Friday, April 16, 2010


Bank Worker Pleads Guilty to Hacking 100 ATMs

By Kim Zetter April 13, 2010 | 4:43 pm | Categories: Crime

A Bank of America worker pleaded guilty Tuesday to installing malware on more than 100 ATMs, and stealing $304,000 over a seven-month period.

Authorities were able to recover at least $167,000 in cash after the worker told U.S. Secret Service agents where they could find the money, according to a press release issued by the U.S. Attorney’s office in North Carolina, where the charges were filed.

Rodney Reed Caverly, 53, pleaded guilty to one count of unauthorized computer access for installing the malware.

Caverly’s attorney told Threat Level that his client wrote the code himself. It instructed the ATMs to dispense cash without creating a record of the transactions.


“I have seen some media speculation that this event is somehow related to an Eastern European computer virus from last year,” defense attorney Christopher Fialko said in an e-mail. “It is not.”

Fialko was referring to a Threat Level report that suggested Caverly’s code might have been related to malware found last year on ATMs in Russia and Ukraine, which also instructed the machines to dispense cash without leaving a record.

According to prosecutors, Caverly withdrew the cash over a seven-month period ending in October 2009. A Bank of America representative told Threat Level that the company discovered the theft internally.

A source familiar with the case said that Caverly specifically targeted at least 100 ATMs with his malware.

Caverly began working for Bank of America in 2007 writing application software and troubleshooting programs.

He was formerly the founder and CEO of Sovidian, a North Carolina software development company established in 1999. The company merged in April 2003 with Data On CD, a document-management and archiving firm. According to a news release on Sovidian’s website announcing the merger, the company has provided “tailored software and software integration solutions for the finance industry for over 10 years,” and counted Bank of America and two other major financial institutions as customers.

Caverly is out of jail on a $25,000 bond until his sentencing hearing later this summer. He faces up to five years in prison and a maximum fine of $250,000.



Source: http://www.wired.com/threatlevel/2010/04/malware-targeted-100-atms


Security Incidents Rise In Industrial Control Systems

Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems


By Kelly Jackson Higgins, DarkReading
April 14, 2010
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=224400280



While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years (down more than 80 percent), but water and wastewater incidents have increased 300 percent, and power/utilities incidents 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

The database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports.

Nearly half of all security incidents were due to malware infections -- viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: "A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It's several layers removed, but once there's a virus [on the business network], it finds its way into the control systems," says John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database. "And you see USB keys bringing in malware" to the SCADA systems, for instance, or via an employee's infected laptop, he says.

Doug Preece, senior manager for smart energy services at Capgemini, says another entry point for malware is the process control system platforms that are based on Windows. "Some of these platforms have evolved over time to lower-cost, more open, Windows-based stuff," Preece says. "It's not connected to the Internet, so the ability to receive patches at the OS level is hampered. The management of these systems is not as closely monitored as it is at the enterprise OS level."

That leaves unpatched, out-of-date software running on the systems, which leaves them prone to attacks. "Out-of-date patching [makes] a highly vulnerable platform," Preece says. And all it takes is an infected USB stick or floppy drive to be popped into one of these machines and it's infected, he says.

At the time the report was published late last month, the database contained 175 confirmed incidents, and Security Incidents Organization's Cusimano says it averaged three to four new incident reports per month.

Security experts say attacks targeting the power grid are likely to rise and intensify during the next 12 months, as smart grid research and pilot projects advance. So far, the RISI database has only logged a single smart grid incident, but such incidents are likely to increase, experts say.

Cusimano says the sole smart grid incident basically involved an HVAC system that knocked out service to thousands of residents in one community. "With the [federal] stimulus money, there are a lot of smart grid projects going in this year," he says. "The good news is that security" has been part of the equation from the get-go with these next-generation power grid systems, so it's not an afterthought, he says.

Even so, there are concerns that smart grid projects are moving forward a bit too fast, without allowing time for properly securing them, he says. Cusimano, whose day job is working with an automation consulting firm, says his company is working on a U.S. Department of Energy-funded smart grid project that has a tight timeline. "We have a very short deadline to prepare the security model," he says.

Industry remains skeptical that it's at risk

Meanwhile, the RISI report's findings of a major drop in chemical and petroleum security incidents may be the result of consolidated facilities and closed refineries, for instance, Capgemini's Preece says.

Water plant and wastewater plant incidents may be higher because they are typically required to issue press releases of incidents to their communities, notes Cusimano.

