Author Archive

Publishers face hit from upcoming Apple privacy controls

Privacy changes in Apple’s upcoming iOS 14 operating system upgrade have drawn an increasing amount of attention before a fall release (mainly from those who benefit from the advertising industry) – and Facebook made its strongest statement yet about what the changes could mean, suggesting it could halve revenues from its Audience Network business, a multibillion-dollar operation.

Digital publishers are also bracing for the impact, which could take away a sizable chunk of the revenues they draw from iPhone users.

Apple’s change involves the collection of its advertising identifier for users, called the IDFA – a tag that can help advertisers connect a click on an ad with an eventual app install on a device. Apps will be required to ask users whether they can be tracked, and if most users opt out, it could deal a heavy blow to an industry already reeling from the COVID-19 pandemic.

“When every publisher is fighting for every last advertising cent, this couldn’t come at a worse time,” DMG Media’s Martin Clarke tells the WSJ.

While Apple won’t prohibit tracking – instead putting the onus on app makers to get permission – one concern among publishers is the language being used to inform users of their rights. Europe’s GDPR left it to publishers to formulate that language, but claims of a “harshly worded prompt” from Apple lead many to believe a vast majority of users will opt out.

And the result may be ad-tech firms (many of whom expect ad rates to drop by up to 40%) writing off the Apple identifier. Branch Metrics’ Alex Austin tells WSJ that the firm’s assuming IDFA is “dead for everything we’re doing.”

And while not every publisher will see the same impact, the ones who moved faster into “programmatic” ad buying (and tend to have large numbers of iPhone users) could see meaningful impact.

via: seekingalpha

Jack Daniel’s Manufacturer Was Target of Apparent Ransomware Attack

Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted.

The company, which is based in Louisville, Kentucky, said in a statement it was able to prevent its systems from being encrypted, which is normally caused by ransomware attacks. It provided few other details about the incident, including when it happened or how the hackers accessed the data.

“We are working closely with law enforcement, as well as world class third-party data security experts, to mitigate and resolve this situation as soon as possible,” the company said. “There are no active negotiations.”

In ransomware attacks, hackers typically encrypt a company’s files and demand a payment to unlock the files. In some instances, hacker groups post snippets of stolen files on websites, or send them to the media, to pressure companies to pay. Such attacks have increased in recent years against all kinds of businesses and government agencies, including cities and school districts.

In this instance, a message sent anonymously to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. The alleged hackers said they copied 1 terabyte of confidential data and promised to share it online. The website named by the attackers goes to a page that lists victims of Sodinokibi ransomware, which emerged in 2019 and has spread across the globe, according to McAfee LLC. Also known as REvil, the ransomware code is maintained by one group of people and distributed by affiliates, a model known as ransomware as a service, McAfee said.

“An attempt at dialogue with the company did not bring any results,” the alleged hacker said.

via: bloomberg

Decryption Tool Released for WannaRen Ransomware

Security researchers released a decryption tool that enables victims of WannaRen ransomware to recover their files for free.

On August 19, Bitdefender announced that it had made a WannaRen decryption utility publicly available for download.

The security firm urged victims of this ransomware to save the decryptor somewhere on their computer after completing the download process.

Once they click on the saved “BDWannaRenDecryptor.exe” file, they should click “Yes” and give the decryptor the permissions it needs to modify files on the infected device. They should then agree to the end user license agreement.

With a “test folder” containing pairs of encrypted/not-encrypted files, victims can instruct the tool to scan their entire machine for encrypted files as part of the recovery process.

Bitdefender also recommended that users select the “Backup files” option.

A screenshot of the WannaRen decryptor’s dialog box. (Source: Bitdefender)

News of this decryption utility arrived several months after WannaRen first attracted the attention of the security community.

In April 2020, 360 Security Center was among the first to witness the ransomware circulating in the wild and demanding ransoms of 0.05BTC (worth approximately $600 at the time of writing).

