My Security Thoughts – The Smart Grid & The Danger to You by @mhbjr
Just happened to run across some papers talking about the Smart Grid. Wikipedia has the following for the smart grid:
A smart grid is a modernized electrical grid that uses analogue[1] or digital information and communications technology to gather and act on information, such as information about the behaviors of suppliers and consumers, in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity.[2] Electronic power conditioning and control of the production and distribution of electricity are important aspects of the smart grid.
Ok, if we look at this we see the words ‘to gather and act on information, such as information about the behaviors of suppliers and consumers’. Without looking at the rest of the wording I am given pause. The utility industry needs to gather and act on information about me? The hairs on the back of my neck are starting to rise, but let’s keep riding this train.
At a past conference of security professionals, I started a small argument between a presenter and some utility industry personnel when I asked: when the smart grid is ubiquitous, who owns the consumer’s data/information? In the end the best answer I received was that it depends. It could be owned by the state, the utility, or a combination of both. The one entity that they agreed would not own that data is the consumer.
Some may say, so what, utilities already have my data on electric usage in my home. Well, based on the smart grid proposals and the ability of appliances to gather information, those with access to your data will be able to determine how many TVs, computers, etc. are in your home.
Side Note: Since I mentioned TVs in the previous paragraph, there is a big stink brewing about how some Samsung TVs handle the voice recognition. It sounds like they are capturing the conversations in your residence and giving it to 3rd parties. Read more here: http://techcrunch.com/2015/02/10/smarttv-privacy/#SYTjBb:Hcg
Now back to the original thread: they will be able to ascertain when you get up, enter the shower, leave for work, and the time you return home on any given day. This data will reveal the number of residents and what age category they can be placed in.
Let us look at a single female or single mother with small children: a criminal will be able to determine the best time to commit a robbery, or even worse, a stalker or rapist the best time to carry out their evil deed. Types of alarm systems may be noted due to their power consumption, giving better planning for break-ins.
This will give an advantage to those planning a crime in that they do not have to perform as much on site surveillance. They can purchase the data from the local utility that is willing to do a lot of the legwork for them, commendable (that was sarcasm).
I have also done some study on the national electric grid in the past. The systems that control the electrical generators and substations that make up the national electric grid are called Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems were not designed with security as a top-priority requirement. These systems have been hacked.
There have been a number of presentations on hacking the new smart grid systems. The smart grid systems have as one of their components the SCADA systems. In my humble opinion we are opening up the attack fabric or the number of ways that an individual can get to the control systems. I do not feel comfortable with this direction.
I am not going to dwell on the dark side for too long because there are other aspects of this I would like to cover. When you read the Wikipedia entry, the word behavior or behaviors appears in this part only. The word consumer is spread throughout the entry. It is my take that government and the utility industry are selling the smart grid as a way to give consumers more control of their electricity usage. The spin I see is: consumers, look here, you can have more control, your appliances will be smarter, you will save, save, save.
It is my belief that consumers will see a saving when compared to the charges that will occur if you don’t utilize the smart grid. In other words, if you don’t use the new equipment then you will pay an increased cost but it will be less when you use smart grid technology. Now what we need to do is track the average cost now of those who don’t have smart grid compatible equipment and appliances and compare that with their average cost after getting smart grid compatible equipment.
Businesses are not in the business of saving consumers money. The utilities are notorious for getting all the fees they can from consumers, businesses, and even the government. We in the Washington, DC metro area even have to pay a certain price for the utilities to get the power back on. I am paying when I am not receiving anything. Also, what utility has gone out of business? Stock investment?
In ending this thread, it is my belief that we will buy into the smart grid because it has a lot of blinking lights, pushes pseudo control to the consumer, while giving more information about us to entities we can’t imagine.
What do you think?
CompTIA Security+ SY0-401 vs. SY0-301 Changes by @InfosecEdu
A new version of the popular CompTIA Security+ certification is out, and the content it covers has expanded significantly over the past three years. The six domains the exam covers remain the same, but four new sections were added to deal with cloud computing, incident response, mobile devices and network-enabled devices that could accidentally become part of your network. Two more new sections increase coverage of physical security and application of the “CIA triad” (confidentiality, integrity and availability).
In addition to these six new sections, dozens of other changes were made to existing sections to cover evolving malware, business continuity, big data, secure file transfer and other issues. The new SY0-401 “Certification Exam Objectives” document (which replaces 2010’s SY0-301 of the same name) also adds dozens of terms to its glossary and adds new but incomplete advice on suggested classroom equipment.
New Section: Implications of Integrating with Third Parties
A brand new section in SY0-401’s compliance and operational security domain was added to deal with business use of cloud services. The new section is entitled “summarize the security implications of integrating systems and data with third parties” (2.2) and contains ten topics.
Three new technical topics in this section are onboarding and offboarding business partners, social media networks and applications and data backups. Five new policy and risk topics are privacy considerations, risk awareness, unauthorized data sharing, data ownership and security policy and procedures.
Finally, there are two topics devoted to legal agreements and contracts. One, entitled “interoperability agreements,” covers service level agreements (SLA), blanket purchase agreements (BPA), memorandum of understanding (MOU) and Interoperability Solutions for (European Public) Administration (ISA). The second topic is entitled “review agreement requirements to verify compliance and performance standards” and contains no subtopics.
New Section: Incident Response
SY0-301’s one line entry about “Incident response” has been replaced with a whole new section (2.5) with eleven topics in SY0-401’s compliance and operational security domain. The new section begins with preparation, followed by first responder, incident identification and incident isolation (including quarantine and device removal). Next comes escalation and notification, mitigation steps, damage and loss control and data breach. Finally, lessons learned, reporting, recovery and reconstitution procedures are covered.
New Section: Physical Security
Limited coverage of physical security in SY0-301 has been replaced with a new “physical security and environmental controls” section (2.7) in SY0-401’s compliance and operational security domain. All of the existing environmental controls, including HVAC and EMI shielding, are the same as in the previous version. All of the old physical security controls, such as hardware locks and mantraps, were also carried forward.
The new content creates two new top-level topics: physical security and control types. New physical security controls include proper lighting, signs, guards, barricades, biometrics, protected distribution (e.g., cabling), alarms and motion detection. Control types cover theoretical security design and are listed as deterrent, preventative, detective, compensating, technical and administrative. (CISSP and other security students may find this section strange because they are used to using these control types to design security for any system, not just physical systems.)
New Section: Confidentiality, Integrity, Availability and Safety Controls
SY0-401 fleshes out the brief mention of the “CIA triad” (confidentiality, integrity and availability) from previous versions in a new section (2.9) in the compliance and operational security domain.
There are four major topics in this section (confidentiality, integrity, availability and safety) but most of the subtopics in this section are covered in more depth elsewhere. For example, confidentiality topics include encryption, access controls and steganography, two of which are covered elsewhere.
The full list of integrity topics found here includes hashing, digital signatures, certificates and non-repudiation. Availability topics include redundancy, fault tolerance and patching. Finally, safety topics cover fencing, lighting, locks, CCTV, escape plans, drills, escape routes and testing controls.
New Section: Mobile Security
A new mobile security section (4.2) is a welcome addition to the application, data and host security domain. A handful of topics such as device encryption and GPS were covered in SY0-301, but SY0-401 adds dozens more and organizes the content into device security, application security and BYOD concerns.
The new device security category includes information about full device encryption (“full” is new), remote wiping, lockout, screen-locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage and disabling unused features.
The new application security category includes information about key management, credential management, authentication, geo-tagging, encryption, application whitelisting and transitive trust and authentication.
Finally, the new BYOD concerns category includes information about data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding and off-boarding, adherence to corporate policies, user acceptance, architecture and infrastructure considerations, legal concerns, acceptable use policy and on-board camera and video.
New Section: “Static Environment” Risk Mitigation
The new “static environment” section (4.5) in the application, data and host security domain requires some explanation. The term tries to encompass all the legacy devices, “smart” hardware, handheld game units, stationary bicycles, icemakers, car-borne computers and other network-enabled technology that may be entering or interacting with your business network. Since you generally have little or no control over the technology itself, CompTIA refers to the technologies as participating in a “static environment.”
Environment topics specifically called out in this section include SCADA (“supervisory control and data acquisition”; common in industrial automation), embedded systems (including printers, smart TVs and HVAC controls), Android, iOS, mainframe, game consoles and in-vehicle computing systems.
Read the rest at the InfoSec Institute
Lenovo “Superfish” Adware Vulnerable to HTTPS Spoofing
From US-CERT email:
National Cyber Awareness System:
Systems Affected
Lenovo consumer PCs that have Superfish VisualDiscovery installed and potentially others.
Overview
“Superfish” adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.
Description
Starting as early as 2010, Lenovo has pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for “Superfish.” All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application – a classic “man in the middle” attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.
Although Lenovo has [1] stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.
The underlying SSL decryption library from Komodia has been found to be present on other applications, including “KeepMyFamilySecure.” Please refer to CERT [2] Vulnerability Note VU#529496 for more details and updates.
To detect a system with Superfish installed, look for an HTTP GET request to superfish.aistcdn.com. The full request will look like:
http://superfish.aistcdn.com/
Where [ACTION] is at least 1, 2, or 3. 1 and then 2 are sent when a computer is turned on. 3 is sent when a computer is turned off.
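The beacon described above can be hunted in proxy or web logs. The following is an added example, not part of the US-CERT alert: it runs over a constructed, squid-style access log (timestamp, client IP, method, URL, status), flags every GET whose host is superfish.aistcdn.com, and records the action value per client. The page does not show where [ACTION] sits in the URL, so the sample lines assume it is the first path segment; the detector keys on the host name alone and treats the action value as best-effort.

```python
import re
from urllib.parse import urlparse

# Host named in the advisory; the decision is made on this field only.
BEACON_HOST = "superfish.aistcdn.com"
KNOWN_ACTIONS = {"1", "2", "3"}  # 1 then 2 at power-on, 3 at power-off (per advisory)

# Constructed sample log (squid-like: ts client method url status). The
# position of the action number in the path is an assumption for this example.
SAMPLE_LOG = """\
1424390400.120 10.0.5.21 GET http://superfish.aistcdn.com/1 200
1424390401.553 10.0.5.21 GET http://superfish.aistcdn.com/2 200
1424390405.004 10.0.5.77 GET http://www.example.com/index.html 200
1424393999.871 10.0.5.21 GET http://superfish.aistcdn.com/3 200
1424394010.300 10.0.5.42 GET http://superfish.aistcdn.com/1 200
1424394011.000 10.0.5.42 GET https://mail.example.com/ 200
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def beacon_action(url):
    """Return the action value for a Superfish beacon URL, or None if not a beacon."""
    parts = urlparse(url)
    if (parts.hostname or "").lower() != BEACON_HOST:
        return None
    first_segment = parts.path.strip("/").split("/")[0]
    # Unknown or empty action still counts as a beacon; label it so the analyst sees it.
    return first_segment if first_segment in KNOWN_ACTIONS else "unknown"


def summarize(log_text):
    """Map each client IP to the ordered list of beacon actions it sent."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        action = beacon_action(rec["url"])
        if action is None:
            continue
        hits.setdefault(rec["client"], []).append(action)
    return hits


if __name__ == "__main__":
    for client, actions in summarize(SAMPLE_LOG).items():
        print(f"{client}: Superfish beacons {actions} -> inspect root CA store on this host")
```

Each flagged client is a candidate for the certificate-store check in the Solution section; a host that emits 1 and 2 at boot is a stronger signal than a single stray request.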
Impact
A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.
Solution
Uninstall Superfish VisualDiscovery and the associated root CA certificate
Uninstall any software that includes the Komodia Redirector and SSL Digestor libraries. In the case of Lenovo PCs, this includes Superfish Visual Discovery.
It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on [3] deleting and [4] managing certificates in the Windows certificate store. In the case of Superfish Visual Discovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”
Mozilla provides similar [5] guidance for their software, including the Firefox and Thunderbird certificate stores.
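Because uninstalling the software leaves the root certificate behind, the store has to be checked directly. The following is an added example, not part of the US-CERT alert or Microsoft's guidance: it decodes certificates with the Python standard library's ssl module and reports any CA whose subject organization is “Superfish, Inc.”, the name given above. The Windows scan uses ssl.enum_certificates, which only exists on Windows; the Firefox/Thunderbird NSS stores are separate and are not covered here.

```python
import ssl

# Subject organization of the offending root certificate, as named in the advisory.
SUSPECT_ORG = "Superfish, Inc."


def subject_org(cert_info):
    """Return organizationName from a certificate dict as produced by ssl.get_ca_certs()."""
    for rdn in cert_info.get("subject", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def is_superfish_root(cert_info):
    """True when the certificate's subject organization matches the advisory's name."""
    return subject_org(cert_info) == SUSPECT_ORG


def decode_ca_cert(der_or_pem):
    """Decode one CA certificate (DER bytes or PEM str) into ssl's dict form.

    A fresh context with nothing else loaded means get_ca_certs() returns only
    the certificate we handed it (ssl only lists CA certificates, which a root is).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=der_or_pem)
    return ctx.get_ca_certs()


def scan_windows_store(store_name="ROOT"):
    """Return the dicts of any Superfish root certificates in a Windows system store."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates is only available on Windows")
    hits = []
    for cert_bytes, encoding, _trust in ssl.enum_certificates(store_name):
        if encoding != "x509_asn":  # skip PKCS#7 blobs, keep plain DER certificates
            continue
        for info in decode_ca_cert(cert_bytes):
            if is_superfish_root(info):
                hits.append(info)
    return hits


if __name__ == "__main__":
    try:
        found = scan_windows_store("ROOT")
    except RuntimeError as exc:
        print(exc)
    else:
        for info in found:
            print("Superfish root present: serial", info.get("serialNumber"),
                  "expires", info.get("notAfter"), "-> remove per Microsoft guidance [3]")
        if not found:
            print("No Superfish root certificate found in the ROOT store")
```

The match is on the subject organization rather than a fingerprint because the alert identifies the certificate by the name it is issued to; if you have the thumbprint from your own affected machine, comparing it as well removes any chance of a false positive.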
References
- [1] Lenovo Statement on Superfish (external link)
- [2] CERT VU#529496 (external link)
- [3] Delete a Certificate (external link)
- [4] View or Manage a Certificate (external link)
- [5] Deleting a root certificate (external link)
Revision History
- February 20, 2015
President Obama at the Cybersecurity Summit
President Obama talked about cybersecurity and consumer protection. In his remarks he said the U.S. was in a “cyber arms race” and called cyberspace the new “Wild West.” At the end of his speech he signed an executive order intended to make cybersecurity threat information sharing easier for government and private industry, through the creation of regional data centers.
The president made his remarks at the first White House Summit on Cybersecurity and Consumer Protection, held at Stanford University.
White House Summit on Cybersecurity and Consumer Protection
Phishing email scam targets Anthem customers affected by recent cyberattack