Thursday 16 January 2014

UK critical infrastructure at risk from SCADA security flaw

Sellafield nuclear power plant in northern England
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has called for businesses involved in critical infrastructure to be extra vigilant as it investigates a potential critical flaw in a commonly used SCADA system.
ICS-CERT issued the warning in a security advisory after security researcher Luigi Auriemma uncovered a vulnerability that left many of the world's SCADA systems at risk.
"ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product," said the advisory.
"IntegraXor is currently used in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia. ICS-CERT recommends that users take defensive measures to minimise the risk of exploitation of these vulnerabilities."
Specifically the security team recommended that SCADA users "minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet. Locate control system networks and devices behind firewalls, and isolate them from the business network."
Trend Micro security expert Rik Ferguson told V3 that the vulnerability listed in the advisory is particularly dangerous as it could theoretically be exploited by hackers to launch a variety of attacks, including denial of service.
"According to the researcher, and also to the proof of concept that he has released, this vulnerability results most often in a denial of service condition, which should be concerning enough in itself for the kinds of production environments in which Ecava IntegraXor operates," he said.
"However, Auriemma has also said that in certain conditions the vulnerability can lead to arbitrary execution of code, which could have far more serious ramifications, opening the door to further compromise."
ICS-CERT confirmed it has contacted Ecava, the company that makes the system, and is working to identify and fix the flaw.
Attacks on critical infrastructure systems have been a growing problem facing businesses and governments. The danger was showcased in 2011 when the notorious Stuxnet malware was discovered targeting Iranian nuclear plants.
The Stuxnet malware subsequently spread and has been discovered in numerous locations, including a Russian nuclear power plant. Security experts have since warned that it is only a matter of time before the Stuxnet malware hits the UK.

Microsoft extends Windows XP anti-malware support to July 2015

Microsoft Windows XP screen
Microsoft has announced it will continue offering anti-malware updates to Windows XP users until July 2015, over a year after it officially cuts support for the decade-old operating system.
Microsoft revealed its plans to prolong anti-malware support for XP in a post on its Threat and Response blog, confirming that the move is an interim solution designed to help businesses securely migrate their systems to run a newer Windows version.
"To help organisations complete their migrations, Microsoft will continue to provide updates to our anti-malware signatures and engine for Windows XP users through 14 July 2015. This does not affect the end-of-support date of Windows XP, or the supportability of Windows XP for other Microsoft products, which deliver and apply those signatures," read the post.
"Our goal is to provide great anti-malware solutions for our consumer and business customers. We will continue to work with our customers and partners in doing so, and help our customers complete their migrations as Windows XP end of life approaches."
For enterprise Windows XP users the extension applies to several critical security services including Microsoft System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP.
The move is a backtrack by Microsoft, which announced plans to pull support for its Security Essentials anti-malware tool from XP earlier in January.
Microsoft warned that even with the extended support, Windows XP users will still be at significant risk after the official April cut-off.
"Our research shows that the effectiveness of anti-malware solutions on out-of-support operating systems is limited. Running a well-protected solution starts with using modern software and hardware designed to help protect against today's threat landscape," read the post.
The announcement follows widespread outcries from the XP community regarding the support cut-off. Despite being a decade old, many businesses and companies still prefer XP to newer Windows versions and view the cut-off as a tactic by Microsoft designed to force them to adopt Windows 8.
"Microsoft can force me off XP but, there is no way they can force me into the abomination that is Windows 8. It's past time I converted all my computers to Linux," wrote one particularly angered V3 reader.
The announcement follows the discovery of several vulnerabilities in Windows XP. Microsoft issued fixes for an "important" vulnerability in Windows XP as a part of its regular Patch Tuesday earlier this week.

Local government warned to trust nobody and sack overzealous cyber security staff

malware virus security threat breach
The government's independent cyber security advisory has warned local government IT managers of the need for more intelligent security systems for online public services, telling them to "trust nobody".
Speaking at the Government ICT conference in London, technical director for the National Technical Authority for Information Assurance (CESG) Ian Levy told delegates that firewalls only go so far and that staff trying to install too many security solutions without justification should be sacked.
"More security is not always better: it's got to be proportionate and appropriate security," he said. "If people are telling you to put security in your systems but they can't explain why, sack them. If people are saying ‘Cheltenham [base of CESG] are saying put this security in your system', email me and I'll tell you to sack them."
Levy said that because the scope and risk of serving such a large and unknown customer base is so enormous, security has to match it.
"Trust nothing," he said. "This is fundamentally different to building a corporate system because the people I'm transacting with I have no trust relationship with. They're not my employees, they're not people I can talk to down the pub, it's a bunch of 60 million people out there on the internet who may or may not be who they say they are."
He told system administrators to assume "every single endpoint is infected with the worst possible malware" and that "all users are dumb at some point", adding that the only way of fending off attacks is with business intelligence that understands how users are supposed to behave. "Once a credential is issued, you have to assume it's compromised," he said.
Levy said his team had monitored a botnet for 11 hours in 2013 and spotted over 1,600 compromised Gov.uk transactions being logged, proving that there is a widespread problem with the general public's internet use.
"It's not about usernames and passwords," he continued. "It's not about firewalls, it's about business intelligence. It's about understanding how your business transactions work and the footprints they leave on your service. It's a fundamentally different type of security."
As local government services increasingly head to the web and away from paper-based systems, with central government leading the way with its Gov.uk initiative, protection from fraudulent activity has become ever more important. That, combined with stricter regulations on public sector IT in areas such as stricter BYOD policies, has brought cyber security to the fore in local government.

