Author Archives: brianhonan

Official Google Twitter account hacked in Bitcoin scam

The epidemic of Twitter-based Bitcoin scams took another twist this week as attackers tweeted scams directly from two verified high-profile accounts. Criminals sent posts from both Google’s G Suite account and Target’s official Twitter account.

Cryptocurrency giveaway scams work by offering money to victims. There’s a catch, of course: They must first send a small amount of money to ‘verify their address’. The money in return never shows up and the attackers cash out.

Authenticity is a key factor in these scams, and accounts with verified status, shown by a blue tick, carry more of it. So it makes sense for attackers to hack verified accounts and then use them to impersonate very high profile people with lots of followers. Elon Musk and Ethereum founder Vitalik Buterin have both been targets for imposters.

On Tuesday, criminals went one better, managing to compromise the official account of Google’s G Suite. This gave them an authentic platform to address the account’s 822,000 followers as Google itself, rather than impersonating it with another hacked account.

The Bitcoin giveaway scam quickly followed, claiming that G Suite was now accepting cryptocurrency payments and offering a total of 10,000 Bitcoins (BTC) to “all community”. The scammers asked for between 0.1 and 2 BTC, and promised to return ten times the amount sent. They also added a bonus: send 1 BTC or more and get an additional 200% back.

Well, with an offer like that, who could say no? Thankfully, everyone. A quick look at the address posted in the scam revealed no transactions at the time of writing. This is probably because Google removed the post quickly after spotting what had happened.

The same couldn’t be said for readers of Target’s Twitter feed, which was hit by a similar attack the same day. The address used in the Target hack was also used in an attack earlier this week on Elon Musk. Unlike the Target and G Suite accounts, though, Musk’s wasn’t hacked. Instead, the criminals hacked the @farahmenswear Twitter account, which has verified status, and then changed the name on the account to resemble Musk’s.

Altogether, the Musk/Target scammers scooped 5.86 BTC, amounting to $32,700 as of yesterday’s exchange rate. Yesterday afternoon, the crooks began cashing out, sending money from the scam Bitcoin address to others.

These are the latest in a long string of cryptocurrency frauds perpetrated on Twitter that the company has struggled to contain. It banned the use of Elon Musk handles in July, in a bizarre game of whack-a-mole which parodists and criminals alike – including this week’s scammer – easily won by using slightly different characters in Musk-like names.

In September, CEO Jack Dorsey testified before Congress that blockchain technology itself may be a solution to the rampant scams on the network. He said:

So blockchain is one that I think has a lot of untapped potential, specifically around distributed trust and distributed enforcement, potentially.

We haven’t gone as deep as we’d like just yet in understanding how we might apply this technology to the problems we are facing at Twitter but we do have people within the company thinking about it today.

That’s a statement of interest, not a solution.

Account owners have their part to play, too. It isn’t clear whether Google and Target were using two-factor authentication, which Twitter launched in basic form in 2013 and updated to support Authenticator apps in 2017. If they were, then the hackers somehow got around it. If they were not, then why not?

While Twitter continues to try and work this problem out, it’s advisable for everyone who uses Twitter (and any other site that has the option) to turn on 2FA – and to avoid giving money to strangers!

from Naked Security – Sophos

DARPA uses a remote island to stage a cyberattack on the US power grid

There was the sound of breakers tripping in all seven of the grid’s low-voltage substations, and then the station was plunged into darkness. It was the worst possible scenario: swaths of the country’s grid had already been offline for a month, exhausting battery backups at power plants and substations alike.

What would you do if you were in that utility command center? Turn up everything all at once? Turn up smaller pieces of the grid and put them into a protected environment to run cyberforensics and thus keep them from potentially spreading whatever malware was used in the attack?

Those are the kinds of questions that are typically confined to a lab setting. But earlier this month, on a small island 1.5 miles off the shore of Long Island, the Defense Advanced Research Projects Agency (DARPA) brought the dreaded scenario to life.

Plum Island – at 840 acres, it’s about the same size as Central Park, in Manhattan – is officially called the Plum Island Animal Disease Center. Currently run by the Department of Homeland Security (DHS), the federal facility comprises 70 mostly decrepit buildings.

The island has its own fire department, power plant, water treatment plant and security. The center was originally created in 1954, in response to outbreaks of foot-and-mouth disease in cattle. DHS took over control of Plum Island in 2003, due to the research center’s critical role in protecting the nation’s livestock from infectious animal diseases.

It’s a mixture of industrial infrastructure and isolated, unpeopled, wind-swept, undeveloped acreage with unparalleled views, as the government described in its sales listing when it tried to offload the property.

In short, you couldn’t ask for a better spot to stage an attack on the electric power grid, according to Stan Pietrowicz, a researcher at Perspecta Labs who’s working on a network analysis and threat detection tool that can be used in so-called “black-start” situations, when power has to be restored to a dead grid. Wired quotes him:

We had 18 substations, two utilities, two command centers, and we had two generation sources that we had to bring up a crank path and synchronize. It had a realism that you don’t really find in lab environments that made you rethink the approach.

A cranking path is a portion of the electric system that can be isolated and then energized to deliver electric power from a generation source to enable startup of other generating units.

The week-long exercise, dubbed “Liberty Eclipse,” was designed to throw everything imaginable at a group of DARPA-funded research projects known as Rapid Attack Detection, Isolation and Characterization Systems (RADICS). The aim of the three-year-old RADICS program is to ensure that US utilities can bounce back from a blackout brought on by a cyberattack.

And the aim of the Liberty Eclipse project was to uncover gaps in RADICS defenses under dire, black-start conditions, in which a cyberattack wrestles the power grid to its knees and forces operators to start from scratch.

Walter Weiss, a program manager for the exercise, told reporters that nobody has ever done this before.

As described by EE News – a news outlet focused on energy and the environment – this wasn’t just a simple staging of a cyberattack. The project planners tossed a variety of wrenches into the mix, including a steady onslaught of simulated cyber and physical attacks. For example, at one point, they introduced a data “wiper,” modeled on real-world cases of ransomware, which could send grid operators back to square one if they weren’t careful.

According to Wired, Plum Island’s weather also played a role. Rainy days and high winds made it difficult to take the ferry back and forth to the island and hampered physical work on the grid. The conditions also showed the limitations of one of the recovery tools being developed to survey the grid from above: balloons carrying lightweight electromagnetic radiation detectors that could be launched during a blackout to seek out simple indicators of live power, such as Wi-Fi hotspots from home routers and electromagnetic signals that could show where electrons are actually flowing.

The balloons couldn’t cut it, and the red-team hackers running the attacks never let up while those balloon-borne sensors were being buffeted. Wired:

One day, the researchers were instructed to pack overnight bags in case they couldn’t come back from the island until morning. The balloons weren’t reliable in the bad weather, so some of the researchers tried flying the sensors on a kite instead. That proved impractical with the winds. And all the while, the so-called red team kept hacking away.

According to Weiss, DARPA is working on a public after-action report that will cover any major weaknesses found in the RADICS program and map out next steps. The Department of Energy (DOE) is also drafting its own set of takeaways: according to EE News, it completed a related tabletop exercise last month and joined in on the exercise at Plum Island. Others who trekked out to the island included dozens of representatives from major utilities and industry groups.

Successful cyberattacks are real

Real-world scenarios of power grids being crippled by hackers aren’t purely hypothetical: the Ukrainian power grid was attacked in December 2015, affecting 20 substations and leaving about 230,000 people without electricity for hours.

The SANS Institute categorized the outage as a coordinated cyberattack. Malware didn’t directly cause the outage, SANS said, but it did give the attackers a foothold into the grid’s command and control, and malware was also used to thwart recovery.

The Ukrainian power grid was attacked again in December 2016, when remote terminal units (RTUs) controlling circuit breakers at Ukrenergo’s Pivnichna power substation near Kiev suddenly shut down.

The two attacks had striking similarities, including the same BlackEnergy 3 malware, initiated by malicious spear-phishing attachments that had reportedly bounced around inside state organizations for months.

What was particularly worrisome in the case of the Ukrainian outages was the prospect that the attackers could have been using Ukraine as a playground as much as a battlefield: after all, experts pointed out, the country uses the same equipment and security protections from the same vendors as everybody else around the world.

Marina Krotofil, a researcher from Honeywell Industrial Cyber Security Lab who worked on the investigation:

If the attackers learn how to go around those tools and appliances in Ukrainian infrastructures, they can then directly go to the west.

The fact that successful attacks have already been carried out makes testing out attacks in real-world settings vital: bring on the wind, the rain, and the darkness, and then take away the sensors that enable operators to figure out what the hell is going on. Pietrowicz:

Most of the exercise was really about trying to figure out what was going on and deal with the conditions. It wasn’t a hit and run – while we were cleaning things up the adversary was countering our moves. There was one instance on the third day of the exercise where we almost had the crank path fully established and the attacker took out one of our key substations. It was sort of a letdown and we had to just keep going and figure out our next viable path. Even that small victory got taken away from us.

The participants on two teams, each of which was struggling to start up a grid labelled as a top priority, succeeded in black-starting the grids. Overall, mission accomplished. But participants said that the true insights didn’t come from the successes. Rather, it was the setbacks along the way that gave the most valuable insights.
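The crank path defined earlier, and the replanning Pietrowicz describes when the attacker took out a key substation, can be modelled as a shortest-path search over a grid graph in which compromised elements are excluded. The following is an added illustration, not code from DARPA, the RADICS program or Perspecta Labs; the grid topology, the substation names (G1, S1–S6, L) and the choice of breadth-first search as the planning method are all constructed assumptions for this example.

```python
"""Toy crank-path planner for a black-start restoration exercise.

Added illustration, not code from DARPA, RADICS or Perspecta Labs. The grid
topology, element names and the idea of modelling a crank path as a shortest
path of energisable elements are constructed assumptions.
"""
from collections import deque

# Constructed grid: generation source G1, substations S1..S6, and a priority
# load L (say, a command centre) that operators must re-energise first.
GRID = {
    "G1": ["S1", "S2"],
    "S1": ["G1", "S3"],
    "S2": ["G1", "S4"],
    "S3": ["S1", "S5"],
    "S4": ["S2", "S5", "S6"],
    "S5": ["S3", "S4", "L"],
    "S6": ["S4", "L"],
    "L": ["S5", "S6"],
}


def crank_path(grid, source, target, compromised=frozenset()):
    """Breadth-first search for the shortest energisable path from a
    generation source to a target, skipping elements the red team has taken
    out or that forensics has quarantined. Returns None if no path exists."""
    if source in compromised or target in compromised:
        return None
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            # Walk the parent links back to the source to rebuild the path.
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in grid.get(node, []):
            if nxt in compromised or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


def replan_after_loss(grid, source, target, lost):
    """Model the setback from the exercise: plan a crank path, lose elements
    on it to the attacker, and return (original_path, replanned_path)."""
    first = crank_path(grid, source, target)
    second = crank_path(grid, source, target, compromised=frozenset(lost))
    return first, second


if __name__ == "__main__":
    original, replanned = replan_after_loss(GRID, "G1", "L", {"S5"})
    print("planned crank path:   ", original)
    print("after losing S5:      ", replanned)
    print("after losing S5 and S6:", crank_path(GRID, "G1", "L", {"S5", "S6"}))
```

Excluding an element rather than deleting it from the topology mirrors the operational choice in the exercise: a substation suspected of hosting malware stays isolated for forensics while the planner looks for the next viable path, and when every route to the priority load is compromised the planner reports that honestly instead of energising through a suspect node.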

DARPA plans to run another, even more sophisticated version of the exercise on Plum Island in May, with potentially more of the same to come after that. RADICS’s Weiss told reporters that he hopes that ultimately, the DOE will take over the exercises and incorporate them into preparedness training for government workers and utilities.

from Naked Security – Sophos

France: Let’s make the internet safer! US: ‘How about NO?!’

The US, China and Russia are some of the big names that are missing from the list of signees of the Paris Call for Trust and Security in Cyberspace: an initiative designed to establish international etiquette with regards to the internet, including coordinating disclosure of technical vulnerabilities.

French President Emmanuel Macron announced the agreement on Monday at the annual UNESCO Internet Governance Forum in Paris.

The document proposes rules of engagement for a slew of internet-related challenges, including cooperating to fend off interference in elections, online censorship and hate speech, intellectual property theft, malware proliferation and cyberattacks, and the use of cyberweapons to hack back… or, in the parlance of the US military, “offensive hacking,” as in, what the Department of Defense gave itself the power to do in the new military strategy it set forth in September.

The document has been endorsed by more than 50 nations, 90 nonprofits and universities, and 130 private corporations and groups.

You can see why the accord’s attitude about cyberwarfare wouldn’t fly with a lot of countries. Besides the US, some of the nations that abstained from signing on, including China and Iran, have active cyberwar programs. As we reported last week, Iran unravelled the CIA’s secret online network years ago with simple online searches, leading to informants being left vulnerable to exposure and execution worldwide.

Wired characterized the Paris Call as “lacking teeth,” with no legal requirements for governments or corporations to adhere to its principles.

It’s mostly a symbol of the need for diplomacy and cooperation in cyberspace, where it’s hard to enforce any single country’s laws.

Even some of the groups that support the Paris agreement say it’s not perfect. Access Now, an international non-profit dedicated to a free and open internet, pointed out that the accord, in promoting cooperation between industry and law enforcement when it comes to fighting cybercrime, could mean a few things, not all of them good.

Would such cooperation entail weakening encryption to enable backdoors, for example? …a crippling of security for which law enforcement has been strenuously campaigning? Access Now certainly thinks so:

Judicial orders should be the basis for any assistance between providers and law enforcement. Cooperation, on the other hand, can be interpreted to mean informal exchange of data or the intentional weakening of platforms to enable law enforcement access. As such, “cooperation” is not the proper framework for the relationship between law enforcement and companies.

The Paris Call also refers to the Budapest Convention: a cybercrime treaty that has been criticized for its broad definition of what constitutes “crime.” We can look to the US for a recent example of how that can play out: in February, the US state of Georgia drew up what critics called a “misguided” bill that could have criminalized security research.

Then too, Access Now said, the Council of Europe is developing an additional protocol that would extend law enforcement’s ability to reach data stored across borders. But will it be crafted with an eye toward protecting human rights? Or will repressive regimes be given greater latitude to unmask activists, journalists, and/or persecuted groups, such as LGBTQ people or dissidents?

In spite of these reservations, plus concern about the potential limiting of the free flow of information online in the case of zealous intellectual property protections, Access Now signed on. Others that signed on to the Paris Call include technology companies such as Microsoft, Oracle, Facebook, IBM, and HP.

Wired quoted Microsoft President Brad Smith, who also gave a speech on Monday in Paris. Smith:

It’s an opportunity for people to come together around a few of the key principles: around protecting innocent civilians, around protecting elections, around protecting the availability of the internet itself. It’s an opportunity to advance that through a multi-stakeholder process.

This is characteristic of the new responsibilities that corporations such as Microsoft are shouldering when it comes to keeping the internet secure. Wired quoted Megan Stifel, the cybersecurity policy director at Public Knowledge, a nonprofit that also signed on to the Paris Call:

If you look over the past three or four years, we’ve really seen a groundswell of private leadership. The private sector is now willing to say that we can and we will do more.

One of many examples of nation-like behavior coming from corporations is the war room that Facebook set up last week in an effort to fight misinformation on a global level and to protect election integrity. Microsoft, for its part, disrupted alleged Russian Fancy Bear election meddlers in August.

Of course, it’s in corporations’ best interests to have a safer, more predictable internet, and to avoid getting dragged in front of Congress to answer for it when it’s less than safe. Drew Mitnick, policy counsel at Access Now, said that the Paris Call might not be perfect, but it’s a step in the right direction, and for the time being, we can look forward to Paris Call 2.0:

The document is imperfect but it arrives as other governments, that did not endorse the Paris Call, have shown a competing vision for cybersecurity grounded instead in state sovereignty and control.

Look for Paris Call 2.0 to come next year, when it reconvenes in Germany.

from Naked Security – Sophos