Citadel trojans are targeting popular password manager services

Recent news on Citadel trojans being used to capture master passwords from password manager services like LastPass, RoboForm and Dashlane is a reminder that the SSO (single sign-on) technology these services use has an Achilles heel: a single point of failure. Master passwords are like the keys to the kingdom: if they’re compromised, so is everything else behind them. If that happens, as a password manager user you may be worse off than if you’d stuck with common practices that security experts love to chasten users with as unsafe (I won’t list them all here … you know, things like using the same password over and over again, etc.). That’s because now, the attacker knows all of the sites that you frequent and the password for every one of them, all packaged in a single, convenient display. You’re done. Consumer-focused password managers are great for simplifying your life as a user while in one sense upping security and usability, because they easily enable you to set a unique and complex password for every individual website you visit. I use Dashlane myself and find it pretty satisfactory, but now have to worry about being keylogged. I can’t trust my antivirus 100 percent to pick that up. Password manager services will now have to get more sophisticated with their authentication processes: upgrades like multi-factor authentication, out-of-band messaging, transaction signing, and using behavioral analytics on the authentication transaction all come to mind. On the endpoint side, use of behavioral analytics on the anti-malware application could also help. Things could get pretty ugly in the meantime.

(via Peerlyst)

New Host Card Emulation white paper from Smart Card Alliance
The Smart Card Alliance has published a new white paper on HCE titled HCE 101, which does a good job of analyzing the security pros and cons of HCE vs. "traditional" NFC, and of generally explaining how HCE works. Well worth a read if you're following the progress of this disruptive technology, which I'm doing with a view to how it's changing the payments space.

via Smart Card Alliance

Locks, keys, and passwords have all seen their heyday
When I first started paying attention to smartphone-based locks, I was worried about them being hacked and their batteries going dead. Still am. I initially thought that we would still be defaulting to physical locks and keys for some time to come. But it turns out that those are compromised as well, with usable replicas of some of the most secure keys (so-called bump keys) now able to be 3D printed.

With passwords falling out of favor at the same time (for good reason), we're going to have to reinvent how we securely access things, both physical and virtual, in the future. Very interesting times are ahead for authentication and access management technology. I guess we'll end up with an electronic something or other with wearables, biometrics, device fingerprinting and data analytics somewhere in the mix, but I expect a good bit of trial, error, security incidents, and maybe a startup bubble between now and then. The key (as it were) will be to strike that magic and elusive balance between security, usability, speed, and cost.

via Wired

The short but dramatic history of critical infrastructure cyber incidents
A descriptive list of all documented (read: publicly disclosed) cyber incidents affecting critical infrastructure facilities to date appears in a new draft revision of NIST's Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82). It's a good read, and I've cut 'n' pasted the list from the report below. With only 14 incidents included, the list isn't long, but the business and public trust impact of each event is nontrivial. It's the best reminder I've seen of why we need to pay attention to CIP.

Incidents are divided into four categories: adversarial, accidental, structural, and environmental.

(Interestingly, the entry on Stuxnet is free of any detail. That might be because it's too politically sensitive for a US Federal government publication: it's well known that Stuxnet targeted nuclear facilities in Iran and is attributed to US and Israeli government action. It's considered by many, including me, to be the seminal critical infrastructure cyber event to date. If you're not familiar with Stuxnet, there's plenty of good media coverage about it -- for example here, and here).

Without further ado, the list:

Worcester Air Traffic Communications

In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switched telephone network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.

Maroochy Shire Sewage Spill

In the Spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with the local government, but was rejected. Over a two-month period, the disgruntled rejected employee reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.


In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours. In addition, the plant’s process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.

Zotob Worm

In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline for almost an hour, stranding workers as infected Microsoft Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan were knocked offline. While the worm affected primarily Windows 2000 systems, it also affected some early versions of Windows XP. Symptoms include the repeated shutdown and rebooting of a computer. Zotob and its variations caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft-maker Boeing, and several large US news organizations.

Stuxnet Worm

Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that specifically targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only specific SCADA systems that are configured to control and monitor specific industrial processes.

Brute Force Attacks on Internet-Facing Control Systems

On February 22, 2013 ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network. The forensic evidence contained 10 separate IPs and additional calls of a similar nature from additional natural gas pipeline asset owners, which yielded 39 additional IPs of concern. Log analysis showed a date range from January 16, 2013 but there have been no reports since March 8, 2013.

US Power Utility Compromised

In October 2012 a US power utility’s ICS was infected with the Mariposa virus when a 3rd-party technician used an infected USB drive to upload software to the systems. The virus resulted in downtime for the systems and delayed plant restart by approximately 3 weeks.

Intrusion in Energy Industry Vendor Systems

On September 26, 2012 a company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain.


Saudi Aramco, which is the world’s 8th largest oil refiner, experienced a malware attack that targeted their refineries and overwrote the attacked system’s Master Boot Records (MBR), partition tables and other random data files. This caused the systems to become unusable.

State Crime Lab Building Control System Accessed

In January 2012, the building control system of a state’s government crime lab was remotely accessed by a hacker. Evidence of the attack was posted as a YouTube video by a user with the name @antisec.

CSX Train Signaling System

In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the US. The virus infected the computer system at CSX Corp’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems. According to Amtrak spokesman Dan Stessel, ten Amtrak trains were affected in the morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals, and one regional Amtrak train from Richmond, Virginia to Washington and New York was delayed for more than two hours. Long-distance trains were also delayed between four and six hours.

