360 Degree Cyber Security, LLC

Author Archive:Chris Wolski

Lost control of traffic control systems

March 24, 2018 – In this day and age, we mostly understand the requirement to protect information, whether it is personal or business related. Positions related to information security can be found around the country, typically in organizations larger than a small enterprise. This includes government organizations at all levels: federal, state, county, and municipal.

These organizations not only have the responsibility of protecting the personally identifiable information of their citizens, but may also have additional standards or requirements they need to follow, such as:

  • PCI/DSS
  • HIPAA/HITECH
  • FERPA

If an organization is solely seeking to meet those requirements, it may be missing additional areas that need to be protected. The Information Security Officer needs to transition to being a Security Officer responsible for securing all things digital, especially those that are critical to normal daily life.

Elements of critical infrastructure, such as the water supply and waste water, have been in the news. Other services that some municipalities provide, and should be concerned with protecting when they are responsible for providing them, are the transmission of electricity, cable TV, and Internet service.

As government agencies increasingly depend on devices that can be remotely managed or that gather information remotely, more of those devices are being placed on the Internet. One such device is the traffic controller. These devices are found at individual intersections and can be linked together to improve traffic flow.

Traffic control systems are a form of industrial control system. They don’t operate at the speeds found in manufacturing systems, but they do operate in a similar manner: they take inputs from road and optical sensors, adjust as programmed, and trigger events such as changing the lights from red to green.

So, what would happen if those control systems are left open to the world? Well, it could lead to scenes found in such movies as Live Free or Die Hard or The Italian Job. Recent research into traffic control systems led to the discovery of over 250 traffic control systems on the Internet in the United States and Canada. Of those discovered, I was able to locate 25 in Canada and 24 in the United States that were open, where the username and password were disabled.

Devices were found that controlled major intersections on a main thoroughfare where a highway intersected the road in two large cities.  Eleven out of 15 traffic control systems were found on a single major road through a city in California.  Several were discovered that belonged to a city in Texas.

What was concerning about the city in Texas was that the city would not have known that a handful of its devices were open to the Internet. Based on the IP address, assumptions can be made about other IP addresses in the same address range that are protected by a login prompt. This may represent all the traffic control systems in the city.

The traffic controllers discovered are modular in nature. Seeing that most of the Texas devices are protected with a username and password, those that are open to the Internet are probably that way due to maintenance in which a module was replaced.

These findings were reported to the U.S. municipalities where the traffic control systems are located, to allow them the opportunity to secure the systems. Hence the lack of specific details in this article.

Protecting traffic control systems from outside access is just as important as protecting all the information that government organizations are responsible for protecting under standards and regulation. Traffic control systems are just as critical as water, sewage, and electricity and should be protected just the same.

Suggestions for organizations that manage traffic control systems:

  • Periodically scan the Internet addresses of traffic control systems known to belong to the government organization to identify which ones are open.
  • Add traffic control systems to a security inventory; in addition to the standard information (model, serial number, etc.), annotate the IP address and port of any web portal the system has enabled.
  • Add traffic control systems to a change control process.
  • After any maintenance, remotely test-connect to the device to ensure that a login is required and that the default login credentials are not in use.
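The first, second and fourth suggestions fit together as one routine: keep the portal address and port in the inventory, then check each entry for a login prompt on a schedule and after every maintenance visit. The script below is an added example, not code from 360 Degree Cyber Security, LLC. The inventory, the addresses (in the 192.0.2.0/24 documentation range) and the recorded responses used to exercise it are constructed; the login-page markers are a simple heuristic you would tune to the controller models you actually run.

```python
"""Audit the web portals of traffic controllers listed in a security inventory.

Added example, not code from 360 Degree Cyber Security, LLC. The inventory,
the addresses (TEST-NET range) and the sample responses are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Controller:
    model: str
    serial: str
    ip: str
    port: int


# Constructed inventory: standard fields plus the IP and port of each web portal.
INVENTORY = [
    Controller("ExampleController-A", "SN-0001", "192.0.2.10", 80),
    Controller("ExampleController-A", "SN-0002", "192.0.2.11", 80),
    Controller("ExampleController-B", "SN-0003", "192.0.2.12", 8080),
]

# A page that carries a password field or a login form is a login prompt.
LOGIN_MARKERS = re.compile(r"""type=["']?password|<form[^>]*login""", re.IGNORECASE)


def classify(status, headers, body):
    """Map one HTTP response to a verdict.

    'login-required': 401/403, a redirect whose target mentions login, or a
                      successful page that contains a login form.
    'open':           any other successful page, i.e. the controller UI is
                      reachable without credentials.
    'unexpected':     anything else (error pages, odd redirects); check by hand.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "").lower()
    if status in (401, 403):
        return "login-required"
    if status in (301, 302, 303, 307, 308) and "login" in location:
        return "login-required"
    if 200 <= status < 300:
        return "login-required" if LOGIN_MARKERS.search(body) else "open"
    return "unexpected"


def http_fetch(ip, port, timeout=5):
    """Fetch the portal front page. Returns (status, headers, body), or None
    when the host does not answer. urllib follows redirects itself, so a
    302-to-login normally arrives here as the login page with status 200."""
    url = f"http://{ip}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, dict(resp.headers), body
    except urllib.error.HTTPError as exc:          # 401, 403, 404 ... still a response
        return exc.code, dict(exc.headers), ""
    except (urllib.error.URLError, OSError):        # refused, timed out, no route
        return None


def audit(inventory, fetch=http_fetch):
    """Return {serial: verdict}. 'fetch' is injectable so the audit can be
    exercised against recorded responses without touching live devices."""
    results = {}
    for dev in inventory:
        resp = fetch(dev.ip, dev.port)
        results[dev.serial] = "unreachable" if resp is None else classify(*resp)
    return results


if __name__ == "__main__":
    for serial, verdict in audit(INVENTORY).items():
        print(f"{serial}: {verdict}")
```

Run it from a host that sits where an outsider would (not from inside the traffic network), and treat any `open` verdict as a change-control incident: the post's point is that a replaced module can silently undo the login setting. `unreachable` is not proof of safety, since the portal may answer on a port the inventory does not list.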

After all, who likes sitting in traffic now? Imagine what would happen if someone wanted to make it worse by remotely controlling the traffic control system from elsewhere in the world.

Ready or not?

February 27, 2018 – Last week, the city of Allentown was hit with Emotet, malware that started as a banking trojan.  Reports indicate that the initial entry into their municipal business environment occurred via phishing.  Once the malware was downloaded and installed, it began to replicate itself across the city government’s network infecting devices and stealing login credentials.  This has resulted in the city’s financial system being offline, the city’s camera surveillance being taken offline, and the city’s police department being disconnected from the Pennsylvania law enforcement network.

It is estimated that the cost to remediate this attack will be close to $1 million. This same malware has infected other government and public-school facilities. In fact, this past January, the same malware cost the Rockingham, North Carolina school district $314,000 to recover from the infection.

What is Emotet? Emotet is malware that started out as a banking trojan three years ago. It was originally designed to sniff network traffic for user login credentials. Over the last three years, the malware has morphed to allow custom modules to be added. Last year, the malware started to use the EternalBlue exploit developed by the NSA and later leaked to the public. This exploit allows the malware to spread across Windows networks to devices that have not been patched. The malware is not easily blocked, as it can be delivered via .js, .pdf, and .doc/.docx files.

What can be done? Ensure that you are auditing your patching to verify that patches are being applied as they should be. This is not to say that this malware spread via the EternalBlue exploit in Allentown; however, since that is a method by which it does spread, are you ready to prevent it from spreading?

Why perform a patch audit? Sometimes patches are pushed in an automated fashion but, for whatever reason, just don’t make it onto a system, and may require a more hands-on approach.


Reference:

https://www.washingtontimes.com/news/2018/feb/21/malware-infection-posed-cost-1-million-allentown-p/

Major security flaw in Apple devices running High Sierra is easily exploited.

November 28, 2017 – If you have Apple devices running High Sierra, there is a critical vulnerability that will allow anyone to access the device if they can get their hands on it. All that needs to be done is log in as Guest, then go to System Preferences > Users & Groups and click the lock to make changes, then use “root” with no password, trying it several times. When the problem is exploited, the user is authenticated into a “System Administrator” account and is given full ability to view files and even reset or change passwords for pre-existing users on that machine.

The following can be done to prevent the problem from occurring until Apple releases the fix.

DISABLING GUEST USER ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Guest User
Step 4 | Uncheck Allow guests to log in to this computer

CHANGING ROOT PASSWORD ON MACOS HIGH SIERRA
Step 1 | Launch System Preferences
Step 2 | Select Users & Groups
Step 3 | Select Login Options
Step 4 | Select Join next to Network Account Server
Step 5 | Select Open Directory Utility
Step 6 | Click the lock and enter your password to make changes
Step 7 | In the menu bar of Directory Utility, select Change Root Password
Step 8 | Create a strong, unique password

Dell Recovery and Backup Service Compromised

October 25, 2017 – Brian Krebs, a known and respected journalist who covers cyber security, reported that Dell Inc. had lost control of the web address used by the Dell Backup & Recovery service installed on just about every Dell computer produced. There are indications that for a few weeks this past summer, a malicious group took control of the address and may have pushed malware via the service. The suspected time frame was between June and July 2017.

During the period of lost control, the website address was directed to a leased server on Amazon that was, and currently continues to be, known for hosting malicious content.

The software that performs the service comes pre-installed on Windows systems according to the Dell support forums.

If you are using a Dell computer that has the Dell Backup & Recovery service running on it, ensure your malware/anti-virus software is up-to-date, and be wary of any calls or pop-ups on your computer claiming to be Dell tech support, even if they provide you with the correct service tag. If you receive a call or pop-up, call Dell directly.

For Krebs’ full report see https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/


Malware Outbreak – Bad Rabbit

October 24, 2017 – A piece of malware called “Bad Rabbit” is reportedly making its rounds around Eastern Europe and Russia. However, the United States Computer Emergency Response Team (US-CERT) has reported they have “received multiple reports of Bad Rabbit ransomware infections in many countries around the world.”

The ransomware is being distributed via a pop-up in the user’s browser that says the installed version of Adobe Flash Player is out of date. Once the fake update is downloaded, it moves from computer to computer, encrypting files and stealing information held in memory.

This malware preys on a weakness in Windows operating systems using a method discovered and used by the National Security Agency. This weakness (a vulnerability) became public when the method was stolen and then leaked to the world as “EternalBlue”.

The vulnerability lies in a communication method used between Windows-based computers called Server Message Block version 1 (SMBv1). As this is the oldest version of the protocol still in use, a significant number of computers were easily attacked in April/May of 2017. This is evidenced by the WannaCry and Petya/NotPetya malware that took control of over 230,000 computers in 150 different countries. If it were not for an alert cyber security researcher who found a method of killing the malware, this number would have been much higher. Organizations that were affected include FedEx, the British hospital system, and French auto manufacturer Renault, to name a few.

A fix for the vulnerability was released by Microsoft in March. Computers that did not apply the fix were left vulnerable. As of this date, there are still vulnerable computers, because they have not received the fix.

What can you do? Ensure your computers are up to date on patches. This can be done by using Windows Update on your computers or by using a patch management system.
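The Emotet post above asks for a patch audit that verifies updates actually landed, and this post asks for the same assurance about the March fix for SMBv1. The script below serves both: it takes the hotfix listing from each host and checks it against a required-update baseline per operating system. It is an added example, not code from 360 Degree Cyber Security, LLC. The host names and listings are constructed; the KB numbers are an assumption taken from Microsoft's MS17-010 bulletin and must be confirmed against the bulletin for the Windows versions you actually run.

```python
"""Patch audit: check that every Windows host actually carries an update that
closes the SMBv1 flaw, instead of trusting that the automated push succeeded.

Added example, not code from 360 Degree Cyber Security, LLC. The host names and
hotfix listings are constructed. The KB numbers are an assumption taken from
Microsoft's MS17-010 bulletin (Windows 7 SP1 / Server 2008 R2 security-only and
monthly rollup; Windows 10 1607 cumulative update) and must be checked against
the bulletin for the versions you actually run.
"""
import re

# Any ONE update in a group satisfies that group. Later monthly rollups
# supersede the March 2017 packages, so they belong in the same group; an
# audit that looks only for the original KB reports false "missing" results.
REQUIREMENTS = {
    "Windows 7 SP1": [{"KB4012212", "KB4012215"}],
    "Windows 10 1607": [{"KB4013429"}],
}

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def installed_kbs(raw_listing):
    """Pull every KB identifier out of raw 'wmic qfe' or Get-HotFix output."""
    return set(KB_RE.findall(raw_listing))


def audit_host(os_name, raw_listing):
    """Return 'compliant', 'no-baseline', or 'missing: <group>;<group>'.

    'no-baseline' is deliberate: an OS with no requirement on file must not be
    reported as compliant by default."""
    groups = REQUIREMENTS.get(os_name)
    if groups is None:
        return "no-baseline"
    have = installed_kbs(raw_listing)
    missing = ["/".join(sorted(g)) for g in groups if not (g & have)]
    return "compliant" if not missing else "missing: " + ";".join(missing)


def audit_fleet(reports):
    """reports: iterable of (host, os_name, raw_listing). Returns {host: status}."""
    return {host: audit_host(os_name, raw) for host, os_name, raw in reports}


# Constructed listings in the style of 'wmic qfe list brief' output.
SAMPLE_REPORTS = [
    ("pc-finance-01", "Windows 7 SP1",
     "Description      HotFixID   InstalledOn\n"
     "Update           KB0001111  2/15/2017\n"
     "Security Update  KB4012212  3/16/2017\n"),
    ("pc-finance-02", "Windows 7 SP1",
     "Description      HotFixID   InstalledOn\n"
     "Update           KB0001111  2/15/2017\n"),
    ("cam-server-01", "Windows 10 1607",
     "Description      HotFixID   InstalledOn\n"
     "Update           KB4013429  3/20/2017\n"),
    ("kiosk-01", "Windows XP",
     "Description      HotFixID   InstalledOn\n"
     "Update           KB0002222  1/10/2014\n"),
]

if __name__ == "__main__":
    for host, status in audit_fleet(SAMPLE_REPORTS).items():
        print(f"{host}: {status}")
```

The two statuses other than `compliant` are the ones that need a person: `missing` is the case the post describes, where the push never landed on a box, and `no-baseline` flags systems (the constructed Windows XP kiosk here) that the patch process has no answer for at all, which is usually a bigger finding than a single missing KB.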

If there are any questions, please do not hesitate to reach out to me.

Be Proactive – Not Reactive

October 15, 2017 – Cybersecurity is not ONLY about responding to ransomware or a hacker, but about being prepared to prevent it from happening. When you are prepared to prevent an attacker from entering your computers or network, you make it difficult for them to be successful. For an attacker, that means they will have to spend more time trying to get what they want. If it is simply to hold your computer and information for ransom, then they will likely move on. If it is your information that they want, they will expend the extra time to get it. But who said you had to make it easy?

So, what can you do? Well, a lot. But don’t despair; it may not cost you a lot to implement. Let’s follow the National Institute of Standards and Technology (NIST) Cyber Security Framework. In the framework there are two areas that are easily addressed: Identify and Protect.

Identify

Asset Management – Get a list of EVERYTHING that processes information electronically. It could be a security camera connected to your network, your computers and servers, a printer, all your network devices, etc. Record what it is, what operating system it runs (Windows, Linux, macOS, etc.), and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). If it is a device like a printer or a security camera, record the brand and determine the firmware version.

Protect

Maintenance – Update your software and firmware when new versions are available, as they may address security flaws. For Windows and other applications, updates are provided monthly; for others, not so often. Check with the developer to see if they have an email list you can join to be notified when there are updates.
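The Identify and Protect steps above only pay off when the inventory is actually compared against what the vendors currently ship. The script below does that comparison for the software and firmware fields the Asset Management step asks you to record. It is an added example, not code from 360 Degree Cyber Security, LLC: the inventory records, vendor names and baseline versions are all constructed, and a real baseline is filled in from each vendor's release notes or update mailing list.

```python
"""Review an asset inventory against a baseline of current software and
firmware versions, so out-of-date components surface instead of hiding in a
spreadsheet.

Added example, not code from 360 Degree Cyber Security, LLC. The inventory,
vendor names and baseline versions are all constructed; a real baseline is
filled from each vendor's release notes or update mailing list.
"""
import re


def parse_version(text):
    """'2.10.0' -> (2, 10, 0). Comparing the numeric tuple is what makes
    2.10 newer than 2.9; as strings, '2.10' < '2.9' because '1' < '9'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_outdated(current, baseline):
    """True when 'current' is older than 'baseline'. Shorter tuples are padded
    with zeros so that '1.10' and '1.10.0' compare as equal."""
    a, b = parse_version(current), parse_version(baseline)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# Constructed inventory records from the Identify step. Devices record a
# vendor and firmware version; computers record their installed software.
INVENTORY = [
    {"asset": "front-desk-pc", "type": "workstation", "os": "Windows 10",
     "software": {"Adobe Reader": "2017.009.20044", "ExampleOffice": "16.0.4"}},
    {"asset": "lobby-camera", "type": "camera", "vendor": "ExampleCam", "firmware": "1.9.3"},
    {"asset": "hall-printer", "type": "printer", "vendor": "ExamplePrint", "firmware": "2.10"},
    {"asset": "rack-switch", "type": "switch", "vendor": "ExampleNet"},  # firmware never recorded
]

# Constructed baseline: newest version known to be available for each component.
BASELINE = {
    "Adobe Reader": "2017.012.20098",
    "ExampleOffice": "16.0.4",
    "ExampleCam firmware": "1.10.0",
    "ExamplePrint firmware": "2.10.0",
    "ExampleNet firmware": "3.0.1",
}


def review(inventory, baseline):
    """Return (asset, component, finding) for every component that is outdated,
    has no recorded version, or has no baseline to compare against."""
    findings = []
    for rec in inventory:
        components = dict(rec.get("software", {}))
        if rec["type"] != "workstation":                 # a device: its firmware is the component
            components[f'{rec["vendor"]} firmware'] = rec.get("firmware")
        for name, current in components.items():
            if not current:
                findings.append((rec["asset"], name, "version not recorded"))
            elif name not in baseline:
                findings.append((rec["asset"], name, "no baseline on file"))
            elif is_outdated(current, baseline[name]):
                findings.append((rec["asset"], name, f"outdated: {current} < {baseline[name]}"))
    return findings


if __name__ == "__main__":
    for asset, component, finding in review(INVENTORY, BASELINE):
        print(f"{asset:15} {component:22} {finding}")
```

Two of the findings are about the inventory itself rather than about patches: a device whose firmware was never written down, and a component with no baseline on file. Both are gaps in the Identify step, and surfacing them is the reason the review is worth running even before any vendor publishes an update.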

The longer a security flaw remains in your software or firmware, the easier you make it for an attacker to succeed in taking or ransoming your information. By doing these two things, you have done a lot to protect your information and taken a proactive stance in preventing an attack from succeeding.

If you need assistance, let us know.  We’ll be glad to help you become proactive!

Secure Delaware Workshop 2017

October 11, 2017 – This was our third time as a sponsor of the Secure Delaware Workshop, held at Dover Downs. The conference was very well attended; it appeared that there were more people this year than last.

There were quite a few students from Delaware Technical Community College (DTCC) and Delaware State University.  We really enjoyed talking with them and seeing the gleam in their eyes as they contemplate a cybersecurity career after finishing their classes.  We spoke to aspiring women and men hungry to learn more about the industry.

We also met with a number of small businesses and a few of the Delaware municipalities to discuss their concerns and the potential opportunity to address risks to their information and industrial controls.

To cap it off, Chris was a member of a panel that discussed malware with the CIO and CISO from the Commonwealth of Pennsylvania. The panel gave a comprehensive review of state, financial, and small business/municipality requirements and of actions that can be taken to prevent or remedy malware attacks. The panel was hosted by Greg Lane from the State of Delaware.

Here are some photos.

Delaware’s Updated Privacy Law

August 23, 2017 – BLUF: We highly recommend that you contact an information security professional regarding this legislation.  If not us, find someone who can help you determine if you are doing what needs to be done to stay within the guidelines of this legislation.

On August 17, 2017, Governor Carney signed legislation that improves cybersecurity protections for the citizens of Delaware and goes into effect in April. It improves on the original cybersecurity legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) provides additional protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notifications and free credit monitoring services for those whose Social Security information was potentially disclosed via the breach.

The updated legislation now includes a definition that is used to determine whether a breach of security has occurred. A breach has occurred when “a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.” Reporting of a breach is left to the holder of the data, who must have the integrity to come forward and announce that they have had a breach. The key word in the legislation is determination: it has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days from the date of determination to make notifications (as long as doing so does not compromise a police investigation).

The legislation also introduces encryption to the lexicon. It states that encryption is required but does not provide a minimum level of encryption. The only statement is that the data must be “rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security.” This is a problem: depending on the source the organization consults, it could end up with an encryption standard that is reversible. Some developers roll their own crypto algorithms, which are later found to contain faults.

The legislation states that organizations must protect personal information by encryption. Personal information is defined as a Delaware resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to that individual:

  • Social Security Number
  • Driver’s license, state, or federal identification card
  • Account number, credit card number or debit card number in combination with any security code, access code or password that would permit access to a resident’s financial account
  • Passport number ***added***
  • Username or email address in combination with a password or security question and answer that would permit access to an online account ***added***
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid (DNA) profile. ***added***
  • Health insurance policy number, subscriber information number, or any other unique identifier used by a health insurer to identify the person. ***added***
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes. ***added***
  • An individual taxpayer identification ***added***

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
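Deciding which records fall under this definition is the first job after a breach is determined, because it sets the scope of the notifications and credit monitoring. The script below turns the definition as summarized above into a rule table: a name plus at least one listed element, with the two compound elements (account number plus a code, online account plus a credential) and the public-records exclusion handled explicitly. It is an added example, not code from 360 Degree Cyber Security, LLC, and it models the post's summary rather than the statute text; the field names and the sample records are constructed.

```python
"""Decide whether a record is 'personal information' under the definition the
post summarizes (name plus at least one listed data element, with the
public-records exclusion), so the records in scope for breach notification
can be counted.

Added example, not code from 360 Degree Cyber Security, LLC, and a model of
the post's summary rather than of the statute text. The field names and the
sample records are constructed.
"""

# Each rule: (label, tuple of field sets). A rule fires when at least one
# field from EVERY set is present, so the compound elements need both parts.
ELEMENT_RULES = [
    ("social security number", ({"ssn"},)),
    ("government identification", ({"drivers_license", "state_id", "federal_id"},)),
    ("financial account with credential",
     ({"account_number", "credit_card", "debit_card"},
      {"security_code", "access_code", "password"})),
    ("passport number", ({"passport"},)),
    ("online account credential",
     ({"username", "email"}, {"password", "security_qa"})),
    ("medical information", ({"medical_history", "treatment", "diagnosis", "dna_profile"},)),
    ("health insurance identifier", ({"insurance_policy", "subscriber_id", "insurer_id"},)),
    ("biometric data", ({"biometric"},)),
    ("taxpayer identification", ({"taxpayer_id"},)),
]


def _present(record):
    """Field names that carry a non-empty value."""
    return {k for k, v in record.items() if v}


def has_name(record):
    """First name or first initial together with a last name."""
    present = _present(record)
    return "last_name" in present and bool(present & {"first_name", "first_initial"})


def triggering_elements(record):
    """Labels of every data-element rule the record satisfies."""
    present = _present(record)
    return [label for label, sets in ELEMENT_RULES if all(s & present for s in sets)]


def classify(record):
    """Return (is_personal_information, reasons)."""
    if record.get("publicly_available"):          # lawfully public records are excluded
        return False, ["publicly available information"]
    if not has_name(record):
        return False, ["no name"]
    elements = triggering_elements(record)
    return bool(elements), elements


# Constructed sample records; the values are placeholders, not real data.
SAMPLES = [
    {"first_initial": "J", "last_name": "Doe", "ssn": "000-00-0000"},
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "0000000000000000"},       # number alone
    {"first_name": "Jane", "last_name": "Doe", "credit_card": "0000000000000000", "security_code": "000"},
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com"},             # no password
    {"first_name": "Jane", "last_name": "Doe", "email": "jane@example.com", "password": "placeholder"},
    {"ssn": "000-00-0000"},                                                                # no name
    {"first_name": "Jane", "last_name": "Doe", "drivers_license": "X", "publicly_available": True},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(classify(rec))
```

The two negative cases worth noticing are a card number with no security code and an email address with no password: under the definition as stated, neither is personal information on its own, which is exactly the kind of distinction a breach-scope count gets wrong when it simply looks for "any card number".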


Large-scale phishing campaign targeting users’ Google accounts

May 3, 2017 – There is a large-scale phishing attack going on right now attempting to steal users’ Google credentials. Users should be wary of any email stating that someone has sent them a Google document. The email will be similar to the one shown below.

The emails appear to be coming from an email address with a long string of the same letter prior to the domain. The campaign is spreading rapidly across the Internet and has hit several areas. It is not limited to any one industry.
Any questions, feel free to reach out to us.
info@360cybersec.com
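The two indicators the post gives, a "someone sent you a document" lure and a sender address whose local part is a long run of one repeated letter, can be screened for in a mail filter or a mailbox rule. The script below is an added example, not code from 360 Degree Cyber Security, LLC. The sample headers are constructed, and the run-length threshold is a choice made here, not a figure from the post.

```python
"""Screen inbound mail for the two signs of the campaign described above: a
'someone sent you a Google document' lure and a sender whose local part is a
long run of one repeated letter.

Added example, not code from 360 Degree Cyber Security, LLC. The sample
headers are constructed; the run-length threshold is a choice, not a figure
from the post.
"""
import re
from email.utils import parseaddr

# Eight or more copies of the same character in a row. Legitimate local parts
# almost never look like this, which keeps the false-positive rate low.
REPEATED_RUN = re.compile(r"(.)\1{7,}")
SHARE_LURE = re.compile(
    r"\b(has (shared|sent you) a (google )?doc(ument)?|invited you to edit)\b", re.IGNORECASE)


def sender_local_part(from_header):
    """'Name <user@host>' -> 'user'. Empty string when the header has no address."""
    _, addr = parseaddr(from_header)
    local, sep, _ = addr.rpartition("@")
    return local if sep else ""


def indicators(from_header, subject):
    """Return the list of indicators found; empty means nothing suspicious."""
    found = []
    match = REPEATED_RUN.search(sender_local_part(from_header))
    if match:
        found.append(f"sender local part repeats '{match.group(1)}' {len(match.group(0))} times")
    if SHARE_LURE.search(subject or ""):
        found.append("document-share lure in subject")
    return found


def verdict(from_header, subject):
    """'block' when both indicators are present, 'review' for one, 'pass' for none.
    A share notice alone is only 'review' because real document shares exist."""
    count = len(indicators(from_header, subject))
    return {0: "pass", 1: "review"}.get(count, "block")


# Constructed sample messages.
SAMPLES = [
    ("Jane Doe <jane.doe@example.com>", "Lunch on Friday?"),
    ("Jane Doe <jane.doe@example.com>", "Jane Doe has shared a document with you"),
    ("Jane Doe <hhhhhhhhhhhhhhhhhhhh@example.com>", "Jane Doe has shared a document with you"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(verdict(sender, subject), indicators(sender, subject))
```

The sender check is deliberately narrow: it matches the pattern the post describes and nothing else, so it adds little noise, but it also means a campaign that changes its sender format will only be caught by the lure check and the users' own wariness.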

360 Degree Cyber Security, LLC certified by the State of Delaware as Service Disabled Veteran Owned Business Enterprise

PRESS RELEASE

by Chris Wolski, CEO 360 Degree Cyber Security, LLC

On March 24, 2017, the State of Delaware Office of Supplier Diversity certified 360 Degree Cyber Security, LLC as a Service Disabled Veteran Owned Business Enterprise. This helps increase our visibility among State agencies and other prospective clients and enhances our competitive advantage. We are looking forward to growing by providing top-notch cyber security and information security to state agencies and to those organizations that use the state’s registry of SDVOBEs to find businesses.

info@360cybersec.com
360 Degree Cyber Security, LLC
302-659-7020
Toll Free: 1-866-659-7020