Citadel trojans are targeting popular password manager services

Recent news on Citadel trojans being used to capture master passwords from password manager services like LastPass, RoboForm and Dashlane is a reminder that the SSO (single sign-on) technology these services use has an Achilles heel: a single point of failure. Master passwords are like the keys to the kingdom: if they're compromised, so is everything else behind them. If that happens, as a password manager user you may be worse off than if you'd stuck with the common practices that security experts love to chasten users for as unsafe (I won't list them all here ... you know, things like using the same password over and over again, etc.). That's because now the attacker knows every site you frequent and the password for each one of them, all packaged in a single, convenient display. You're done. Consumer-focused password managers are great for simplifying your life as a user while, in one sense, improving both security and usability, because they make it easy to set a unique and complex password for every individual website you visit. I use Dashlane myself and find it pretty satisfactory, but now I have to worry about being keylogged, and I can't trust my antivirus 100 percent to pick that up. Password manager services will now have to get more sophisticated with their authentication processes: upgrades like multi-factor authentication, out-of-band messaging, transaction signing, and behavioral analytics on the authentication transaction all come to mind. On the endpoint side, behavioral analytics in the anti-malware application could also help. Things could get pretty ugly in the meantime.

(via Peerlyst)

The short but dramatic history of critical infrastructure cyber incidents

A descriptive list of all documented (read: publicly disclosed) cyber incidents affecting critical infrastructure facilities to date appears in a new draft revision of NIST's Guide to Industrial Control Systems (ICS) Security (Special Publication 800-82). It's a good read, and I've cut 'n' pasted the list from the report here below. With only 14 incidents included, the list isn't long, but the business and public trust impact of each event is nontrivial. It's the best reminder I've seen of why we need to pay attention to CIP.

Incidents are divided into four categories: adversarial, accidental, structural, and environmental.

(Interestingly, the entry on Stuxnet is free of any detail. That might be because it's too politically sensitive for a US Federal government publication: it's well known that Stuxnet targeted nuclear facilities in Iran and is attributed to US and Israeli government action. It's considered by many, including me, to be the seminal critical infrastructure cyber event to date. If you're not familiar with Stuxnet, there's plenty of good media coverage about it -- for example here, and here).

Without further ado, the list:


Worcester Air Traffic Communications

In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switched telephone network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.

Maroochy Shire Sewage Spill

In the Spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with the local government, but was rejected. Over a two-month period, the disgruntled rejected employee reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.

Davis-Besse Nuclear Power Plant

In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours. In addition, the plant's process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked.

Zotob Worm

In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline for almost an hour, stranding workers as infected Microsoft Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan were knocked offline. While the worm affected primarily Windows 2000 systems, it also affected some early versions of Windows XP. Symptoms include the repeated shutdown and rebooting of a computer. Zotob and its variations caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft-maker Boeing, and several large US news organizations.

Stuxnet Worm

Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that specifically targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only specific SCADA systems that are configured to control and monitor specific industrial processes.

Brute Force Attacks on Internet-Facing Control Systems

On February 22, 2013, ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network. The forensic evidence contained 10 separate IPs, and additional calls of a similar nature from other natural gas pipeline asset owners yielded 39 additional IPs of concern. Log analysis showed a date range starting from January 16, 2013, but there have been no reports since March 8, 2013.

US Power Utility Compromised

In October 2012, a US power utility's ICS was infected with the Mariposa virus when a 3rd-party technician used an infected USB drive to upload software to the systems. The virus resulted in downtime for the systems and delayed plant restart by approximately 3 weeks.

Intrusion in Energy Industry Vendor Systems

On September 26, 2012 a company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada, and Spain.

Saudi Aramco Malware Attack

Saudi Aramco, which is the world's 8th largest oil refiner, experienced a malware attack that targeted their refineries and overwrote the attacked systems' Master Boot Records (MBR), partition tables and other random data files. This caused the systems to become unusable.

State Crime Lab Building Control System Accessed

In January 2012, the building control system of a state’s government crime lab was remotely accessed by a hacker. Evidence of the attack was posted as a YouTube video by a user with the name @antisec.

CSX Train Signaling System

In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the US. The virus infected the computer system at CSX Corp’s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems. According to Amtrak spokesman Dan Stessel, ten Amtrak trains were affected in the morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals, and one regional Amtrak train from Richmond, Virginia to Washington and New York was delayed for more than two hours. Long-distance trains were also delayed between four and six hours.

