Dallas Alarms Hack a Warning of Infrastructure Vulnerability

Dallas residents were wide awake and in a state of confusion late Friday night when the city’s outdoor emergency system was hacked, causing all of its 156 alarms to blast for an hour-and-a-half until almost 1:30 a.m.

With some interpreting the warning as a bomb or missile, a number of residents dialed 9-1-1, but the number of calls—4,400 in all—overwhelmed the system, causing some callers to wait for up to six minutes for a response, the New York Times reported.

The alarms blasted for 90-second durations about 15 times, Rocky Vaz, the director of the city’s Office of Emergency Management, told reporters at a news conference.

Mr. Vaz said emergency workers and technicians had to first figure out whether the sirens had been activated because of an actual emergency. And turning off the sirens also proved difficult, eventually prompting officials to shut down the entire system.

“Every time we thought we had turned it off, the sirens would sound again, because whoever was hacking us was continuously hacking us,” Sana Syed, a spokeswoman for the city told the Times.

Eventually the alarms were turned off, which had to be done manually, one alarm at a time.

On Saturday afternoon the system, used for hurricanes and other warnings, was still down, but officials said they hoped to have it functioning soon. They also said they had pinpointed the origin of the security breach after ruling out that the alarms had come from their control system or from remote access.

Mr. Vaz said that Dallas had reached out to the Federal Communications Commission for help and was taking steps to prevent hackers from setting off the system again, but that city officials had not communicated with federal law enforcement authorities.

Security officials have warned about the risks that such hacking attacks pose to infrastructure, which is often aging and in disrepair. Federal data shows that the number of attacks on critical infrastructure appears to have risen: to nearly 300 in 2015 from just under 200 in 2012. Attacks include a 2008 oil pipeline explosion in Turkey; a 2015 hacking of Ukraine’s power grid, leaving 200,000 people in Western Ukraine without electricity for several hours; and in 2013, hackers tried to gain control of a small dam in upstate New York. Seven computer specialists, who worked for Iran’s Islamic Revolutionary Guards Corps., were indicted for trying to take over controls of the dam, according to the Times.

8 Steps to Stronger Passwords Enterprise-Wide

Passwords remain one of the most critical security controls widely used to protect and secure company infrastructure and data. While the need for strong passwords has long been discussed, they continue to be the difference between a secure infrastructure and a potential cyber catastrophe.

Last year was extremely busy in cybercrime, with more than 3 billion credentials and passwords stolen and disclosed on the internet. That works out to a rate of 8.2 million credentials and passwords each day or 95 passwords every second.

Passwords have always been a good security control, but password strength and how they are processed make a major difference in how secure they really are. For example, it is critical to choose an easy password to remember, keep it long, and use some complexity and uniqueness. In addition, how the password is processed and stored in an encrypted format plays a major role in password security.

Here are eight easy steps to get in control and ensure passwords are strong and secure:

  1. Go with encryption: Passwords cannot be left in plain text ever and especially not in an Excel document. Always store passwords with encryption.
  2. Escape complexity: Focus on teaching your end users to use longer and more easily remembered passwords, like password phrases. Don’t let them get bogged down with having to remember special character requirements.
  3. Teach employees: Continued training is critical and is the most important step in implementing your policy. Make sure your users understand their role, prepare quarterly reviews, and make it fun with incentives.
  4. Size matters: The longer the password, the harder for a hacker to break. Make human passwords at least eight characters long and systems passwords 12-50 characters.
  5. Trust no one: Two-factor authentication is a must! No matter the size of your organization, there are two-factor options for you, like RADIUS tokens, DUO, or Google Authenticator.
  6. Omit duplicates: Use a unique password for each of your accounts. The same password should never be used more than once!
  7. No cheating: Remembering a long password can be difficult, but don’t allow password hints. These just make it easier for hackers to get in.
  8. Get a vault: Start using a trusted password manager to enforce strong password best practices. This way, users can always generate long and complex passwords, never have to remember all their passwords and, if you use a vault for your IT team, you can find one that automatically changes your admin passwords. When it comes to IT, automation is key to preventing a breach.

For more information on what’s expected in relation to security and passwords, check out Thycotic’s recent report on the current and future state of password security.

