Software can affect the performance of hardware. Under the right (or wrong) circumstances, malware can cause the hardware to become physically damaged – as the cyberattack on Iran’s centrifuges proved in 2010, and as an errant coin-mining malware is demonstrating right now. Will intentional or unintentional damage to IoT devices be next?

Back in late 2009 and early 2010, a computer worm labeled Stuxnet targeted the centrifuges used by Iran to refine low-grade nuclear material into weapons-class materials. The Stuxnet worm, which affected more than 200,000 machines, was estimated to physically damage 1,000 centrifuges.

How did it work? The Stuxnet virus checked to see if it was running on the right type of machine (i.e., a centrifuge of the specific type used by Iran), and if so, says Wikipedia:

The worm worked by first causing an infected Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutes before returning to its normal frequency. Twenty-seven days later, the worm went back into action, slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes. The stresses from the excessive, then slower, speeds caused the aluminum centrifugal tubes to expand, often forcing parts of the centrifuges into sufficient contact with each other to destroy the machine.

From centrifuges to coin mining

The Stuxnet attacks were subtle, specific, and intentional. By contrast, the Loapi malware, which appeared in December 2017, appears to cause its damage inadvertently. Loapi, discovered by Kaspersky Labs, installs itself on Android devices using administrator privileges, and then does several nasty things, including displaying ads, acting as a zombie for distributed denial-of-service (DDoS) attacks, and mining Monero crypto-coin tokens.

The problem is that Loapi is a little too enthusiastic. When mining coins, Loapi works so hard that the phone overheats – and cooks the device. Whoops. Says Neowin.net:

In its test, the firm found that after just two days, the constant load from mining caused its test phone’s battery to bulge, which also deformed the phone’s outer shell. This last detail is quite alarming, as it has the potential to cause serious physical harm to affected handset owners.

Damaging the Internet of Things

If malware gets onto an IoT device… who knows what it could do? Depending on the processor, memory, and network connectivity, some IoT devices could be turned into effective DDoS zombies or digital coin miners. Network security cameras have already been infected by spyware, so why not zombieware or miningware? This could be a significant threat for plug-in devices that are not monitored closely, and which contain considerable CPU power. Imagine a point-of-sale kiosk that also mined Bitcoin.

Loapi shows that the possibility of damage is real. Malware could damage a device inadvertently, perhaps by messing up the firmware and bricking the machine, or by overloading the processor and memory to the point where the on-board cooling can no longer keep up.

Then there’s the potential for intentional damage to IoT devices, either on a large scale or targeting a specific organization. This could be leveraged for extortion by criminal gangs, or for the destruction of public infrastructure or private enterprise by cyberterrorists or state-sponsored actors. If the creators of Stuxnet could damage centrifuges nearly a decade ago, it’s a sure bet that researchers are working on other attacks of that sort. It’s a sobering thought.

Man-in-the-Middle (MITM or MitM) attacks are about to become famous. Famous, in the way that ransomware, Petya, Distributed Denial of Service (DDoS), and credit-card skimmers have become well-known.

MITM attacks go back thousands of years. A merchant writes a parchment offering to buy spices, and hands it to a courier to deliver to his supplier in a far-away land. The local courier hands the parchment to another courier, who in turn hands it to another courier, and so on, until the final courier gives the parchment to the supplier. Unbeknownst to anyone, however, one of the couriers was a swindler who might change the parchment to set up a fraud, or who might sell details of the merchant’s purchase offer to a competitor, who could then negotiate a better deal.

In modern times, MITM takes advantage of a weakness in the use of cryptography. Are you completely sure whom you’ve set up that encrypted end-to-end messaging session with? Perhaps it’s your bank… or perhaps it’s a scammer, who to you looks like your bank – but to your bank, looks like you. Everyone thinks that it’s a secure communications link, but the man-in-the-middle sees everything, and might be able to change things too.

According to Wikipedia,

In cryptography and computer security, a man-in-the-middle attack (MITM; also Janus attack) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

We haven’t heard much about MITM attacks, because, quite frankly, they’ve not been in the news associated with breaches. That changed recently, when Fox-IT, a cybersecurity firm in Holland, was nailed with one. Writing on their blog on Dec. 14, 2017, the company said:

In the early morning of September 19 2017, an attacker accessed the DNS records for the Fox-IT.com domain at our third party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in their possession and to intercept and forward the traffic to the original server that belongs to Fox-IT. This type of attack is called a Man-in-the-Middle (MitM) attack. The attack was specifically aimed at ClientPortal, Fox-IT’s document exchange web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker’s goal was to carry out a sustained MitM attack.

The company pointed to several weaknesses in their security setup that allowed the attack to succeed. The DNS provider’s password hadn’t been changed since 2013; two-factor authentication (2FA) wasn’t used or even supported by the DNS provider; and heavier-than-usual scans from the Internet, while detected by Fox-IT, weren’t flagged for investigation or even extra vigilance.

How To Prevent MITM Attacks

After a timeline discussion and more technical analysis, Fox-IT offered suggestions on how to handle such incidents, and I quote:

  • Choose a DNS provider that doesn’t allow changes through a control panel but requires a more manual process, considering that name servers are very stable and hardly ever change. If you do require more frequent changes, use 2FA.
  • Ensure that all system access passwords are reviewed regularly and changed, even those which are used rarely.
  • Deploy certificate transparency monitoring in order to detect, track and respond to fraudulent certificates.
  • Deploy full packet capture capabilities with good retention in crucial points of your infrastructure, such as the DMZ and border gateways.
  • Always inform Law Enforcement at an early stage, so that they can help you with your investigations, as we did in our case.
  • Make it a management decision to first understand an attack before taking specific actions to mitigate it. This may include letting an attack continue for a short period of time. We consciously made that decision.
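The certificate transparency monitoring recommended above, as an added example that is not Fox-IT’s code: it scans CT log entries for certificates that name a monitored domain and flags any issued by a CA outside the organization’s allow-list, or for a hostname the organization does not operate. The records are constructed sample data in the shape of crt.sh’s JSON output (id, issuer_name, name_value); the domain, hostnames and CA names are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Alert:
    cert_id: int
    name: str
    issuer_org: str
    reason: str


def issuer_org(issuer_dn: str) -> str:
    """Return the O= (organisation) attribute of an issuer DN such as
    'C=US, O=Example CA, CN=Example Issuing CA 1', or '' if absent."""
    for part in issuer_dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return ""


def in_zone(name: str, domain: str) -> bool:
    """True if a certificate name (wildcards included) falls under domain."""
    bare = name.lower()
    if bare.startswith("*."):
        bare = bare[2:]
    return bare == domain or bare.endswith("." + domain)


def find_suspicious_certs(entries: Iterable[Dict], domain: str,
                          trusted_orgs: Set[str], known_names: Set[str]) -> List[Alert]:
    """One Alert per (certificate, name) pair that violates policy: the
    issuer is not on the allow-list, or the name is in our zone but is not
    a host we operate. Certificates outside the zone are ignored."""
    domain = domain.lower()
    known = {n.lower() for n in known_names}
    alerts: List[Alert] = []
    for entry in entries:
        # crt.sh lists every SAN of the certificate on its own line.
        names = {n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()}
        ours = sorted(n for n in names if in_zone(n, domain))
        if not ours:
            continue
        org = issuer_org(entry["issuer_name"])
        for name in ours:
            if org not in trusted_orgs:
                alerts.append(Alert(entry["id"], name, org, "issuer not in allow-list"))
            elif name not in known:
                alerts.append(Alert(entry["id"], name, org, "name not operated by us"))
    return alerts


# Constructed sample CT entries (placeholder names, not real log data).
SAMPLE_ENTRIES = [
    {"id": 101, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "name_value": "www.example.com\nexample.com"},
    {"id": 102, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "name_value": "portal.example.com"},
    # Trusted CA, but a hostname the organisation never requested.
    {"id": 103, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA 1",
     "name_value": "vpn.example.com"},
    # A wildcard for our zone from a CA we have never used.
    {"id": 104, "issuer_name": "C=XX, O=Other Free CA, CN=Other Free CA X1",
     "name_value": "*.example.com"},
    # Unrelated certificate whose name merely ends in our domain's letters.
    {"id": 105, "issuer_name": "C=XX, O=Other Free CA, CN=Other Free CA X1",
     "name_value": "notexample.com"},
]

POLICY = {"domain": "example.com", "trusted_orgs": {"Example CA"},
          "known_names": {"example.com", "www.example.com", "portal.example.com"}}


def run_monitor() -> List[Alert]:
    return find_suspicious_certs(SAMPLE_ENTRIES, POLICY["domain"],
                                 POLICY["trusted_orgs"], POLICY["known_names"])


if __name__ == "__main__":
    for a in run_monitor():
        print(f"cert {a.cert_id}: {a.name} issued by {a.issuer_org!r}: {a.reason}")
```

In production the entries would come from a CT log or aggregator feed rather than an inline list, and each alert would be checked against the organization’s own certificate requests before being escalated.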

It’s a shame about Fox-IT’s breach, but the company responded correctly and promptly once the breach was detected. This is the first serious instance of a successful MITM attack I’ve heard about in some time – but probably won’t be the last.

Agility – the ability to deliver projects quickly. That applies to new projects, as well as updates to existing projects. The agile software movement began when many smart people became frustrated with the classic model of development, where first the organization went through a complex process to develop requirements (which took months or years), and wrote software to address those requirements (which took months or years, or maybe never finished). By then, not only did the organization miss out on many opportunities, but perhaps the requirements were no longer valid – if they ever were.

With agile methodologies, the goal is to build software (or accomplish some complex task or action) in small incremental iterations. Each iteration delivers some immediate value, and after each iteration there is an evaluation of how well those who requested the project (the stakeholders) are satisfied, and what they want to do next. No laborious up-front requirements. No years of investment before there is any return on that investment.

One of the best-known agile frameworks is Scrum, developed by Jeff Sutherland and Ken Schwaber in the early 1990s. In my view, Scrum is noteworthy for several innovations, including:

  • The Scrum framework is simple enough for everyone involved to understand.
  • The Scrum framework is not a product.
  • Scrum itself is not tied to a specific vendor’s project-management tools.
  • Work is performed in two-week increments, called Sprints.
  • Every day there is a brief meeting called a Daily Scrum.
  • Development is iterative, incremental, and outcomes are predictable.
  • The work must be transparent, as much as possible, to everyone involved.
  • The roles of participants in the project are defined extremely clearly.
  • The relationship between people in the various roles is also clearly defined.
  • A key participant is the Scrum Master, who helps everyone maximize the value of the team and the project.
  • There is a clear, unambiguous definition of what “Done” means for every action item.

Scrum itself is refined every year or two by Sutherland and Schwaber. The most recent version (if you can call it a version) is Scrum 2017; before that, it was revised in 2016 and 2013. While there aren’t that many significant changes from the original vision unveiled in 1995, here are three recent changes that, in my view, make Scrum better than ever – enough that it might be called Scrum 2.0. Well, maybe Scrum 1.5. You decide:

  1. The latest version acknowledges more clearly that Scrum, like other agile methodologies, is used for all sorts of projects, not merely creating or enhancing software. While the Scrum Guide is still development-focused, Scrum can be used for market research, product development, developing cloud services, and even managing schools and governments.
  2. The Daily Scrum will be more focused on exploring how well the work is driving toward the goals planned for the biweekly Sprint Goal. For example – what work will be done today to drive to the goal? What impediments are likely to prevent us from meeting the goal? (Previously, the Daily Scrum was often viewed as a glorified status report meeting.)
  3. Scrum has a set of values, and those are now spelled out: “When the values of commitment, courage, focus, openness and respect are embodied and lived by the Scrum Team, the Scrum pillars of transparency, inspection, and adaptation come to life and build trust for everyone. The Scrum Team members learn and explore those values as they work with the Scrum events, roles and artifacts. Successful use of Scrum depends on people becoming more proficient in living these five values… Scrum Team members respect each other to be capable, independent people.”

The word “agile” is thrown around too often in business and technology, covering everything from planning a business acquisition to planning a network upgrade. Scrum is one of the best-known agile methodologies, and the framework is very well suited for all sorts of projects where it’s not feasible to determine a full set of requirements up front, and there’s a need to immediately begin delivering some functionality (or accomplish parts of the tasks). That Scrum continues to evolve will help ensure its value in the coming years… and decades.

Criminals steal money from banks. Nothing new there: As Willie Sutton famously said, “I rob banks because that’s where the money is.”

Criminals steal money from other places too. While many cybercriminals target banks, the reality is that there are better places to steal money, or at least, steal information that can be used to steal money. That’s because banks are generally well-protected – and gas stations, convenience stores, smaller on-line retailers, and even payment processors are likely to have inadequate defenses – or make stupid mistakes that aren’t caught by security professionals.

Take TIO Networks, a bill-payment service purchased by PayPal for US$233 in July 2017. TIO processed more than $7 billion in bill payments last year, serving more than 10,000 vendors and 16 million consumers.

Hackers now know critical information about all 16 million TIO customers. According to Paymts.com, “… the data that may have been impacted included names, addresses, bank account details, Social Security numbers and login information. How much of those details fell into the hands of cybercriminals depends on how many of TIO’s services the consumers used.”

PayPal has said,

“The ongoing investigation has uncovered evidence of unauthorized access to TIO’s network, including locations that stored personal information of some of TIO’s customers and customers of TIO billers. TIO has begun working with the companies it services to notify potentially affected individuals. We are working with a consumer credit reporting agency to provide free credit monitoring memberships. Individuals who are affected will be contacted directly and receive instructions to sign up for monitoring.”

Card Skimmers and EMV Chips

Another common place where money changes hands: The point-of-purchase device. Consider payment-card skimmers – that is, a hardware device secretly installed into a retail location’s card reader, often at an unattended location like a gasoline pump.

The amount of fraud caused by skimmers copying information on payment cards is expected to rise from $3.1 billion in 2015 to $6.4 billion in 2018, affecting about 16 million cardholders. Those are for payment cards that don’t have the integrated EMV chip, or for transactions that don’t use the EMV system.

EMV chips, also known as chip-and-PIN or chip-and-signature, are named for the three companies behind the technology standards – Europay, MasterCard, and Visa. Chip technology, which is seen as a nuisance by consumers, has dramatically reduced the amount of fraud by generating a unique, non-repeatable transaction code for each purchase.

The rollout of EMV, especially in the United States, is painfully slow. Many merchants still haven’t upgraded to the new card-reader devices or back-end financial services to handle those transactions. For example, there are very few fuel stations using chips to validate transactions, and so pay-at-the-pump in the U.S. is still universally dependent on the mag stripe reader. That presents numerous opportunities for thieves to install skimmers on that stripe reader and steal payment card information.

For an excellent, well-illustrated primer on skimmers and skimmer-related fraud at gas stations, see “As gas station skimmer card fraud increases, here’s how to cut your risk.” Theft at the point of purchase, or at payment processors, will continue as long as companies fail to execute solid security practices – and continue to accept non-EMV payment card transactions, including allowing customers to type their credit- or debit-card numbers into websites. Both are threats for the foreseeable future, especially since desktops, notebooks, and mobile devices don’t have built-in EMV chip readers.

Crooks are clever, and are everywhere. They always have been. Money theft and fraud aren’t going away any time soon – no matter how secure the banks are.

Law enforcement officials play a vital role tracking down and neutralizing cyber criminals. Theirs is a complex, often thankless, mission. Here are some insights shared by two current, and one former, high-level officials from U.S. law enforcement, who spoke at the NetEvents Global Press & Analyst Summit, in San Jose, Calif., in late September.

Based in San Francisco, M.K. Palmore is a senior manager for the Federal Bureau of Investigation’s Cyber Branch. As an FBI Security Risk Management Executive, Palmore leads teams that help identify threat actors, define attribution and carry out arrests.

Palmore says financially-motivated threat actors account for much of the current level of malicious cyber activity. Nation-state sponsored hackers, ideologically-motivated hacktivists, and insider intruders also are causing significant damage and disruption.

“We’re talking about a global landscape, and the barrier to entry for most financially-motivated cyber-threat actors is extremely low,” Palmore says. “In terms of who is on the other end of the keyboard, we’re typically talking about mostly male threat actors, between the ages of, say, 14 and 32 years

Dr. Ronald Layton is Deputy Assistant Director of the U.S. Secret Service. Layton observes that the technological sophistication and capabilities of threat actors has increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago,” Layton says. “Sophistication has gone up exponentially.”

The rapid escalation of ransomware is a telling marker, Layton says; ransomware rose from the 22nd most popular crime-ware application in 2014, to number five in 2017. Says Layton: “In 2014, the bad guys would say, ‘I’m going to encrypt your file unless you pay me X amount of dollars in Bitcoin.’ End-users got smarter, and just said, ‘Well, I’m going to back my systems up.’ Now ransomware concentrates on partial or full hard-disk encryption, so backup doesn’t help as much. Sophistication by the threat actors has gone up, and the ability to more quickly adjust, on both sides, quite frankly, has gone up.”

Read more – and watch the video – in “Law enforcement’s view of cyber criminals — and what it takes to stop them,” published on The Last Watchdog.

Isn’t this rich? I get these occasionally and they always elicit a chuckle, especially when they refer to “mafias.” Don’t reply to these emails. Delete them instead.

From: “Mrs. CYNDY BANKSl”

Date: December 4, 2017 at 5:57:15 AM MST

Subject: YOU ARE ADVISED TO STOP CONTACTING THEM!!!


Great News, YOU ARE ADVISED TO STOP CONTACTING THEM!!!

I am Mrs. CYNDY BANKS, I am a US citizen, 42 years Old. I reside here in Spring City, Pennsylvania. My residential address is as follows. 3663 Schuylkill Rd# 1, Spring City, Pennsylvania, United States, am thinking of relocating since I am now rich. I am one of those that took part in the Compensation in Troy Illinois many years ago and they refused to pay me, I had paid over $52,000 while in the United States trying to get my payment all to no avail.

I decided to travel down to Troy Illinois with all my compensation documents and i was directed to meet Mr.James Richard he is among the member of the COMPENSATION AWARD COMMITTEE, I contacted him and he explained everything to me. He said whoever is contacting us through emails are fake because the Inheritance/Compensation Law clearly states that the beneficiary/recipient is exempt from paying any out of pocket fees or charges to receive said funds.

Mr.James Richard took me to the paying bank for the claim of my Compensation payment. Right now I am the happiest woman on earth because I have received my compensation funds of $9,500,000.00 (nine million five hundred thousand dollars).

Moreover, Mr.James Richard showed me the full information of those that are yet to receive their payments and I saw your name and email address as one of the beneficiaries that is why I decided to email you to stop dealing with those people, they are not with your funds, they are only making money out of you. I will advise you to contact Mr.James Richard you have to contact him directly on this information below.

COMPENSATION AWARD HOUSE

Name: Mr.James Richard

Email:[email protected]

Listed below are the name of mafias and banks behind the non release of your funds that I managed to sneak out for your kind perusal.

1) Prof. Charles soludo
2) Senator David Mark
2) Micheal Edward
3) Chief Joseph Sanusi
3) Sanusi Lamido
4) Dr. R. Rasheed
5) Mr. David Koffi
6) Barrister Awele Ugorji
7) Mr. Roland Ngwa
8) Barrister Ucheuzo Williams
9) Mr. Ernest Chukwudi Obi
10) Dr. Patrick Aziza Deputy Governor – Policy / Board Member
11) Mr. Tunde Lemo Deputy Governor – Financial Sector Surveillance/Board Member
12) Mrs. W. D. A. Mshelia Deputy Governor – Corporate Services / Board Members
13) Mrs. Okonjo Iweala
14) Mrs. Rita Ekwesili
15) Barr Jacob Onyema
16) Dr. Godwin Oboh: Director Union Bank Of Nigeria.
17) Mr. John Collins: Global Diplomat Director.
18) Foreign fund diplomatic courier
19) Barr. Becky Owens
20) Rev. Steven Jones
21) Mr. Alfred james
22) Mrs. Sherry Williams
23) Mr. Scott Larry

You really have to stop dealing with those people that are contacting you and telling you that your fund is with them, it is not in anyway with them, they are only taking advantage of you and they will dry you up until you have nothing. The only money I paid after I met Mr.James Richard was just $450 for the delivery charges, take note of that.

(NOTE: TELLING YOU TO PAY FOR ANY DELIVERY OR COURIER CHARGE IS ALL NOTHING BUT LIES, I REPEAT THE ONLY MONEY YOU WILL HAVE TO PAY AND WHICH I ALSO PAID IS $450 FOR THE DELIVERY CHARGES IMPOSED BY THE GOVERNMENT AND YOUR PACKAGE CONTAINING YOUR CERTIFIED BANK DRAFT CHEQUE WILL BE REACHING YOU THROUGH THE EXPRESS COURIER SERVICE).

Once again stop contacting those people, I will advise you to contact Mr.James Richard so that he can help you to deliver your funds instead of dealing with those liars that will be turning you around asking for different kind of money to complete your transaction

I’ve seen a flurry of these messages recently; by a flurry, I mean 34 in the past two days. The emails come with a variety of texts on the same theme, with randomized “from” email addresses, sender names, salutations, credit-card brand references, and dollar amounts.

The common element: An email attachment. It’s a corrupted Microsoft Word document that contains nasty malware that will do bad things to your computer. (The bad things vary depending which versions of Microsoft Word you have installed.) Don’t open it!

There’s not much that can be learned from examining the email headers. They originated from all over the world. The first of the two shown here entered the Internet’s email stream in South Korea, the other in the Netherlands.

If you see messages like this, delete them. Don’t respond. Never open attachments from messages if you don’t know and trust the sender… and even then, be wary.

SysSecOps is a new phrase, still unfamiliar to many IT and security administrators – but it’s being discussed within the industry, by analysts, and at technical conferences. SysSecOps, or Systems & Security Operations, describes the practice of combining security teams and IT operations teams to ensure the health of enterprise technology – and having the tools to respond most effectively when problems occur.

SysSecOps focuses on tearing down the information walls, the silos, that stand between security teams and IT administrators. IT operations staff are there to make sure that end-users can access applications, and that critical infrastructure is running at all times. They want to optimize access and availability, and they need the data required to do that job – that a new employee needs to be provisioned, that a hard drive in a RAID array has failed, that a new partner needs access to a secure document repository, or that an Oracle database is ready to be moved to the cloud. It’s all about technology to drive the business.

Same Data, Different Use Cases

Endpoint and network monitoring data and analytics are clearly tailored to fit the different needs of IT and security. However, the underlying raw data is in fact the same. The IT and security teams are simply looking at their own domain’s problems and scenarios – and acting on them based on those use cases.

Yet sometimes the IT and security teams have to work together. Take provisioning that new business partner: it must touch all the right systems, and be done securely. Or if there is a problem with a remote endpoint, such as a mobile phone or a device on the Industrial Internet of Things, IT and security may need to work together to determine exactly what’s going on. When IT and security share the same data sources, and have access to the same tools, that job becomes much easier – and hence SysSecOps.

Imagine that an IT administrator notices that a server hard drive is nearing full capacity – and this was not expected. Perhaps the network has been breached, and the server is now being used to stream pirated films across the Web. It happens, and finding and resolving that issue is a job for both IT and security. The data gathered by endpoint instrumentation, and displayed through a SysSecOps-ready monitoring platform, can help both sides work together more effectively than they could with conventional, separate IT and security tools.

SysSecOps: It’s a new term, and a new idea, and it’s resonating with both IT and security teams. You can learn more in a brief nine-minute video, where I talk with several industry experts about the subject: “Exactly what is SysSecOps?”