Overall, 25 percent of the security incidents in process control systems were intentional, directed attacks, where an outside attacker or an insider breached the system, according to the report. Of the remaining 75 percent, half were malware-borne, and half were equipment breakdowns or failures of some sort. Insider attacks rose 30 percent over the last five years.

Cusimano noted that there was an improvement in the number of viruses infiltrating control systems: the number of malware incidents has dropped by 83 percent in the past five years. "Largely, companies are doing a better job at firewalling their control systems and using anti-virus protection," he says. And if companies were to address their accidental incidents, most of them would also be protected from most targeted attacks, he says.

The financial impact of these incidents on the organizations is rising: according to the report, over the past five years, twice as many incidents added up to $10,000 to $100,000 in losses. The majority of incidents occurred in the U.S.

But the industrial process control sector remains largely unconvinced that they face major cybersecurity threats, he says. "There's a lot of skepticism that there's a real problem, particularly when it comes to doomsday scenarios like when the press talks about China or Russia breaking into a chemical plant to blow it up," Cusimano says.

And like the IT versus security dynamic in many enterprises, there's often a disconnect between the IT department and the SCADA group in process control, according to Cusimano. "The control system engineering department in control of the control systems and the plant's IT department have yet to find a way to work well together," he says. The IT department treats control systems like any other asset and prioritizes confidentiality, then integrity, and then availability. "But the control systems department's priorities are reversed: availability is paramount, then integrity and confidentiality."





Copyright © 2007 CMP Media LLC


Apache project server hacked, passwords compromised

Robert McMillan
April 14, 2010 (IDG News Service) Hackers broke into a server used by the Apache Software Foundation to keep track of software bugs.

The attack did not compromise the open-source Web server's source code repository, but it did give hackers access to a server used by the project to keep track of bugs, and they also obtained low-privilege accounts on another server used to maintain the people.apache.org Web site, according to Philip Gollucci, vice president of Apache infrastructure. "None of the source code was affected in any way," he said.

By taking advantage of a common Web programming error known as a cross-site scripting bug, and then using another password-guessing attack, hackers were able to break into the Atlassian JIRA software used by Apache. They then installed a password stealing program on that software, ultimately seizing full control of the machine. That gave them access to two other programs hosted by Apache on the same server, the Confluence wiki program and Bugzilla.

The intruders stole three cached login credentials from the compromised server to get access to the Minotaur.apache.org server that runs People.apache.org and provides shell accounts for Apache developers, but were unable to do much with these low-level accounts, Gollucci said. Even the data on its bugtracking systems is not sensitive, as Apache does not store information about security flaws on any of these servers, he said.

The unidentified attackers broke into Apache's JIRA server on April 6 and had begun stealing user passwords by the time Apache administrators noticed the issue on April 9.

In an attack launched at the same time, intruders were also able to break into Atlassian's own servers and gain access to customer user names and passwords. Atlassian employs several Apache developers, and attackers could have used the information from the Apache attack to try to break into accounts at Atlassian. "It's hard to say whether it was directed at Apache or at Atlassian," Gollucci said.

These passwords may prove to be valuable if Apache or Atlassian developers happen to use the same passwords on their source control systems. Then the attackers could make changes to the source code -- adding back door access to Apache projects, for example, said Chris Wysopal, chief technology officer with Veracode, via a text message.

Atlassian sells software development tracking and collaboration products, including the JIRA and Confluence software used by Apache.

According to an Atlassian blog post, hackers were able to access an unencrypted database of usernames and passwords used to log in to customer accounts. "The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008," Atlassian CEO Mike Cannon-Brookes said in a blog post. "We made a big error. For this we are, of course, extremely sorry. The legacy customer database, with passwords stored in plain text, was a liability."

Atlassian could not be reached immediately for comment.

This is not the first time the Apache Software Foundation has been hit by hackers. Last August intruders were able to break into the Minotaur server and run their own scripts on Apache's Web site.

Friday, April 02, 2010


Company says 3.3M student loan records stolen

Jeremy Kirk
March 29, 2010 (IDG News Service) Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing.

The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon and Connecticut.

The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release.

Law enforcement has been notified. "ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation," it said in a statement.

ECMC will send a written notification to affected borrowers "as soon as possible" and offer them free services from Experian, a credit monitoring agency.

Data loss can occur in a variety of ways, including by remote hacking or employee theft. ECMC didn't say whether the data taken was encrypted.

