Power grid hackers
Power companies the world over are being taught how to recognise the warning signs that they are being targeted by hackers, following an attack in December last year on a power grid in Ukraine which left over 230,000 people without electricity for hours after malware was successfully inserted into critical systems. This was not the country’s first attack of this kind; an earlier attack occurred in March 2015.
The malware from the breach has since been analysed by researchers presenting at Black Hat and Def Con, two of the most prominent gatherings of professional hackers and security specialists from around the world, giving insight into the security holes the companies have and how to plug them.
During the latest Black Hat convention, Robert M. Lee, CEO and founder of the industrial (ICS/IIoT) cyber security company Dragos Inc., gave a talk on the subject: “Power grid operators need to be aware that these styles of events are out there and they need to prepare for them.”
The information provided to the power companies details the kinds of code and other indicators to check for, based on the malware used previously. This should help them when scanning their systems for signs of an intrusion, aid them in developing further defences against hacker reconnaissance, and stop future attacks before they can even get going.
Both Dragos and security firm Eset have also laid out further ways in which the malware being used could be deployed. “All of the functionality exhibited in the malware was not seen in the Ukraine attack. They built more functions in it than they needed”, according to Lee at the convention last month.
He also went on to stress that there was little evidence that the same attackers had other power networks in mind for future potential targets. However, the techniques and solutions developed and deployed by them could easily be transferred to work on grids in other countries.
Power companies spanning Europe, Asia, and the Middle East were directly in the firing line, due to similarities in the structure of their systems, whereas US systems were generally safer due to differences in hardware.
Lee went on to say that governments were not doing nearly enough to raise awareness and deal openly with the problem, despite the seriousness of the events that had taken place in Ukraine. “No senior policy makers in any government have come out and condemned the Ukraine attack”, he said. “That’s done nothing but embolden the attackers and that’s a worrying trend.”
At both Def Con and Black Hat, numerous other security experts shared information about their work on possible attack vectors against a power network, with the aim of finding solutions before problems ever arise.
Harrys Konstantinou, a student at New York University, and two of his peers developed a project to determine how easy it would be to create a detailed map of the US power networks. The three of them dug through grid maps, blackout reports, regulatory filings, press releases and more in order to construct a detailed model of some portions of the power grid spanning the US. They also used free software that allowed them to map power flows and test the outcome of parts of the network going offline. To make their setup as accurate as possible, they even purchased substation control systems from eBay.
“There exists a wealth of information out there that can accurately model the grid and enable a widespread attack”, according to Konstantinou.
He added that, as a result of their work, some of the information regarding the layout of the US power grid has now been taken down from the internet, and that the project has pushed hardware manufacturers into hardening their systems against attacks of this nature.
It’s not just older power networks that are at risk either: newer ones, such as those of renewable energy sources like wind farms, are just as likely to be vulnerable, as stated by Dr. Jason Staggs from the University of Tulsa during his talk at Def Con, where he presented some of his work and findings. “The increased reliance on renewable energy sources will draw attention from attackers for all kinds of reasons… These networks are extremely susceptible to attack.”
His work revealed weaknesses in both the hardware managing the wind farms and the software allowing them to be maintained remotely, and in many cases he described the difficulty and effort needed to gain access as ‘trivial’. He urged wind farm owners and their operators to take security much more seriously in order to limit the potential damage that could be caused by an attack on such systems.
An advertisement from electrical and PC retail giant Curry’s PC World has been banned by the UK Advertising Standards Authority (ASA) for exaggerating the capabilities of its Knowhow Cloud backup facility.
The advertisement on the company’s website was banned following an ASA investigation. The ASA concluded that the misleading advertisement gave customers false information, and ruled that “the impression created by the ad was not that the product was singularly for cloud storage, but that it provided some sort of additional security”. The advertisement in question suggested that the service offered complete security; this was shown not to be the case.
The ASA found that consumers were led to believe that the Cloud would be beneficial to them, providing additional security benefits compared to other standard cloud storage providers. Promotional phrases on the company’s website included, “Once backed up, your files can be accessed whenever you need them, anywhere in the world”, and, “All your data is protected and backed up in our military grade encrypted UK based data centres. You can also secure the files on your computer, so if it’s ever lost or stolen your data is safe”.
