Cyber Weekly Roundup – February 23, 2017

1.) IoT Attack Against a University Network (February 17, 2017)
https://www.schneier.com/blog/archives/2017/02/iot_attack_agai.html

Summary: Using over 5,000 hijacked IoT devices at an undisclosed university, hackers attacked the very network where these devices were located. Analysis of the university firewall revealed each device was making hundreds of DNS lookups every 15 minutes for seafood restaurants in an attempt to slow down the network. The attack was remedied by cybersecurity professionals.

Why it matters: While this is the first publicly reported incident of an IoT network being used to attack its own LAN, these types of attacks will no doubt become more common in the future. IoT is going to become a bigger vector for denial-of-service attacks since manufacturers currently pay so little attention to securing these devices – securing a $50 security camera or other device is just not cost effective for the manufacturer. As this article demonstrates, while the price of a device may not justify the user's expense of securing it, the risk it imparts to the rest of the network is enough to make organizations consider securing the devices. Until vendors figure out a better solution to securing these devices, this article makes the right recommendations – place these IoT devices on a different network than the rest of your IT, limit who can access them (especially from the internet), and have the option to cut that network off from the rest of your LAN if it is used as an attack vector.
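The lookup pattern in the summary (hundreds of DNS queries per device every 15 minutes) is something a defender can count for directly in resolver or firewall logs. The following is an added example, not code from the article or the affected university; the log format, the IoT subnet `10.20.0.0/16`, the threshold of 100 and all `.test` hostnames are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

WINDOW = 15 * 60        # the 15-minute interval reported in the article
THRESHOLD = 100         # assumed cutoff for "hundreds" of lookups per window
IOT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed segregated IoT range

def parse_line(line):
    """Parse '<epoch> <client_ip> <qname>' (a constructed log format)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return int(parts[0]), ipaddress.ip_address(parts[1]), parts[2].lower().rstrip(".")
    except ValueError:
        return None  # malformed timestamp or address

def noisy_iot_clients(lines, threshold=THRESHOLD):
    """Return sorted (client, window_start, lookups, top_qname) over threshold."""
    per_window = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] not in IOT_NET:
            continue  # skip unparseable lines and hosts outside the IoT range
        ts, client, qname = rec
        per_window[(str(client), ts - ts % WINDOW)][qname] += 1
    hits = []
    for (client, start), names in per_window.items():
        total = sum(names.values())
        if total > threshold:
            hits.append((client, start, total, names.most_common(1)[0][0]))
    return sorted(hits)

def build_sample_log():
    """Constructed traffic: two noisy IoT hosts, one quiet one, one non-IoT host."""
    base = 1487300400  # constructed epoch, aligned to a 15-minute boundary
    log = [f"{base + 3 * i} 10.20.3.7 {'menu' if i % 3 == 0 else 'lobster'}.seafood.test"
           for i in range(300)]
    log += [f"{base + 6 * i} 10.20.3.9 crab.seafood.test" for i in range(150)]
    log += [f"{base + 900 + 10 * i} 10.20.3.9 crab.seafood.test" for i in range(50)]
    log += [f"{base + 200 * i} 10.20.3.8 ntp.vendor.test" for i in range(4)]
    log += [f"{base + i} 192.168.1.50 intranet.campus.test" for i in range(500)]
    log.append("not-a-timestamp 10.20.3.7 broken.test")
    return log

if __name__ == "__main__":
    for hit in noisy_iot_clients(build_sample_log()):
        print(hit)
```

Scoping the count to the IoT range only works if the devices already sit on their own network, which is the segmentation the article recommends.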

2.) Bruce Schneier: Public-service technologists are needed to tame the IoT (February 15, 2017)
http://www.cio.com/article/3170786/security/bruce-schneier-public-service-technologists-are-needed-to-tame-the-iot.html

Summary: In a presentation delivered at the RSA Conference 2017, cryptographer Bruce Schneier called on security experts to help drive regulation of IoT devices before more serious attacks strike, ranging from severe service outages to loss of human life. In his speech, Schneier suggested that by creating civic-minded technologists to help the government craft policy on IoT and its markets, the government will be able to craft policy that correctly handles the moral, political, and ethical issues associated with IoT.

Why it matters: No one likes regulation in their business, as regulation can stifle the innovation and competition which are hallmarks of a successful capitalist economy. That said, as the internet moves from being a method of sharing information to a pathway that controls the objects in our everyday lives, the scale and impact of a potential attack have increased. There are regulations for many devices that have a direct effect on human life such as planes and cars, and IoT devices (especially medical devices that give a direct path of attack to human life) will likely see more regulation soon, especially if the market does not come up with an effective solution to curtail the problem. As regulation and standards for these devices are formalized, policy makers must decide how to handle those devices which are already in use – these billions of devices will represent a large attack surface across the internet that will be in use for years to come, and unless some form of central management is developed to secure these devices, the threat from IoT will persist long after regulation is created. Until these questions are sorted out, organizations and users should ask themselves the simple question of “does this really need to be accessible via the network (LAN or Internet)?” before purchasing IoT devices.

3.) Understanding differences between corporate and consumer Gmail threats (February 16, 2017)
https://security.googleblog.com/2017/02/understanding-differences-between.html

Summary: In a summary of their full presentation given at RSA Conference 2017, Google presented metrics regarding the diversity of threats faced by consumer vs. corporate email account services offered by Google. The goal of the presentation was to help the security community understand the nuances in the types of threats faced by each industry, and to offer recommendations on how to protect their accounts from compromise.

Why it matters: While the findings are interesting, this presentation really highlights the importance of information sharing in the cybersecurity community. For a company like Google, sharing anonymized data that shows the trends in how attackers choose their targets can help the industry as a whole better assess their risk, and therefore spend appropriately to mitigate these risks.

4.) Microsoft delays Patch Tuesday as world awaits fix for SMB flaw (February 14, 2017)
https://arstechnica.com/information-technology/2017/02/microsoft-delays-patch-tuesday-as-world-awaits-fix-for-smb-flaw/

Summary: Due to a “last-minute issue that could impact some customers,” Microsoft opted to delay the release of an entire month’s worth of security updates for Windows and its other products. While Microsoft has delayed individual patches in the past, its recent adoption of bundling patches as an all-or-nothing update forced it to delay every update for the month. Microsoft normally releases patches on the second Tuesday of every month (known as “Patch Tuesday” by the IT industry). This delay is further complicated by an in-the-wild zero-day flaw in Microsoft’s file sharing protocol, SMB, which allows remote hosts to crash a host system if the correct conditions are met.

Why it matters: Microsoft’s new patching structure has been both criticized and commended for forcing users to install a single bundled patch instead of letting them choose individual updates. While it forces a more secure configuration, it does not afford users the opportunity to decline particular updates that may not work in their operating environment. In addition to this risk to the user, today’s delay illustrates the risk taken by Microsoft in adopting this policy – if a single update does not meet their standards for release, they are not able to release any patches.

Microsoft must have balanced the risk of this approach with the benefits of collapsing their patch cycle into a single update and found that the benefits still outweighed the risks. Given the zero-day as part of this patch set, however, this decision does beg the question of whether or not the risk outweighs the benefits. Would a zero-day in-the-wild exploit allowing for remote code execution change the risk-benefit model so that it is intolerable to Microsoft? It’s definitely a story to keep an eye on, to see how long Microsoft delays their patch cycle, and how often such delays occur.

5.) Ransomware Demo Holds Industrial Systems Hostage (February 15, 2017)
https://www.infosecurity-magazine.com/news/ransomware-demo-holds-industrial/

Summary: “Security researchers have highlighted the weaknesses inherent in industrial control systems by designing a new strain of ransomware to compromise the programmable logic controllers (PLCs) used in many manufacturing plants, water treatment facilities, and building management systems.”

Why it matters: Industrial control systems have traditionally been thought of as a target for nation-state hackers, as in the attacks against the Ukrainian power grid (https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/). This research illustrates how “financially-motivated” cybercriminals can target industrial control systems with a critical requirement for constant availability. Attacking these sorts of systems seems like a logical progression for cyber criminals – with the increased use of ransomware against users and organizations, those groups who want to continue a healthy flow of profit will no doubt diversify their attacks to move beyond workstations and traditional servers, as well as specialize in higher value targets such as SCADA and ICS. The need to keep these systems online may result in a dramatically larger payout, making the time spent in preparing for such an attack worth it.

6.) The need for a Digital Geneva Convention (February 14, 2017)
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.001z1298g1fudoz11wk28fc5jiqer

Summary: During this year’s RSA USA Conference, Microsoft’s President, Brad Smith, recommended a set of rules similar to the Geneva Conventions of 1949 to protect civilians from nation-state hacking, as well as to set up rules of conduct regarding vulnerability disclosure and how the private sector contributes to nation-state cyber operations. In order to uphold these agreements, Mr. Smith suggested the creation of an independent organization to investigate and make evidence of nation-state attacks available, such as the Atomic Energy Agency that works to deter nuclear weapons.

Why it matters: With the nature of cyber attacks and cyber operations extending beyond one nation’s borders, the establishment of international laws governing the “rules of engagement” may go a long way in normalizing the way these operations are conducted to minimize damage, reputational or otherwise, to civilians. While recent publications such as the Tallinn Manual 2.0 have attempted to retrofit current international law to cyber operations, Mr. Smith’s suggestion to create a new set of accords specifically tailored to cyberspace will undoubtedly develop in the coming years – whether due to outcry for such standards, or in reaction to a more serious cyber event that leads to loss of life.