Very interesting research paper with a scary title “Solar Superstorms: Planning for an Internet Apocalypse“. It is about a Black Swan event which has actually already happened in 1859, a major solar Corona Mass Ejection (CME) which has some chance to happen in the next future. Without entering in any detail (the research paper is quite readable) the main point is that if a CME of 1859’s magnitude would hit earth today, the consequences would be catastrophic. Apart from the impacts on the electric grid, and in particular to the long distance power distribution (but power operator should be aware of this threat), the research paper points out that there would be severe damages to satellites, in particular low-orbit ones, with possible total failure of satellite communication including GPS, television broadcasting and data (internet) transmission. But equivalently at risk are long distance communication cables, more noticeable submarine optical fibre cables. Actually, optical fibres per se would not be affected, but optical repeaters along the fibres at distances of 50 – 150 km at the bottom of the oceans would burn out and stop almost all communication between continents.
I remember years ago discussing a similar scenario with some physicist friends and wondering if it could have been a threat or not. It seems that it can be, but is the cost of mitigating this threat worth it? Should we act today?
Artificial Intelligence (AI), in all its different fields from Machine Learning to Generative Adversarial Networks, has been subject to a study (here the link to the paper), or probably better an evaluation, by a group of Subject Matter Experts (SMEs) to identify the most risky scenarios in which attackers could use it, abuse it or defeat it. The scenarios include cases in which AI is used for security purposes and an attacker is able to defeat it, or AI is used for other purposes and an attacker is able to abuse it to commit a crime, or an attacker uses AI to build a tool to commit a crime.
Overall the SMEs have identified 20 high level scenarios and ranked them by multiple criteria including the harm / profit of the crime, and how difficult it could be to stop or defeat this type of crime.
It is very interesting to see which are the six scenarios considered having highest risk:
- Audio/video impersonation
- Driverless vehicles as weapons
- Tailored phishing
- Disrupting AI-controlled systems
- Large-scale blackmail
- AI-authored fake news.
More details can be found in the above mentioned paper.
Comparing current reported cyber/IT security threats, attacks and incidents to what happened a few years ago, it seems to me that something has surely changed (I must warn that these conclusions are not based on statistics but on reading everyday bulletins and news).
On one side, security surely has improved: vulnerabilities are reported and fixed, patches are applied (at least more often), security policies, standards and practices are making a difference. Still managing password and properly configuring systems and services exposed on Internet remain very difficult tasks too often performed without the required depth.
But security has improved, which also means that attackers have been moving to easier and more lucrative approaches which have to do mostly with the “human interface”. In other words: fraud.
The first example is ransomware, that is the attacker is able to access the victim system, copy vast amount of data, then encrypt it or remove it and finally ask a ransom not only to return the data but also to avoid making it public on Internet. Since everybody is getting better in making backups, here the important point is the “making it public on Internet” so that the ransom is asked more to prevent sensitive data to be published than to restore the systems.
The second example is Targeted Phishing attacks, Business Email Compromise and similar scams in which the attacker impersonate a well known or important person by writing emails, letters, making phone calls etc. to convince typically a clerk but in some cases also a manager, to send a large amount of money to the wrong bank account.
Neither of these two types of attacks is new, but now they are filling the news daily. Even if cyber/IT security can still improve tremendously, there have been and there are notable security improvements which makes it that attacks are aimed more often to the weakest link: the human user.
Not a feat for everybody, but hacking satellites either connecting directly to them or by intrusion on the ground computers that manage them, could have dire consequences: from shutting them down, to burning them in space, spiralling them to ground or turning them into ballistic weapons.
Even if news have not been really confirmed and details are sketchy, it seems that some incidents already happened, starting from 1998, see the ROSAT satellite history, and more recent events as described here, here, here and here for a recent review.
Independently from the confirmation of the incidents, controlling by remote satellites, in particular small ones built also with off-the-shelves / commodity components, coupled with the difficulty (if not impossibility) of applying security patches, can make their “Cybersecurity” risks quite relevant, and effective counter-measures quite difficult. On the other side, due to the costs of building and sending a satellite in space, it is likely that these “Cybersecurity” risks are considered and effectively managed in the planning and developing phases of a satellite life-cycle, or at least so we hope.
