Cyber Research

Cyber News

Cyber Info


 July, 2016







 In this issue



*         Clever Attack Uses the Sound of a Computer’s Fan to Steal Data

*         IoT botnet: 25,513 CCTV cameras used in crushing DDoS attacks

*         European Commission approves new investment in cybersecurity

*         Criminals winning 'cyber arms race' – UK National Crime Agency

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Clever Attack Uses the Sound of a Computer’s Fan to Steal Data

July 2, 2016

In the past two years a group of researchers in Israel has become highly adept at stealing data from air-gapped computers—those machines prized by hackers that, for security reasons, are never connected to the internet or connected to other machines that are connected to the internet, making it difficult to extract data from them.

Mordechai Guri, manager of research and development at the Cyber Security Research Center at Ben-Gurion University, and colleagues at the lab, have previously designed three attacks that use various methods for extracting data from air-gapped machines—methods involving radio waves, electromagnetic waves and the GSM network, and even the heat emitted by computers.

Now the lab’s team has found yet another way to undermine air-gapped systems using little more than the sound emitted by the cooling fans inside computers. Although the technique can only be used to steal a limited amount of data, it’s sufficient to siphon encryption keys and lists of usernames and passwords, as well as small amounts of keylogging histories and documents, from more than two dozen feet away. The researchers, who have described the technical details of the attack in a paper (.pdf), have so far been able to siphon encryption keys and passwords at a rate of 15 to 20 bits per minute—more than 1,200 bits per hour—but are working on methods to accelerate the data extraction.

“We found that if we use two fans concurrently [in the same machine], the CPU and chassis fans, we can double the transmission rates,” says Guri, who conducted the research with colleagues Yosef Solewicz, Andrey Daidakulov, and Yuval Elovici, director of the Telekom Innovation Laboratories at Ben-Gurion University. “And we are working on more techniques to accelerate it and make it much faster.”

The Air-Gap Myth

Air-gapped systems are used in classified military networks, financial institutions and industrial control system environments such as factories and critical infrastructure to protect sensitive data and networks. But such machines aren’t impenetrable. To steal data from them an attacker generally needs physical access to the system—using either removable media like a USB flash drive or a firewire cable connecting the air-gapped system to another computer. But attackers can also use near-physical access using one of the covert methods the Ben-Gurion researchers and others have devised in the past.

One of these methods involves using sound waves to steal data. For this reason, many high-security environments not only require sensitive systems be air-gapped, they also require that external and internal speakers on the systems be removed or disabled to create an “audio gap”. But by using a computer’s cooling fans, which also produce sound, the researchers found they were able to bypass even this protection to steal data.

Most computers contain two or more fans—including a CPU fan, a chassis fan, a power supply fan, and a graphics card fan. While operating, the fans generate an acoustic tone known as blade pass frequency that gets louder with speed. The attack involves increasing the speed or frequency of one or more of these fans to transmit the digits of an encryption key or password to a nearby smartphone or computer, with different speeds representing the binary ones and zeroes of the data the attackers want to extract—for their test, the researchers used 1,000 RPM to represent 1, and 1,600 RPM to represent 0.

More Air-Gap Hacks

·         Stealing Data From Computers Using Heat

·         Researchers Hack Air-Gapped Computer With Simple Cell Phone

·         How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

The attack, like all previous ones the researchers have devised for air-gapped machines, requires the targeted machine first be infected with malware—in this case, the researchers used proof-of-concept malware they created called Fansmitter, which manipulates the speed of a computer’s fans. Getting such malware onto air-gapped machines isn’t an insurmountable problem; real-world attacks like Stuxnet and Agent.btz have shown how sensitive air-gapped machines can be infected via USB drives.

To receive the sound signals emitted from the target machine, an attacker would also need to infect the smartphone of someone working near the machine using malware designed to detect and decode the sound signals as they’re transmitted and then send them to the attacker via SMS, Wi-Fi, or mobile data transfers. The receiver needs to be within eight meters or 26 feet of the targeted machine, so in secure environments where workers aren’t allowed to bring their smartphones, an attacker could instead infect an internet-connected machine that sits in the vicinity of the targeted machine.

Normally, fans operate at between a few hundred RPMs and a few thousand RPMs. To prevent workers in a room from noticing fluctuations in the fan noise, an attacker could use lower frequencies to transmit the data or use what’s known as close frequencies, frequencies that differ only by 100 Hz or so to signify binary 1’s and 0’s. In both cases, the fluctuating speed would simply blend in with the natural background noise of a room.

