Alliance to improve cyber security

A cross-sector alliance incorporating leading UK organisations has been created in response to government plans to develop a national professional body for cybersecurity.

https://www.theregister.co.uk/2018/07/19/cyber_security_pro_strategy_uk/

Collaborative Alliance aims to shape national cybersecurity standards, drive advances in education and advise the government on policy.

The founding members include BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development, the Chartered Society of Forensic Sciences, CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers, The IET, Institute of Information Security Professionals (IISP), Institute of Measurement and Control, ISACA, (ISC)2, techUK, The Security Institute, CIT, and The Worshipful Company of Information Technologists.

The latest (ISC)2 Global Information Security Workforce Survey predicts a global shortfall of 1.8 million cybersecurity personnel by 2022 and a shortage of 350,000 across Europe. One of the alliance’s key aims is to create a self-sustaining pipeline of talent to fill the skills gap in the UK.

UK’s Huawei handler dials back support for Chinese giant’s kit in critical infrastructure

A UK government-run oversight board has expressed misgivings about the security of telecoms kit from Chinese firm Huawei.

https://www.theregister.co.uk/2018/07/20/huawei_security_appraisal/

An annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC) concluded that “shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management”.

Huawei kit is widely used on BT’s network backbone, so reduced confidence in equipment from the manufacturer has profound implications unless steps are taken to restore full confidence.

HCSEC warned: “Huawei’s processes continue to fall short of industry good practice and make it difficult to provide long term assurance.”

IoT-enabled vacuum cleaner is spying on me

Vulnerabilities in a range of robot vacuum cleaners allow miscreants to access the gadgets’ camera, and remote-control the gizmos.

https://www.theregister.co.uk/2018/07/20/iot_insecurity_robo_vacuum_cleaners/

Security researchers at Positive Technologies (PT) this week disclosed that Dongguan Diqee 360 smart vacuum cleaners contain security flaws that hackers can exploit to snoop on people through the night-vision camera and mic, and take control of the Roomba rip-off.

The first vulnerability (CVE-2018-10987) involves remote code execution. A hacker can discover the vacuum on the same wireless network by obtaining its MAC address, and then send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum. A miscreant must first log onto the device, but this process is trivial because many still have the default username and password combination (admin and 888888).

Attackers need physical access to exploit the second vulnerability (CVE-2018-10988). A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism.

Russian hackers penetrate US power stations

https://www.bbc.co.uk/news/technology-44937787

Russian hackers have won remote access to the control rooms of many US power suppliers, the Wall Street Journal reports.

The access could have let them shut down networks and cause blackouts, US officials told the newspaper.

The state-backed hackers won access even though command centre computers were not directly linked to the web.

The attacks succeeded by targeting smaller firms which supply utilities with other services.

Security in medical devices: Finding your starting point

The first of a 3 part blog by Andrew Longhurst, Wittenstein, looking at improving security in medical devices:

http://www.embedded-computing.com/iot/security-in-medical-devices-finding-your-starting-point

Part 1 focuses on industry standards. Parts two and three will cover attack surface analysis and the wider security mechanisms that can be used to improve security in a medical device.

Safety developers are getting used to working to safety standards, but for security, finding a relevant standard can be much more challenging, and is only the start of a long and comprehensive route to creating a secure device. Note that more information is available on this topic in a whitepaper titled Increasing Security in Medical Devices.


And that’s now all three LTE protocol layers with annoying security flaws

Infosec wizards show how spies can snoop on website traffic, redirect browsers over 4G

https://www.theregister.co.uk/2018/06/29/4g_security/

Boffins have demonstrated how intelligence agencies and well-resourced hackers can potentially spy on people – by studying and meddling with mobile data flying over the airwaves.

The computer scientists have described in detail novel surveillance techniques that allowed them to identify people within a phone tower’s radio cell, determine which websites they visited from their handsets, and redirect them to malicious webpages by tampering with DNS lookups.

However, the team cautioned that their work so far is experimental, and difficult to perform in real-world scenarios.

The three attacks – explained on a dedicated website – all target the data link layer of LTE, aka Long-Term Evolution, aka 4G, networks.

The identification and website snooping techniques are passive, in that a spy just listens to what’s going out over the airwaves from phones, whereas the webpage redirection attack is an active operation – an agent needs to set up a malicious cell tower to tamper with transmissions. As such, the academics dubbed their DNS spoofing attack “aLTEr.” The website spying works by identifying, to a particular level of certainty, sites by their patterns of traffic over the air.

Only 14% of businesses have implemented even the most basic cybersecurity practices

#IoT #cybersecurity must be a vital and integral part of every organization’s strategic plan.

https://www.techrepublic.com/article/only-14-of-businesses-have-implemented-even-the-most-basic-cybersecurity-practices/

According to a 2018 report from security company Symantec, the number of Internet of Things (IoT) attacks increased from about 6,000 in 2016 to more than 50,000 in 2017, which translates into a 600% rise in just one year. IoT devices are increasingly the attack vector of choice for cybercriminals around the world. IoT is particularly popular for ransomware attacks and illegal cryptocurrency miners.

According to Verizon’s Mobile Security Index 2018, only 14% of the responding organizations said they had implemented even the most basic cybersecurity practices, with an astonishing 32% of these IT professionals admitting that their organization regularly sacrifices mobile security to improve business performance. That generally lax attitude toward cybersecurity goes a long way toward explaining why IoT attacks have spiked 600% in one year.

Arrow offers provisioning using NXP secure element

Arrow Electronics has expanded its programming facilities in the Netherlands to offer a secure provisioning service that will enable the rapid deployment of IoT edge nodes and gateways using the NXP A71CH secure element trust anchor.

For more information see:

http://www.iotm2mcouncil.org/arrnxop

The ability to authenticate IoT devices and establish trusted connections to the cloud is becoming increasingly important, particularly with the GDPR legislation and the responsibility it places on organisations to protect data and

Researcher Successfully Hacked In-Flight Airplanes – From the Ground

DarkReading Article

IOActive researcher will demonstrate at Black Hat USA how satellite equipment can be ‘weaponized’

It’s been four years since researcher Ruben Santamarta rocked the security world with his chilling discovery of major vulnerabilities in satellite equipment that could be abused to hijack and disrupt communications links to airplanes, ships, military operations, and industrial facilities.

Santamarta has now proven out those findings and taken his research to the level of terrifying, by successfully hacking into in-flight airplane WiFi networks and satcom equipment from the ground. “As far as I know I will be the first researcher that will demonstrate that it’s possible to hack into communications devices on an in-flight aircraft … from the ground,” he says.

He accessed on-board WiFi networks, including passengers’ Internet activity, and was also able to reach the planes’ satcom equipment, he says, all of which in his previous research he had concluded – but not proven – was possible. And there’s more: “In this new research, we also managed to get access to important communications devices in the aircraft,” Santamarta, principal security consultant with IOActive, says.