Authorities say the Iranian computer hack of a New York dam is the symptom of a huge weakness in the U.S. infrastructure -- dams, stadiums, traffic controls and power grids that can be accessed by anyone, including hostile nations or terrorists -- with simple passwords or no passwords at all.
New York U.S. Attorney Preet Bharara said that the 2013 hack of the Bowman Avenue Dam in Rye Brook, N.Y., was a "frightening new frontier" of cybercrime that's "scary to think about."
The lead investigator of the case said it was a "game-changing event." U.S. officials believe that hackers were probing for weaknesses in hopes of hitting bigger targets later.
Authorities are worried about these attacks because the threat is growing exponentially, and despite years of warnings America's private sector has been woefully slow to adapt. About 6.4 billion devices and control systems will be connected to the Internet in 2016, a 30 percent spike over 2015, according to a new report. By 2020, nearly 21 billion will be online.
The rise of what the cyber community calls "the Internet of Things" (IoT) -- the way in which objects, equipment and buildings are now linked to the web and each other and send and receive data -- has ushered in a new era of security vulnerabilities. Hackers can remotely seize control of a spectrum of critical public and private infrastructure. Many of these targets are run by Industrial Control Systems that were designed before cybersecurity became crucial.
Hamid Firoozi, the Iranian hacker charged earlier this month with breaking into the control system of a New York dam, reportedly used a simple, legal search engine that surfs for and identifies unguarded control systems online. Firoozi was one of seven men who work for a pair of private Iranian cyber-security firms that do work for the Iranian government, including its elite military unit, the Islamic Revolution Guard Corps. The men were charged with hacking the financial sector as well as the dam.
While foreign nation-state hacking into U.S. infrastructure is common and growing in scope and sophistication, the dam hack is significant because prosecutors say it's the first time a simple, search engine-driven hack of a piece of U.S. infrastructure has surfaced as the tool of choice. It's also the first time a federal indictment has tied a foreign state to the hacking of critical U.S. assets.
It's particularly concerning because the so-called "water sector" -- bridges, tunnels, dams -- is one of the most vulnerable sectors of the U.S. economy. If the small Bowman dam had been breached, some homes in a tony New York suburb would have been flooded, but no lives would've been lost. Officials were more concerned that the hack was a test run.
Researchers said that many infrastructure systems require just a default username and password (like "admin" and "admin") to access. Others have no password security at all. With the growing popularity of search engines dedicated to locating exploitable "open ports," or unprotected access points -- a practice known as "Google dorking" because hackers can use Google to find the ports -- authorities believe cyber-attacks on U.S. infrastructure will continue to increase for some time.
"This stuff has been happening undetected for years, and now this is one of the first times that it's surfaced publicly," said former F.B.I. computer crime investigator Mike Bazzell. "We're getting close to a threshold where something must be done," he said. "The more this type of activity becomes popular and well-known, it will get worse before it gets better."
Who Is Vulnerable?
The threat of cyber-attacks spans every sector of the U.S. economy, experts said.
In recent years, independent "white-hat" security researchers have shown they can access cities' traffic control systems and license plate reader networks, sports stadiums, car washes, a hockey rink in Denmark, a Texas water plant, the particle-accelerating cyclotron at the Lawrence Berkeley National Laboratory, even an Olympic arena.
In 2013, researcher Billy Rios, a former Google cyber-security expert who studies emerging threats to industrial control systems and critical infrastructure, found that the control systems for about a dozen pro and college sports stadiums in the U.S. were easily accessible to hackers. Three years later, he told NBC News, "I'd say 80 percent of my stadiums are still online" and vulnerable.
In 2014, Rios identified an open control system inside Russia's Sochi Fisht Olympic Stadium and notified authorities. The vulnerability was fixed the day before opening ceremonies for the Winter Games.
John Matherly -- a researcher who built the search engine Shodan to identify unsecured servers online -- recently probed a leading automatic license plate reader system in wide use by law enforcement agencies nationwide. He realized he could tap into a Louisiana town's LPR system, siphon off tens of thousands of images a week, and even "tell [it] to send the pictures elsewhere." Fellow researchers subsequently identified unsecured LPR systems in ten U.S. states.
Most leading researchers -- including a group called I Am The Cavalry that was formed to call attention to these dangerous vulnerabilities -- work with federal agencies to contact vulnerable facility or infrastructure owners in both the public and private sectors.
Private sector companies own 85 percent of U.S. critical infrastructure, said Frank J. Cilluffo, former White House special assistant to the president on homeland security.
The seven Iranian hackers are wanted by the FBI. (Image: FBI)
Who Are the "Bad Actors"?
