Tag Archives: Cybercrime

Hacking EirGrid: NCSC MiA, GCHQ Inertia, US Data Centres, & Creating Backdoors to UK/EU Grid

This post was first published by me on Peerlyst on 7th August 2017.

This hack took place last April (2017) but the details are only emerging now. Hackers compromised EirGrid’s routers at Vodafone’s Direct Internet Access (DIA) service at Shotton, Wales. The MITM “virtual wire tap” then intercepted unencrypted messages between EirGrid and SONI (EirGrid NI). Firmware and files were copied from the compromised router devices but there is no estimate as to the scale of the breach or the magnitude of the data that was stolen.

The Role of NCSC & GCHQ

An informed source has confirmed to AirGap Anonymity Collective that this hack was going on for some time before it was “detected” and before EirGrid were informed – that was already reported.

However, the same source is also of the opinion that the UK’s National Cyber Security Centre – part of GCHQ – instructed Vodafone not to tell EirGrid of the breach – while they tried to ascertain who the perpetrators were (understandable) but that this was for an unreasonably extended period of time.

The source is not clear on what portion of the estimated nine weeks of the hack overlapped with GCHQ’s attempts to identify the hackers.

Where was Ireland’s National Cyber Security Centre while all of this was going on?

The Irish National Cyber Security Centre (NCSC) & Computer Security Incident Response Team (CSIRT)

Formally established in 2015. Together with the (CSIRT), they have responsibility for Ireland’s national cyber security defences. They say:

“The global cybersecurity threat landscape continues to pose an immense challenge. As part of wider efforts to address these security threats, the Directive on Security of Network and Information Systems (NIS Directive) was approved in July 2016. Member States have until May 2018 to implement the NIS Directive, with both the NCSC and CSIRT playing a critical role in this regard.”

Seán Kyne – Minister of State for Community Development, Natural Resources & Digital Development – discussed the NCSC’s objectives, and offered his thoughts on the nature of the digital security threat to the public and private sector alike in a press conference last month.

INCSC

EirGrid & UK Energy Policy

The UK has become increasingly reliant on off-shore wind farms and it’s power needs are augmented by the purchase of power generated in the Irish Midlands. Irish supplied power is key to the UK meeting its projected 2020 energy needs. The Irish supply is seeking to generate circa 3GW for the UK market.

The Irish national grid is managed by a company called EirGrid. They took over the Irish national grid in 2006 from ESB (the Electricity Supply Board). They own all of the physical electricity transmission assets in the country (about 7000kms of cable (fact check)).

As such, they run a monopoly and nearly all of the large independent generators (Airtricity, Synergen (70% EirGrid) Viridian and others) connect to the transmission system and utilise it to transport their power to all regions and abroad. They also operate the wholesale power market and operate (and own) the 500 MW East–West Interconnector, linking the Irish power system to Great Britain’s grid.

Last month the operator was awarded over €20 million by the EU to fund research into the deployment of renewable energy. Ireland’s own target, set out by the European Union, is to secure 40% of its electricity from renewable sources by 2020.

“We won’t have enough renewable energy left over to export to the UK without completing some specific projects, such as the proposed Midlands development,” according to Fintan Slye (EirGrid CEO). “There are sufficient renewable projects in train to meet the 2020 targets, but it’ll still be challenging. There are 2,000MW connected across the island – we need to get that to over 4,000MW by 2020.”

The EU is also funding a France-Ireland power link (that bypasses the UK) via an undersea cable as an “obvious solution” to Ireland’s energy reliance on a post-Brexit United Kingdom.

Motives – All Those Data Centres in Ireland & A BackDoor to the EU/UK Grids 

IE DCs

Extract from EirGrid Group All-Island Generation Capacity Statement 2016-2025:

“2.2(d) Data Centres in IrelandA key driver for electricity demand in Ireland for the next number of years is the connection of large data centres.Whether connecting directly to the transmission system or to the distribution network, there is presently about 250 MVA of installed data centres in Ireland. Furthermore, there are connection offers in place (or in the connection process) for approximately a further 600 MVA. At present, there are enquires for another 1,100 MVA. This possibility of an additional 1700 MVA of demand is significant in the context of a system with a peak demand in 2014/15 of about 4700 MW (where it would add 35%). In forecasting future demand, we need to appreciate that data centres normally have a flat demand profile.”

Culprits

Lots but the most likely candidate for this hack is Russia – why? Because I cast lots, sacrificed a chicken, and got my Tarot cards read. And also …

Irish energy networks being targeted by hackers – Hackers have targeted Irish energy networks amid warnings over the potential impact of intensifying cyber attacks on crucial infrastructure. Senior engineers at the Electricity Supply Board (ESB), which supplies both Northern Ireland and the Republic, were sent personalised emails containing malicious software by a group linked to Russia’s GRU intelligence agency, reported.
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center, which distributes power to the region’s residents, operators too were nearing the end of their shift.
Ukraine power cut ‘was cyber-attack’ – BBC News – A power cut that hit part of the Ukrainian capital, Kiev, in December has been judged a cyber-attack by researchers investigating the incident. The blackout lasted just over an hour and started just before midnight on 17 December. The cyber-security company Information Systems Security Partners (ISSP) has linked the incident to a hack and blackout in 2015 that affected 225,000.
Hackers targeting UK energy grid, GCHQ warns – Hackers may have compromised Britain’s energy grid, GCHQ has said as it warned that cyber criminals are targeting the country’s energy sector. The security agency said industrial control systems may have already been the victim of attacks by nation state hackers.

