Danielle Pucciarella-Galkova

Emerging Ransomware Protections

When it comes to protecting information and preventing ransomware attacks, common-sense behavior such as frequent (and offline) backups, avoiding questionable attachments and macro execution, and prompt patching goes a long way. There are, however, some other ways to further limit the financial loss, or at least the frustration, associated with ransomware.

For some background, ransomware is exactly what it sounds like: malware that holds your computer’s data for ransom. With a bit of social engineering, an attacker tricks an unsuspecting individual or organization into running code that encrypts entire drives, then demands payment for the decryption key. And even if those affected do pay, there is never a guarantee that their data will be fully restored.

Ransomware variants such as Locky and CryptoLocker typically arrive as malicious email attachments. Others, such as Dogspectus, quietly install themselves onto devices through no fault of the user, via malicious advertisements (malvertising). Regardless of the delivery method, once a device is infected, local files are encrypted and a notification tells the user that a decryption key will be provided upon payment.
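The mass encryption just described has a recognizable footprint: many files in a short time turn into near-random bytes and pick up a new extension. The script below, an added example that is not part of the original post or of any vendor product, shows one lightweight check a practitioner can run as a canary: it measures Shannon entropy of file contents and looks for known ransom suffixes. The victim directory, the "encryption" (random bytes), the entropy threshold, and the suffix list (apart from .locky, which Locky used) are all constructed assumptions for the demo.

```python
"""Added example (not part of the original post): flag ransomware-style
mass encryption by checking a directory for files whose contents have
become high-entropy or whose names carry a ransom extension.

Everything here is constructed for the demo: the directory is a temp dir,
the "encryption" is random bytes, and the suffix list is illustrative
(.locky is Locky's; the others are placeholders chosen for the example)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# .locky is real; the rest are assumed placeholders for this example
RANSOM_SUFFIXES = {".locky", ".encrypted", ".crypt"}
ENTROPY_THRESHOLD = 7.0   # bits/byte; text and most documents sit well below this
ALERT_FRACTION = 0.5      # alert once half the files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path) -> bool:
    """Suspicious if the file carries a ransom suffix or its bytes are near-random."""
    if path.suffix.lower() in RANSOM_SUFFIXES:
        return True
    with path.open("rb") as f:
        head = f.read(65536)       # the first 64 KiB is enough for the entropy check
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(directory: Path) -> dict:
    """Return file counts and whether the directory crosses the alert threshold."""
    files = [p for p in directory.iterdir() if p.is_file()]
    suspicious = [p.name for p in files if looks_encrypted(p)]
    total = len(files)
    fraction = len(suspicious) / total if total else 0.0
    return {
        "total": total,
        "suspicious": sorted(suspicious),
        "alert": total > 0 and fraction >= ALERT_FRACTION,
    }


def demo() -> tuple:
    """Build a constructed victim directory, scan it clean, then 'encrypt' it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for i in range(6):
            (d / f"report{i}.txt").write_text("Quarterly figures, nothing to see here.\n" * 200)
        before = scan(d)
        # Simulate the ransomware: overwrite with random bytes and rename with .locky
        for p in list(d.iterdir()):
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_suffix(".locky"))
        after = scan(d)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

In practice this check would run on a schedule against a few decoy directories that real users never touch, so that any change at all is a signal; the entropy test is what catches families that do not rename files.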

As threats like ransomware evolve, the landscape is becoming more predictable, with attacks shifting from an “if” to a “when”. And while cyber liability insurance is nothing new, many coverage providers have yet to fully address the elephant in the room: ransomware has become an undeniable threat, with damages estimated to exceed $1 billion in 2016 alone.

Ransomware insurance itself is still somewhat niche and is often offered at a cost that can outweigh its value. It is also sometimes offered only as third-party coverage, leaving loopholes that can in the end leave policyholders unprotected.

And while organizations may benefit from ransomware insurance, protecting yourself on an individual level matters just as much. For some additional support, companies like Kaspersky and Symantec provide ransomware decryption tools free of cost. Not every variant’s encryption has been broken, but the makers of these tools are fighting back to save users a lot of headaches and money.

Hopefully the influx of ransomware attacks catches the attention of not only insurance providers sooner rather than later, but also more companies like Kaspersky and Symantec, in an effort to fight against this growing threat and protect individual users and organizations as a whole.

Learn More:
https://www.aig.com/business/insurance/cyber-insurance
https://noransom.kaspersky.com
https://www.irs.gov/pub/irs-pdf/p4557.pdf
https://support.symantec.com/en_US/article.HOWTO124710.html


APP-iNTEGRATED DDOS PROTECTION

Amazon recently took a notable step forward with the introduction of AWS Shield. Launched in December, AWS Shield Standard grants Distributed Denial of Service (DDoS) protection to all Amazon Web Services (AWS) customers at no extra cost. DDoS attacks are difficult to prevent because the attacker has no interest in infiltrating networks, stealing data, or even receiving a response; without cracking anything, they can still take down applications, servers, or entire systems simply by exhausting their capacity. To help stop DDoS attacks before they succeed, Amazon enabled Shield Standard automatically on AWS resources such as CloudFront, Route 53, and Elastic Load Balancing, with no extra effort on the part of its users.

Competing with companies such as Cloudflare, F5, and Verisign, AWS Shield claims to protect against over 96 percent of the most common DDoS attacks. These include reflection attacks, SYN and ACK floods, and UDP floods at the network and transport layers, as well as application layer attacks such as HTTP GET and POST floods, which Shield addresses together with AWS WAF rules.

AWS Shield Advanced, the paid tier, gives users more customization, letting them write their own rules for a more tailored defense. It also protects against larger and more complex attacks and comes with customizable rulesets, mitigation assistance, post-mortem analyses, reporting, protection at layers 3, 4, and 7, and the benefit of SLAs and 24x7 support. And because it integrates with the Amazon CloudFront Content Delivery Network (CDN), AWS Shield can protect origin servers hosted outside of AWS, as long as they sit behind CloudFront.
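The "write your own rules" part above mostly means rate-based rules: count requests per client in a sliding window and block whoever exceeds a budget. To make that concrete, here is an added example (not part of the original post and not AWS code) that implements the same logic over constructed access-log lines in Common Log Format. The IP addresses, timestamps, window length, and request limit are all assumptions chosen for the demo; the point is how an HTTP GET flood separates from normal browsing.

```python
"""Added example (not part of the original post or of AWS's code): the
logic behind a rate-based rule, replayed over constructed access-log
lines. The sliding window and threshold are assumptions for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse a Common Log Format line into (ip, timestamp, method, path), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path")


class RateLimiter:
    """Per-client sliding-window counter, the core of a WAF rate-based rule."""

    def __init__(self, limit: int, window: timedelta):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = set()

    def observe(self, ip: str, ts: datetime) -> bool:
        """Record one request; return True once the client is over the limit."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits that aged out of the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(ip)
            return True
        return False


def build_sample_log() -> list:
    """Constructed traffic: one normal client and one client flooding /login."""
    base = datetime(2017, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):        # ordinary browsing, one request every 30 seconds
        t = base + timedelta(seconds=30 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 1234')
    for i in range(300):      # HTTP GET flood: 300 requests in 30 seconds
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f'203.0.113.9 - - [{t.strftime(TS_FMT)}] "GET /login HTTP/1.1" 200 512')
    return lines


def detect_floods(lines, limit=100, window_seconds=60) -> set:
    """Replay log lines in time order; return the set of clients that tripped the rule."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[1])
    rl = RateLimiter(limit, timedelta(seconds=window_seconds))
    for ip, ts, _method, _path in events:
        rl.observe(ip, ts)
    return rl.blocked


if __name__ == "__main__":
    print("blocked:", detect_floods(build_sample_log()))
```

A real rule keys on more than the source IP (floods from many addresses need a per-path or per-header budget as well), but the window-and-threshold mechanism is the same.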

For decades, DDoS attacks have been one of the most challenging threats facing security professionals; and for a while, it seemed as if there was no solution in sight. However, with third-party services, and now with an entire hosting platform offering solutions, will we soon see the death of the DDoS attack?

Learn More:
https://aws.amazon.com/shield


WHAT IS SHODAN?

Shodan.io is a search engine dedicated to indexing internet-facing devices. Created by developer John Matherly in 2009, Shodan differs from Google in that it indexes service banners rather than web pages, letting users easily sort through and view exposed network devices and servers, IoT gear, live video feeds (CCTV, nanny cameras, etc.), and databases. It has sections devoted to vulnerable devices still using default credentials (think admin:admin), lists of exploits and the products affected by them, and filters for location, specific vulnerabilities, services, and device types. There is even a section dedicated to exposed ICS/SCADA systems.

With all of these publicly reachable devices, it's no wonder that the Mirai botnet (the one that took down DNS provider Dyn via an IoT-based DDoS in 2016) was so successful. With that in mind, it is interesting to consider the purpose or the benefits of a product such as Shodan. After all, there are countless sensationalist articles on how hackers are using it to watch you through your teddy bears, smart TVs, and toasters. So what’s its purpose?

Shodan’s primary user base consists of security researchers, and Shodan does exactly what it was developed to do: help researchers and defenders make the internet more secure. With capabilities such as these, it can of course also be used for malicious purposes. There is, however, one major change users can make to keep their own devices off the wrong lists:

CHANGE YOUR PASSWORDS.

It’s that easy. Remember the devices mentioned above with default credentials? They’re a huge problem and make up an unfortunate chunk of what Shodan returns. Anything connected to the internet should be protected with a strong, unique password rather than the default, and this especially includes corporate networks and anything affiliated with SCADA. A password change will not make a device disappear from Shodan, since its banner is still indexed, but it turns a one-click compromise into real work; putting the admin interface behind a firewall or VPN is what actually removes it from the index.
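The check worth automating here is the one an attacker would do first: try the factory defaults against your own admin interfaces. The following is an added example, not part of the original post or of Shodan, that audits an HTTP Basic login against a short list of default pairs. Because it has to run offline, the "device" is a constructed local web server that accepts admin:admin; point `audit_default_creds` at a real host and port instead to test your own gear. The credential list is a small illustrative subset.

```python
"""Added example (not part of the original post): audit a device's web
admin interface for default HTTP Basic credentials, the weakness that
makes so many Shodan hits trivially exploitable. The target is a
constructed local server that mimics a router admin page protected by
admin:admin; the credential list is a small illustrative subset."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Illustrative defaults; real device lists are far longer
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")]


class FakeRouterAdmin(BaseHTTPRequestHandler):
    """Stand-in for a device admin page that still has its factory login."""
    expected = base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth == f"Basic {self.expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<title>Router Admin</title>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_device() -> tuple:
    """Serve the fake admin page on an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeRouterAdmin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def try_login(host: str, port: int, user: str, pw: str, path: str = "/") -> bool:
    """One HTTP Basic attempt; True if the service accepts the pair."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    conn = http.client.HTTPConnection(host, port, timeout=3)
    try:
        conn.request("GET", path, headers={"Authorization": f"Basic {token}"})
        return conn.getresponse().status == 200
    finally:
        conn.close()


def audit_default_creds(host: str, port: int):
    """Return the first default pair the device accepts, or None if it rejects them all."""
    for user, pw in DEFAULT_CREDS:
        if try_login(host, port, user, pw):
            return user, pw
    return None


if __name__ == "__main__":
    server, p = start_fake_device()
    try:
        print("default credentials accepted:", audit_default_creds("127.0.0.1", p))
    finally:
        server.shutdown()
```

Only run this against systems you own or are authorized to test; a few failed logins against someone else's router is still an attack.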

Thankfully some device makers are beginning to force users to set their own passwords during setup, avoiding the default password conundrum. Now if only home router vendors and SCADA system admins did the same. So gather your tinfoil hats and pitchforks: the internet is most definitely watching and listening, but if you’re vigilant, you can avoid ending up on Shodan’s search engine of shame.

Learn More:
https://www.shodan.io
https://www.webopedia.com/TERM/S/SCADA.html
https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks


WPS is Still Problematic

About a decade ago a small button marked “WPS” started to appear on home routers. You may have also seen it on personal mifi devices. The feature is known as Wi-Fi Protected Setup (WPS), and it lets users skip entering the network’s passphrase and instead join a wireless network with either an eight-digit PIN or the simple press of the button.

WPS is often enabled out of the box, with settings modifiable from the device’s admin panel. On a home network, once a device is connected its credentials are typically stored and never need to be entered again. So is this process really such an inconvenience that we need to shorten it even further? Have we reached the level of first world problems where typing ~20 characters one time is just too much to ask? Apparently so.

The WPS PIN option is vulnerable to brute-force attacks by anyone in radio range. Surprise! An eight-digit PIN is easier to crack than a passphrase. And despite CERT publishing this in 2011 (VU#723755), not much has changed since then: WPS still ships enabled on newly developed routers and mifis, so this is still a very real threat.

While it could take a brute-force program many lifetimes to crack a passphrase such as “DanieLLe00%is$$AwesoMe087!!”, the same program needs just a few hours for a WPS PIN. In addition, many routers and mifis do not lock out clients after too many failed PIN attempts.

Another reason the WPS PIN is so easy to crack is that it isn’t really eight independent digits. The PIN is verified in two halves: the access point tells the client (and therefore a brute-force program such as Reaver) whether the first four digits are correct before the second half is ever checked, so a wrong first half never needs its second half tried. The eighth digit is also a checksum of the other seven, leaving only three free digits in the second half. That reduces the search to at most 10,000 attempts for the first half plus 1,000 for the second, around 11,000 in total, instead of the 100,000,000 an eight-digit secret ought to require.
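The arithmetic above is easy to confirm by simulation. The code below is an added example, not part of the original post and not Reaver's code: a stand-in registrar answers each half of the PIN separately, the way the real M4/M6 exchange does, and a Reaver-style attacker recovers the halves one at a time while the registrar counts how many checks it had to answer. The checksum routine is the one defined by the WPS specification (weights 3,1,3,1,3,1,3 over the first seven digits); the registrar class and the random PIN are constructed for the demo.

```python
"""Added example (not part of the original post or of Reaver): why a WPS
PIN falls so fast. The registrar simulates an access point that validates
the two halves independently; the last digit is the WPS checksum. Counting
checks shows the ~11,000 ceiling instead of the 10^8 an eight-digit secret
ought to give."""
import random


def wps_checksum(first7: int) -> int:
    """Checksum digit defined by the WPS spec over the first seven digits."""
    acc = 0
    digits = [int(c) for c in f"{first7:07d}"]
    for i, d in enumerate(digits):          # weights 3,1,3,1,3,1,3 from the left
        acc += 3 * d if i % 2 == 0 else d
    return (10 - acc % 10) % 10


def make_pin(first7: int) -> str:
    """Full eight-digit PIN for a given seven-digit prefix."""
    return f"{first7:07d}{wps_checksum(first7)}"


class WpsRegistrar:
    """Stand-in for the AP: the first half is accepted or rejected at M4/M5,
    the second half at M6, and each check is visible to the client."""

    def __init__(self, pin: str):
        self.first, self.second = pin[:4], pin[4:]
        self.attempts = 0

    def check_first_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self.first

    def check_second_half(self, guess: str) -> bool:
        self.attempts += 1
        return guess == self.second


def crack(reg: WpsRegistrar) -> str:
    """Reaver-style attack: recover each half on its own, using the split
    verification and the checksum's constraint on the last digit."""
    first = next(f"{i:04d}" for i in range(10_000) if reg.check_first_half(f"{i:04d}"))
    for j in range(1000):                     # only three free digits remain
        prefix7 = int(first + f"{j:03d}")
        second = f"{j:03d}{wps_checksum(prefix7)}"
        if reg.check_second_half(second):
            return first + second
    raise RuntimeError("no PIN found")


def demo(seed: int = 7) -> dict:
    """Pick a random valid PIN, crack it, and report checks vs the naive worst case."""
    rng = random.Random(seed)
    pin = make_pin(rng.randrange(10_000_000))
    reg = WpsRegistrar(pin)
    found = crack(reg)
    return {"pin": pin, "found": found, "attempts": reg.attempts,
            "naive_worst_case": 10 ** 8, "split_worst_case": 10_000 + 1_000}


if __name__ == "__main__":
    print(demo())
```

The well-known test PIN 12345670 comes out of `make_pin(1234567)`, which is a quick sanity check that the checksum is right. Against real hardware each check costs a full handshake round trip, which is why the attack takes hours rather than seconds.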

One program that is particularly effective at this is Reaver. It can be configured in less than five minutes, and it doesn’t take a security professional to master it. Once a wireless network is chosen, Reaver goes to work, and within a few hours the PIN is cracked. It’s that simple.

The easiest way for users to protect themselves against a WPS attack is to disable WPS completely, and then confirm it is actually off, since some firmware has been known to keep the PIN method active despite the setting. While balancing security and convenience can sometimes be a challenge, when it comes to the lax security associated with WPS, the cost of this convenience is clear.

Learn More:
https://www.kb.cert.org/vuls/id/723755
https://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver


Dridex Evolves and Incorporates Atombombing

In 2014, the Dridex Trojan appeared on the scene when an onslaught of spam emails carrying malicious macro-enabled attachments was sent to unsuspecting users throughout the UK. A descendant of the ZeuS banking malware lineage, Dridex’s primary focus at the time was stealing banking credentials. If the attachment was opened and its macro allowed to run, Dridex would monitor users accessing banking sites through keylogging, web injects, and even screenshots, with stolen data often sold on dark web marketplaces.

By 2015, Dridex had gone international and was also targeting credentials for corporate networks in order to gain access to internal systems and steal confidential information. Last year, Dridex began targeting Bitcoin wallets and was also linked to Cerber ransomware attacks.

This year it has evolved even further, with a new code-injection capability that abuses Windows atom tables. Atom tables are a legitimate Windows feature that stores strings and hands back a small integer identifier (an atom) for each, so that applications can share strings. The new technique, known as AtomBombing, writes malicious code into the global atom table and then tricks a healthy process into retrieving that data into its own memory and executing it.

And here’s the clincher: researchers currently see no fix in sight, because AtomBombing does not exploit a bug. It relies entirely on documented Windows functionality, so there is no defective code to patch without breaking the feature itself, which makes it difficult, if not impossible, to fix at the operating system level.

Dridex borrows parts of AtomBombing to go undetected more easily, sidestep antivirus and malware prevention software, and execute its payload. By avoiding the process-injection API calls that security products commonly hook, this version of Dridex draws less attention to itself and works more effectively.

Antivirus companies are currently working on detection for the newest version of Dridex. As always, users should practice good security hygiene: verify the source of an email, avoid clicking links or opening attachments from unknown senders, leave macros disabled by default, and keep systems and software patched.
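Since the delivery vehicle is still a macro-enabled attachment, the cheapest control sits at the mail gateway. Office Open XML documents are ZIP containers, and a VBA project is stored as a part named vbaProject.bin, so its presence (or a macro-enabled extension such as .docm) is enough to quarantine before anyone is asked to "enable content". The script below is an added example, not part of the original post or of any mail product; the sample documents are constructed in memory with a placeholder blob where the VBA project would be, so no real malware is involved.

```python
"""Added example (not part of the original post): a mail-gateway style
check for macro-enabled Office attachments. OOXML files are ZIP
containers; an embedded VBA project lives in a part named vbaProject.bin,
so its presence (or a macro-enabled extension) is enough to quarantine.
The sample documents are constructed in memory; the VBA part is a
placeholder blob, not real macro code."""
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
VBA_PART = "vbaproject.bin"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped ZIP; the VBA part is a placeholder blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if any ZIP member is a vbaProject.bin, whatever folder or case it uses."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.rsplit("/", 1)[-1].lower() == VBA_PART for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """'quarantine' for macro-bearing documents, 'allow' otherwise.
    Check the container, not just the name: a vbaProject.bin inside a file
    called .docx is still a VBA project, and a .docm deserves a look even
    if the scanner finds no project inside."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if has_vba_project(data) or ext in MACRO_EXTENSIONS:
        return "quarantine"
    return "allow"


def demo() -> dict:
    """Classify a few constructed attachments."""
    samples = {
        "invoice.docx": build_docx(with_macro=False),
        "invoice.docm": build_docx(with_macro=True),
        "renamed.docx": build_docx(with_macro=True),   # macro hidden behind a benign extension
        "notes.txt": b"plain text, not a zip",
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Legacy binary formats (.doc, .xls) store macros in OLE streams rather than a ZIP part and need a separate parser; this check covers only the OOXML case.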

Learn More:
https://www.webopedia.com/TERM/D/dridex-malware.html
https://www.securityweek.com/atombombing-windows-vulnerability-cannot-be-patched
https://securityintelligence.com/dridexs-cold-war-enter-atombombing


BLUEJACKING

You may have seen the episode from the first season of Mr. Robot where Elliot gains remote access to a wireless keyboard inside a police car in an effort to infiltrate a nearby prison network. While the scene moves quickly and glosses over a lot of specifics, it makes a valid point: wireless devices connected via Bluetooth come with a certain level of risk.

Bluetooth forms a short-range peer-to-peer connection between devices. Over it, a phone can be linked to a car’s speaker system, a laptop tethered to a cellular data connection, and keyboards, mice, headphones, and much more connected. With open source tools, however, anyone remotely tech savvy can start probing Bluetooth devices. btscanner enumerates nearby devices and the services they expose, and Car Whisperer connects to hands-free kits that still use a default PIN in order to inject or record audio; depending on the device, attacks in this family have been used to eavesdrop on calls, read and send SMS, drive keyboard and mouse input, and even open a smart lock, all from up to roughly 300 feet with Class 1 radios and a good antenna. (Strictly speaking, “bluejacking” is sending unsolicited messages to nearby devices; pulling data or taking control is usually called bluesnarfing or bluebugging.)

Legacy Bluetooth pairing is secured with a PIN, which manufacturers often standardize. Newer devices use Secure Simple Pairing, but many headsets, hands-free kits, and other accessories without a keypad still rely on a fixed PIN, which can be changed on some but not all devices. Tools used to spy on Bluetooth communication can often identify the manufacturer from the first three bytes of a device’s address (the OUI). From there, the default PIN, which is often 0000, 1111, or 1234, is easily deduced.

Bluetooth users do have a few ways to defend themselves. First, if your device allows it, change the default PIN to something harder to guess. Manufacturers are also encouraged to ship devices with PINs that are unique per unit rather than those listed above; many devices found in motor vehicles already do this. Switch Bluetooth off when it’s not in use, and keep it non-discoverable when it is on. Some devices also have an option to go to sleep after a period without an approved connection; enable it if it’s available.

Unlike some other wireless threats, basic prevention of Bluetooth attacks can be uncomplicated. Researching which devices are more at risk and regularly monitoring wireless bills and data usage are also reasonable methods of prevention and detection.

Learn More:
https://packages.debian.org/sid/net/btscanner
https://trifinite.org/trifinite_stuff_carwhisperer.html


browser password storage security

Most modern browsers offer users the option to store passwords for convenience. However, like with many other aspects of technology, users are faced with a decision between security and ease of use. “Do you want Chrome/Firefox/Safari/Opera to save your password?” Before agreeing, there are a few things you might want to consider:

Opera – In 2016, attackers breached Opera’s sync service, potentially exposing the stored passwords and other sync data of roughly 1.7M active users; Opera reset all sync passwords as a precaution.

Features – It’s important to recognize that password management is a component or a feature—not necessarily the focus—of most browsers.

Security – The mechanisms protecting stored passwords differ from browser to browser. Firefox offers an optional master password that encrypts its saved logins, while Chrome relies on the operating system’s credential store (for example DPAPI on Windows or the Keychain on macOS), which means any program running under your account can read them.

External apps – Dedicated password management applications, such as 1Password, LastPass, or Bitwarden, offer an extra layer of protection.

Malware – Browser password storage may be more susceptible to malware built to act as the user, browser hooks, keyloggers, and so on. LastPass offers a virtual keyboard for master password entry to help avoid keyloggers.

Updates – Check your settings to ensure your browsers are configured to automatically update. Most do this by default.

Authentication – Always use two-factor or multi-factor authentication (2FA/MFA) when available.

It is also important to consider which type of data you are trying to protect. If you can do it, the safest place to store a password is in your brain. It could be beneficial to remember unique passwords for important things—such as your email and bank account—and auto-generate and store passwords for everything else with a password manager protected by a very strong master password and 2FA/MFA. Auto-logout can also be configured for external password managers. Avoid using the same password in more than one location.

At present, there are no perfect password management solutions and using any type of password management service is still a risk. However, the added layer of protection from both a dedicated service and 2FA/MFA offer users an option which many security professionals consider to be an accepted risk.



Amazon Go - Can Others Keep Up?

Amazon Go, a physical grocery store owned by Amazon, recently opened in Seattle for beta testing. Currently available only to Amazon employees, the store’s underlying technology has been kept somewhat quiet, with some information available in Amazon’s patents and FAQ.

In order to ensure accuracy, Amazon Go is rumored to take advantage of several technologies: weight sensors, RFID, cameras, microphones and other recording hardware, facial recognition, skin tone analysis, purchase history, computer vision, sensor fusion, and AI and machine learning. Using the collected data, purchases are synced to the correct account and users are billed for the items they take.

Some are already showing apprehension about being tracked this way in a store; however, much of this is already in place on Amazon.com and at other online retail giants, and the physical tracking just takes it one step further. Users are already tracked and targeted with products based on their search and purchase histories within online stores and across the internet via ad networks.

Another thought to consider is that in executing such a seamless and futuristic shopping experience, Amazon is indirectly pressuring other retail and grocery giants to follow suit or get left in the dust. This raises the question: can other grocery stores handle this magnitude of data protection and security? The simple answer is: not alone. Maybe for this reason, partnerships similar to what we’re seeing within the autonomous vehicle industry (GM and Lyft, Toyota and Microsoft, etc.) will soon be reflected in retail. “Whole Foods, brought to you by Amazon” could be closer than we realize.

Without partnerships such as this, it is doubtful that typical grocery and other retail locations will have the capacity to keep up with competition once Amazon Go locations become more commonplace. Either way, these changes could take retailers one step past the threat of POS Malware to headlines such as, “Grocery Chain DDoSed” or “Retail Giant Temporarily Closes, Users Issued New Authentication After Data Breach”.

On a smaller scale, if someone were to get ahold of a single user’s login credentials and use someone else’s account to shop, would the physical recognition technologies prevent this? Can several users in a household all use the same account without confusing the system? Also, what is to prevent an attacker from carefully and physically scoping out the store itself in order to find ways to sidestep or exploit systems in place?

While new technological innovations increase efficiency and convenience, an inadvertent consequence is an encouragement for criminal innovation. For now, the world will just have to wait and see the positive and negative influences that Amazon Go might have on the future of retail technology.  


Malvertising and Social Engineering

While it’s been around since MySpace was a part of our everyday lives, malvertising has evolved and become more sophisticated—especially within the last few years. By definition, malvertising is exactly what it sounds like: malicious advertisements which infect browsers, plugins, and systems.

Malicious ads can appear anywhere on the internet, regardless of how safe a website may seem, and their attacks can be executed in numerous ways. With the ability to hide in something as small as a pixel, hook a browser and view clear text communications, and now target networking devices such as home routers, the importance of exercising caution is becoming clearer.
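"Hide in a pixel" is not a figure of speech: the Stegano exploit kit linked below carried its script in the alpha channel of otherwise ordinary banner images, with changes far too small to see. The code below is an added example, not part of the original post or of any kit, that shows both sides on a constructed image: a payload is written into the least-significant bits of the alpha values of a fully opaque RGBA buffer, and a defender-side check flags the image because a banner that is visually opaque should not have a scattering of alpha values of 254. The image size, the payload string, and the 16-bit length prefix are assumptions for the demo.

```python
"""Added example (not part of the original post): how a payload can ride in
the alpha channel of an image, and one check that catches it. The RGBA
buffer and the payload are constructed for the demo; no image library is
needed because the check works on raw pixel bytes."""
import random

WIDTH, HEIGHT = 64, 64          # constructed banner size
PIXELS = WIDTH * HEIGHT


def make_opaque_banner(seed: int = 1) -> bytearray:
    """RGBA bytes for a fully opaque image with random colour data."""
    rng = random.Random(seed)
    img = bytearray(PIXELS * 4)
    for i in range(PIXELS):
        img[4 * i:4 * i + 3] = bytes(rng.randrange(256) for _ in range(3))
        img[4 * i + 3] = 255
    return img


def embed_in_alpha(img: bytearray, payload: bytes) -> bytearray:
    """Attacker side: a 16-bit length then the payload, one bit per pixel,
    in the alpha LSB. A 1 leaves alpha at 255; a 0 drops it to 254."""
    out = bytearray(img)
    bits = []
    for byte in len(payload).to_bytes(2, "big") + payload:
        bits.extend((byte >> k) & 1 for k in range(7, -1, -1))
    if len(bits) > PIXELS:
        raise ValueError("payload too large for image")
    for i, b in enumerate(bits):
        a = 4 * i + 3
        out[a] = (out[a] & 0xFE) | b
    return out


def extract_from_alpha(img: bytes) -> bytes:
    """Loader side: read the alpha LSBs back into length-prefixed bytes."""
    bits = [img[4 * i + 3] & 1 for i in range(PIXELS)]

    def byte_at(n: int) -> int:
        v = 0
        for bit in bits[8 * n:8 * n + 8]:
            v = (v << 1) | bit
        return v

    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + k) for k in range(length))


def alpha_anomaly(img: bytes) -> float:
    """Defender side: fraction of pixels whose alpha is not 255. An image that
    renders opaque yet has scattered 254s is the signature to flag."""
    not_opaque = sum(1 for i in range(PIXELS) if img[4 * i + 3] != 255)
    return not_opaque / PIXELS


def demo() -> dict:
    clean = make_opaque_banner()
    payload = b"<script>/* constructed stand-in for the kit's loader */</script>"
    stego = embed_in_alpha(clean, payload)
    return {
        "clean_anomaly": alpha_anomaly(clean),
        "stego_anomaly": alpha_anomaly(stego),
        "recovered": extract_from_alpha(stego),
    }


if __name__ == "__main__":
    r = demo()
    print(f"clean: {r['clean_anomaly']:.3f}  stego: {r['stego_anomaly']:.3f}")
    print("recovered:", r["recovered"])
```

The anomaly score is deliberately simple: real detection at an ad network would also re-encode creatives (which destroys LSB payloads) and refuse to serve script from image data at all.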

And while social engineering is not a spectacularly new or uncommon technique, malvertising provides attackers with another vehicle for it. Advertising networks can determine a user’s operating system, browser, and geolocation, read the cookies they have set, and much more. The purpose of these features is targeted advertising; however, the same targeting can be used to aim phony tech support or other criminal schemes at users. And if someone can view your private communications, they can gather more than enough data to impersonate you or your contacts and steal critical information.

As browser developers begin to phase out vulnerable plugins such as Java and Flash, some threats—such as drive-by downloads—will become less common. However, future alternatives to these technologies as far as strengths and weaknesses are concerned, are yet to be determined. More preventative methods need to be employed by advertising networks, as cutting this opportunity off at the source is ideal.

Ad blocking software is only a piece of the puzzle and isn’t a perfect solution. Users should never browse as administrator and systems, browsers, and plugins should be frequently patched. Browser settings can also be configured to alert users before a plugin is run and infrequently used plugins should be uninstalled or turned off. This gives the user more control and greatly reduces risk.

If a user is especially concerned, they can use a sandbox browser such as AirGap, Browser in the Box, Sandboxie, or Spoon.net. Sandboxes wipe web history once shut down and allow a level of segregation between the sandbox and the user’s main computer. Virtual machines can also be used in a similar way. This segregation dramatically decreases the chance that a user’s machine will be compromised.

Being able to recognize the signs of social engineering is also important. Be sure to always question the source if someone has contacted you and never willingly give out personal information. If this information is requested or services offered seem too good to be true, this should set off some red flags.

Often within the security industry, once a problem is fixed it doesn’t completely go away; attackers simply get creative and make the problem more complex. It will be interesting to see if advertisement networks can overcome this hurdle and make malvertising and the negative effects associated with it a thing of the past.

Learn More:
https://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
https://www.cynet.com/blog-facebook-originull/
https://www.securityweek.com/malvertising-campaign-targets-routers
https://en.wikipedia.org/wiki/Drive-by_download


Tesla’s Gigafactory and the Future of Sustainable Energy

With less than one-third of total facility construction complete, mass production at Tesla’s Reno-based Gigafactory (GF1) has begun. Through a partnership with Panasonic, and staff numbers projected to exceed 6,500 by 2018, Tesla anticipates that GF1 will more than double the capacity of the world’s lithium-ion battery production. Because of its North American location, GF1 also introduces a new variable to the international market for battery cell production, which is currently dominated by Asian manufacturing companies.

Tesla’s GF1 is designed to be powered entirely by renewable energy with zero net carbon emissions. This is to be achieved through ground-mounted solar installations and what will be a record-breaking rooftop solar array. An 11.5 MW rooftop array located in India is currently the world’s largest; at 70 MW, Tesla’s rooftop array will be over six times its size.

In addition, waste heat will be recovered from production machines and recycled to provide a large portion of GF1’s central heating system. It will also be equipped with on-site water treatment facilities that will reduce fresh water usage up to 80 percent, and a battery cell recycling program.

Once construction is complete, GF1 will be the second largest building in the world by volume (~13 million m^3), second only to Boeing’s Everett, Washington facility (~13.3 million m^3); and at 5.5 million ft^2, it will have the largest physical footprint.

Tesla’s CEO, Elon Musk, has stressed that GF1 should be thought of as a product in itself—with an astute attention to detail at the forefront of its design. Automation is in abundance, and flexibility and scalability are key. Musk has also indicated that once complete, the facility could again expand 50-100 percent in size. In addition, a decision regarding the exact location of a European gigafactory (GF2) is expected later this year.

Not only is GF1 a revolution in its own regard, it has the potential to advance production and sustainable energy capabilities throughout the world. GF1 was created with the intent of being replicated both by Tesla and other large corporations. It is predicted that it would take just 100 gigafactories to eradicate the world’s reliance on fossil fuels and transition it to sustainable energy. While Tesla does not have the capability to do this on its own, if other companies follow suit, a transition towards a healthier planet could be significantly accelerated.

Learn More:
https://electrek.co/2017/01/10/tesla-gigafactory-1-model-3-battery-pack-rooftop-solar/
https://www.youtube.com/watch?v=iZm_NohNm6I


In-Flight Entertainment security

With holiday travel around the corner, many news outlets are covering In-Flight Entertainment (IFE) system vulnerabilities. Right before many of us step onto airplanes, the media is rehashing the news from early 2015 about Chris Roberts, who claimed to have broken into an IFE system on a United Airlines flight (a claim United and federal officials called unfounded), alongside recent reports of more minor IFE vulnerabilities affecting passengers’ financial data.

Many companies operate their own bug bounty programs, or run them through platforms such as HackerOne, to have this research done for them. These programs don’t always stop self-appointed security vigilantes from conducting independent research, however.

Not only does this behavior skirt the boundary between legal and illegal, there’s another line that those with good intentions must realize should never be crossed. It is without a doubt unethical for researchers to conduct unsanctioned investigations, especially when those investigations could put lives at risk. This behavior conflicts with the basic morality that researchers are entrusted to uphold. And if the information somehow goes public, exaggeration and fear mongering begin.

To ease fears and better understand the situation, let’s take a look at how an IFE system actually works. A server on the aircraft known as the System Control Unit (SCU) maintains an individual connection to each passenger’s Seat Display Unit (SDU) throughout the cabin. Modern SDUs are typically touchscreens and often run Linux or Android. A credit card reader may be located there or within the Personal Control Unit (PCU) handheld.

The Cabin Management System (CMS) is what flight attendants use to adjust the atmosphere within the cabin. It is often connected to the IFE, so in theory elements such as the displayed speed and altitude, or even the cabin lights, could be manipulated from the cabin rather than the cockpit. This has yet to happen, and in any case the flight control systems are separate.

Pilot communications with the ground are also separate, occurring via the Aircraft Communications Addressing and Reporting System (ACARS). Airbus and Boeing likewise segregate Satellite Communications (SATCOM) from all other systems and restrict the distribution of SATCOM information. Both companies have also stated that their planes are built with flight controls completely isolated from IFE systems (including in-flight wifi), with pilots always acting as the physical superusers of the flight control systems.

According to a senior federal law enforcement official, no conclusive data exists which indicates a passenger can utilize an IFE system to gain access to any component of flight control mechanisms. In addition, United Airlines has stated that they are confident Roberts’ claims are unfounded.

So sit back, relax, and take the thought of your flight being hijacked by the person next to you rapidly pressing on the IFE off of your mind. They’re probably just playing Candy Crush.

Disclaimer: Never attempt to tamper with an IFE system or claim to have manipulated flight controls unless you’re interested in ending up on the No Fly list. The FAA has a zero-tolerance policy for perceived threats. It’s not worth the risk, just ask Chris Roberts.


Learn more:
https://www.bloomberg.com/news/articles/2015-05-18/hacker-claims-of-plane-takeover-aren-t-credible-official-says
https://abcnews.go.com/US/flight-entertainment-systems-vulnerable-hacking-report-suggests/story?id=44294211
https://threatpost.com/in-flight-entertainment-system-flaws-put-passenger-data-at-risk/122621
https://www.gpo.gov/fdsys/pkg/FR-2008-01-02/html/E7-25467.htm



Autonomous Ridesharing – Security Concerns

The Internet of Things (IoT): thermostats, espresso machines, …Volvos? Like it or not, self-driving cars are quickly becoming a reality, with automakers and tech companies alike fervently (and suddenly) working to outdo each other in this field. This new division of technology creates unique challenges guaranteed to plague us all. And with companies racing to release self-driving rideshare vehicles, an entirely new set of concerns emerges.

In order to keep up with the competition, traditional vehicle manufacturers are shifting their focus towards the production of autonomous vehicles. And with that shift come responsibilities that extend beyond physical safety.

The introduction of autonomous ridesharing requires lateral thinking on behalf of security professionals, for as long as the cybersecurity industry has existed, research has primarily been focused on stationary devices. While modern security concerns concentrate on the loss of data, autonomous vehicle security shifts to a loss of life. Furthermore, new elements arise when we introduce moving vehicles accessed daily by anyone with a ridesharing app on their phone. After all, solely considering traditional security risks could result in something critical being overlooked.

In addition, manufacturers of self-driving cars are buzzing about vehicle-to-vehicle (V2V) communication. V2V allows autonomous cars to exchange messages with one another in order to improve both the ride experience and rider safety. For example, if an autonomous vehicle encounters something blocking a roadway, it can alert others so they can be prepared. However, as the number of connected autonomous vehicles increases, the attack surface expands with it: every vehicle that acts on messages from its peers is a network node that must authenticate what it receives. If this connected network were to fall into the hands of a criminal, terrorist, or rival nation state, cities could be brought to a standstill, or worse, an entire fleet of cars could be turned into weapons.

And what about ransomware? Could a rider entering an autonomous ridesharing vehicle after a malicious user face a dangerous situation in a car that has been reprogrammed to run red lights, or one that refuses to unlock until they pay a ransom? While this sequence of events sounds like science fiction, it is not impossible. No online system can ever be 100% secure, and a vulnerability that exists will eventually be found and exploited.

So what is to stop an attacker from manipulating settings internally or externally on ridesharing vehicles? Will the vehicles be programmed to react to, or at least report, tampering? The security industry already struggles to keep up with the risks, threats, and vulnerabilities it faces daily, and the obligation only grows when lives are at stake. Hiring top security talent should be at the forefront of autonomous auto manufacturers' minds.
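As an added illustration (example code written for this post, not anything from Uber, any manufacturer, or the paper linked below), here is the kind of check a receiving vehicle could apply to the V2V hazard alerts described above so that forged, replayed, or stale messages are rejected and reported rather than acted on. The scheme is an assumption: a fleet-wide shared HMAC key, a per-sender sequence number, and a timestamp. The vehicle names, key, and alert contents are constructed.

```python
import hashlib
import hmac
import json

# Added example (not from the original post or any vehicle vendor).
# Assumed scheme: every vehicle in a fleet holds a shared key, and each
# alert carries an HMAC-SHA256 tag over its canonical JSON encoding plus a
# per-sender sequence number and a timestamp. A shared symmetric key means
# one compromised car can forge for the whole fleet; production systems use
# per-vehicle certificates instead (e.g. IEEE 1609.2).


def canonical(alert: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(alert, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(key: bytes, alert: dict) -> str:
    return hmac.new(key, canonical(alert), hashlib.sha256).hexdigest()


class AlertReceiver:
    """Validates incoming V2V alerts and records rejected ones for reporting."""

    def __init__(self, key: bytes, max_age_s: float = 5.0):
        self.key = key
        self.max_age_s = max_age_s
        self.last_seq = {}     # sender id -> highest sequence number accepted
        self.tamper_log = []   # (reason, sender) pairs, to be reported upstream

    def _reject(self, reason: str, alert: dict) -> bool:
        self.tamper_log.append((reason, alert.get("sender")))
        return False

    def accept(self, alert: dict, tag: str, now: float) -> bool:
        # 1. Authenticity: constant-time comparison of the MAC.
        if not hmac.compare_digest(sign_alert(self.key, alert), tag):
            return self._reject("bad-mac", alert)
        # 2. Freshness: reject alerts outside the clock-skew window.
        if abs(now - alert["ts"]) > self.max_age_s:
            return self._reject("stale", alert)
        # 3. Replay: sequence numbers must strictly increase per sender.
        sender, seq = alert["sender"], alert["seq"]
        if seq <= self.last_seq.get(sender, -1):
            return self._reject("replay", alert)
        self.last_seq[sender] = seq
        return True


def demo() -> dict:
    """Runs four constructed messages through a receiver and returns the verdicts."""
    key = b"fleet-demo-key-not-for-production"   # constructed for the example
    rx = AlertReceiver(key)
    genuine = {"sender": "car-17", "seq": 1, "ts": 1000.0,
               "hazard": "debris", "road": "I-80 W mile 42"}
    tag = sign_alert(key, genuine)
    out = {}
    out["genuine"] = rx.accept(genuine, tag, now=1001.0)
    # Attacker alters the payload but cannot recompute the tag.
    forged = dict(genuine, hazard="road-closed")
    out["forged"] = rx.accept(forged, tag, now=1001.0)
    # Attacker replays the genuine alert a second later.
    out["replay"] = rx.accept(genuine, tag, now=1002.0)
    # A correctly signed but old alert (recorded earlier, sent now).
    old = {"sender": "car-17", "seq": 2, "ts": 900.0,
           "hazard": "ice", "road": "I-80 W mile 40"}
    out["stale"] = rx.accept(old, sign_alert(key, old), now=1003.0)
    out["reports"] = [reason for reason, _ in rx.tamper_log]
    return out


if __name__ == "__main__":
    print(demo())
```

The tamper log is the part that answers the "report tampering" question: a rejected message is not silently dropped but recorded with a reason, so the operator can see that a forgery or replay was attempted. A shared key only tells the receiver that the sender holds the key, not which vehicle it is; per-vehicle keys or certificates are what let a fleet revoke a single compromised car.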

Lucky for Uber, they quickly hired the two security researchers responsible for last summer's memorable remote Jeep Cherokee hack, Charlie Miller and Chris Valasek. Perhaps insight like theirs will give Uber an advantage against attackers looking to disrupt this industry. Or maybe not: self-driving cars may be an entirely different beast. Only time will tell.

Learn More:
https://www.researchgate.net/publication/266780575_Potential_Cyberattacks_on_Automated_Vehicles


Danielle Pucciarella-Galkova

The Five-hundred-meter Aperture Spherical Telescope (FAST)

While the search for intelligent life outside of Earth seems more like the introduction to a sci-fi novel than reality, real astrophysicists, engineers, and a lot of funding have been dedicated to this endeavor since the end of World War II. More recently, in 2016, the Five-hundred-meter Aperture Spherical Telescope (FAST) was completed. And because the hunt for extraterrestrials centers on searching for artificially generated radio signals, powerful radio telescopes like FAST are the best tools for the job.

Located approximately 1,200 miles south of Beijing, this telescope is so large and so sensitive that it is expected to be the most powerful in the world for at least the next decade (maybe two). In fact, at more than 30 American football fields in area, FAST is also the biggest filled-aperture radio telescope in existence.

And after just five years of construction, the creators of FAST have recently teamed up with Breakthrough Listen, a component of Yuri Milner's Breakthrough Initiatives, and other telescopes around the world to further this venture. However, these massive instruments are not dedicated solely to detecting signals from intelligent life. FAST and telescopes like it can also search for faint pulsars, which are difficult, if not impossible, for less sensitive instruments to detect, and will aid in mapping hydrogen gas throughout the universe.

Other interesting byproducts of this research are that FAST can be used to detect low-frequency gravitational waves (think relativity and the curvature of spacetime), that it can further scientists' understanding of how the universe came to be (it can see farther), and that it can advance other scientific disciplines. FAST will also use the Next Generation Archive System (NGAS) to store the data the telescope collects; this system will maintain over three petabytes of data a year from FAST alone.

The telescope's location is also critical and comes with an interesting backstory. FAST's site in rural China is ideal for detecting radio signals because it is nearly devoid of radio interference. A small village was removed from the site before construction, and over the course of development nearly 10,000 more people were relocated away from the region in order to ensure high-quality, interference-free data reception.

Whether or not the hunt for extraterrestrials ever comes to fruition, the research byproducts and other capabilities of FAST and similarly powerful telescopes will undoubtedly aid developments in astrophysics and other sciences. It will be interesting to see what FAST contributes.

Learn More:
https://fast.bao.ac.cn/en
https://breakthroughinitiatives.org
https://www.eso.org/projects/dfs/dfs-shared/web/ngas

Danielle Pucciarella-Galkova

Nanocrafts, Warp Drive, and the Future of Space Travel

This week NASA announced the discovery of seven Earth-sized planets orbiting TRAPPIST-1—an ultra-cool dwarf star located approximately 39 light years away from Earth. At least three planets in this system are believed to exist within a habitable zone, indicating the potential to support Earth-like life.

Announcements such as these spark conversations about how long it might take to travel such distances and whether technological advances might one day make it possible. Currently, the fastest-launched man-made spacecraft is New Horizons. Moving at 36,373 MPH, New Horizons took just over nine years to travel the three billion miles to Pluto. As impressive as that sounds, it would still take New Horizons approximately 18,000 years to travel a single light year, and over 700,000 years to reach TRAPPIST-1.

With existing technology, this feat is impossible. So what are scientists doing to change that? For starters, they have set their sights on slightly more feasible targets. Last year, another Earth-like planet was discovered orbiting Proxima Centauri, a red dwarf 4.243 light years from our sun. A few months earlier, a new space travel initiative known as Breakthrough Starshot was announced by Russian entrepreneur Yuri Milner. The project is funded by Milner and backed by Stephen Hawking, Mark Zuckerberg, and others.

Breakthrough Starshot proposes to propel mini spacecraft known as nanocrafts or StarChips (no larger than a postage stamp) to about 20 percent of the speed of light (roughly 134,000,000 MPH) using a 100 gigawatt laser array. At that speed a craft covers a full light year in five Earth years. Initially the mission was aimed at Alpha Centauri (4.367 light years away); with the discovery of an Earth-like planet in the habitable zone of Proxima Centauri (4.243 light years away, and part of the same star system), the focus shifted to that star. The trip would take approximately 20 years, plus a further four years for the data to return to Earth.

Another initiative comes straight out of Star Trek: warp drive, also known as faster-than-light (FTL) travel. This option is still theoretical: it would require a craft that bends spacetime the way gravity does, and the technology and type of energy required to do so (negative energy density) do not exist or have not yet been discovered. The idea was developed by Mexican physicist Miguel Alcubierre and refined by NASA engineer Harold "Sonny" White. If ever built, an FTL spacecraft could travel several light years in a matter of days.

Whether it's a trip to our closest neighbor, to something a bit farther such as TRAPPIST-1, or one day beyond the Milky Way, it is an exciting time to witness advances in space travel and discovery. Since technology has yet to grant us eternal life, we will have to wait and hope that even a fraction of these advances become reality within our lifetimes. Fingers crossed.

Learn More:
https://www.nasa.gov/press-release/nasa-telescope-reveals-largest-batch-of-earth-size-habitable-zone-planets-around
https://www.nasa.gov/press-release/nasas-three-billion-mile-journey-to-pluto-reaches-historic-encounter
https://www.universetoday.com/65644/how-far-is-a-lightyear-in-miles
https://www.eso.org/public/archives/releases/sciencepapers/eso1629/eso1629a.pdf
https://phys.org/news/2017-01-alcubierre-warp.html

Danielle Pucciarella-Galkova

Understanding Asymmetric Threats In Cyber Security

In February 2000, a 15-year-old from Quebec, known online as MafiaBoy, launched successful Distributed Denial of Service (DDoS) attacks against Yahoo!, Amazon, CNN, Dell, and several other large websites. For these corporations the attacks came out of nowhere, because DDoS was a relatively new threat at the time. Fast forward to 2016: DDoS attacks still occur, but most large organizations have deployed layers of protection to blunt them.

While DDoS is nothing new, modern cyber threats continue to emerge in unexpected ways, which makes them difficult to defend against preemptively. Traditionally, an asymmetric threat is a real-world warfare situation in which a small, unpredictable force finds a weakness in a much larger one and overcomes it by exploiting that vulnerability.

As the example above shows, the concept applies to cyber warfare as well, because of the similarly unpredictable battlefield, targets, and threat actors, and the heavy use of unforeseen attack vectors. At the time, nobody conceived of an attack like that one, especially at the hands of a 15-year-old.

A more current example of an asymmetric threat is ransomware. Through a bit of social engineering, an attacker can trick an unsuspecting group or individual into running malware that encrypts entire drives, then demand payment for the decryption key. Even if those affected pay the ransom, there is never a guarantee that the data will be fully restored.

Defending against asymmetric threats is an ongoing challenge regardless of what needs protecting. The best defense is for security teams to stay vigilant with well-formulated prevention, detection, and mitigation plans. Against asymmetric threats, more than networks and systems need protecting: security teams should practice defense in depth, with distributed defenses and multiple layers of hardening, to counter both standard and asymmetric threats. Organizations must also extend security beyond these teams by building a security culture, which adds a human layer to that defense.

Learn More:
https://en.wikipedia.org/wiki/Asymmetric_warfare
https://en.wikipedia.org/wiki/MafiaBoy
https://www.fca.org.uk/news/speeches/our-approach-cyber-security-financial-services-firms

Danielle Pucciarella-Galkova

IIoT: The Other Internet of Things

While it is less well known than its not-so-distant relative the Internet of Things (IoT), the Industrial Internet of Things (IIoT) is rapidly being integrated into critical Industrial Control Systems (ICS) and manufacturing organizations throughout the world. Although IIoT technologies are relatively new, with the term itself coined as recently as 2012, the IIoT is not to be underestimated. In fact, GE predicts it will become a $225 billion market within the next three years.

So what exactly is the IIoT? Although the IoT and IIoT sound similar on the surface, one major difference sets them apart: the IoT connects apps to things, while the IIoT connects infrastructure to data.

Even though the IoT does collect and share information, that data is typically used to simplify the daily lives of end users. The IIoT, by contrast, integrates state-of-the-art monitoring systems, smart sensors, and information-sharing platforms with legacy infrastructure to improve reliability, safety, and analytical capabilities within industrial systems, avoiding the need for a costly system overhaul.

Some real-world examples of the IIoT include the integration of smart grids with existing electrical substations and the addition of sensors to monitor the volume of gas flowing through refinery flare stacks. Enhancements such as these have already saved millions of dollars through improved industry compliance, productivity, and performance.

Of course, introducing interconnectivity to previously air-gapped infrastructure expands the attack surface. While some of the resulting issues are familiar and analogous to IT security, many are unique to the industrial setting. In fact, these industries have already experienced attacks developed specifically to disrupt critical industrial controls, such as BlackEnergy and Stuxnet.

On a high note, because of the sensitive nature of the information flowing through the IIoT, its devices tend to be developed with more security in mind than consumer IoT devices. Data flow is tightly controlled, traveling almost entirely upstream to the cloud, with limited ability to interact with or push commands back down to the equipment. That asymmetry is itself a control worth enforcing and monitoring: a write to a controller from anything other than the expected engineering sources should be treated as suspect. However, in many ways these industries are playing catch-up, owing to a history of air-gapped systems and a great deal of legacy infrastructure.
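To make the upstream-only expectation concrete, here is an added example (written for this post, not taken from any vendor or from the sources linked below) of a detection rule run over Modbus/TCP flow records: reads from the gateway and engineering workstations are expected, writes are permitted only from engineering, and anything else raises an alert. The network zones, addresses, and the log format are constructed assumptions for a hypothetical plant; the Modbus function codes are the standard ones (1 to 4 read, 5, 6, 15 and 16 write).

```python
import ipaddress

# Added example, not from the original post. Network zones are constructed
# assumptions for a hypothetical plant; the Modbus/TCP function codes are the
# standard ones.
ENGINEERING = ipaddress.ip_network("10.10.5.0/24")    # workstations allowed to write
PLCS = ipaddress.ip_network("10.10.20.0/24")          # controllers
GATEWAY = ipaddress.ip_address("10.10.30.2")          # IIoT gateway: reads, forwards upstream

MODBUS_READ = {1, 2, 3, 4}      # read coils / discrete inputs / holding regs / input regs
MODBUS_WRITE = {5, 6, 15, 16}   # write single coil / single reg / multiple coils / multiple regs


def classify(src: str, dst: str, func: int) -> str:
    """Policy verdict for one Modbus request: 'allow', 'ignore' or an 'alert-*' string."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in PLCS:
        return "ignore"                        # not controller traffic
    if func in MODBUS_READ:
        if src_ip in ENGINEERING or src_ip == GATEWAY:
            return "allow"
        return "alert-unexpected-reader"
    if func in MODBUS_WRITE:
        # The upstream-only rule: only engineering may push commands down.
        return "allow" if src_ip in ENGINEERING else "alert-downstream-write"
    return "alert-unlisted-function"


def scan(log_lines):
    """Runs classify() over 'timestamp src dst function-code' records; returns alerts."""
    alerts = []
    for line in log_lines:
        ts, src, dst, func = line.split()
        verdict = classify(src, dst, int(func))
        if verdict.startswith("alert"):
            alerts.append((ts, src, dst, int(func), verdict))
    return alerts


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = [
    "2017-03-01T10:00:01 10.10.30.2 10.10.20.7 3",    # gateway polls holding registers: allow
    "2017-03-01T10:00:02 10.10.5.14 10.10.20.7 16",   # engineering writes setpoints: allow
    "2017-03-01T10:00:03 10.10.30.2 10.10.20.7 6",    # gateway writes a register: downstream write
    "2017-03-01T10:00:04 203.0.113.9 10.10.20.3 5",   # external host forces a coil: downstream write
    "2017-03-01T10:00:05 10.10.40.8 10.10.20.3 3",    # unknown host reading a PLC
    "2017-03-01T10:00:06 10.10.5.14 10.10.30.2 3",    # workstation reading the gateway: ignore
    "2017-03-01T10:00:07 10.10.5.14 10.10.20.3 43",   # function not in policy
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The third line is the interesting one for an IIoT deployment: the gateway is supposed to be a read-only collector, so a write from it means either a misconfiguration or that the gateway itself has been compromised and is being used as the path back down into the process. Modbus carries no authentication of its own, so this kind of source-and-function-code policy at a monitoring point is often the only place the "upstream only" promise can actually be checked.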

The IIoT is modernizing and changing the face of industry as we know it. While the gains in efficiency bring many benefits, industrial security professionals must be mindful of both standard IT security and a new breed of industry-focused digital weapons. The true cost of efficiency is much higher within the IIoT, and integrations must be considered with the utmost care.

Learn More:
https://www.tripwire.com/state-of-security/featured/5-key-challenges-for-the-industrial-internet-of-things-iiot/
https://www.securityweek.com/blackenergy-group-uses-destructive-plugin-ukraine-attacks
https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

Danielle Pucciarella-Galkova

Betty White: Older Than Sliced Bread, Younger Than the First Wireless Exploit?

This week, America's sweetheart Betty White would have turned 100 years old. Born on January 17th, 1922, Ms. White lived through some remarkable technological advances. One fact some are familiar with is that she was older than sliced bread. Social norms about discussing someone's age aside, while Betty may have been older than sliced bread, she was significantly younger than the first wireless attack.

Yes, you read that correctly.

In 1903, during a public demonstration of inventor Guglielmo Marconi's wireless telegraphy system at the Royal Institution in London, another inventor, Nevil Maskelyne, injected his own signal into the demonstration receiver, sending Morse code that denounced Marconi's work and referred to Marconi and his demonstration partner, John Ambrose Fleming, as "rats". Along with many other inventors of the time, a disgruntled Maskelyne felt slighted by the breadth of Marconi's patents, which he believed restricted his ability to patent his own work.

Before the attack, Marconi had claimed that his system was completely secure: even though the data would travel over 300 miles through the air, it would remain intact and unobstructed. Maskelyne, the world's first tech troll, was intent on proving otherwise. Wireless telegraphy, also known as early radio, transmitted Morse code to receivers via electromagnetic waves. What Marconi presented as a private transmission, protected by his tuned ("syntonic") circuits that supposedly kept each link on its own frequency, was in practice closer to modern broadcast radio: with no authentication and no encryption, anyone with a receiver can tune in to a station, and anyone with a strong enough transmitter can talk over it. Maskelyne embarrassed Marconi by demonstrating that wireless telegraphy was, in fact, not private at all.

To achieve this, Maskelyne set up a simple transmitter near the lecture hall that broadcast signals so powerful that, were someone to replicate them with modern-day radio, every analog transmission within several miles would be affected and sensitive equipment damaged. Maskelyne was not concerned with specific frequencies; he made his transmission as broad as possible in order to maximize the chance of disrupting Marconi's demonstration. His signals were so strong that they even interfered with the lamp and electrical supply of Marconi's projector.

Typically, wireless exploits are considered a modern threat, affecting only state-of-the-art technologies. Yet Nevil Maskelyne was far ahead of his time, carrying out the first wireless exploit in 1903, nearly two decades before our beloved Betty White was born. So, while many focus on the fact that she was older than sliced bread, a lesser-known but more impressive fact lingers: Betty White was younger than the first wireless exploit. And that's a fact.

Learn More:
https://en.wikipedia.org/wiki/Betty_White
https://en.wikipedia.org/wiki/Sliced_bread
https://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history

Danielle Pucciarella-Galkova

NASA VPNs the DSN

NASA's Deep Space Network (DSN) has given astrophysicists the ability to communicate with spacecraft missions since 1958. As time and technology have advanced, the DSN, essentially a collection of terrestrial communication facilities operating on frequency bands reserved for deep-space use, has received enhancements to bolster its long-range data transmission capabilities.

The DSN allows us to receive communications from missions near Earth all the way out to the farthest man-made object from Earth, Voyager 1. In 2013, NASA confirmed that Voyager 1 had left the reach of the solar wind and officially entered interstellar space. After over 39 years in space it is now over 12 billion miles from Earth, but thanks to the DSN, communication has been maintained. Enhancements to the DSN also allow NASA to communicate with the Voyager probes for much longer, and in more ways, than was initially believed possible. For example, Voyager 2, currently over 10 billion miles from Earth, still receives software upgrades and fixes.

However, maintaining communication is no longer NASA's sole focus. With interests on the ground shifting toward data protection, the DSN recently received a cybersecurity facelift: NASA partnered with AT&T to build a Virtual Private Network (VPN) for the DSN, and the project was recently completed.

A VPN creates an encrypted, authenticated tunnel between locations across a shared network, so that anyone who captures the traffic in transit can neither read it nor silently alter it. It does not make communications faster; encryption adds a small amount of overhead. The speed gains NASA expects come from the hardware upgrades and network expansion being rolled out alongside the VPN, which together are expected to triple the DSN's current data transmission rates. The VPN matters because, without it, the ground network could more easily be infiltrated and critical data compromised.

Unfortunately, NASA has already fallen victim to a number of cyber attacks, many of them Advanced Persistent Threats (APTs) originating from other nation states. Login credentials were stolen and used by unauthorized individuals to alter configurations and even acquire full control of internal systems. Another incident resulted in the loss of International Space Station command algorithms, which were stored on a stolen, unencrypted laptop.

Hackers fueled by conspiracy theories that NASA is withholding information about everything from international terrorist organizations to alien life on Earth have also targeted the organization's website and networks.

It is becoming essential that everyone, from individuals to large corporations and government entities, strengthen the security protecting their information. While NASA, an organization that has already been targeted many times, is essentially playing catch-up with the recently added DSN VPN, it is encouraging to see it taking appropriate steps to protect critical systems and information from here on. With cyberattacks on the rise, no one is safe, and erring on the side of caution (and borderline paranoia) might be the way of the future.

Learn More:
https://www.jpl.nasa.gov/news/news.php?release=2010-151
https://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf
https://www.space.com/14750-stolen-nasa-laptop.html
https://www.huffingtonpost.co.uk/entry/anonymous-claim-nasa-hack-over-islamic-state-information_uk_56f26dc3e4b0f4c81e86f17b
https://en.wikipedia.org/wiki/Gary_McKinnon

Danielle Pucciarella-Galkova

Watson: NASA’s Newest Hire

While NASA's relationship with IBM is nothing new, a recent partnership with IBM's Watson could help propel NASA research beyond its current human limitations. Watson, developed by IBM's DeepQA project, is the computer system famous for defeating Jeopardy! champions Ken Jennings and Brad Rutter in 2011.

One might presume that Watson is nothing more than a fancy search engine; however, Watson works very differently, in that it parses natural language far more realistically. Querying a search engine with too much information returns pages of potential results that may or may not be what the user needs; with Watson, as in human conversation, the more context you provide, the more relevant and precise its response.

NASA isn't the first organization to employ Watson for research, either. The system is already spearheading cancer research projects in the healthcare industry. Just as in healthcare, combing through thousands of aerospace research documents is tedious for humans. Watson acts as a research development advisor, analyzing and providing feedback on documentation written in several languages, deconstructing complex mathematical equations, and conveying all of this in a concise, easily digestible format for human consumption.

NASA conducted two pilot programs with Watson. The first examined its capacity to consume 130,000 documents on the topic of nanotube technology, and the second concentrated on Watson's ability to clearly communicate its findings to NASA engineers and researchers. The results were validated by Subject Matter Experts (SMEs), who concluded that Watson made connections that human researchers would likely have overlooked. In addition, these pilots informed the development of a more straightforward User Interface (UI) for the system.

In the future, NASA anticipates that Watson can help answer questions and solve spaceflight science problems in real time, aiding the organization in making vital decisions mid-flight that could save both millions of dollars in equipment and human lives.

Learn More:
https://www.ibm.com/watson/
https://km.nasa.gov/putting-cognitive-computing-to-work-at-nasa-langley/

Danielle Pucciarella-Galkova

Cybercrime and Taxes

It's tax season again! Time to gather your receipts and W-2s, and brace for phishing attacks? Last year, the IRS saw a wave of W-2 phishing scams that hit over 40 organizations in Q1 alone. This year, cybercriminals have become more sophisticated, launching a couple of multifaceted attacks, the first of which is known as a double-barrel attack.

Last year's W-2 scams involved attackers using techniques like typosquatting (registering a domain that differs from the target's by a character or two) to masquerade as C-level executives and request W-2 information from HR staff, in order to file fraudulent returns and steal individual employees' tax refunds. This year's double-barrel attack combines that effort with an attempt to also extort money from the organizations themselves: a successful request for W-2 data is often followed by a request for a wire transfer from the same impersonated executive. Attackers are essentially hitting companies with a digital one-two punch.

Another tax scam gaining momentum this year targets tax preparation companies and accountants. Fraudulent emails with malicious attachments are sent under the guise of requests for help with tax preparation. When the attachment is opened, the machine is compromised and customer data exposed. Attackers then use that information to file the customers' tax returns and steal their refunds.

The IRS is calling this wave of attacks among the most dangerous it has seen in a while. And although stolen refunds and fraudulent wire transfers are bad enough, stolen W-2s have also been found for sale on the dark web in exchange for Bitcoin. Nothing is sacred: schools, tribal organizations, nonprofits, and healthcare organizations have all been targeted.

So, what does this mean for security professionals charged with keeping these attacks from affecting their companies? And what about individuals? On the corporate side, employee training is key: a casual, easy-to-digest training is the best way to convey the severity of this threat (and phishing in general) and keep users alert. Process controls matter as much as awareness; any request for W-2 data or a wire transfer should be verified out of band (a phone call to the executive's known number) before anyone acts on it. Strong Sender Policy Framework (SPF) records, together with DKIM signing and a DMARC policy, help receiving mail servers reject messages that forge your own domain. Bear in mind that SPF only states which servers may send mail for a given domain; it does nothing against a lookalike domain the attacker registered and controls, so typosquatted sender domains need their own check.
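As an added example (written for this post, not from the IRS or any mail vendor), the following puts the two checks side by side: a minimal SPF evaluation that rejects mail forging your own domain, and a lookalike-domain test that catches the typosquatted executive address SPF lets through. The domains, IP addresses, and SPF records are constructed; the evaluator supports only the ip4/ip6/all mechanisms and takes the record as a string rather than fetching it from DNS.

```python
import ipaddress

# Added example, not from the original post. The SPF evaluator handles only the
# ip4/ip6/all mechanisms and takes the record as a string; a real check fetches
# the TXT record and resolves include:/a/mx mechanisms via DNS.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Returns 'pass', 'fail', 'softfail' or 'neutral' for sender_ip against record."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        # include:/a/mx/exists would need DNS; treated as no-match here.
    return "neutral"                         # record ended without an 'all'


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse common typosquat substitutions before comparing."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(bad, good)
    return d


def is_lookalike(candidate: str, ours: str) -> bool:
    if candidate.lower() == ours.lower():
        return False
    a, b = normalize(candidate), normalize(ours)
    return a == b or edit_distance(a, b) <= 1


def screen(mail_from_domain: str, sender_ip: str, spf_records: dict, our_domain: str) -> str:
    """Combined verdict for one inbound message."""
    record = spf_records.get(mail_from_domain, "v=spf1 ?all")   # no record: neutral
    result = spf_check(record, sender_ip)
    if mail_from_domain.lower() == our_domain.lower():
        # Only our own SPF-authorized servers may send as our domain.
        return "deliver" if result == "pass" else "reject-spoofed-own-domain"
    if is_lookalike(mail_from_domain, our_domain):
        # SPF may legitimately pass here: the attacker owns the lookalike domain.
        return "quarantine-lookalike"
    return "reject-spf-fail" if result == "fail" else "deliver"


# Constructed records and addresses (RFC 5737 documentation ranges).
SPF_RECORDS = {
    "example-payroll.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
    "exarnple-payroll.com": "v=spf1 ip4:203.0.113.0/24 -all",   # attacker-registered
}

if __name__ == "__main__":
    ours = "example-payroll.com"
    print(screen("example-payroll.com", "192.0.2.5", SPF_RECORDS, ours))     # deliver
    print(screen("example-payroll.com", "203.0.113.7", SPF_RECORDS, ours))   # reject-spoofed-own-domain
    print(screen("exarnple-payroll.com", "203.0.113.7", SPF_RECORDS, ours))  # quarantine-lookalike
```

The third message is the one that matters for the W-2 scam: "exarnple-payroll.com" passes SPF because the attacker published a perfectly valid record for the domain they registered, so only the lookalike check (here an edit-distance comparison after collapsing "rn" to "m") flags it. In practice the same comparison should also be run against the display name and the Reply-To header, which is where the impersonated executive's name usually appears.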

Professional tax preparers should ensure they have strong passwords across all systems, use two-factor or multi-factor authentication (2FA/MFA) wherever it is available, and confirm that their systems are patched and running up-to-date antivirus. Employees should also be warned about this wave of threats and taught to recognize spear phishing and unusual system behavior. Individuals submitting their taxes to a professional accountant or tax preparation firm should not be afraid to ask how their data will be kept secure. And finally, fear not: if something does happen, the IRS has a process to correct tax refund fraud and send the funds to the rightful individual (see the identity theft link below).

Learn More:
https://www.irs.gov/uac/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
https://www.irs.gov/uac/dangerous-w-2-phishing-scam-evolving-targeting-schools-restaurants-hospitals-tribal-groups-and-others
https://www.irs.gov/pub/irs-pdf/p4557.pdf
https://krebsonsecurity.com/2017/01/shopping-for-w2s-tax-data-on-the-dark-web
https://www.identitytheft.gov