From the APWG press release: “The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history” (here is the full report).
This is hardly surprising, but it quantifies with numbers the latest news about online frauds, like the “CEO Fraud”, the “Business Email Compromise” (eg. see this FBI announcement) etc.
It just became public that a custom built Linux kernel for embedded devices has been shipped and installed in production with a root debug backdoor open to anyone, see here for the announcement and for example here for some more details.
Besides the gravity of this particular incident and the difficulty of remediating it (I expect that many devices shipped with this kernel will never be updated) a couple of considerations come to my mind:
- first of all the need for IT Security Awareness and Education starting from everybody working in IT : anybody can make a mistake or even a blunder, but there should be safety nets proportional to the risks and IT professional should always be aware of the “security” consequences of what they do;
- the process of “bringing into production” IT products (aka Change Management) should be improved: as of today most of the time the really important test of an IT product is the final User Acceptance Test, which means that it is only important that the features requested by the final users work as expected. But this is not enough, and it is not like this in many other industries, think for example of televisions, refrigerators, cars etc. they all need to pass safety tests and be labelled accordingly otherwise they cannot be sold on the market. Why is it not like this also for IT products? As of today it is difficult to think of security standards, tests and labels common to all IT products, but it should be possible to agree on and adopt some common IT security baseline.
Monitoring outgoing traffic to detect intrusions in IT systems is not a new concept but often it does not seem to be enough appreciated, understood and implemented.
IT security defences cannot guarantee us against every possibile attack, so we must be prepared to the event of an intrusion and to manage the associated incident.
The first step in incident management is to detect an intrusion. Traditional tools like Anti-Virus, Intrusion Detection/Prevention Systems (IDS/IPS) etc. do their job but they can be bypassed. But intrusions can also be detected by monitoring the outgoing traffic.
In my recent personal experience, some intrusions have been detected and stopped because the outgoing traffic was monitored and blocked. Since the deployed malware was not able to call back home, it did not do anything and there was no damage; and since the outgoing traffic was monitored, the intrusion was immediately detected.
But monitoring the outgoing traffic to detect intrusions is becoming more and more difficult. For example attackers are adopting more often stealth techniques like using fake DNS queries. An interesting example has been recently described by FireEye in “MULTIGRAIN – POINT OF SALE ATTACKERS MAKE AN UNHEALTHY ADDITION TO THE PANTRY” . In this case, malware is exfiltrating data by making DNS calls to domains with names like log.<encoded data to exfiltrate>.evildomain.com . Obviously the DNS query fails, but in the logs of the receiving DNS server it is written the name of the requested domain, that is the data that the malware is exfiltrating.
As attackers are getting more creative to hide the back communication between malware and their Command & Control services, IT Security will need to devise more proactive approaches to monitoring and blocking outgoing traffic.
The National Telecommunications and Information Administration (NTIA) of the US Department of Commerce’s Internet Policy Task Force, has announced a Request for Comment on the key issues regarding the deployment of Internet of Things.
This is one of the first steps towards creating some policies and / or regulations on IoT devices, and can be a very good occasion for stating clearly some security baselines.
Organizing my ideas, I came up with this IT Security Cheat Sheet, nothing really important should be missing, but in case drop me a line:
Know your IT assets, often attackers know them better than you do
Implement a strong IAM security programme, people are the first weak point
Establish an IT security baseline and apply it to all your IT assets, no matter what or who
Evaluate IT security risks from a business perspective and implement IT security measures to manage them; do not trust any IT system by default
Detect, manage and solve IT security incidents, they happen even if you do not detect them
Learn from the security incidents and feed the knowledge into the previous steps
Review and re-implement all steps at least yearly (Governance).
The article ‘“Internet of Things” security is hilariously broken and getting worse’ of ARS Technica shows how, using Shodan , one can find pictures from millions of open Webcams on internet.
The issue is not new but the scale of the problem is threatening. As the article nicely points out:
- people do not care about the security or privacy features of the devices they buy
- the important points are cost and easiness to manage (which means it is better if there are no password to access it)
- only to throw away the device the day they find themselves on Shodan or in a picture on a newspaper and say “never again”.
But who is going to do something about it? Who should defend the privacy of people and the security of Internet? Should the IoT market be regulated or self-regulated or something in between?