<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: We’re hitting rock bottom in cyber — let’s do something &#124; TechCrunch</title>
	<atom:link href="http://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 12 Apr 2026 21:37:09 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1619367</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 02 Jan 2019 13:49:39 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1619367</guid>
		<description><![CDATA[18 Months Later, WannaCry Still Lurks on Infected Computers
https://www.bleepingcomputer.com/news/security/18-months-later-wannacry-still-lurks-on-infected-computers/]]></description>
		<content:encoded><![CDATA[<p>18 Months Later, WannaCry Still Lurks on Infected Computers<br />
<a href="https://www.bleepingcomputer.com/news/security/18-months-later-wannacry-still-lurks-on-infected-computers/" rel="nofollow">https://www.bleepingcomputer.com/news/security/18-months-later-wannacry-still-lurks-on-infected-computers/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575819</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 28 Dec 2017 21:28:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575819</guid>
		<description><![CDATA[Cyber security in the nuclear industry: Growing threats and evolving practices
Why nuclear power plants are more vulnerable to cyber attacks today
https://www.pwc.com/us/en/industries/capital-projects-infrastructure/asset-classes-sectors/nuclear-power-industry/nuclear-cyber-security.html

Nuclear power plants, like other critical infrastructure, are more vulnerable than ever to cyber attacks. In recognition of this fact, the Department of Homeland Security and the Federal Bureau of Investigation issued a joint report on nuclear cyber attacks with an urgent amber warning, indicating the second highest level of threat.]]></description>
		<content:encoded><![CDATA[<p>Cyber security in the nuclear industry: Growing threats and evolving practices<br />
Why nuclear power plants are more vulnerable to cyber attacks today<br />
<a href="https://www.pwc.com/us/en/industries/capital-projects-infrastructure/asset-classes-sectors/nuclear-power-industry/nuclear-cyber-security.html" rel="nofollow">https://www.pwc.com/us/en/industries/capital-projects-infrastructure/asset-classes-sectors/nuclear-power-industry/nuclear-cyber-security.html</a></p>
<p>Nuclear power plants, like other critical infrastructure, are more vulnerable than ever to cyber attacks. In recognition of this fact, the Department of Homeland Security and the Federal Bureau of Investigation issued a joint report on nuclear cyber attacks with an urgent amber warning, indicating the second highest level of threat.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575783</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 28 Dec 2017 15:10:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575783</guid>
		<description><![CDATA[Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames 
https://it.slashdot.org/story/17/12/28/0124233/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames

Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user&#039;s login information, such as username and passwords.

Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/

Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.

This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user&#039;s username and password for specific sites and auto-insert it in login fields when the user visits that site again.

Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user&#039;s login information, such as username and passwords.

The trick is an old one, known for more than a decade [1, 2, 3, 4, 5], but until now it&#039;s only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.

Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.

Fortunately, neither of the two services collected password information, only the user&#039;s username or email address, depending on what each domain uses for the login process.

The two services are Adthink and OnAudience.

In this particular case, the two companies were extracting the username/email from the login field, creating a hash, and tying that hash with the site visitor&#039;s existing advertising profile.]]></description>
		<content:encoded><![CDATA[<p>Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames<br />
<a href="https://it.slashdot.org/story/17/12/28/0124233/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames" rel="nofollow">https://it.slashdot.org/story/17/12/28/0124233/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames</a></p>
<p>Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user&#8217;s login information, such as username and passwords.</p>
<p>Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames<br />
<a href="https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/" rel="nofollow">https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/</a></p>
<p>Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.</p>
<p>This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user&#8217;s username and password for specific sites and auto-insert it in login fields when the user visits that site again.</p>
<p>Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user&#8217;s login information, such as username and passwords.</p>
<p>The trick is an old one, known for more than a decade [1, 2, 3, 4, 5], but until now it&#8217;s only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.</p>
<p>Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.</p>
<p>Fortunately, neither of the two services collected password information, only the user&#8217;s username or email address, depending on what each domain uses for the login process.</p>
<p>The two services are Adthink and OnAudience.</p>
<p>In this particular case, the two companies were extracting the username/email from the login field, creating a hash, and tying that hash with the site visitor&#8217;s existing advertising profile.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575712</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 21:05:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575712</guid>
		<description><![CDATA[How to find an APT attack against a network
https://www.controleng.com/single-article/how-to-find-an-apt-attack-against-a-network/a219fb0bb5e12529d6450413a036d58c.html

Advanced persistent threat (APT) attacks against critical infrastructure are on the rise and companies and users need to learn how to find anomalies in their network and be proactive before serious damage can be inflicted.

