Some infosec stories that have been keeping security lead Ian Trump awake at night… this month’s theme is mostly around planes, trains and automobiles.
Is it getting better, or is it getting worse? This is the question I will try to answer as I survey the absolute carnage of the information security industry on a monthly basis.
This month’s exploration highlighted some cause for concern in the travel sector and thus a broad theme of Planes, Trains and Automobiles emerged. I've also added a little bit of coverage on the harsh advice for retailers that are slow in rolling out chip and pin, as well as a little note about my favorite cyber punch-bag, Adobe Flash.
Part of the US Federal Aviation Administration (FAA) network was infected with malware earlier this year. Rather than being disclosed upfront, the incident came to light as part of the due-diligence process for a contract. The language chosen is remarkably vague: "Due to a recent cyber attack, the FAA requires additional planning time to determine the impact to the competitive procurement's requirements." It’s very possible this is fallout from an Iranian cyber attack known as "Operation Cleaver" that took control of airports in three different countries and compromised more than 50 organizations across more than a dozen countries, including the United States.
I tend to try and save my credit card for real emergencies when traveling. Real emergencies do not include luggage fees and food while traveling. For these, I try to pay cash. Many airports and some airlines are trying to go cash free; especially United, which seems not to trust its employees with any sort of money and requires a complicated process to pay baggage fees by laundering cash into a payment card. It’s no wonder researchers investigating the cyber criminals using the NewPosThings point-of-sale malware identified command and control connections to IP addresses linked to airports. You have a zero percent chance of fraudulent credit card transactions if you try not to use a credit card.
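For a defender, the airport-linked C2 finding above is a watchlist-matching problem: which of my hosts talked to known command-and-control infrastructure, and did any point-of-sale terminal talk to something it never should? The following Python is an added illustration of that check, not code from the article or from the researchers cited. The log format, host names, indicator addresses (all from the RFC 5737 documentation ranges) and log lines are constructed for the example; they are not real NewPosThings infrastructure.

```python
"""Added example (not from the original article): flag outbound connections
from point-of-sale hosts to command-and-control indicators.

Everything below (log format, host names, indicator and allowlist addresses,
sample lines) is constructed for illustration only."""
import ipaddress
from collections import defaultdict

# Constructed indicator list: individual C2 addresses and a whole range.
C2_INDICATORS = ["203.0.113.77", "198.51.100.0/24"]

# Constructed allowlist of destinations a PoS terminal legitimately talks to
# (payment processor, patch server). Anything else from a PoS host deserves a look.
POS_ALLOWLIST = ["192.0.2.0/24"]

# Constructed firewall records in a simple key=value format.
SAMPLE_LOGS = """\
2015-04-02T09:13:05Z host=pos-reg-01 src=10.10.5.21 dst=192.0.2.10 dport=443 action=allow
2015-04-02T09:13:09Z host=pos-reg-01 src=10.10.5.21 dst=203.0.113.77 dport=8080 action=allow
2015-04-02T09:14:00Z host=pos-reg-02 src=10.10.5.22 dst=198.51.100.42 dport=443 action=allow
2015-04-02T09:14:31Z host=bo-pc-07 src=10.10.9.7 dst=203.0.113.150 dport=443 action=allow
2015-04-02T09:15:12Z host=pos-reg-02 src=10.10.5.22 dst=192.0.2.10 dport=443 action=allow
2015-04-02T09:16:40Z host=pos-reg-03 src=10.10.5.23 dst=203.0.113.200 dport=53 action=allow
"""


def _networks(entries):
    """Turn a mixed list of single IPs and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Parse one constructed 'key=value' firewall line into a dict."""
    fields = line.split()
    record = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    record["dst_ip"] = ipaddress.ip_address(record["dst"])
    return record


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    return any(ip in net for net in networks)


def find_suspect_connections(log_text, c2=C2_INDICATORS, allow=POS_ALLOWLIST):
    """Return (host, dst, reason) tuples for connections worth investigating.

    Two checks: the destination matches a C2 indicator (any host), or a PoS
    host (name prefix 'pos-') reached a destination outside its allowlist."""
    c2_nets = _networks(c2)
    allow_nets = _networks(allow)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        ip = rec["dst_ip"]
        if in_any(ip, c2_nets):
            findings.append((rec["host"], rec["dst"], "matches C2 indicator"))
        elif rec["host"].startswith("pos-") and not in_any(ip, allow_nets):
            findings.append((rec["host"], rec["dst"], "PoS host outside allowlist"))
    return findings


def summarize(findings):
    """Group findings by host so an analyst sees one entry per affected machine."""
    by_host = defaultdict(list)
    for host, dst, reason in findings:
        by_host[host].append((dst, reason))
    return dict(by_host)


if __name__ == "__main__":
    for host, hits in summarize(find_suspect_connections(SAMPLE_LOGS)).items():
        print(host)
        for dst, reason in hits:
            print(f"  {dst:<16} {reason}")
```

The allowlist check matters as much as the indicator match: a PoS terminal has a very small legitimate set of destinations, so an unknown one is a useful signal even before anyone has published an indicator for it.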
Of course, this month’s coverage of Planes would not be complete without a mention of Chris Roberts of One World Labs, who tweeted a joke about plane security and was then detained by the FBI for several hours after that flight landed. Three days later, Chris Roberts was prevented from boarding a United Airlines flight from Denver to San Francisco.
A lawyer from the Electronic Frontier Foundation (EFF) remarked that, as a member of the security research community, Roberts's job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA to speak about security vulnerabilities in a talk called 'Security Hopscotch' when he was attempting to board the United flight.
There is no doubt in my mind Chris exercised poor judgment in joking about flight safety while in mid-flight, but he was probably frustrated at having warned the airline industry for years about the vulnerabilities in their systems. As a result of this cyber-mediagasm, the FBI officially warned airlines to “be aware of unusual computer activity on planes.”
It’s no surprise that security researchers discussing the introduction of the European Rail Traffic Management System (ERTMS) suggest it could be vulnerable to being hacked, hijacked and crashed. The system is designed to replace aging signal lights, using computers to transmit critical information live from the tracks. Let’s hope we balance reasonable cyber security controls with the physical threat posed by squirrel attacks, such as this one documented on the 1st of April in Santa Clara, CA. A power outage, which affected 5,420 customers, was reported shortly before 6:30 p.m., according to the local power utility. A squirrel had wiggled its way into a transformer at a substation and caused the power outage. The squirrel was killed as a result of this unauthorised penetration test. Props to attrition.org.
The original gangsters of car hacking, Charlie Miller and Chris Valasek, are back at Black Hat discussing automotive security (or the lack thereof). They state: “The ambiguous nature of automotive security leads to narratives that are polar opposites: either we're all going to die or our cars are perfectly safe.” In what will prove to be both a sensational and exciting demonstration, Charlie and Chris will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle.
On October 1, 2015, liability for payment card fraud will shift from card companies to retailers, if the retailers have not upgraded their terminals to accept chip-based payment cards. Alan Paller, founder and research director of the SANS Institute, comments: “The credit card companies earn about $0.75 for each fraudulent transaction. My estimate is that it adds up to $75 million each year. The cost of the fraud falls on the merchants who not only do not get paid for the goods they ship but also have to pay the credit card companies.” Clearly there is a growing opinion that credit card companies may actually be somewhat responsible for credit card fraud.
FireEye Labs recently detected a series of attacks called “Operation Russian Doll” that exploited zero-day vulnerabilities in Adobe Flash and a brand-new vulnerability in Microsoft Windows. The solid research of the FireEye team assesses that APT28 is probably responsible for this activity. While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will mitigate the risk. Increasingly, the business case for Adobe Flash is suspect. There is a 0% chance of infection from an Adobe Flash zero day if you don’t have Adobe Flash installed – why make cyber-crime easier?