
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Threats and vulnerabilities: KRACK attacks defeat Wi-Fi security on most devices

Threats and vulnerabilities: This bug let a researcher bypass GoDaddy’s site security tool

Malware: Hyatt Hotels hit by credit card data-stealing malware – again

Top stories: Microsoft Edge is the best browser for blocking phishing websites; Hacking a power grid in three (not-so-easy) steps

KRACK attacks defeat Wi-Fi security on most devices

Conventional wisdom has long held that locking down your router with the WPA2 encryption protocol would protect your data from snooping. That was true for a long time, but maybe not for much longer. A massive security disclosure details vulnerabilities in WPA2 that could let an attacker intercept all your precious data, and virtually every device with Wi-Fi is affected.

The vulnerability has been dubbed a Key Reinstallation Attack (KRACK) by discoverers Mathy Vanhoef and Frank Piessens of KU Leuven. It’s not specific to any particular piece of hardware or device: it’s a flaw in the WPA2 standard itself. KRACK bears some resemblance to standard “man in the middle” attacks by impersonating an existing network.

To exploit a network, attackers first clone the MAC address of the network and set up a duplicate of it on a different wireless channel. Devices connecting to the original can be forced onto the fake network. That would usually be impossible because of the non-matching AES encryption keys in WPA2, but KRACK leverages a flaw in the four-way handshake that confirms the match.

Normally, WPA2 keys require a unique encryption key for each network frame. The KRACK vulnerabilities allow the rogue network to reuse old keys and reset the counter to make them valid again. At that point, it becomes trivially easy to decrypt traffic coming from a device.

There are multiple variants of this attack. The most severe version affects all current Linux distros and all Android devices running 6.0 or higher. Apple’s macOS is vulnerable to almost as many variants, but Windows is only affected by one version of KRACK. The iOS platform doesn’t have the most severe vulnerability, but several others do work. According to the researchers, every operating system and piece of networking hardware is susceptible to at least one flavor of KRACK.

So, what can you do about this? Not a whole lot right now. The issue exists on virtually all devices, and it’s up to vendors to release patches. Some router makers have started deploying fixes for enterprise-grade hardware. Microsoft has released a patch for its limited vulnerabilities, too. A few distros have patches live, but it’ll take time for everyone to catch up.

Android devices are trickier. Google says it will have patches complete for existing devices in the coming weeks, but it’s up to individual OEMs to roll them out. Since it’s mostly newer phones that are affected, it shouldn’t be too much of a hassle. Any device with the November 2017 patch level or later will be protected.

Source: https://www.extremetech.com/internet/257518-krack-attacks-defeat-wifi-security-devices

Our perspective

The WPA2 security protocol protecting most Wi-Fi devices can be bypassed, potentially allowing any attacker to intercept every password, credit card number or critical data over the airwaves, if an attacker is part of the network. The problem lies in the very basic structure of the protocol, as a result of which changing the password of the Wi-Fi router would not be of much help. The threat of attack becomes more severe when client systems access and share data over the same network. Microsoft and Apple confirmed that they have patched their systems against these attacks. It is therefore advisable for administrators of Wi-Fi routers to upgrade firmware to the latest available from the OEM after assessing the risk of the changes made to the systems.
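The "reset the counter" behaviour described above, as an added toy model that is not code from the ExtremeTech article or the KU Leuven researchers: a supplicant that reinstalls an already-installed key on a replayed handshake message 3 restarts its per-frame nonce, so a later frame is encrypted with the same keystream as an earlier one; the patched variant ignores the reinstall and keeps the counter moving. The keystream derivation (SHA-256 over key and nonce) is a stand-in for CCMP, chosen only to make the reuse visible.

```python
import hashlib

# Constructed toy model of the WPA2 client (supplicant) key-install logic.
# Real CCMP uses AES with the packet number as nonce; the XOR keystream here
# only makes the consequence of a repeated (key, nonce) pair observable.

def frame_keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Per-frame keystream: identical (ptk, nonce) pairs give identical bytes."""
    block = hashlib.sha256(ptk + nonce.to_bytes(6, "big")).digest()
    while len(block) < length:
        block += hashlib.sha256(block).digest()
    return block[:length]


class Supplicant:
    """`patched=True` refuses to reinstall a key that is already in use,
    which is the mitigation vendors shipped for KRACK."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0          # packet number; must never repeat under one key
        self.reinstalls = 0     # how many replayed message 3s were seen

    def handle_message3(self, ptk: bytes) -> None:
        # Message 3 of the 4-way handshake delivers the key; it can be replayed.
        if self.ptk == ptk:
            self.reinstalls += 1
            if self.patched:
                return          # mitigation: ignore reinstall of an in-use key
        self.ptk = ptk
        self.nonce = 0          # (re)install resets the counter: the KRACK flaw

    def encrypt(self, plaintext: bytes):
        if self.ptk is None:
            raise RuntimeError("no key installed")
        self.nonce += 1
        ks = frame_keystream(self.ptk, self.nonce, len(plaintext))
        return self.nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def replay_message3(patched: bool) -> dict:
    """Install a key, send two frames, replay message 3, send a third frame.
    Reports the nonces used and whether frame 3 reused frame 1's keystream."""
    ptk = b"\x11" * 16          # constructed key material
    sup = Supplicant(patched)
    sup.handle_message3(ptk)
    n1, _ = sup.encrypt(b"first frame")
    n2, _ = sup.encrypt(b"second frame")
    sup.handle_message3(ptk)    # replayed message 3 (the KRACK trigger)
    n3, _ = sup.encrypt(b"third frame")
    reused = frame_keystream(ptk, n1, 11) == frame_keystream(ptk, n3, 11)
    return {"nonces": (n1, n2, n3), "keystream_reused": reused,
            "reinstalls": sup.reinstalls}


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", replay_message3(patched))
```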

This bug let a researcher bypass GoDaddy’s site security tool

A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.

The company's website application firewall (WAF), provided by Sucuri and acquired by GoDaddy earlier this year, protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.

But a security researcher told ZDNet that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes. That, he said, put sites at risk of data theft.

Touseef Gul was able to bypass the firewall with a relatively simple SQL injection string, which he showed to ZDNet but we're not publishing. SQL injection attacks can be launched from the web browser's address bar. If the attack is successful it will display a list of database tables on the website itself.

Where he was expecting to receive an "access denied" message, the firewall let the command through and returned a list of tables from the target website's database. He was also able to obtain the database's admin account and MD5 hashed password, which nowadays is easily crackable.

What surprised the researcher, he said, was how easy the firewall was to bypass.

He gave an example of part of the code he used. He said that while the firewall would block a common command used in SQL injections, such as "UNION SELECT," a modified, encoded version of the same command -- such as "UNION SELE%63T" (where %63 is an encoded "C") -- was not blocked by the filter.

For its part, GoDaddy said it patched the bug within a day of the security researcher's private disclosure to the company.

"In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF," said Daniel Cid, GoDaddy's vice-president of engineering.

"Within less than a day, our systems were able to pick up this attempt and put a stop to it," he said.

Cid said the company is "not aware of other customers" impacted by the bypass, but wouldn't say how many websites were at risk of the bypass technique.

Lesley Carhart, a digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.

"In a lot of ways web attacks are way harder to firewall than traffic in and out of a network," said Carhart. "You can deny almost everything at a network firewall or host firewall."

"Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls," she added.

Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla, she explained.

"In principle, it's a great move to add another layer of defense to sites, but it should never be mistaken for or implied to be a replacement for secure coding," she said.

Source: http://www.zdnet.com/article/security-bug-let--bypass-godaddy-site-firewall-tool/
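The signature-matching weakness in the article, as an added illustration that is not GoDaddy's or Sucuri's code: a blocklist check run on the raw request misses "UNION SELE%63T", while the same signature applied after bounded percent-decoding, case-folding and whitespace collapsing catches it (and the double-encoded "%2563" form, which goes beyond the article's single example). The sample request fragments are constructed.

```python
import re
from urllib.parse import unquote

# Constructed example of a blocklist-style WAF rule for "UNION SELECT".
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_waf_blocks(raw_query: str) -> bool:
    """Matches the signature against the request exactly as received."""
    return UNION_SELECT.search(raw_query) is not None


def normalise(raw_query: str, max_rounds: int = 3) -> str:
    """Percent-decode until the text stops changing (bounded, so a
    double-encoded %2563 -> %63 -> c is still caught), then fold case and
    collapse whitespace so the signature sees what the database would see."""
    text = raw_query
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"\s+", " ", text)
    return text.lower()


def hardened_waf_blocks(raw_query: str) -> bool:
    """Same signature, applied after normalisation."""
    return UNION_SELECT.search(normalise(raw_query)) is not None


# Constructed request fragments; the %63 form is the one the article quotes.
SAMPLES = {
    "plain": "id=1 UNION SELECT username,password FROM users",
    "url_encoded": "id=1 UNION SELE%63T username,password FROM users",
    "double_encoded": "id=1 UNION SELE%2563T username,password FROM users",
    "benign": "id=1&sort=name",
}


def compare(samples=SAMPLES) -> dict:
    """Returns {name: (naive_blocked, hardened_blocked)} for each sample."""
    return {name: (naive_waf_blocks(q), hardened_waf_blocks(q))
            for name, q in samples.items()}


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:15s} naive={verdict[0]!s:5s} hardened={verdict[1]}")
```

The decode depth should mirror what the protected application actually does with the parameter; normalising further than the backend decodes can produce false positives, and less far leaves exactly the gap the article describes.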

Hyatt Hotels hit by credit card data-stealing malware – again

Hackers have infected Hyatt Hotels' payment card systems with malware and have potentially stolen visitor names and credit card details for the second time in as many years.

In a statement, Hyatt Hotels Corporation president of operations Chuck Floyd said the company has "discovered signs of and then resolved unauthorized access to payment card information" from cards entered manually or swiped at the front desk of some Hyatt hotels between March 18, 2017 and July 2, 2017.

In total, 41 hotels are affected, almost half of which are in China. Irregular activity has also been detected in Hyatt hotels in Brazil, Colombia, Guam, India, Indonesia, Japan, Mexico, Puerto Rico, South Korea and Hawaii in the United States.

Upon discovering the unauthorized access, Hyatt launched an investigation alongside "third-party experts", payment card networks and the authorities. The investigation found that the data breach can be traced back to "an insertion of malicious software code from a third party onto certain hotel IT systems."

The company hasn't provided figures on the number of guests who have fallen victim to the credit card data thieves, only that it's a "small" number of them, but Hyatt says it has contacted all the guests who used the payment card systems at the infected hotels during the at-risk dates.

A Hyatt spokesperson told ZDNet its cyber security team discovered signs of suspicious activity in July, with customers being notified yesterday (12th October) following the conclusion of the investigation.

Hotel guests are advised to closely review their credit card statements regularly and report any unauthorized activity to their bank as soon as anything is noticed.

"This incident is something we take seriously, and we are sorry for the inconvenience and concern this may cause our guests," said Floyd.

The company says it has implemented additional security measures to strengthen the security of its systems and that "Customers can confidently use payment cards at Hyatt hotels worldwide".

It's the second time the hotel group has been hit with malware recently: last year, the hotel group revealed that almost half its properties had fallen victim to payment data stealing malware.

ZDNet contacted Hyatt Hotels for additional comment, but had not received a response as of the time of publication.

Source: http://www.zdnet.com/article/hyatt-hotels-hit-by-credit-card-data-stealing-malware-again/

Microsoft Edge is the best browser for blocking phishing websites

You may believe that Chrome is top dog for security – it was certainly the undisputed champion of browsers at Pwn2Own earlier this year – but Microsoft’s Edge has just been rated as the best browser for defending against phishing websites.

NSS Labs conducted the research in question over a period of 23 days, testing some 36,120 separate instances which involved accessing a total of 1,136 suspicious URLs across three major browsers: Chrome, Firefox and Edge. Edge dealt with the vast majority of these phishing sites and came top by a country mile, blocking no less than 92.3% of the dodgy links. Chrome was some distance behind on 74.6%, and Firefox was lagging at the rear on 61.1%.

Edge also came top of the tree when faced with new ‘zero-hour’ (i.e. freshly unleashed online) phishing threats, blocking 81.8% compared to 58.6% for Chrome, and 50.7% for Firefox.

Locked but not secure

Interestingly, NSS Labs further observed that a locked-down operating system didn’t make any meaningful difference when it came to phishing protection. In other words, during testing on different platforms, Windows 10 S didn’t perform any better than plain Windows 10 for Edge, and in the case of the Chrome browser, it didn’t do any better on a Chromebook (Chrome OS) compared to Windows 10.

This underlines the point that these locked-down systems are more about defending against rogue software. And of course, it highlights the fact that the browser’s ability to block phishing threats really is crucial (although it also helps, naturally enough, to have a user with a suitably canny disposition when it comes to evaluating links).

Obviously, this will be welcome news for Microsoft, particularly given that Edge came stone last in the Pwn2Own hacking event we mentioned at the outset of this story – so this is quite a security turnaround.

To compound things somewhat, Google’s Chrome browser also had some further bad news this week, with a fake Adblock Plus extension causing considerable havoc for many thousands of its users.

Source: http://www.techradar.com/news/microsoft-edge-is-the-best-browser-for-blocking-phishing-websites

Hacking a power grid in three (not-so-easy) steps

In 2017, it can sometimes seem like power grids are practically crawling with digital intruders. Over just the last four months, news has emerged that Russian hackers penetrated a nuclear power plant, that the same group may have had hands-on access to an American energy utility's control systems, that another group of Kremlin hackers used a new form of automated malware to induce a power outage in Ukraine—and now this week, that North Korean hackers breached an American energy utility.

Reading those headlines, you'd be forgiven for thinking that hacker-induced blackouts were a near-weekly occurrence, not a twice-ever-in-history event.

But as real as the threat of power-utility hacking may be, not every grid penetration calls for Defcon 1. Responding to them all with an equal sense of alarm is like conflating a street mugging with an intercontinental ballistic missile attack. What's publicly referred to as a "breach" of an energy utility could range from something barely more sophisticated than a typical malware infection to a nation-state-funded moonshot months or years in the making. Those incidents could also have vastly different consequences, from mere data theft to a potentially catastrophic infrastructure failure.

It's true that the last several years have seen a "stark spike" in hacking attempts on industrial control systems like power utilities, water, and manufacturing, says Rob Lee, a former NSA analyst who now runs the critical-infrastructure-focused security firm Dragos, Inc. But Lee says it's crucial to keep a sense of proportion: Of the hundreds of well-funded hacker groups that Dragos tracks globally, Lee says that roughly 50 have targeted companies with industrial control systems. Of those, Dragos has found only six or seven groups that have reached into companies' so-called "operations" network—the actual controls of physical infrastructure. And even among those cases, Lee says, only two such groups have been known to actually trigger real physical disruption: The , believed to be the NSA team that used the Stuxnet malware to destroy Iranian nuclear enrichment centrifuges, and the Sandworm team behind the blackouts in Ukraine…

So when news arises that hackers have merely "penetrated" an energy utility—as North Korean hackers recently did—receive it with those numbers in mind, and not with the assumption that the next or Sandworm has dropped. "This is a world where people can die," Lee says. "If we come out and say it’s a big deal, it should be a big deal."

To that end, here's WIRED's guide to the different gradations of grid hacking, to help you dial in your panic to the appropriate level for the power-grid penetrations to come. And there will be more.

Step one: Network breach

When government agencies or the press warn that hackers have compromised a power utility, in the vast majority of cases those intruders haven't penetrated the systems that control the flow of actual power, like circuit breakers, generators, and transformers. They're instead hacking into far more prosaic targets: corporate email accounts, browsers, and web servers.

Those penetrations, which typically start with spearphishing emails, or "watering hole" attacks that infect target users by hijacking a website they commonly visit, don't necessarily differ from traditional criminal or espionage-focused hacking. Most importantly, they don't generate the means of causing any physical damage or disruption. In some cases, the hackers may be performing reconnaissance for future attacks, but nonetheless don't get anywhere near the actual control systems that can tamper with electricity generation or transmission.

Earlier this week, for instance, a leaked report from security firm FireEye raised alarms when it revealed that North Korean hackers had targeted US energy facilities.


A followup report from security news site Cyberscoop asserted that at least one of those attempts successfully penetrated a US utility. But a subsequent FireEye blog post indicated that its analysts had only found evidence that the hackers had sent a series of spearphishing emails to its intended victims—a fairly routine hacking operation that doesn't appear to have come close to any sensitive control systems.

"We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power," FireEye's statement reads. "Furthermore, we have not uncovered evidence that North Korean-linked actors have access to any such capability at this time."

North Korea no doubt has ambitions to wield power over US grid systems, and the fact that they've taken the first step is significant. But for now those attacks—and any others that stop at the level of IT compromise—should be seen at worst as foreboding, rather than an imminent threat of hacker blackouts.

Step two: Operational access

Hackers poking around an energy firm's IT system should cause some concern. Hackers poking at operational technology systems, or what some security experts call OT, is a far more serious situation. When hackers penetrate OT, or gain so-called operational access, they've moved from the computer systems that exist in practically every modern corporation to the far more specialized and customized control systems for power equipment, a major step towards manipulating physical infrastructure.

In one recent hacking campaign, for instance, Symantec revealed that a group of hackers it named DragonFly 2.0—possibly the same Russian group reported earlier in the summer to have broken into a US nuclear facility—had gained operational access to a "handful" of US energy firms. The intruders had gone so far as to screenshot the so-called human-machine interfaces for power systems, likely so that they could study them, and prepare to start flipping actual switches to launch a full-on grid attack.

"Evidence of a phish attempt and probably infection is one step in a ladder," says Mike Assante, a power-grid security expert and instructor at the SANS Institute, a security-focused training organization. "Scrapes from an HMI is a few rungs up the access scale," Assante says, contrasting the recent North Korean phishing with the Dragonfly 2.0 attack.

In theory, OT systems are "air-gapped" from IT systems, with no network connections between the two. But with the exception of nuclear power plants, which strictly regulate their operational systems' disconnection from outside networks, that air-gap is often more permeable than it ought to be, says Galina Antova, a co-founder of the industrial control system security firm Claroty. She says that Claroty has never analyzed an industrial control facility's setup and not found a "trivial" way in to its OT systems. "Just by mapping the network, we can see the pathway from IT to OT," she says. "There are ways of getting in."

But Dragos' Lee counters that given the small proportion of hackers that actually do manage to cross that gap, it's hardly a trivial distinction. That's in part because while IT systems are somewhat standardized, OT systems are more customized and esoteric, making them far less familiar. "They can basically practice and train so that they can completely compromise IT networks," Lee says. "If they want to get to operations networks, it's going to be weird equipment and weird setups, and they're going to have to learn that."


Step three: Coordinated attack

Even when intruders have "hands-on-the-switches" access to grid control systems, Lee says, using that access effectively is far harder than it might seem. In fact, he argues that all actions ahead of flipping that switch are just a preparatory stage that represents only about 20 percent of the hackers' work.

Beyond the obscurity of whatever equipment setup a utility may have, Lee points out that its physical processes can require real expertise to manipulate, as well as months more effort and resources—not just opening a few circuit breakers to cause a blackout. Even after hackers gain access to those controls, "I can confidently say they’re still not at a stage to turn off the power," Lee says. "They could turn off some [circuit] breakers, but they’d have no understanding of the effect. They might be stopped by a safety system. They don’t know."

In the Ukrainian blackout of late 2015, the first-ever confirmed case of hackers causing a power outage, for instance, the intruders manually opened dozens of circuit breakers at three different facilities across the country, using remote access to electric distribution stations' control systems—in many cases by literally hijacking the mouse controls of the stations' operators. Analysts who responded to the attack believe it likely required months of planning and a team of dozens working in coordination. Even so, the blackout it caused lasted just six hours, for roughly a quarter-million Ukrainians.

Hackers essentially have to choose between the scope and duration of a blackout, Lee says. "If they wanted to do the full Eastern Interconnect, that’s exponentially more resources," he says, referring to the grid that covers nearly the full eastern half of the US. "And if they want to take it down for a full week, that’s an exponential of an exponential."

Some grid hackers do appear to be putting in the work to plan a wider, more disruptive operation. The second Ukrainian blackout attack used a piece of malware known as Crash Override, or Industroyer, capable of automating the process of sending sabotage commands to grid equipment, and built to be adapted to different countries' setups so that it could be deployed broadly across multiple targets.

That specimen of ultra-advanced grid hacking malware is troubling. But it's also extraordinarily rare. And there's a significant gap between a piece of Black Swan malware and the dozens of grid-penetration incidents that often amount to little more than spearphishing. No power grid breach is a good thing. But better to recognize the difference between a dress rehearsal and the main event—especially when there are more of those events on the horizon.

Source: https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps/

About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,23,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity. Please see www.pwc.com/structure for further details.

©2017 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan [email protected]

Amol Bhat [email protected]

All images in this presentation are protected by copyright, trademark, patent, trade secret and other intellectual property laws and treaties. Any unauthorised use of these images may violate such laws and shall be punishable under appropriate laws. Our sharing of this presentation along with such protected images with you does not authorise you to copy, republish, frame, link to, download, transmit, modify, adapt, create derivative works based on, rent, lease, loan, sell, assign, distribute, display, perform, license, sub- license or reverse engineer the images. In addition, you should desist from employing any data mining, robots or similar data and/or image gathering and extraction methods in connection with the presentation. © 2017 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

PK/October2017-10984