A close look by 360 Security Center at WannaRen revealed that the ransomware had originated from Hidden Shadow, a digital crime organization which has a history of exploiting EternalBlue for the purpose of moving laterally on infected networks and distributing banking trojans.

The security firm found that WannaRen arrived with a PowerShelld downloader containing this same propagation method.

It’s not always possible for security researchers to develop a decryption tool for a ransomware family. Sometimes, the code reveals no apparent weaknesses that allow for the creation of such a utility.

Acknowledging that reality, organizations and users alike should take steps to prevent a ransomware infection from occurring in the first place. This resource serves as an excellent starting point.

via: tripwire

Here’s who’s hiring right now

Companies from industries spanning from technology to retail are hiring to meet increased demand caused by the coronavirus pandemic. Below is a regularly updated list of companies hiring right now.

While we’d like to feature all opportunities on this page, we want to highlight those that will be relevant to the greatest number of LinkedIn members. Search the #HiringNow hashtag to see other possible job openings. Also, be sure to use that hashtag in posts if you’re offering or know of employment opportunities. You can also find additional opportunities on the LinkedIn jobs page.

For those of you in Canada, see a list of companies hiring in your country by clicking here.

Also, for those looking for the latest information about job seeking during this difficult and unusual time, you can find the #GetHired guide here:

Microsoft to permanently close all of its retail stores

The company will also “reimagine” three of its existing stores, specifically the ones in London, New York City, and Sydney, as Microsoft Experience Centers.

Microsoft is pulling the plug on its retail store experience. After launching its first physical store more than 10 years ago, the company is permanently closing all its physical retail outlets across the world, David Porter, corporate VP for Microsoft Store, said in a LinkedIn post on Friday.

“As part of our business plan, we announced a strategic change in our retail operations, including closing Microsoft Store physical locations,” Porter said. “Our retail team members will continue to serve customers working from Microsoft corporate facilities or remotely and we will continue to develop our diverse team in support of the overall company mission and objectives.”

In revealing the decision, Porter said that Microsoft’s hardware and software sales have been shifting online, while its lineup has evolved to digital products, including Microsoft 365 as well as content for gaming and entertainment. Porter touted growth in traffic to and the company’s digital Xbox and Windows storefronts that see as many as 1.2 billion monthly customers across 190 markets.

Further, the coronavirus lockdown seemed to show Microsoft that it could provide sales and technical support to buyers and customers

without maintaining a physical presence. The company’s shift to a remote workforce due to COVID-19 still allowed it to support individuals and organizations.

“Our retail sales team helped small businesses and education customers digitally transform; virtually trained hundreds of thousands of enterprise, government and education customers on remote work and learning software; and helped customers through support calls,” Porter said. “The team supported communities hosting more than 14,000 online workshops and summer camps and helped more than 3,000 schools and 1.5 million students celebrate virtual graduations.”

In line with the store closures, Microsoft employees will offer sales, training, and support from their corporate offices as well as remotely, Porter said. The company also aims to enhance its digital storefronts where people can buy products, receive training, and get technical support. One new service slated for these online storefronts will be 1:1 video sales support.

The existing retail stores in London, New York City, and Sydney and on the Redmond campus will be “reimagined as new spaces,” according to Porter. Specifically, the locations in London, New York, and Sydney will be turned into Microsoft Experience Centers, designed to serve consumer, small business, education, and enterprise customers. At these centers, people will be able to try out Microsoft products, view product demos, explore device bars, and learn about Microsoft technology.

Also on tap at these Experience Centers will be consultations for small business and education customers and training seminars for enterprise customers. Plus, the centers will allow customers to schedule appointments for support and Answer Desk visits and offer a variety of community events and workshops. However, purchasing will be available only through Microsoft’s digital storefronts.