“The human ear can barely notice [this],” Guri says.

The receiver, however, is much more sensitive and can even pick up the fan signals in a room filled with other noise, like voices and music.

The beauty of the attack is that it will also work with systems that have no acoustic hardware or speakers by design, such as servers, printers, internet of things devices, and industrial control systems.

The attack will even work on multiple infected machines transmitting at once. Guri says the receiver would be able to distinguish signals coming from fans in multiple infected computers simultaneously because the malware on those machines would transmit the signals on different frequencies.

There are methods to mitigate fan attacks—for example, by using software to detect changes in fan speed or hardware devices that monitor sound waves—but the researchers say they can produce false alerts and have other drawbacks.

Guri says they are “trying to challenge this assumption that air-gapped systems are secure,” and are working on still more ways to attack air-gapped machines. They expect to have more research done by the end of the year.

More info https://www.wired.com/2016/06/clever-attack-uses-sound-computers-fan-steal-data/

IoT botnet: 25,513 CCTV cameras used in crushing DDoS attacks

July 3, 2016

Researchers discovered over 25,000 hacked internet-connected CCTV cameras being used in DDoS attacks to hammer websites; the denial-of-service botnet could deliver a whopping 50,000 HTTP requests per second.

Over 25,000 hacked internet-connected CCTV cameras are being used for a denial-of-service botnet, according to researchers from the security firm Sucuri.

The discovery came after Sucuri mitigated a DDoS attack against a jewelry store site; it had been generating 35,000 HTTP requests per second. But after bringing the website back up, researchers said the attacks increased to nearly 50,000 HTTP requests per second. When the attack continued for days, the researchers discovered the attack botnet was leveraging only IoT CCTV devices, which were located across the globe.

Although this is not the first CCTV-based DDoS botnet discovered (900 had been used in attacks last year), it is the largest yet to be discovered.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns,” Sucuri wrote. “However, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.”

The researchers determined 25,513 unique IP addresses were being used to generate the DDoS attack. One hundred five countries had compromised CCTV devices used in the attack. Twenty-five percent of the malware-infected devices were located in 95 different countries, but the top 10 countries with the most compromised CCTV devices accounted for 75 percent of locations. Those countries were:

Another interesting aspect of the attack was that about 5 percent of the IPs came from IPv6. Sucuri said, it doesn’t “see many DDoS attacks leveraging IPv6 yet, [but] that’s a change we expect to keep happening as IPv6 becomes more popular.”

Forty-six percent of the CCTV cameras used in the attack had default H.264 DVR logos, but the entire vendor distribution looked like this:

CCTV DDoS botnet by vendor

While the researchers cannot say for certain how more than 25,000 IoT CCTV devices were compromised, they suspect the devices “might have been hacked via a recently disclosed RCE vulnerability in CCTV-DVR.” Back in March, security researcher Rotem Kerner discovered a RCE flaw affecting DVR devices used by CCTV cameras sold by more than 70 vendors.

The DDoS attack “was a variation of the HTTP flood and cache bypass attack.” It leveraged random referrers and user-agent combinations in an attempt to emulate normal browser behavior in order to make it more challenging to identify and block the malicious requests. Engadget, Google and USA Today were the most popular referrers and the most popular browsers were the user-agents.

Sucuri wrote:

Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods.

The security firm said it is “in the process of reaching out to the networks that have these unprotected and compromised cameras, but that’s just one small piece of the problem. Once the cameras are patched, the attackers will find other easily hacked devices for their botnets.”

Read more at http://www.networkworld.com/article/3089298/security/iot-botnet-25-513-cctv-cameras-used-in-crushing-ddos-attacks.html?google_editors_picks=true

European Commission approves new investment in cybersecurity

July 4, 2016.

The European Commission signed an agreement today that'll have member states funding and working together with private groups on cybersecurity. The specifics are a little vague right now, but the gist is this: the EU has put together €450 million, which will be distributed in the coming years to businesses, universities, and other researchers who are interested in investigating pressing cybersecurity problems. The commission says the measure is designed to "nurture cybersecurity industrial capabilities and innovation in the EU."