Northeast Power Blackout

In August 2003, failure of the alarm processor in First Energy’s SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. Additionally, effective reliability oversight was prevented when the state estimator at the Midwest Independent System Operator failed due to incomplete information on topology changes, preventing contingency analysis. Several key 345 kV transmission lines in Northern Ohio tripped due to contact with trees. This eventually initiated cascading overloads of additional 345 kV and 138 kV lines, leading to an uncontrolled cascading failure of the grid. A total of 61,800 MW load was lost as 508 generating units at 265 power plants tripped.

Taum Sauk Water Storage Dam Failure

In December 2005, the Taum Sauk Water Storage Dam suffered a catastrophic failure releasing a billion gallons of water. The failure of the reservoir occurred as the reservoir was being filled to capacity or may have possibly been overtopped. The current working theory is that the reservoir's berm was overtopped when the routine nightly pump-back operation failed to cease when the reservoir was filled. According to the utility, the gauges at the dam read differently than the gauges at the Osage plant at the Lake of the Ozarks, which monitors and operates the Taum Sauk plant remotely. The stations are linked together using a network of microwave towers, and there are no operators on-site at Taum Sauk.

Bellingham, Washington Gasoline Pipeline Failure

In June 1999, 900,000 liters (237,000 gallons) of gasoline leaked from a 16” pipeline and ignited 1.5 hours later causing 3 deaths, 8 injuries, and extensive property damage. The pipeline failure was exacerbated by control systems not able to perform control and monitoring functions. “Immediately prior to and during the incident, the SCADA system exhibited poor performance that inhibited the pipeline controllers from seeing and reacting to the development of an abnormal pipeline operation.” A key recommendation from the NTSB report issued October 2002 was to utilize an off-line development and testing system for implementing and testing changes to the SCADA database.

The whole NIST document is worth a read if you're interested in cyber security of critical infrastructure. It's one of the definitive write-ups on this topic. Link here is to Revision 1, the latest official version. But the new draft, Revision 2, which is where I found the above incident list, is more interesting and relevant because it's updated to cover the current threat landscape. NIST was accepting public comments on Revision 2 until 18th July 2014, so I assume the final version is in the works and will be out soon. I'll plan to post the link here once it's published.

IoT security state of play: can we learn from history?

Originally posted on Peerlyst on 24th August 2014

In mid-2014 as Peerlyst gets off the ground, one of the biggest challenges facing the security profession is how to secure the Internet of Things. The phenomenon that’s automating everything from artificial dust motes to container ships is about to move into explosive growth mode, if that isn’t already the case. It’s great news for entrepreneurs and the global economy, but for security types this gigantic silver cloud has a distinctly dark lining. That’s because the IoT, with 40 billion devices projected to have IP addresses by 2020, is exponentially growing our attack surface. At the same time, the general level of IoT security is somewhere on a scale between embarrassing and zero. Exceptions apply, of course; the topic is now on the agenda at RSA, Black Hat, and DEF CON, and even the biggest security vendors are starting to pay attention. That’s all positive – but in terms of actual, tested and auditable security controls for IoT systems which are either implemented or on the planning horizon – we’re really looking at very little.

If we take off our white hats for a second and peer into the mysterious world of business, it’s not too hard to see why things are this way. Unless you’re someone with a keen, security-focused mind (which I expect that you are since you’re reading this), it’s more likely than not that as someone who’s bringing cutting-edge products to market, you don’t give a high priority to security until the day you get hit. That’s just human nature, and it’s also history. Think about how the mobile commerce security landscape evolved: technology first, then hypothetical threats, then credible threats, then security response. Or desktop-based e-commerce before that. The same exact thing happened.

To cite just one current example of history repeating, industrial control systems were never designed to be put on the Internet. As stand-alone systems, they were at least secure by obscurity. When they started being merged into the cyber universe, the driver was business efficiency – enterprise users’ ability to monitor their factory’s hydraulic pumps from the comfort of their own bedrooms. Nobody, including Iranian nuclear engineers, gave a thought to threats like Stuxnet, son of Stuxnet, and grandson of Stuxnet. But I bet you that now, Iran has one of the best SCADA security programs on the planet. That’s just how it always goes.

With that in mind, here’s how I think security of the IoT will play out:

Phase 1 (the past 4-5 years): IoT products and systems are brought to market with minimal security built in. All eyes (except for the keen, security focused ones) are on innovation, financial upside, and the wow factor. An incident happens here and there, but hey, cyber attacks only happen to other people. It’s quickly forgotten and Industry goes back to building the dream.

Phase 2 (where we are today): IoT deployments pick up steam. More security experts point out the risk. Researchers find exploits and show them off at DEF CON. Specialized security products are introduced, and standards groups start to form. But they’re mostly preaching to the choir, and we still haven’t seen any catastrophic cyber event in the IoT world.

Phase 3 (the next few years): IoT is now mainstream, and the inevitable wakeup call happens. Great-grandson of Stuxnet (wielded by great-grandson of Al Qaeda) takes out a power plant, derails a high-speed train, or makes some chemical factory explode. This will happen in Europe, North America, or some other developed part of the world. Now Industry wants security, and it wants it now. If you’re a security professional and have invested in acquiring skills related to IoT protection (SCADA/ICS and sensor network security, real time threat intelligence, etc.), this is when you’ll find yourself … busy.

Phase 4: “Security” will step up to the situation, and at some point it might reach equilibrium and we’ll have a “secure enough” IoT. Or, it might not and we’ll continue living in a world of perpetual cat and mouse like we are today with retailer data breaches. I don’t want to try to predict that far ahead (but please feel free to do so yourself in the Comments, if you have a take on it).

My point is, as Sting once put it, history will teach us nothing.