Borrowing a page from Apple, Microsoft opened its first retail store in the US in October 2009 to sync with the launch of Windows 7. Over the years, the number of US stores climbed to 72 locations across 31 states. Expanding beyond the United States, Microsoft kicked off stores in Australia, Canada, Puerto Rico, and England, for a total of 82 worldwide.

The Microsoft store was an attempt to sell products and services, offer support and training, and provide customers with a more personal one-on-one approach. But unlike Apple, Microsoft failed to squeeze much success or profitability out of its retail store experience. One factor lies in a core difference between the two companies.

Apple designs and sells its own hardware and software, mostly for individual consumers who can enjoy and benefit from an in-store experience. Microsoft is a more nebulous company that creates and sells software to run on devices from other vendors, while its direct target audience consists of enterprise customers less likely to venture to a store for sales or support.

via:  techrepublic

Zoom Not Offering End-to-End Encryption to Free Users to Help Law Enforcement

Zoom’s chief executive revealed on Tuesday that free users will not be offered end-to-end encryption as the company wants to assist the FBI and local law enforcement in their investigations.

Zoom’s popularity has increased significantly since the start of the COVID-19 pandemic due to many people being forced to work and study from home. This popularity has also attracted the attention of privacy and security experts, who have identified some serious issues in the video conferencing service, as well as the attention of bad actors who have started abusing the platform.

Zoom has promised to take action and it has already started implementing measures that would help it address security and privacy concerns.

One of these measures is related to end-to-end encryption. Zoom does encrypt communications between clients and its servers, but it currently does not offer true end-to-end encryption, which would prevent even the company itself from gaining access to the content of customers’ communications.

Last month, the company published a detailed draft of the cryptographic design it plans on using for its upcoming end-to-end encryption feature, which it said would be offered to paying customers and schools.

During a conference call following the release of financial results for the first quarter of fiscal year 2021, Zoom CEO Eric Yuan told investors that they do not want to offer this kind of protection to free users, which are more likely to abuse the platform, as the company wants to work with the FBI and local law enforcement if people use Zoom for “bad purposes.”

In a long thread on Twitter, Alex Stamos, who was hired by Zoom as an outside advisor on cybersecurity, shared some details on the company’s plans for end-to-end encryption, which he says “are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues.”

Stamos, who in the past worked as CSO at Yahoo and Facebook, said Zoom does not proactively monitor meeting content and it does not plan on doing so in the future. He says the vast majority of abuse comes from people who use Zoom for free and the company plans on taking measures that would “create friction and reduce harm.”

Stamos pointed out that if end-to-end encryption is enabled, Zoom’s Trust and Safety team will not be able to enter a meeting they believe to be abusive — this is now possible without end-to-end encryption — and there will be no backdoor to facilitate such access. Stamos also noted that some meeting features are also incompatible with end-to-end encryption. This is why end-to-end encryption will be opt-in “for the foreseeable future.”

“So we have to design the system to securely allow hosts to opt-into an E2E meeting and to carefully communicate the current security guarantees to hosts and attendees,” Stamos said.

Zoom’s revenue for the first quarter was $328 million and the company expects to generate up to $1.8 billion this fiscal year, with an estimated profit of up to $380 million.

via:  securityweek

Researcher Spots New Malware Claimed to be ‘Tailored for Air‑Gapped Networks’

A cybersecurity researcher at ESET today published an analysis of a new piece of malware, a sample of which they spotted on the Virustotal malware scanning engine and believe the hacker behind it is likely interested in some high-value computers protected behind air‑gapped networks.

Dubbed ‘Ramsay,’ the malware is still under development with two more variants (v2.a and v2.b) spotted in the wild and doesn’t yet appear to be a complex attacking framework based upon the details researcher shared.

However, before reading anything further, it’s important to note that the malware itself doesn’t leverage any extraordinary or advanced technique that could let attackers jump air-gapped networks to infiltrate or exfiltrate data from the targeted computers.