The issues with the advertising campaign came to light after a Knowhow Cloud customer was left exasperated by his efforts to use the service to restore personal backups following a ransomware attack. Hoping to use the “fast and convenient” service that had been promoted, the customer instead found himself with the exhaustingly laborious task of restoring his files manually, one by one.
Curry’s PC World were quick to defend themselves against these allegations, claiming that the backup service “…was not intended to cover files that were virus infected, which created a rather complex situation for restoration”. Curry’s went on to blame the customer’s inability to protect himself from viruses, arguing that the customer was at fault in the first place for having been subjected to a ransomware attack.
Following the ASA’s ruling, DSG Retail Ltd, the company behind the Curry’s PC World brand, has yet to remove the misleading phrases from its website, although M&C Saatchi, the PR firm working on behalf of Curry’s PC World, has confirmed in a statement responding to the ASA ruling that product details will be updated as a matter of priority.
Broadband broadly panned
A £600 million plan has been proposed by Digital Minister Matt Hancock to allow BT to provide minimum-speed internet to the 5% of the country not currently connected, with BT recovering the costs through higher charges to its other customers.
The telecoms giant is currently considering offering the UK government a voluntary scheme to connect the most distant and remote dwellings in the UK with BT Broadband over a period of five years. The costs would be recovered through higher wholesale charges collected from BT’s retail business, as well as from other broadband providers within the UK, including TalkTalk and Sky.
Experts predict that customers could see their broadband bills grow by anywhere between £10-£20 per month. BT has earned nearly £2 billion in taxpayers’ money in recent years under a plan to improve connection speeds and provide a ‘Broadband Britain’. Critics and rivals claim that BT has been given far too much time to consolidate its investments.
£258 million of taxpayers’ money has already been returned following a previous BT scheme, after BT received soaring profits from a broadband roll-out. Matt Hancock insists that BT has the workforce and the ability to deliver broadband to every household within the UK. Previous government ministers were eager to secure a law requiring BT to provide consumers with broadband speeds of 10MBps.
Shuffle off its mortal coil
Apple has announced that it is killing off the iPod Nano and iPod Shuffle product lines, the last two of the company’s music players that cannot run its streaming service Apple Music and which have received no upgrades in quite some time.
The announcement stated that the reasoning was a ‘simplification’ of the iPod range of devices that the company offers, with only the Touch model remaining. The Touch is basically a slimmed down iPhone…without the phone.
As of the announcement, the two models have been removed from Apple’s online store, and it will not be long until the physical brick and mortar stores stop making them available as well.
The Shuffle, released 12 years ago in 2005, was a slightly controversial move for the company, ditching the screen in favour of simplicity and a specific purpose, leaving the user unable to pick a specific track in their playlist or read a screen to find out what’s currently playing.
The same year as the Shuffle was released, Apple also introduced a replacement for the iPod Mini in the form of the Nano. Apple stopped making the original iPod model in 2014, stating that it could no longer source the parts necessary to manufacture more.
The Micro:bit, the BBC’s newest attempt to get school kids interested in technology and coding, may well be putting smiles on their faces. Hackers have also found it to be a great little tool for some extracurricular mischief, due to its wireless capabilities and the programmable nature of the board itself.
The BBC aren’t new to the concept of trying to encourage more people to get into technology and coding. The predecessor to the Micro:bit was the BBC Micro, a 1980s project designed to introduce children to computing for the first time, designed and built by Acorn Computers.
Jump forward some 30 plus years, and the Micro:bit is an incredibly affordable piece of kit, for somewhere between £12.99 and £14.99 depending on the version you go for (See Bulletin article Technical revolution is child’s play thanks to the Micro:bit). Powered by a tiny ARM Cortex-M0 processor running at 16MHz with just 16KB of RAM, its features include:
• An accelerometer
• A compass
• A Micro-USB connector
• A 5×5 programmable LED grid
• Bluetooth connectivity
• Two programmable buttons
• Three digital/analogue input/output rings
All of this on a circuit board just 5cm wide by 4cm tall – quite an impressive little device.
At Def Con, the hacking conference hosted in Las Vegas, a presentation given by Damien Cauquil, senior security researcher at Econocom Digital Security, showed off some of the potential the device had, such as packet sniffing keystrokes from a wireless keyboard, or controlling a quadcopter drone.
