Mac-using iPhone developers are the latest targets of a widespread, sophisticated cyberattack.

Microsoft revealed yesterday that it got hit with the same kind of Java-based hack that targeted Apple and Facebook earlier this year, and which may also have compromised Twitter, spilling secrets on 250,000 of its customers.

The Microsoft attack seems to have had a smaller impact than the others.

“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations,” Microsoft wrote.

It’s not clear if all three companies were targeted by the exact same attacker, but the techniques used were similar:

• Programmers within the targeted company visited a website aimed at mobile app developers, probably iPhone developers specifically.
• The website infected the programmers’ computers, via their web browser’s Java plugin. Initially the malware appears to have targeted Macs, but Reuters reports that there is also a version that targets Windows PCs.
• The malware on the developer computers then attempted to transmit information back to the hackers.

It’s not clear from these reports exactly how much information got leaked, or what kind of information the hackers were seeking. Microsoft says no customer data was compromised. Facebook also said earlier this month that no customer data got out.

VentureBeat’s upcoming DevBeat conference — by and for hackers — will include sessions on what developers need to know about security, including an all-night “breakathon” where you’ll learn black hat techniques. Find out more about DevBeat.

Twitter wasn’t so lucky: 250,000 of its customer accounts were compromised, with hackers making off with usernames, hashed passwords, and session IDs.

Also unclear: The source of these attacks. However, Reuters reports that the attacks may have originated in China. A widely-publicized report from Mandiant this week identified a People’s Liberation Army unit, called APT1, which it claims has been responsible for a long-term, sophisticated cyber espionage campaign.

Apple responded earlier this month by issuing its own patch for OS X. Oracle, which publishes Java, issued its own patch later.

As a side note: Apple has not shipped Java since Mac OS X Lion — which launched in July of 2011 — and also disables Java if it has not been used in 35 days.

That’s looking more and more like a wise idea.

Photo credit: carlosj via photopin cc

The response from the Communist Chinese government comes a day after U.S. security firm Mandiant Corp. released a lengthy report (PDF) claiming that a Chinese military group stole hundreds of terabytes of data from about 141 organizations since 2006. While the report mentioned no specific businesses, the firm did say that the type of organizations came from several industries, including information technology, energy, aerospace, and telecommunications.

“Cyberattacks are anonymous and transnational, and it is hard to trace the origin of attacks, so I don’t know how the findings of the report are credible,” said Chinese foreign ministry spokesman Hong Lei during a news conference today.

That may be so, but Mandiant’s report indicated that the bulk of cyberattacks in its report came from a building just outside Shanghai that is operated by “Unit 61398” of the People’s Liberation Army. I’d say that’s pretty specific, which basically makes the Chinese government’s response equal to a professional version of nuh-uh. And while that response might be OK for denying cheating during a middle school game of kickball, it’s probably not going to hold up for hacking giant U.S. corporations.

But the attackers are coming from both sides, according to the Chinese government. During the press conference, Lei stated that his government was also the victim of cyberattacks that originated in the U.S. Lei didn’t, however, finger the U.S. government as being responsible.

Cyberattacks from within China are certainly on the rise. The New York Times reported being infiltrated by Chinese hackers back in January. And more recently, both Facebook and Apple reported Chinese hacker groups attempting to breach corporate security.

Cybersecurity image via Sergey Nivens/Shutterstock; Illustration by Tom Cheredar Via WSJ

Online security threats have taken a new, darker turn in the past few years.

Instead of script kiddies and credit-card hackers, the dominant threats now are government-backed entities using sophisticated tools to steal corporate secrets, blueprints, and code. And, a growing number of threats — also backed by various national governments — are targeting civilian infrastructure, such as water supplies, power plants, and more.

“What once was the hacker in the basement … has evolved dramatically. We’re now seeing a tremendous amount of terrorist activity, nation-state-funded cyber attacks … a lot of it for intellectual property gain,” said David DeWalt (pictured), a longtime computer security executive.

