30,712 research outputs found
Applying Lessons from Cyber Attacks on Ukrainian Infrastructures to Secure Gateways onto the Industrial Internet of Things
Previous generations of safety-related industrial control systems were ‘air gapped’. In other words, process control
components including Programmable Logic Controllers (PLCs) and smart sensor/actuators were disconnected and
isolated from local or wide area networks. This provided a degree of protection; attackers needed physical access to
compromise control systems components. Over time this ‘air gap’ has gradually been eroded. Switches and
gateways have subsequently interfaced industrial protocols, including Profibus and Modbus, so that data can be
drawn from safety-related Operational Technology into enterprise information systems using TCP/IP. Senior
management uses these links to monitor production processes and inform strategic planning. The Industrial Internet
of Things represents another step in this evolution – enabling the coordination of physically distributed resources
from a centralized location. The growing range and sophistication of these interconnections create additional
security concerns for the operation and management of safety-critical systems. This paper uses lessons learned
from recent attacks on Ukrainian critical infrastructures to guide a forensic analysis of an IIoT switch. The intention
is to identify and mitigate vulnerabilities that would enable similar attacks to be replicated across Europe and North
America
The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election
In the world's largest-ever deployment of online voting, the iVote Internet
voting system was trusted for the return of 280,000 ballots in the 2015 state
election in New South Wales, Australia. During the election, we performed an
independent security analysis of parts of the live iVote system and uncovered
severe vulnerabilities that could be leveraged to manipulate votes, violate
ballot privacy, and subvert the verification mechanism. These vulnerabilities
do not seem to have been detected by the election authorities before we
disclosed them, despite a pre-election security review and despite the system
having run in a live state election for five days. One vulnerability, the
result of including analytics software from an insecure external server,
exposed some votes to complete compromise of privacy and integrity. At least
one parliamentary seat was decided by a margin much smaller than the number of
votes taken while the system was vulnerable. We also found protocol flaws,
including vote verification that was itself susceptible to manipulation. This
incident underscores the difficulty of conducting secure elections online and
carries lessons for voters, election officials, and the e-voting research
community
The changing nature of U.S. card payment fraud: industry and public policy options
As credit and debit card payments have become the primary payment instrument in retail transactions, awareness of identity theft and concerns over the safety of payments has increased. Traditional forms of card payment fraud are still an important threat, but fraud resulting from unauthorized access to payment data appears to be rising, and we are only beginning to get a sense of the dimensions of the problem. ; Thus far, the role of public policy has been to encourage the card payment industry to limit fraud by developing its own standards and procedures. Whether this policy stance is sufficient depends on the effectiveness of industry efforts to limit fraud in light of the dramatic shift toward card payments. ; Sullivan provides an overview of card payment fraud in the United States. He develops a preliminary estimate of the rate of U.S. card payment fraud and suggests that such fraud is higher than in several other countries for which data are available. The U.S. payment industry is taking steps to combat payment fraud, but progress has been slowed by conflicts of interest, inadequate incentives, and lack of coordination. Thus, policymakers should monitor the card payment industry to see if it better coordinates security efforts, and if not, consider actions to help overcome barriers to effective development of security.
Defending Against Firmware Cyber Attacks on Safety-Critical Systems
In the past, it was not possible to update the underlying software in many industrial control devices. Engineering
teams had to ‘rip and replace’ obsolete components. However, the ability to make firmware updates has provided
significant benefits to the companies who use Programmable Logic Controllers (PLCs), switches, gateways and
bridges as well as an array of smart sensor/actuators. These updates include security patches when vulnerabilities are
identified in existing devices; they can be distributed by physical media but are increasingly downloaded over
Internet connections. These mechanisms pose a growing threat to the cyber security of safety-critical applications,
which are illustrated by recent attacks on safety-related infrastructures across the Ukraine. Subsequent sections
explain how malware can be distributed within firmware updates. Even when attackers cannot reverse engineer the
code necessary to disguise their attack, they can undermine a device by forcing it into a constant upload cycle where
the firmware installation never terminates. In this paper, we present means of mitigating the risks of firmware attack
on safety-critical systems as part of wider initiatives to secure national critical infrastructures. Technical solutions,
including firmware hashing, must be augmented by organizational measures to secure the supply chain within
individual plants, across companies and throughout safety-related industries
Optimizing Anti-Phishing Solutions Based on User Awareness, Education and the Use of the Latest Web Security Solutions
Phishing has grown significantly in volume over the time, becoming the most usual web threat today. The present economic crisis is an added argument for the great increase in number of attempts to cheat internet users, both businesses and private ones. The present research is aimed at helping the IT environment get a more precise view over the phishing attacks in Romania; in order to achieve this goal we have designed an application able to retrieve and interpret phishing related data from five other trusted web sources and compile them into a meaningful and more targeted report. As a conclusion, besides making available regular reports, we underline the need for a higher degree of awareness related to this issue.Security, Phishing, Ev-SSL, Security Solutions
- …