Northeast Power Blackout

In August 2003, failure of the alarm processor in First Energy's SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. Additionally, effective reliability oversight was prevented when the state estimator at the Midwest Independent System Operator failed due to incomplete information on topology changes, preventing contingency analysis. Several key 345 kV transmission lines in Northern Ohio tripped due to contact with trees. This eventually initiated cascading overloads of additional 345 kV and 138 kV lines, leading to an uncontrolled cascading failure of the grid. A total of 61,800 MW of load was lost as 508 generating units at 265 power plants tripped.

Taum Sauk Water Storage Dam Failure

In December 2005, the Taum Sauk Water Storage Dam suffered a catastrophic failure releasing a billion gallons of water. The failure of the reservoir occurred as the reservoir was being filled to capacity or may have possibly been overtopped. The current working theory is that the reservoir's berm was overtopped when the routine nightly pump-back operation failed to cease when the reservoir was filled. According to the utility, the gauges at the dam read differently than the gauges at the Osage plant at the Lake of the Ozarks, which monitors and operates the Taum Sauk plant remotely. The stations are linked together using a network of microwave towers, and there are no operators on-site at Taum Sauk.

Bellingham, Washington Gasoline Pipeline Failure

In June 1999, 900,000 liters (237,000 gallons) of gasoline leaked from a 16” pipeline and ignited 1.5 hours later causing 3 deaths, 8 injuries, and extensive property damage. The pipeline failure was exacerbated by control systems not able to perform control and monitoring functions. “Immediately prior to and during the incident, the SCADA system exhibited poor performance that inhibited the pipeline controllers from seeing and reacting to the development of an abnormal pipeline operation.” A key recommendation from the NTSB report issued October 2002 was to utilize an off-line development and testing system for implementing and testing changes to the SCADA database.

The whole NIST document is worth a read if you're interested in cyber security of critical infrastructure. It's one of the definitive write-ups on this topic. Link here is to Revision 1, the latest official version. But the new draft, Revision 2, which is where I found the above incident list, is more interesting and relevant because it's updated to cover the current threat landscape. NIST was accepting public comments on Revision 2 until 18th July 2014, so I assume the final version is in the works and will be out soon. I'll plan to post the link here once it's published.

The drone downers: taste of things to come

The day after I blogged about how people are going to be out there shooting down drones before long, Motherboard published a piece about a new ad campaign for a shotgun suppressor, marketed by Utah company SilencerCo. The campaign features none other than Johnny Dronehunter, Defender of Privacy, as its main protagonist. While fictitious, the fact that SilencerCo chose to use this theme is a revealing reflection of American attitudes about privacy, and the perceived threat that emerging surveillance technology poses to it. Here's the video trailer featuring Johnny:


Motherboard had reported earlier on Gnat Warfare, an Arizona company that lets people shoot at drones on a roving gun range, for $4,000 a pop. More expensive than clay pigeon shooting, but looks like more fun.

In addition to good old fashioned gun violence, there will also be cyber attacks directed against drones, like the one that Iran claimed it used to down a US surveillance UAV in 2011. The US asserted that the cyber attribution was a bluff, but who really knows? In any case, operators of surveillance drones (may they use them wisely) will need to protect them against both physical and cyber threats. Actually, it doesn't really matter what benevolent or nefarious purpose the drone is being used for, or whether the operators are military or civilian. They'll still be dealing with the same basic set of threats. Journalists, amateur photographers, and would all do well to give this due consideration.

(via Motherboard)

Autonomous taser drones. EMP drones.

A Texas company, Chaotic Moon, has come up with a self-piloting drone that can deliver taser attacks. It's aptly named Cupid. Future versions of this technology, which the company is said to already be working on, will pack pepper spray and EMP guns. I can imagine all kinds of other onboard weapons on these things: lasers, gatling guns, poison darts, tear gas, etc.


I think a lot of small drones are going to get shot down, especially the weaponized ones. Folks targeted by stunner drones aren't exactly going to welcome them with open arms. Drones will need ways to protect themselves, otherwise people are just going to take them out, wholesale. So I think they'll eventually have self-defense capabilities, either built-in or in the form of separate robots (or humans) that provide backup. No idea what that will look like ... maybe onboard motion detectors along with facial recognition and a predictive algorithm that senses when someone is pointing a weapon at the drone, and pre-emptively zaps them.