[BreachExchange] From Car Theft To Bombing Military Targets – Security Continues To Get “Real”

Tue Jan 10 19:34:21 EST 2017

https://www.riskbasedsecurity.com/2017/01/from-car-theft-to-
bombing-military-targets-security-continues-to-get-real/

As we’ve written before, “cyber” risk is largely viewed as a financial
problem. Criminals target rich caches of personal data for a myriad of
identity fraud schemes or go after financial processes in order to steal
money. Whether the attack is wildly successful – like Yahoo’s recent
revelation a whooping 1 billion user records were compromised and the
extraordinary multi-million dollar heist from Bangladesh’s Central Bank –
or just another run of the mill breach, organizations and the impacted
persons are often left facing the financial burden of cleaning up the mess.
Breach costs can take many forms, ranging from straightforward
investigation and remediation expenses to months of productivity lost to
chasing after diverted funds or defending expensive lawsuits. Whatever the
costs might be, security events are largely viewed as a hit to the balance
sheet and not a threat to property or well being.

But recently disclosed events show that times are changing. In August of
this year, Houston police disrupted a car theft operation responsible for
stealing over 100 cars and sending them to Mexico for resale. Armando Arce
and Jesse Irvin Zelaya were accused of taking advantage of the keyless
entry system used by locksmiths, auto dealers and repair shops for
accessing vehicles. According to reports, Arce and Zelaya were able to
persuade auto dealer and repair shop employees to sell their usernames and
passwords for accessing Chrysler’s key code databases. Armed with their
unauthorized access to this data, Arce and Zelaya were able to create new
key fobs for the target vehicles and simply drive away with the car.

In a case of “you can’t keep a good idea down”, a similar operation was
uncovered in east Jerusalem in December. It appears the same basic method
was used – the keyless entry system was exploited in order to create new
keys and steal the targeted vehicles. In this more recent example, luxury
models from Hyundai and Kia were the targets. Curiously, reporting
attributes the thefts to a “data leak” rather than directly accessing the
key code database. Regardless of whether the database was accessed with
legitimate credentials or data was exfiltrated and later used by the car
thieves, the result was the same – real property was stolen thanks to
unauthorized access to data.

The latest installment in the long-running Ukrainian crisis illustrates
just how extreme the consequences of lax security practices can be.
Ukrainian artillery officer Yaroslav Sherstuck promoted the use of a mobile
application that would reduce the time to fire a D-30 howitzer, commonly
deployed by Ukrainian artillery groups. Allegedly Russian counter forces
were able to obtain a copy of the application, embedded malware useful for
targeting purposes and distributed the Trojanized version via bulletin
boards. CrowdStrike, which released their research on the application,
stated:

“Open source reporting indicates that Ukrainian artillery forces have lost
over 50% of their weapons in the 2 years of conflict and over 80% of D-30
howitzers, the highest percentage of loss of any other artillery pieces in
Ukraine’s arsenal.”

On January 6th, the Ukrainian military denied the report, stating
“artillery losses were many times smaller and not caused by the reason”
given by CrowdStrike, and there is research that supports this conclusion.
It is unknown – and most likely will never be confirmed – how many of the
D-30 howitzers might have lost thanks to the intelligence gathered by the
Trojanized app – or how many persons might have been injured or lost their
lives when opposing forces targeted and bombed those field guns. According
to the UN High Commissioner for Human Rights, approximately 9,300 people
have been killed and 21,000 injured since the Ukrainian conflict began in
2014. If even one half of one percent (0.005) of casualties could be linked
to the malware, that would be approximately 150 people hurt by the use of a
malicious application.

There have been well over 4,000 data breaches reported in 2016, with more
than 4.2 billion records compromised. Most certainly the majority of these
incidents resulted in some level of disruption or financial consequences
for the compromised organizations. However, early warning signs are
emerging that things are changing. When there is money to be made,
malicious actors will exploit all the tools at their disposal including
compromising data and systems in order to steal or damage real property. It
may well be just a matter of time before weaknesses in internet connect
security systems and cell phones open the door to some very “real”
consequences.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170110/35d120f4/attachment.html>