It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell if the bad guys are in the system.

&quot;There are indications they are looking for things inside the networks themselves,&quot; said Dana Tamir, vice president of market strategies and security provider, Indegy. &quot;It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn&#039;t meet the kind of activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what is acceptable activities.&quot;

The alert on the US-CERT site warns, &quot;Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims&#039; networks.&quot; 

 Attackers have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the server message block (SMB) protocol. This sends the user&#039;s credential hash to the remote server, where &quot;The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.&quot;

Watering holes are also used to gather credentials.

&quot;The threat actors compromise the infrastructure of trusted organizations to reach intended targets,&quot; the report said. &quot;Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.&quot; 

When credentials have been gained, the attackers use these to access victims&#039; networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server. 

&quot;This alert shows adversaries are getting into networks and they are getting in deeper and deeper,&quot; 

 These kinds of warnings and attacks are becoming a bit better known these days, but the question also remains if users are secure.

&quot;Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain—more than retail or financial industry targets we tend to see in the news,&quot; said David Zahn, GM of the cybersecurity business unit at PAS. &quot;The reason is that the industrial control systems that sit at the end of the industrial facility&#039;s kill chain control in many cases volatile process. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability.&quot;]]></description>
		<content:encoded><![CDATA[<p>How to find an APT attack against a network<br />
<a href="https://www.controleng.com/single-article/how-to-find-an-apt-attack-against-a-network/a219fb0bb5e12529d6450413a036d58c.html" rel="nofollow">https://www.controleng.com/single-article/how-to-find-an-apt-attack-against-a-network/a219fb0bb5e12529d6450413a036d58c.html</a></p>
<p>Advanced persistent threat (APT) attacks against critical infrastructure are on the rise and companies and users need to learn how to find anomalies in their network and be proactive before serious damage can be inflicted.</p>
<p>It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell if the bad guys are in the system.</p>
<p>&#8220;There are indications they are looking for things inside the networks themselves,&#8221; said Dana Tamir, vice president of market strategies and security provider, Indegy. &#8220;It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn&#8217;t meet the kind of activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what is acceptable activities.&#8221;</p>
<p>The alert on the US-CERT site warns, &#8220;Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims&#8217; networks.&#8221; </p>
<p> Attackers have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the server message block (SMB) protocol. This sends the user&#8217;s credential hash to the remote server, where &#8220;The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.&#8221;</p>
<p>Watering holes are also used to gather credentials.</p>
<p>&#8220;The threat actors compromise the infrastructure of trusted organizations to reach intended targets,&#8221; the report said. &#8220;Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.&#8221; </p>
<p>When credentials have been gained, the attackers use these to access victims&#8217; networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server. </p>
<p>&#8220;This alert shows adversaries are getting into networks and they are getting in deeper and deeper,&#8221; </p>
<p> These kinds of warnings and attacks are becoming a bit better known these days, but the question also remains if users are secure.</p>
<p>&#8220;Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain—more than retail or financial industry targets we tend to see in the news,&#8221; said David Zahn, GM of the cybersecurity business unit at PAS. &#8220;The reason is that the industrial control systems that sit at the end of the industrial facility&#8217;s kill chain control in many cases volatile process. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability.&#8221;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575662</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 10:34:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575662</guid>
		<description><![CDATA[Mirai Variant &quot;Satori&quot; Targets Huawei Routers
http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers

Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn. 

The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say. 

Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP - Universal Plug and Play). 

The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.]]></description>
		<content:encoded><![CDATA[<p>Mirai Variant &#8220;Satori&#8221; Targets Huawei Routers<br />
<a href="http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers" rel="nofollow">http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers</a></p>
<p>Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn. </p>
<p>The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say. </p>
<p>Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP &#8211; Universal Plug and Play). </p>
<p>The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575661</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 10:33:35 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575661</guid>
		<description><![CDATA[Industry Reactions to U.S. Blaming North Korea for WannaCry
http://www.securityweek.com/industry-reactions-us-blaming-north-korea-wannacry]]></description>
		<content:encoded><![CDATA[<p>Industry Reactions to U.S. Blaming North Korea for WannaCry<br />
<a href="http://www.securityweek.com/industry-reactions-us-blaming-north-korea-wannacry" rel="nofollow">http://www.securityweek.com/industry-reactions-us-blaming-north-korea-wannacry</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575660</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 10:31:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575660</guid>
		<description><![CDATA[Seven Seas Cybersecurity: Captain, We Have a Problem
http://www.securityweek.com/seven-seas-cybersecurity-captain-we-have-problem

Detecting Compromises Requires Monitoring a Series of Activities Over Time

In the wee hours of April 15, 1912, the unthinkable happened to the unsinkable. The RMS Titanic sank. She and more than 1,500 souls perished in the icy waters of the North Atlantic.

