802 Secure cited in the Gartner report, OT Security Best Practices

802 Secure was cited in the Gartner report, “OT Security Best Practices”, as an OT (Operational Technology) vendor for asset management and security monitoring.
“This report is further evidence that our technology provides value to manufacturing, critical infrastructure, and many other sectors that use IoT and IIoT to support their mission-critical initiatives and services; and 802 Secure’s visibility and security monitoring for these infrastructures,” said Mike Raggo, CSO, 802 Secure, Inc.
About Gartner: “Gartner is a trusted advisor and an objective resource for more than 15,000 organizations in 100+ countries.”
To access the report, use the following link: https://www.gartner.com/document/code/352264

For more information please contact 802 Secure, Inc. at info@802secure.com or by visiting our website at www.802secure.com.


802 Secure’s CSO, Mike Raggo, presenting at ISC2 Security Congress Oct. 10, 2018

802 Secure’s CSO, Mike Raggo, will be presenting at the ISC2 Security Congress on Oct. 10th in New Orleans.
“(ISC)² Security Congress brings together over 2,000 industry colleagues, offers 100+ educational and thought-leadership sessions, and fosters collaboration with other forward-thinking companies. The goal of our cybersecurity conference is to advance security leaders by arming them with the knowledge, tools, and expertise to protect their organizations. (ISC)² members are eligible for special discounted pricing and will have opportunities to attend exclusive member events.”
Topic:
IoT and IIoT Wireless Network Threats and Countermeasures
When:
Oct. 10, 2018 at 1:45PM CST
Where:
New Orleans Marriott
2nd Floor, Galerie 1
555 Canal Street
New Orleans, Louisiana 70130 USA
For more information or a copy of the presentation, please contact 802 Secure, Inc. at info@802secure.com or by visiting our website at www.802secure.com.

Russian WiFi cyber-attack foiled by Dutch intelligence

On October 4, 2018, BBC News (https://www.bbc.com/news/world-europe-45747472) reported that an alleged Russian group’s attempt to carry out a cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) had been foiled by Dutch intelligence.

According to the report, the attackers weaponized a rented car: WiFi attack tools and gear were hidden in the vehicle while it was parked at a hotel across the street from the OPCW, and the team also allegedly drove around the facility. The article describes this as a “close access” operation aimed at “capturing signals over WiFi antennas”.

The following is a screenshot from the BBC page of the equipment used. 

You’ll notice a variety of tools common to WiFi hacking, including long-range high-gain WiFi antennas, a battery pack and power inverter (standard equipment for WiFi “war driving”), and what appears to be a WiFi Pineapple kit (a platform widely used for WiFi attacks and testing).

A localized attack like this is easy to conduct. An attacker has many options for attempting to breach a facility’s WiFi infrastructure, and they target both the access points and employees’ devices: WiFi-enabled laptops, mobile devices and, increasingly, IoT devices.

Let’s explore a list of techniques:

Targeting the WiFi infrastructure and Wireless LAN itself – Attackers target the weak points of a WiFi network, which include:

  • WiFi networks deployed without encryption, or with weak passwords and weak encryption (e.g. WEP).
  • WiFi networks with stronger cryptography that are still vulnerable to weak passwords and schemes: WPA-PSK with a common or guessable passphrase (the PSK can be recovered offline from a captured 4-way handshake), and WPS PIN brute forcing.
  • Open Guest networks with no password.
    • Guest networks that allow peer-to-peer (client-to-client) communication can be used to target other users of that network, especially employees. If an employee laptop or mobile device is on the Guest network, the attacker now has network access to scan the device for a vulnerability to exploit.
      • Mobile devices, especially jailbroken or rooted ones, are low-hanging fruit. For example, iOS devices ship with a built-in root account (username: root, password: alpine). Normally this account is not reachable over the network, but jailbreaking commonly exposes services such as Secure Shell (ssh) on TCP port 22 or 2222. If an attacker scans the network, finds an iOS device and finds either port open, it is almost a sure bet the device is jailbroken; users are often unaware of the default password and never change it. The attacker can then log in as root and gain access to the device and some of its data (how much varies with the iOS version).
      • Laptops missing the latest patches can be vulnerable to remote and in-line (man-in-the-middle) attacks using tools such as Metasploit, BeEF and sslstrip, with which the attacker identifies and exploits vulnerabilities. The attacker can then gather information from the system, plant command-and-control backdoors, and use the laptop as a beachhead onto the network it is connected to, including any Virtual Private Network it connects to.
    • In some cases we have found the Guest network accidentally bridged to the Corporate network, giving backdoor access to the entire network.

Targeting employee devices – Beyond reaching employee devices via the Guest network, other attack techniques are available:

  • Tools such as Karma, hostapd-mana or a WiFi Pineapple can spoof a legitimate network, for example by broadcasting the organization’s own SSID, luring employees into connecting to this “Evil Twin”.
  • Another method is to listen for the WiFi networks a device is probing for. These are networks the device previously joined and stored for easy reconnection as the user moves from home to the office to the coffee shop. (Modern mobile operating systems have curtailed directed probing for most saved networks, but devices still probe for saved hidden networks, and many IoT devices and older laptops probe freely.)
    • Karma, hostapd-mana or a WiFi Pineapple can answer these probe requests and encourage the employee’s device to join the fake network. Once connected, the attacker can attack the device directly on his or her own network to gain access to its data, or use the device’s other connections (cellular, VPN) as a path into the organization’s network.
    • A more forceful variant sends a deauthentication or disassociation frame (or a series of them), spoofed from the legitimate access point, to knock the device off the organization’s network, then lures it onto the attacker’s fake network by offering a stronger signal (by default most devices reconnect to the known network with the strongest signal). Where 802.11w Protected Management Frames are supported and enabled, spoofed deauthentication frames are rejected, which blunts this technique.
  • A newer technique targets an employee’s mobile device while it is connected to the car’s WiFi hotspot. Many automobile hotspots are open or use default passwords (published lists exist on the web). The attacker joins the same hotspot and uses it to target the employee’s device.
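To make the detection side of these techniques concrete, here is an added example, written for this article and not taken from the BBC report or from 802 Secure’s product: a small Python monitor that scans summarized 802.11 management frames for a deauthentication flood, an Evil Twin beacon and Karma-style probe responses. The frames, the SSIDs and BSSIDs, and the AUTHORIZED inventory are all constructed; the thresholds are assumptions to be tuned per site.

```python
"""Offline detector for three WiFi attack patterns described above: deauthentication
floods, Evil Twin beacons and Karma-style probe responses. Example code written for
this article, not 802 Secure's product code. The frames and the AUTHORIZED table are
constructed; in practice frames are summarized from a monitor-mode capture (scapy,
tshark) and the table comes from your WLAN controller."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class MgmtFrame:
    t: float         # capture timestamp, seconds
    subtype: str     # "beacon", "probe_resp", "deauth" or "disassoc"
    src: str         # transmitter address (spoofable)
    bssid: str
    ssid: str = ""   # empty for deauth/disassoc
    rssi: int = -100


# Assumed inventory: SSID -> BSSIDs allowed to advertise it.
AUTHORIZED: Dict[str, Set[str]] = {
    "Corp-Staff": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "Corp-Guest": {"00:11:22:aa:bb:03"},
}
DEAUTH_WINDOW_S = 2.0     # sliding window length
DEAUTH_THRESHOLD = 8      # deauth/disassoc frames per source within the window
KARMA_SSID_THRESHOLD = 3  # distinct SSIDs answered by one BSSID


def detect_deauth_flood(frames, window=DEAUTH_WINDOW_S, threshold=DEAUTH_THRESHOLD) -> Dict[str, int]:
    """Source addresses whose deauth/disassoc count in any sliding window reaches the
    threshold, mapped to the peak count. Spoofed frames carry the real AP's address as
    src, so the alert names the impersonated AP; the rate is the tell, not the address."""
    times_by_src: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            times_by_src[f.src].append(f.t)
    alerts = {}
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # advance window start past old frames
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_evil_twin(frames, authorized=AUTHORIZED) -> Set[Tuple[str, str]]:
    """Beacons advertising one of our SSIDs from a BSSID that is not in the inventory."""
    return {(f.ssid, f.bssid) for f in frames
            if f.subtype == "beacon" and f.ssid in authorized and f.bssid not in authorized[f.ssid]}


def detect_karma(frames, threshold=KARMA_SSID_THRESHOLD) -> Dict[str, List[str]]:
    """BSSIDs answering probe requests for many distinct SSIDs. A real AP answers only
    for the SSIDs it serves; Karma and hostapd-mana answer for whatever is asked."""
    ssids_by_bssid: Dict[str, Set[str]] = defaultdict(set)
    for f in frames:
        if f.subtype == "probe_resp" and f.ssid:
            ssids_by_bssid[f.bssid].add(f.ssid)
    return {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}


def run_all(frames) -> dict:
    return {"deauth_flood": detect_deauth_flood(frames),
            "evil_twin": detect_evil_twin(frames),
            "karma": detect_karma(frames)}


AP1, AP3 = "00:11:22:aa:bb:01", "00:11:22:aa:bb:03"
ROGUE = "de:ad:be:ef:00:01"  # constructed attacker BSSID (e.g. a Pineapple)
SAMPLE_FRAMES: List[MgmtFrame] = [
    MgmtFrame(0.0, "beacon", AP1, AP1, "Corp-Staff", -60),        # legitimate
    MgmtFrame(0.1, "beacon", AP3, AP3, "Corp-Guest", -62),        # legitimate
    MgmtFrame(0.2, "probe_resp", AP1, AP1, "Corp-Staff", -60),    # legitimate
    MgmtFrame(0.3, "beacon", "c0:ff:ee:00:00:01", "c0:ff:ee:00:00:01", "CoffeeShop", -80),  # neighbour
    MgmtFrame(0.4, "beacon", ROGUE, ROGUE, "Corp-Staff", -35),    # Evil Twin, louder than AP1
    MgmtFrame(5.0, "deauth", "00:11:22:aa:bb:02", "00:11:22:aa:bb:02"),  # one legitimate deauth
]
# Karma behaviour: the rogue answers probes for whatever nearby clients ask for.
SAMPLE_FRAMES += [MgmtFrame(0.5 + i * 0.01, "probe_resp", ROGUE, ROGUE, s, -35)
                  for i, s in enumerate(["HomeWiFi", "Starbucks", "attwifi", "xfinitywifi"])]
# Deauth flood: ten frames within one second, src spoofed as AP1.
SAMPLE_FRAMES += [MgmtFrame(round(1.0 + i * 0.1, 1), "deauth", AP1, AP1) for i in range(10)]

if __name__ == "__main__":
    for name, result in run_all(SAMPLE_FRAMES).items():
        print(f"{name}: {result}")
```

In a real deployment the frames would come from a monitor-mode interface (for instance scapy’s sniff() on a monitor-mode wlan interface, or tshark with -I) and the inventory from the WLAN controller. Note what the deauth detector reports: because the flood spoofs the access point’s own address, the alert names the impersonated AP, which is exactly why the rate, not the source address, is the signal; with 802.11w enabled the same spoofed frames are simply dropped by the client.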

There are more techniques than those outlined here, but the point is that this news validates that the threat is real and, in this case, the target is a facility where a breach could endanger lives, directly or indirectly. As the world becomes more connected through IoT, the wireless attack surface keeps growing, providing a rich target for attackers. Ensuring your facilities and networks have Wireless Surveillance, Device Fingerprinting, Behavior Analytics and Attack Detections, plus multiple layers of protection through Air Isolation, Wireless Deceptive Networking and Shared Adversarial Intelligence, is key to minimizing these threats and avoiding a breach.

Shared Adversarial Intelligence is key because a shared blacklist of known-bad wireless identifiers (the radios and device fingerprints used by actors such as these) is typically the first “trip wire” by which an organization receives an alert that an adversary is in the vicinity of its facility. This is exactly what we do with our Deceptive Networking at 802 Secure for our customers.

Threats such as this also target Bluetooth devices and communications. Fake cell towers have also been documented around the Washington, DC and Las Vegas areas. As demonstrated at the DEF CON hacker conference, standing up a “mini-cell” is quite easy; it provides the means to lure cellphones, perform Man-in-the-Middle (MiTM) attacks, and downgrade handsets from LTE to GSM and weaker protocols to carry out those attacks. This is something 802 Secure detects with our AirCell product, part of our AirShield sensor and SaaS.

The GRU team’s close proximity to the OPCW underlines that there is intelligence to be gathered through close access to wireless networks that cannot be reached remotely over the Internet. This alternative approach clearly shows that a wireless network could serve as a backdoor into any company. Adversaries are fully equipped to perform wireless attacks to gain access to intellectual property or classified data, or to disrupt an organization’s day-to-day operations by impacting its communications. Ensure you are prepared to identify any adversary looking to breach your wireless networks, whether WiFi, Bluetooth, cellular or others.

802 Secure CEO, Garry Drummond, to participate in Smart Cities Panel

802 Secure’s CEO, Garry Drummond, will be participating in a panel at the Cybersecurity Symposium for Smart Cities 2018 on Oct. 3rd.

“As our nation continues to grow Smart Secure Cities and Communities, the backbone of the economy, small and medium businesses and governments (SMB-G) face an explosion of opportunities and challenges. Two most daunting challenges are the digital divide and cybersecurity. This 1-day Symposium empowers SMB-G’s to catapult into successes with best practices, professional volunteers, and demonstrations of leading solutions.” – Cybersecurity Symposium for Smart Cities 2018

Mr. Drummond will participate in the Wireless Technologies & Security Panel at 4:05PM. Details can be found at https://adaptablesecurity.org/cybersecurity-symposium-for-smart-cities-schedule/.

When: Oct. 3, 2018 at 4:05PM
Where: Fairmont Hotel, 170 S Market St, San Jose, CA 95113

To attend, visit the https://adaptablesecurity.org/cybersecurity-symposium-for-smart-cities/ site to register.

For more information, please contact 802 Secure, Inc. at info@802secure.com or by visiting our website at www.802secure.com.

New IoT Security Bill in California

Recently, California Governor Jerry Brown signed a bill meant to secure Internet of Things (IoT) devices and protect end users and consumers. Senate Bill No. 327, which takes effect on January 1, 2020, states the following:
“(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
        (1) Appropriate to the nature and function of the device.
        (2) Appropriate to the information it may collect, contain, or transmit.
        (3) Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
(b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
        (1) The preprogrammed password is unique to each device manufactured.
        (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.”
Breaking this down and interpreting it in a CIA (Confidentiality, Integrity, and Availability) context:
  • Security features must protect the data the device collects, contains, or transmits. This covers both data at rest and data in motion, and thus implies encryption at rest and encryption in transit.
  • Additional security features must protect the device from unauthorized access, destruction, use, modification or disclosure. Our interpretation is that every account should have a strong, non-default password; unnecessary services that create low-hanging fruit for an attacker (e.g. clear-text HTTP on port 80, Telnet, FTP) should be disabled; and integrity checking and logging should inform the owner of modification (e.g. by a virus or malware).
  • A preprogrammed password unique to each manufactured device is included to ensure there is no common default password that could be exploited through local wireless access, over the Internet, or by malware.
  • Alternatively, the device must force the user to set a new credential on first use.

In the context of your organization, you may have IoT and/or IIoT deployed such as smart TVs, surveillance cameras, motion sensors and other IoT devices and networks. But you may also have Shadow IoT in your building: wireless SD cards, wireless thumb drives, a recent HVAC upgrade that included new WiFi-enabled thermostats, IoT-enabled appliances in the employee kitchen, etc. Our recent threat report outlines many of these risks, which are key to the security stance of your organization and its network. We recommend the following steps:

  • Discover all of your IoT assets – both known and unknown (Shadow IoT).
  • Assess the security posture of those devices.
    • This includes their wireless connectivity to the WLAN, to an IoT hub (Z-Wave, Zigbee, etc.), and to one another (machine-to-machine), to ensure these devices employ encryption and authentication controls.
    • The same goes for Shadow IoT, as these devices are an extension of your network whether or not they are connected to it.
  • Monitor for risks and threats that could lead to data exfiltration or a breach. Examples include:
    • Wireless printers connected to the wired network whose wireless interface was never configured and is still in “SETUP” mode.
    • Newly deployed facilities controls such as wireless surveillance cameras or new IoT-enabled thermostats.
    • Wireless SD cards and wireless thumb drives used with employee laptops, which allow out-of-band wireless access to the storage device.
  • Protect against IoT attacks with Air Isolation and Deceptive Networking.
    • Deceptive Networking presents low-hanging fruit to an attacker; once lured into the deceptive network, the attacker reveals intelligence about themselves and triggers an early warning that an adversary is nearby.
    • Air Isolation terminates wireless connections over the air, automatically or manually, to knock the adversary off a wireless network.
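The discovery and posture steps above can be automated against a wireless survey. The following is an added example written for this article, not 802 Secure’s AirShield code: it compares a list of observed radios with an asset register and flags Shadow IoT (radios IT does not know about), radios still advertising a factory setup or WiFi Direct SSID, and open or WEP networks. The OUI table, asset register, SSID patterns and survey records are constructed placeholders.

```python
"""Triage of a wireless survey against an asset register: flags Shadow IoT (radios
not in the register), devices still in a vendor setup or peer-to-peer onboarding
mode, and networks without modern encryption. Example code written for this
article, not 802 Secure's product code. The OUI table, asset register, SSID
patterns and survey records are all constructed placeholders; a real deployment
would load the IEEE OUI registry and the organization's CMDB."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Radio:
    mac: str
    ssid: str        # SSID advertised (AP) or joined (client)
    security: str    # "open", "WEP", "WPA", "WPA2" or "WPA3"
    role: str        # "ap" or "client"


# Constructed OUI (first three octets) -> vendor table; placeholder values.
OUI_VENDORS: Dict[str, str] = {
    "00:11:22": "CorpAPVendor",
    "aa:bb:cc": "ExampleThermostatCo",
    "dd:ee:ff": "ExamplePrinterInc",
}
# Constructed asset register of MACs that IT knows about.
ASSET_REGISTER = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:03", "aa:bb:cc:00:00:07"}
# Assumed SSID patterns for factory setup / WiFi Direct onboarding modes.
SETUP_MODE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in
                       (r"^HP-(Print|Setup)-", r"-Setup$", r"^DIRECT-", r"^SETUP[-_]")]
WEAK_SECURITY = {"open", "WEP"}


def vendor_of(mac: str) -> str:
    """Vendor lookup by OUI; locally administered or randomized MACs will come back unknown."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def triage(radios: List[Radio], register=ASSET_REGISTER) -> List[dict]:
    """One finding per radio that needs attention, with the reasons it was flagged."""
    findings = []
    for r in radios:
        reasons = []
        if r.mac.lower() not in register:
            reasons.append("shadow_iot")          # unknown to the asset register
        if any(p.search(r.ssid) for p in SETUP_MODE_PATTERNS):
            reasons.append("setup_mode")          # never configured, default creds likely
        if r.security in WEAK_SECURITY:
            reasons.append("weak_security:" + r.security)
        if reasons:
            findings.append({"mac": r.mac, "vendor": vendor_of(r.mac), "ssid": r.ssid,
                             "role": r.role, "reasons": reasons})
    return findings


# Constructed survey results.
SURVEY: List[Radio] = [
    Radio("00:11:22:aa:bb:01", "Corp-WLAN", "WPA2", "ap"),          # known AP, fine
    Radio("00:11:22:aa:bb:03", "Corp-Guest", "open", "ap"),         # known AP, open guest
    Radio("aa:bb:cc:00:00:07", "Corp-WLAN", "WPA2", "client"),      # registered thermostat
    Radio("aa:bb:cc:00:00:09", "Corp-WLAN", "WPA2", "client"),      # second thermostat nobody registered
    Radio("dd:ee:ff:12:34:56", "HP-Print-56-Setup", "open", "ap"),  # printer still in setup mode
    Radio("02:aa:bb:cc:dd:ee", "DIRECT-xy-SmartTV", "WPA2", "ap"),  # kitchen TV with WiFi Direct on
]

if __name__ == "__main__":
    for f in triage(SURVEY):
        print(f"{f['mac']} ({f['vendor']}, {f['role']}, ssid={f['ssid']!r}): {', '.join(f['reasons'])}")
```

A production version would load the IEEE OUI registry for vendor lookup, pull the register from the CMDB, and run over repeated surveys so that a radio that appears after an HVAC upgrade or a new printer delivery is flagged the first time it is seen. Vendors may randomize or locally administer MAC addresses (the 02: prefix above), so the OUI lookup is a hint, not proof of identity.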

Regarding the new bill, Bruce Schneier put it best: “It probably doesn’t go far enough — but that’s no reason not to pass it.” We need to start somewhere, and this is a good first step that makes manufacturers responsible for including fundamental security controls in the devices they sell to consumers and companies. Getting there will be a herculean task, as the IoT market is incredibly fragmented across manufacturers and the global supply chain. In addition, with the plethora of operating systems, protocols and frequencies used by IoT devices, protecting devices across this broad wireless threat landscape is no easy task.

The best approach is to begin fortifying your company’s IoT strategy by addressing both IoT and Shadow IoT risks through discovery. 95% of IoT is wireless, so visibility can begin with our AirShield sensor, which provides visibility into all of your IoT and IIoT assets, something that is simply not fully visible from your wired network or WLAN infrastructure. This broader view gives you a far more comprehensive picture of all of your IoT, including Shadow IoT. The following link outlines the threats we see systemically across our entire customer base: https://www.802secure.com/iot-cloud-security-report-2017/.

For more insights, check out our presentation at RSA on IoT Data Exfiltration.

And remember, you can’t protect what you can’t see…