Smart Irrigation System Botnets Threaten Public Water Supply

Smart irrigation system vulnerabilities could pose risks to the public water supply, warned researchers from Israel-based Ben-Gurion University of the Negev.

The researchers found that attackers could employ a botnet of smart irrigation systems used by city and local governments to remotely turn watering systems on and off at will. This would enable attackers to empty public water supplies held in towers and reservoirs.

The researchers demonstrated how a bot running on a compromised device can detect a smart irrigation system connected to its local area network in less than 15 minutes. The bot can turn on watering of each smart irrigation system using a set of session hijacking and replay attacks.

“By simultaneously applying a distributed attack that exploits such vulnerabilities, a botnet of 1,355 smart irrigation systems can empty an urban water tower in an hour and a botnet of 23,866 smart irrigation systems can empty flood water reservoir overnight,” said Ben Nassi, one of the researchers who conducted the study.

The researchers examined three popular smart irrigation systems: GreenIQ, BlueSpray, and RainMachine. “We have notified the companies to alert them of the security gaps so they can upgrade their smart system’s irrigation system’s firmware,” said Nassi.

“Although the current generation of IoT devices is being used to regulate water and electricity obtained from critical infrastructures, such as the smart-grid and urban water services, they contain serious security vulnerabilities and will soon become primary targets for attackers,” he added.

Countermeasures to Stop Attacks

For countermeasures, organizations running these smart irrigation systems should consider monitoring unusual water consumption in urban water services. Once unusual activity is detected, the organizations can stop the water distribution. Unfortunately, this also prevents people from getting water, so it is not a long-term solution.

The organization can upgrade from HTTP to HTTPS in their communications. This would prevent attackers from spoofing TCP packets.

Also, organizations can disable SSH because it is not needed to communicate with a smart irrigation system when a cloud serves as a mediator. This will prevent attackers from executing code on a smart irrigation system by detecting weak passwords, the researchers concluded.
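The consumption-monitoring countermeasure above can be sketched as follows. This is an added example, not code from the researchers or the article; the 10-minute district-meter readings, the thresholds, and the function names are assumptions, and all sample data is constructed.

```python
from statistics import median

# Constructed sample: 7 days of district-meter volumes (m^3) in 10-minute slots.
PROFILE = [4] * 36 + [12] * 24 + [8] * 48 + [11] * 24 + [5] * 12
HISTORY = [[v + (d % 3 - 1) for v in PROFILE] for d in range(7)]

# Constructed "today": a one-slot benign spike, plus a sustained night-time
# surge of the kind many controllers watering at once would produce.
TODAY = list(PROFILE)
TODAY[80] += 10
for slot in range(12, 18):          # 02:00-03:00
    TODAY[slot] += 30


def slot_baseline(history):
    """Per-slot (median, MAD) over past days; robust to a few odd days."""
    baseline = []
    for slot in range(len(history[0])):
        values = [day[slot] for day in history]
        med = median(values)
        mad = median([abs(v - med) for v in values])
        baseline.append((med, mad))
    return baseline


def find_alerts(today, baseline, k=6.0, floor=2.0, sustain=2):
    """Return slots where volume has exceeded median + max(k*MAD, floor)
    for `sustain` consecutive slots. Requiring a sustained excess avoids
    cutting distribution over a single noisy reading."""
    alerts, run = [], 0
    for slot, volume in enumerate(today):
        med, mad = baseline[slot]
        run = run + 1 if volume > med + max(k * mad, floor) else 0
        if run >= sustain:
            alerts.append(slot)
    return alerts


if __name__ == "__main__":
    for slot in find_alerts(TODAY, slot_baseline(HISTORY)):
        print(f"{slot * 10 // 60:02d}:{slot * 10 % 60:02d} sustained excess consumption")
```

With these settings the first alert fires 20 minutes into the surge, while the isolated spike at slot 80 is ignored.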

More than 4M PHI Records Exposed by Firebase Mobile App Vulnerability

A mobile app vulnerability in Google Firebase is exposing protected health information (PHI) and other sensitive data.

Mobile app security firm Appthority found more than 2,300 unsecured Firebase databases and 3,000 iOS and Android apps with this security flaw.

Users have downloaded Android versions of these apps more than 620 million times.

The mobile app vulnerability exposed more than four million PHI records, such as chat messages and prescription details.

All told, the vulnerability exposed more than 100 million sensitive records, including 2.6 million plain text passwords and user IDs, 25 million GPS location records, and 50,000 financial records.

Firebase is a backend database technology for mobile apps, but it does not secure user data by default, explained Appthority.

Developers must secure all tables and rows of data to avoid data leaks. Attackers can easily find open Firebase app databases and gain access to millions of private mobile data app records.
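One way a developer can check their own configuration for this gap is to audit the database rules before deployment. The following is an added example, not code from Appthority or Google; it assumes the JSON rules format of the Firebase Realtime Database, and the rule sets and function names are constructed for illustration.

```python
import json

# Constructed sample rules (Realtime Database JSON format), not taken from any real app.
WEAK_RULES = json.loads("""{
  "rules": {
    ".read": true,
    ".write": "auth != null",
    "prescriptions": {"$uid": {".read": "auth != null && auth.uid == $uid"}}
  }
}""")

HARDENED_RULES = json.loads("""{
  "rules": {
    "prescriptions": {"$uid": {
      ".read": "auth != null && auth.uid == $uid",
      ".write": "auth != null && auth.uid == $uid"
    }}
  }
}""")


def is_public(expr):
    """True when a rule grants access without consulting auth at all."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit(rules, path="", inherited=None):
    """Walk a rules tree and return (path, operation, reason) findings.

    A .read/.write grant cascades to every child path, so a stricter rule
    written below a public parent never takes effect.
    """
    granted = dict(inherited or {})
    findings = []
    for op in (".read", ".write"):
        expr = rules.get(op)
        if op in granted:
            if expr is not None and not is_public(expr):
                findings.append((path or "/", op, f"ineffective: public at {granted[op]}"))
        elif is_public(expr):
            findings.append((path or "/", op, "public: no authentication required"))
            granted[op] = path or "/"
    for key, child in rules.items():
        if isinstance(child, dict):
            findings += audit(child, f"{path}/{key}", granted)
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_RULES["rules"]):
        print(finding)
```

The weak rule set produces two findings: the public root read, and the per-user read rule that looks protective but is overridden by it.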

Firebase Wears HospitalGown

The Firebase data exposure is a new variant of HospitalGown that occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.

HospitalGown exposes an enterprise to Big Data exfiltration, leakage of personally identifiable information, and data theft.

Apps suffering from the HospitalGown flaw are doing what they are supposed to do. They don’t compromise the device and aren’t being attacked.

These apps are available on reputable sites like Google Play and the Apple App Store. Apps with this mobile app vulnerability likely pass all mobile app reputation tests.

Massive amounts of data come from these apps. In total, Appthority found the HospitalGown vulnerability exposed almost 43 terabytes of data and affected 1,000 apps.

A thousand apps leak terabytes of data, all due to simple human error: failure to secure the backend data stores.

Certain Volkswagen Connected Cars Are Vulnerable to Hackers

Hackers could gain control of systems in Volkswagen connected cars through vulnerabilities in the in-vehicle infotainment systems, researchers at Computest have discovered.

The vulnerabilities in the connected cars—2015 Volkswagen Golf GTE and Audi A3 e-tron—cannot be fixed remotely. Owners must bring their vehicles into the dealer to get the firmware upgrade. This means owners will continue to be vulnerable to the attack until they bring their cars in.

The researchers, Daan Keuper and Thijs Alkemade, exploited vulnerabilities in the infotainment system manufactured by Harman. They were then able to gain control of the central screen, speakers, and microphone. “This is a level of access that no attacker should be able to achieve,” the researchers opined.

At the same time, the researchers said that they were not able to directly affect driving behavior or any safety systems because of the controller area network (CAN) gateway.

“A remote adversary is new territory for most industrial component manufacturers, which, to be mitigated effectively, requires embedding security in the software development lifecycle,” they observed.

“This is easier in an environment with automatic testing, continuous deployment and possibility to quickly apply updates after release. This is not always possible in the hardware industry, due to local regulations and the ecosystem. It often requires coordination between many vendors. But, if we want to protect future cars, these are problems we have to solve,” they concluded.

DHS Falls Short in Achieving its Cybersecurity Mission, Says GAO

The Department of Homeland Security (DHS) has fallen short in fulfilling its mission to lessen cybersecurity risks on federal and private-sector computer systems and networks, judged the Government Accountability Office (GAO) in a recent report.

In particular, DHS has failed to develop metrics to measure and report on the effectiveness of its cyber risk mitigation activities or the IT security posture of the eight critical infrastructure sectors for which it is the lead federal agency, the report found.

The department’s National Cybersecurity and Communications Integration Center has failed to develop metrics and methods to evaluate its performance against statute-defined implementing principles.

Also, DHS’s National Cybersecurity Protection System had only partially met its objectives of detecting and preventing intrusions, analyzing malicious content, and sharing threat information.

The department has not identified all of its cybersecurity positions, has not assigned codes to filled and vacant positions, and has not determined critical skill requirements for those positions.

“Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department’s ability to improve and promote the cybersecurity of federal and private-sector networks will be limited,” the GAO concluded.

SamSam Ransomware Attackers Cover their Tracks

Attackers behind SamSam ransomware use two tactics to penetrate an organization. They target vulnerabilities in a target organization’s systems to gain access to its network or they launch brute-force attacks against weak passwords of the remote desktop protocol (RDP).

This is according to an analysis by security firm SophosLabs.

“Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools,” SophosLabs researchers said in a white paper.

Once the attackers get in, they look for additional victims through network mapping and credential theft. Then, the attackers manually deploy SamSam on targeted systems using PSEXEC and batch scripts.

The attackers cover their tracks, so security pros have trouble determining the initial infection point and some of their steps inside the network. They also delete attack files, including the SamSam payload, and change the deployment methodology.

Adobe Flash Is Bane of IT Security Professionals’ Existence

Adobe Flash has been the bane of IT security pros for years. Adobe has tried to keep ahead of Flash vulnerabilities by getting patches out in a timely manner. Unfortunately, Flash security problems continue.

One example is a Flash zero-day exploit uncovered by Kaspersky Lab that enables attackers to deliver FinSpy malware disguised in a Microsoft Office document.

The FinSpy malware and other FinFisher products are made by Gamma International and sold to governments and other law enforcement agencies to conduct surveillance. The latest version includes added anti-analysis techniques that make it hard to analyze the malware.

Kaspersky suspects that the attackers are part of the BlackOasis cyberattack group because of similarities in this most recent payload with other attacks carried out by the group. Kaspersky also suspects that another FinSpy attack uncovered by FireEye in September is the work of BlackOasis because the attackers used the same command and control server.

The security firm explained that the Flash exploit is a memory corruption vulnerability enabling attackers to gain arbitrary read/write operations within memory.

BlackOasis targets include people involved in Middle Eastern politics, including UN officials, opposition activities, and regional news correspondents.

“We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies,” Kaspersky researchers wrote in a SecureList blog post.

“One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace,” they noted.

“We believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here will continue to grow,” they concluded.

The Kaspersky researchers advised organizations to disable Flash, although this may be difficult to do and may disable applications that rely on Flash, and to deploy a multi-layered approach to security, including strict access policies, anti-virus software, network monitoring, and application whitelisting.

Kaspersky informed Adobe about the Flash exploit, and the company released a patch.