A century later, I sat watching the tragedy unfold as I made my own transatlantic passage aboard an Icelandair flight. I’d thought a three-and-a-half-hour film might make the trip pass faster. Instead, it only made me wonder: How stunning is Kate Winslet? And how safe is modern travel?

In its day, the Titanic had been a high-tech marvel. A product of Industrial Revolution innovations, it was grand, luxurious and in hindsight, not as safe as advertised. Its ill-fated passengers fell victim not only to an unforgiving sea, but to human error, outdated maritime safety laws, technological hubris and pernicious vanity.

Today, we expect more, no? At the very least, I don’t expect to run into an iceberg. You know, once I win the lotto and sign up for a luxury cruise.

What I found curious, though, was that while the documentary detailed safety test after safety test, not once did it mention cybersecurity. Of course, that doesn’t mean there wasn’t a plan in place, but it did get me thinking, especially after reading about how hackers can exploit load-balancing software to capsize large vessels.

It’s All Fun and Games Until Someone Can’t Play Shuffleboard: Confidentiality vs. Integrity vs. Availability

Sure, taking over control systems to capsize a ship is extreme, but is it out of the question? It’s not like we haven’t seen hacks happening in the shipping industry. For example, the recent data breach at UK shipper Clarksons and last summer’s NotPetya ransomware attack on shipping giant Maersk. What if hackers decide to take things up a notch?

While a confidentiality breach of a data system – for example, a hacker getting his hands on a passenger manifest – could mean damage to corporate brand, reputation and profits, an integrity or availability breach of a critical onboard navigation, power or cargo management system could prove disastrous. Data theft isn’t fun or a game, but data manipulation or inaccessibility that could result in loss of safety trumps all.  

Can we be too careful? Remember that iceberg … Hubris, as we know from the Titanic, can be dangerous. 

Disaster Aversion: Let History Be a Lesson

When the Titanic sank, there was – and still is – much retrospective talk about what happened, who was to blame and how the tragedy could have been prevented. The iron and rivets were too weak; the bulkheads, too short; the lifeboats, too few. But should’ves, could’ves, would’ves aside, the Titanic taught a hard-knocks, clichéd lesson: Better to be safe than sorry.

Hard to call it a bright side, but the disaster did at least lead to review and reform of maritime regulations; changes to ship design, lifeboat requirements, wireless operations, ice field navigation; and ultimately, safer travel at sea.

Today, that safety extends to implementing sound cybersecurity practices. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. 