Additionally, with the rise of cloud-based solutions, a whole host of new threats have emerged, aimed at online infrastructure.

“Their readiness is very poor,” DeWalt told me, referring to cloud providers as a whole. More mature software-as-a-service providers, in general, have better protection, while newer companies are typically less ready, he said.

DeWalt engineered the $7.68 billion sale of security company McAfee to Intel in 2010. He stepped down as chief executive of McAfee in 2011 and remained on the company’s board until last month. He’s now chairman of the board for two security companies, Mandiant and FireEye, sits on the boards of Jive Software and Delta Airlines, and is a member of the President’s National Security and Technology Advisory Council. With a high-level security clearance and years of experience in the security field, it’s safe to say that DeWalt has an excellent overview of the security picture.

Of course, like any vendor of security solutions, he’s also got a stake in painting a dire picture of the threats facing us, the better to encourage you to buy protection. But DeWalt makes a convincing case that the nature of global cybersecurity threats has shifted in the past few years.

“Now we’re seeing a lot of new stuff … attacks on the energy grids, attacks on intellectual property. It’s just scaled dramatically,” DeWalt said.

As evidence, he points to the string of major attacks that have hit the news in the past few years: Operation Aurora (in which 150 tech companies, including Google, were hit by cyber-thieves stealing source code); Night Dragon (an attack aimed at getting mineral rights bid information from 70 energy companies); Operation Shady Rat (which targeted 75 food, drug, and life science companies); Stuxnet (a virus, probably created by the U.S. and Israel, aimed at disrupting Iran’s nuclear-material refining processes); Flame; Duqu; and more.

“It’s going on now,” DeWalt told me. “It’s just that the public has a tolerance for it.”

As for infrastucture like power grids and transportation, DeWalt says their vulnerability is a side effect of their increasing connection to digital networks.

“Everything’s digital, and everything that’s digital can be attacked through a cyber attack,” he said. “That’s what keeps the good guys in the security industry awake at night, is the possible 9/11-like scenarios that could exist out there. We have to do everything in our ability to prevent that from happening.”

DeWalt joined the board of FireEye because he was impressed with the company’s approach to threat detection, which is not based on the signatures or filters that older technologies use.

“FireEye came up with a whole next-generation model that leverages virtual machines and virtualization technology, writing advanced heuristical algorithms instead of signatures, and really managing it with next-generation technology.”

Detection rates are higher with FireEye, DeWalt says, and it is able to identify attacks on their “zero day,” rather than having to wait until signature updates and security patches are deployed, as with other types of threat detection.

Check out my whole interview with DeWalt in the video below.

https://vimeo.com/45490833

As more employees work remotely and use mobile phones for work, the risks are growing and security is getting harder to implement. Those are some of the conclusions of Symantec’s 2011 State of Security Survey, where Symantec surveyed more than 3,300 companies about the security threats they face. There’s no surprise in the report, but it reinforces the notion that companies need to pay more attention to cyber threats.

“Cyber security is once again top of mind for a lot of CEOs,” said Ashish Mohindroo, senior director of product marketing at Symantec, said in an interview. “It has always been a top-three concern for operations executives and chief information officers. But the awareness is high because of all of these breaches. The companies feel more vulnerable than in the past.”

About 71 percent of the companies surveyed reported that they have been attacked in the last year. About 21 percent saw the frequency of attacks increasing and 25 percent saw the attacks as somewhat to significantly effective.

Some 92 percent of those attacked saw losses including downtime, intellectual property theft, and customer credit card info loss. About 84 percent of attacks led to actual costs. About 20 percent of the businesses said they had lost at least $195,000 as a result of attacks.

“That’s a big disruption to the business and it takes a long time to recover from reputation loss,” Mohindroo said

As noted in a recent McAfee report, high-profile “hacktivist” groups such as Anonymous and LulzSec have changed the landscape by drawing a fine line between attacks for personal gain and attacks meant to send a message. There were roughly 20 major hacktivist attacks in the second quarter alone, mostly due to the alleged activity of LulzSec.

