U.S. warns public about attacks on energy, industrial firms

(Reuters) – The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure.

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

U.S. Department of Homeland Security emblem is pictured at the National Cybersecurity & Communications Integration Center (NCCIC)

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

Department of Homeland Security spokesman Scott McConnell declined to elaborate on the information in the report or say what prompted the government to go public with the information at this time.

“The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats,” he said.

The FBI declined to comment on the report, which security researchers said described an escalation in targeting of infrastructure in Europe and the United States that had been described in recent reports from private firms, including Symantec Corp.

“This is very aggressive activity,” said Robert Lee, an expert in securing industrial networks.

Lee, chief executive of cyber-security firm Dragos, said the report appears to describe hackers working in the interests of the Russian government, though he declined to elaborate. Dragos is also monitoring other groups targeting infrastructure that appear to be aligned with China, Iran, North Korea, he said.

The hacking described in the government report is unlikely to result in dramatic attacks in the near term, Lee said, but he added that it is still troubling: “We don’t want our adversaries learning enough to be able to do things that are disruptive later.”

The report said that hackers have succeeded in infiltrating some targets, including at least one energy generator, and conducting reconnaissance on their networks. It was accompanied by six technical documents describing malware used in the attacks.

Homeland Security “has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign,” the report said.

The report said the attacker was the same as one described by Symantec in a September report that warned advanced hackers had penetrated the systems controlling operations of some U.S. and European energy companies.

Symantec researcher Vikram Thakur said in an email that much of the contents of Friday’s report were previously known within the security community.

Cyber-security firm CrowdStrike said the technical indicators described in the report suggested the attacks were the work of a hacking group it calls Berserk Bear, which is affiliated with the Russian Federation and has targeted the energy, financial and transportation industries.

“We have not observed any destructive action by this actor,” CrowdStrike Vice President Adam Meyers said in an email.

By: Jim Finkle in Toronto; Additional reporting by Gary McWilliams in Houston; Editing by Nick Zieminski and James Dalgleish

Source: https://www.reuters.com/article/us-usa-cyber-energy/u-s-warns-public-about-attacks-on-energy-industrial-firms-idUSKBN1CQ0IN

Secret Service IT management slammed after breach

By Joe Davidson

A Secret Service agent orders people into buildings near the entrance to the West Wing of the White House in Washington on Friday, May 20, 2016, after the White House was placed on security alert after shooting on street outside. (AP Photo/Andrew Harnik)

Now that the votes are in and the presidential campaign is done, the Secret Service can close an incredibly busy election season.

Perhaps it can turn some of that energy to protecting its computer systems, which suffer from neglect, ignorance and bad management, according to a watchdog’s report.

The report by the Office of Inspector General (OIG) at the Department of Homeland Security is related to the agency’s breach and leak of personal information belonging to Rep. Jason Chaffetz (R-Utah) last year. That was another in a string of embarrassments for a law enforcement agency that has had such a proud tradition.

A 2015 OIG investigation found that 45 employees got into Chaffetz’s 2003 Secret Service job application. Only four had a legitimate need, leaving the rest in violation of the Privacy Act and agency policies. The file snooping began minutes after Chaffetz, chairman of the House Oversight and Government Reform Committee, opened a hearing into allegations of agents’ misconduct.

Chaffetz said the current report, issued last month, shows that “despite past warnings, USSS [U.S. Secret Service] is still unable to assure us their IT systems are safe.” In a letter to Inspector General John Roth, Chaffetz also said the discipline for some agents in his case “is not adequate to deter similar behavior in the future” and asked Roth to continue his investigation.

The October report goes well beyond the Chaffetz case and dissects the agency’s information technology operation in scathing particulars.

Summing up the report, the inspector general’s office offered this mouthful: The “audit uncovers a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records. The OIG concluded that Secret Service’s IT management was ineffective because Secret Service has historically not given it priority. The Secret Service CIO’s [Chief Information Officer] Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.”

The Secret Service agreed with the report’s 11 recommendations, even though officials believe it does not reflect the agency’s recent IT progress. In a memorandum responding to the report, Secret Service Director Joseph P. Clancy noted last year’s hiring of retired Marine Brig. Gen. Kevin Nally as CIO and “the sweeping and unprecedented improvements” under his leadership.

“While more work remains to be done,” Clancy said that “the Secret Service has made considerable improvements in a remarkably short period of time. . . . We take the motto of being ‘worthy of trust and confidence’ very seriously in all areas in which we operate.”

Here are some points from the report:

  • Inadequate and ineffective system security: Security plans were “inaccurate, incomplete, or in one case, non-existent.” Many plans “were missing key items.” Some plans “incorrectly listed system security personnel in positions they no longer held, making it unclear as to who to contact in case of an incident.”
  • Outdated access controls: Secret Service access control policies were last updated 16 years ago, more than a lifetime in the digital era. “As such, it was not clear who should have access to the sensitive information retained on the USSS systems.” Once users gained access to the Master Central Index mainframe system, they could get into all system data, whether they needed it or not. Inactive accounts were not promptly disabled.
  • Poor audit controls: This hindered the ability to detect unusual activity or respond to security risks and attacks.
  • Lack of privacy protections: “Privacy documentation was incomplete, not up to date, or missing.” The inspector general requested system security plans for five systems. “Only four were provided,” and each was incomplete. Information System Security Officers “indicated they were unaware of the requirements for documenting privacy controls.”
  • Missing leadership: The Secret Service did not have a designated, full-time privacy officer reporting directly to the agency director as the Department of Homeland Security required, increasing “the likelihood that privacy requirements would continue to not be fully addressed.”
  • Over-retention of records: This violates the Privacy Act and relates directly to Chaffetz’s file, which was viewed when it was 12 years old. “[I]t was not reasonable to maintain this information for more than 10 years after Congressman Chaffetz submitted his application, and therefore, the continued retention of his records violated the Privacy Act.”
  • Low priority: The OIG found some “key guidance” related to IT management dated to 1992, “reflecting that IT was not a priority.” Key IT openings were left vacant for months. At one point, the agency’s CIO office’s vacancy rate was 29 percent. Hundreds of employees lacked adequate IT training, leaving them not fully aware of their “responsibilities in properly safeguarding mission critical data.”
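The findings above describe missing controls rather than a technique, but three of them (need-to-know access, prompt disabling of inactive accounts, and retention limits) map directly to checks an agency can automate over its own records system. The following is an added example, not code from the OIG report, the Secret Service or the Washington Post article; the access-log format, user roster, need-to-know map and idle-account window are constructed assumptions, and the 10-year retention limit follows the figure quoted in the report.

```python
"""Added example: automated audit, access-control and retention checks of the
kind the OIG findings imply. All data below is constructed for illustration;
the log format and field names are assumptions, not a real USSS format."""
from datetime import date, timedelta

# Constructed access log: ISO date, user id, personnel record id.
ACCESS_LOG = """
2015-03-24,agent_a,REC-2003-0117
2015-03-24,agent_b,REC-2003-0117
2015-03-24,hr_clerk,REC-2003-0117
2015-03-24,agent_c,REC-2003-0117
2014-11-02,agent_d,REC-2009-0421
"""

# Constructed need-to-know map: record id -> users with a documented business need.
AUTHORIZED = {
    "REC-2003-0117": {"hr_clerk"},
    "REC-2009-0421": {"agent_d"},
}

# Constructed account roster: user id -> last successful login.
LAST_LOGIN = {
    "agent_a": date(2015, 3, 24),
    "agent_b": date(2015, 3, 24),
    "agent_c": date(2015, 3, 24),
    "agent_d": date(2014, 11, 2),
    "hr_clerk": date(2015, 3, 24),
    "former_agent": date(2014, 1, 15),
}

# Constructed record inventory: record id -> date the application was submitted.
RECORDS = {
    "REC-2003-0117": date(2003, 7, 1),
    "REC-2009-0421": date(2009, 4, 21),
}


def parse_log(text):
    """Turn the comma-separated log into (date, user, record) tuples."""
    rows = []
    for line in text.strip().splitlines():
        day, user, rec = [field.strip() for field in line.split(",")]
        rows.append((date.fromisoformat(day), user, rec))
    return rows


def unauthorized_accesses(rows, authorized):
    """Audit control: every access by a user with no documented need for that record."""
    return [(d, u, r) for d, u, r in rows if u not in authorized.get(r, set())]


def stale_accounts(last_login, today, max_idle_days=90):
    """Access control: accounts idle longer than the policy window (assumed 90 days)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, last in last_login.items() if last < cutoff)


def years_between(earlier, later):
    """Whole years from `earlier` to `later`, safe for leap days."""
    return later.year - earlier.year - ((later.month, later.day) < (earlier.month, earlier.day))


def over_retained(records, today, max_years=10):
    """Retention: records held longer than the limit (10 years per the report)."""
    return sorted(r for r, submitted in records.items() if years_between(submitted, today) >= max_years)


def run_checks(today):
    """Run all three checks and return the findings as a dict."""
    rows = parse_log(ACCESS_LOG)
    return {
        "unauthorized": unauthorized_accesses(rows, AUTHORIZED),
        "stale_accounts": stale_accounts(LAST_LOGIN, today),
        "over_retained": over_retained(RECORDS, today),
    }


if __name__ == "__main__":
    for name, findings in run_checks(date(2015, 3, 24)).items():
        print(name, findings)
```

Each function returns a list rather than printing, so the same checks can feed a ticketing system or a SIEM rule; in practice the need-to-know map would come from the case-management system of record, not a hard-coded dictionary.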

Roth recognized agency IT improvements in a statement with the report, but added that until they and the recommendations are fully implemented “the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”

Source: https://www.washingtonpost.com/news/powerpost/wp/2016/11/09/secret-service-it-management-slammed-following-chaffetz-breach/

Raspberry Pi 3: The inside story from the computer’s creator

By Nick Heath | February 28, 2016
Source: www.techrepublic.com

It’s fair to say the success of the Raspberry Pi computer has surpassed expectations.

Co-creator of the board Eben Upton famously said he originally thought they’d sell about 1,000 of the $35 pocket-sized boards.

Raspberry Pi 3. Image: Matt Richardson

That estimate turned out to be somewhat conservative. More than eight million boards have shipped in the four years since the Pi’s launch – with the Pi selling faster than ever last year.

This burgeoning demand is being fuelled by newfound appetites for the Pi. While early sales were driven by hobbyist makers and tinkerers, in recent years schools and businesses have begun using the boards in serious numbers.

It’s easy to see that momentum continuing, as from today you’ll be able to get far more Pi for your buck. Monday marks the launch of the Raspberry Pi 3 Model B – a machine some 50 percent faster than the Pi 2 that came out just last year.

The Pi 3’s release comes somewhat out of the blue. In the first three years following the Pi’s release there were no major updates to the board but over the past year its capabilities have surged, with the release of the Pi 2 and now the Pi 3.

“We’ve got a 10x improvement in processing in 13 months,” said Upton, describing the jump from the single core processor of the original Pi to a faster, more capable quad-core chipset in the Pi 3.

That boost puts the Pi 3 more squarely in the category of an entry-level home computer than ever before – with testers of the pre-release boards noticing an appreciable difference in the usability of the Pi 3 as a PC, according to Upton.

“Talking to people who’ve played with the units, it’s crossed some kind of line.

“It’s become more PC-like. When you’re using LibreOffice and the web browser it just feels more modern in that respect.

“You’re looking at an entry-level PC from the latter part of the last decade.”

Breaking down the performance, the Raspberry Pi 3’s new CPU performs 50-60 percent faster in 32-bit mode than that of the Raspberry Pi 2 and roughly ten times better than the original single-core Raspberry Pi in a multi-threaded CPU benchmark like SysBench. Compared to the original Pi, real world applications will see a performance increase of between 2.5x – for single-threaded applications – and more than 20x – for NEON-enabled video codecs.

The increased speed and capabilities of the chipset means the new board can now play 1080p video at 60 frames per second, in a boost to the Pi’s media center credentials.

Pi 3’s increased ease of use isn’t just down to more processing muscle, but also built-in support for wi-fi and Bluetooth – a first for the Pi.

The addition not only makes web browsing easier but also offers network connectivity without affecting the Pi’s performance. A recurring complaint about earlier models of the Pi is that USB and Ethernet share the same data bus. This shared bus limits the amount of data that can be passed to and from the Pi, which could slow things down when a user attempted to pass large amounts of data over Ethernet and to USB-attached storage at the same time.

In contrast the Pi 3’s wireless LAN doesn’t share the USB bus – allowing users to sidestep some of the problems that shared bus can cause.

Just as important a decision when releasing a new Pi is what features to leave out and Upton says that one oft-requested feature that didn’t make the cut was a Sata port, which would provide a high speed connection for attaching storage. Sata was omitted from the Pi 3 mainly for technical reasons, as the board’s architecture would mean the Sata connection having to send data via the USB2 bus. This would have the effect of throttling the Sata connection, with its maximum throughput of 6 Gbps squeezed down to the 480 Mbps speed of USB2.

What’s next for Android, Chromium OS and Windows on the Pi?

The Pi already runs a suite of Linux-based operating systems but the Pi 3’s additional power also furthers the possibility of the Pi running new OSes, such as Android, Chromium OS and, eventually, maybe Windows.

Windows 10 was released for the Raspberry Pi 2 last year but it isn’t the full desktop version of the Microsoft OS, but rather a cut-down version called Windows IoT Core designed to support Internet of Things appliances.

However, from a technical standpoint, Upton says the Pi 3 has the chops to run a full version of Windows – pointing out the similarities of the board’s hardware to that of the original Surface RT tablets, which ran a version of Windows 8.

“There’s no fundamental difference between this device and a Windows Surface device,” he said.

“The operating system underpinnings are the same. We’d dearly love to have the [Windows] shell and applications on there but that isn’t something that is in scope for the relationship we have [with Microsoft] at the moment.”

Specswise the Pi 3 is based around a more powerful CPU core than the original Surface tablets but its memory is half that of the original Surface and clocked at a lower speed. The Surface RT OS has since been superseded by Windows 10 Mobile, which can be used on tablets and smartphones that, like the Pi, use ARM-based hardware.

Also, Upton points out that when it comes to Windows software most people want to run the apps that work on their desktops and laptops at home, not the far smaller pool of software that ran on Surface RT.

Getting that standard Windows software to run on the Pi is complicated because the board’s underlying hardware is ARM- rather than x86-based, although specialist tools like ExaGear and Wine can be used together to get x86 Windows software to run on the Pi. Running software in this way takes a large toll on performance – something the additional processing power of the Pi 3 may help to address.

“We’re chipping away at it, as we are putting more and more power into the system there is that range of stuff that becomes possible,” said Upton.

What looks to be more feasible, and has already been realised to a degree, is getting popular operating systems Android and Chromium OS – the open-source equivalent of Chrome OS – to run on the Pi.

Getting these systems onto the Pi is being enabled both by the more powerful hardware of the new board and the development of an open-source 3D graphics driver for the board that is making it easier to implement these systems.

“Our technical choices were blocking the community from getting this stuff done and we’re backing away from those now,” said Upton of the Mesa and DRM driver developed by Eric Anholt.

“There’s a quite impressive looking ChromiumOS port for the Pi. As we get more processing power and as Eric’s stuff matures further, we hope that can become something we can endorse and have as an option on the Pi.”

In the nearer future, a version of Windows 10 IoT Core will be released for the Pi 3 and is complete enough that it is expected to be demoed at the Pi 3’s launch on Monday.

Upton expects the release of the Pi 3 will pave the way for individuals and small businesses to begin using Windows IoT Core to begin creating products in earnest.

While the Windows OS has been used by people to build homemade sensor hubs and the like, he believes that its use to create Pi-based appliances may have been held back by the lack of a Raspberry Pi compute module that could run Windows IoT Core.

The Raspberry Pi compute module packs the processor and memory of the Pi onto a slim board the size of a memory module. The idea of the compute board is to make it easier to bolt together a custom appliance using a Pi, as the compute module can be plugged into a base board with all of the necessary peripheral circuitry.

While the Raspberry Pi Foundation had originally intended to release a compute module based on the Pi 2 that could run Windows IoT Core, Upton said demand for the main model B Pi 2 board was so strong there wasn’t enough stock to make it happen. The foundation now plans to instead launch a compute module based on the Pi 3 (CM3) “in the next few months”.

“The compute module is how you get through the 1,000 to 10,000 range as you’re scaling your product out. One of the reasons we’re excited about getting CM3 out is it will give people a platform to move on from tinkering and doing the odd fun little home automation projects.

“It’s exciting because it’s giving people an opportunity to build small businesses from scratch.”

Can we expect a new Raspberry Pi each year from now on?

Upton is adamant that the foundation is not about to start bringing out new Raspberry Pi boards each year. The rapid release Pi 3 is something of a one-off, he said, made possible by a combination of technical and cost factors. The earlier work the foundation completed on designing the Pi 2 paved the way to begin using the more powerful chipset found in the Pi 3. This technical readiness coincided with a reduction in the cost of producing the board, which allowed wi-fi and Bluetooth support to be added without increasing the price.

“We’re kind of at the end of that particular roadmap. I would expect a longer pause, a couple of years at least, before any kind of major bump to the platform,” he said.

The release also coincides with two important landmarks for the Raspberry Pi and the foundation.

“We’re releasing it exactly on our fourth birthday. There’s also this eight million milestone, eight million units [sold] of prior platforms. It feels like an auspicious time to do it.”

The previous Raspberry Pi boards will continue to be sold after the Pi 3’s release, although Upton expects demand for the Pi 1 will last longer than for the Pi 2.

“I think Raspberry Pi 1 will outlive Raspberry Pi 2. What we did with Raspberry Pi 1 was move the price point so a model B+ costs $25. Raspberry Pi 1 at $25 has a place to live at a differentiated price,” he said.

“The Raspberry Pi 2 chipset is not significantly more cost effective than the Raspberry Pi 3 chipset, so there’s nowhere for 2 to go.”

The Pi 3 Model B that goes on sale on Monday will be followed by a Pi 3 Model A, which will release in the middle of this year. Like the Pi 1 Model A, the board will be a version of the Pi 3 that has no Ethernet port and only one USB port but that sells for a cheaper price. Upton points out, however, that the lack of Ethernet and single USB will be compensated for in the Pi 3 Model A by the inclusion of wi-fi and Bluetooth connectivity.

Like the compute module, a Model A based on the Raspberry Pi 2 was never produced, again because every Pi 2 chip was needed to meet demand for the Model B boards.

This time around Upton doesn’t anticipate people will have too much trouble getting hold of the Pi 3, as he says there will be a much more steady supply of new boards.

“This year we have a much more robust supply chain. There will be 100,000 flowing through every week for as long as we need, to deal with the demand that’s built up.”

That said, given the surge in orders that follows each major new release of the Pi, he expects “supply will be fairly tight for the first few days”.

Add-ons for previous generations of the Pi should still work as the dimensions and layout of the board remain the same, save for the LEDs moving position. This move will mean the LEDs aren’t visible on some cases for previous generations of the Pi and a new official case will be released.

Most existing operating systems for the Pi will run on the Pi 3, including the official Raspbian OS.

The processor bump and additions to the board mean peak power consumption of the Pi 3 is about 50 – 60 percent higher than its predecessors, though Upton says that “power consumption at constant workload stays the same”. The foundation is also releasing a new official power supply, which will be rated at 2.5 A at 5.1 V, compared to the 2 A at 5 V supply used by earlier boards.

A minor change, which will help those who attach drives to the Pi, will be the ability for the Pi 3 to boot directly from a USB-attached hard or pen drive – rather than having to boot from an SD card. Similarly the Pi 3 will also support booting from a network-attached file system, using PXE, without the need for boot data on an SD card – something Upton foresees being useful for boards used for factory automation.

Can the Pi retain its popularity?

The foundation sold more Pis in 2015 than in any previous year and Upton hopes that by continuing to improve the board, while keeping its price at the $35 mark, that success can continue.

“We’re still happy that the platform that we’re shipping is the best platform. So I’m hoping that the combination of that and the community will mean that we keep seeing growth.”

The large community of enthusiasts who share tips and tricks and third party companies that make add-on boards to extend the Pi’s capabilities is a major draw for the platform, and distinguishes it from the slew of Raspberry Pi clone boards released in recent years.

As with the popularity of the Pi, Upton and his fellow founders of the Raspberry Pi Foundation underestimated the number of dedicated users the board would attract.

Upton digs out a business plan from 2009 that sets out expectations for the size of the community that would grow up around the Pi.

“Such a community requires roughly 1,000 members, of whom 100 view the forum regularly and 10 post actively,” the plan states. In contrast the forums on the official Raspberry Pi site today have 156,000 members who have racked up 885,000 posts on 126,000 topics. “There’s a little bit of a difference of scale,” he admits.

The success of the Pi has allowed the foundation to double down on its mission of educating children and adults about computers. The not-for-profit charity has a 60-strong workforce, publishes an official magazine and employs staff focused on creating teaching resources and running outreach projects with schools and at shows.

“It’s a real powerhouse,” said Upton. “We’re doing things that we wouldn’t have believed when we started.”

Beyond the foundation, the expandable hardware of the Pi and the software bundled with its official Raspbian OS aims to show just how satisfying hardware hacking and coding can be – with a suite of tools such as a coding-oriented version of the popular game Minecraft and the drag-and-drop coding app Scratch.

The reward for Upton is seeing an uptick in numbers of people applying to study computer science at Cambridge University in the UK, after years of sustained decline. It was frustration at that steady fall that drove him to create the Pi, in an effort to get a new generation excited about working with computers.

“That was our ‘Oh shit’ moment, when we saw that nobody was applying to study computer science at Cambridge, which is kind of the best place in the world to study computer science.

“It had gone from 600 people in 1999, when there was the dotcom boom and people thought that computer science was a meal ticket, to about 250 people by about 2008, an appalling collapse. It’s now up to over 700, there are more people applying to study computer science than we had at the height of the dotcom boom. So there’s some sort of gross evidence that we’re making a difference,” he said, adding the foundation’s work is part of a larger effort by a number of initiatives to reinvigorate how computing is taught.

As the engineer who designed part of the 3D chip used by the Pi, Upton’s only disappointment at the board’s overwhelming success is that he doesn’t have much time to hack together his own projects.

“For me, the big change is that I write less code and that’s sad. I spend so much time answering email. I made this lovely toy and don’t really have time to play with it.”

The Raspberry Pi 3 Model B is available now for $35 via Premier Farnell and RS Components.

Raspberry Pi 3 specs

Chipset: Broadcom BCM2837
CPU: 1.2GHz quad-core 64-bit ARM Cortex-A53
Ethernet: 10/100 (Max throughput 100Mbps)
USB: Four USB 2.0 with 480Mbps data transfer
Storage: MicroSD card or via USB-attached storage
Wireless: 802.11n Wireless LAN (Peak transmit/receive throughput of 150Mbps), Bluetooth 4.1
Graphics: 400MHz VideoCore IV multimedia
Memory: 1GB LPDDR2-900 SDRAM
Expandability: 40 general purpose input-output pins
Video: Full HDMI port
Audio: Combined 3.5mm audio out jack and composite video
Camera interface (CSI)
Display interface (DSI)