BreachExchange mailing list archives
Hacking from below: Subcontractors can leave big companies vulnerable
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 25 Oct 2013 23:13:38 -0600
http://www.mysanantonio.com/business/eagle-ford-energy/article/Hacking-from-below-Subcontractors-can-leave-big-4921092.php

Hackers are finding ways to steal information from even large energy companies, breaking in through poorly defended subcontractor systems on their way to financial data, fluid formulas and other goodies.

While the largest companies in the energy industry have taken steps to protect themselves from intruders, they have failed to insist on the same vigilance from their subcontractors, said Stephen Coty, director of threat research for Houston-based security firm Alert Logic.

Its energy industry customers are targeted more often than those in any other industry and faced nearly 9,000 threats from Jan. 1 to May 23, the company said.

Nearly half of those attacks were the result of malware, which can be loaded onto computers through contaminated links in emails or through USB drives. Thirty-one percent of the threats were brute force attacks, in which hackers repeatedly attempt to crack passwords, the report said.

“That's higher than any other industry that's going on out there,” Coty said. “The only thing that might even come close to this would be financial.”

The company released a report on the problem Wednesday, shining light on an issue that has drawn concern throughout the security community.

Coty said the gaps in energy company cybersecurity policies are a stark departure from physical safety protocols, which energy companies stress daily to their employees and contractors.

“To put it nicely, I'd say it's not a mature process,” he said. “I don't think that they hold their contractors up to the same standards that they do their employees. I think that's a growth issue, or understanding the risks.”

It's not hard to understand why hackers target the energy industry, Coty said.

“People are wanting to know where they're drilling, what their secrets are, what's the formula (for hydraulic fracturing fluids),” Coty said. “This is all data that people are interested in ... even a major company overseas wants to know those formulas.”

The U.S. Department of Homeland Security reported in January that the energy industry received 41 percent of all reported cyberattacks in 2012, more than any other industry.

Alert Logic said in March that about two-thirds of its 54 energy industry clients experienced brute-force or malware attacks, a higher rate than companies in other fields.

Attacks on oil companies have ripped through 30,000 computers at Saudi Aramco and incapacitated drilling rigs, knocking them offline for weeks at a potential cost of millions of dollars, the Houston Chronicle reported earlier this year.

Contractors for oil companies, electricity providers and pipeline businesses are often small and make easy targets for hackers, Alert Logic said.

Alert Logic described a routine it said hackers use widely to attack energy companies through contractors.

The process includes researching a company to identify subcontractors that may have access to valuable information; identifying the subcontractors' employees; and learning enough about those workers to send targeted emails containing personal information that would prompt them to click on links. The links allow hackers to break into computer systems or load malware onto machines.

Booz Allen Hamilton executive Emile Trombetti said hackers used that tactic to send a message that appeared to be from his daughter.

“They found out my daughter's name,” Trombetti, senior vice president for the consulting firm, told the audience at a Houston energy conference last week. “They found out what school she went to. And they found out her Yahoo address. And I get an email that says, 'Dad, it's an emergency.'”

Trombetti said he recognized the email as a hack attempt, but worried that people less familiar with security issues might not see through such ploys.

Attackers also use personal information to try and guess passwords of company employees.

Hackers have exploited these avenues to jump from subcontractor systems into major company systems, working through the chain to steal tens of thousands of user names and passwords, the Alert Logic report said.

Through the stolen credentials, attackers have accessed valuable information, such as seismic survey data, details of financial deals, intellectual property and other material, Alert Logic said.