According to ESET researcher Ignacio Sanmillan, Ramsay infiltrates targeted computers through malicious documents, potentially sent via a spear-phishing email or dropped using a USB drive, and then exploits an old code execution vulnerability in Microsoft Office to take hold on the system.

‘Several instances of these same malicious documents were found uploaded to public sandbox engines, labeled as testing artifacts such as access_test.docx or Test.docx denoting an ongoing effort for trial of this specific attack vector,’ the researcher said.
Ramsay malware primarily consists of two main functionalities:

  • Collecting all existing Word documents, PDFs, and ZIP archives within the target’s filesystem and storing them to a pre-defined location on the same system or directly to a network or removable drives.
  • Spreading itself to other computers being used within the same isolated facility by infecting all executable files available on a network shares and removable drives.

According to the researcher, the Ramsay samples they found do not have a network-based C&C communication protocol, nor does any attempt to connect to a remote host for communication purposes.

airgap malware

Now the question arises, how the attackers are supposed to exfiltrate data from a compromised system.

Honestly, there’s no clear answer to this at this moment, but researcher speculate that the malware might have been ‘tailored for air‑gapped networks’ with similar scenarios—considering that the only option left is to physically access the machine and steal the collected data with a weaponized USB.

‘It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval,’ the ESET researcher said.

“This assesses the relationship between Ramsay’s spreading and control capabilities showing how Ramsay’s operators leverage the framework for lateral movement, denoting the likelihood that this framework has been designed to operate within air-gapped networks.’

‘The current visibility of targets is low; based on ESET’s telemetry, few victims have been discovered to date. We believe this scarcity of victims reinforces the hypothesis that this framework is under an ongoing development process, although the low visibility of victims could also be due to the nature of targeted systems being in air-gapped networks,’ he added.

However, a lack of technical and statistical evidence doesn’t support this theory yet and remains a broad guess.

Moreover, since the malware is still under development, it’s too early to decide if the malware has only been designed to target air-gapped networks.

It likely possible that the future versions of the malware could have an implication to connect with a remote attacker-controlled server for receiving commands and exfiltrating data.

We have reached out to ESET researcher for more clarity on the ‘air-gap’ claim and will update this story once he responds.

UPDATE: Researcher Explains ‘Air Gap’ Scenarios

Researcher Ignacio Sanmillan, who discovered and analyzed Ramsay malware, has provided the following explanation for our readers.

“We only have a copy of the Ramsay agent, which only has code to aggregate and compress the stolen data in a very decentralized and covert way on the local filesystem of the infected host. Based on this, we assume that another component is responsible for scanning the filesystem, locating the compressed files, and performing the actual exfiltration.”

On asking if the attacker needs to rely on the physical access for data exfiltration, Sanmillan said:

“There are several ways the attacker might do this. We have not seen this operation performed; however, we have a few hypotheses on how the attacker could do this. Those are only our best-educated guess and pure speculation at this point, so please treat those two hypothetical scenarios as such.”

Scenario 1 — Imagine System A, connected to the Internet and under full control of the Ramsay operators, and System B, an air-gapped computer infected by the Ramsay agent. Then imagine a legitimate user of those systems occasionally transferring files between both systems using a removable drive.”

“When the drive is inserted into System A, the attacker could decide to place a special control file on the removable drive which, when connected to System B, would cause the Ramsay agent to execute the Ramsay exfiltrator which would be built to retrieve the staged stolen data and copy it to the removable drive for later retrieval once the removable drive gets connected to System A. This scenario is a variation of how Sednit / APT28 operated USBStealer.”

“USBStealer systematically copied the stolen data on the removable drive used between System A and System B, while Ramsay stages the stolen data locally for a future explicit exfiltration.”

Scenario 2 — Imagine Ramsay agent running for days or weeks in an air-gapped network, staging on the local filesystem all the data it can find on network drives and all the removable drives that got connected to the system.”

