Monday, August 06, 2018

Wall Street Journal reports administration scurrying now over cyber threats to power grids, which could involve home or small business users as honeypots



In early July, I happened to log on to my Dominion Power account to try to pay a bill, and got a bizarre error from the website. The next day it worked, but maybe that’s a preview to the substance of this Wall Street Journal article by Rebecca Smith, “U.S. Steps Up Grid Defense: To fight cyberattacks on critical utilities, officials push for stronger penalties.” Online, the article is quite high profile (though with a subscription paywall) and illustrated.

The main threat seems to be that foreign hackers (Russia, China, Iran, North Korea, possibly radical Islam) get access through suppliers or small utilities, who then trade software across “air gaps” with thumb drives.  Despite the air gap from the public Internet, the security environment for major electric utilities and for grid companies (for the three major grids) is very complicated and could be breached. Small utilities and suppliers don’t have the advanced security to protect themselves from state hackers.


Another threat seems to be corporate and even home routers, which seem to be a set of “mouseholes” for malware to hide in.

The article suggests that malware (like Dragonfly or Energetic Bear) could be hiding in utility control systems called SCADA (which, to be emphasized, aren’t directly accessible from your computer or phone). There are reports that this malware has lived on some utilities' systems since 2012.

The article suggests that spear-phishing, watering hole attacks on trade websites, or air-gap crossing are the main methods.

The article even goes so far as to suggest that the government is concerned about mass internal migrations should a protracted regional power failure occur (the August 2003 failure in the northeast lasted about a day).

Do ordinary users at home add to the risk? Possibly, through home routers (which should be turned off and back on occasionally so the security updates take hold, although large cable companies probably do this anyway). Another possibility that got mentioned shortly after 9/11 and forgotten was steganography, where instructions for terror attacks or malware are placed on innocuous amateur sites. Another possibility would be to place criminal malware like child pornography on sites to try to frame ordinary civilians, as an intimidation tactic from foreign enemies. So far the closest that has happened has been occasional defacing of a few websites (like random restaurants) or Sony. (There had been scattered reports, as far back as 2013, of ransomware that threatened to load c.p. on a user's computer; at one time possession would have been a strict liability offense.) A few politically-oriented sites (in the eyes of the beholder) may have been targeted. Recently (in May and June) a major WordPress blog (which admittedly had used an old insecure template theme) set up to advise asylum seekers was hacked, but finally secured properly and is back up. (Fortunately it had good backups, and backup technology would be worth another big blog post.)

Ted Koppel (video above) wrote a book called “Lights Out” about all of this (reviewed on Books, Nov. 15, 2015).

This article doesn’t even consider EMP and solar storms, which I’ve discussed elsewhere.
  
As someone who dealt with the draft a half century ago, I see foreign enemies posing novel moral dilemmas for how individuals can be expected to behave.

Wednesday, July 25, 2018

Phishing scam presents stolen passwords in subject line, demands payment for watching porn caught on videocam



Business Insider, in a story by Kif Leswing, reports on a vicious new scam where the victim gets a phishing email with one of his passwords in the subject line. The email then tries to blackmail the person, saying the sender has videocam footage of the person watching porn, and demands payment in bitcoin.

In actual fact, the password has probably been obtained from the dark web, and may have come from one of the many major corporate hacks. The attacker does not actually have a video.

But of course you can block the camera on your computer.

Monday, July 23, 2018

US-CERT warns on Emotet Malware, major hazard for financial institutions



US-CERT has sent out an alert on “Emotet Malware”, bulletin TA18-201A, which is aimed at financial institutions and bank and securities accounts.

It is mainly aimed at financial companies (including payment spheres and PayPal) and is often spread through phishing and infected attachments. But it could apparently steal from consumer accounts.

Consumers should, as always, watch balances online and pay attention to whether automated payments and the like process properly.
  
But this report appears to apply most directly to employees of financial institutions.

Sunday, July 15, 2018

Site allows you to check if your email passwords have been stolen



“Pardon the interruption, your passwords are leaking”.  It’s a kind of incontinence.
   
So Geoffrey Fowler writes in the Washington Post Business, “Stolen Password, Here’s What to Do About It?”

He gives a site “Have I Been Pwned” here.

One of my emails was found on seven sites that had been breached, but not on any dark web sites themselves.
  
Fowler recommends changing every password every 90 days with 2-step authentication and the use of really long hashed (like MD5) passwords with a professional app.

Tuesday, July 10, 2018

"Dbsync" files with 0 bytes loaded by some adware on some sites



A recent Salon article stalled when I was scrolling in Google Chrome in Windows 10. When I viewed it in Mozilla, it scrolled fine but Mozilla asked me if I wanted to download a file called “dbsync” with zero bytes. I let it go.

Afterwards I restarted and ran a full scan in Trend Micro and it came up clean. The file seems like a pivot for adware, which is probably not malicious but would be removed as “bloatware” by some security products.

On Google searches, Trend warns of some fraudulent anti-virus products that claim they will remove dbsync.

Thursday, July 05, 2018

US-CERT would do well to publish more on SQL Injection issues



I wanted to take a moment and gather some material from US-CERT in Pittsburgh on SQL Injection attacks.

The main primer dates back to 2012, and has a link here. Note that CERT reports a large number of attacks in 2008 through Microsoft IIS. The recommendations in the paper relate mainly to larger organizations and tend to suggest theft of user PII is the biggest danger.

In 2016 CERT warned that SQL injection attacks might be attempted by foreign adversaries on voter databases, here.

NICCS offers tuition-based classes for companies on preventing SQL injections. Usually this means employers send tech support staff to travel to cities (like Seattle) for several days.

The scale of the training required makes security a difficult matter for individual bloggers to handle on their own. WordPress and Automattic need to remain aggressive in fixing vulnerabilities that seem to be found at times, and bloggers should upgrade to latest versions quickly when offered. This is more true now than it was a few years ago because of the tense political climate, domestically and worldwide.
  
  
Blogger has never attracted attention for vulnerabilities like this because it uses a totally proprietary database.

Wednesday, June 27, 2018

WordPress password change on hosted sites needs a little SQL knowledge


If you blog on WordPress on a hosted platform, the procedure for changing a user password is more complicated than with a free blog. It’s a good idea to do this at some unpredictable intervals.

Generally, you go into phpMyAdmin, look for the database that corresponds to the blog (you need to look in the File Manager if you have more than one), look for the tables, look for the user table, and then enter a new password and then choose an encryption method (usually MD5) from a drop down. BlueHost is pretty typical.
  
  
The actual physical password is encrypted, not what you enter on the WordPress login screen.
I don’t get why in this video you need to regenerate it on WordPress itself, but I’ll look into it.
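
The phpMyAdmin steps described above can also be typed into its SQL tab. This is an added example, not from the original post, WordPress or BlueHost; it assumes MySQL, the default `wp_` table prefix, and a hypothetical login name `editor1`.

```sql
-- Added example. Assumptions: default table prefix wp_, hypothetical login 'editor1'.

-- 1. Confirm which row is about to change before touching it.
SELECT ID, user_login, user_email, LENGTH(user_pass) AS hash_len
FROM wp_users
WHERE user_login = 'editor1';

-- 2. Store the MD5 of the new password. This is the same operation as
--    typing the password in phpMyAdmin and picking MD5 from the drop-down.
--    Use a long, random passphrase in place of the placeholder string.
UPDATE wp_users
SET user_pass = MD5('replace-with-a-long-random-passphrase')
WHERE user_login = 'editor1'
LIMIT 1;

-- 3. Verify the change: a bare MD5 value is exactly 32 hex characters.
SELECT user_login, LENGTH(user_pass) AS hash_len
FROM wp_users
WHERE user_login = 'editor1';

-- 4. Drop the user's stored login sessions so cookies issued under the
--    old password stop working (relevant when the change follows a hack).
DELETE FROM wp_usermeta
WHERE meta_key = 'session_tokens'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'editor1');
```

The MD5 value is only a temporary format: WordPress recognizes it at that user's next successful login and re-stores the password using its own salted hash, so log in once right after the change.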