Read. Learn. Share
Tech Talk Show Notes
February 20, 2021
The Florida water treatment facility whose computer system experienced a potentially hazardous computer breach last week used an unsupported version of Windows with no firewall and shared the same TeamViewer password among its employees, government officials have reported.
The computer intrusion happened last Friday in Oldsmar, a Florida city of about 15,000 that’s roughly 15 miles northwest of Tampa. After gaining remote access to a computer that controlled equipment inside the Oldsmar water treatment plant, the unknown intruder increased the amount of sodium hydroxide—a caustic chemical better known as lye—by a factor of 100. The tampering could have caused severe sickness or death had it not been for safeguards the city has in place.
According to an advisory from the state of Massachusetts, employees with the Oldsmar facility used a computer running Windows 7 to remotely access plant controls known as a SCADA—short for “supervisory control and data acquisition”—system. What’s more, the computer had no firewall installed and used a password that was shared among employees for remotely logging in to city systems with the TeamViewer application.
According to researchers at Cambridge University, Bitcoin's annual electricity consumption, estimated at 121.36 TWh, now exceeds that of Argentina, the Netherlands, and the United Arab Emirates.
The Cambridge Bitcoin Electricity Consumption Index, a tool developed by the Cambridge Centre for Alternative Finance under the University of Cambridge’s Judge Business School, provides a real-time update on Bitcoin’s network power. Their annualized chart shows a sudden rise from an estimated annual consumption of 56.48 TWh in late October to almost double that at 112.23 TWh in mid-January.
This surge in electricity consumption aligns with the meteoric rise of Bitcoin’s price, which has increased from $13,748 on November 1 to $46,517.40 on February 9. While much focus has been given to its price, experts are reportedly becoming increasingly alarmed by the “sheer level of energy required by so-called miners, which release new coins into circulation.”
Google’s major iOS apps have been seeing serious neglect for the past few months. On December 8, Apple’s App Store started requiring all apps to show privacy “nutrition labels” in their app store listing, where developers self-report what data an app uses for tracking and how that data is linked to a user. Coincidentally, a lot of Google’s apps, especially the most popular ones, have not been updated since December 8.
The situation has gotten so bad that Google’s servers were briefly flagging its own iOS apps as “out of date.” As detailed by Techmeme editor Spencer Dailey, Gmail, Google Photos, and Google Maps on iOS were all caught showing a server-side pop-up message to users saying, “You should update this app. The version you’re using doesn’t include the latest security features to keep you protected. Only continue if you understand the risks.” Actually, Google, you should update this app. Thanks to Google’s sudden disinterest in iOS app updates, the messages were showing even when users had the latest, two-month-old updates of these Google apps. The messages have since been removed through a server update.
The Biden administration has pledged to take immediate action to address a global shortage of semiconductors that has forced the closure of several US car plants.
Jen Psaki, White House press secretary, said the administration was “identifying potential chokepoints in the supply chain” after coming under pressure from lawmakers, semiconductor companies, and car manufacturers over the shortages.
A surge in demand for consumer electronics during the pandemic has led to the shortage of chips, which has been exacerbated in the US by sanctions on SMIC, the Chinese chipmaker.
It has hamstrung carmakers worldwide as chipmakers diverted supplies for customers in consumer electronics, which pay more for semiconductors.
A White House official said the administration was in “active conversation” with car companies, semiconductor groups, and foreign diplomats in an effort to address the issue.
Getting humans to Mars and back is rather hard. Insanely difficult, in fact. Many challenges confront NASA and other would-be Mars pioneers when planning missions to the red planet, but chief among them is the amount of propellant needed.
During the Apollo program 50 years ago, humans went to the Moon using chemical propulsion, which is to say rocket engines that burned propellant in a combustion chamber: liquid oxygen with kerosene in the Saturn V's first stage and liquid oxygen with liquid hydrogen in its upper stages. This has its advantages, such as giving NASA the ability to start and stop an engine quickly, and the technology was then the most mature one for space travel. Since then, a few new in-space propulsion techniques have been devised. But none are better or faster for humans than chemical propulsion.
That’s a problem. NASA has a couple of baseline missions for sending four or more astronauts to Mars, but relying on chemical propulsion to venture beyond the Moon probably won’t cut it. The main reason is that it takes a whole lot of rocket fuel to send supplies and astronauts to Mars. Even in favorable scenarios where Earth and Mars line up every 26 months, a humans-to-Mars mission still requires 1,000 to 4,000 metric tons of propellant.
Just because a vulnerability is old doesn’t mean it’s not useful. Whether it’s Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.
The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the driver never verifies that the path it writes the placeholder to still refers to the file it just removed. As a result, an attacker could plant strategically placed file-system links at that path and redirect the driver, which runs with kernel privileges, into overwriting the wrong file or even running malicious code.
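The bug class described above (a remediation routine that writes a placeholder to a path without checking what that path has become) is easy to reproduce outside a Windows driver. The following Python example is added here and is not SentinelOne's proof of concept or Microsoft's code; the file names, the placeholder contents and the "attacker replaces the flagged file with a symbolic link" scenario are constructed for illustration. It contrasts the unsafe pattern with a hardened one that refuses links (lstat plus O_NOFOLLOW) and re-checks the inode after opening, which is the POSIX analogue of the verification the article says the driver lacked.

```python
import os
import stat
import tempfile

PLACEHOLDER = b"quarantined by scanner\n"
ORIGINAL = b"important system configuration\n"


def remediate_unsafe(path):
    """The flawed pattern: the flagged file is replaced with a benign
    placeholder, but nothing checks that `path` still names the file that
    was scanned. open() follows links, so a link planted at `path`
    redirects the write to whatever the link points at."""
    with open(path, "wb") as f:
        f.write(PLACEHOLDER)


def remediate_safe(path):
    """Hardened version: inspect the path without following links, refuse
    anything that is not a regular file, open with O_NOFOLLOW, then confirm
    the descriptor refers to the same inode the check saw (closes the
    check-then-use window as far as a user-space process can)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"refusing to remediate non-regular file: {path}")
    # O_NOFOLLOW is absent on some platforms; fall back to the lstat check alone.
    flags = os.O_WRONLY | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags)
    try:
        now = os.fstat(fd)
        if (now.st_dev, now.st_ino) != (st.st_dev, st.st_ino):
            raise PermissionError(f"file changed between check and open: {path}")
        os.write(fd, PLACEHOLDER)
    finally:
        os.close(fd)


def _stage(workdir):
    """Constructed scenario: a protected file the attacker wants clobbered,
    and a 'suspect' path that the attacker has turned into a link to it
    before the remediation step runs."""
    protected = os.path.join(workdir, "protected.conf")
    with open(protected, "wb") as f:
        f.write(ORIGINAL)
    suspect = os.path.join(workdir, "suspect.bin")
    os.symlink(protected, suspect)
    return protected, suspect


def run_unsafe():
    """Return the protected file's contents after the unsafe remediation."""
    with tempfile.TemporaryDirectory() as d:
        protected, suspect = _stage(d)
        remediate_unsafe(suspect)
        with open(protected, "rb") as f:
            return f.read()


def run_safe():
    """Return (was_blocked, protected file contents) after the safe path."""
    with tempfile.TemporaryDirectory() as d:
        protected, suspect = _stage(d)
        try:
            remediate_safe(suspect)
            blocked = False
        except PermissionError:
            blocked = True
        with open(protected, "rb") as f:
            return blocked, f.read()


if __name__ == "__main__":
    print("unsafe remediation left protected.conf as:", run_unsafe())
    print("safe remediation (blocked, contents):", run_safe())
```

Run as is: the unsafe path silently replaces the protected file's contents with the placeholder, while the hardened path raises and leaves it untouched. In a kernel driver the equivalent checks are different in detail (reparse points and NTFS junctions rather than POSIX symlinks), but the principle is the same: never trust that a path you validated earlier still names the object you validated.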
Hackers broke into the computer system of a facility that treats water for about 15,000 people near Tampa, Florida, and sought to add a dangerous level of additive to the water supply, the Pinellas County Sheriff said on Monday.
The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview.
“The guy was sitting there monitoring the computer as he’s supposed to and all of a sudden he sees a window pop up that the computer has been accessed,” Gualtieri said. “The next thing you know someone is dragging the mouse and clicking around and opening programs and manipulating the system.”
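Both Oldsmar passages above describe the same exposure: an internet-reachable TeamViewer install on an unsupported, unfirewalled host, with one password shared by every operator. Once the password is shared, the local username on a session tells you nothing, so triage has to key on what is left, namely which remote device connected and when. The following Python example is added here and is not part of the original article or of TeamViewer's tooling: it parses a constructed sample in the tab-separated layout I assume for TeamViewer's per-host Connections_incoming.txt (partner ID, partner name, start, end, local user, mode, connection ID; the layout is an assumption, check it against a real log before relying on it) and flags sessions from device IDs that are not on an operator allowlist or that start outside shift hours.

```python
from datetime import datetime, time

# Constructed sample log lines for this example (not a real Oldsmar log).
# Assumed layout: partner_id, partner_name, start, end, local_user, mode, conn_id.
SAMPLE_LOG = """\
123456789\tOPS-LAPTOP-1\t19-02-2021 09:02:11\t19-02-2021 09:40:53\tscada\tRemoteControl\t{c1}
123456789\tOPS-LAPTOP-1\t19-02-2021 22:47:05\t19-02-2021 22:51:30\tscada\tRemoteControl\t{c2}
987654321\tDESKTOP-X1\t19-02-2021 08:01:00\t19-02-2021 08:05:10\tscada\tRemoteControl\t{c3}
987654321\tDESKTOP-X1\t19-02-2021 13:30:12\t19-02-2021 13:35:44\tscada\tRemoteControl\t{c4}
"""

# Device IDs operators are known to connect from (assumed allowlist) and the
# window in which unattended remote sessions are expected at all.
ALLOWED_PARTNERS = {"123456789"}
SHIFT_START, SHIFT_END = time(6, 0), time(18, 0)
TS_FORMAT = "%d-%m-%Y %H:%M:%S"


def parse_sessions(text):
    """Turn log lines into dicts; malformed lines are skipped rather than
    aborting the whole triage run."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 6:
            continue
        partner_id, partner_name, start, end, local_user, mode = fields[:6]
        sessions.append({
            "partner_id": partner_id,
            "partner_name": partner_name,
            "start": datetime.strptime(start, TS_FORMAT),
            "end": datetime.strptime(end, TS_FORMAT),
            "local_user": local_user,
            "mode": mode,
        })
    return sessions


def triage(sessions, allowed=ALLOWED_PARTNERS):
    """Return (partner_id, start time, reasons) for every session that
    deserves a look. The local_user field is deliberately ignored: with a
    shared password it is the same for everyone and proves nothing."""
    findings = []
    for s in sessions:
        reasons = []
        if s["partner_id"] not in allowed:
            reasons.append("unknown partner ID")
        if not (SHIFT_START <= s["start"].time() <= SHIFT_END):
            reasons.append("outside shift hours")
        if reasons:
            findings.append((s["partner_id"], s["start"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for partner, started, reasons in triage(parse_sessions(SAMPLE_LOG)):
        print(f"{started}  partner={partner}  {', '.join(reasons)}")
```

Against the sample, the 22:47 session from the known laptop and both sessions from the unknown device are reported. The allowlist is the important part: a remote-access tool that any holder of one shared password can use is only auditable by the connecting device, and the better fix is the one the advisory implies, that is, per-user credentials with multi-factor authentication and no direct exposure of the SCADA host to the internet.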
It has come to our attention that there is another bad actor in this story.
Apparently, the original publisher, LAVABIRD LTD, is not the bad actor. It is instead an account under the name “The space team.” Nevertheless, there is evidence that updates of Barcode Scanner from either publisher result in an infection with the malware detected as Android/Trojan.HiddenAds.AdQR.
To get the full story on this saga, you can also read our full-length blog on our investigation into who owned this app and who is likely responsible for the malicious changes. Read the story here: Who is to blame for the malicious Barcode Scanner that got on Google Play?
The SolarWinds attack is historic for its multidimensional sophistication. As we continue to learn of new victims, techniques, and implications, it’s important that chief information security officers (CISOs) and security professionals take stock of their defense-in-depth strategies. One critical element of the approach is the principle of least privilege (POLP). Based on what we’ve learned from the SolarWinds attack so far, there are a few valuable lessons to unpack.
Before we do so, here’s a quick POLP primer. Implementing least privilege is one of the 33 IT security principles outlined by NIST, which it defines as:
“The concept of limiting access, or ‘least privilege,’ is simply to provide no more authorizations than necessary to perform required functions. This is perhaps most often applied in the administration of the system. … Best practice suggests it is better to have several administrators with limited access to security resources rather than one person with ‘superuser’ permissions.”