“Then at some point, the attacker decides it is exfiltration time. He would need to gain physical access to the infected system and either obtain code execution to run the Ramsay exfiltrator, or in case the system does not have full-disk encryption, boot the system from a removable drive, mount the filesystem, parse it to retrieve the well-staged stolen data and leave.”

“This scenario is more elaborate and requires the physical presence of an operative/accomplice, but it could still be plausible as it would allow for a very quick on-site operation.”

To answer if the malware author can integrate remote C&C communication module in future versions, the researcher said:
“Ramsay has a series of common functionality implemented across their versions, which is the control-file based protocol and how artifacts involved in this protocol are retrieved from Removable media and Network Shares.”

“This denotes that evaluation for these techniques was taken into account while designing this malware, all of which point towards the implementation of capabilities for operation without the need for any network connection.”

“It seems that if attackers would leverage techniques relying on Network artifacts would not correlate to the philosophy of this malware. We indeed think that Ramsay can be under development, but we are highly inclined to believe that they won’t introduce a Network-based exfiltration component.”

via:  thehackernews

Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

“4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication,” Comparitech said.

Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.

With the vulnerable apps in question — mostly spanning games, education, entertainment, and business categories — installed 4.22 billion times by Android users, Comparitech said: “the chances are high that an Android user’s privacy has been compromised by at least one app.”

Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.

The full contents of the database, spanning across 4,282 apps, included:

  • Email addresses: 7,000,000+
  • Usernames: 4,400,000+
  • Passwords: 1,000,000+
  • Phone numbers: 5,300,000+
  • Full names: 18,300,000+
  • Chat messages: 6,800,000+
  • GPS data: 6,200,000+
  • IP addresses: 156,000+
  • Street addresses: 560,000+

Diachenko found the exposed databases using known Firebase’s REST API that’s used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing “/.json” to a database URL (e.g. “”).

firebase database security

Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.

Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints for anyone on the Internet. A Google search, however, returns no results.

After Google was notified of the findings on April 22, the search giant said it’s reaching out to affected developers to patch the issues.

This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.

Leaving a database exposed without any authentication is an open invite for bad actors. It’s therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.

Users, for their part, are urged to stick to only trusted apps and be cautious about the information that’s shared with an application.

via:  thehackernews

Facebook Launches ‘Discover,’ A Secure Proxy to Browse the Internet for Free

Free Internet with Facebook Discover Proxy

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover.

The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps.

Facebook Discover is currently being tested in Peru in partnership with local telecom companies such as Bitel, Claro, Entel, and Movistar.

Unlike the regular rich-content browsing, Facebook’s latest connectivity project only provides low-bandwidth text-only based browsing, meaning other forms of data-intensive content such as audio and video are not supported.

Another key differentiator is that it treats all websites equally, whereas users of Free Basics are limited to a handful of sites that are submitted by developers and meet technical criteria set by Facebook.

The move, ultimately, drew criticism for violating principles of net neutrality, leading to its ban in India in 2016.

A Secure Web-Based Proxy

But how does Discover actually work? It’s a lot similar to Free Basics in that all traffic is routed through a proxy. As a result, the device only interacts with the proxy servers, which acts as a “client” to the website users have requested for.

This web-based proxy service runs within a whitelisted domain under “” that the operator makes the service available for free (e.g. “” is rewritten as “”), which then fetches the webpages on behalf of the user and deliver them to their device.

Free Internet with Facebook Discover Proxy

“There is extensive server-side logic in place to make sure links and hrefs are correctly transformed,” the company said. “This same logic helps ensure that even HTTP-only sites are delivered securely over HTTPS on Free Basics between the client and the proxy.”

In addition, the cookies used by the websites are stored in an encrypted fashion on the server to prevent mobile browsers from hitting cookie storage limits. The encryption key (called internet cookie key or “ick”) is stored on the client so that the contents of the key cannot be read without knowing the user’s key.

“When the client provides the ick, it is forgotten by the server in each request without ever being logged,” Facebook noted.