Using publicly available software, he showed that he could program the device to do all kinds of interesting stuff. Though admittedly the storage on the device is incredibly small, it’s more than enough to store some passwords pulled out of the air from a nearby wireless keyboard for later misuse.
He admits that the system wasn’t perfect by any means, citing latency issues rooted in the low-cost parts, which often resulted in the connection to the quadcopter drone being lost rather easily. Nevertheless, it was still fast enough to override the owner’s signal.
Cauquil also stated that the Micro:bit was arguably even better at over-the-air sniffing and hacking than a multitude of dedicated hacking devices due to the wireless systems it has along with Python support. If you’re interested, and want to find out more, you can take a look at it on the official Micro:bit website, http://microbit.org/, and can even buy one from a wide range of resellers that they’ve partnered with here: http://microbit.org/resellers/.
Amazon Makes First Autonomous Drone Delivery
Amazon revealed late last year that they’d completed their first delivery made completely by an autonomous drone, delivered to a “Richard B” (no, not that one) living in Cambridgeshire, England. He ordered popcorn and an Amazon Fire TV (check out the official video promoting the event). The salient takeaways of the current system are:
• End-to-end order to delivery time is approximately 30 minutes.
• Drones are loaded up with ordered items in an Amazon warehouse, packaged by hand before being sent on a conveyor belt in a specific box to be loaded into the drone automatically.
• The drone, once loaded, travels along a track to an outside launch pad, where the drone then takes off to its destination, overseen by an operator at the warehouse.
• The house delivered to in the example is in a rural area with plenty of surrounding open ground giving the drone ample space to presumably ensure the test goes well.
• Amazon states that the drone flies under 400ft and can lift under five pounds.
Although only a test flight, many more will come, expanding to ‘hundreds’ of customers that live within the ‘several mile’ proximity of the warehouse. Currently there is a limited range of products on offer for the service, presumably due to weight and size restrictions.
And… that’s about it, not many more details are available at the moment but we’re sure we’ll be seeing lots more from Amazon about this in the future, though the rural setting for the delivery may indicate some accuracy and space issues, until they can improve on the system further. Until then, these drones may not yet be ready for more dense urban environments.
Paint no more?
New features will be available following the Microsoft Windows 10 update, which has been named “Autumn” in the UK. However, there was an outcry when it was announced to users of Microsoft Paint that the application was to be no more once the update had taken place.
Following its release in 1985 as an accessory within the Windows 1.0 package, Microsoft Paint became a fundamental part of Windows, commencing life as a monochrome licensed version of ZSoft’s PC Paintbrush, a graphics editor that entered the PC world and was subsequently used by innumerable users.
Microsoft introduced the new ‘Paint 3D’ as part of the Windows 10 update released in April this year. It was introduced alongside the traditional Paint application. The new Paint offers tools for making 3D imagery, as well as basic 2D image editing. It should not be confused with an update to the original Paint; it is a new program in its own right.
Microsoft Paint was not the only feature to appear on the condemned features list. Outlook Express, the Reader app and Reading List are also scheduled to be removed in the Windows 10 Autumn Creators Update. The removals are due to new features being introduced rather than the redevelopment of current ones. Microsoft Paint was scheduled to be one of the latest victims, and the chances are that, after this week’s outcry and subsequent backpedalling by Microsoft, it will quietly be culled in the next couple of years anyway.
Users often felt that Paint was not one of the most capable applications for image editing, since it was limited to bitmap (BMP) and PCX formats. Many users used Paint for scribbling quick notes with a mouse rather than a keyboard, and for cutting and pasting, whether on a home or work computer. Even the more recent version of Paint for Windows 7, an improved version which allowed people to save files as JPEGs and PNGs, still did not meet many users’ requirements compared to free alternatives found on the net such as Paint.NET, and its features were still considered poor.
Microsoft have since announced that Paint has been given a reprieve. When it does finally go to Software Valhalla, users will still either be celebrating or complaining about its demise, in much the same way they did when Microsoft killed Clippy, the animated talking paperclip avatar originally introduced with Microsoft Office 95. Without a doubt, Paint will go down in history as one of Microsoft’s longest-used apps.