 

ENDS

Welcome to the Jungle – Adolescent Hackers With Very Adult Problems

I won’t try to write about what those who are far better qualified * than me have already written ** or engage in debate about the pedigree of Marcus Hutchins ***. I am not a security researcher, I am not a hacker, I am not a programmer (anymore), and I am incredibly disinterested in trying to compete with far cleverer teenagers and young adults who would have me “pwned” in a matter of minutes.

The New Criminals

What many of the recently infamous hackers have in common, aside from being bright with little relevant experience which would make them capable of handling serious jail time, is that they do not know the way the world really works.

They seem to be unfamiliar with cause and effect. Many of them unknowingly thread the thin line between legality and illegality. In the evolving landscape of cyber-crime legislation what was quasi-legal and unregulated yesterday may be highly illegal tomorrow.

Most “security researchers” stay on the right side of the street but even in doing so they inevitably rub shoulders with those who are not. Something that aspiring researchers should remember is that “ignorance” is never a defence in a court of law. If and when someone chooses to wander across to the shadier side of the street (knowingly or unknowingly) they find themselves way out of their depth.

There is a very big gulf of reality between facing down a virtual opponent in a chatroom and eyeballing a professional interrogator in an “interview suite”. I have sat on both sides of that particular table, sometimes in places that the most intrepid backpacker wouldn’t consider going, and it is not a place that you want to be.

These are kids with very adult problems.

Dmitry Bogatov

Picture: Dmitry Bogatov

Welcome To The Jungle

Being a criminal or a member of an organized crime gang used to involve certain stages or rituals. It was a way of life sometimes forced on people as a result of their environment or poverty or family history or simply a conscious decision. Criminals are not always victims of circumstance.

For serious criminals it was an informed choice of sorts. It normally began with petty crime and graduated into more serious categories of crime as time passed. As the scale, sophistication, and seriousness of the crimes being committed grew so too did the tariff.

But the career criminal was more or less aware of this and the risk-return ratio. Also, to be effective in crime at the levels where it potentially attracted a forty year prison term, one had to have a network, contacts, tools, “pedigree”, and lots of other stuff. Not any more.

Jail sentences of these types for these hackers are not jail sentences, they are death sentences. Warming a concrete mattress in a concrete cage for twice as long as you have already been on the planet leaves these people with few choices.

They find themselves sharing space with men who have committed all sorts of crimes that actually involve leaving their mothers house. All of the lobbying and strongly worded letters from the Electronic Frontier Foundation, Amnesty International, family run crowd funding efforts, and emotional tweet storms will not help them when that door closes.

The phenomenon of the new criminals is highly contradictory. We now see fresh faced “deer in the headlights” types facing the sort of time that would make harder men cry for their mother.

Kimberly Crawley‍; 4th Aug 2017; “MalwareTechBlog and the Cybersecurity Community versus the FBI“; Peerlyst

** Kevin Beaumont; 5th Aug 2017; Regarding Marcus Hutchins aka MalwareTech; DoublePulsar

*** IPostYourInfo; 4th Aug 2017; The Marcus Hutchins I Knew; Medium

ENDS

Quick Reference Resource Introduction: WikiLeaks CIA Vault 7 Leaks

This series covers links to and analysis of each of the WikiLeaks CIA Vault 7 leaks including:

  1. The WikiLeaks pages;
  2. The associated CIA documents – Specification Documents, Systems Requirements, Installation Guides, User Guides, User Manuals, Test Plans, Tactics Documents, Slides and so on;
  3. Links to external references and sources including The Hacker News (Twitter @TheHackersNews), HackRead (Twitter @HackRead), and Pierluigi Paganini at “Security Affairs”; 
  4. Analysis by other third party publications of each leak;
  5. General comments, notes, and links added by AirGap Anonymity Collective as each leak and its previous deployment is more clearly understood;
  6. How these posts will evolve over time:
    1. The first post will be a generic description of each leak including 1-3 above; 
    2. Content will be added over time and date-stamped to include:
      1. Articles, external resources, and commentary that augment the knowledge base with respect to the basic content of each leak; 
      2. Advice on counter-measures / new research; 
      3. Analysis and examples of the subsequent deployment (in the original form or altered) of these hacking tools by cyber criminals, cyber terrorists, state actors, hackers, and others;
      4. Other information that does not emanate from generic or main stream media sources; 

These documents are marked with various security classifications. To understand what these classifications mean see Understanding NSA / INR Security Classifications on Intelligence Assessments;

Posts in this series to date:

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #14 – OutlawCountry;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #15 – BothanSpy & Gyrfalcon;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #16 – HighRise;

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #17 – Imperial: Achilles, SeaPea, & Aeris

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #18 – UCL / Raytheon

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #19 – Dumbo

Quick Reference Resource: WikiLeaks CIA Vault7 Leak #20 – CouchPotato

All third party content is explicitly acknowledged and content or imagery that has been altered or amended for ease of use is clearly marked.  

ENDS

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS

IBM Mainframe Ushers in New Era of Data Protection with Pervasive Encryption

Main take-outs in IBM Z Systems announcement:

  1. Pervasively encrypts data, all the time at any scale;
  2. Addresses global data breach epidemic;
  3. Helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations;
  4. Encrypts data 18x faster than compared x86 platforms, at 5 percent of the cost (Source: “Pervasive Encryption: A New Paradigm for Protection,” K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017);
  5. Announces six IBM Cloud Blockchain data centers with IBM Z as encryption engine;
  6. Delivers groundbreaking Container Pricing for new solutions, such as instant payments.

The new data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only four percent were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant re-positioning of mainframe technology in more than a decade, when the platform embraced Linux and open source software, IBM Z now dramatically expands the protective cryptographic umbrella of the world’s most advanced encryption technology and key protection. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, General Manager, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”

ENDS

* From an article originally published on July 17 2017 on my Peerlyst blog