Computer Fraud & Security
ISSN 1361-3723 July 2018
www.computerfraudandsecurity.com

Contents

NEWS
Financial organisations must show they're ready for disaster 1
Big names in major breaches 3

FEATURES
Assessing website password practices – over a decade of progress? 6
The role of crypto-currency in cybercrime 13
Critical infrastructure: understanding the threat 16

Editorial 2
Report analysis 4
News in brief 5
Calendar 20

Featured in this issue

Assessing website password practices – over a decade of progress?
World Password Day 2018 saw Microsoft suggesting that it would deliver a "world without passwords". But we've been here before. Indeed, the fact that we even have a World Password Day rather implies that passwords are not as dead as past announcements and headlines would have us believe. Every now and again we get a flurry of headlines proclaiming the passing of passwords, yet they are still with us and still being broken and breached. Steven Furnell of the University of Plymouth, UK and Edith Cowan University, Australia presents the results of an assessment of password guidance and policy enforcement on a series of leading websites and compares them with similar studies from 2007, 2011 and 2014. The findings have been revealing in terms of the approaches taken by the sites and particularly the extent to which they support their users in achieving good practice. A consistent finding in all prior cases was that sites were collectively doing rather less than might be expected. So, 11 years on from the original study, what's changed and have things got any better? Full story on page 6.

The role of crypto-currency in cybercrime
The market for crypto-currencies has been incredibly volatile and these peaks and troughs have made crypto-currency value a popular media topic. Hackers, too, have taken notice. We have seen a recent sharp rise in crypto-jacking attacks, exploiting the power of victims' computers to mine crypto-currency. And alternative currencies also play a major role in ransomware attacks, being the payment method of choice. The chief defence against this growing threat, says Aaron Higbee of Cofense, is education. Phishing is a key element in these attacks and businesses need to help their first line of defence – their employees – to spot phishing attacks. Full story on page 13.

Critical infrastructure: understanding the threat
With nation state cyber-meddling now an acknowledged problem, there's growing concern about the threats to critical national infrastructure (CNI). The vulnerability of the systems that underpin the functioning of society isn't exactly news to security specialists. But now politicians and the general public are waking up to the potential havoc that hackers could wreak. As Scott King of Rapid7 explains in this interview, the threats are real, but not necessarily in the way people imagine. Full story on page 16.

NEWS

Financial organisations must show they're ready for disaster

At the beginning of July, the Bank of England (BoE) and Financial Conduct Authority (FCA) gave notice to the UK's financial institutions that they had three months in which to produce reports on how they avoid IT failures and mitigate cyber-attacks.

"Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system," said Andrew Bailey, chief executive of the FCA, and Jon Cunliffe, deputy governor of the BoE, in a joint statement at the launch of the discussion paper.

Continued on page 3...

ISSN 1361-3723/18 © 2018 Elsevier Ltd. All rights reserved.

EDITORIAL

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
Tel: +44 1865 843239 Fax: +44 (0)1865 843973
Web: www.computerfraudandsecurity.com
Publishing Director: Bethan Keall
Publisher: Greg Valero
Editor: Steve Mansfield-Devine
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Support Manager: Lin Lucas
Subscription Information: An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received. More information: www.elsevier.com/journals/institutional/computer-fraud-and-security/1361-3723

Editorial

Things seem to have taken a turn for the better lately with regard to privacy. And no, I'm not talking about the EU's General Data Protection Regulation (GDPR), although that will have focused the minds of many organisations in the right direction.

The US Supreme Court has handed down a somewhat surprising ruling that will have major implications for how some data is used. In the case of Carpenter vs the United States, the court effectively overturned the so-called 'third-party doctrine' – the assumption that when you hand your private information to a third party, such as an online service, you can no longer have any reasonable expectation of privacy with regard to that information.

This led to the situation where mobile phone operators were selling customer information – including detailed real-time data about location – to law enforcement agencies (LEAs), often through companies established purely to market this data trove. Indeed, it seems that there is a thriving reseller market for this data: before it reaches an LEA, the information has sometimes been sold and resold multiple times. It's effectively a market for real-time surveillance data.

One company, LocationSmart, even offered a 'try before you buy' page on its website that, it turned out, allowed you to look up the real-time location of any mobile phone with a number issued by one of the major carriers.

Since the New York Times broke the story about this lucrative business, those carriers – AT&T, Sprint, T-Mobile and Verizon – have announced they are severing ties with these data resellers. That, of course, doesn't prevent them from carving out new deals, or even selling the data directly.

This trade came to the attention of the Supreme Court because of the case of Timothy Carpenter, who was sentenced to 116 years for a series of armed robberies. The police obtained cell site location information (CSLI) which showed that he was in the location of each robbery when it happened. The Supreme Court, however, ruled this was a breach of the Fourth Amendment protection against unreasonable search. This is a major change in the law because it's the first time the amendment has been applied to something other than physical evidence.

The court emphasised that its ruling applies only to the specific issue of location data and that it does not extend to "conventional surveillance techniques and tools, such as security cameras; does not address other business records that might incidentally reveal location information; and does not consider other collection techniques involving foreign affairs or national security".

CSLI is "detailed, encyclopaedic, and effortlessly compiled" and is automatically collected, requiring no action on the part of the subscriber. This places it in a different category to, say, call records or financial transactions. The court referred to CSLI as "near perfect surveillance" allowing users of the data to "travel back in time to retrace a person's whereabouts, subject only to the five-year retention policies of most wireless carriers." This means CSLI deserves special protections, the court argued in its ruling. In addition, mobile phones are "indispensable to participation in modern society", which cut off the argument that people can opt to avoid surveillance by not having a phone.

How this will play out is the subject of much debate, but it certainly swings the pendulum towards greater privacy. It would seem likely that those intermediary companies selling the location data may be out of business, or at least have less to offer (it remains to be seen if other data, such as call records, will continue to be traded). And LEAs will now have to show probable cause to a judge in order to obtain a warrant before accessing the information.

– Steve Mansfield-Devine

NEWS

...Continued from front page

Organisations in the sector will have to convince the BoE and FCA that they have systems and procedures in place to weather any service disruption, whether it's caused by IT failures or activities by cyber-criminals.

"This is good news," said Dan Pitman, senior solutions architect at Alert Logic. "The concepts of disaster recovery, cyberthreats, business (revenue) continuity and so on are intrinsically linked through business risk, but too often considered separate by businesses. Banks and other financial services underpin our economy and enable the public and businesses to operate. They have a duty to ensure that disruption from any source, be it technological, process-based or malicious, is planned for and demonstrable to customers, partners and governing organisations."

The announcement came shortly after a major outage affecting customers of TSB, who were unable to access their accounts online for a week because of a failed IT migration, with some customers still unable to use the service after a month. Analysis of the problem by IBM, which suggested a lack of testing, was published by the Treasury Committee. The report said IBM "has not seen evidence of the application of a rigorous set of go-live criteria to prove production readiness".

The BoE and FCA have suggested that two days is a reasonable maximum for disruption to business services. If financial firms fail to convince regulators that they have adequate back-up plans and cyber-defences, they may be forced to make further investment or increase their capital levels to protect customers. The discussion paper is available here: http://bit.ly/2L0P6JM.

Big names in major breaches

A rash of data breaches has affected millions of people and big-name brands, albeit indirectly in some cases.

Marketing and data aggregation firm Exactis left 2TB worth of data – nearly 340 million records – on a publicly accessible server. The information, which seems to have covered nearly all adults in the US, included names, addresses, phone numbers, email addresses and even subjects such as religion, interests and the number, age and gender of any children. Some records contain more than 400 items of information, such as whether the person smokes or has pets. No Social Security numbers or financial details were included in the database.

Security researcher Vinny Troia of Night Lion Security found the database using the Shodan search tool by searching for publicly accessible servers running instances of ElasticSearch databases. "I'm not the first person to think of scraping ElasticSearch servers," he told Wired. "I'd be surprised if someone else didn't already have this." Exactis protected the database after being contacted by Troia.

Social media aggregation service Timehop admitted to a breach affecting the personal information of 21 million of its users. Attackers exploited access tokens provided by the company's cloud hosting provider in December 2017. They then created a new administrative account. This wasn't discovered until the firm noticed a network intrusion on 4 July. Information affected includes names, email addresses and phone numbers. The firm claimed that no financial or private messaging information was involved. There are full details here: http://bit.ly/2u5bSXk.

A couple of major names have been affected by breaches at third-party suppliers. Ticketmaster acknowledged a breach affecting around 40,000 customers, mainly in the UK, after Inbenta Technologies, which hosts a customer support system for the firm, was compromised. Ticketmaster issued a statement saying: "Less than 5% of our global customer base has been affected by this incident," but the number could climb much higher. And it subsequently emerged that mobile banking firm Monzo had warned Ticketmaster and Inbenta of a problem back in April. The bank had seen so many dubious transactions that it requested Mastercard to replace all the cards issued to Monzo's customers. Ticketmaster, however, seems to have denied any evidence of a breach.

Dixons Carphone has admitted to an "unauthorised access" involving 5.9 million payment cards and 1.2 million personal data records. According to the company, its research "indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised." The breach also exposed the personal details (name, address, email address) of 1.2 million people. The firm's confession is here: http://bit.ly/2L1zKBG.

Meanwhile, Typeform, which manages surveys and competitions on behalf of other firms, suffered a breach that has affected brands such as Fortnum & Mason and Travelodge. In most cases, only the customer's email address was vulnerable, although additional information was compromised in some instances. Some of the firm's customers have already said they are severing ties with it. Other organisations affected by the breach include lesser names such as Australian bakery chain Bakers Delight, banking firm Revolut, the Australian Republican Movement, data platform Ocean Protocol, software companies DevResults and PostShift, and even Shavington-cum-Gresty Parish Council in Cheshire.

Finally, Adidas has warned US customers that their information may have been stolen. The company has so far been cagey about details, saying simply that: "The limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted." The size of the breach is unknown, but could reach into the millions of records.
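The exposure pattern behind the Exactis find is an Elasticsearch node that answers on its HTTP port with no credentials, which is exactly what a Shodan query surfaces, and it is worth checking your own estate for before someone else does. The Python below is an added example, not code from the article, from Exactis or from Night Lion Security: it parses the two responses an open node gives to unauthenticated requests (GET / and GET /_cat/indices?format=json) and reports what is readable. The sample responses, cluster name, index name and document count are constructed for illustration, and the probe() helper assumes plain HTTP on port 9200 against a host you are authorised to test.

```python
"""Check whether an Elasticsearch node answers unauthenticated requests.

Added example (not from the article). An exposed node returns cluster
metadata on GET / and an index listing on GET /_cat/indices with no
credentials at all; a node with security enabled answers both with 401.
"""
import json
import urllib.error
import urllib.request

# Every Elasticsearch root response carries this fixed tagline.
TAGLINE = "You Know, for Search"


def parse_root(body):
    """Summarise the JSON that GET / returns on an Elasticsearch node.

    Returns {} when the body is not an Elasticsearch root document, so the
    caller can tell "port open but not Elasticsearch" from "node answering
    without credentials".
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return {}
    if not isinstance(data, dict) or data.get("tagline") != TAGLINE:
        return {}
    version = data.get("version") or {}
    return {
        "cluster_name": data.get("cluster_name", ""),
        "version": version.get("number", "") if isinstance(version, dict) else "",
    }


def parse_cat_indices(body):
    """Parse GET /_cat/indices?format=json into a list of (index, doc_count).

    The _cat API reports counts as strings and omits them for closed
    indices; internal indices (names starting with '.') are skipped.
    """
    try:
        rows = json.loads(body)
    except (TypeError, ValueError):
        return []
    if not isinstance(rows, list):
        return []
    result = []
    for row in rows:
        if not isinstance(row, dict):
            continue
        name = row.get("index", "")
        try:
            docs = int(row.get("docs.count") or 0)
        except ValueError:
            docs = 0
        if name and not name.startswith("."):
            result.append((name, docs))
    return result


def assess(root_body, cat_body):
    """Turn the two response bodies (None if refused or unreachable) into a verdict."""
    root = parse_root(root_body) if root_body is not None else {}
    if not root:
        return {"elasticsearch": False, "exposed": False, "indices": [], "docs": 0}
    indices = parse_cat_indices(cat_body) if cat_body is not None else []
    return {
        "elasticsearch": True,
        "exposed": True,                        # metadata readable with no credentials
        "index_listing": cat_body is not None,  # _cat/indices answered as well
        "cluster_name": root["cluster_name"],
        "version": root["version"],
        "indices": indices,
        "docs": sum(docs for _, docs in indices),
    }


def _get(url, timeout):
    """GET url with no credentials; None on any HTTP error (401/403 included) or failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def probe(host, port=9200, timeout=5):
    """Live check against a host you are authorised to test (assumes plain HTTP)."""
    base = "http://%s:%d" % (host, port)
    root_body = _get(base + "/", timeout)
    cat_body = _get(base + "/_cat/indices?format=json", timeout) if root_body else None
    return assess(root_body, cat_body)


# Constructed sample responses for offline use; not captured from any real host.
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "marketing-data",
                          "version": {"number": "6.2.4"}, "tagline": TAGLINE})
SAMPLE_CAT = json.dumps([
    {"health": "yellow", "status": "open", "index": "people",
     "docs.count": "339000000", "store.size": "2tb"},
    {"health": "green", "status": "open", "index": ".kibana",
     "docs.count": "2", "store.size": "10kb"},
])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(probe(target) if target else assess(SAMPLE_ROOT, SAMPLE_CAT), indent=2))
```

Run with no arguments to see the verdict for the constructed sample, or pass a hostname to probe a node you own. A "true" for exposed means anyone who finds the port (Shodan indexes exactly this root response) can read cluster metadata; a "true" for index_listing means they can also enumerate indices and document counts, and a GET on /<index>/_search would return the records themselves.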


Report Analysis

Bank of England: Systemic Risk Survey

The Bank of England's twice-yearly 'Systemic Risk Survey' report shows a slight increase in the expectation among financial services companies that they will suffer a high-impact cyber-attack. At the same time, those same organisations seem to be extremely confident that they can withstand or survive such an attack. But the historical data from past reports shows a fast ramping up of concern about both cyber-attacks and non-technical risks, particularly in the political sphere.

When asked about key risks to the UK financial system, cyber-attack barely registers between the first time the survey was taken, in 2008, and 2014, when more than a tenth of organisations finally considered it significant. Then concern ramps up until the first half of 2018, when two-thirds of those surveyed rated it a key risk. That puts it now at the same level as geopolitical risk but some way behind 'UK political risk' (which, in a word, means Brexit), rated at 91%.

Other risks have headed in the opposite direction. 'Risk of financial institution failure/distress', for example, topped the list in 2008, at 85%. That's now down to 11%, which may surprise some bank customers who have been inconvenienced by more than one system failure in recent months. However, the Bank of England runs its own stress tests and the results of the 2017 exercise showed that: "For the first time since the Bank of England launched its stress tests in 2014, no bank needs to strengthen its capital position as a result of the stress test. The 2017 stress test shows the UK banking system is resilient to deep simultaneous recessions in the UK and global economies, large falls in asset prices and a separate stress of misconduct costs."

Clearly, then, what banks are most concerned about is the self-harm inflicted by Brexit – an external threat largely beyond their control, as are the risks posed by geopolitical developments. The most significant area of concern where they can take direct measures to protect themselves is cyber-security.

"With the UK's financial stability at stake, it comes as no surprise that cyber-attacks are seen as the second biggest risk after Brexit," said Kirill Kasavchenko, principal security technologist at Netscout Arbor. "Cybercrime is constantly proving to be a lucrative source of revenue, particularly when it comes to money-rich and sensitive data-driven sectors like finance. To minimise this threat, all organisations, particularly those in the financial services industry, must look to adapt a proactive stance, rather than wishing attacks away. As part of this, the cyber-security community need to collaborate to cut cybercrime frequency, severity and impact. Security threats cannot be mitigated by any single organisation alone. It requires better intelligence sharing and improved co-operation not only with law enforcement but also with the rest of industry. Sharing best threat detection and protection practices will allow a broader and deeper visibility of network traffic, threats and user behaviour. All companies can benefit from taking these steps to increase their security provisions."

The report notes that: "Confidence in the stability of the UK financial system over the next three years has increased. The proportion of respondents judging themselves to be fairly confident, very confident or completely confident increased to 94% (+4 percentage points)."

However, while that may be the case for the country's financial system as a whole, whether that confidence extends to an individual financial organisation's technology isn't recorded. This could be seen as something of a weakness in the report, given that cyberthreats have grown to outweigh issues such as a downturn in the UK economy (rated as a key risk by 33% in 2008, 26% in 2018) or risk of financial market disruption/dislocation (down from 45% to 16%).

When asked about the number one threat, UK political risk still topped the list (53%), but cyber-attack was second (14%) with geopolitical risk knocked into third place (11%) and the 19 other categories receiving negligible (or no) votes.

True, the financial sector is one of the strongest when it comes to cyber-security. However, it does have issues, some of them running deep. And when asked what risks are the most challenging to manage, cyber-attack pretty much equals UK political risk at the top of the table.

"Due to the significant amount of legacy systems that financial services hold, it is no surprise that cyber-risks and fraud are rising for these firms," said Pete Banham, cyber resilience expert at Mimecast. "Legacy systems make it difficult for financial institutions to implement change, let alone embed new processes and technology to help with cyber-security. This is where new, challenger financial brands can stand out from the crowd."

He added: "Impersonation fraud, particularly via email, continues to grow and remain dangerous no matter how up to date the technology. Cyber-criminals rely on the inherent trust in email to launch attacks that wreak havoc for businesses across all industries. There is also a major supply chain risk, as attackers could use an employee as a stepping stone to launch impersonation attacks against a bank's suppliers and corporate customers. More needs to be done to ensure that organisations, not just those in the financial sector, remain cyber resilient. This needs to span beyond security and look at continuity, remediation and recovery to ensure that businesses can get back on their feet if something does get through. Accountability also shouldn't be limited to the IT team. As every employee is a potential route into the business, ongoing education for all is critical."

There is another factor here, too. The risk posed by Brexit to the financial system is going to be resolved soon, one way or another. And geopolitical risks wax and wane forever. But the risk of cyber-attack is continually growing, and it's something that needs action now.

The report is available here: www.bankofengland.co.uk/systemic-risk-survey/2018/2018-h1.

NEWS

In brief

Privacy Shield in doubt
A vote in the European Parliament has cast doubt on the continued viability of the Privacy Shield agreement that allows US organisations to move personal information relating to EU citizens to servers in the US without being liable to the full weight of EU privacy laws. Privacy Shield was implemented when the previous arrangement, Safe Harbor, was thrown out in the courts following a challenge by activist Max Schrems. Last September, a European Commission review noted that there are still vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB) and no permanent ombudsman. It also raised concerns about executive orders concerning immigration, security and privacy by US President Donald Trump. Now MEPs on the civil liberties committee (LIBE) have said that many of these concerns have not been addressed and it voted in favour of calling on the European Commission to suspend the arrangement if the US is not compliant by the new review in September.

HMRC voice database revealed
One of the first organisations that could potentially fall foul of the new EU General Data Protection Regulation (GDPR) is the UK's tax authority, HM Revenue & Customs (HMRC). A Freedom of Information (FoI) request filed by Big Brother Watch has revealed that HMRC has amassed a database of 5.1 million voiceprints. People contacting the organisation by phone are required to record a key phrase as a means of biometric identification to be used in subsequent communications under a scheme known as Voice ID. However, according to Big Brother Watch, users are not given sufficient information on how to opt out of the scheme, or if and when their data would be deleted. In fact, in the first 30 days of the scheme operating, since it started in January 2018, no-one opted out, probably because the registration system doesn't give them the option. HMRC has refused to provide details about how data erasure would work. Big Brother Watch has pointed out that the GDPR requires a positive opt-in to such schemes. Users can later choose not to use the biometric authentication, but are given no details about how to delete the files. HMRC's response to the FoI also revealed that the department did not consult the biometrics commissioner on its Voice ID plans.

EU cyber force
The European Union could set up a cyber-response force trained to counter future attacks if it follows up on a proposal by the Lithuanian Government. A Declaration of Intent was put forward by the country at a session of the EU Foreign Affairs Council in Luxembourg. Five other countries – Romania, Croatia, Estonia, the Netherlands and Spain – have already signed up to it and four more are believed to be ready to join by the end of the year. France and Finland are participating in the project while Belgium, Germany, Greece and Slovenia have joined as observers. The 'EU Cyber Rapid Response Force' would employ the services of security firms and specialists to create a standing cyber-security unit that could counter major attacks, especially those emanating from nation states, according to Lithuanian Minister of National Defence Raimundas Karoblis. There's more information here: http://bit.ly/2uj2Jd5.

NHS under attack…
In the past three years, the UK's National Health Service has suffered more than 18 days of IT system outages as a result of cyber-attacks. A Freedom of Information (FoI) request by tech firm Intercity Technology revealed that of the 80 NHS Trusts that had responded to the request, 17% had experienced security-related downtime. Inevitably, a significant proportion of these will have been caused by the virulent but short-lived WannaCry ransomware outbreak, with some NHS organisations also having fallen foul of the Locky and Zepto variants.

…and leaking data
A data breach at NHS Digital affecting 150,000 people has been blamed on a coding error. The confidential data related to people who thought they had opted for the information to be used only for matters relating to their own care. NHS Digital oversees the use of data collected via doctors and NHS institutions. In many cases, this information can be passed – usually, but not always, anonymised – to third parties for use in clinical research. A 'Type-2' opt-out is made available to patients who don't want their data used in this way. However, an error by software development firm TPP, to which coding work had been outsourced, led to these opt-outs being ignored in 150,000 cases. "There is not, and has never been, any risk to patient care as a result of this error," said Jackie Doyle-Price, Parliamentary Under-Secretary of State for Health. "NHS Digital has made the Information Commissioner's Office and the National Data Guardian for Health and Care aware." Type-2 opt-outs have now been replaced by a national data opt-out meant to simplify the registering of an objection to wider data sharing.

Dark web arrests
A year-long operation against a number of dark web markets, involving the US Department of Justice, US Immigration and Customs Enforcement's Homeland Security Investigations unit, the US Secret Service, the US Postal Inspection Service and the Drug Enforcement Administration, has resulted in multiple arrests and the seizure of goods. The agencies focused on the (now-defunct) Silk Road, AlphaBay, Hansa and Dream dark web marketplaces. Agents posed as money launderers willing to convert crypto-currency funds into US dollars in order to gain the trust of vendors. In the last four weeks of the operation, the execution of more than 70 search warrants as part of 100 law enforcement actions across the US led to the seizure of 333 bottles of liquid synthetic opioids, over 100,000 tramadol pills, 100g of fentanyl, more than 24kg of Xanax, other recreational and prescription drugs and 15 pill presses. Agents also seized over 100 firearms, five vehicles bought with funds from illegal activities, more than $3.6m in currency and gold bars, nearly 2,000 Bitcoins and other crypto-currency worth over $20m and Bitcoin mining equipment. Around 35 arrests were made, although the operation had targeted 65 people.

UK firms attacked every three minutes
On average, UK businesses were subjected to 52,596 cyber-attacks each in the three months to the end of June – the equivalent of 578 attempts a day or just over once every three minutes, according to Beaming, the business ISP. Although the rate of attack was slightly down on that experienced in the first quarter of the year, when businesses received 53,981 attacks each, there was an increase in the number of attacks targeting remote desktop services. On average, businesses received 1,655 attempts each to breach remote desktop systems between April and June this year, 8% more than in the preceding quarter. Remotely controlled devices such as building control systems and networked security cameras were the most commonly targeted systems. Over the past three months they attracted 41% of all attacks. Businesses experienced 21,499 attempts each on average to take control of IoT devices. Beaming believes hackers target IoT devices for use in distributed denial of service (DDoS) attacks. Q2 was the first full recorded quarter in which Europe was the most common source of cyber-attacks on UK businesses, with 43% originating from European locations, compared to 34% from Asia and 17% from North America.

Computer Fraud & Security, July 2018

FEATURE

Assessing website password practices – over a decade of progress?

Steven Furnell, Centre for Security, Communications and Network Research, University of Plymouth, UK; Security Research Institute, Edith Cowan University, Perth, Australia

World Password Day 2018 saw Microsoft suggesting that it would deliver a “world without passwords” and BlackBerry proposing that they would be replaced by adaptive authentication (based on the buzzwords du jour of artificial intelligence and machine learning).[1,2] Yet at the same time we had the irony of Twitter asking 330 million subscribers to change their passwords, having discovered a bug in the firm’s internal systems that resulted in them being stored in unencrypted form.[3]

Every now and again we get a flurry of headlines proclaiming the passing of passwords. Bill Gates said they were dead in 2004.[4] In 2013, the FIDO (Fast Identity Online) Alliance told us we could replace them, and it is happening again in 2018 with the launch of the FIDO2 Project, which continues the aim to end our dependency on this vulnerable approach.[5,6] However, the fact that we even have a World Password Day rather implies that passwords are not as dead as past announcements and headlines would have us believe. In fact, if you listen in the right places, rumours are rife that passwords are still used as the principal (or even sole) authentication method on the vast majority of systems, sites and services.

Given our continued reliance upon this much-maligned technology, it is reasonable to expect that those requiring people to use passwords would at least be taking all reasonable steps to ensure that they do so in an informed and effective manner. With that thought in mind, this article presents the results from an assessment of password guidance and policy enforcement on a series of leading websites. The study continues the theme of an assessment first conducted in 2007 and then repeated in 2011 and 2014.[7-9] In each instance, the findings have been revealing in terms of the approaches taken by the sites and particularly the extent to which they support their users in achieving good practice. A consistent finding in all prior cases was that sites were collectively doing rather less than might be expected. So, 11 years on from the original study, it is worth seeing what’s changed and if things are any better.

Site selection and assessment methodology

As in the previous studies, the candidate sites were identified from the Alexa global list of ‘The top 500 sites on the web’ (see: www.alexa.com/topsites). The sample was taken in early June 2018 and focused on the top 10 unique English language sites (a choice largely motivated by the fact that the author needed to be able to understand them). This meant omitting various non-English sites (eg, Baidu, Qq, Taobao and Sohu), as well as regional variations such as Google.co.in, and other sites that used the same login service as others already listed (eg, YouTube, listed at number two, uses Google credentials to sign in). As a result, Netflix – the 10th-ranked unique English language site – was actually 27th in the overall list. The full list of sites and their ranking at the time is shown in Table 1, along with the description provided on the Alexa site (with the exception of Instagram, where a description has been added because the Alexa listing did not include one). Of these, Amazon, Facebook, Google, Microsoft and Yahoo had featured in all of the earlier versions of the study, while Twitter and Wikipedia both appeared in the last couple. This left Instagram, Netflix and Reddit as the newcomers, replacing LinkedIn, Pinterest and WordPress from the 2014 study.

As with the prior runs of the study, the sample of just 10 sites is not presented as being statistically significant. Its aim is rather to capture a group of leading and well-recognised services, whose password practices consequently affect a sizeable community of users (who may in turn use their experiences of these sites to influence their password choices in other contexts). Similarly, other online providers may see these market-leading sites as the examples to follow when deciding upon the acceptable security to be offered on their own sites.

The assessment process involved creating and using accounts on the sites in order to determine the password selection requirements. The passwords were then updated using the available change and reset procedures. The overall evaluation process sought to establish whether:
• The sites provided any guidance to support password selection, and (if so) the extent of the coverage.
• The site enforced any restrictions on permissible password choices.
• Users were provided with interactive feedback or nudges to improve their password choices (eg, via a password strength meter or ratings).


• There was any means for users to supplement their passwords with additional protection (eg, via one-time passcodes sent to their mobile devices).
• The site permitted the reuse of old passwords.
• A means was offered to reset or recover passwords.

| Alexa ranking | Site | Alexa description of site |
|---|---|---|
| 1 | Google | “Enables users to search the world’s information, including web pages, images, and videos.” |
| 3 | Facebook | “A social utility that connects people, to keep up with friends, upload photos, share links and videos.” |
| 5 | Wikipedia | “A free encyclopedia built collaboratively using wiki software.” |
| 6 | Reddit | “User-generated news links. Votes promote stories to the front page.” |
| 7 | Yahoo | “A major Internet portal and service provider offering search results, customisable content, chatrooms, free email, clubs, and pager.” |
| 10 | Amazon | “Amazon.com seeks to be Earth’s most customer-centric company, where customers can find and discover anything they might want to buy online, and endeavors to offer its customers the lowest possible prices.” |
| 13 | Twitter | “Social networking and microblogging service utilising instant messaging, SMS or a web interface.” |
| 15 | Instagram | Social networking service for sharing photos and videos. |
| 17 | Microsoft Live | “Search engine from Microsoft.” |
| 27 | Netflix | “Flat monthly fee streaming TV and movies service.” |

Table 1: Ten popular websites selected for assessment.

Provision of password guidance

The first issue of interest is whether the website provides any upfront guidance on selecting (and ideally managing) the password it is asking the user to set. To qualify, a site needed to present – or offer links to – at least a couple of tips, and this guidance had to be available before users tried to enter their choice (ie, the assessment does not count feedback messages provided in response to choices that are not permitted). The sites were assessed in three password-setting scenarios (ie, at initial sign-up, if users elect to change their password, or if users are forced to change their password because they have forgotten it), and the results are presented in Table 2.

| Site | Sign-up | Password change | Password reset |
|---|---|---|---|
| Amazon | ✘ | ✘ | ✓ |
| Facebook | ✘ | ✘ | ✓ |
| Google | ✓ | ✓ | ✘ |
| Instagram | ✘ | ✘ | ✘ |
| Microsoft Live | ✘ | ✘ | ✘ |
| Netflix | ✘ | ✘ | ✘ |
| Reddit | ✘ | ✘ | ✘ |
| Twitter | ✘ | ✘ | ✓ |
| Wikipedia | ✘ | ✘ | ✘ |
| Yahoo | ✘ | ✘ | ✘ |

Table 2: Provision of password guidance at different stages.

As in previous runs of the study, it was interesting to note the considerable variations in guidance and support that existed at different stages. For example, Figure 1 illustrates the differences observed with Twitter, which was largely devoid of upfront guidance at sign-up, provided strength ratings for password change and provided onscreen advice, ratings and a ‘Learn more’ link to full guidance at password reset. Meanwhile, other sites (eg, Reddit) were consistent in a lack of guidance throughout.

It is notable that in the initial registration stage (Figure 1a), Twitter offers a feedback message requesting that users “enter a stronger password”, but the site provides no support for them to understand what ‘stronger’ actually means. By contrast, the term is directly defined in the password-reset stage (Figure 1c). Meanwhile, the ‘Learn more’ link takes the reader to an informative set of advice on account security, including a good set of password dos and don’ts (and interestingly this includes advice suggesting that users “Do create a password at least 10 characters long” – four characters longer than they are encouraged to choose at sign-up).[10] As such, it seems rather unfortunate that a link to this resource is not provided to assist users at other stages of the process.

One factor that was common to several of the sites (eg, Facebook, Twitter and Yahoo) was that, although they do not provide any guidance (or indeed indication of password rules) upfront, they do progressively reveal various requirements in response to users entering passwords that do not qualify. As an example, Figure 2 shows three messages from Yahoo that appeared in response to passwords that were (a) too short, (b) too obvious (‘password1’), and (c) included the surname (‘furnell1’). Aside from the fact that it seems unhelpful to reveal the existence of rules in a piecemeal manner, it is also liable to annoy users if they keep trying things and then keep getting knocked back.


Additionally, as an aside in this particular case, it can be noted that the message in Figure 2a asks users to make the password longer, but still neglects to reveal the minimum length that they should be aiming for.

It is notable that even where guidance is provided on what to do, none of the sites make much of an attempt to explain to the user why this advice is relevant. While users can probably work out the reasons for themselves in terms of advice around not writing passwords down or sharing them, the rationale for being asked to provide longer and more complex passwords, as well as avoiding dictionary words and personal information, often remains unclear. Many users still have no conception of password cracking or social engineering, and may still imagine the threat coming from an attacker sitting at the keyboard trying things manually. Explaining a little about the reality of the threats, or about what the various password requirements and restrictions seek to achieve, could aid users’ understanding and improve their buy-in and compliance as a result.

Figure 1: Contrasting the password guidance at: (a) initial registration; (b) password change; and (c) password reset.

Enforcement of restrictions

Whether they provided guidance or not, the other key question is what passwords the sites will actually permit users to select. To this end, the other significant aspect of the assessment examined the password restrictions that sites imposed at sign-up, as well as other elements of support that they might provide in order to help users behave more securely. In terms of restrictions on password choices, the study applied the same set of tests as had been used in the 2007-2014 versions, namely:
• Does the site enforce a minimum password length, and if so what is it?
• Are users prevented from using their surname as their password?
• Does the site prevent the re-use of the user ID (or email name) as the password?
• Are users prevented from using the string ‘password’?
• Does the site check the composition of the password to ensure multiple character types?
• Does the site filter out the use of dictionary words that would be easily compromised with cracking tools?

All of these are feasible to check (although checking surname and user ID aspects requires these to be featured during the registration process), and all of them are well-founded on the basis of the established bad practices that users can otherwise adopt. Table 3 summarises the degree of enforcement of these restrictions during initial sign-up to the sites. It also includes indications of additional provisions that sites may make, which are also considered in the discussion that follows. As an aside, it may be noted that some sites do actually differ in terms of the passwords they will accept at sign-up and those that are permitted at later stages, but a detailed account of these variations was beyond the scope of the study.

As can be seen, the best provisions (considering permitted password length and the other restrictions applied) were offered by Google, Microsoft Live and Yahoo. This finding is broadly comparable with the 2014 results – where they were also the top three among the sites assessed – although the checks and provisions are not exactly the same (eg, in 2014, Google did not enforce password composition rules, but did provide a password meter).

Figure 2: Password feedback messages revealed in response to unacceptable choices.

The three least favourable sets of results were from Amazon, Reddit and Wikipedia. Indeed, consistent with all of the prior versions of the study, Amazon’s password requirements remain the most liberal and the lack of any password meter to nudge users in the right direction means that it can ultimately be judged lower than Reddit in terms of overall support. Meanwhile, Wikipedia was somewhat ironic insofar as it filtered out obviously poor choices (such as the user ID or the word ‘password’) but would otherwise permit one-character passwords to be chosen without complaint.

While most of the length restrictions are simply as stated in Table 3, the value for Yahoo merits some further commentary. In this case, the length restriction works in conjunction with password composition. As shown in the table, the shortest permitted is seven characters, but this is only permitted with all character types (ie, uppercase, lowercase, numeric, and punctuation) being used. The system will not allow seven-character passwords with less diversity (enforcing an eight-character minimum length with three character types, and a nine-character minimum with one or two types). So, while Yahoo still does not enforce password composition with multiple character types, it certainly makes use of it as a factor in determining acceptable choices.

| Site | Enforces min length (+max if stated) | Prevents surname | Prevents user ID | Prevents ‘password’ | Enforces composition | Prevents dictionary words | Password meter | Extra protection | Prevents reuse |
|---|---|---|---|---|---|---|---|---|---|
| Amazon | 6 | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✓ | ✘ |
| Facebook | 6 | ✓ | – | ✓ | ✘ | ✓ | ✘ | ✓ | ✘ |
| Google | 8 | ✓ | ✓ | ✓ | ✓ | ✓ | ✘ | ✓ | ✓ |
| Instagram | 6 | ✘ | ✓ | ✓ | ✘ | ~ | ✘ | ✓ | ✓ |
| Microsoft Live | 8 | – | ✓ | ✓ | ✓ | ~ | ✘ | ✓ | ✓ |
| Netflix | 4–60 | – | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✓ |
| Reddit | 6 | – | ✘ | ✘ | ✘ | ✘ | ✓ | ✓ | ✘ |
| Twitter | 6 | ✘ | ✘ | ✓ | ✘ | ~ | ✘ | ✓ | ✘ |
| Wikipedia | ✘ | ✘ | ✓ | ✓ | ✘ | ~ | ✘ | ✘ | ✘ |
| Yahoo! | 7 | ✓ | ✓ | ✓ | ✘ | ✓ | ✘ | ✓ | ✓ |

Table 3: Enforcement of password restrictions (at sign-up) and availability of additional support. The first six columns are the restrictions enforced at sign-up; the last three are other support. ‘–’ indicates that the site does not collect the relevant information, and ‘~’ indicates partial filtering.


Upper limits on password length were not specifically tested and only Netflix explicitly indicated one. However, at 60 characters, this was likely to be sufficient for all but the most masochistic of password users.

In terms of preventing the use of the user’s surname, only three sites that collect the user’s name then utilise the information in password filtering. Meanwhile, three of the sites (Microsoft Live, Netflix and Reddit) do not collect the user’s actual name at the point the password is set and so implicitly cannot use it in the checking process either.

Aside from requiring a minimum length, the most commonly encountered policy rule was the prevention of the word ‘password’ (which is warranted, given its consistent prominence in the lists of worst passwords actually used). However, probing a little further tends to reveal some weaknesses beyond the initial positive result, as although the majority of the sites do indeed prevent the use of ‘password’, several accepted predictable variants such as ‘password1’, ‘Password’ and ‘Password1!’.

Multiple types

As in previous runs of the study, one of the least common policies enforced was to require that passwords be composed of multiple character types. As in 2014, just two sites did this, with only Microsoft Live being consistent across both studies. In 2014, Google did not do so, but Yahoo did. However, as observed earlier, Yahoo now only lets users get away with single character-type passwords if they are at least nine characters long – and so one way or another their policy is still ensuring a significant character space in the resulting password. The fact that composition rules remain the least enforced aspect of policy is arguably understandable, given earlier findings that users struggle to create and remember passwords with multiple character classes.[11]

In terms of dictionary words, the assessment was based upon a range of options, as shown in Table 4. The first three entries are words or word combinations found within the top 10 in SplashData’s most recent annual list of the worst passwords (and are included on the basis that it might consequently be reasonable to expect sites to block them).[12] The inclusion of ‘monkey’ is because it is another dictionary word that was popular in earlier versions of the same list (and indeed still appeared 13th in the 2017 listing). The use of ‘diamonds’ and ‘dictionary’ was to test longer strings while retaining dictionary words as the basis (with the latter choice doing so literally). The final three variations were included to see if the password parsing could be fooled by mixing the case and arbitrarily adding a number to the end (in the final variant).

| Test word | Amazon | Facebook | Google | Instagram | Microsoft Live | Netflix | Reddit | Twitter | Wikipedia | Yahoo |
|---|---|---|---|---|---|---|---|---|---|---|
| letmein | ✓ | ✘ | ✘ | ✘ | ✘ | ✓ | ✓ | ✘ | ✓ | ✘ |
| football | ✓ | ✘ | ✘ | ✘ | ✘ | ✓ | ✓ | ✘ | ✘ | ✘ |
| iloveyou | ✓ | ✘ | ✘ | ✘ | ✘ | ✓ | ✓ | ✘ | ✘ | ✘ |
| monkey | ✓ | ✘ | ✘ | ✘ | ✘ | ✓ | ✓ | ✘ | ✘ | ✘ |
| dictionary | ✓ | ✘ | ✘ | ✓ | ✘ | ✓ | ✓ | ✓ | ✓ | ✘ |
| diamonds | ✓ | ✘ | ✘ | ✓ | ✘ | ✓ | ✓ | ✓ | ✓ | ✘ |
| Diamonds | ✓ | ✘ | ✘ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✘ |
| Dictionary | ✓ | ✘ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✘ |
| Dictionary1 | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

Table 4: Dictionary words accepted (✓) by each site under test.

As can be seen from the table, Amazon, Netflix and Reddit performed no checking in this context and consequently permitted everything. Meanwhile, the remaining results are very much mixed, with only Facebook, Google and Yahoo managing to do a credible job of it. Some words were naturally prevented by virtue of other checks already in place (eg, both ‘letmein’ and ‘monkey’ were too short for the sites requiring eight-character minimum lengths). Microsoft Live also looks like it did a reasonable job, until it is noted that most options were actually stopped by virtue of its composition rule, which required at least two character types (and it is apparent it did not block dictionary words if presented in mixed case – eg, using ‘Football’ was accepted). None of the sites was able to prevent the ‘extreme’ test case of ‘Dictionary1’.

A notable observation in this run of the study was that only Reddit offered any form of password meter at sign-up (and even then, it would still accept passwords that the meter had rated minimally low). As previously observed in Figure 1, Twitter offered strength ratings at change and reset stages (as did Facebook), but overall there were few examples of any password rating/scoring throughout the trial. This is in rather marked contrast to the earlier rounds, where the use of meters or ratings had been far more prominent. For example, four of the 10 sites used them at sign-up in the 2014 study and seven did so in 2011. Indeed, this means that some sites that once offered such feedback at sign-up no longer do so, with Facebook, Google and Twitter all falling into this bracket. This is perhaps surprising, given that earlier research has found that suitable meters can have a positive effect on password selection behaviours.[13]

An area in which some good provision is now being made is in relation to additional login protection (eg, via two-step or two-factor options).

As an example, Facebook (which otherwise looks quite mixed in terms of its provisions in Table 3) offers a host of additional protection options, as shown in Figure 3. Meanwhile, Amazon (which otherwise looks among the worst in the earlier table) does at least offer a tangible two-step authentication option (see Figure 4).

Figure 3: Additional security options offered by Facebook.

Figure 4: Amazon’s two-step verification option.

Reset or recovery?

A final factor assessed throughout the series of studies is whether the ‘forgotten password’ feature works by offering password reset or recovery. The latter is less secure, insofar as, if compromised, it ends up revealing a password that might also be in use on other sites and services (given the well-known propensity for users to have the same password across multiple systems). Meanwhile, the genuine account holder may remain entirely unaware that their secret has now been compromised (unless they are specifically sent a notification that recovery has been used, via a channel the attacker does not control). By contrast, if password reset is offered, then an attacker is forced to change the password, thus alerting the legitimate user to a problem once he can no longer access the account himself.

While various sites can be found that persist in offering password recovery, it was not a practice among any of the 10 sites surveyed here. All offer reset rather than recovery, although differing in terms of the specifics of how they achieve it (eg, Wikipedia emails a temporary password, while all the others send a reset link or a one-time verification code). As such, this was at least one area in which good practice was seen to be uniform.

Discussion

With over a decade having passed since the original version of the study, it seems appropriate to reflect upon the differences between then and now. The first, fundamental observation is that despite all the on-going predictions of their impending demise, passwords remain dominant. In spite of this, the way in which they are offered and enforced still falls well short of what good practice would suggest.

To see how things have changed over the years, Figure 5 presents a comparison between the 2007 and 2018 versions of the study, tallying the number of sites that supported each type of restriction on each occasion. As can be seen, the only area that has notably improved is the proportion of sites that prevent the word ‘password’ being used (and even here a third of sites still allow it). Password length remains the most commonly enforced restriction, but even this is not universally enforced and (as shown in Table 3) the actual length requirements still vary. (For information, the average minimum length, across sites that enforced one, increased from 6 characters in 2007 to 6.33 in 2018.)

The other thing that has significantly improved is the number of sites offering some form of additional protection. This aspect was not assessed in 2007, but only three sites did so in 2011, rising to four in 2014. The fact that eight sites now offer something to supplement and strengthen authentication beyond the password alone is a tangible improvement.
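The difference between reset and recovery described under ‘Reset or recovery?’ comes down to what the site stores and what it sends. The following Python is an added example, not code from any of the sites assessed; the in-memory account store, the injectable clock and the outbox that stands in for e-mail delivery are constructed for the demonstration, and the PBKDF2 work factor is an assumed value.

```python
"""Password reset flow (what all ten sites offered) contrasted with recovery
(e-mailing the existing password).  Added illustration, not any site's code; the
in-memory store, injectable clock and outbox are constructed stand-ins and the
PBKDF2 work factor is an assumed value."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed demo work factor; tune for real hardware
TOKEN_TTL = 15 * 60       # reset links expire after 15 minutes


def hash_password(pw: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted, iterated hash: the store never holds anything it could mail back."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.users = {}      # email -> (salt, hash)
        self.tokens = {}     # sha256(token) -> (email, expiry); raw tokens are never stored
        self.outbox = []     # (email, message): stands in for e-mail delivery

    def register(self, email: str, pw: str) -> None:
        self.users[email] = hash_password(pw)

    def verify(self, email: str, pw: str) -> bool:
        if email not in self.users:
            return False
        salt, stored = self.users[email]
        return hmac.compare_digest(hash_password(pw, salt)[1], stored)

    def recover_password(self, email: str) -> str:
        # Recovery would mail the current password.  With only salted hashes on
        # file there is nothing to send; a site that can do this must be keeping
        # passwords in a reversible form, which is the weakness the article notes.
        raise NotImplementedError("only a hash is stored; there is no password to recover")

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a single-use, time-limited token (the secret part of the e-mailed link).
        The HTTP response would look identical for unknown addresses so the endpoint
        does not reveal which e-mails have accounts; the token is returned here only
        so the demo can complete the flow."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.tokens[key] = (email, self.now() + TOKEN_TTL)
        self.outbox.append((email, "password reset requested; link sent"))
        return token

    def complete_reset(self, token: str, new_pw: str) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(key, None)   # consumed on first presentation, valid or not
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.users[email] = hash_password(new_pw)
        # Always tell the account holder on the registered address: a reset they
        # did not ask for is the signal that something is wrong.
        self.outbox.append((email, "your password was changed"))
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.com", "old-secret")       # constructed account
    token = store.request_reset("alice@example.com")
    print("reset completed:", store.complete_reset(token, "new-secret"))
    print("old password still works:", store.verify("alice@example.com", "old-secret"))
    print("outbox:", store.outbox)
```

Hashing the token before storing it means a leaked database row cannot be turned into a working reset link, popping the entry on first use closes the replay window, and the unconditional change notification is what turns an attacker-initiated reset into something the legitimate user notices, which is the property the article credits reset with over recovery.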


However, while the vast majority of sites offer something, none of them explicitly flag this option at sign-up. As such, it would seem reasonable to assume that many users will not use the features and many will remain entirely unaware of them. Indeed, evidence presented earlier this year suggested that less than 10% of registered Google users have enabled two-factor authentication, despite the option having been available to them for seven years.[14]

Figure 5: Total sites enforcing different restrictions in the 2007 and 2018 studies.

Overall, however, the feature that remains fundamentally lacking is clear upfront guidance and support for users. While some sites (indeed some readers) may dismiss this in the belief that users would simply ignore it anyway, other results have demonstrated clear improvements from the mere presence of appropriate guidance at the point of password selection, with the addition of feedback yielding further improvements. Indeed, in one of our other studies, we observed that the proportion of weak-rated passwords dropped from 75% to 35% simply by making guidance and feedback available (ie, without any actual enforcement of password restrictions at all).[15] As such, the fact that it remains entirely absent from many sites is curious and potentially suggests that their priorities lie elsewhere – eg, signing-up users with as few obstacles as possible, rather than putting them off by thinking about security. Of course, the resulting usability must be a consideration, but prior research has suggested that this does not have to come at the expense of password strength, and ensuring that the user receives appropriate guidance is ultimately an aid to usability anyway.[16]

Conclusions

With over 10 years between the studies, it is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has been written about the failings of passwords and the ways in which we use them, yet little is done to encourage or oblige us to follow the right path.

To be clear, this article is not intended as a defence of passwords. They are inadequate for most modern requirements and their shelf life is increasingly limited. Even if we get people to use them better, events such as the recent Twitter breach will render their protection worthless unless combined with further steps or factors. The basic argument here – as with the earlier versions of the study and the others referenced – is for provision of user-facing security to be matched with accompanying support. Passwords are a good example because we know that many people are poor at using them. And yet the lesson continues to go unheeded and we continue to criticise the method and blame the users instead.

The increased availability of two-step verification and two-factor authentication options is positive, not least because of the numerous instances of passwords getting compromised en masse on the provider side. However, users arguably require more encouragement – or indeed obligation – to use them. Otherwise, like passwords themselves, they will offer the potential for protection, while falling short of doing so in practice.

About the author

Prof Steven Furnell is a professor of information security and leads the Centre for Security, Communications & Network Research at Plymouth University. He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 290 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Furnell is the current chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education and human aspects of security. He is also a board member of the Institute of Information Security Professionals and chairs the academic partnership committee and southwest branch.

References

1. Ranger, S. ‘Windows 10: We’re going to kill off passwords and here’s how, says Microsoft’. ZDNet, 2 May 2018. Accessed Jun 2018. www.zdnet.com/article/windows-10-were-going-to-kill-off-passwords-and-heres-how-says-microsoft/.
2. Thurber, A. ‘Burying Weak P@$$vv0rd$ Once and For All’. Inside BlackBerry, 2 May 2018. Accessed 4 Jun 2018. http://blogs.blackberry.com/category/new-blackberry/news/.
3. Agrawal, P. ‘Keeping your account secure’. Twitter blog, 3 May 2018. Accessed Jun 2018. https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html.
4. Best, J. ‘Gates: The password is dead’. ZDNet, 16 Nov 2004. Accessed Jun 2018. www.zdnet.com/article/gates-the-password-is-dead/.

12 Computer Fraud & Security July 2018 FEATURE

2018. www.zdnet.com/article/gates- & Security, Dec 2011, pp.10-18. L; Christin, N; Cranor, LF. ‘How the-password-is-dead/. Accessed Jun 2018. www.scien- Does Your Password Measure Up? 5. ‘Lenovo, Nok Nok Labs, PayPal, cedirect.com/science/article/pii/ The Effect of Strength Meters on and Validity Lead an Open Industry S1361372311701233. Password Creation’. Proceedings of the Alliance to Revolutionize Online 9. Furnell, S. ‘Password practices 21st USENIX conference on Security Authentication’. FIDO Alliance, press on leading websites – revisited’. symposium, USENIX Association release, 12 Feb 2013. Accessed Jun Computer Fraud & Security, Dec Berkeley, CA, 8-10 Aug 2012. 2018. https://fidoalliance.org/lenovo- 2014, pp.5-11. Accessed Jun 2018. 14. Thomson, I. ‘Who’s using 2FA? nok-nok-labs-paypal-and-validity- www.sciencedirect.com/science/arti- Sweet FA. Less than 10% of Gmail lead-an-open-industry-alliance-to- cle/pii/S136137231470555X. users enable two-factor authentica- revolutionize-online-authentication. 10. ‘About account security’. Twitter tion’. The Register, 17 Jan 2018. 6. ‘FIDO Alliance and W3C Achieve Help Centre. Accessed Jun 2018. Accessed Jun 2018. www.theregister. Major Standards Milestone in Global https://help.twitter.com/en/safety- co.uk/2018/01/17/no_one_uses_two_ Effort Towards Simpler, Stronger and-security/account-security-tips. factor_authentication/. Authentication on the Web’. FIDO, 11. Komanduri, S; Shay, R; Kelley, PG; 15. Furnell, S; Khern-am-nuai, W; press release, 10 Apr 2018. Accessed Mazurek, ML; Bauer, L; Christin, Esmael, R; Yang, W; Li, N. Jun 2018. https://fidoalliance.org/ N; Cranor, LF; Serge, E. ‘Of pass- ‘Enhancing security behaviour by fido-alliance-and-w3c-achieve-major- words and people: measuring the supporting the user’. Computers standards-milestone-in-global-effort- effect of password-composition & Security, Vol.75, pp.1-9, 2018. towards-simpler-stronger-authentica- policies’. 
Proceedings of the SIGCHI Accessed Jun 2018. www.scien- tion-on-the-web/. Conference on Human Factors in cedirect.com/science/article/pii/ 7. Furnell, S. ‘An assessment of web- Computing Systems’. 7-12 May S0167404818300385. site password practices’. Computers 2011, Vancouver, BC, Canada. 16. Shay, R; Komanduri, S; Durity, AL; & Security, vol.26, nos.7-8, 2007, 12. ‘Worst Passwords of 2017 – Top Huh, P; Mazurek, ML; Segreti, SM; pp.445-451. Accessed Jun 2018. 100’. SplashData. Accessed Jun 2018. Ur, B; Bauer, L; Christin, N; Cranor, www.sciencedirect.com/science/arti- www.teamsid.com/worst-passwords- LF. ‘Designing Password Policies cle/pii/S0167404807001083. 2017-full-list/. for Strength and Usability’. ACM 8. Furnell, S. ‘Assessing password 13. Ur, B; Kelley, PG; Komanduri, S; Transactions on Information and guidance and enforcement on lead- Lee, J; Maass, M; Mazurek, ML; Systems Security, Vol.18 Issue 4, ing websites’. Computer Fraud Passaro, T; Shay, R; Vidas, T; Bauer, May 2016. The role of crypto- currency in cybercrime Aaron Higbee, Cofense

The first crypto-currency appeared in 2009 when Bitcoin was born. Since then, numerous others have entered the market. The market for crypto-currencies has been incredibly volatile and, at its peak in 2017, one bitcoin was worth over $11,200, although it is now suffering from sustained losses in 2018.1,2 These peaks and troughs have made crypto-currency value a popular media topic and hackers too have taken notice.

For example: hackers take control of a victim's devices to mine digital currency, ransomware attacks now demand payment in crypto-currency, and the topic of crypto-currency can be used in a phishing attack. Undoubtedly, crypto-currency is transforming cybercrime. It's a method of making money, a preferred payment option and, in some cases, a lure for phishing scams.

Mining applications

Crypto-currencies log the history of transactions on a distributed ledger. This process is called mining and requires masses of computing power. In return, miners are paid in crypto-currency. To generate this sort of computer power, hackers are looking to botnets – a network of infected computers under a hacker's control – to log transactions and 'mine'. The ability to command machines for mining is achieved through phishing emails sharing a compromised link


that directs users to a website domain that allows hackers to run a short script designed to begin the mining. The Monero crypto-currency has been the most popular currency associated with this type of hack, as it uses calculations that can run on normal computing devices, rather than the specialised applications that are used for other crypto-currencies such as Bitcoin.

Hackers have also added mining plugins to websites to take control of people's devices and mine valuable crypto-currencies. Coinhive, for example, is a popular mining application which many hackers have been able to install on victims' devices without permission, using up their battery and compute power. What's more, this hack is not limited to laptops or computers; hackers are increasingly targeting victims' mobile phones. For instance, Android apps available on Google Play were found encoded with malicious mining capabilities. In these cases, the JavaScript runs code making this process invisible to the user. While mobile phone hacks generate much less profit compared to computer devices, both types of device are vulnerable to hacking.

There has been some effort to protect against mining malware. Google added specific protections in its web browser, Google Chrome, while anti-virus firms have updated software to detect and disable unauthorised mining applications. The main mining application, Coinhive, has also put measures in place to ask users for their permission to mine, protecting against hackers.

Figure: Reporting rates for phishing attempts have risen over the past few years, reducing organisations' susceptibility to these attacks. Source: Cofense.

Figure: Reporting rates have increased while susceptibility rates have decreased, leading to greater resiliency. Source: Cofense.

Ransomware payments

Last year, 54% of UK companies experienced ransomware attacks.3 These often begin with a phishing attack that convinces a user to open a compromised email and click on a malicious link, granting the hacker access to the network. Once inside the network, the attackers can siphon information, encrypt it and demand a ransom for its decryption. In some cases, the ransom is demanded in crypto-currency.

Last year's WannaCry attack was the largest ransomware attack in history, affecting Windows systems all over the world, including many used by the NHS. The hackers behind the NHS attack demanded ransom payments in the form of bitcoins. Since then, other ransomware attacks have demanded ransom to be paid in crypto-currencies and some hackers have offered victims the choice to negotiate the ransom value.

Where hackers once demanded payments via Western Union or PayPal, crypto-currencies have transformed the field. One likely reason for this shift is the anonymity of using crypto-currency; payments are untraceable as they do not link back to bank accounts or addresses. This allows hackers to cover up their steps, making it easier for them to repeatedly get away with these types of attacks. To collect the ransoms paid in crypto-currency, some hackers have gone as far as to create a QR code that contains a Bitcoin wallet address. The Sage ransomware attack, which occurred in 2017, used this technique, presenting an interactive ransom note to victims with a QR code. After several collections from separate wallets, hackers can transfer all their crypto-currencies into one large wallet and reap their reward.

People now debate whether untraceable crypto-currency is causing ransomware attacks to increase. Other security breaches such as trojans, where bank details are stolen, are more traceable due to the evidence in the transaction history. Therefore, such attacks hold more risk.

However, the future of using crypto-currency in ransoms isn't certain. For example, as the value continues to fluctuate, it will be difficult for hackers to know the amount they are demanding from victims. Potentially, values will vary too much to make it worth hackers' while, or be so unfeasible in price that ransoms wouldn't be paid. This is perhaps why the Scarab ransomware allowed victims to negotiate the amount of bitcoin they


paid. The change in Bitcoin's market price is also changing the debate around the crypto-currency's role in cybercrime, which could leave a space for other digital currencies to fill.

Phishing lures

There are a number of reasons why a hacker would launch a phishing attack, from siphoning off information, turning a victim's computer into part of a botnet, or using it as an access point to dwell within a network. The most effective way of getting victims to click is through an email that is targeted or topical. In the world of crypto-currency, imagine an email discussing Bitcoin's fluctuating value. Internet users trading Bitcoin might be intrigued enough to open the email and click on the link. This would enable the hacker to penetrate the network.

More recently, news outlets have reported on a particular Monero mining software that runs in a browser. The site most commonly associated with this behaviour is the aforementioned Coinhive. The level of exploitation is such that recently CheckPoint Software said that Coinhive miners were their 'most wanted' malware, with some 55% of their customers exposed to one or more crypto-currency mining malware families.

We know from experience that many email recipients, even if they believe an email is likely to be a phish, will still click on it simply because they are curious. Many believe that if it is a phish, they will be smart enough to recognise it once they see the page and 'not fall for it'.

The trend now is to embed the miner into more traditional credential-phishing sites, where an email lures you to a fake website designed to steal the user ID and password to an online service, email system or financial institution. When this approach is used, popular browsers launch instances of themselves which are hidden from the user, allowing coin-mining to continue in the background, even if the user has closed all the browser windows he or she can see.

An evaluation of dozens of phishing sites that launch 'in the browser' crypto-miners, including those that phishers place on already compromised servers, has so far found that they have all been linked to Coinhive. While there may be legitimate reasons why a company might want its idle machines to mine for Monero, surely most businesses would rather not have their machines used to enrich strangers.

A simple fix is to block all access to 'coin-hive.com' or 'coinhive.com' from your network – access that shouldn't be needed for employees' day-to-day work. Be aware that if these URLs are blocked, some JavaScript will load the session from an alternatively named domain. Network administrators might consider observing traffic immediately after rejecting traffic to Coinhive, just to be extra cautious. There are other browser-based mining scripts, but Coinhive is the site most actively exploited. Many anti-virus products also provide protection from this class of 'probably unwanted programs' and there are even browser plugins, such as 'No Coin', that claim to offer protection.

Building resiliency

While the crypto-currency market can be unpredictable, as long as there is money to be made, hackers will be after it. Building resiliency to any attack often comes down to protecting against phishing emails. If people can spot a suspicious email, they can stop hackers in their tracks.

With phishing attacks up 65% worldwide, a strong defence is critical.4 Businesses are in a perfect position to help employees spot phishing attacks seeking to deliver ransomware. Phishing simulations are the most successful way to do this. They condition users to recognise and report fraudulent emails and the more users report suspicious emails, the less susceptible they become to attacks. In 2017, reporting rates were up more than 4% annually, with susceptibility rates dropping 2%.

It is also important to educate users about the phishing emails making the rounds. If they're given the most up-to-date intelligence on what to look for, employees can help IT teams catch malicious emails. IT, in turn, can more effectively respond to security threats and expel hackers from the network if employees supply real-time intelligence.

Remember, even when facing newer threats fuelled by crypto-currency, it takes more than technology to defeat the hackers. You need vigilant humans, too.

About the author

Aaron Higbee is the co-founder and CTO of Cofense (formerly PhishMe), directing all aspects of development and research that drives the feature set of this solution. The Cofense method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Higbee co-founded with Rohyt Belani in 2007.

References

1. Desai, Neera. 'Locky-Like Campaign Demonstrates Recent Evolving Trends in Ransomware'. Cofense, 7 Dec 2017. Accessed May 2018. https://cofense.com/locky-like-campaign-demonstrates-recent-evolving-trends-ransomware/.
2. Bovaird, Charles. 'Crypto market down nearly 40% from all-time high'. Forbes, 14 Sep 2017. Accessed May 2018. www.forbes.com/sites/cbovaird/2017/09/14/crypto-market-down-nearly-40-from-all-time-high/#1f9a3ae97c74.
3. 'Presenting: Malwarebytes Labs 2017 State of Malware Report'. Malwarebytes Labs, 25 Jan 2018. Accessed May 2018. https://blog.malwarebytes.com/malwarebytes-news/2018/01/presenting-malwarebytes-labs-2017-state-of-malware-report/.
4. 'Enterprise phishing resiliency and defense report 2017'. Cofense. Accessed May 2018. https://cofense.com/whitepaper/enterprise-phishing-resiliency-and-defense-report/.
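The blocking and follow-up monitoring the article recommends (refuse traffic to the two Coinhive domains, then watch what the same clients reach for immediately afterwards, because the script may reload from an alternatively named domain) can be rehearsed against proxy logs. The script below is an added example written for this page, not Cofense's or the author's code. It assumes a simple constructed log format of epoch seconds, client IP, method, URL and status; a block that takes effect at a chosen epoch; and a few constructed log lines in which the hosts cnhv.example.org and ws.example-pool.test are made up to stand in for the renamed domain the article warns about.

```python
"""Spot clients reaching Coinhive in proxy logs, then flag the new hosts
those clients contact right after the block goes in (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Domains the article recommends blocking, spelled as it gives them.
BLOCKED_DOMAINS = ("coinhive.com", "coin-hive.com")

# Assumed proxy log format (constructed for this example, not a real
# product's format): "<epoch-seconds> <client-ip> <method> <url> <status>".
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample lines, in chronological order. The block is assumed to
# take effect at BLOCK_EPOCH; later entries show the proxy refusing the
# Coinhive fetches (403) and the same clients reaching for other hosts.
SAMPLE_LOG = """\
1528800000 10.0.0.5 GET https://coinhive.com/lib/coinhive.min.js 200
1528800001 10.0.0.5 GET https://news.example.com/article 200
1528800002 10.0.0.7 GET https://cdn.example.net/app.js 200
1528800060 10.0.0.5 GET https://coinhive.com/lib/coinhive.min.js 403
1528800061 10.0.0.5 GET https://cnhv.example.org/lib/miner.js 200
1528800062 10.0.0.7 GET https://cdn.example.net/app.js 200
1528800063 10.0.0.9 GET https://coin-hive.com/lib/coinhive.min.js 403
1528800064 10.0.0.9 GET wss://ws.example-pool.test/proxy 101
"""
BLOCK_EPOCH = 1528800030


def parse_line(line):
    """Return (epoch, client, host, status), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch, client, _method, url, status = m.groups()
    host = (urlparse(url).hostname or "").lower()
    return int(epoch), client, host, int(status)


def is_blocked_host(host):
    """True for the listed domains and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def coinhive_clients(log_text):
    """Clients that tried to reach the blocked domains, whether allowed or refused."""
    clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_blocked_host(rec[2]):
            clients.add(rec[1])
    return clients


def new_hosts_after_block(log_text, block_epoch, window_seconds=300):
    """Hosts that a Coinhive-contacting client reaches within the window after
    the block and that nobody contacted before it. Returns {client: [hosts]}.
    Assumes the log is in chronological order."""
    suspects = coinhive_clients(log_text)
    seen_before = set()
    candidates = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        epoch, client, host, _status = rec
        if epoch < block_epoch:
            seen_before.add(host)
        elif (client in suspects
              and epoch <= block_epoch + window_seconds
              and not is_blocked_host(host)
              and host not in seen_before
              and host not in candidates[client]):
            candidates[client].append(host)
    return dict(candidates)


if __name__ == "__main__":
    print("clients that reached Coinhive:", sorted(coinhive_clients(SAMPLE_LOG)))
    for client, hosts in new_hosts_after_block(SAMPLE_LOG, BLOCK_EPOCH).items():
        print(f"{client} contacted new hosts after the block: {hosts}")
```

Anything the second function reports is a lead to investigate rather than proof of mining: a client may legitimately fetch a never-before-seen CDN host at the same moment, so the output is best fed to an analyst alongside the URL path and the response size.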

Critical infrastructure: understanding the threat

Steve Mansfield-Devine, editor, Computer Fraud & Security

With nation state cyber-meddling now an acknowledged problem, there's growing concern about the threats to critical national infrastructure (CNI) – everything from water treatment plants through electricity generation and distribution to air traffic control. The vulnerability of systems that underpin the functioning of society isn't exactly news to security specialists. But now politicians and the general public are waking up to the potential carnage that hackers could wreak. As Scott King, a senior director at Rapid7, explains in this interview, the threats are real, but not necessarily in the way people imagine.

Scott King is the senior director, security advisory services for Rapid7. He has over 20 years of professional work experience in the IT and cyber-security fields, with a strong focus on the energy sector. Most recently, he developed and ran a fortune 250 energy company's combined utility cyber-security programme. During this time, King chaired a cyber-security CISO collective of the nation's 14 largest electric utilities, acted as a board member for the American Gas Association's Cybersecurity Task Force, participated in the Edison Electric Institute's Cyber-security working group, and was a board member for EnergySec. He has been an advocate for building better cyber-security practices and approaches, including helping design multiple national critical infrastructure cyber-security incident response exercises for the Department of Homeland Security (DHS) and the North American Electric Reliability Corporation (NERC), advising the SANS Institute on building industrial control systems and cyber-security training, guiding multiple universities on their cyber-security bachelors/masters programmes, providing comment and guidance for federal and state cyber legislation, giving presentations to board members and board subcommittees, providing rate case testimony to public utility commissioners and giving dozens of talks on cyber-security at industry conferences and trade shows.

Just recently, Ciaran Martin, head of the UK's National Cyber Security Centre (NCSC), issued another warning about nation state attacks on the country's CNI and told a parliamentary committee that such attacks emanating from Russia and North Korea had increased significantly over the past two years.1 There has been a "consistent rise in the appetite for attack from Russia on critical sectors," he said. The same day, the NCSC announced that it would be working closer with company boards, providing them with a toolkit to help them better understand the threats.2

This followed an earlier advisory, in April, from the NCSC of a campaign underway to target CNI in the UK. "The targeting is focused on engineering and industrial control companies and has involved the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing," the alert said, adding that the attacks had been underway for a year.3

Reality check

The NCSC warnings are not isolated – security specialists have been saying for years that CNI targets are wide open to attack. In a recent report on industrial control system (ICS) security, Positive Technologies said that it had detected 175,632 Internet-connected ICS devices, with nearly half of them (42%) being in the US.4

But is the position as dire as it sounds? While the number of new vulnerabilities detected by Positive in 2017 was greater than the previous year – 197 compared to 115 – it was lower than in 2015 and the numbers could be viewed as being fairly consistent for the past five years. The kinds of vulnerabilities – information disclosure, remote code execution and even old favourites such as SQL injection and buffer overflows – have a familiar ring to them, suggesting that organisations running ICS are prone to the same security failings as any other organisation.

In fact, a problem we now face is that of too much general doom-saying and not enough attention on the specifics. It might be time for a reality check, says King.

"It's kind of like end-of-the-world prophecies," he says. "When they don't come true, the person who prophesied them is completely discredited. The same is true in the cyber-security space when we talk about massive threats and the world ending or having huge societal impact. The reality is that there are a considerable number of threats that face critical infrastructure worldwide. I do, however, believe that these threats are potentially being misconstrued in many regards and it's very helpful to focus on the different types of threat categories, because each of those threat categories has a different potential impact or a set of damages."

The threat actors are the usual suspects: criminals looking to make money through activities such as ransomware and distributed denial of service (DDoS) attacks; 'hacktivists' pursuing a cause or ideology, or just looking to make a name for themselves; and the most worrying of all – nation-state attackers. These, says King, "are the one that we read about in the news and everybody is terrified of," and their activities fall into two broad groups.

The first of these is to prepare the ground so that a cyber-attack can be used either to prepare for or be part of a broader campaign that might include 'kinetic' actions – that is, attacks involving military activities. The other group encompasses industrial espionage where attackers are interested in information that could benefit their nation's own industries.

"Every nation has the same interests and is probably doing the same things," says King. "They want to understand foreign energy strategies. So they have an interest in obtaining confidential and restricted information from, say, the US government around energy policy, or the largest energy producers or mining companies, or information about oil, natural gas and other consumable resources."

There's one more group to which we should be paying more attention, King believes, and that's insiders. There can be a significant impact on something like electricity networks just from people making mistakes. And then there are malicious insiders, perhaps in the pay of a foreign government, who are in a position to do harm.

Ukraine without power

Ukraine provides a case study for how cyber-attacks can have real-world impact. The country suffered two attacks against its electricity networks, the second coming almost exactly a year after the first.

In the first attack, in December 2015, an engineer at a control centre that manages the electricity grid for a large part of Western Ukraine witnessed unusual activity on a screen. Someone had taken control of the system and was clicking on buttons to trip circuit breakers and take sub-stations offline. The attacker logged out the engineer and changed his password. At the same time, there were attacks in progress against two other power stations. Some 30 sub-stations were taken offline and back-up power supplies disabled. Around 230,000 people were left without electricity for up to six hours. Even after power was restored there were problems. The attackers had overwritten firmware on serial-to-Ethernet converters, making some breakers impossible to control remotely.

A year later, around a fifth of Kiev was plunged into darkness. Hackers had targeted Supervisory Control and Data Acquisition (Scada) systems belonging to the nation's electricity grid. The blame was levelled at the group, which has carried out numerous hacking attacks against targets considered to be in conflict with the interests of the Russian Government.

The dangers

While many of the vulnerabilities threatening CNI firms are the same as for any organisation (albeit with some significant differences, as we'll see), what makes attacks against this sector especially concerning are the potential results. An attack in the cyber-realm can have kinetic consequences, such as the power going out across a whole region, as we witnessed in Ukraine in 2015 and 2016 (see box). And there are various ways of achieving this.

"You can hit the transformers that put the power from the generation environment on to the transmission grid," says King. "You could potentially hit the generator itself and cause a cascading blackout, as we've seen in certain situations where there's lots of load on the transmission grid – the other systems that produce power and are also put on the grid disconnect themselves to essentially save themselves from having an over-generation potential."

There are also less obvious ways of causing problems that could have long-term impact.

"One of the challenges specific to the power industry is that a lot of the components used to put power onto the grid have a long lead time to build," says King. "With things like transformers, you can't just buy one off the shelf. These are things that can take an extended period of time to obtain and cost a lot of money. Yet we've seen examples of how transformers and the like can be impacted, either through a natural disaster or through some type of cyber-attack. I can tell you that large, high-voltage switches don't respond well to constantly being flipped on and off, and when those types of things happen, you can cause an impact that can take a long time to recover from. If you extend those impacts out to multiple energy companies, multiple high-voltage transmissions, sub-stations and so on, you could potentially cause extended energy outages."

Well-resourced attackers

While there are many similarities between the attacks – and the attackers – that plague organisations generally and those specifically in the CNI sector, there are also some significant differences. CNI organisations have to put up with 'nuisance' hackers like any other business and hacktivists probably fall into this category. But they are also targeted by extremely well-resourced hacking groups, backed by the funds and capabilities of governments and their intelligence agencies.

"A methodology that you could assume would be employed in those situations is people building full-scale environments of their targets, whereby they're acquiring the same types of technologies, they're acquiring the same types of infrastructure to simulate the environment that they're going to target, so that when they do actually go after their intended target, they have a higher degree of success," says King. "They've practised and they know where the weaknesses are and they have back-up plans when things don't go according to plan. So that well-funded, highly motivated type of adversary is the bigger threat, because they have the means to map out their attack plans, and they can lay in wait and take as long as they need to ensure maximum success."

With this kind of attack, however, timing is everything, King believes. It's quite likely that these kinds of infiltration will be co-ordinated with other activities. "It will depend on the geopolitical situation whether they want to cause immediate damage because there's some type of war


situation, or if they want to lay in wait in case something happens, or so they can make threats."

The Stuxnet attack is a classic example.5 Generally attributed to US and Israeli intelligence, the Stuxnet malware was able to destroy centrifuges in Iran's nuclear processing plant, even though its networks were air-gapped, by taking control of Siemens programmable logic controllers (PLCs). It has been reported that the intelligence agencies built a replica of the Iranian facility using the same Siemens equipment in order to learn how to best attack it.

"I have to imagine that it was the same with the attacks that we saw in Ukraine, based on the sophistication," says King. "Whoever the perpetrator was, they had access to the same exact systems with the same model numbers and firmware versions and configurations that were targeted. How they obtained that information, we can only speculate. But it would seem as though there was a lot of inside knowledge. That's how I would do it. And when you're highly motivated and have a lot of funding to support one of these actions, you're going to want to ensure your success. They've got bosses, right? They don't want their bosses to get upset and fire them."

Source of vulnerabilities

One of the chief sources of vulnerabilities that has afflicted CNI organisations – and, arguably, companies in the energy sector in particular – has been the habit of connecting to the Internet systems that were never meant to be networked. Supervisory control and data acquisition (Scada) systems, for instance, that were built before the Internet took off have been hooked up, often to provide a link between operational technology (OT) and business IT. However, King feels there is at least some movement away from this kind of inadvertent exposure.

"Over the past decade, we have been reducing the number of industrial control systems that are directly connected to the Internet," he says. "Although, if you do some searching with Shodan, I think that shows there's still quite a bit of stuff out there, some of which large utilities know about, some of which they don't."6

There are some significant challenges to solving this issue of unwisely connected devices, says King.

"If you look at something like a turbine, these are manufactured so that they have multiple levels of controller identity. A large, gas-fired turbine is going to have two, three or four control modules for redundancy. Each of those control modules is going to be running the exact same firmware. So if there's a vulnerability on one, there's a vulnerability on all of them."

Another issue is that many of the devices, such as PLCs or embedded controllers, are not very sophisticated.

"They open and close things," says King. "They receive a signal; they take an action. Manufacturers have been putting modules in front of these very simplistic devices that allow them to be connected to an IP network. What happens more often than not is that the front-loading device has no authentication, so it's not validating who's accessing it. It doesn't have any protection around who can send a command."

If you can get on to that network, then you can flip those switches. This is a fundamental design problem, says King, although one that has been receiving some attention. Some manufacturers are starting to implement authentication systems.

"The problem, though, is that when a utility company buys a piece of hardware like this, it's a capital asset, and that capital asset has a depreciation cycle of five, 10, 15, even 20 years," says King. "So if a utility were to want to replace it specifically for cyber-security reasons, they're going to be losing money, because it hasn't fully depreciated yet. And the whole revenue model of utilities is based on capital assets and acquisition and depreciation of those assets over time, which helps them earn a rate of return on their investment. So if you look at it from a monetary perspective, it's a losing proposition."

Figure: Number of new vulnerabilities found in industrial control system components. Source: Positive Technologies.

Figure: Types of vulnerabilities in ICS components. Source: Positive Technologies.

Rip and replace

The simplistic nature of many of the devices involved means that there is no update or patching process. Improving the device means 'rip and replace' – taking out the old device and replacing it with a new one. And this isn't necessarily an option.

"For example, I've seen a peaker plant [a generation facility designed to come online at peak load times] that is running

embedded Windows XP,” says King. “You can’t just turn up with a new version of Windows and install it onto this embedded device that controls this power generator. You have to replace a whole unit – the control modules and so on – that hasn’t depreciated yet. Unless you are a very forward-thinking utility and you have an overwhelming cyber-security risk management concern, you’re not going to do that. Instead, you’re going to develop compensating controls for the known weaknesses of your environment. And then those insecure devices are going to be protected in some way that would prevent an adversary from getting access to the network that the devices live on.”

In other words, an organisation will acknowledge that it has a vulnerable infrastructure and attempt to wrap extra layers of protection around it.

“That is the only thing that utilities and critical infrastructure providers can do at this point,” says King.

Managing risk

All organisations struggle with identifying, analysing and quantifying risk. So are companies in, for instance, the energy sector really on top of where their vulnerabilities lie?

“Yes and no,” says King. “Larger utilities that have a heavy regulatory oversight from either NERC [North American Electric Reliability Corporation] through its CIP [Critical Infrastructure Protection] standards in the US and parts of Canada, are doing a much better job of managing risks that they know about.[7,8] But there are still a number of risks that they have not assessed at a detailed level. For example, utility companies use a lot of radio frequency (RF)-based communications, and a lot of that RF communication is not encrypted, it can be intercepted and potentially manipulated in transit. That’s something that I don’t hear a whole lot of people talking about. There are distribution environments that rely on insecure radio technology to transmit command and control signals from central control centres to substations and field distribution units. Not something we’re talking about today.”

In some cases, reckons King, areas of potential vulnerability are being ignored simply because they’re so complex and costly to manage. Acknowledging the risk might create greater liability for the organisation and so the approach is to ignore it until caught – a form of security through obscurity.

Triton ups the ante

Many specialists concerned with the security of critical national infrastructure believe that a recent malware attack on a facility in the Middle East upped the stakes. Dubbed ‘Triton’, the malware was the first recorded instance of attackers specifically targeting a safety instrumented system (SIS). https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

According to FireEye, whose Mandiant division was called in to analyse and remediate the incident: “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”

The attack, widely attributed to an unnamed nation state, compromised a Schneider Electric Triconex safety system. Like other SIS solutions, these systems are used to shut down operations and protect machinery, systems and people when dangerous conditions are encountered. Disabling an SIS solution could be a precursor to a larger attack by ensuring that critical systems are unable to protect themselves. Or attackers could manipulate SIS solutions to shut down operations, as a form of denial of service.

According to Schneider, attackers appear to have tried to implant a remote access trojan (RAT) in the affected system. [https://www.youtube.com/watch?v=f09E75bWvkk&feature=youtu.be] By exploiting the credentials of one of the plant’s engineers, it seems the attackers were able to gain access to engineering stations on the operational technology (OT) side of the organisation via Remote Desktop Protocol (RDP) connections. This effectively bypassed the firewall between IT and OT systems.

The initial stage of the malware used Schneider TriStation protocols, which allow serial-over-Ethernet access to SIS devices, in part to allow the downloading of firmware. The SIS devices are protected by a physical lock and any downloaded code is stored in a user area that is not persistent. However, the attackers exploited what Schneider has referred to as a ‘zero day’ flaw that allowed them to escalate privileges, gaining write permissions regardless of the key switch position. This resulted in the malware’s payload being written to RAM. Although this isn’t persistent memory, SIS devices are rarely turned off. It was only a mistake by the attackers that led to the intrusion being detected.
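The intrusion path described in the Triton box (RDP from the IT side into OT engineering stations, then TriStation traffic towards the safety controllers) can be expressed as two simple network-flow rules. The following is an added example, not code from the article or from Schneider or FireEye; the addresses are constructed, and the TriStation port (UDP 1502) is an assumption made here rather than something the article states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed network layout (hypothetical; not the plant from the article).
IT_NET = ip_network("10.1.0.0/16")                                     # corporate IT side of the IT/OT firewall
OT_ENG_STATIONS = {ip_address("10.2.0.10"), ip_address("10.2.0.11")}   # approved OT engineering stations
SIS_CONTROLLERS = {ip_address("10.3.0.50")}                            # Triconex-class safety controllers
RDP_PORT = 3389
TRISTATION_PORT = 1502   # assumption: TriStation over UDP/1502


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def classify(flow: Flow) -> Optional[str]:
    """Return an alert name when a flow matches the Triton-style intrusion path, else None."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Rule 1: RDP into an OT engineering station from the IT network.
    # This is the step the article describes (stolen engineer credentials, RDP across the firewall).
    if flow.proto == "tcp" and flow.dport == RDP_PORT and dst in OT_ENG_STATIONS and src in IT_NET:
        return "it-to-ot-rdp"
    # Rule 2: TriStation traffic to a safety controller from any host other than an approved
    # engineering station. Note this would NOT fire for Triton itself, where the protocol was
    # driven from a compromised but legitimate engineering station; rule 1 is the one that matters there.
    if flow.proto == "udp" and flow.dport == TRISTATION_PORT and dst in SIS_CONTROLLERS \
            and src not in OT_ENG_STATIONS:
        return "unexpected-tristation-client"
    return None


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, alert) pairs for every flow that triggers a rule."""
    hits = []
    for flow in flows:
        alert = classify(flow)
        if alert is not None:
            hits.append((flow, alert))
    return hits


# Constructed sample flows: one benign engineering session and two that should alert.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.3.0.50", "udp", 1502),   # approved engineering station talks TriStation
    Flow("10.1.5.23", "10.2.0.10", "tcp", 3389),   # IT workstation opens RDP to an OT engineering station
    Flow("10.1.5.23", "10.3.0.50", "udp", 1502),   # IT host speaks TriStation directly to the SIS
]

if __name__ == "__main__":
    for flow, alert in scan(SAMPLE_FLOWS):
        print(f"{alert}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```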


Ramping up

While CNI organisations are changing to deal with the threats, attackers are also evolving, as seen in a recent incident that many people believe to be game-changing – the so-called Triton malware (see box). So does King think this was a significant moment?

“I do,” he says. “The malware went after a safety system. That is not something we’ve seen before. A lot of control systems – not from a security perspective but just from an overall reliability perspective – rely on safety systems and redundant systems. What is really interesting about the Triton malware is that it went specifically after the safety system. In a full-scale attack, that’s exactly what I would do. I would impact the redundant system first before I went in and hit my actual target. If I was going to target a generator, I would want to understand all of the layers and levels of redundancy for that particular type of generation facility. I would want to target those redundant systems and safety systems that would give the operators an indication that something bad was about to happen or was happening, and only then would I actually cause the real damage. If you take the safety and the redundant systems offline, then the real damage is actually going to cause a pretty significant impact that can’t be recovered from easily.”

Attackers are showing that they now have a deeper understanding of how systems are built and the protections in place. “They want to cause a much larger and longer-lasting impact through attacking all relevant systems,” he says. “But where that methodology breaks down is that there are quite a number of redundant systems that are completely manual fail-safes. The gas industry is a prime example. There is a ton of manual systems that are not IP connected, that have no on/off switch that can be controlled remotely. They’re just very, very simplistic. If a gas line has an over-pressurisation situation, there are redundant systems that will shut the valve down without receiving any kind of control to do so. It’s just pre-set-up, and it’s based on mechanics, not technology.”

Nevertheless, he adds: “Triton definitely takes the level of sophistication up a notch and shows that adversaries are more knowledgeable about safeguards that are being implemented within industrial control systems.”

About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security.

References

1. ‘Threat of cyber-attack from Russia has intensified, British MPs told’. The National, 26 Jun 2018. Accessed Jun 2018. www.thenational.ae/world/threat-of-cyber-attack-from-russia-has-intensified-british-mps-told-1.744200.
2. ‘NCSC to work with boards to better prepare businesses for cyber incidents’. National Cyber Security Centre, 26 Jun 2018. Accessed Jun 2018. https://www.ncsc.gov.uk/news/ncsc-work-boards-better-prepare-businesses-cyber-incidents.
3. ‘Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies’. National Cyber Security Centre, 5 Apr 2018. Accessed Jun 2018. https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control.
4. ‘ICS Security: 2017 in Review’. Positive Technologies. Accessed Jun 2018. www.ptsecurity.com/upload/corporate/ww-en/analytics/ICS-Security-2017-eng.pdf.
5. ‘Stuxnet’. Wikipedia. Accessed Jun 2018. https://en.wikipedia.org/wiki/Stuxnet.
6. Shodan, home page. Accessed Jun 2018. www.shodan.io.
7. North American Electric Reliability Corporation (NERC), home page. Accessed Jun 2018. www.nerc.com.
8. ‘CIP Standards’. NERC. Accessed Jun 2018. www.nerc.com/pa/Stand/Pages/CIPStandards.aspx.

EVENTS

1–3 August 2018: IEEE International Workshop on Cloud Security and Forensics, New York, NY, US. http://bit.ly/2JuhQq7
4–9 August 2018: Black Hat USA, Las Vegas, US. www.blackhat.com
9–12 August 2018: Def Con, Las Vegas, US. www.defcon.org
20–24 August 2018: Hack In The Box GSEC, Singapore. https://gsec.hitb.org/
21–22 August 2018: Artificial Intelligence, Robotics & IoT, Paris, France. http://bit.ly/2HV6v55
3–7 September 2018: European Symposium on Research in Computer Security, Barcelona, Spain. https://esorics2018.upc.edu
6–7 September 2018: GrrCON, Grand Rapids, Michigan, US. http://grrcon.com
9–12 September 2018: 21st Information Security Conference, London, UK. http://isc2018.sccs.surrey.ac.uk
10–16 September 2018: Toorcon, San Diego, US. https://sandiego.toorcon.net
12–14 September 2018: 44Con, London, UK. https://44con.com