"€1.8 billion in new cybersecurity investment is expected by 2020"

The recently founded European Cyber Security Organization will work together with everyone from tech companies to local governments to determine where the funding should go. The current plan is for the partnership to put out its first call for proposals in early 2017. The commission expects that, throughout the course of this partnership, private sources will end up investing in cybersecurity "three times more" than the initial €450 million in public contributions, for a total of up to €1.8 billion in new investment by 2020.

The commission identifies a number of areas that the partnership might focus on, including securing identities online, training workers on cybersecurity best practices, and developing new protections for cloud infrastructure. "Cybersecurity incidents cause major economic damage of hundreds of billions of euros each year to European businesses and the economy at large," the commission writes in a memo. It notes that over €600 million has already been directed to cybersecurity projects, but that "more work is needed to address the increasing number and complexity of cyberthreats."

Investing in new cybersecurity projects is only one part of the commission's plan to address those growing threats. The Network and Information Security Directive, which will likely be adopted by the European Parliament tomorrow, is meant to encourage communication throughout Europe in the event of a cyberattack. "We call on member states and all cybersecurity bodies to strengthen cooperation and pool their knowledge, information, and expertise to increase Europe's cyber-resilience," Günther Oettinger, the commissioner for digital economy and society, says in a statement.

One of the specific steps the commission outlines is making it easier to offer cybersecurity solutions throughout the EU. It hopes to establish a certification framework that'll allow products and services to be certified once and then offered in any member state.

More Info http://www.theverge.com/2016/7/5/12094438/european-union-cybersecurity-public-private-partnership


Criminals winning 'cyber arms race' – UK National Crime Agency

July 7, 2016.

Businesses and law enforcement agencies are losing the "cyber arms race" with online criminals, the UK's National Crime Agency has warned.

The technical capabilities of criminal gangs are outpacing the UK's ability to deal with their threat, the NCA added.

It said there were 2.46 million "cyber incidents" last year, including 700,000 frauds - with the biggest threat coming from "a few hundred" criminals.

The government is to spend £1.9bn over the next five years on cyber-defences.

The  NCA's annual assessment of cybercrime found a key threat to the UK comes from international gangs.

Some are so well-developed they run call centres and employ translators.

'Enduring challenge'

"Cybercriminals targeting the UK include international serious organised crime groups as well as smaller-scale, mostly domestic, criminals and hacktivists," it said.

"The NCA assesses that the most advanced and serious cyber crime threat to the UK is the direct or indirect result of activity by a few hundred international cyber criminals, typically operating in organised groups, who target UK businesses to commit highly profitable malware-facilitated fraud.

"These cyber-attacks include attacks directly targeting business systems and attacks against individuals."

The NCA said the "accelerating pace of technology and criminal cyber-capability development" currently outpaces the UK's collective response to cybercrime.

"This 'cyber arms race' is likely to be an enduring challenge, and an effective response requires collaborative action from government, law enforcement, industry regulators and, critically, business leaders," the report added.

The NCA says the true scale of criminality is likely to be far bigger because of what it calls "a serious problem" of under-reporting.

It urged businesses to report when they are victims of cybercrime and to share more intelligence, "both with law enforcement and with each other".

In response to the threat, the UK government plans a new National Cyber Security Centre, as well as working with internet service companies to block online attacks.

Read more: http://www.bbc.com/news/uk-36731694



Latest Cyber Security News

Individuals at Risk

Identity Theft

Mass General Hospital Confirms 3rd-Party Breach Compromised Information of ~ 4,300 Dental Patients: A breach at Massachusetts General Hospital has potentially compromised the information of roughly 4,300 dental patients, the hospital warned Wednesday. ThreatPost, June 30, 2016

9.2 Million More US Healthcare Records Go Up for Sale on the Dark Web: The Dark Overlord is lording it over the US healthcare industry once again. The hacker is offering a fresh trove of 9.2 million patient records on a Dark Web marketplace, for 750 Bitcoin (about $477,000). InfoSecurity, June 27, 2016

Cyber Privacy

Facebook wins appeal, CPP warns of “massive violations of privacy”: Facebook has collared Belgium’s privacy watchdog: it’s won an appeal in a privacy case and can now resume tracking any Belgian it wants to, including people who’ve never registered for an account and those who aren’t logged in. NakedSecurity, July 1, 2016