Detecting compromises requires monitoring a series of activities over time. Unfortunately, most security tools only have visibility into a certain set of activities and cannot see and comprehend the entire kill chain. With a network visibility solution, companies can see all the data across their infrastructure to help identify weaknesses and improve their security posture. Put simply, it helps optimize existing prevention and detection security tools by simplifying, consolidating and sharing relevant data with them at the right time so they can more quickly expose malware and accelerate threat response and mitigation.]]></description>
		<content:encoded><![CDATA[<p>Seven Seas Cybersecurity: Captain, We Have a Problem<br />
<a href="http://www.securityweek.com/seven-seas-cybersecurity-captain-we-have-problem" rel="nofollow">http://www.securityweek.com/seven-seas-cybersecurity-captain-we-have-problem</a></p>
<p>Detecting Compromises Requires Monitoring a Series of Activities Over Time</p>
<p>In the wee hours of April 15, 1912, the unthinkable happened to the unsinkable. The RMS Titanic sank. She and more than 1,500 souls perished in the icy waters of the North Atlantic.</p>
<p>A century later, I sat watching the tragedy unfold as I made my own transatlantic passage aboard an Icelandair flight. I’d thought a three-and-a-half-hour film might make the trip pass faster. Instead, it only made me wonder: How stunning is Kate Winslet? And how safe is modern travel?</p>
<p>In its day, the Titanic had been a high-tech marvel. A product of Industrial Revolution innovations, it was grand, luxurious and in hindsight, not as safe as advertised. Its ill-fated passengers fell victim not only to an unforgiving sea, but to human error, outdated maritime safety laws, technological hubris and pernicious vanity.</p>
<p>Today, we expect more, no? At the very least, I don’t expect to run into an iceberg. You know, once I win the lotto and sign up for a luxury cruise.</p>
<p>What I found curious, though, was that while the documentary detailed safety test after safety test, not once did it mention cybersecurity. Of course, that doesn’t mean there wasn’t a plan in place, but it did get me thinking, especially after reading about how hackers can exploit load-balancing software to capsize large vessels.</p>
<p>It’s All Fun and Games Until Someone Can’t Play Shuffleboard: Confidentiality vs. Integrity vs. Availability</p>
<p>Sure, taking over control systems to capsize a ship is extreme, but is it out of the question? It’s not like we haven’t seen hacks happening in the shipping industry. For example, the recent data breach at UK shipper Clarksons and last summer’s NotPetya ransomware attack on shipping giant Maersk. What if hackers decide to take things up a notch?</p>
<p>While a confidentiality breach of a data system – for example, a hacker getting his hands on a passenger manifest – could mean damage to corporate brand, reputation and profits, an integrity or availability breach of a critical onboard navigation, power or cargo management system could prove disastrous. Data theft isn’t fun or a game, but data manipulation or inaccessibility that could result in loss of safety trumps all.  </p>
<p>Can we be too careful? Remember that iceberg … Hubris, as we know from the Titanic, can be dangerous. </p>
<p>Disaster Aversion: Let History Be a Lesson</p>
<p>When the Titanic sank, there was – and still is – much retrospective talk about what happened, who was to blame and how the tragedy could have been prevented. The iron and rivets were too weak; the bulkheads, too short; the lifeboats, too few. But should’ves, could’ves, would’ves aside, the Titanic taught a hard-knocks, clichéd lesson: Better to be safe than sorry.</p>
<p>Hard to call it a bright side, but the disaster did at least lead to review and reform of maritime regulations; changes to ship design, lifeboat requirements, wireless operations, ice field navigation; and ultimately, safer travel at sea.</p>
<p>Today, that safety extends to implementing sound cybersecurity practices. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. </p>
<p>Detecting compromises requires monitoring a series of activities over time. Unfortunately, most security tools only have visibility into a certain set of activities and cannot see and comprehend the entire kill chain. With a network visibility solution, companies can see all the data across their infrastructure to help identify weaknesses and improve their security posture. Put simply, it helps optimize existing prevention and detection security tools by simplifying, consolidating and sharing relevant data with them at the right time so they can more quickly expose malware and accelerate threat response and mitigation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575619</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 07:55:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575619</guid>
		<description><![CDATA[IoT Security News: DoS Attack at Your Door and Semiconductor Stats 
https://www.securerf.com/iot-security-news-dos-attack-door-semiconductor-stats/?utm_campaign=Email%20Newsletter&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=59645269&amp;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&amp;_hsmi=59645269

IoT security and semiconductor industry growth were two of the hottest tech-related topics in 2017. Every few weeks, we learned about next-generation IoT hacks, new security-related legislation, and exciting advances in processor technology. Here are a few interesting news items from the past month.

A DoS Attack at Your Door

Amazon Key is a new delivery service that enables a delivery person to enter your home and drop off a package. For $250, you get a digital keypad and a Wi-Fi-connected Amazon Cloud Cam for live streaming each delivery. But wouldn’t you know: Just a few weeks after the service’s launch, a security testing company discovered a way for a hacker to disable the camera while someone enters your home.

Jail Time for Execs Hiding Data Breaches?

