Sunday, March 29, 2020

What I'm Reading (or Watching) 3/29/2020 - Another Industrial Protocol and China Fudging Numbers

Books -

Network Forensics Tracking Hackers Through Cyberspace

Wired for War: The Robotics Revolution and Conflict in the 21st Century

Blogs / News -

The Startup - The Strategic Seventeen: Zero Trust -
Developed a decade ago, the Zero Trust framework has recently gained more attention due to the collective castle walls of many organisations crumbling and the owners of information systems and data becoming usurped by malicious entities. There is plenty of proof and anecdotal evidence to assure us that cybersecurity incidents are a matter of “when” and not “if”. When you look at it, threat actors tend to come in three varieties: Malicious Outsiders, Malicious Insiders, and Well-Intended Insiders.
The Startup - The Essential Eight -
In February of 2017, The Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) published an update to their “Top 4” Strategies to Mitigate Cyber Security Incidents by revising the list to include four more crucial strategies. The “Essential Eight” has received considerable attention over the past several years, although I have encountered many organisations that are unsure where to begin. In this article, I will try to give you a bit of a kick-start to help you get going in the right direction. You are not alone… if you need help, please ask for it, since we’re all on the same side!
The original ASD/ ACSC Top 4 included Application Whitelisting, Patching Applications, Restricting Administrative Privileges, and Patching Operating Systems. The Essential Eight now includes those four plus Disabling Untrusted Microsoft Office Macros, Using Application Hardening, Multi-Factor Authentication, and Daily Backups of Important Data.
Hack in the Box - How to Clean and Disinfect Yourself, Your Home, and Your Stuff -

The Economist - China goes back to work -
Officials boast that things are almost normal again. Fully 98% of all listed companies have resumed work, says the securities regulator. Around the country 89% of big investment projects, from airport expansions to the laying of gas pipelines, are also under way, according to a planning commission. “Roaring Chinese factories in full swing”, Xinhua, a state news agency, proclaimed on March 21st.
The reality is less exuberant. When any measure becomes an official target, it is susceptible to distortion—a phenomenon known as Goodhart’s law. It has been amply demonstrated in China over the years. In this case an obsession with the “work resumption rate” has invited fiddling. Some low-level officials have told firms to embellish their recoveries, reports Caixin, a magazine. To prevent such trickery, the central authorities started checking electricity data. The logical next step? Some companies were told to consume more power by turning on idle equipment.

Other -

Wikipedia - HART Protocol -
The HART Communication Protocol (Highway Addressable Remote Transducer) is a hybrid analog+digital industrial automation open protocol. Its most notable advantage is that it can communicate over legacy 4–20 mA analog instrumentation current loops, sharing the pair of wires used by the analog-only host systems. HART is widely used in process and instrumentation systems ranging from small automation applications up to highly sophisticated industrial applications.
According to Emerson,[1] due to the huge installation base of 4–20 mA systems throughout the world, the HART Protocol is one of the most popular industrial protocols today. HART protocol has made a good transition protocol for users who wished to use the legacy 4–20 mA signals, but wanted to implement a "smart" protocol.
The protocol was developed by Rosemount Inc., built off the Bell 202 early communications standard in the mid-1980s as a proprietary digital communication protocol for their smart field instruments. Soon it evolved into HART and in 1986 it was made an open protocol. Since then, the capabilities of the protocol have been enhanced by successive revisions to the specification.
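The Wikipedia excerpt above describes HART only at the level of its physical layer (Bell 202 FSK riding on the 4–20 mA loop). As an added example of my own, not code from the Wikipedia article or from the HART Communication Foundation, here is how a loop-monitoring or forensics tool would parse and validate a classic wired HART data-link frame. It assumes the standard frame layout: preamble of 0xFF bytes, start delimiter, a 1-byte (short) or 5-byte (long) address, optional expansion bytes, command, byte count, data, and a checksum that is the XOR of every byte from the delimiter through the last data byte. The request/reply pair is constructed, not captured traffic, and the label "degrees Celsius" for units code 32 is from memory of the HART unit table. Note the defensive caveat the code makes explicit: the XOR checksum is longitudinal parity for catching line noise; wired HART carries no authentication, so a frame that passes the check is well-formed, not trustworthy.

```python
"""Parse and validate classic wired HART (Bell 202 FSK) data-link frames.

Added example, not taken from the Wikipedia article or from the HART
Communication Foundation. Assumed frame layout (from the HART data-link spec):
  preamble (0xFF bytes) | delimiter | address (1 or 5 bytes) |
  expansion bytes (HART 6+) | command | byte count | data | checksum
where checksum = XOR of every byte from the delimiter to the last data byte.
"""
import struct
from typing import Tuple

PREAMBLE = 0xFF
# Delimiter bits 0-2 give the frame type; bit 7 selects the 5-byte "long" address;
# bits 5-6 count expansion bytes (HART 6 and later).
FRAME_TYPES = {1: "BACK", 2: "STX", 6: "ACK"}  # burst, master request, slave reply


def hart_checksum(body: bytes) -> int:
    """Longitudinal parity: XOR of the delimiter through the last data byte.
    This is an integrity check against line noise, not an authentication tag."""
    acc = 0
    for b in body:
        acc ^= b
    return acc


def build_hart_frame(delimiter: int, address: bytes, command: int,
                     data: bytes = b"", preamble_len: int = 5) -> bytes:
    """Assemble a frame; used here only to construct sample traffic."""
    body = bytes([delimiter]) + address + bytes([command, len(data)]) + data
    return bytes([PREAMBLE]) * preamble_len + body + bytes([hart_checksum(body)])


def parse_hart_frame(raw: bytes) -> dict:
    """Decode one frame; raise ValueError on any structural or checksum fault."""
    i = 0
    while i < len(raw) and raw[i] == PREAMBLE:
        i += 1
    if i < 2:
        raise ValueError("preamble too short: receivers need at least two 0xFF bytes")
    if i >= len(raw):
        raise ValueError("no delimiter after preamble")
    body_start = i
    delim = raw[i]
    i += 1
    long_addr = bool(delim & 0x80)
    frame_type = FRAME_TYPES.get(delim & 0x07)
    if frame_type is None:
        raise ValueError(f"unknown frame type in delimiter 0x{delim:02x}")
    n_expansion = (delim >> 5) & 0x03
    addr_len = 5 if long_addr else 1
    # Need address, expansion bytes, command, byte count and checksum at minimum.
    if len(raw) < i + addr_len + n_expansion + 3:
        raise ValueError("frame truncated before byte count")
    addr = raw[i:i + addr_len]
    i += addr_len + n_expansion  # expansion bytes are skipped by this parser
    command, count = raw[i], raw[i + 1]
    i += 2
    data = raw[i:i + count]
    i += count
    if len(data) != count or i >= len(raw):
        raise ValueError("byte count exceeds the bytes actually received")
    expected = hart_checksum(raw[body_start:i])
    if raw[i] != expected:
        raise ValueError(f"checksum mismatch: got 0x{raw[i]:02x}, expected 0x{expected:02x}")

    info = {
        "frame_type": frame_type,
        "long_address": long_addr,
        "primary_master": bool(addr[0] & 0x80),  # bit 7: primary vs secondary master
        "burst_mode": bool(addr[0] & 0x40),      # bit 6: device is in burst mode
        "command": command,
        "data": data,
    }
    if long_addr:
        info["manufacturer_id"] = addr[0] & 0x3F
        info["device_type"] = addr[1]
        info["device_id"] = int.from_bytes(addr[2:5], "big")
    else:
        info["polling_address"] = addr[0] & 0x3F
    if frame_type in ("ACK", "BACK"):
        # Every slave frame leads its data with response code and device status.
        if len(data) < 2:
            raise ValueError("slave frame lacks response code / device status bytes")
        info["response_code"], info["device_status"] = data[0], data[1]
    return info


def decode_read_pv(info: dict) -> Tuple[int, float]:
    """Command 1 (Read Primary Variable) reply: units code + big-endian IEEE 754 float."""
    if info["frame_type"] != "ACK" or info["command"] != 1:
        raise ValueError("not a command 1 reply")
    payload = info["data"][2:]  # skip response code and device status
    if len(payload) < 5:
        raise ValueError("command 1 reply too short")
    (pv,) = struct.unpack(">f", payload[1:5])
    return payload[0], pv


def is_frame_valid(raw: bytes) -> bool:
    """Convenience wrapper for filtering a stream of captured frames."""
    try:
        parse_hart_frame(raw)
        return True
    except ValueError:
        return False


# Constructed sample exchange (not captured traffic): the primary master polls
# polling address 0 with command 1; the device answers response code 0, device
# status 0, units code 32 (degrees Celsius, as I recall the HART unit table;
# verify against the spec), PV = 25.5.
REQUEST = build_hart_frame(0x02, bytes([0x80]), 1)
REPLY = build_hart_frame(0x06, bytes([0x80]), 1,
                         bytes([0x00, 0x00, 32]) + struct.pack(">f", 25.5))

if __name__ == "__main__":
    for label, frame in (("request", REQUEST), ("reply", REPLY)):
        print(label, frame.hex(), parse_hart_frame(frame))
    print("PV:", decode_read_pv(parse_hart_frame(REPLY)))
    corrupted = bytearray(REPLY)
    corrupted[-4] ^= 0x01  # flip one bit of the PV; checksum no longer matches
    print("corrupted reply valid?", is_frame_valid(bytes(corrupted)))
```

Running it prints the decoded request and reply, the primary variable (32, 25.5), and `False` for the corrupted copy. The parser deliberately rejects anything it cannot fully account for (short preamble, unknown frame type, byte count beyond the buffer, bad parity); on a passive loop monitor that strictness is what separates a noisy capture from a well-formed frame worth logging.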

Summary of Modbus, DNP3 and HART

I am going to keep posting these little summaries until I have covered the following protocols:

Modbus (covered)
DNP3 (covered)
HART (covered)
EthernetIP / Common Industrial Protocol
IEC 61850
Siemens S7Comms

mainly because my GICSP is up for renewal this year and this just helps me refresh.

Saturday, March 28, 2020

Not much caught my eye today EXCEPT DefCon is starting a book club

details here

Enter the #defconbookclub! Starting In April, we’re inviting you to join us - we’ll all read a book together and discuss it in its own Forum thread.

Friday, March 27, 2020

What I'm Reading 3/27/2020 - More APT fun

Books -

Network Forensics Tracking Hackers Through Cyberspace

Wired for War: The Robotics Revolution and Conflict in the 21st Century

Blogs / News -

Threatpost - Emerging APT Mounts Mass iPhone Surveillance Campaign -
A recently discovered, mass-targeted watering-hole campaign has been aiming at Apple iPhone users in Hong Kong – infecting website visitors with a newly developed custom surveillance malware. The bad code – the work of a new APT called “TwoSail Junk” – is delivered via a multistage exploit chain that targets iOS vulnerabilities in versions 12.1 and 12.2 of Apple’s operating system, according to researchers.
As I read it, Kaspersky believes this APT is Chinese in origin, with ties to other older Chinese APTs.

SEL Inc - Solving Performance and Cybersecurity Challenges in Substation and Industrial Networks With Software-Defined Networking -

Academic paper but interesting

Wired - An Elite Spy Group Used 5 Zero-Days to Hack North Koreans -
Cybersecurity researchers at Google's Threat Analysis Group revealed on Thursday that an unnamed group of hackers used no fewer than five zero-day vulnerabilities, or secret hackable flaws in software, to target North Koreans and North Korea-focused professionals in 2019. The hacking operations exploited flaws in Internet Explorer, Chrome, and Windows with phishing emails that carried malicious attachments or links to malicious sites, as well as so-called watering hole attacks that planted malware on victims' machines when they visited certain websites that had been hacked to infect visitors via their browsers.
Google declined to comment on who might be responsible for the attacks, but Russian security firm Kaspersky tells WIRED it has linked Google's findings with DarkHotel, a group that has targeted North Koreans in the past and is suspected of working on behalf of the South Korean government.
Art of Manliness - How to Clean Your Entire House in 30 Minutes

Medium - The five pillars of cyber security -
Protecting our critical infrastructure is essential. Such is our reliance on the efficient supply of power that any loss of electricity would carry heavy implications for a wide range of vital services. The new IEC report advocates using a risk-based systems approach founded on best practices, as well as the ability to demonstrate the effective and efficient implementation of the security measures. This means combining the right international standards with conformity assessment to assess the components of the system, the competencies of the people designing, operating and maintaining it, and the processes and procedures used to run it. In a world where cyber threats are becoming increasingly common, being able to apply a specific set of international standards combined with a dedicated and worldwide certification programme, is a proven and highly effective approach to ensuring long-term cyber resilience.
Wired - The Secret History of a Cold War Mastermind -
That alternative plan is at the core of the legend of Gus Weiss. The best-known version of the tale goes like this: High up on the Soviet tech shopping list was software to regulate the pressure gauges and valves for the critical Siberian gas pipeline. According to Tim Weiner’s Legacy of Ashes, the Soviets sought the software on the open market. American export controls prohibited its sale from the US. However, a small industrial software company located in Calgary called Cov-Can produced what the Soviets wanted. As Weiner writes, “The Soviets sent a Line X officer to steal the software. The CIA and the Canadians conspired to let them have it.”
The faulty software “weaved” its way through Soviet quality control. The pipeline software ran swimmingly for months, but then pressure in the pipeline gradually mounted. And one day—the date remains unclear, though most put it in June 1982—the software went haywire, the pressure soaring out of control. The pipeline ruptured, igniting a blast in the wilds of Siberia so massive that, according to Thomas C. Reed’s At the Abyss, “at the White House, we received warning from our infrared satellites of some bizarre event out in the middle of Soviet nowhere. NORAD feared a missile liftoff from a place where no rockets were known to be based. Or perhaps it was the detonation of a nuclear device. The Air Force chief of intelligence rated it at three kilotons.”
The pipeline explosion is said to have cost Moscow tens of millions of dollars it could ill afford to waste.
The Gus Weiss Monograph mentioned in the article is here

Thursday, March 26, 2020

What I'm reading 3/26/2020 - The I'm Feeling Lazy Today Edition

Fifth Domain - Who should be responsible for critical infrastructure’s cybersecurity? -
New research from industrial cybersecurity company Claroty found that the overwhelming majority of IT professionals believe the government should be responsible for securing critical infrastructure.
According to Claroty’s new report, “The Global State of Industrial Cybersecurity," 87 percent of U.S. respondents said that it’s the federal government’s responsibility to ensure the security of critical infrastructure, the lowest number among the five countries polled.

ZDNet - Palo Alto Networks intros new security features in Prisma Cloud -
Palo Alto Networks on Wednesday announced new features for Prisma Cloud, the company's Cloud Native Security Platform (CNSP). New features in this latest release focus on giving DevOps and SecOps teams more visibility and improved security across the technology stack.

Fifth Domain - One senator wants vendors to ensure their internet connectivity devices are secure -
Sen. Mark Warner is urging several network device vendors to ensure their products remain secure as millions of Americans work from home to slow the spread of the new coronavirus.
In his letters to Google, Netgear, CommScope, Asus, Belkin and Eero, the Virginia Democrat specifically expressed concern about wireless access points, routers, modems, mesh network systems and “related connectivity devices.”

Engadget - Chinese digital spying is becoming more aggressive, researchers say -
Chinese government contractors carrying out cyber attacks is nothing new, but the scope of these current initiatives is concerning. Companies in about 20 countries are being targeted, and APT41 is carrying out subsequent attacks frequently: "This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years," says FireEye. "This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage." Whether the attackers are purposely taking advantage of a reduced cybersecurity workforce during the coronavirus pandemic or the timing is just a coincidence remains to be determined.
APT-41 again

Wednesday, March 25, 2020

What I'm Reading 3/25/2020 - Coronavirus and Chinese Hackers... Again

Books -

Network Forensics Tracking Hackers Through Cyberspace

Blogs / News -

Fifth Domain - Trump administration must produce 5G security strategy under new law -
President Donald Trump signed a 5G security bill March 23 that requires the executive branch to develop a strategy to secure and protect 5G and future generation networks.
The new law, titled the Secure 5G and Beyond Act, comes as the United States government struggles to convince close allies not to use what it considers risky telecom suppliers, such as Huawei, as they build their 5G networks and workers across the United States work from home due to the new coronavirus. The fifth-generation network is expected to speed up connectivity for connected users.

City Lab - When Cities Went Electric -
The point of the White City and the Chicago World Fair of 1893 was to incorporate electricity into everything, so that people could see with their own eyes how their lives were going to change and how the world was going to look. Until then, electricity was kind of invisible, so it seemed mysterious and was something most people had never seen. Around 92 million people went to the fair. There were things like electric fountains that danced and had colored lights. There was a moving walkway, the kind you see in airports today, which no one had ever seen before. There was an electric kitchen; no one had ever seen that. They’d describe these things as such pie-in-the-sky. The goal was that everything would be powered by electricity, and they succeeded. It all worked very seamlessly and was kind of invisible. And it meant the fair could be open at night.
Dark Reading - How Attackers Could Use Azure Apps to Sneak into Microsoft 365 -
The Varonis research team encountered this vector while exploring different ways to exploit Azure, explains security researcher Eric Saraga. While they found a few campaigns intended to use Azure applications to compromise accounts, they discovered little coverage of the dangers. They decided to create proof-of-concept apps to demonstrate how this attack might work. It's worth noting they did not discover a flaw within Azure, but instead detail ways its existing features could be maliciously used.

Stanford University - N95 Masks can be sterilized

CNN - FDA says it is expediting the use of a blood plasma treatment as New York begins to roll out new clinical trials -
The US Food and Drug Administration on Tuesday said it is expediting the use of a blood plasma treatment for patients seriously ill with the coronavirus, making it easier for doctors to try another tool to attack the illness.
The FDA said in a news release that it is "facilitating access" for patients with life threatening infections to blood plasma taken from a person who recovered after once testing positive for the virus.
The New York State Department of Health is also rolling out clinical test trials for anti-malaria drug Hydroxychloroquine and the antibiotic Azithromycin. The patients who are hospitalized with moderate or severe coronavirus will be eligible to receive the treatment.
Related - Tech Crunch - New study casts doubt on hydroxychloroquine’s effectiveness in treating coronavirus -
In a prime example of why President Trump shouldn’t be endorsing any unproven potential treatments for the novel coronavirus behind the current global pandemic, a new small-scale study by researchers in China indicates that the antimalarial drug hydroxychloroquine actually isn’t any more effective than standard, existing best practice for conventional care of patients with the virus.
I don't want to attribute motives to people where they may not be present, but the tone of this article comes off as almost gleeful that this treatment may not be effective.

Also Related - Al Jazeera - Doctor's Note: Can herd immunity solve coronavirus? -
To stop the spread of measles in the United Kingdom, for example, there needs to be a 95 percent vaccine take-up to reach herd immunity. In the case of coronavirus, the UK's Chief Scientific Adviser has stated that it needs to be around 60 percent. This value is derived by scientists through some very complex modelling of the virus and determining how contagious it is.
While coronavirus has proved so far to be a fairly mild infection for the majority of young, healthy people, for the elderly or those with underlying health problems, it can be serious and potentially fatal. It is this group we are trying to protect with herd immunity.
Threatpost - Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign -
Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in “one of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.”
“While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,” wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a Wednesday analysis.
Related - Cyberscoop - Chinese hackers hit Citrix, Cisco vulnerabilities in sweeping campaign -
“Based on our current visibility it is hard to ascribe a motive or intent to the activity by APT41,” Glyer told CyberScoop. “There are multiple possible explanations for the increase in activity including the trade war between the United States and China as well as the COVID-19 pandemic driving China to want intelligence on a variety of subjects including trade, travel, communications, manufacturing, research and international relations.”
Engadget - An enterprise SSD flaw will brick hardware after exactly 40,000 hours -
Hewlett Packard Enterprise (HPE) has warned that certain SSD drives could fail catastrophically if buyers don't take action soon. Due to a firmware bug, the products in question will be bricked exactly 40,000 hours (four years, 206 days and 16 hours) after the SSD has entered service. "After the SSD failure occurs, neither the SSD nor the data can be recovered," the company warned in a customer service bulletin.
Ars Technica - Never-before-seen attackers are targeting Mideast industrial organizations -
Researchers have unearthed an attack campaign that uses previously unseen malware to target Middle Eastern organizations, some of which are in the industrial sector.
Researchers with Kaspersky Lab, the security firm that discovered the campaign, have dubbed it WildPressure. It uses a family of malware that has no similarities to any malicious code seen in previous attacks. It's also targeting organizations that don't overlap with other known campaigns.

Tuesday, March 24, 2020

What I am reading 3/24/2020

Books -

Network Forensics Tracking Hackers Through Cyberspace

Blogs / News -

Help Net Security - Widely available ICS attack tools lower the barrier for attackers -
“As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often requires specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly,” FireEye researchers point out.
Cyberscoop - Kaspersky finds a new APT campaign targeting engineers in the Middle East -
A mysterious set of hackers last year began a targeted campaign to breach industrial organizations in the Middle East, antivirus firm Kaspersky said Tuesday.
Attackers have sought to breach engineers, particularly in a single, unnamed Middle Eastern country, adding to a long history of cyber operations in the region. They’re relying on a strain of malicious software that’s tailored for espionage, and does not appear to match any code the researchers have seen before. Exactly who is behind the effort remains unclear.
CNN - China to lift lockdown on Wuhan, ground zero of coronavirus pandemic -
China has announced it will lift the lockdown on Wuhan, the city at the epicenter of the coronavirus pandemic, on April 8, marking a significant milestone in its battle against the deadly outbreak.
The easing of travel restrictions follows a significant reduction in new infections in Hubei, with new cases dropping to zero for five consecutive days from March 19 -- down from thousands of daily new cases at the height of the epidemic in February. On Tuesday, the province reported one new case in Wuhan, a doctor at the Hubei General Hospital.
Stratechery - Compaq and Coronavirus -
That was taken by me, outside of my apartment building; apparently one of my neighbors just returned from America and the police were checking on his home quarantine. In fact, look more closely at what Taiwan has done to contain SARS-CoV-2 to-date — you can reframe everything in a far more problematic way:
  • Restrict international movement and close borders (including banning all non-resident foreigners this week)
  • Integrate and share private data across government agencies and with hospitals.
  • Track private individual movements via their smartphones.
Even the mask production I praised required requisitioning private property by the government, and the refusal of local businesses to serve customers without masks or insist on taking their temperature is probably surprising to many in the West.
And yet, life here is normal. Kids are in school, restaurants are open, the grocery stores are well-stocked. I would be lying if I didn’t admit that the rather shocking assertions of government authority and surveillance that make this possible, all of which I would have decried a few months ago, feels pretty liberating even as it is troubling. We need to talk about this!
DefCon Forums - Book Club

Yahoo - With China gunning for aircraft carriers, US Navy says it must change how it fights -
Just because China might be able to hit U.S. Navy aircraft carriers with long-range anti-ship missiles doesn’t mean carriers are worthless, the service’s top officer said Thursday.
The chorus of doom and gloom over China’s anti-access weapons is too simplistic, Chief of Naval Operations Adm. Michael Gilday said, but that doesn’t mean the Navy should refrain from adjusting the way it fights.
“Let’s look at this like a physics problem,” Gilday proposed. “[People will say]: ‘Hypersonics go really fast and they travel at long ranges. Carriers can only travel [‘X’ distance], so carriers are going to have to go away.’ That’s a very simplistic way to look at the problem.
Github - An introduction to Python and programming for wanna-be data scientists

ZDNet - Microsoft warns of Windows zero-day exploited in the wild -
The zero-day is located in the Adobe Type Manager Library (atmfd.dll), a library that Microsoft uses to render PostScript Type 1 fonts inside Windows.
Microsoft says there are two remote code execution (RCE) vulnerabilities in this built-in library that allow attackers to run code on a user's system and take actions on their behalf.

Monday, March 23, 2020

What I am reading 3/23/2020

Books -

Network Forensics Tracking Hackers Through Cyberspace

Making some progress on this one but not as much as I would like.

Wired for War: The Robotics Revolution and Conflict in the 21st Century

Blogs / News -

Even if you’re staunchly anti-ebook, you may want to consider giving them a shot, and here’s why: Several digital retailers and ebook apps are giving away scores of free titles right now. You can stock up your phone, tablet, or even your PC with a free digital library that can easily carry you through these uncertain times, and well into whatever the world looks like once we’re on the other side of it all.
Undeterred by the coronavirus pandemic that has brought most of the US economy to a halt, truck stops remain open, offering truckers a place to eat, rest and refuel on their way to delivering critical supplies to a nation that's hunkering down to slow the spread of COVID-19.
Earlier this week, the US Department of Transportation said truck stops now qualify as an essential business, meaning they are viewed as too vital to shut down.
"In the coming weeks and months, it will be critical that these businesses remain open 24 hours a day," Jim Mullen, acting administrator of the Federal Motor Carrier Safety Administration, the government agency that regulates the nation's trucking industry, wrote in a letter to the National Association of Truck Stop Operators.
Reuters - Western supply chains buckle as coronavirus lockdowns spread -
While China’s draconian steps to stop the spread of the virus are now allowing its economy slowly to come back online, supply chains are backing up in other parts of the world.
Problems ranging from finding enough truck drivers to restrictions on seafarers and a lack of air freight are hitting the smooth flow of goods, freight logistics operators say.
Crowds descended on California beaches, hiking trails and parks over the weekend in open defiance of a state order to shelter in place and avoid close contact with others.
California Gov. Gavin Newsom issued a shelter in place order directing the state's nearly 40 million residents to stay home beginning March 20 to help stop the spread of coronavirus.
Instead, many public spaces were packed, prompting officials in some cities to order parks, recreation areas and beaches to close.
Nikkei Asian Review - Top iPhone assembler Foxconn secures workers at all plants -
Taiwan's Foxconn, the top assembler of Apple's iPhones, said it has secured enough workers to meet "seasonal demand" at all major Chinese plants, stressing a steady recovery from the labor shortage caused by the novel coronavirus epidemic on the mainland.
The company issued a statement Sunday night saying recruitment goals have been reached "ahead of schedule at the plants." This signals progress from early March when Chairman Young Liu told investors that Chinese plants were operating at roughly 50% capacity of normal.
Fox - There's drug combo to shorten coronavirus, French researchers say -
Researchers in France have issued a statement detailing how a combination of antimalarial medication and antibiotics could be a vital weapon in the battle against coronavirus.
The work by researchers at IHU-Méditerranée Infection in Marseille has garnered global attention, notably from President Trump. Researchers prescribed the antimalarial hydroxychloroquine and the antibiotic azithromycin to patients earlier this month, according to the research, which is published in the International Journal of Antimicrobial Agents. Some experts, however, have also urged caution around the drug combination.
Fifth Domain - What COVID-19 can teach us about cyber resilience -
The similarity with the COVID-19 outbreak to a cyber campaign is the disruption in logistics and services, how the population reacts, as well as the stress it puts on law enforcement and first responders. These events can lead to questions about the ability to maintain law and order and the ability to prevent destabilization of a distribution chain that is built for just-in-time operations with minimal margins of deviation before it falls apart.
The sheer nature of these second-tier attacks is unsystematic, opportunity-driven. The goal is to pursue disruption, confusion, and stress. An authoritarian regime would likely not be hindered by international norms to attack targets that jeopardize public health and create risks for the general population. Environmental hazards released by these attacks can lead to risks of loss of life and potential dramatic long-term loss of life quality for citizens. If the population questions the government’s ability to protect, the government’s legitimacy and authority will suffer. Health and environmental risks tend to appeal not only to our general public’s logic but also to emotions, particularly uncertainty and fear. This can be a tipping point if the population fears the future to the point it loses confidence in the government.

CSO - New York's SHIELD Act could change companies’ security practices nationwide -
The potential widespread impact of the SHIELD Act for the country as a whole is contingent on the third requirement that extends the bill's provision to any business that collects or maintains private information on a New York resident. Given the size and importance of New York, it seems likely that all major tech and internet companies that hold private information on a New York resident will therefore have to abide by the data security requirements. Just for expediency's sake, any changes that protect New York residents' data will likely extend to the data companies collect and hold for any consumers.
Defense News - Pentagon loosens cash flow for industry, more measures likely coming -
In a memo released Sunday, the department announced that progress payment rates for defense items under contract will increase from 80 percent of cost to 90 percent for large businesses, and from 90 percent to 95 percent for small businesses. The move will allow industry to receive more cash up front than under normal circumstances.