The recruiting methods being used in the cybersecurity industry are so dire that they pose a national security threat.
In an exclusive interview with Infosecurity Magazine at the (ISC)² Security Congress in Orlando, Florida, the founder and CEO of cybersecurity research and staffing firm CyberSN and of BrainBabe, Deidre Diamond, described recruitment in cybersecurity as "a crisis in a crisis in a crisis."
Diamond said: "The way we look for jobs is broken. Our professionals aren’t happy. They don’t love their jobs, but because job searching is so bad, they settle and stick around longer in those jobs.
"Having unhappy employees is an insider threat. I believe it’s a national security issue."
According to Diamond, the difficulties stem from a general ignorance of the scope and variety of jobs available in cybersecurity, coupled with the absence of a shared terminology to describe the many skill sets at play within the industry. Also, chronic under-investment by businesses in their cybersecurity means many cybersecurity professionals are doing three jobs in one.
"Cybersecurity isn’t one job; it’s 35 different job categories and 111 titles," said Diamond.
"On top of the changing and growing roles in cybersecurity, we don’t have the common language it takes to figure out the job, or to figure out what the professional really knows. We don’t know how to sell cybersecurity correctly to anybody, never mind to diverse candidates."
To mitigate the problem, Diamond invested billions in building question-and-answer technology that allows recruitment to be carried out in a different, skills-based way.
Describing the recruitment method practiced by her company, Diamond said: "Resumes don’t matter, and job descriptions don’t matter. We start from scratch, and we ask our own questions, then we build somebody’s profile and we build a job description."
Candidates give a baseline job title they have held and are then asked to list the tasks and projects they have been working on, detailing their functional roles and what percentage of their time is taken up by each role. They are then matched to jobs based on what functional roles are required, taking into account other factors such as salary, location, and remote working options.
Breaking down a job to show the percentage of time spent on each function can widen the number of opportunities open to candidates who might be put off by a job spec that relies on words alone.
Diamond said: "Somebody doing 50% of their time being an analyst and 50% of their time doing incident response could still be interested in an 80:20 split, or in a 40:40 plus something new like malware. That could still be a fit, because malware is really only 20% of the job, and humans are smart and they can learn. When the job is presented correctly, we can make those matches."
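The matching Diamond describes can be expressed as arithmetic on the percentage splits. The following Python is an added example written for this page, not CyberSN's product or data: it represents a candidate and each job as a split of 100% of working time across functional roles, scores how much of a job is familiar work, and treats a small unfamiliar share (the 20% of malware work in the example above) as learnable. The role names, thresholds and scoring rule are assumptions.

```python
# Functional-role profiles: role name -> share of working time in percent.
# Constructed illustration of percentage-based matching; role names, thresholds
# and the scoring rule are assumptions, not CyberSN's product or data.

Profile = dict[str, float]

def _validate(profile: Profile) -> None:
    """A profile is a split of 100% of someone's time across functional roles."""
    total = sum(profile.values())
    if any(share < 0 for share in profile.values()) or abs(total - 100.0) > 0.5:
        raise ValueError(f"role shares must be non-negative and sum to 100, got {total}")

def overlap(candidate: Profile, job: Profile) -> float:
    """Share of the job's time the candidate already spends on the same roles.
    Summing min(candidate share, job share) per role rewards both an 80:20 and
    a 40:40 split for someone who currently works 50:50."""
    _validate(candidate)
    _validate(job)
    return sum(min(candidate.get(role, 0.0), share) for role, share in job.items())

def new_roles(candidate: Profile, job: Profile) -> Profile:
    """Roles the job needs that the candidate has never done, with their share."""
    return {role: share for role, share in job.items() if role not in candidate}

def is_fit(candidate: Profile, job: Profile,
           min_overlap: float = 60.0, max_new_share: float = 25.0) -> bool:
    """Fit = most of the job is familiar work AND the unfamiliar part is small
    enough to learn on the job."""
    return (overlap(candidate, job) >= min_overlap
            and sum(new_roles(candidate, job).values()) <= max_new_share)

def rank_jobs(candidate: Profile, jobs: dict[str, Profile]) -> list[tuple[str, float, float]]:
    """(job name, familiar share, new share) for every fitting job, best overlap first."""
    scored = [(name, overlap(candidate, job), sum(new_roles(candidate, job).values()))
              for name, job in jobs.items() if is_fit(candidate, job)]
    return sorted(scored, key=lambda row: -row[1])

# Constructed sample data: the 50:50 analyst / incident responder from the article
CANDIDATE = {"analyst": 50.0, "incident_response": 50.0}
JOBS = {
    "SOC lead":        {"analyst": 80.0, "incident_response": 20.0},
    "IR with malware": {"analyst": 40.0, "incident_response": 40.0, "malware": 20.0},
    "Malware RE":      {"malware": 60.0, "reverse_engineering": 40.0},
}

if __name__ == "__main__":
    for name, familiar, new in rank_jobs(CANDIDATE, JOBS):
        print(f"{name}: {familiar:.0f}% familiar work, {new:.0f}% new")
```

Run as a script, it lists the two jobs the 50:50 candidate fits (the 80:20 and 40:40-plus-malware splits) and drops the pure malware role, where nothing is familiar.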
Two North American men have pleaded guilty to hacking and extorting Uber and LinkedIn’s Lynda.com business, compromising data on tens of millions of users in the process.
Brandon Charles Glover, 26, of Winter Springs, Florida, America, and Vasile Mereacre, 23, of Toronto, Canada, pleaded guilty to one charge each of conspiracy to commit extortion involving computers. They will likely face a five-year stretch in jail and a fine of $250,000 as a result.
The two are said to have used a custom-built GitHub account checker tool to try a number of already breached corporate credentials and see if they unlocked accounts on the developer site. After accessing several accounts belonging to Uber employees, they found AWS credentials which unlocked the online taxi firm’s AWS S3 data stores.
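From the defender's side, the account checking described above looks like a burst of logins to many different accounts from one source, most of them failing, which is what distinguishes replayed breached credentials from one user mistyping a password. The following Python is an added example (not from the page, the court documents or any company named here) that flags that pattern over constructed authentication log lines; the log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real product's format):
# "<ISO 8601 UTC> ip=<source> user=<account> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse_line(line: str):
    """Return a login event dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }

def detect_credential_checking(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.75):
    """Flag source IPs that try at least `min_users` distinct accounts inside one
    `window`, with at least `min_fail_ratio` of those attempts failing.
    Returns {ip: summary} for every flagged source."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            # every event from `start` forward that still falls inside the window
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            failures = sum(not e["ok"] for e in in_window)
            if len(users) >= min_users and failures / len(in_window) >= min_fail_ratio:
                alerts[ip] = {
                    "first_seen": start["ts"],
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # successful logins inside the burst are the accounts to act on
                    "succeeded": sorted(e["user"] for e in in_window if e["ok"]),
                }
                break
    return alerts

# Constructed sample log (documentation address ranges, invented accounts)
SAMPLE_LOG = """
2019-10-30T09:00:01Z ip=203.0.113.5 user=alice result=fail
2019-10-30T09:00:04Z ip=203.0.113.5 user=bob result=fail
2019-10-30T09:00:09Z ip=203.0.113.5 user=carol result=fail
2019-10-30T09:00:15Z ip=203.0.113.5 user=dave result=fail
2019-10-30T09:00:21Z ip=203.0.113.5 user=erin result=ok
2019-10-30T09:00:30Z ip=203.0.113.5 user=frank result=fail
2019-10-30T09:00:44Z ip=203.0.113.5 user=grace result=fail
2019-10-30T09:01:02Z ip=203.0.113.5 user=heidi result=fail
2019-10-30T09:05:00Z ip=198.51.100.7 user=alice result=fail
2019-10-30T09:05:20Z ip=198.51.100.7 user=alice result=fail
2019-10-30T09:05:41Z ip=198.51.100.7 user=alice result=ok
2019-10-30T09:10:00Z ip=192.0.2.9 user=bob result=fail
2019-10-30T09:10:30Z ip=192.0.2.9 user=carol result=fail
2019-10-30T09:11:00Z ip=192.0.2.9 user=dave result=fail
this line is not a login record
""".strip().splitlines()

if __name__ == "__main__":
    for ip, summary in detect_credential_checking(SAMPLE_LOG).items():
        print(ip, summary)
```

Only 203.0.113.5 is flagged: eight accounts in a minute with seven failures. The one user who repeatedly fails and then succeeds is normal behaviour, and three distinct accounts stays under the threshold. The `succeeded` list is the point of the alert: an account that logged in from inside a flagged burst should have its session reviewed and its credential reset, since that is exactly how a reused password gets turned into access to whatever that account can reach.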
Using an encrypted ProtonMail address, they then contacted Uber’s CSO, claiming to have found a vulnerability in its systems and demanding payment in return for deletion of the compromised customer and driver data — which ran into 57 million records.
Uber eventually agreed, paying them the requested $100,000 in Bitcoin through its HackerOne account and then covering up the incident, until a new CEO decided to come clean in 2017.
Emboldened by their success, Glover and Mereacre then obtained access to 90,000 Lynda.com accounts via the online education firm’s AWS S3 account, and tried the same extortion trick, according to court documents.
However, this time the firm went public with the breach.
The two incidents almost read like a case study in the right and wrong ways to handle a breach-related extortion demand.
In the case of Uber, it ended up settling with the US government to the tune of $148m, whilst paying a £385,000 fine to the UK’s Information Commissioner’s Office (ICO). It’s lucky to have escaped the wrath of GDPR regulators, given that 2.7 million British customers and drivers were affected by the breach.
Twitter has announced a ban on political advertising ahead of crucial elections in the UK and US over the coming year, turning up the heat on Facebook to tackle micro-targeting campaigns on social media.
At Infosecurity Europe earlier this year, author Jamie Bartlett warned that elections will increasingly be fought online, with small groups of swing voters micro-targeted by personalized ads. This strategy threatens to undermine the legitimacy of results, he argued, and could be further tainted by dubious use of private data, as per the Cambridge Analytica scandal.
Across several posts on the social platform he co-founded, CEO Jack Dorsey explained that the firm’s final policy would be published on November 15 and enforced a week later.
“We’ve made the decision to stop all political advertising on Twitter globally. We believe political message reach should be earned, not bought. A political message earns reach when people decide to follow an account or retweet. Paying for reach removes that decision, forcing highly optimized and targeted political messages on people. We believe this decision should not be compromised by money,” he said.
“While internet advertising is incredibly powerful and very effective for commercial advertisers, that power brings significant risks to politics, where it can be used to influence votes to affect the lives of millions.”
Although tacitly admitting that the decision would probably have a minimal impact on the firm, given its relatively minor role in a much larger political advertising ecosystem, Dorsey couldn’t resist piling the pressure on Facebook.
“For instance, it’s not credible for us to say: ‘We’re working hard to stop people from gaming our systems to spread misleading info, buuut if someone pays us to target and force people to see their political ad…well...they can say whatever they want!’,” he argued.
Dorsey also called for “more forward-looking” political advertising regulation, although admitting this would be difficult to craft.
The news was welcomed by non-profit the Open Knowledge Foundation, which called on Facebook to follow suit.
“It will go a considerable way to preventing the spread of disinformation and fake news, and help to resuscitate the three foundations of tolerance, facts and ideas,” argued CEO Catherine Stihler.
“It is imperative that we do not allow disinformation to blight this year’s UK General Election, forthcoming elections across Europe, and next year’s US Presidential election. Facebook must act on the growing demands for greater transparency.”
Socialbakers CEO Yuval Ben-Itzhak also praised the move as part of Twitter’s efforts to clean up its platform.
“By banning political advertising on the platform, Twitter's leadership is taking an important stance,” he added.
“Validating each ad at scale is technically challenging to say the least, so by banning politically-motivated ads the platform stands a better chance of remaining digital pollution-free for its advertisers and users.”
However, Tom Gaffney, security consultant at F-Secure, argued that the real problem for Twitter is fake accounts which are used to amplify often extreme views and misinformation, and trolling, which can also be used to spread rumors.
“Since many fake and troll accounts are controlled at least partially by real people, it is very difficult to create algorithmic methods to detect them,” he concluded.
“Despite Twitter’s own efforts, it is clear that the platform is still burdened by the presence of fake accounts and that many manipulation tactics are still very viable. In order to build better detection methods, more research is needed to understand how the people behind these accounts operate.”
The next generation of cybersecurity specialists must look at ways to ensure better security for our whole lifetime.
Speaking at Bsides Belfast, Duo Security advisory CISO Wendy Nather looked at the concept of “how do we live securely from cradle to grave.” In her closing keynote, Nather recalled the lengths she had gone to in educating her family about internet use, and her parents about gaining power of attorney over their estate.
“We are conditioned by the interface and this can be exploited and leveraged against us,” she said, explaining that some of us have only used computers at work, and now we are “exposed from birth” and are given accounts from school to college to work. “We get more logins and government accounts and bank accounts, and online shopping,” she said, adding that “the stupidest thing we did as technologists” was to determine that credentials can be stored in the brain.
“As you get old you get incapacitated, and people may be disabled and may need assistance – how can you let someone run your life for you?” Nather asked, arguing that this is something we have to think about now, and that this is something we need that “goes across all accounts from birth to death.”
She called on delegates to consider this, and to create an “intermediary to cover the digital lifespan.” She praised the uptake of password managers and Webauthn “and the emerging root of trust that is the phone,” but this is expensive and fragile, “and not what we need to cover our entire lifespan.”
This has “got to be more than authentication, and help with security decisions like delegating tasks” and it needs to be granted and revocable, and work with everything you have and be age appropriate to start at school.
“More than identity, we need something that encompasses regulations across the globe and is regulated by a trusted entity with no other agenda than providing this service – it cannot sell data or promote anything else – and it has got to work at speed.”
Nather concluded by urging the audience to do this, adding that this is “the greatest challenge of our generation.”
The UK’s privacy watchdog has raised “serious concerns” about police use of facial recognition technology, and called for the introduction of a statutory code of practice to govern when and how it should be deployed.
There have been numerous complaints from lawmakers, rights groups and members of the public in the past about how police are using the technology in public spaces, with many arguing that trials are being run covertly and that those members of the public covering their faces are assumed to be hiding something.
Big Brother Watch released a report last year claiming live facial recognition (LFR) systems being used by the Met police are 98-100% inaccurate.
Information commissioner Elizabeth Denham argued in a blog post yesterday that the ICO’s investigation into LFR use by the Met and South Wales Police had raised “serious concerns about the use of a technology that relies on huge amounts of sensitive personal information.”
“We found that the current combination of laws, codes and practices relating to LFR will not drive the ethical and legal approach that’s needed to truly manage the risk that this technology presents,” she added.
Denham argued that a recent court ruling, in which a judge said South Wales Police force’s use of LFR was lawful, should not be seen as a blanket authorization.
Instead, police forces across the country must follow her first Commissioner’s Opinion, announced yesterday.
This stipulates that police must follow current data protection laws — de facto the GDPR — during trials and full deployment, and that the use of facial images constitutes “sensitive processing” under this legislation. This applies whether an image produces a match on a watchlist or if it is subsequently deleted.
Data controllers must identify a lawful basis for the use of LFR and data protection laws apply to the whole process — “from consideration about the necessity and proportionality for deployment, the compilation of watchlists, the processing of the biometric data through to the retention and deletion of that data.”
In short, the ICO is telling UK police to slow down in their use of LFR, and ensure it is justified and done lawfully.
The watchdog said it would be working with the relevant authorities to produce a statutory and binding code of practice issued by the government on LFR use in public places.
In the US, there has been something of a backlash against LFR of late, with local authorities implementing bans on its use.
Supply chain attacks continue to be a reality for businesses, and are easier for adversaries.
Speaking at Bsides Belfast 2019, Cisco Talos security researchers Edmund Brumaghin and Nick Biasini explained that supply chains begin with a raw material that goes to a supplier, a manufacturer and distributor, and with so many people involved in the process, it is easy for an attacker to step in.
They highlighted cases from the past, including the Gunman project, which revealed the first keylogger, created by the Russians and planted in typewriters in US embassies, in “the first known interdiction attack.”
“Hardware attacks today don’t exist, and there are reasons for it,” Biasini said. Circuit boards carry chips and traces, and hundreds and thousands of people are employed to strip chips and layers, so it would be “extremely difficult and noisy” to compromise one device, and an attacker would need to interfere with every device on an assembly line.
Looking at software supply chain attacks, Brumaghin said that this is more of a soft target, and pointed at the NotPetya attack, which compromised the Ukrainian M.E.Doc software, as well as the CCleaner compromise, where the software was targeted with a malicious version made available as a download.
There are also more current cases, such as altered code in Webmin and PHP PEAR, while Biasini said that “a gigantic target” exists in browser extensions as an attacker “can hit a huge amount of systems and do click fraud with little difficulty.”
Biasini also said that open source has become a massive target, as adversaries realize that they do not need to compromise different systems one by one and can instead focus on the places where code is written and shared. He also called advertising networks “a disaster as so many systems, domains and processes can be infected along the way.”
In terms of defense, they recommended “covering all of the bases,” including:
- Asset identification
- User access control
- File access control
- User education
- Threat hunting
The speakers also advised delegates to document and validate all network connections, document the data sent from the client, “scrutinize incoming network connections” and push security to vendors, “as controls don’t just apply to your environment anymore.”
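Documenting network connections only pays off if the documentation is then checked against what the network actually does. As an added example (not code from the talk, from Cisco Talos or from the page), the following Python keeps a small inventory of expected connections, each with its direction, address ranges, port, protocol and the data it is documented to send, and sorts observed flows into documented and undocumented ones. The inventory entries, addresses and flow records are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed connection, seen from our environment."""
    direction: str   # "outbound" (we connect out) or "inbound" (someone connects in)
    local_ip: str
    remote_ip: str
    port: int        # remote port for outbound, local port for inbound
    proto: str       # "tcp" or "udp"

# Constructed inventory of documented connections (an assumption, not a real site).
# Each entry also records what data is sent, as the speakers recommended documenting.
DOCUMENTED = [
    {"name": "Vendor update server", "direction": "outbound",
     "local": "10.0.1.0/24", "remote": "192.0.2.10/32", "port": 443, "proto": "tcp",
     "data_sent": "license id, product version"},
    {"name": "Vendor remote support", "direction": "inbound",
     "local": "10.0.1.50/32", "remote": "192.0.2.0/24", "port": 22, "proto": "tcp",
     "data_sent": "none; interactive support sessions only"},
    {"name": "Internal DNS", "direction": "outbound",
     "local": "10.0.0.0/16", "remote": "10.0.0.53/32", "port": 53, "proto": "udp",
     "data_sent": "hostnames being resolved"},
]

def matches(flow: Flow, entry: dict) -> bool:
    """A flow is covered by an entry when direction, protocol, port and both
    address ranges all agree; anything else is undocumented by definition."""
    return (
        flow.direction == entry["direction"]
        and flow.proto == entry["proto"]
        and flow.port == entry["port"]
        and ipaddress.ip_address(flow.local_ip) in ipaddress.ip_network(entry["local"])
        and ipaddress.ip_address(flow.remote_ip) in ipaddress.ip_network(entry["remote"])
    )

def validate_flows(flows, documented=DOCUMENTED):
    """Split observed flows into (flow, entry name) pairs that are documented and
    a list of flows nobody has documented, which need a review rather than a guess."""
    known, unknown = [], []
    for flow in flows:
        entry = next((e for e in documented if matches(flow, e)), None)
        if entry:
            known.append((flow, entry["name"]))
        else:
            unknown.append(flow)
    return known, unknown

# Constructed observed flows (documentation address ranges)
OBSERVED = [
    Flow("outbound", "10.0.1.20", "192.0.2.10", 443, "tcp"),    # documented vendor update
    Flow("outbound", "10.0.1.20", "198.51.100.8", 443, "tcp"),  # undocumented destination
    Flow("inbound", "10.0.1.50", "192.0.2.77", 22, "tcp"),      # documented vendor support
    Flow("inbound", "10.0.1.50", "203.0.113.4", 22, "tcp"),     # inbound SSH from an unlisted network
    Flow("outbound", "10.0.3.9", "10.0.0.53", 53, "udp"),       # internal DNS
]

if __name__ == "__main__":
    known, unknown = validate_flows(OBSERVED)
    for flow, name in known:
        print("documented  ", name, flow)
    for flow in unknown:
        print("UNDOCUMENTED", flow)
```

The two undocumented flows are the interesting output: an outbound HTTPS connection to a destination nobody recorded, and an inbound SSH session from outside the vendor's documented range. Neither is necessarily malicious, but each is a question the vendor or the owning team has to answer before the inventory is updated, which is the control the speakers were describing.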
Biasini concluded by stating that supply chains are where an adversary can come in as “if they cannot get in via the front door, they will come in via the supply chain.”
Retired US Navy four-star admiral William McRaven offered guidance on how to succeed in life as he delivered the closing keynote address at the (ISC)² Security Congress in Orlando, Florida.
Drawing from memories of his exceptional 37-year military career, McRaven encouraged the rapt crowd to embrace teamwork, take risks, and be prepared to fail if they want to reach their goals.
McRaven played a key role in thousands of dangerous overseas missions, overseeing the capture of Saddam Hussein and the raid that resulted in the death of Osama bin Laden.
Speaking at the security conference on Wednesday, McRaven shared a number of lessons drilled into Navy SEALs as they go through their almost inconceivably tough initial training, such as "Life's not fair; get over it."
After advising attendees to start every day by making their bed, McRaven said: "Making the bed is recognizing that the little things in life matter. If you can't even make your bed, how are you ever going to lead a complex mission?"
McRaven told the crowd how he broke his back and pelvis in a parachute accident that occurred during a 1,000-foot freefall exercise in the summer of 2001. During the long months of recuperation that followed, McRaven was kept in good spirits through his family's loving care and the frequent visits he received from friends and colleagues.
"Make as many friends as you can, have as many colleagues as you can, and take care of as many strangers as you can, as someday they may come back and take care of you," McRaven advised the audience.
McRaven implored the crowd to never miss the opportunity to inspire someone, because it can have a cascading effect. He shared a particularly uplifting story from his own life, which occurred when he met a young man in the 25th Infantry Unit.
The soldier had recently returned from Iraq after an Explosively Formed Projectile (EFP) entered the vehicle in which he was traveling. The vehicle's other occupants all lost their lives that day. The young soldier lost all four of his limbs.
As McRaven tried to think of something to say to the quadriplegic soldier, he found himself battling with feelings of pity and remorse. To his amazement, the young man said to him: "Sir, I'm 24 years old. I'm going to be just fine."
"I never forgot that," said McRaven. "That young man, that day, inspired me in a way that few people have."
Cybersecurity's leading lights were recognized at an award ceremony held yesterday in Orlando, Florida.
The special event, which took place at the Walt Disney World Swan and Dolphin Resort on day three of the (ISC)² Security Congress, was staged to honor the winners of the 2019 Information Security Leadership Awards (ISLA®) Americas.
The ISLA Americas awards recognize outstanding leadership and achievement in workforce improvement among information security and management professionals throughout the private and public sectors in North, Central, and South America.
To be in the running for the award, cybersecurity professionals must have inspired change within the cybersecurity field. Only individuals working in the private and public sectors throughout the Americas, but outside of the U.S. federal government, are eligible for the prestigious accolade.
"Each year, the ISLA Americas ceremony showcases what leaders in our field are doing to help us achieve our vision of inspiring a safe and secure cyber world," said (ISC)² chief operating officer Wesley Simpson.
"The winners are enabling positive change within their organizations and communities, and across the industry."
Tomiko K. Evans picked up an award for Up-and-Coming Information Security Professional for introducing CyberRap to cybersecurity conferences. Evans is CEO and owner of unmanned aerial vehicles (UAV) cybersecurity firm Aerial Footprint, and vice president of information security at Palo Alto Networks.
CISSP Andrés Velázquez took home an ISLA Americas award for Community Awareness for his Crimen podcast. Velázquez is the founder and president of MaTTica, the first forensic lab in the private sector in Latin America.
Another CISSP, Anna Harrison, scooped up the gong for Information Security Practitioner for her efforts to strengthen the nation’s cybersecurity. Harrison, who holds a master's degree in computer science from Mississippi State University, is senior cybersecurity engineer at veteran-owned Alabama business H2L Solutions.
The winner of the Senior Information Security Professional award was Cassio Goldschmidt, CSSLP, CAP, and head of information security at HVAC software creators ServiceTitan. Goldschmidt earned the accolade for his work in end-to-end security policy enactment and awareness.
This year, a judging committee comprising five seasoned industry professionals representing both North America and Latin America reviewed the nominations and selected the winners based upon specific criteria and eligibility requirements.
Cyber threat intelligence is not being fully exploited, as businesses are often unclear on what it is and how it can be used.
Speaking on day three of the (ISC)² Security Congress in Orlando, Florida, CTI analyst Xena Olsen said vital information about online threats wasn't flowing smoothly from CTI analysts to management and other employees. As a result, key decisions are frequently made without full comprehension of the prevailing security landscape.
Olsen told Infosecurity Magazine: "There are communication issues. Sometimes you get managers that don’t know anything about CTI, so they have to get up to speed. They aren't analysts, so they don't understand how CTI analysts approach data. They don't know what to ask, and they don't know what to look for.
"People in other departments also don't know that they can lean on their own in-house CTI team. They don't even know what they have access to. So, people get confused, and then they don't know who to talk to within the organization."
According to Olsen, there are blockages on both ends of the intelligence pipe, as CTI analysts frequently botch the job of clearly explaining their findings to non-techies and don't sit down with management to work out what information is really needed.
“It takes having honest conversations, and in the corporate world it's a little bit more difficult to achieve that because sometimes people don't like asking questions or admitting that they don't know something,” Olsen told Infosecurity Magazine.
Olsen advised analysts to create a short and simple daily cyber-threat report and weekly threat summary for management. Each threat listed should be given a clear threat ranking pertinent to that particular organization, so management can see at a glance what is going on and how worried they should be about it.
Analysts should also make a quarterly cyber-threat landscape report that includes pictures of phishing emails received and features graphs or heat maps showing what threat actor activity occurred and when.
Olsen advised managers to request data that can be used to make their organizations safer. She said: "You can ask for data on who clicks the most [number of bad links] and who gets infected the most in your organization."
Giving feedback will help managers get the most out of CTI. Olsen added: "If I spent 40 hours preparing a report for you, and you tell me it wasn't useful, then I won't do it anymore, and I will do something else instead."
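Olsen's daily report, with a threat ranking specific to the organization, and her advice that managers ask for click and infection data, can both be put into code. The following Python is an added example, not Olsen's material or any vendor's product: it scales a generic severity by whether the threat touches technology the organization runs, targets its sector or is actively exploited, renders a ranked daily report, and tallies clicks and infections per user. The threats, organization context, scoring rule and event records are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    id: str
    name: str
    severity: int        # 1..5 generic severity as given by the feed or analyst
    products: list       # technologies the threat abuses
    sectors: list        # sectors observed being targeted
    active: bool         # exploitation observed in the wild this reporting period

@dataclass
class OrgContext:
    sector: str
    inventory: set       # technologies the organization actually runs

def org_score(threat: Threat, org: OrgContext) -> int:
    """Organization-specific score: generic severity, scaled up when the threat
    touches technology we run (weight 2), targets our sector (1) or is active (1).
    The weights are an assumption chosen for illustration."""
    hits_our_tech = any(p in org.inventory for p in threat.products)
    targets_our_sector = org.sector in threat.sectors
    return threat.severity * (1 + 2 * hits_our_tech + targets_our_sector + threat.active)

def label(score: int) -> str:
    """Three bands so management can read the ranking at a glance."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"

def rank_threats(threats, org):
    """List of (threat, score, label), most relevant to this organization first."""
    scored = [(t, org_score(t, org), label(org_score(t, org))) for t in threats]
    return sorted(scored, key=lambda row: -row[1])

def daily_report(threats, org, day: str) -> str:
    """Short daily report: one line per threat, ranked, with the reason for the rank."""
    lines = [f"Daily threat report {day} for sector '{org.sector}'"]
    for threat, score, level in rank_threats(threats, org):
        why = []
        if any(p in org.inventory for p in threat.products):
            why.append("in our inventory")
        if org.sector in threat.sectors:
            why.append("targets our sector")
        if threat.active:
            why.append("active exploitation")
        reason = ", ".join(why) or "no direct relevance"
        lines.append(f"[{level:6}] {threat.id} {threat.name} (score {score}; {reason})")
    return "\n".join(lines)

def top_clickers(events, n: int = 3):
    """Per-user click and infection counts from phishing-simulation or mail-gateway
    events, most clicks first: the data a manager can ask for to target training."""
    counts = {}
    for user, clicked, infected in events:
        clicks, infections = counts.get(user, (0, 0))
        counts[user] = (clicks + clicked, infections + infected)
    ranked = sorted(((u, c, i) for u, (c, i) in counts.items()),
                    key=lambda row: (-row[1], -row[2]))
    return ranked[:n]

# Constructed sample data
ORG = OrgContext(sector="finance", inventory={"office365", "windows", "linux"})
THREATS = [
    Threat("T-001", "Credential phishing wave", 3, ["office365"], ["finance", "retail"], True),
    Threat("T-002", "Router firmware exploit", 5, ["acme-router"], ["telecom"], True),
    Threat("T-003", "Ransomware spread via exposed RDP", 5, ["windows"], ["healthcare", "finance"], False),
]
CLICK_EVENTS = [  # (user, clicked a simulated phishing link, endpoint infected)
    ("alice", True, False), ("alice", True, True), ("bob", False, False),
    ("carol", True, False), ("alice", False, False), ("dave", True, True),
]

if __name__ == "__main__":
    print(daily_report(THREATS, ORG, "2019-10-31"))
    print(top_clickers(CLICK_EVENTS))
```

The ranking shows why a generic severity is not enough: the severity-5 router exploit drops to medium because the organization runs none of that equipment, while the severity-3 phishing wave is high because it targets both the organization's mail platform and its sector. The report line carries the reason, which is the part that lets a manager who is not an analyst follow the logic.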
Building a threat hunting team requires finding people who are prepared to be inquisitive of data, are keen to be the first to find a threat, and creating the right culture for them to work in.
Speaking at Bsides Belfast 2019, Martin Lee, outreach manager and technical lead at Cisco Talos, said that the team at Talos “work on analyzing the intelligence we have got, spot what is different and understand it.” What Talos does is “special and what we do has happened by accident,” he said, as there is no manual on how to manage and run a threat research and intelligence team.
He said that there is a common belief that threat hunting involves “putting data in and mixing it with tools using SIEM, and using procedures to find threats,” when threat hunting should be thought of as a “stack of technology” where you do not need a “secret store of data that only you can access.”
Lee added: “We look for the most significant new threat on the internet, and see our role as to protect the entire internet. We want to hunt down and find the bad guys and be the first people to protect customers and inform the community.”
A lot of threat hunting “is classic engineering,” as if you put processes in at the beginning and follow them, you will come to a predictable end with a clean answer, and Lee called that “the holy grail” situation. In most cases, threat hunting involves looking through indicators of compromise and comparable data, and the resolution is affected by attackers using different domains, different IP addresses and different data.
Lee also said that when there is a successful effort at threat hunting, this can be turned into an automated process.
“We find bad guys, find them first and hunt them down on the internet,” he said. “We have a strong sense of mission and a high degree of success as people want to hunt and encourage each other to keep going, it is not a job, but a lifestyle.”
Lee also said that very little of threat hunting is the common perception of “get a SIEM and go on the dark web” as a SIEM shows the analyst one view, which makes it difficult to ask different and innovative questions of the data.
As for the dark web, he acknowledged that there is malicious activity in the dark web “as you can find bad guys discussing [things] before they happen,” but the set of things that happen versus things discussed on the dark web often means “a lot of it can just be noise and people discussing things that may not happen.”
He said that “more important than tooling is people with skills” who will thrive in the right culture as you “can kill people with tooling if you have the wrong culture.” Also, you need to have some idea of what you want to find, and if you have no idea what you are looking for, you will never find it.
Lee recommended building a strategy on what you’re hoping to find and what you would like to find, and decide what you would do with it and how to improve the goals of an organization. Also, use tools that allow you to ask questions of data easily, and hire people who are curious of things “and get to the root cause of what is going on.”
A major cyber-attack on Asia’s ports could end up costing the global economy as much as $110bn due to business interruption and other knock-on impacts, according to a new report.
Backed by Lloyd’s of London, the University of Cambridge and other organizations, the report was developed by the Singapore-based Cyber Risk Management (CyRiM) project.
It paints a hypothetical picture of a computer virus, dubbed ‘Shen,’ which exploits a vulnerability in port management software from a major shipping management company. It’s not made clear whether the virus is ransomware, but the effect is to infect systems on-board ageing ships, and then to “scramble” key database records at major ports in the region.
“While cyber-attacks have impacted individual ports in the past, an attack on systematic vulnerabilities across ports on this scale has never been seen,” the report claimed. “However, the combination of ageing shipping infrastructure and global complex supply chains, makes the shipping industry vulnerable to extreme losses.”
In this scenario, not only port owners themselves, but a range of supply chain organizations including logistics companies, cargo owners, ship owners, ship management companies and port management system providers would be affected.
Every country which operates bilateral trade with the affected ports would suffer heavy losses, due to delayed delivery and the impact on perishable items waiting to be shipped. For example, port closures in Japan would directly affect the US, China, Taiwan, South Korea and Hong Kong, the report said.
The heaviest losses were predicted to affect the transport and aviation sectors, followed by manufacturing, retail and then real estate.
An attack affecting 15 Asian ports would cost between $41bn and $110bn, the report claimed.
However, CyRiM warned that 92% of total economic costs are currently uninsured, leaving an insurance gap of $101bn.
“Cyber-risk is one of the most critical and complex challenges facing the Asia Pacific maritime industry today. As this risk grows with the increasing application of technology and automation in the industry, collaboration and future planning by insurers and risk managers is critical,” argued Lloyd’s Singapore country manager, Angela Kelly.
“With nine out of 10 of the world’s busiest container ports based in Asia, and high levels of underinsurance in the region, this exposure must be addressed.”
Facebook has been forced to take action again to remove illegal Russian attempts to influence its users — this time in African countries.
The “coordinated inauthentic behavior” has been linked to notorious Russian financier Yevgeniy Prigozhin, already indicted by the US for funding the Kremlin-linked Internet Research Agency (IRA), which was involved in information warfare efforts ahead of the 2016 US Presidential election.
Facebook removed three separate networks originating in Russia and which targeted Madagascar, Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire, Cameroon, Sudan and Libya.
The first involved the take-down of 35 Facebook accounts, 53 Pages, seven Groups and five Instagram accounts focusing on users in Madagascar, the Central African Republic, Mozambique, Democratic Republic of the Congo, Côte d’Ivoire and Cameroon.
At least one of the Pages accrued around 475,000 followers, and around $77,000 in advertising was spent.
The next campaign centered around 17 Facebook accounts, 18 Pages, three Groups and six Instagram accounts, accruing over 457,000 followers. They re-posted Sudanese state news and Russian propaganda from RT and Sputnik.
Finally, Facebook removed a network of 14 Facebook accounts, 12 Pages, one Group and one Instagram account that originated in Russia and focused on Libya.
As per the other campaigns, they often posted a mix of local and global news from local and Russian sources, on multiple sides of political debate, and from authentic and fake accounts. In this case, the accounts and Pages gained over 241,000 followers and around $10,000 was spent on ads.
“Although the people behind these networks attempted to conceal their identities and coordination, our investigation connected these campaigns to entities associated with Russian financier Yevgeniy Prigozhin, who was previously indicted by the US Justice Department,” said Facebook head of cybersecurity policy, Nathaniel Gleicher.
“We’re taking down these Pages, Groups and accounts based on their behavior, not the content they posted. In each of these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves, and that was the basis for our action.”
Spend less energy focusing on advanced attacks and zero-days, as attacks remain the same and cybersecurity needs to focus more on producing and enabling better professionals.
Speaking in the opening keynote at BSides Belfast 2019, BH Consulting CEO Brian Honan said that, as we mark the 50th anniversary of the internet, we have to realize that whilst we were once unconnected, we now have huge dependency on the internet and this has led to economies and democracies being under attack. With the Cambridge Analytica case still in the mind, and with a UK election likely for December, Honan suspected that we will see more online influence.
Looking at cyber-attacks, Honan said that data suggests that we are seeing “more of the same,” as in the 1980s we were talking about viruses as the main threat, “and that is the same now, but we call it ransomware” - and business email compromise and ransomware have been around for years.
“Criminals use the same techniques as they work, and the biggest risk is the common run of the mill cyber-attack that is known to work,” he argued. “Attackers are not using zero-days and advanced cyber-attacks, they are using email and phones to break into companies.”
This has led to a culture of repeating the same mistakes over and over again, and we are not learning from them. Honan called for an end to “victim blaming” as if we “keep making the same mistakes, then there is an insecure future ahead.” He also called for more transparency into incident response reports, as too often investigations are not revealed.
Drawing comparisons with the aviation industry, Honan highlighted the frequent checks and tests on planes, and the fact that pilots need to be qualified and trained to fly, and “rigorous procedures” are followed. “However, we don’t do that in IT, as we launch things on the internet and hope they will work and if they don't, we fix the problem in the next release. You cannot do that at 10,000 feet.”
Concluding, Honan called for better collaboration, as “business people demand better security” now that we talk to boards “and not geeks.
“Don’t stand alone, work outside industry and your community to fix problems, and make sure we embrace the business side and talk to them and continue hacking stuff to improve the systems we rely on,” he said.
A malware infection at one of India’s nuclear power plants has been confirmed by its owner, with researchers speculating that it is North Korean in origin.
News began circulating on social media earlier this week that the Kudankulam Nuclear Power Plant (KNPP) may have been hit by an attack. A third party contacted cyber-intelligence analyst Pukhraj Singh who in turn notified the country’s National Cyber Security Coordinator on September 3, he said.
He added that the malware in question was later identified by Kaspersky as Dtrack.
Although initially KNPP officials said an attack on the plant was “not possible,” they changed their tune in a letter dated Wednesday.
The government-owned Nuclear Power Corporation of India (NPCIL) released a statement saying the original reports had been correct, and handled by CERT-In when the organization was notified on September 4.
“The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes,” it clarified. “This was isolated from the critical internal network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected.”
Dtrack was first revealed in late September by Kaspersky as linked to the infamous Lazarus Group. It discovered over 180 samples of the malware, which is said to take advantage of weak network security, password management and a lack of traffic monitoring to deploy information stealing and remote access capabilities to victim systems.
It’s unclear what the attacker’s goals were in this raid — whether it was an accidental infection, a deliberately targeted multi-stage IP-stealing mission, or something more sinister still.
However, at the time of discovery, Singh tweeted about a casus belli (act of war) in Indian cyberspace. He later clarified this was a reference to a second, as-yet-unnamed, target.
“Actually, the other target scared the sh*t out of me. Scarier than KKNPP in some ways,” he said.