My Activity: a tool to see what Google knows about you: How much does Google really know about us? Well, let’s see… how deep is the ocean, and how high is the sky? Probably both are a bit tighter than the ever-expanding capacity of Google’s maw. NakedSecurity, July 1, 2016

Cyber Danger

Cracking Android’s full-disk encryption is easy on millions of phones – with a little patience: Android’s full-disk encryption on millions of devices can be cracked by brute-force much more easily than expected – and there’s working code to prove it. TheRegister, July 1, 2016

1.2 million infected: Android malware ‘Hummer’ could be biggest trojan ever: Security researchers recently issued warnings against a trojan family known as Hummer, which affects more than a million phones by installing malware and unwanted apps. TechRepublic, June 30, 2016

Don’t fall for this Android malware that pretends to be Uber, Facebook, or WhatsApp: Security researchers from FireEye recently uncovered a new piece of Android malware that can mimic the look and feel of app interfaces from the likes of Uber, WhatsApp and Google Play. The malware reportedly struck first in Denmark and is now making its way through a handful of other European countries, including Italy, Germany and Austria. BGR, June 29, 2016

Cyber Update

FOXIT PATCHES 12 VULNERABILITIES IN PDF READER: Foxit patched a dozen vulnerabilities in its PDF reader software this week, more than half of which could allow an attacker to directly execute arbitrary code on vulnerable installations of the product. ThreatPost, June 30, 2016

Critical Symantec update as cybercriminals can exploit vulnerabilities just by sending email: A Google security researcher has found high severity vulnerabilities in enterprise and consumer products from antivirus vendor Symantec that could be easily be exploited by hackers to take control of computers. PCWorld, June 29, 2016

Information Security Management in the Organization

Information Security Governance

It’s Time To Think Of Cybersecurity As A Business Enabler: Last year, CIO, CSO and PricewaterhouseCoopers released a new Global State of Information Security survey, which polled more than 10,000 executives from 127 countries about IT security. The results were a mixed bag, with security incidents up 38% over 2014 but corresponding budgets rising only 24%. Forbes, July 1, 2016

Boost your security: Get IT and HR to collaborate: Ask what department is responsible for data security in an organization and the most likely answer is, “IT.” But some experts are saying it shouldn’t be IT alone – that better security requires a closer collaboration with Human Resources (HR). CSO, June 27, 2016

Cyber Warning

Anatomy of an exploit: the Microsoft Word bug that just won’t die: If you’re a regular reader, you’re probably familiar with our technical papers on the topics of exploit kits and malware attacks that rely on booby-trapped Word documents. NakedSecurity, July 1, 2016

Meet Jigsaw, the ransomware that taunts victims and offers live support: The crypto ransomware racket is a booming business that generates lots of revenue, so it only makes sense that the scourge is growing. And with new titles entering the market on almost a weekly basis, how do the criminals behind them make their malware stand out? ars technica, June 28, 2016

Microsoft Office 365 hit with massive Cerber ransomware attack, report: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted. SCMagazine, June 27, 2016

How Oracle’s business as usual is threatening to kill Java: Stop me if you’ve heard this one before: Oracle has quietly pulled funding and development efforts away from a community-driven technology where customers and partners have invested time and code. It all seems to be happening for no reason other than the tech isn’t currently printing money. ars technica, June 27, 2016

Cybercriminals up their game with new easier-to-deploy lower-cost ransomware: A new ransomware program making the rounds uses a simple, yet effective technique to make user files inaccessible: locking them in password-protected ZIP archives. PCWorld, June 27, 2016

Cyber Defense

Study shows most IT departments lack suitable controls over user activity in IT infrastructure: A majority of organizations report that they lack visibility into their cloud infrastructure, file shares, user activity and mobile devices, greatly impacting data security and system uptime, according to Netwrix. HelpNetSecurity, July 1, 2016

Study analyzes cybercriminal actions after they get on network. Who is running Nmap?: Hackers almost exclusively use standard network admin tools to move around a compromised network once they’ve broken in using malware or other hacking techniques. TheRegister, June 30, 2016

CISO challenges: Addressing cybersecurity blind spots: Every enterprise has cybersecurity blind spots that it fails to recognize and address. Sean Martin explains what they are and how they create more CISO challenges. TechTarget, June 30, 2016