The information could be useful for data thieves, who use personal information to apply for loans and credit cards or to assemble portfolios for larger identity theft schemes.

ECMC's data loss is significant but far short of some of the largest incidents.

More than 130 million credit card numbers were stolen around 2008 from Heartland Payment Systems, an attack ranked as the largest to date by DataLossDB, which tracks incidents. One of the hackers, Albert Gonzalez, was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts.

In 2006, a laptop and hard drive containing personal information of 26.5 million military veterans and their spouses was stolen from the home of a U.S. Department of Veterans Affairs employee.


'Smart' utility meters have security holes and can be hacked, expert finds

SAN FRANCISCO — Computer-security researchers say new “smart” meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways.

At the very least, the vulnerabilities open the door for attackers to jack up strangers’ power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else’s power on and off.

The attacks could be pulled off by stealing meters — which can be situated outside of a home — and reprogramming them. Or an attacker could sit near a home or business and wirelessly hack the meter from a laptop, according to Joshua Wright, a senior security analyst with InGuardians Inc. The firm was hired by three utilities to study their smart meters’ resistance to attack.

These utilities, which he would not name, have already done small deployments of smart meters and plan to roll the technology out to hundreds of thousands of power customers, Wright told The Associated Press. There is no evidence the security flaws have been exploited, although Wright said a utility could have been hacked without knowing it. InGuardians said it is working with the utilities to fix the problems.

Power companies are aggressively rolling out the new meters. In the U.S. alone, more than 8 million smart meters have been deployed by electric utilities and nearly 60 million should be in place by 2020, according to a list of publicly announced projects kept by The Edison Foundation, an organization focused on the electric industry.

Unlike traditional electric meters that merely record power use — and then must be read in person once a month by a meter reader — smart meters measure consumption in real time. By being networked to computers in electric utilities, the new meters can signal people or their appliances to take certain actions, such as reducing power usage when electricity prices spike.

But the very interactivity that makes smart meters so attractive also makes them vulnerable to hackers, because each meter essentially is a computer connected to a vast network.

There are few public studies on the meters’ resistance to attack, in part because the technology is new. However, last summer, Mike Davis, a researcher from IOActive Inc., showed how a computer worm could hop between meters in a power grid with smart meters, giving criminals control over those meters.

Alan Paller, director of research for the SANS Institute, a security research and training organization that was not involved in Wright’s work with InGuardians, said it proved that hacking smart meters is a serious concern. “We weren’t sure it was possible,” Paller said. “He actually verified it’s possible. ... If the Department of Energy is going to make sure the meters are safe, then Josh’s work is really important.”

SANS has invited Wright to present his research Tuesday at a conference it is sponsoring on the security of utilities and other “critical infrastructure.”

Industry representatives say utilities are doing rigorous security testing that will make new power grids more secure than the patchwork system we have now, which is already under hacking attacks from adversaries believed to be working overseas.

“We know that automation will bring new vulnerabilities, and our task — which we tackle on a daily basis — is making sure the system is secure,” said Ed Legge, spokesman for Edison Electric Institute, a trade organization for shareholder-owned electric companies.

But many security researchers say the technology is being deployed without enough security probing. Wright said his firm found “egregious” errors, such as flaws in the meters and the technologies that utilities use to manage data from meters. “Even though these protocols were designed recently, they exhibit security failures we’ve known about for the past 10 years,” Wright said.

He said InGuardians found vulnerabilities in products from all five of the meter makers the firm studied. He would not disclose those manufacturers.

One of the most alarming findings involved a weakness in a communications standard used by the new meters to talk to utilities’ computers. Wright found that hackers could exploit the weakness to break into meters remotely, which would be a key step for shutting down someone’s power. Or someone could impersonate meters to the power company, to inflate victims’ bills or lower his own. A criminal could even sneak into the utilities’ computer networks to steal data or stage bigger attacks on the grid.

Wright said similar vulnerabilities used to be common in wireless Internet networking equipment, but have vanished with an emphasis on better security.

For instance, the meters encrypt their data — scrambling the information to hide it from outsiders. But the digital “keys” needed to unlock the encryption were stored on data-routing equipment known as access points that many meters relay data to. Stealing the keys lets an attacker eavesdrop on all communication between meters and that access point, so the keys instead should be kept on computers deep inside the utilities’ networks, where they would be safer.

“That lesson seems to be lost on these meter vendors,” he said. That speaks to the “relative immaturity” of the meter technology, Wright added.


© 2010 syracuse.com. All rights reserved.