Silent Circle announces Android 'Blackphone' plans to avoid NSA snoops

A man in an alleyway using a mobile phone
Secure communications service provider Silent Circle has announced plans to release a new unmonitorable smartphone, codenamed the Blackphone.
The phone is a joint collaboration between Silent Circle and Geeksphone and is due to appear for the first time at Mobile World Congress (MWC) in Barcelona in February.
Details about the Blackphone remain vague, but it has been confirmed to run using a heavily altered version of Google's Android operating system, named PrivatOS.
PrivatOS will use Silent Circle's custom messaging and communication technologies to let users securely make and receive phone calls, exchange texts, transfer and store files and video chat, without fear that their activities are being monitored or recorded.
Pretty good privacy (PGP) encryption protocol creator and Silent Circle president Phil Zimmermann said the Blackphone will let users have full control over what data is stored and sent from their smartphone.
"I have spent my whole career working towards the launch of secure telephony products," said Zimmermann. "Blackphone provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect."
At the time of publishing Silent Circle had not responded to V3's request for further details about the Blackphone's internal specifications, UK release date or price, though the phone is listed as being available for pre-order from 24 February.
The Blackphone's announcement follows widespread concerns about governments' communication-monitoring operations. The concerns began in 2013 when whistleblower Edward Snowden leaked documents to the press revealing the US National Security Agency's PRISM spy campaign.
The campaign has led many companies to consider more drastic counter-spying measures. Deutsche Telekom announced plans to protect its customers from government spy agencies by changing its processes to route local internet traffic through domestic servers only in October 2013.

NSA enslaved 100,000 computers for worldwide PRISM snooping

nsa-crest
The US National Security Agency (NSA) hacked over 100,000 computers based in countries around the world, installing malicious code to turn them into covert cyber spy tools, according to The New York Times.
The paper reported that the NSA mainly infected the machines after breaking into networks, but that spies also used "secret technology" to access machines not connected to the internet.
The New York Times said the evidence stemmed from leaked NSA documents and statements from a number of unnamed US officials.
The mysterious "secret technology" has been around 2008, the paper said, reportedly using radio waves to hack the offline machines.
"The technology, which the agency has used since at least 2008, relies on a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into the computers," read The New York Times' report.
The NSA used the technology to bug an unspecified number of Chinese and Russian military networks, systems used by the Mexican police and drug cartels, trade institutions inside the European Union and organisations and companies in Saudi Arabia, India and Pakistan.
The documents reportedly showed that the hacked computers can also be used as a platform to launch hostile cyber attacks.
A NSA spokeswoman attempted to justify the campaign to The New York Times, arguing: "NSA's activities are focused and specifically deployed against – and only against – valid foreign intelligence targets in response to intelligence requirements."
At the time of publishing the US Department of Defense (DoD) had not responded to V3's request for comment on the report.
The news is the latest revelation in the ongoing PRISM scandal. News of the NSA's advanced spy campaign broke in 2013 when by ex-CIA analyst Edward Snowden leaked documents to the media proving that the agency is siphoning vast amounts of web user data from firms such as Google, Microsoft and Apple.
The revelation has led to widespread concerns within the business community that the NSA's spying will damage international trade in 2014. The concerns have led US president Barack Obama to consider reducing the NSA's powers.

Google must face justice in UK for Apple Safari privacy failings, rules High Court

Judge's gavel
Google has lost its appeal to block legal action in the UK over a privacy case relating to its use of cookies in Apple's Safari browser.
The firm had attempted to move the case, which started in 2012, to California. But judge Justice Tugendhat at the High Court in London said that the UK courts had "appropriate jurisdiction" to conduct the case.
The case – which has already cost Google nearly $40m after settlements with 38 US states and the US Federal Trade Commission – focuses on whether it deliberately bypassed privacy settings available in Apple's Safari browser by using cookies to present targeted advertisements.
Google insists the tracking was accidental, and following the settlements in 2012 promised it would make technical changes to ensure its cookie technology recognised browser privacy settings.
Nonetheless, the claimants are looking for further justice in the UK, and previously blasted Google as "arrogant" for attempting to block the case.
A Google spokesman said in December that the company was merely looking for clarification on whether the case should be held in the UK. "A case almost identical to this one was dismissed in its entirety two months ago in the US. We're asking the court to re-examine whether this case meets the standards required in the UK for a case like this to go to trial," he said.
Olswang lawyer Dan Tench, who is handling the case, welcomed the news. "It is only right that English claimants should have a case heard in England, and not have to travel to California because it suits Google better. Google has unlimited resources to deal with legal matters. Ordinary Britons do not," he said.
"This was a flagrant, if ultimately unsuccessful, attempt to evade justice. The court saw through it. We now look forward to the discovery process where we expect to find out what really happened at Google to cause it to breach privacy laws."
Claimant Judith Vidal-Hall said: "We want to know how long they have done this for, what they've done with our private data, how much they have made from this, and why they keep flouting privacy laws."
The Press Association reports that Google intends to take the case to the Court of Appeal.