Companies said they are getting better at fighting the war on cyberattackers. Many suffered damages in cyberattacks, but more respondents reported a decline in the number and frequence of attacks compared to 2010. Spam has been reduced, thanks to the take-downs of some big bot nets such as Rustock.

Half of the respondents said they could still do more to secure their networks and assets. So they are increasing their cybersecurity staffing and budgets. About 46 percent are increasing security staffing and 38 percent are increasing security system budgets.

Mohindroo said that some of the drivers of the attacks are new, such as social networking as a vector for finding vulnerabilities. More attacks are personally targeting individuals as well. For instance, hackers can get your name or email address and send a message with a malware payload to one of your trusted friends.

“If you tell your friends that you are going to a conference, the attackers would discover that and craft a message saying they saw you there,” Mohindroo said.

And incidents such as the Wikileaks episode should remind companies that employees are often the perpetrators of cyberattacks against company networks.

The majority of the companies interviewed had more than 5,000 employees, and 1,200 of the respondents were high-level employees. The survey was conducted from April to May.

These are all possible scenarios in an insufficiently secured electricity grid, and in particular in the emerging smart grid.

Smart grid is a bionic upgrade to power generation and distribution that will let our energy network diagnose and heal itself, dynamically integrate renewable energy and local power sources and automatically lower electricity demand. The source of those new superpowers is information technology. But increasing automation and communications within the electricity grid potentially has a dark side; increased vulnerability to attack.

The Stuxnet worm, which attacked nuclear power plants in Iran, suddenly thrust a subject which was previously the domain of a small group of experts, the security and automated control of industrial systems, into the limelight. The systems used to control nuclear power plants are very similar to those which run the power grid. “The idea that industrial control systems of infrastructure can be penetrated in a clever way like that has really opened the eyes of the community and the general public.” says Jeff Meyers, a smart grid executive at Telvent.

While security experts always knew that an attack like Stuxnet was possible, the general view was “the threat is going to be an external one. It’s going to come from hackers”. In fact Stuxnet was delivered as part of a Siemens industrial control system, an internal threat rather than an external one.

Markus Braendle is the cyber security manager at ABB, a leading vendor to utilities. He asks “How do you put a price on what happens if we lose power in a small distribution grid? Anywhere from a couple of people being annoyed because they can’t watch TV to, if it’s a cold winter, people losing their lives.”

Security in the smart grid

The Government Accountability Office (GAO), which audits government activities, recently released a report on smart grid cybersecurity which reveals significant problems. The report concluded that there are gaps in cybersecurity regulation and problems with jurisdiction and that even when regulation exists utilities are focused on regulatory compliance rather than comprehensive security. Utilities are governed by a complex set of national, state and municipal regulators who set compliance rules and can impose fines if they are not met. Many state regulators have not imposed any formal requirements on utilities, and even when there are requirements, they are usually limited to smart metering.

Currently NERC (North American Electric Reliability corporation) defines national standards on cybersecurity for utilities, but according to several of the experts I spoke to, the NERC CIP standards are not sufficient to ensure robust security in the smart grid. Making sure the standards are implemented correctly via testing and monitoring is also an area of concern.

The smart grid security problem

The smart grid presents unique security problems. When a power grid operator talks about security, he means reliability of electricity supply. Keeping the electricity flowing is the primary concern of every operator. In the IT world, security means cybersecurity.

Braendle explained that ”in the end what we are trying to secure is a physical process and not a piece of information.” Most security techniques like encryption or authentication were developed for environments like banking which manipulate pure data. They don’t take into consideration the delays required to open a valve or switch a feeder and conversely often cannot operate fast enough for grid applications like protection where the local grid must be isolated from a malfunction in less than two milliseconds.

