Monday, August 14, 2017

Incident Response Plan


It should be noted: if an Incident Response plan is not already in place, do not attempt to create one during an infection. Instead, remove the infected server from the network. Create a plan to systematically return the infected server to its pre-infection production condition before beginning the recovery process. Incident response is not a responsibility that a single person can handle. Recovering a compromised server in a haphazard fashion can create more system issues and do more damage than the initial compromise.
 
...
...Incident Response Plans should not be created during a security incident nor should one person be assigned to develop an Incident Response Plan. Incident response should be the responsibility of different members from different groups in an organization...
...
 
...During an incident, panic will often set in. Do not let this happen...

----
Source: SANS Institute InfoSec Reading Room, "Malware Analysis: An Introduction"

Wednesday, August 9, 2017

Automotive Cyber Flaws

Thirty years ago this would have sounded like a science fiction scenario, but today we are slowly moving towards that point. Automotive cyber flaws are a real threat today; they are just not yet widespread.
 
Anything with an IP address (the IoT) is a candidate target for hackers, and "connected cars" are naturally no exception. A car that is connected to the internet or to an intranet is defined as a "connected car".
Imagine you are the main character in the following scenario: you own a connected car. It's a brand new smart car, and you paid a lot of money for it.
 
One morning you got into your car and turned the key as usual. But... hey! It wasn't working. You tried a couple of times, but the engine wouldn't start. In the middle of that confusion and anger you suddenly noticed a message on your car's screen: "Your car is compromised. Don't go to the police. The data in your car is encrypted. If you pay us blah blah..."
 
"What? What the hell does that mean?" After a couple of phone calls you solved the puzzle. Gosh! Yeah! It was your turn to become a carsomware (car + ransomware) victim. The hackers demanded 1,000 USD to unlock your car. You called your contracted car service, and they told you they would have to replace the "brain unit" of your car, which would cost you about 2,000 USD.
 
Now... the question is: which would you choose, the hackers' demand or your car service's offer?
This may seem like a movie scenario today, but we are getting closer to such troubles day by day.
 
There are far more dangerous car hacking scenarios than not being able to start the engine. Think of what could happen if the brakes of your car suddenly malfunctioned while you were driving at 120 km/h (~75 mph) in heavy traffic.
 
The DHS (Department of Homeland Security) has warned the automotive industry about automotive cyber flaws: https://fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx
 
In one of the sessions at DEFCON 2017 (August 2nd), researchers presented a paper on "automobile system vulnerabilities": https://securingtomorrow.mcafee.com/mcafee-labs/defcon-connected-car-security/
Remarkable lines:
 
"According to Intel however, the 'connected car is already the third-fastest growing technological device after phones and tablets.' "
 
"Our connected cars today generate up to 4,000GB of data per 50Kb every second and using on-board cameras generates 20MB to 40MB per second."
 
"Fundamentally, a car is like a jigsaw puzzle with multiple components, so applying patches to cars the way we would a phone, for example, is not feasible."
 
If you want a car free of cyber threats, then I would recommend the following one. =))

Tuesday, August 8, 2017

Linux-based Malware

 
Remarkable expressions about Linux-based malware from the SANS Institute InfoSec Reading Room:
 
5. Conclusions
Despite popular perception, Linux can be vulnerable to a variety of malware. Existing host-based defense such as antivirus software is marginal at detecting or preventing Linux malware threats. Based on organizational risk tolerance additional security controls may be required to prevent or identify Linux malware infections. Utilizing a combination of system hardening techniques and network based controls can provide an additional layer of security. Incident response capabilities may also require adjustment to detect and respond to the growing threat of Linux malware.
 

Wednesday, August 2, 2017

Wind Farms and Ransomware?

Well, yes. They are not only composed of three rotating blades and a very long white tower, as seen from the outside. It may sound weird, but they also have operating systems, and they are connected to a central management system through software. Oh! I am talking about wind farms.
 
Wind farms can be treated as IoT devices, but because they generate electricity they can also be treated as critical infrastructure; they might be described as the less critical part of the critical infrastructure concept.
The 20th Black Hat conference was held on 26th-27th July 2017 in Las Vegas. In one of the sessions, the cybersecurity of wind farms was assessed with respect to ransomware attacks: https://www.pcmag.com/news/355223/wind-farms-are-not-ready-for-ransomware
 
It seems that wind farms are not very resistant to cyber attacks, which makes them vulnerable to ransomware. Like poorly configured IoT devices, they can be used as part of DDoS attacks, or they can be shut down so that they stop generating electricity, which causes serious financial loss. Their biggest advantage against cyber attacks is that most wind farms are not connected to the internet, but there are still ways to breach such systems.
Underlined expressions from the article above:
 
His team found that these massive devices run a variety of operating systems, some wildly out of date and susceptible to known vulnerabilities. This includes everything from embedded Windows CE, Windows 95, various flavors of Linux, and some real-time OSes.
 
"If you can own one of them you can own them all," said Staggs.
 
Staggs outlined not just a method for attack, but a monetization plan as well. Taking inspiration from ransomware attacks, he imagined a scenario whereby attackers shut down a wind farm and demand payment in order to return it to normal operation. At the current price of electricity, a wind farm loses $10,000 to $30,000 for every hour it's not in operation, he said.
 
Second, simple security measures would completely mitigate the attacks. "If you have something in place where you could VPN traffic between turbine and the substations, it prevents everything I just outlined," said Staggs.