New Data Affirms Cyber Threat for Industrial Control Systems

Recent CyberX report finds that plain-text passwords, direct internet connections, and weak anti-virus protections place industrial control systems at risk for cyber attacks

by Phil Neray, VP of Industrial Cybersecurity, CyberX

“Press Here to Kill Everybody,” the provocative title of Bruce Schneier’s new book, gets right to the heart of the risks involved in industrial cybersecurity. Destructive malware such as WannaCry and NotPetya, as well as targeted attacks such as TRITON and Industroyer, have shown the potential impact of cyber attacks on our industrial control systems (ICS). The costly production outages and clean-up costs alone put companies at great risk, but even those are overshadowed by the potential impact of catastrophic safety and environmental incidents.

Though positive steps have lately been taken to secure our ICSs, new data from CyberX, the IIoT and ICS security company, finds that these systems are still soft targets for adversaries. The data behind our 2019 “Global ICS & IIoT Risk Report,” released on October 23, shows that major security gaps remain in key areas such as plain-text passwords, direct connections to the internet and weak anti-virus protection.

We also found the prevalence of Windows XP and other legacy Windows systems has decreased year-over-year — driven top-down by management in the aftermath of NotPetya’s financial damage — but we’re still finding unpatchable Windows systems in 53 percent of all industrial sites.

Unlike questionnaire-based surveys, our report analyzes real-world traffic from production ICS networks, making it a more accurate representation of the current state of ICS security. The report is based on data collected over the past 12 months from more than 850 production ICS networks, across six continents and all industrial sectors including energy and utilities, manufacturing, pharmaceuticals, chemicals, and oil and gas.

Among the key findings of our report, we found that 69 percent of industrial sites have plain text passwords traversing the network. Lack of encryption in legacy protocols like SNMP and FTP exposes sensitive credentials, making cyber-reconnaissance and subsequent compromise relatively easy.

Whether for convenience or inattention, 40 percent of industrial sites have at least one direct connection to the public internet. With digitization as a key business driver, operational technology (OT) networks are now also increasingly connected to corporate IT networks, providing additional digital pathways for attackers.

According to our findings, at least 57 percent of industrial sites are still not running any anti-virus protection that updates signatures automatically, leaving the programs largely ineffective, and 16 percent have at least one wireless access point (WAP). Misconfigured WAPs can be accessed by unauthorized laptops and mobile devices, and sophisticated malware such as VPNFilter targets access points such as routers and VPN gateways, enabling attackers to capture MODBUS traffic, perform network mapping, destroy router firmware and launch attacks on OT endpoints.

As we continue to both assess past attack methods and the current state of our networks and vulnerabilities, a path towards remediation and protection becomes clearer. Not everything can be protected at once, but ruthless prioritization is required. In the report, we lay out a series of eight steps towards protecting an organization’s most essential assets and processes. These include continuous ICS network monitoring to immediately spot attempts to exploit unpatched systems before attackers can do any damage; threat modeling to prioritize mitigation of the highest consequence attack vectors; and more granular network segmentation.
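The two findings above that monitoring catches most directly are credentials crossing the network in clear text (FTP, SNMP) and OT hosts with a direct path to the public internet. The script below is an added example of the kind of check a continuous-monitoring step would run; it is not code from CyberX or the report. The flow-record format, the sample records, the host addresses and the OT address ranges are all constructed for the example, and 203.0.113.10 is a documentation address standing in for an internet host.

```python
"""Scan ICS flow records for two of the report's headline exposures:
credentials in clear text and OT hosts talking directly to the internet.
Added example; flow format and sample records are constructed."""
from ipaddress import ip_address, ip_network

# Constructed sample records: "<timestamp> <src> <dst> <dst_port> <protocol> <payload...>".
SAMPLE_FLOWS = [
    "2019-10-01T08:00:01Z 10.20.1.15 10.20.1.200 21 FTP USER plc_admin",
    "2019-10-01T08:00:01Z 10.20.1.15 10.20.1.200 21 FTP PASS s3cret",
    "2019-10-01T08:00:05Z 10.20.1.30 10.20.1.201 161 SNMP community=public",
    "2019-10-01T08:00:07Z 10.20.1.40 10.20.1.202 502 MODBUS READ_HOLDING_REGISTERS",
    "2019-10-01T08:00:09Z 10.20.1.50 203.0.113.10 443 TLS client_hello",
    "2019-10-01T08:00:11Z 10.20.1.15 10.20.1.200 22 SSH kex_init",
]

# Ranges treated as inside the plant/corporate network (RFC 1918, assumed here).
# An explicit list is used instead of ipaddress.is_global so the documentation
# address in the sample is classified as "internet", as a real public host would be.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Legacy protocols whose authentication travels unencrypted, and the payload
# keywords that show a credential is present in the record.
CLEARTEXT_CREDENTIAL_MARKERS = {
    "FTP": ("USER", "PASS"),
    "SNMP": ("community=",),
    "TELNET": ("login:", "Password:"),
}


def parse_flow(line):
    ts, src, dst, port, proto, *payload = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "proto": proto, "payload": " ".join(payload)}


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETWORKS)


def redact(payload):
    """Keep the command or key and drop the value: the monitor must never
    re-log the secret it has just flagged."""
    token = payload.split()[0]
    if "=" in token:
        return token.split("=", 1)[0] + "=<redacted>"
    return token + " <redacted>"


def find_cleartext_credentials(flows):
    hits = []
    for f in flows:
        markers = CLEARTEXT_CREDENTIAL_MARKERS.get(f["proto"], ())
        if any(m in f["payload"] for m in markers):
            hits.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "proto": f["proto"], "detail": redact(f["payload"])})
    return hits


def find_direct_internet(flows):
    """Internal source, non-internal destination: a direct path out of the OT network."""
    return [{"ts": f["ts"], "src": f["src"], "dst": f["dst"], "port": f["port"]}
            for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def site_findings(lines):
    """Count one site's exposures, the way the report tallies findings per site."""
    flows = [parse_flow(l) for l in lines]
    return {
        "plaintext_credentials": len(find_cleartext_credentials(flows)),
        "direct_internet_connections": len(find_direct_internet(flows)),
    }


if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_FLOWS]
    for h in find_cleartext_credentials(flows):
        print("CLEARTEXT-CREDENTIAL", h)
    for h in find_direct_internet(flows):
        print("DIRECT-INTERNET", h)
    print(site_findings(SAMPLE_FLOWS))
```

On the sample the FTP login pair and the SNMP community string are reported with their values redacted, the Modbus and SSH records pass, and the single TLS session to a non-internal address is reported as a direct internet connection. In a real deployment the records would come from a span port or flow collector rather than a list, but the classification logic is the same.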

Analyzing the data for the second time in two years also gave us an opportunity to compare results and look for trends. Perhaps the most important conclusion we reached after looking at the delta between last year’s report and this year’s is that the delta itself is small: the industry may not have changed much over the course of the past year. Other than the drop in industrial sites using legacy Windows systems from 76 percent last year to 53 percent this year, the rest of our data changed in relatively small increments.

In comparison to last year, when the median overall risk-readiness score across all industrial verticals was 61 percent, our latest research puts the score at 70 percent. These results, however, fall short of CyberX’s minimum recommended readiness score of 80 percent. In this year’s report, the risk-readiness score by industry is 67 percent for manufacturing, 68 percent for pharmaceuticals and chemicals, 79 percent for energy and utilities, and 81 percent for oil and gas.

As these numbers suggest, awareness about the need for stronger ICS defenses is growing, but there’s still a lot of work to be done. When looking at the scope of the current ICS security situation and its many complexities, it bears remembering that we are attempting to close a 25-year gap between OT and IT security practices.

The Top 25 Passwords Leaked Online in 2018

SkOUT Secure Intelligence has released the top 25 passwords that were leaked online in 2018.

The top 25 included perennial favorites such as “123456” and “password” at number one and two, respectively, as the most common. These were followed by “123456789”, “12345678” and “12345”, rounding out the top five. The list also included other obvious passwords such as “admin” and “qwerty”. New entrants to the top 25 include “princess” and “donald”, which SkOUT says is a reference to President Donald Trump.

The 25 most commonly used passwords of 2018

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 123456789 (Up 3)
  4. 12345678 (Down 1)
  5. 12345 (Unchanged)
  6. 111111 (New)
  7. 1234567 (Up 1)
  8. sunshine (New)
  9. qwerty (Down 5)
  10. iloveyou (Unchanged)
  11. princess (New)
  12. admin (Down 1)
  13. welcome (Down 1)
  14. 666666 (New)
  15. abc123 (Unchanged)
  16. football (Down 7)
  17. 123123 (Unchanged)
  18. monkey (Down 5)
  19. 654321 (New)
  20. !@#$%^&* (New)
  21. charlie (New)
  22. aa123456 (New)
  23. donald (New)
  24. password1 (New)
  25. qwerty123 (New)

“A good password is the first line of defence between your data and an attacker, so it is vitally important that you make password security a priority in your personal and business life,” said SkOUT chief technology officer Jessvin Thomas. “If you are guilty of reusing, rotating, or using notoriously weak passwords, you are making yourself or your business an easy target for attackers.”
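A blocklist built from a list like the one above is only useful if it also catches the “rotated” forms Thomas mentions (“Password2019!”, “Sunsh1ne”), since those are the first variants any cracking wordlist tries. The checker below is an added example, not SkOUT’s or the article’s code: the blocklist is the top 25 from the article, while the normalization rules (lower-casing, undoing common character substitutions, stripping trailing digits and punctuation) and the 12-character minimum are this example’s own choices.

```python
"""Reject passwords that are on, or are trivial variants of, a breach-derived
blocklist.  Added example; the list is the SkOUT 2018 top 25 quoted above,
the normalisation rules and the length threshold are this example's own."""
import re

# The SkOUT top-25 list from the article, used as the blocklist.
TOP_25_2018 = [
    "123456", "password", "123456789", "12345678", "12345", "111111", "1234567",
    "sunshine", "qwerty", "iloveyou", "princess", "admin", "welcome", "666666",
    "abc123", "football", "123123", "monkey", "654321", "!@#$%^&*", "charlie",
    "aa123456", "donald", "password1", "qwerty123",
]

# Substitutions that wordlist rules undo; applying the same mapping here means
# 'P4ssw0rd' lands on 'password'.  (Example's own choice of mapping.)
LEET = str.maketrans("013457@$", "oieastas")
MIN_LENGTH = 12  # example's own threshold, not from the article


def variants(pw):
    """All forms a candidate is compared under, so that rotated or
    substituted variants map onto the same blocklist entry."""
    low = pw.lower()
    forms = {low}
    # Drop rotation suffixes: 'password2019!' -> 'password'.
    stripped = re.sub(r"[\d\W_]+$", "", low)
    if stripped:                       # purely numeric entries such as '123456' keep their digits
        forms.add(stripped)
    if re.search(r"[a-z]", low):       # only un-leet strings that contain letters
        forms.add(low.translate(LEET))
        if stripped:
            forms.add(stripped.translate(LEET))
    return forms


# Expand the blocklist once with the same rules used on candidates.
BLOCKED = {form for entry in TOP_25_2018 for form in variants(entry)}


def check_password(pw):
    """Return (accepted, reason).  Length is checked first because a short
    password is rejected regardless of what it contains."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hit = variants(pw) & BLOCKED
    if hit:
        return False, f"variant of blocklisted password {sorted(hit)[0]!r}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password2019!!", "Sunsh1ne!2018", "W3lcome!2018",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

The intersection of the candidate’s variant set with the expanded blocklist is what makes “Sunsh1ne!2018” fail against “sunshine” even though neither string appears verbatim in the other. In production the blocklist would be a far larger breach corpus checked through a hashed or k-anonymity lookup rather than an in-memory set, but the normalization step stays the same.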

500 Million Personal Records were Stolen in 2018

According to an annual report by the Identity Theft Resource Center, the number of U.S. data breaches tracked in 2018 fell 23 percent from last year’s all-time high of 1,632 breaches to 1,244, but the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126 percent, from 197,612,748 records exposed in 2017 to 446,515,334 records this past year.

Another critical finding, according to The 2018 End-of-Year Data Breach Report, was the number of non-sensitive records compromised: an additional 1.68 billion exposed records not included in the totals above. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers use the same username/email and password combinations across multiple platforms, creating a serious vulnerability.

“The increased exposure of sensitive consumer data is serious,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “Never has there been more information out there putting consumers in harm’s way. ITRC continues to help victims and consumers by providing guidance on the best ways to navigate the dangers of identity theft to which these exposures give rise.”

Colin Bastable, CEO of cybersecurity test and training company, Lucy Security, told Security magazine: “Third-parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are. By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk. By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blind-sided: you reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised. Many business cloud applications use APIs to integrate with corporate email and other systems – each connection multiplies our risks of loss from being hacked.”

He added: “Using email addresses as usernames is to be avoided whenever possible. Organizations don’t do this to help consumers, but to reduce the support burden and lost business from forgotten usernames. Convenience is a double-edged sword – if it’s easy for you, it’s easier to attack you. Last, from an organizational perspective, the technologies already exist to protect data. We have encryption, tokenization, MFA, anti-malware software, firewalls and so on, but attacks keep succeeding at increasing rates. Therefore, we can conclude that cybersecurity technology is never going to solve this problem. In February 2020, reports will show that 2019 was another stellar growth year for hackers. Businesses, Consumers, Governments, Militaries, NGOs and Politicians will all be hacked this year as never before: your job is to make sure that you, your family and your organization are not one of them. If you don’t have to hold consumer data – don’t. Train your people relentlessly, and run “what-if?” scenarios for the 20% of them who will click on a phishing link. Test systems and people in a holistic model, and let someone else be the victim.”

Three UK’s brief homepage error reveals customer data

  • The mobile operator’s website homepage showed other customers’ details to visitors.
  • Once informed, Three UK patched the issue within hours but did not provide details of the impact.

On Friday, British telecom company Three UK briefly exposed some of its customers’ data after several visitors noticed that the company’s website homepage was displaying other customers’ private details.

A visitor named Chris tweeted that other customers’ details were appearing on the site’s homepage. The data, shown seemingly at random, included customer names, postal addresses, phone numbers and email addresses, among other fields.

“When you load their site over your mobile internet connection, it recognizes you and automatically logs you in. I was doing this on my home Wi-Fi (which isn’t Three), so it should’ve required me to log in manually when I first went to their site. I guessed it might’ve either redirected me to a session for a valid user who was accessing at the same time, or some blip which didn’t recognize me and just assigned another user’s ID instead,” he told The Register.

Fixes issue within hours

After Chris’ tweet, the telecom company immediately responded that it was working on the issue. It took down the site for a couple of hours and patched the flaw.

However, Three UK has not disclosed the scale of the temporary breach following the fix. The Information Commissioner’s Office, which oversees data privacy and information rights in Britain, told media that Three UK has informed it of the incident.

A total of four visitors reported the issue to Three UK. Notably, they could see the details without logging in at all.

Airbus Suffers Data Breach, Some Employees’ Data Exposed

European airplane maker Airbus admitted yesterday a data breach of its “Commercial Aircraft business” information systems that allowed intruders to gain access to some of its employees’ personal information.

Though the company did not elaborate on the nature of the hack, it claimed that the security breach did not affect its commercial operations. So, there’s no impact on aircraft production.

Airbus confirmed that the attackers gained unauthorized access to some data earlier this month, which the plane manufacturer said was “mostly professional contact and IT identification details of some Airbus employees in Europe.”

“Investigations are ongoing to understand if any specific data was targeted; however we do know some personal data was accessed,” Airbus said in its press release published on Wednesday.

After detecting the security breach, the plane manufacturer started an investigation to determine the origin of the hack, understand the full scope of the data breach and establish whether any specific data was targeted.

The company has begun taking “immediate and appropriate actions to reinforce existing security measures,” which were not enough to keep the hackers out of their systems, “and to mitigate its potential impact” so that it can prevent similar incidents from happening in the future.

The company has also instructed its employees to “take all necessary precautions going forward,” to strengthen their security defenses.

Airbus also said it was in contact with the relevant regulatory authorities and the data protection authorities pursuant to the European Union’s new GDPR (General Data Protection Regulation) rules.

Airbus is the world’s second-largest manufacturer of commercial airplanes, after Boeing, which was itself hit by a cyber attack (a variant of the infamous WannaCry ransomware) in March last year that “affected a small number of systems” with no impact on production.

India’s largest bank SBI leaked account data on millions of customers

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system that customers of the government-owned State Bank of India (SBI) use to request basic information about their bank accounts. SBI is the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access information on millions of customers.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some messages stated when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud.”

SBI claims more than 500 million customers across the globe, with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.