10 Lessons Learned from Breach Response Experts

SAN FRANCISCO—As hacking collectives target both the public and private sectors with a wide range of motivations, one thing is clear: Destructive attacks where hackers destroy critical business systems, leak confidential data and hold companies for ransom are on the rise. In a presentation here at the RSA Conference, the nation’s largest cybersecurity summit, Charles Carmakal and Robert Wallace, vice president and director, respectively, of cybersecurity firm Mandiant, shared an overview of some of the biggest findings about disruptive attacks from the company’s breach response, threat research and forensic investigations work.

In their Thursday morning session, the duo profiled specific hacking groups and the varied motivations and tactics that characterize their attacks. Putting isolated incidents into this broader context, they said, helps companies not only understand the true nature of the risk hackers can pose even in breaches that do not immediately appear to target private industry.

One group, for example, has waged “unsophisticated but disruptive and destructive” against a number of mining and casino enterprises in Canada. The hackers broke into enterprise systems, stole several gigabytes of sensitive data and published it online, created scheduled tasks to delete system data, issued ransom requests, and even emailed executives and board members directly to taunt them about the data exposed and increase the pressure to pay. Further increasing that pressure, the group is known to contact journalists in an attempt to publicize the exposed data. Victims have endured outages for days while trying to recover data from backups, and some have paid the ransoms, typically requested in the range of $50,000 to $500,000 in bitcoin.

Mandiant refers to this group as Fake Tesla Team because the hackers have tried to seem a more powerful and compelling threat by claiming they are members of Tesla Team, an already existing group that launches DDoS attacks. As that group is thought to be Serbian, they have little reason to target Canadian entities, and indeed, the bits of Russian used by Fake Tesla Team appears to be simply translated via Google.

In all of the group’s attacks that Mandiant has investigated, the hackers had indeed gained system access and published data, but they exaggerated their skills and some of the details of access. Identifying such a group as your attacker greatly informs the breach response process based on the M.O. and case history, Mandiant said. For example, they know the threat is real, but have seen some companies find success in using partial payments to delay data release, and they have found no evidence that, after getting paid, the collective does anything else with the access they’ve gained.

Beyond considerations of specific hacking groups or their motivations, Carmakal and Wallace shared the top 10 lessons for addressing a breach Mandiant has distilled from countless investigations:

  1. Confirm there is actually a breach: make sure there has been a real intrusion, not just an empty threat from someone hoping to turn fear into a quick payday.
  2. Remember you face a human adversary—the attacker attempting to extort money or make other demands is a real person with emotional responses, which is critical to keep in mind when determining how quickly to respond, what tone to take, and other nuances in communication. Working with law enforcement can help inform these decisions.
  3. Timing is critical: The biggest extortion events occur at night and on weekends, so ensure you have procedures in place to respond quickly and effectively at any time.
  4. Stay focused: In the flurry of questions and decisions to make, focus first and foremost on immediate containment of the attack.
  5. Carefully evaluate whether to engage the attacker.
  6. Engage experts before a breach, including forensic, legal and public relations resources.
  7. Consider all options when asked to pay a ransom or extortion demand: Can you contain the problem, and can you do so sooner than the attack can escalate?
  8. Ensure strong segmentation and control over system backups: It is critical, well before a breach, to understand where your backup infrastructure is and how it is segmented from the corporate network. In the team’s breach investigations, they have found very few networks have truly been segmented, meriting serious consideration from any company right away.
  9. After the incident has been handled, immediately focus on broader security improvements to fortify against future attacks from these attackers or others.
  10. They may come back: If you kick them out of your system—or even pay them—they may move on, perhaps take a vacation with that ransom money, but they gained access to your system, so remember they also may come back.

Ransomware Threats Jump 300%

Businesses have seen a huge increase in ransomware threats—300% from 2015, according to the FBI, which also reports there were 2,400 ransomware complaints in 2015. In addition to its growing frequency, the means of attack have also improved significantly, as hackers get better at social engineering and at developing malware.
ransomware1

Unlike other types of cyberattack, ransomware attacks are not about extracting data, they are about freezing access, holding businesses functionally hostage, according to Risk Management. When this type of malware infects a system, it encrypts files and documents and demands a ransom, typically in the form of digital currency such as bitcoin, in exchange for a decryption key.

The most frequent targets of attacks, 23%, were government entities, according to Hiscox. The category of business services was second at 18% and finance and insurance institutions followed with 13% of the attacks.
ransomware2
Because the encryption can be crippling and circumventing it is difficult, the FBI advises that businesses may be better off paying the ransom, especially if the company’s system backup has also been infected.
ransomware3