Cyber Weekly Roundup - April 13, 2017 - NetCentrics

Weekly Roundup

Cyber Weekly Roundup – April 13, 2017

By Andrew Paulette

1.) Securing Driverless Cars From Hackers Is Hard. Ask the Ex-Uber Guy Who Protects Them (April 12, 2017)

https://www.wired.com/2017/04/ubers-former-top-hacker-securing-autonomous-cars-really-hard-problem/

Summary: Two years ago, Charlie Miller and Chris Valasek pulled off a demonstration that shook the auto industry, remotely hacking a Jeep Cherokee via its internet connection to paralyze it on a highway. Since then, the two security researchers have been quietly working for Uber, helping the startup secure its experimental self-driving cars against exactly the sort of attack they proved was possible on a traditional one. Now, Miller has moved on, and he’s ready to broadcast a message to the automotive industry: Securing autonomous cars from hackers is a very difficult problem. It’s time to get serious about solving it.

Why it matters: This article serves as a great write up not only for the upcoming challenges in securing self driving cars, but really highlights the importance of securing any device where some form of AI is bolted on to an existing product. As the article suggests, attempting to approach security as an afterthought or use ‘stovepipe’ solutions (implementing an individual fix for  each newly discovered risk that is not integrated into a larger security ecosystem) is not the best approach.  Instead, this new form of technology offers the unique opportunity for industry to design robust security controls from the creation of these products, something which would lead to a more secure design overall for these vehicles.  Only time will tell if automotive makers will take the steps necessary to secure these vehicles before a serious security incident occurs.

2.) How the FBI Took Down Russia’s Spam King—And His Massive Botnet (April 11, 2017)

https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/

Summary: One of the world’s most notorious spammers appears to have been tripped up by a basic cybersecurity no-no, according to the FBI: He used the same log-in credentials to both run his criminal enterprise and also log into sites like iTunes.

Why it matters: An interesting read that serves as an overview of how U.S. law enforcement builds cases against international cybercrime. Of note in this article is how a simple failure in Lavashov’s operational security (reusing the same passwords for multiple sites which served as a fingerprint for his activities) gave the  concrete evidence necessary to build a case against Lavashov, which led to his arrest. This case serves as a reminder to cybersecurity professionals working for national governments of the risks of not following best security practices.

3.) Microsoft Word 0-day used to push dangerous Dridex malware on millions (April 10, 2017)

https://arstechnica.com/security/2017/04/microsoft-word-0day-used-to-push-dangerous-dridex-malware-on-millions/

Summary: Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, currently one of the most dangerous bank fraud threats on the Internet.

Why it matters: While already patched by Microsoft, this zero-day exploit serves as a  reminder that ultimately, user training is necessary to reduce the risk from any type of phishing attacks. Even once this vulnerability is patched, macro-enabled attacks against users  will continue – instead of relying solely on technical controls built into the OS and other security products, companies need to ensure their users are appropriately trained to question unsolicited attachments sent via email, especially if they contain information that seems to entice the user to open the file.

4.) That Dallas Siren Hack Wasn’t Novel—It Was Just Really Loud (April 10, 2017)

https://www.wired.com/2017/04/dallas-siren-hack-wasnt-novel-just-really-loud/

Summary: The sound of Dallas’s 156 emergency sirens blaring in unison unsettled many of the city’s residents. They sounded about 15 times in all, with each signal lasting 90 seconds—all the while, with no tornado in sight. They were instead triggered by unknown hackers, who also managed to poignantly (if unintentionally) raise awareness about the threat of infrastructure insecurity. Emergency systems get hacked all the time. This one just happened to wake people up.

Why it matters: This article serves as a resounding (pun intended) reminder of the risk that network connected ISC/SCADA devices pose. While the nature of this attack is somewhat unique  due to the higher degree of separation from network connectivity, the fact that attempts to hack ISC and SCADA devices are increasing is of great concern.  These attacks can also have additional consequenes – in the case of this siren hack, 911 experienced higher call volumes which potentially could have hampered other emergency service calls.

It’s time for a proper risk assessment to be performed to determine the benefits versus the risks for those infrastructure control systems which are network connected to determine what measures need to be taken to properly mitigate risks, and if even after this mitigation, the risk to the public is worth the benefits that come with network connectivity.