But allowing JavaScript content from third-party websites also opens up avenues for attackers to inject malicious code, and worse, even lead to session fixation.

To mitigate this attack, Facebook Discover makes use of an authentication tag (called “ickt”) that’s derived from the encryption key and a second browser identifier cookie (named “datr”), which is stored on the client.

Free Internet with Facebook Discover Proxy

The tag, which is embedded in every proxy response, is then compared with the ‘ickt’ on the client-side to check for any signs of tampering. If there’s a mismatch, the cookies are deleted. It also makes use of a “two-frame solution” that embeds the third-party site within an iframe that’s secured by an outer frame, which makes use of the aforementioned tag to ensure the integrity of the content.

But for websites that disable the loading of the page in a frame to counter clickjacking attacks, Discover works by removing that header from the HTTP response, but not before validating the inner frame.

Furthermore, to prevent impersonation of the Discover domain by phishing sites, the service blocks navigation attempts to such links by sandboxing the iframe, thus preventing it from executing untrusted code.

“This architecture has been through substantial internal and external security testing,” Facebook’s engineering team concluded. “We believe we have developed a design that is robust enough to resist the types of web application attacks we see in the wild and securely deliver the connectivity that is sustainable for mobile operators.”

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.

via:  thehackernews

Cybersecurity Threats to the Food Supply Chain

When Smithfield Foods closed its Sioux Falls pork processing plant – joining other meat and poultry closures from Tyson Foods, Cargill and JBS USA – headlines suggested that the country was ‘perilously close to the edge’ of food shortages. So, just how safe is the food supply?

The recent closures have been forced by the COVID-19 pandemic. This is likely to be a transient risk, but all modern plants face an ever-present consistent risk from cyber-attack. COVID-19 has merely focused minds on an under-considered risk: how safe is the food supply chain?

It’s a question that needs to be asked. Food supply is a fundamental pillar of ordered societies, and a catastrophic lack of food would rapidly lead to social disorder. This would likely be more rapid and severe in the western democracies that have not experienced serious food shortages for more than 70 years since the end of World War II.

Cyber risk and threat

There is no risk if there is no threat. The first question, then, is whether there is a cyber threat to food supply. Are cyber criminals likely to attack the food industry?

The answer is clearly ‘yes’; and there are at least three obvious channels: hacktivists, cyber-criminal gangs, and nation states. And a fourth, that needs to be mentioned: competitors. “Increased levels of espionage and sabotage from competitors will also heighten as organizations do battle for technological supremacy in this space,” warns Daniel Norman, research analyst with the Information Security Forum (ISF).


There is a growing social movement to use the re-emergence from the COVID lockdown as an opportunity to ‘reboot’ the way society operates. Environmental pollution has dropped rapidly, and nature has recovered from its effects quickly. Environmental activists are calling for governments to invest in green technology as a post-pandemic economic stimulus.

Where this does not happen, and where the old polluting industries revert to their traditional practices, activists are likely to ‘punish’ the worst offenders. This is likely to be two-pronged: environmentalists concerned about increasing pollution, and animal rights activists objecting to the return to mass animal slaughter.

This punishment may come in the form of large-scale DDoS attacks, or even direct attacks against individual plants.

Cyber-criminal gangs

Criminal gangs are driven by two related issues – opportunity and money. The pandemic will have focused attention on the food supply chain, and both issues are apparent. The pandemic will be followed by recession, which could potentially be followed by a deeper depression. Even in the best scenario, there will be many areas of society operating on drastically reduced incomes in the foreseeable future.

The threat is not new. Theft of food has always existed: those who have none are forced to steal from those who have plenty. In the distant past, this was small-scale – effectively petty theft. In the more recent past, criminal gangs have become involved in more large-scale theft from distribution (cargo theft) and warehouses.