Bob Lockhhart, who wrote Pike Research’s smart grid cybersecurity report, told me that something as simple, from the IT point of view, as “pinging” a device to see if it is running can sometimes bring down a legacy system. Adding monitoring can disrupt real-time processes on the grid. For a grid operator reliability of supply is all. Braendle points out that “we have systems which have an allowed down time of 5 minutes per year.”

The smart grid will be composed of an enormous number of devices of various types and vintages, from smart meters and solar inverters to electrical substation equipment and sensors on electricity lines. More devices means more entry points into the grid which can be used as points of attack. Many legacy devices in the grid have limited processing power, communicate using proprietary protocols over low-bandwidth connections and have no built-in security. Replacing older devices is often not an option for cost or reliability reasons. For this reason, building the smart grid has been compared to rebuilding a plane in flight.

What are the security threats?

Ask a group of smart grid experts to name the major threats to the smart grid and you will get as many answers as people. According to Lockhart, when it comes to smart meters, utilities want smart meters to last for 20 year but this timeline is too long for IT companies. So they are concentrating on making the meters upgradeable. Upgradeability creates vulnerabilities. The threats include rolling back the meter to avoid billing, using the meter as an entry point to the rest of the network or even denial of service attacks on meters.

Braendle asserts that customer privacy is a new problem for utilities. Data from smart meters can reveal all kinds of private information from the number of people in your household to when you are on holiday. Utilities have a legal obligation to keep this data private. “How do you protect the privacy of the customer so not everyone knows when you are taking a shower?” he asks.

John Cooper, author of GridNet’s cybersecurity whitepaper, agrees on meters being a possible entry point to the grid but also points to the distribution grid (the part which connects to homes and businesses) where decisions which were previously manual are being automated and made locally. Cooper also considers renewables, in particular small-scale, local generation of renewable energy known as Distributed energy resources (DER), as a brand new area which doesn’t fit the current paradigm. Utilities are used to generating power in large-scale, centralised power stations. Distributed solar or wind farms, local electricity storage and even electrical vehicles add thousands of devices on the edge of the grid. ”DER will require control” Cooper maintains “and we will have much less control over the physical access to those locations as opposed to substations (A substation transforms high to lower voltage and acts as a local centre to distribute electricity to homes and businesses)”.

Rolf Adam, Cisco‘s Director of utilities and smart grid in Europe, contends that physical security will be more important than cybersecurity in early smart grid deployments. “Doing physical damage to an infrastructure is much easier than damaging that infrastructure using cybersecurity” he says. The best firewall in the world won’t stop someone from driving a bus into a substation. Adams also highlights the need to apply security to people, e.g. who gets access to a substation, and processes. Cisco is using RFID tags for utility employees and materials to track them in the field. It is also advocating the use of video collaboration tools so that more inexperienced, maintenance staff, who may inadvertently cause damage by flicking the wrong switch in a substation, can get expert advice.

Meyers also mentioned physical security threats and small-scale power generation but added that there are threats everywhere that new communication and sensing technology is used.

The good news

The good news is that cybersecurity standards and techniques or smart grid are being developed. “In North America right now the awareness (of cybersecurity) is higher than anywhere else” asserts Braendle. One reason for this is the NERC CIP cybersecurity guidelines and the accompanying fines for non-compliance. Another is that all smart grid projects which receive stimulus money from the U.S. government must meet certain cybersecurity standards.

Meyers and Cooper agree that a lot of good work has been done on defining cybersecurity requirements, but there are still many open questions related to regulation, testing and compliance. Meyers explained that the diversity in the devices in the grid and their age could be an advantage as well as a difficulty since it makes it more difficult to acquire the knowledge to do harm. He also wonders if hackers will think it’s as “sexy” to take down a part of the distribution grid as, for example, a big bank.

Cooper says that the ultimate goal of cybersecurity is not to make the smart grid impregnable, but to make it more costly, and therefore less attractive, to attack. However, his final words are clear. ”The smart grid should not be built if it’s not built securely.”