressure on the tech giants through negative publicity, and this time through threats of new taxation, to highlight what the government sees as their responsibility in playing a role in reducing the terror threat from extremists. Businesses and individuals are obviously likely to be unanimous in their wish for increased national security, the reduction of a terror threat, and in closing avenues which lead to radicalisation and recruitment for extremist / terror activities.

There are, however, other influences and points of view at play here, including the powerful commercial interests and profits of the ‘tech giants’, the need to be seen to resist any forms of censorship and outside interference, the need to be seen to protect users’ privacy and trust, diplomatic and trade interests and relationships (e.g. with the U.S., where the tech giants are mainly based), personal data and security implications (of stopping end-to-end encryption), and the influence of freedom and rights campaigners.

The comments of Mr Wallace are likely to be followed by many more from the government in the near future as they attempt to exert some influence over many wealthy, overseas-based but very popular tech companies that play such an important part in the daily lives of many UK citizens.

Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant traffic that its battery physically bulges and bends the phone cover.

Malware Causing Physical Damage

The Android phone-wrecking Trojan malware, dubbed “Loapi”, was discovered by Kaspersky researchers. In tests, after running it for several days mining the Monero crypto-currency, the Android phone used in the test was overloaded with activity (trying to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

The Loapi malware is reported to have been found hiding in applications in the Android mobile operating system.

How It Works

Loapi reportedly works by hijacking a smartphone’s processor and using the computing power to mine crypto-currency.

‘Mining’ refers to the process of completing complex algorithms to get rewards of new crypto-currency units e.g. Bitcoin.

Loapi uses JavaScript code execution hidden in web pages (usually via advertising campaigns) with WAP billing to subscribe the user to various services. This works in conjunction with the SMS module to send the subscription message.

What makes Loapi particularly dangerous is the amount of device-attacking techniques present in it, and the modular architecture of this Trojan which means that more functionality could be added to it at any time.

Part Of Trend For Mining Scams

It is likely, therefore, that Loapi is loaded onto an Android device when a user visits a website where mining software / mining code is running in the background, without the knowledge of the website owners or visitors.

For the scammer who plants the code, they can use the power of multiple computers / devices to join networks so that the combined computing power will enable them to solve mathematical problems first (before other scammers) and thereby claim / generate cash in the form of crypto-currency.

A report by ad blocking firm AdGuard in October this year showed that the devices of 500 million people may be inadvertently mining crypto-currencies as a result of visiting websites that run mining software in the background.

What Does This Mean For Your Business?

Unfortunately, many cyber criminals are now trying to leverage the processing power of computers, smartphones and other devices to generate revenue from mining crypto-currency. Mining software, e.g. Coin Hive, has been found in popular websites, and crypto-currency mining scams are now being extended to target cloud-based computing services with the hope of harnessing huge amounts of computing power and using multiple machines to try and generate more income.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and this new threat of actually having your phone melted by malware adds another level of risk, including that of fire.

There are some simple measures that your business can take to avoid being exploited as part of this popular scam, although it is unclear how well these will work with the newly discovered Loapi. For example, you can set your ad blocker (if you’re using one) to block one specific JavaScript URL, which could stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, browser extensions are available e.g. the ‘No Coin’ extension for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).
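To show what a URL-based miner block like the ones described above actually has to decide, here is an added JavaScript example (not code from the page, from No Coin or from any ad blocker): it matches script URLs against a small blocklist using proper hostname-suffix matching, so a look-alike domain is not caught by a naive substring test, and it resolves relative script paths against the page URL. All domains in it are constructed placeholders.

```javascript
// Added example: a minimal script-URL blocklist matcher in the style of a
// browser content blocker. Hostnames below are constructed placeholders,
// not real mining-script hosts.
const MINER_BLOCKLIST = [
  // Block any script served from this host or any of its subdomains.
  { host: "miner-cdn.example" },
  // Block only one path on an otherwise tolerated host.
  { host: "ads.example", pathPrefix: "/lib/worker-miner.js" },
];

// True for the exact host or a subdomain of it: "a.b.example" matches
// "b.example", but "notb.example" does not (a plain substring test would
// wrongly block the latter).
function hostMatches(hostname, blockedHost) {
  const h = hostname.toLowerCase();
  const b = blockedHost.toLowerCase();
  return h === b || h.endsWith("." + b);
}

// Decide whether one script URL should be blocked. Relative URLs are
// resolved against pageUrl, since <script src="/x.js"> is common.
// Returns the matching rule, or null when the script is allowed.
function matchScriptUrl(scriptUrl, pageUrl, blocklist = MINER_BLOCKLIST) {
  let url;
  try {
    url = new URL(scriptUrl, pageUrl);
  } catch {
    return null; // unparsable src: nothing to match on
  }
  // Only network schemes carry a host worth matching; data:/blob: URLs are
  // inline payloads and need a different control (e.g. a CSP script-src).
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  for (const rule of blocklist) {
    if (!hostMatches(url.hostname, rule.host)) continue;
    if (rule.pathPrefix && !url.pathname.startsWith(rule.pathPrefix)) continue;
    return rule;
  }
  return null;
}

// Classify every script URL found on a page. Input is the list of src
// values as they would appear in <script src="..."> tags.
function classifyScripts(scriptSrcs, pageUrl) {
  const blocked = [];
  const allowed = [];
  for (const src of scriptSrcs) {
    (matchScriptUrl(src, pageUrl) ? blocked : allowed).push(src);
  }
  return { blocked, allowed };
}

// Constructed sample page: a legitimate relative script, a miner loaded
// from a subdomain of a blocked host, a look-alike host that must stay
// allowed, one path-rule hit and one path-rule miss, and an inline data: URL.
const SAMPLE_PAGE = "https://news.example/article";
const SAMPLE_SCRIPTS = [
  "/static/app.js",
  "https://cdn.miner-cdn.example/worker.js",
  "https://notminer-cdn.example/analytics.js",
  "https://ads.example/lib/worker-miner.js?v=3",
  "https://ads.example/lib/banner.js",
  "data:text/javascript,console.log(1)",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE), null, 2));
}
```

Running it with node prints two of the six sample scripts as blocked; the look-alike host and the data: URL pass through, which is why the text above pairs URL blocking with other controls rather than relying on it alone.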

You can generally steer clear of dodgy Android apps by sticking to Google Play, by avoiding cloned apps from unknown developers within Google Play, by checking app permissions before you install them, by keeping Android apps up to date (and by deleting the ones you don’t use), and by installing an antivirus app.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm Kaspersky Lab is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional and that there is no technical evidence to support it.

What Directive?

Back in September, The U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky have long been the subject of suspicion and concerns by western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013) and Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences and this, and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

School Heating Hack Risk

Cyber-security company Pen Test Partners has warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.

The Problem

The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.

Tested

The researchers at Pen Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via the IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.

In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.

Not Just Schools

The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.

Incentive

Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.

The risks could, however, increase in future as more devices and systems become part of the IoT.

What Does This Mean For Your Business?

It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.

To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.

It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.

This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

WannaCry Came From North Korea Say Experts
The UK’s National Cyber Security Centre (NCSC)-led investigation into the origins of the WannaCry ransomware attack that crippled NHS systems last month has concluded that it came from a hacking group in North Korea.

What Happened?

The WannaCry global cyber attack back in May spread worldwide, claiming victims in 150 countries and leading to around 130,000 ransomware infections of computers. The attack also made the headlines in the UK because it temporarily crippled NHS computer systems.

WannaCry was made to exploit a vulnerability using an NSA-developed hacking tool called ‘Eternal Blue’. The rapid, global spread of WannaCry was eventually thwarted when UK security researcher Marcus Hutchins registered and took over the domain that was written into the ransomware’s core code.
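The domain take-over worked because every infected machine looked up that hard-coded domain before continuing, so the lookup itself is a usable infection indicator in resolver logs. The following is an added defender-side example (not code from the original article or from the NCSC investigation); the kill-switch domain and the DNS log lines are constructed placeholders, and the log format assumed is BIND-style query logging.

```python
import re
from collections import defaultdict

# Placeholder (hypothetical): the real WannaCry kill-switch domain is not
# reproduced here; substitute the domain your resolver team sinkholes.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample of BIND-style resolver query-log lines for this example.
SAMPLE_DNS_LOG = """\
12-May-2017 13:01:02.117 client 10.0.4.17#51234 (killswitch.example): query: killswitch.example IN A + (10.0.0.53)
12-May-2017 13:01:05.441 client 10.0.4.17#51240 (killswitch.example): query: killswitch.example IN A + (10.0.0.53)
12-May-2017 13:02:11.009 client 10.0.9.3#40021 (intranet.corp.example): query: intranet.corp.example IN A + (10.0.0.53)
12-May-2017 13:03:40.720 client 10.0.7.88#55512 (killswitch.example): query: killswitch.example IN A + (10.0.0.53)
"""

# timestamp, client IP, queried name and record type from a BIND query-log line
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+ .*?: query: "
    r"(?P<name>\S+) IN (?P<type>\S+)"
)


def parse_dns_log(text):
    """Yield one dict per parseable query-log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that resolved the kill-switch domain to its lookup timestamps.

    A host appears here only if the dropper already ran on it: the lookup is the
    malware's own check, so these hosts need isolation and cleanup even though
    the sinkholed domain stopped the payload from spreading further.
    """
    hits = defaultdict(list)
    for rec in parse_dns_log(text):
        if rec["name"].rstrip(".").lower() == domain.lower():
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```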

Lazarus

The recent NCSC investigation has concluded that WannaCry was made and distributed by the North Korea-based hacking group known as Lazarus. This is believed to be the same group that targeted Sony Pictures with a hack in 2014 over the release of the film ‘The Interview’ that satirised the North Korean leadership. The Lazarus group is also believed to have targeted a South Korean supermarket chain.

Indiscriminate

It is believed that the WannaCry ransomware attack was indiscriminate, and the fact that the (old) NHS systems were particularly badly affected may have made it appear that it was targeted.

Traced

Initial reports from cyber security experts ruled out Russian-based hackers and focused on the fact that the code showed that it may have been created on a machine in a GMT+9 timezone.

A study and reverse-engineering of the WannaCry code, combined with some overlaps with previous code developed by the Lazarus group, plus taking into account wider evidence gathered by GCHQ’s NCSC, have led experts to confirm that WannaCry was the product of the North Korean Lazarus group. It is believed that America’s NSA did not contribute heavily to the investigation because the U.S. was not hit as badly as the UK by the attack.

Was It Worth It?

The motivation of the group has been called into question since the amount of ransom paid by victims is thought to only have been around £40,000, and none of the money has been collected by the group. Also, unlike many other hacking groups, Lazarus doesn’t claim responsibility for its attacks, does not release communiqués, and does not tweet about its exploits.

IT security commentators have, therefore, concluded that WannaCry is likely to have been an attack that was far more successful and widespread than the group had intended or expected.

What Does This Mean For Your Business?

In the wake of WannaCry’s rapid and extensive spread, Internet and data security, particularly with GDPR due to come into force next year, must surely now be given high priority by businesses and must be championed at board level. The danger and false economy of staying with old operating systems as long as possible was painfully exposed in this attack. For businesses, where an attack comes from is not as relevant and important as knowing that protection is in place.

Businesses need to take a range of measures to ensure that they are well defended against known cyber threats, and prepared for the aftermath, should defences be breached. Preparations could include making sure that all the latest updates and patches are installed on systems and that anti-virus software is up to date, all important data is regularly and securely backed-up, all staff are trained to spot and deal correctly with potential threats, and workable Disaster Recovery and Business Continuity Plans are in place.