This is continuing: recent data from Transported Asset Protection Association (TAPA) suggests that cargo theft has increased by 114% over the last 12 months. On May 3, 2020, FreightWaves reported, “Trucks carrying food and other essentials have been popular with thieves along Mexico’s highways in recent weeks. Cargo theft of trucks has increased 25% during the coronavirus pandemic period, according to a survey conducted by LoJack Mexico.”

Cybercrime, however, could take this to a new level. Entire shipments of food could be redirected and stolen. Entire food companies can be extorted for large sums of money. IT and OT networks can be compromised by ransomware, and the rapid spoilage of food in production would be an incentive to pay the ransom. With much of the food industry comprising small local businesses, it will often become a question of paying up or going under – and this equation will attract additional attackers.

Nation states

The importance of the food supply chain is not lost on the military. In 1812, when Napoleon invaded Russia, the Russian army withdrew but operated a scorched earth policy to deny food supplies to Napoleon’s army. Without supplies, Napoleon was forced to retreat from Moscow, which arguably and ultimately led to his downfall.

“It is a well-known fact,” comments the ISF’s Norman, “that during times of conflict, the party that can destroy the food supply chain will inevitably win. It is therefore conceivable that cyber-attacks from nation state-backed actors and terrorist groups will begin targeting organizations dependent on new technologies, disrupting global supply chains.”

Cyber brings the opportunity of large-scale adversarial interference in food supplies. In military terms this could be a precursor to kinetic warfare, but the cyber age has introduced a new style of cyberwar. The U.S. experienced it in 2016 with Russian interference in the presidential election. The purpose may not have been to directly influence the outcome of the election, but to demoralize the American population. With a demoralized population, a nation’s effectiveness on the world stage is inevitably weakened.

“One way to weaken your adversary is to cause internal conflict,” added IOActive’s Sheehy. “Well, you can survive about three minutes without air, three days without water, and about three weeks without food. People will riot very quickly if they cannot get food. Even in this relatively civilized COVID lockdown, the stresses on the food supply chain have caused very high tensions among people.”

Continued interruption to the food supply chain would inevitably demoralize the population. In extreme circumstances it would lead to rioting in the streets and food looting. The possibility of such a threat from an adversarial nation should not be ignored.

The security of the food supply chain

The food industry is no different to any other industry – it has undergone rapid evolution into the fourth industrial revolution. IT and OT are being converged, and OT uses the same ICS devices with the same vulnerabilities as other industries. The same priority of continued production over updating systems prevails, and continued use of Windows 98 is still found. But just as older, vulnerable systems continue to be used, the industry is adopting new and not yet battle-tested technology with advanced sensors, robotics, drones and autonomous vehicles.

“One of the trends we see broadly in the food industry,” comments Sheehy, “is a move towards more automation. Partly this is a response to the pandemic – robots won’t be sent home in any similar or repeated scenario. Labor is more of a business risk than robots. However, moving to more significant automation is going to change the risk profile in a way that a lot of organizations haven’t formerly had to manage – operational technology has not been considered a high-risk priority.”

It’s exacerbated, added Matt Rahman (IOActive’s COO), “by the structure of the industry. About 74% of food manufacturers have less than 20 employees. About 97% have fewer than 500 employees. They don’t have the staff nor expertise to properly manage their cyber security.”

It is also worth noting that the food supply chain is more complex than the supply chains for most industries. Elsewhere, the supply chain primarily comprises third-party suppliers, product or parts delivery, and the manufacturer. With food it is third party suppliers (normally farmers), product delivery, food processing (the manufacturer), and then a further complex distribution to groceries/supermarkets and/or consumer. Each stage of this chain can be threatened.

“Technology adoption has skyrocketed in virtually every segment of our agriculture sector including food production, processing, and distribution,” comments Parham Eftekhari, founder and chairman of the Institute for Critical Infrastructure Technology (ICIT), “and experts predict this trend to continue with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

He continued, “Today, we are already hearing stories of processing plants shutting down and the potential of food shortages. What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

The food industry supply chain is vulnerable at every stage. “Farmers are using GPS technology and robotics to custom fertilize and plant their land to optimize yield,” said Eftekhari. What if these systems are hacked – without their knowledge – resulting in crops that underperform expectations across the nation.”

