New Laws for Security in the UK Energy Industry

Because technology develops so rapidly, laws have had a hard time keeping up with modern practices and problems. More and more industries now include some connection to the Internet of Things, which gives hackers more opportunities to attack. One such industry is the energy industry. The UK is currently developing laws to ensure that energy companies implement a certain amount of security. These laws will require energy companies to put particular measures in place to protect sensitive personal data. One aspect of these laws is that the process for reporting a company’s compliance will be more involved and will require the company to show how it is meeting the requirements, not just say that it is. Companies that do not comply will face fees, either a flat rate or an amount based on their global turnover, depending on the size of the company.

While this does place more of a burden on companies by forcing them to invest properly in security, one aim of these laws actually benefits them: increasing public trust in industries that use network connections. This past year, the UK has seen a great increase in attacks compared to previous years, which has taken a toll on the public's confidence in online security. The law therefore hopes to push companies to increase their protection and to save them from attacks that lead not only to stolen customer data but also to a drop in public confidence.

~Rebecca Medina

Source: http://www.powerengineeringint.com/articles/print/volume-26/issue-2/features/the-cybersecurity-laws-you-must-know.html

Tesla’s Cloud Server Hacked to Mine Cryptocurrency

Tesla has fallen victim to the recent wave of cryptojacking, or the use of someone else’s computing power to mine for cryptocurrencies. Last month, the cloud monitoring and defense firm RedLock discovered that mining malware was being run on Tesla’s AWS infrastructure. RedLock discovered the hack while scanning for misconfigured cloud servers. They found an open server running a Kubernetes console, an administrative console for cloud application management, that was mining cryptocurrency.

How did this breach occur? The Kubernetes console wasn’t password protected, meaning that it could have been accessed by anyone. One of the containers within that console contained login credentials for Tesla’s AWS cloud environment. From that point the attackers just logged in and deployed their mining scripts. It is unknown how long the mining was going on, as the attackers hid themselves well. Since the mining occurred on a large cloud server, where power consumption is already quite high, the mining didn’t cause a change significant enough to arouse suspicion. The attackers also used their own mining server, communicated over an unusual IP port, encrypted all communications, and used a proxy server.

However, Tesla claims that neither customer privacy nor vehicle safety was compromised in any way. They also said that the impact seemed to be limited to engineering test cars. RedLock submitted the hack through Tesla’s bug bounty program and was awarded just over $3,000, which it donated to charity.

What can we make of this? Since hackers are “lazy,” the sophistication of these attacks suggests that the basic security measures are doing their jobs. But it also means that, with the rise in cryptocurrency value, the payoff is becoming worth the investment of so many resources and so much effort to pull off a sophisticated hack on a major corporation. Organizations with cloud servers are being targeted more than ever, and not all of them are prepared for it.

Owen Ryan

Sources:

https://www.wired.com/story/cryptojacking-tesla-amazon-cloud/

http://www.bbc.com/news/technology-43140005
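The Tesla write-up above turns on AWS credentials sitting inside a container. As an added example (not part of the original post, and not RedLock's or Tesla's tooling), the following audit walks a pod listing in the shape produced by `kubectl get pods -o json` and reports containers that carry AWS credentials as literal values instead of Secret references. The sample data, pod names and the function name are constructed for illustration.

```python
import json
import re

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SENSITIVE_NAMES = {"AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Constructed sample in the shape of `kubectl get pods -o json`; the key ID is
# the placeholder used in AWS documentation, not a real credential.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ci", "name": "builder"},
     "spec": {"containers": [{"name": "build", "env": [
         {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
         {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-secret"}]}]}},
    {"metadata": {"namespace": "web", "name": "api"},
     "spec": {"containers": [{"name": "api", "env": [
         {"name": "AWS_SECRET_ACCESS_KEY", "valueFrom": {"secretKeyRef":
             {"name": "aws-creds", "key": "secret"}}}],
         "args": ["--region", "us-east-1"]}]}},
]})

def find_inline_aws_credentials(pod_list_json):
    """Return (namespace, pod, container, location) per literal credential."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            where = []
            for var in c.get("env", []):
                value = var.get("value")  # absent when valueFrom is used
                if not value:
                    continue
                if var.get("name") in SENSITIVE_NAMES or KEY_ID.search(value):
                    where.append("env:" + var.get("name", "?"))
            for field in ("command", "args"):
                if any(KEY_ID.search(str(a)) for a in c.get(field, [])):
                    where.append(field)
            findings += [(meta.get("namespace"), meta.get("name"),
                          c.get("name"), w) for w in where]
    return findings

if __name__ == "__main__":
    for finding in find_inline_aws_credentials(SAMPLE):
        print(finding)
```

A finding here means anyone who can read the pod spec, for example through an unauthenticated console, can read the credential as well.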

Breach in Equifax

Equifax is one of three credit reporting agencies that keep financial data on many individuals throughout the United States. Between May and July of last year, hackers stole nearly half the U.S. population’s Social Security numbers, birthdays, driver’s license numbers, and addresses from Equifax. The Wall Street Journal now reports that the stolen data also included tax identification numbers and driver’s license states and issuance dates, as well as some email addresses. The severity of the damage is enormous considering that hackers can use this information to open bank accounts and lines of credit, put a home in their name, take out car loans, and even take your tax refund without the victim’s knowledge. Furthermore, it makes it easier for them to impersonate you, because most of the leaked information is nearly impossible to change for all 145 million people.

Equifax was notified by Homeland Security before the breach, alerting them that there was a critical vulnerability in their web application software, named Apache Struts, that was used to breach the system. However, the person who received this information “forgot” to let the company know that the software needed to be patched and updated. It is quite interesting that they still don’t know who hacked Equifax and, even more interesting, that barely anyone is even asking the question anymore.

To this day, Equifax is still investigating the breach with government officials. However, Sen. Elizabeth Warren released a report this week on the breach, calling on Congress to crack down on credit reporting agencies. “[The breach] showed how a lack of oversight and accountability from credit reporting companies played a key role in the largest credit consumer data breach in history,” Warner said in a statement to The Hill. Despite the damage caused by the cyber-security attack, not much has changed in Congress towards cracking down on credit agencies or improving data security systems.

Sources:

https://www.msn.com/en-us/news/technology/the-equifax-hack-exposed-more-data-than-previously-reported/ar-BBIZAbV?OCID=ansmsnnews11

http://thehill.com/policy/technology/373198-dem-call-for-more-action-on-equifax-hack

https://www.vox.com/policy-and-politics/2018/2/7/16984522/elizabeth-warren-equifax-data-breach-cfpb

-Noor Mohammad

Oracle Identity Manager Hacked through a Critical Flaw

 

Based in Redwood, California, Oracle Corporation is the largest software company whose primary business is database products. Historically, Oracle has targeted high-end workstations and minicomputers as the server platforms to run its database systems. Its relational database was the first to support the SQL language, which has since become the industry standard.

An exploit was found in Oracle’s identity management system. This exploit has been marked as CVE-2017-10151. It has been assigned the highest CVSS score of 10 and is easy to exploit without any user interaction.

This CVE is due to a security loophole involving a default account that allows an unauthenticated attacker on the same network to compromise the Oracle Identity Manager through HTTP.

The full details of this vulnerability have not yet been released by Oracle.

“This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” Oracle’s advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has already released patches for all versions of the products that were affected by this CVE. All users should update to the latest version of Oracle to patch the vulnerability before a hacker has the chance to exploit it.

Justin Palmer

Sources:

https://thehackernews.com/2017/10/oracle-identity-manager.html

https://www.oracle.com/index.html

 

The Cloud: Is it good or bad?

Is the Cloud good or is it bad? In order to answer this question we need to ask ourselves, what exactly is the cloud? What the cloud really is, is just a network of servers… or in other words, the internet. When you are at home surfing the internet you are on the cloud, and the cloud can be used to do a great many things. You can play games on the cloud, watch movies, listen to music, and now everyone is starting to store personal data in the cloud, on the internet.

There are good and bad things about using the cloud. Some of the good things about the cloud are things like access to your personal or work files, even if you forget to bring them around with you. The game distribution program Steam has started using the cloud to sync video game save files so that if you are using more than one computer you can still pick up where you left off. I personally think that game saves are one of the best uses for the cloud so far, mostly because who is going to want to steal your game saves?

One of the bad things about the cloud is that your files are simply on the internet, whether companies say they are secure or not, and as one of the oldest sayings goes, “Once it is on the internet it is there forever.” Now this is not always the case, because if the files are being shared privately they can just be deleted, but if they get leaked into the public part of the internet they will likely stay there forever.

The article I read referred to the cloud as an “addiction,” and I believe this is the right term to use considering all the companies suddenly trying to switch everything over to the cloud. The problem is that what you gain in accessibility and reduced cost, you lose in security. This all depends on how each company works, but it is also where the article states that the addiction of the cloud kicks in. “This is the slippery slope, data that might inadvertently go to the cloud or fall under the grip of the cloud addiction: ‘The last bit of data we sent to the cloud seems safe enough, so let’s move up the sensitivity pyramid and save even more money.’ ”

In the end, there really is no full security on the internet, or the cloud. What could help with security would be to encrypt any important files that a company puts on the cloud. This would ensure that even if some files were taken, at least they won’t be easily accessed, if at all. “Is the Cloud good or bad?” might not be the right question, then. It might instead be better to ask how far you are willing to go to protect your files and how much security you are willing to compromise for the sake of accessibility and cost.

Reference:

http://www.scmagazine.com/cloud-addiction-at-what-point-does-the-elastic-snap/article/317413/