Cilluffo, now director of George Washington University's Center for Cyber and Homeland Security, told Congress last month about the ease with which bad actors are launching cyber-attacks on critical infrastructure. In many cases, he said, "virtually anyone with a measure of skills and a special interest can cause harm."
He said the private sector has been overwhelmed by the growth of cyber-attacks.
"It's not that they're necessarily ignoring" their security vulnerabilities, Cilluffo said. "It's the fact that they've got a whole lot of vulnerabilities they are going to need to backfill before they can get to all of them."
Most nation-states have far more sophisticated cyber capabilities than those required for search engine-driven hacks of vulnerable U.S. infrastructure targets; even individual hackers with no ties to any group are capable of these simple hacks.
While authorities believe nation states have mounted numerous attacks on infrastructure and thousands of "dry run" drills in the past, these intrusions can be hard to detect in real time and often go unreported by their targets. Investigators just happened to notice the dam intrusion while monitoring for cyber-attacks in the financial sector.
But in his testimony, and in an interview with NBC News, Cilluffo said that at least four countries are major players in hacking, or supporting hacks, of U.S. targets -- China, Iran, North Korea and Russia, with Russia the source of the most sophisticated intrusions.
Eighty percent of worldwide cybercrime emanates from Eastern Europe, according to Europol Director Robert Wainwright. In 2009, cyber-criminals from Russia or China breached the U.S. electric grid, leaving software programs behind, according to the Wall Street Journal. Experts say some hacks may be conducted by Russian organized crime at the behest of the state security service, the FSB.
China is believed to have been responsible in December, 2014 for the largest breach of U.S. federal employee data -- compromising personal data on 4 million current and former employees, according to U.S. officials. The increasing sophistication and capabilities have prompted authorities to charge that Chinese cyber-espionage has risen to the level of a strategic threat to the U.S. national interest.
In January, 2013, Iran launched a concerted series of cyber-attacks against American financial institutions, including Bank of America, J.P. Morgan Chase and others. Cilluffo cites a 2015 British tech research firm study which says that under President Hassan Rouhani, Iran's cyber budget has grown twelve-fold. The recent indictment of the alleged Iranian dam and financial industry hackers made pointed reference to their apparent ties to various Iranian state agencies.
While North Korea is not known for U.S. infrastructure attacks, it has been accused of hacking power plants, banks and news organizations in South Korea, whose minister of defense said last year that North Korea has a force of "about 6,000 cyber-agents."
While Cilluffo said foreign terrorist organizations have yet to demonstrate a capacity for the sort of sophisticated attacks believed to have been launched by the nation-states above, he notes that the growing "arms bazaar of cyber weapons" available for purchase or rental, combined with the obvious social media savvy of groups like ISIS/ISIL, makes it likely only a matter of time before they are capable of launching potentially devastating attacks on U.S. assets.
"Straight Shot to the Internet"
The age of the IoT has created a new generation of "connected" devices that communicate over the Internet -- like "smart homes" whose appliances can be controlled remotely with an app. The term also applies to businesses and municipalities which are increasingly taking their operations online. As aging infrastructure moves from old radio and satellite systems to 4G cellular networks, hundreds of thousands of systems worldwide are suddenly visible -- and hackable.
Unlike computer software flaws, there is often no easy way to universally patch vulnerabilities in complex Industrial Control Systems or effectively warn customers.
"You have these big control systems that have a straight shot to the Internet -- that's the fundamental security flaw," said researcher Tod Beardsley.
The legal landscape can be confusing and remains largely untested in U.S. courts. White hat researchers said they never actually breach vulnerable systems -- they stop at the open doors. They also use proprietary software to further identify the types of facility they are seeing.
Yet they contend that both the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) are broadly written and afford prosecutors wide latitude in how to interpret them.
"Fear of civil or criminal prosecution under these vague laws can have a chilling effect on the kind of services we could provide," said researcher Joshua Corman.
Having worked for years to identify these vulnerabilities, these experts don't want to be the ones who end up testing case law by drawing the wrong kind of attention.
"We have this coming tsunami of IoT devices that are password defaulted, and it can be technically illegal to point them out!" Beardsley said.
That could soon change.
At a conference in February, Corman and colleagues urged federal prosecutors and all 50 state attorneys general to better protect altruistic researchers from prosecution.
They are also urging private sector leaders to create "bug bounty" programs that explicitly permit hackers to probe their systems for vulnerabilities and reward those who find flaws.
Both General Motors and the Pentagon recently announced bug bounty programs.
"We do need to carve out some immunity for white hat hackers who, as long as their intent is pure, warrant a re-examination of the ways [the laws] are written," Cilluffo agreed.
Corman is hopeful.
"We're really ready and willing to help, if we're allowed to."
Culled from NBC News