CISO challenges: Identifying and addressing common problems: Enterprises often struggle to identify and prioritize the most pressing security concerns and threats. Sean Martin explains the common CISO challenges facing organizations today. TechTarget, June 30, 2016

xDedic: What to Do If Your RDP Server Was Pwned: As many as 250,000 credentials for Remote Desktop Protocol servers around the world may have been offered for sale on the now-shuttered xDedic cybercrime marketplace. If an organization suspects credentials to servers may have been traded by cybercriminals, what can they do to mitigate related risks and avoid a major network intrusion? InfoRiskToday, June 28, 2016

Cyber Law

Why Brexit could cause data privacy headaches for US companies: The impact of the United Kingdom vote to withdraw from the European Union could have far-reaching consequences for international companies, which may need to rethink their data management policies. NetworkWorld, June 28, 2016

Cyber Security in Society

Cyber Privacy

Database of 2.2m suspected terrorists, money launderers leaked online: A database that classifies people, major charities, activists, and mainstream religious institutions as potential terrorists or money launderers was found available to anybody who knew where to look online, with no credentials needed to access it. NakedSecurity, July 1, 2016

700,000 Muslim Match dating site private messages leaked online: Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal. TheRegister, July 1, 2016

Cyber Fraud

Scientology Seeks Captive Converts Via Google Maps, Drug Rehab Centers: Fake online reviews generated by unscrupulous marketers blanket the Internet these days. Although online review pollution isn’t exactly a hot-button consumer issue, there are plenty of cases in which phony reviews may endanger one’s life or well-being. This is the story about how searching for drug abuse treatment services online could cause concerned loved ones to send their addicted, vulnerable friends or family members straight into the arms of the Church of Scientology. KrebsOnSecurity, June 27, 2016

Cyber Law

ACLU argues Computer Fraud & Abuse Act blocks discrimination research: The American Civil Liberties Union is challenging a key computer crime law, arguing that it violates the Constitution and specifically prevents researchers from identifying systemic discrimination, such as those related to housing and job searches. The Washington Post, June 29, 2016

Health Care

CONFICKER USED IN NEW WAVE OF HOSPITAL IOT DEVICE ATTACKS: Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hacker seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with same security as client PCs and servers within hospitals. ThreatPost, June 30, 2016

Here’s How a Hacker Extorts a Clinic: Security experts are sounding alarms about extortion attempts, where hackers steal data and then threaten to publicly release it unless a fee is paid. Unlike attacks involving file-encrypting ransomware, these kinds of incidents don’t result in total system blackouts, which in recent months have forced hospitals and universities to reveal their woes. BankInfoSecurity, June 29, 2016

Internet of Things

IoT botnet: 25,513 CCTV cameras used in crushing DDoS attacks: Researchers discovered over 25,000 hacked internet-connected CCTV cameras being used in DDoS attacks to hammer websites; the denial-of-service botnet could deliver a whopping 50,000 HTTP requests per second. NetworkWorld, June 28, 2016

Cyber Research

Clever Attack Uses the Sound of a Computer’s Fan to Steal Data: IN THE PAST two years a group of researchers in Israel has become highly adept at stealing data from air-gapped computers—those machines that for security reasons, are never connected to the internet or connected to other machines that are connected to the internet, making it difficult to extract data from them. Wired, June 28, 2016

Cyber Miscellany

Steptoe Cyberlaw Podcast – Interview with ‘Dark Territory’ Author Fred Kaplan: Was Iran’s cyberattack that bricked vast numbers of Saudi Aramco computers justified by a similar attack on the National Iranian Oil Company a few months’ earlier? Does NSA have the ability to “replay” and attribute North Korean attacks on companies like Sony? And how do the last six NSA directors stack up against each other? Those and other questions are answered by our guest for episode 122, Fred Kaplan, author of Dark Territory: The Secret History of Cyber War. Steptoe Cyberblog, June 28, 2016

Chrome DRM bug makes it easy to download streaming video: Security researchers have discovered a vulnerability in the Google Chrome browser that could allow users to bypass itscopy protection system and download content from streaming video services like Netflix and Amazon Prime Video. According to Wired, Google was alerted to the problem on May 24, but is yet to issue a patch. ars technica, June 27, 2016

Steptoe Cyberlaw Podcast – Blockchain Interview with Jamie Smith: With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies. Steptoe Cyberblog, June 23, 2016






Cyber ReseArch

Cyber News

Cyber info


The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net