Norman added, “5G environments will enable precision agriculture and farming at the individual crop or livestock level but will use poorly secured IoT devices and drones to monitor soil fertilization, nitrogen levels, pest control, water and sunlight requirements. Automated robotic combine harvesters will operate on private 5G networks, with machine learning systems calculating and monitoring optimum conditions across larger and interconnected ecosystems. The danger of attacks on the integrity of information could significantly alter the production process.”

At a local level, this could be a punitive attack by a hacktivist group objecting to use of certain pesticides, or genetically modified crops in general. “The agricultural industry is one of the biggest contributors to greenhouse gas emissions in the world,” says Norman. “Extreme levels of methane, nitrous oxide output and water usage consistently make them a prime target for activism. With greater dependency on technology, hacktivists will turn their attention to disrupting the technology underpinning the supply chain.”

At a national level, as part of modern geopolitical disruption, the aim could be to reduce yields in complete crops – shortages in wheat, corn and soybean crops would be both economically and socially damaging.

Distribution, both from farmer to processor and from processor to distributor, has long been subject to cargo theft by criminals – and the cyber element is growing. “Criminals hack into distribution firms,” comments IOActive’s Rahman, “to learn about shipments, create false invoices, bills of lading and manifests to falsify delivery/collection times when they can simply pick up the stolen cargo.”

The food processing plant is the obvious primary target for cyber criminals, especially for extortion. Ransomware is already targeting manufacturing. “Today, we are hearing stories of processing plants shutting down and the potential of food shortages,” said Eftekhari. “What if manufacturing and storage facilities of perishable food products have their cooling systems hacked during a time of a national food shortage? It would only take a handful of high-profile attacks to create panic among citizens that could lead to a rush on grocery stores and threaten an already fragile food supply.”

Here the worst scenario might come from terrorist groups rather than nation-states or criminal gangs. The motivation would be to seek harm rather than sow discord or acquire money. Such groups would be worried about neither attribution nor retribution, but could seek to break into processing plants either to damage equipment or poison supplies.

Beyond the processing plant, the food supply chain continues to the sales outlets. For now, the threat is physical redirection or old-fashioned cargo theft. This will change in future years as more and more supplies are delivered by autonomous trucks. Autonomous vehicles are proven to be hackable. Experts expect the recent trend of the food industry adopting new technology to continue, warns Eftekhari, “with robotics and self-driving freight carriers paving the way for an autonomous future. This creates significant opportunity for disruption to our supply chain and food safety concerns.”

But the threat already exists with current connected trucks. “The heavy vehicle cabs are exposed to potential cyber-attack,” warns Sheehy, “as well as their refrigerated trailers. The more modern refrigerated trailers often have their own monitoring systems which can be remotely accessible over mobile networks. They are also often attached to the controller area network (CAN bus) of the vehicle, providing a potential attack point to compromise the overall security of the vehicle.”

The COVID-19 pandemic has highlighted the fragility of the global food chain. This fragility will not be lost on cyber criminals. As the world moves from pandemic lockdown to economic recession, criminals will almost certainly look closely at the food supply chain as a means of making money. The risk is not to any one specific part of the chain nor any one type of criminal – the whole chain is at risk.

“If an attacker wants to provide some type of disruption to the food supply, one area could be transportation; a second is in food processing; but a third would be in food safety,” says Sheehy. “If the cold storage facility is not kept at the appropriate temperature, products will spoil. Even though different parts of the supply chain may have successfully done the production, the transportation and processing securely, you may still be in a situation where you have a constraint on supply due to a compromise in the integrity of the safety processes.”

via:  securityweek