Earlier this year, we wrote about the Internet of Things Cybersecurity Improvement Act of 2017, which would establish security requirements for IoT devices procured by government agencies. In late November, US Senate Commerce Committee members revisited the security issue with the introduction of the Data Security and Breach Notification Act, which would establish national data breach reporting standards. If the bill passes, corporate executives will have 30 days to report data breaches or possibly face up to five years in prison.]]></description>
		<content:encoded><![CDATA[<p>IoT Security News: DoS Attack at Your Door and Semiconductor Stats<br />
<a href="https://www.securerf.com/iot-security-news-dos-attack-door-semiconductor-stats/?utm_campaign=Email%20Newsletter&#038;utm_source=hs_email&#038;utm_medium=email&#038;utm_content=59645269&#038;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&#038;_hsmi=59645269" rel="nofollow">https://www.securerf.com/iot-security-news-dos-attack-door-semiconductor-stats/?utm_campaign=Email%20Newsletter&#038;utm_source=hs_email&#038;utm_medium=email&#038;utm_content=59645269&#038;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&#038;_hsmi=59645269</a></p>
<p>IoT security and semiconductor industry growth were two of the hottest tech-related topics in 2017. Every few weeks, we learned about next-generation IoT hacks, new security-related legislation, and exciting advances in processor technology. Here are a few interesting news items from the past month.</p>
<p>A DoS Attack at Your Door</p>
<p>Amazon Key is a new delivery service that enables a delivery person to enter your home and drop off a package. For $250, you get a digital keypad and a Wi-Fi-connected Amazon Cloud Cam for live streaming each delivery. But wouldn’t you know: Just a few weeks after the service’s launch, a security testing company discovered a way for a hacker to disable the camera while someone enters your home.</p>
<p>Jail Time for Execs Hiding Data Breaches?</p>
<p>Earlier this year, we wrote about the Internet of Things Cybersecurity Improvement Act of 2017, which would establish security requirements for IoT devices procured by government agencies. In late November, US Senate Commerce Committee members revisited the security issue with the introduction of the Data Security and Breach Notification Act, which would establish national data breach reporting standards. If the bill passes, corporate executives will have 30 days to report data breaches or possibly face up to five years in prison.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575618</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 27 Dec 2017 07:54:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575618</guid>
		<description><![CDATA[Beware the Holiday Hack 
https://www.securerf.com/beware-holiday-hack/?utm_campaign=Email%20Newsletter&amp;utm_source=hs_email&amp;utm_medium=email&amp;utm_content=59645269&amp;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&amp;_hsmi=59645269

Most online 2017 holiday gift guides have one thing in common: IoT gadgets. Wi-Fi video doorbells, wearable health monitors, phone-controlled toy robots, and “smart” ovens are just a few of the thousands of Internet-connected products being offered this holiday season. Such gifts might seem like safe products to give or receive, but reports about recent IoT hacks have shown us that most, if not all, Internet-connected devices are potential targets for hackers.

A few notable 2017 security hacks, breaches, and threats:

Smartwatch Eavesdropping: In November, a German regulator banned the sale of a kids’ smartwatch

IoTroop: Qihoo 360 and Check Point Research recently reported that the IoTroop botnet, also known as “Reaper,” was hijacking IoT devices, such as routers and IP cameras, around the globe at an extremely rapid rate.

Pacemaker Recall: The FDA announced in August that Abbott’s RF-enabled implantable pacemakers contain embedded devices that are vulnerable to wireless attack.

CAN Bus Hack: In August 2017, TrendMicro reported that a security research team found that it is possible to turn off a vehicle’s key automated components

Casino Fish Tank Hack: In July, we learned that attackers tried to steal data from a Las Vegas casino by hacking into one of its “smart” fish tanks.

As you will notice by reading through the articles we posted, too many of today’s IoT devices were designed with limited or no security, making those devices vulnerable.]]></description>
		<content:encoded><![CDATA[<p>Beware the Holiday Hack<br />
<a href="https://www.securerf.com/beware-holiday-hack/?utm_campaign=Email%20Newsletter&#038;utm_source=hs_email&#038;utm_medium=email&#038;utm_content=59645269&#038;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&#038;_hsmi=59645269" rel="nofollow">https://www.securerf.com/beware-holiday-hack/?utm_campaign=Email%20Newsletter&#038;utm_source=hs_email&#038;utm_medium=email&#038;utm_content=59645269&#038;_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&#038;_hsmi=59645269</a></p>
<p>Most online 2017 holiday gift guides have one thing in common: IoT gadgets. Wi-Fi video doorbells, wearable health monitors, phone-controlled toy robots, and “smart” ovens are just a few of the thousands of Internet-connected products being offered this holiday season. Such gifts might seem like safe products to give or receive, but reports about recent IoT hacks have shown us that most, if not all, Internet-connected devices are potential targets for hackers.</p>
<p>A few notable 2017 security hacks, breaches, and threats:</p>
<p>Smartwatch Eavesdropping: In November, a German regulator banned the sale of a kids’ smartwatch</p>
<p>IoTroop: Qihoo 360 and Check Point Research recently reported that the IoTroop botnet, also known as “Reaper,” was hijacking IoT devices, such as routers and IP cameras, around the globe at an extremely rapid rate.</p>
<p>Pacemaker Recall: The FDA announced in August that Abbott’s RF-enabled implantable pacemakers contain embedded devices that are vulnerable to wireless attack.</p>
<p>CAN Bus Hack: In August 2017, TrendMicro reported that a security research team found that it is possible to turn off a vehicle’s key automated components</p>
<p>Casino Fish Tank Hack: In July, we learned that attackers tried to steal data from a Las Vegas casino by hacking into one of its “smart” fish tanks.</p>
<p>As you will notice by reading through the articles we posted, too many of today’s IoT devices were designed with limited or no security, making those devices vulnerable.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2017/12/01/were-hitting-rock-bottom-in-cyber-lets-do-something-techcrunch/comment-page-1/#comment-1575587</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 26 Dec 2017 20:11:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=61624#comment-1575587</guid>
		<description><![CDATA[Robert McMillan / Wall Street Journal: 	
An informal band of researchers is working over Christmas to prevent hackers from disrupting online services, following PlayStation and Xbox incidents in 2014


As Videogame Hackers Try to Ruin Christmas, Watchdogs Are on Patrol
Merry band of security buffs spend holidays on alert to make sure cyber-Grinches don’t spoil the fun
https://www.wsj.com/articles/web-warriors-hunt-hacker-grinches-to-save-christmas-1513938603

Earlier this month, three men pleaded guilty to writing software, called Mirai, that is used in many of these attacks. Last year, the men released Mirai’s source code, federal prosecutors say. And that action ushered in a new era of extremely large botnet attacks.

In October 2016, Mirai was used to flood internet service provider Dyn with unwanted network traffic, an event that ground the internet to a standstill for many Americans.

“Mirai scared us to death,” said Dale Drew, chief security strategist with CenturyLink Inc., who is among Ms. Nixon’s fellow botnet fighters.

The battle against such botnets is a year-round effort, but it heats up during the holidays. Last year, just before Christmas, a group calling itself R.I.U. Star Patrol claimed on Twitter to have launched an online attack against Yahoo’s Tumblr Service and, in a YouTube video, threatened to repeat the event on Christmas Day.

However, the researchers disrupted Star Patrol before it could launch the Christmas Day attack. 

Researchers believe they may have thwarted a similar plan about two weeks ago. That was when another massive 650,000-unit botnet called Satori—which used code from Mirai—was taken down hours after the security firm Akamai Technologies Inc. published a report identifying its command-and-control server. Ms. Nixon and Mr. Drew said fellow researchers then reached out to the internet service provider asking it to take the server offline.

That takedown seems to have disrupted Satori for now.]]></description>
		<content:encoded><![CDATA[<p>Robert McMillan / Wall Street Journal:<br />
An informal band of researchers is working over Christmas to prevent hackers from disrupting online services, following PlayStation and Xbox incidents in 2014</p>
<p>As Videogame Hackers Try to Ruin Christmas, Watchdogs Are on Patrol<br />
Merry band of security buffs spend holidays on alert to make sure cyber-Grinches don’t spoil the fun<br />
<a href="https://www.wsj.com/articles/web-warriors-hunt-hacker-grinches-to-save-christmas-1513938603" rel="nofollow">https://www.wsj.com/articles/web-warriors-hunt-hacker-grinches-to-save-christmas-1513938603</a></p>
<p>Earlier this month, three men pleaded guilty to writing software, called Mirai, that is used in many of these attacks. Last year, the men released Mirai’s source code, federal prosecutors say. And that action ushered in a new era of extremely large botnet attacks.</p>
<p>In October 2016, Mirai was used to flood internet service provider Dyn with unwanted network traffic, an event that ground the internet to a standstill for many Americans.</p>
<p>“Mirai scared us to death,” said Dale Drew, chief security strategist with CenturyLink Inc., who is among Ms. Nixon’s fellow botnet fighters.</p>
<p>The battle against such botnets is a year-round effort, but it heats up during the holidays. Last year, just before Christmas, a group calling itself R.I.U. Star Patrol claimed on Twitter to have launched an online attack against Yahoo’s Tumblr Service and, in a YouTube video, threatened to repeat the event on Christmas Day.</p>
<p>However, the researchers disrupted Star Patrol before it could launch the Christmas Day attack. </p>
<p>Researchers believe they may have thwarted a similar plan about two weeks ago. That was when another massive 650,000-unit botnet called Satori—which used code from Mirai—was taken down hours after the security firm Akamai Technologies Inc. published a report identifying its command-and-control server. Ms. Nixon and Mr. Drew said fellow researchers then reached out to the internet service provider asking it to take the server offline.</p>
<p>That takedown seems to have disrupted Satori for now.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
