website defacement, 7 tips to impede it

Case study: Quick intervention to impede website defacement

Over 40% of all websites worldwide use WordPress. This content management system owes its popularity to its open-source codebase and to the possibility of extending the core functionality of a website via third-party plugins – there are more than 59 thousand official plugins currently available.

Plugins are in most cases developed by independent software companies and professionals with different levels of expertise and security awareness. Before being added to the official WordPress library, plugins are audited to ensure they work as intended and that they follow WordPress's security guidelines. However, not even the most efficient review team can test WordPress plugins under the lens of cyber security and guarantee they are 100% secure. Also consider that plugins are checked only when first added to the WordPress repository.

Lots of other plugins are available outside the official library. In most cases they are cracked or alternative versions of fee-based plugins, which can be downloaded for free but may embed backdoors. For these reasons, you may not be surprised to read that in 2021 about 98% of vulnerabilities concerning WordPress websites were related to plugins.

An outdated plugin was the entry point for the compromise of the website of one of our customers. During a routine content update, its digital marketing team was unable to access the administration panel: the anomaly was suspicious enough to promptly call for an investigation into the issue. Paradox Engineering’s cyber security team analyzed the case, confirmed a cyber security incident and detected two attack vectors with different goals.

The first attack aimed at manipulating the home page of the website (so-called ‘website defacement’); the second was likely intended to host a hidden e-commerce website to sell illegal goods. The attackers exploited an outdated and vulnerable plugin to upload a modified configuration file, which triggered a new WordPress installation on the host machine. The new installation process allowed the attackers to upload other malicious files and gain full control of the website.

In less than a week, the site would have become a valuable resource in the hands of cyber criminals. Fortunately, the request for investigation came to PE a few hours after the malicious files were uploaded, so it was possible to impede the website defacement. The early intervention reduced the time of compromise, leading to the clean-up of the website within a few hours.


Paradox Engineering’s incident management process is based on NIST best practices to mitigate the impact of the attack and speed up recovery. The first step is to collect as much data as possible regarding the events that occurred in the attacked system and extract relevant information about the attack vectors. After the assessment, it is important to quickly implement all necessary containment actions to block further attacker movement. Finally, after containment, a deep investigation to find the root cause is useful to define the best resolution and mitigation actions to prevent similar attacks in the future.


7 tips to protect your website:

  1. implement strong authentication and authorization policies and a website backup policy – store backups in a safe place (not accessible from the web instance) and always use backup solutions that are not provided by CMS plugins
  2. prefer policies that follow the main principles of “need to know” and “least privilege”
  3. install only strictly necessary plugins and regularly delete the ones you don’t use
  4. keep the CMS and plugins updated. It’s recommended to set automatic updates for security patches and manually apply major releases
  5. have a staging environment to test any update
  6. collect log events for the cybersecurity team to detect anomalies
  7. implement a change detection mechanism (e.g., through hashes) to notify the cybersecurity team in case of suspicious website access or modification
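Tip 7 and the case study above (a modified configuration file and new files uploaded to the host) can be turned into a concrete control. The following script is an added example, not Paradox Engineering's tooling: it builds a SHA-256 manifest of a web root, diffs a later scan against it, and escalates the two patterns from the incident, a changed wp-config.php and executable code appearing under the uploads directory. The sensitive-file list, directory names and sample tree are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16

# Alert-worthy locations (assumptions for the example, not a full WordPress hardening list):
# configuration files that should never change outside a planned deployment, and the
# media directory, where the CMS should write images but never executable code.
SENSITIVE_FILES = {"wp-config.php", ".htaccess"}
NO_CODE_DIRS = ("wp-content/uploads",)
CODE_SUFFIXES = {".php", ".phtml", ".phar"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 digest (the baseline)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes between two scans into added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def triage(changes: dict) -> list:
    """Promote the changes that matter most to alerts for the security team."""
    alerts = []
    for rel in changes["modified"] + changes["removed"]:
        if Path(rel).name in SENSITIVE_FILES:
            alerts.append(f"CRITICAL sensitive file changed: {rel}")
    for rel in changes["added"]:
        if Path(rel).suffix.lower() in CODE_SUFFIXES and rel.startswith(NO_CODE_DIRS):
            alerts.append(f"CRITICAL executable code added to media directory: {rel}")
        elif Path(rel).name in SENSITIVE_FILES:
            alerts.append(f"CRITICAL sensitive file created: {rel}")
    return alerts


def demo() -> tuple:
    """Constructed scenario: baseline a minimal web root, replay the incident pattern, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads" / "2021").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
        (root / "wp-content" / "uploads" / "2021" / "logo.png").write_bytes(b"\x89PNG")
        baseline = build_manifest(root)

        # Constructed changes: config replaced, a PHP file dropped where only media
        # belongs, and one legitimate image added that should not raise an alert.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'other');")
        (root / "wp-content" / "uploads" / "2021" / "cache.php").write_text("<?php")
        (root / "wp-content" / "uploads" / "2021" / "photo.jpg").write_bytes(b"\xff\xd8")

        changes = diff_manifests(baseline, build_manifest(root))
        return changes, triage(changes)


if __name__ == "__main__":
    found, alerts = demo()
    print(found)
    print("\n".join(alerts))
```

In production the baseline manifest would be written at deployment time and kept off the web instance, in line with tip 1, so an attacker who controls the web root cannot rewrite it.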


Learn more about our Cyber Security Services and contact our experts to ask for consultancy and advice!


Wireless IoT; zero-day vulnerabilities

Case study: Discover and manage zero-day vulnerabilities

In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.

At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.

The first is privacy: the hacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or to get sensitive personal information (faces, car license plates, etc.). Secondly, the violation may grant visibility into the infrastructure to which the camera is connected and pave the way for a network attack. Last but not least, the breach may also lead to the exploitation of the camera's computational power for crypto mining, or to its use as a node of a botnet, a network of compromised devices under remote command and control.

During a routine security assessment on the IoT network of a customer, our cyber security team detected a newly installed device, specifically an IP camera. A research activity was run to assess whether the camera could be considered secure enough to be used and exposed on a public network. The team discovered two zero-day vulnerabilities: as such software vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches were available for their resolution.

Discovering a zero-day vulnerability requires the adoption of an attacker's mindset and the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker's perspective? To answer these questions as exhaustively as possible, our cyber security experts leverage a methodological process that is part of the company's cyber security framework.

The analysis confirmed it was not secure to publicly expose the IP camera. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account and access all IP camera commands without being authorized. The second vulnerability was related to the passwords of the IP camera users: by reverse engineering the publicly available source code, it would have been possible to discover the salt used by the hash function that protects stored user passwords.

Two different solutions were suggested: remove the camera and replace it with a more secure product or install a firewall to limit the access to known IP addresses. The customer agreed to remove the IP camera to avoid any possible issue and restore the overall security level.


Is your IoT infrastructure secure enough? Learn more about our Cyber Security Services and contact our experts to have all your questions answered!


cybercriminals

When a city is held hostage – podcast

Cybersecurity threats are on the rise and ransomware is the prime threat for private companies and public bodies, says the latest ENISA Threat Landscape report by the European Union Agency for Cybersecurity.

Cybercriminals are increasingly motivated by the monetization of their activities, and their attacks are growing in terms of sophistication, complexity, and impact due to our massive online presence, the transition of traditional infrastructures towards digital solutions, advanced interconnectivity of systems, and the exploitation of new features of emerging technologies.

Ransomware and cryptojacking are the techniques that money-oriented attackers use most frequently, and cryptocurrency remains their most common pay-out method. Unsurprisingly, ENISA highlights that supply-chain attacks rank high because of their significant potential to induce catastrophic cascading effects.

But something is changing. DDoS (Distributed Denial of Service) campaigns are becoming much more targeted, persistent, and increasingly multivector. And not all cyber offenders are primarily driven by money.

In the UK, on December 20th 2021, Gloucester City Council became aware of a cyberattack hitting its systems and causing some key services, such as housing benefit management, to be delayed or unavailable. As reported by the BBC, it could take months to fix affected servers and systems, while preliminary investigations unveiled possible links to hackers in the former Soviet Union.

The mounting tension between Russia and Ukraine is seen by cybersecurity experts as a possible trigger of hacking offensives threatening Europe, the US, and beyond. That has already happened in 2017 with NotPetya, a Russian cyberattack that targeted Ukraine but rapidly impacted the entire world at a cost of billions of dollars.

The likelihood of cyberwar scenarios makes ENISA underline there are four categories of cybersecurity threat actors to be monitored: ‘traditional’ cybercriminals, state-sponsored attackers, hacker-for-hire actors, and hacktivists. Understanding how these actors think and act, what their motivations and goals are, is an important step towards a stronger cyber incident response.

Are cities prepared to recognize and face such different threats? Listen to Nicola Crespi, head of R&D at Paradox Engineering, and Dario Campovecchi, our cybersecurity architect, in a conversation that explores some of the most acute dangers Smart Cities are confronted with, and how to manage cybersecurity as a lifelong journey.

The podcast is available on Tomorrow.City


cybersecurity

What about cybersecurity in Smart IoT Cities?

“Your city has been hacked” – this is the news everybody fears...

If measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. According to a report by US-based firm Cybersecurity Ventures, cybercrime is predicted to inflict damages of 6 trillion US dollars globally in 2021. Growing by 15% per year, expected damages will reach 10.5 trillion US dollars by 2025, including stolen money, theft of personal and financial data, theft of intellectual property, lost productivity, forensic investigation, restoration and deletion of compromised data and systems, and reputational harm for the hacked organization.

A cyberattack could potentially disrupt essential public services, expose personal and financial data, and disable the economy of a city. Not a reassuring perspective for cities which are increasingly relying on interconnected networks and sensor-based infrastructures to operate and deliver any application that people and businesses need, from energy distribution to mobility systems, from street lighting to municipal waste collection, and more.

Are cities prepared to face such a threat? An online survey we carried out in October 2021 targeting city officers, utility managers and ICT professionals, found that two-thirds (67 per cent) felt their city was “somewhat vulnerable” to cyberattacks and only four per cent claimed to be “100 per cent cybersecure”. The majority’s (42 per cent) main concern in the case of an attack was around financial data violation, followed by business continuity (40 per cent) and personal data privacy (18 per cent).

How can cities mitigate cybersecurity risks and build a secure foundation for their IoT infrastructure? How can we manage cybersecurity as a lifelong journey? Don't miss our digital event 'What about Cybersecurity in Smart IoT Cities?' on Thursday November 18th, 2021: at Smart City Expo World Congress, our Chief Innovation Officer Nicola Crespi and our Cybersecurity Architect Dario Campovecchi will discuss Paradox Engineering's security by design approach and introduce some innovative services we will launch in 2022.

Free registration is required, contact us to submit questions in advance!


zero trust

Zero trust, the new cybersecurity buzzword

Any device or network architecture can be breached, that’s true. So we shouldn’t trust any user or system. This simple but trenchant assumption underpins ‘zero trust’, a new hype concept in cybersecurity and a ‘very fashionable term’ in the tech world, as the UK's National Cyber Security Centre defined it.

Widespread digitalization, new hybrid workforces and collaboration models, and the growing sophistication of cybercrime created the conditions for a more restrictive vision of data and infrastructure protection. While the EU is shaping its Cybersecurity Strategy, the US is already approaching zero trust after President Biden's "Executive Order on Improving the Nation's Cybersecurity." Released last May, the order basically pushes federal agencies to implement zero trust architectures and prepare for future enhancements. Updated guidance was released last week and agencies are given specific security goals to be achieved by September 2024.

If asked to summarize what zero trust is about, we might say “Never trust, always verify”. The idea is to remove inherent trust from the network and not to trust devices by default just because they are inside the perimeter of a firewall or VPN. A zero-trust architecture should verify everyone and everything, using granular techniques to permit only the necessary network access and transactions.

The migration to this network design could be expensive and somehow disruptive for most organizations, and it could require years to be completed due to the extent of changes to be implemented.

Zero trust supporters highlight that this strict model allows an organization to minimize cyberattack risks, define stronger authentication and authorization policies, reduce network overhead, and react more quickly in case something gets compromised.

However, we need to remember 100 percent cybersecurity is an impossible goal, unless we fully give up on innovation and digital transformation. So zero trust architectures or solutions can’t be taken as the ‘silver bullet’ answer to solve everything.

Some analysts recommend a pragmatic approach, starting with an accurate assessment of actual vulnerabilities. Which network elements actually require zero trust protection? Which data, transactions, or applications need to be locked down with the utmost level of security? This kind of analysis could lead to the decision to shift to zero trust only for the most critical assets, while adopting more proactive and systematic cybersecurity measures elsewhere without adding unnecessary complexity.


What’s your approach to cybersecurity? Is zero trust applicable to your network? Contact our cybersecurity experts to share thoughts and insights!


survivorship bias

Cybersecurity in Smart Cities: don’t be trapped in the survivorship bias

During World War II, a team of researchers at Columbia University was asked to examine the damage done to aircraft that had returned from missions, and recommended adding armor to the areas that showed the most damage. This sounded pretty logical, but the statistician Abraham Wald contradicted the US military's conclusions by pointing out that only the aircraft that had survived had been considered. Since the bullet holes in the returning aircraft identify areas where a bomber could take damage and still fly well enough to come back safely to base, Wald proposed to reinforce the areas where the returning aircraft were unscathed.

The ‘survivorship bias’ – that is, the logical error of concentrating on people or things that passed some selection process and overlooking those that did not – can lead to false conclusions in several different ways, and it is a pitfall for cybersecurity too.

In 2020 the Center for Long-Term Cybersecurity at UC Berkeley surveyed 76 cybersecurity experts and ranked different technologies according to their underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack. According to this study, not all Smart City technologies pose equal risks: emergency alerts, street video surveillance, and smart traffic signals stand out as the most vulnerable, while smart waste systems and satellite water leak detection are rated among the safest.

City officials should therefore consider on a case-by-case basis whether cyber-risks outweigh the potential gains of technology adoption, and invest more in technologies that are both vulnerable in technical terms and constitute attractive targets for capable potential attackers, because the impacts of an attack are likely to be great. Again, this sounds like a logical recommendation – but let us beware the survivorship bias.

Achieving 100% cybersecurity is an impossible goal unless we fully give up on innovation and digital transformation. However, cities should be 100% conscious that any urban network infrastructure and application should be properly designed and implemented with security built in from the outset. Even potentially unattractive systems – such as streetlights – might become interesting for criminals, and the human element is often the weak link that turns a vulnerability into an actual breach.

Many governments around the world are raising cybersecurity consciousness and starting dedicated programs to protect critical systems and resources. Last May, President Joe Biden signed an executive order aimed at strengthening US cybersecurity defenses, a move that follows a series of sweeping cyberattacks on private companies and federal government networks over the past year. The order seeks to move the federal government toward more modern and safer digital infrastructure, and sets stricter rules for IT service providers working with public bodies.

Italy is set to create a national agency responsible for fighting cyberattacks and creating a unified cloud infrastructure to increase security for public administration data storage. Most European countries are boosting their efforts to counter cyber risks, seen as a threat to their security and competitiveness in an increasingly networked world.

While we head for improved systems and data protection, we shouldn’t forget that it is possible to balance the value of innovative technology with the lowest possible risks. At Paradox Engineering, the balance is achieved thanks to our ‘security by design’ approach: this means injecting cybersecurity into IoT technologies from their very inception, and combining different methods (blockchain, dedicated hardware security modules on devices, ultra-reliable encryption, and other features) to ensure urban infrastructures are intrinsically secure.

Securing cities is an ongoing challenge which requires an overarching approach and strategy (let us avoid the survivorship bias!), together with constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.


cybercrime

Cybercrime: the human element is the weak link

More than 2,000 complaints per day and about $4.2 billion losses due to cybercrime and Internet frauds in 2020: these are some of the figures reported in the US by the FBI’s Internet Crime Complaint Center.

The uptick in cybercrime is mostly made up of business e-mail compromise (BEC) cases and ransomware attacks. About 19,000 BEC scams were reported in 2020, with criminals compromising legitimate e-mail addresses through hacking or social engineering and stealing about $1.8 billion. Ransomware victims have increased a lot in the last twelve months; the American health care provider Universal Health Services announced $67 million in losses after a single ransomware attack last September.

While the cybersecurity industry is adopting modern and sophisticated defensive systems, cybercriminals are sometimes exploiting the most basic tricks to achieve their goals. A study by a consortium of UK researchers, including WMG and the University of Warwick, analyzed the momentous surge in cybercrime during the Covid-19 pandemic. In some peak weeks, around three to four new attacks were being reported daily, revealing a direct connection between governmental policy announcements and cybercrime campaigns.

Scams impersonated public authorities such as the World Health Organization, healthcare services offering Covid-19 cures, or well-known organizations endorsing relief campaigns. Such scams were typically sent by text or e-mail messages, with a URL pointing to a fake institutional website that requested debit/credit card details. Most of these phishing, smishing, or malware campaigns were successful.

This reminds us of how relevant the human element is when dealing with cybersecurity. Although often underestimated, independent surveys attribute 90% of security breaches to inadvertent human error.

With the pandemic resulting in more people working from home and accessing business-critical data from less-secure locations and less-protected devices, the potential vulnerabilities for cybercriminals have grown enormously. Also, cybercrime has evolved into a well-organized, professional, determined business, driving an economy which is about 7 times the size of Amazon, and 60 times that of Tesla.

While a security-by-design approach is absolutely needed when developing and implementing any digital system, private and public organizations are increasingly looking at cyber-awareness programs to educate their employees and share appropriate security policies and practices.

The day may not be far off when recruiters will measure a Cyber Quotient by assessing who the candidate is, what he/she knows about cybercrime, and how used he/she is to mitigating risks. This parameter would quantify the human element of cybersecurity and potentially become a basis for hiring new employees.


water utilities

Cybersecurity increasingly threatening water utilities

Water distribution networks are traditionally challenged by ageing infrastructures, inadequate pipe monitoring and maintenance, or seasonal problems such as pipes freezing and bursting in winter. But water utilities are increasingly threatened by another big issue, that is cybercrime.

A worrisome episode was reported last week in Florida, US, where a hacker attacked the water supply plant in Oldsmar. The intruder breached the plant control systems through a remote access program normally restricted to plant workers and managed to increase the amount of lye — sodium hydroxide — by a factor of 100. Lye is used to lower acidity, but in high concentrations it is highly caustic and can burn.

A supervisor monitoring the plant console saw a cursor move across the screen and change settings, and was able to immediately reverse it. The local population (about 15,000 people) was never in real peril, since the existing monitoring systems would soon have detected the chemical alteration and prevented it from affecting the water supply. Nevertheless, the case had huge coverage and raised alarms about how vulnerable water systems are to cyberattacks.

Most municipal water utilities are quite underfunded and under-resourced; they have a very small IT staff and frequently no dedicated security staff at all. This makes them a soft target for cybercrime.

A 2020 paper in the Journal of Environmental Engineering found that water utilities are being hacked by a variety of actors, including disgruntled former employees, skilled cybercriminals looking for ransom and profit, and even state-sponsored hackers. Although such incidents have been relatively few so far, the risk is getting higher and requires immediate action to be mitigated.

The Biden administration has already signaled its intention of investing more in cybersecurity. The Department of Homeland Security issued 25 advisories listing various industrial control systems that could be vulnerable to hacking, mentioning water and energy distribution networks together with other urban infrastructures such as video surveillance cameras.


Want to learn more about our cybersecurity and blockchain-powered approach to smarter cities and utilities? Watch our webinar (free on-demand access, no registration required) or contact our cybersecurity experts!


cybersecurity

Cybersecurity: some trends to watch in 2021

Cybercriminals are eager to exploit any period of high uncertainty – such as the Covid-19 pandemic – for their own interests. As the health emergency pushed an unprecedented shift to work-from-home employees, the way people and enterprises manage their business changed, and this is true both for private organizations and public bodies.

The cyberattack scenario changed too. 2020 recorded a significant growth of threats to vulnerable home networks, as well as phishing and malware campaigns hidden behind popular buzzwords such as Covid-19 updates, vaccines, or government stimulus programs.

This will be a leitmotif even in 2021, say cybersecurity analysts. Global events like the Dubai Expo, the Tokyo Summer Olympics, and the UEFA Euro Cup – which are set to happen next year – will probably receive considerable attention from cybercriminals capitalizing on heightened public and media awareness.

Ransomware, along with extortion rackets, is expected to remain one of the biggest concerns for security teams in 2021. By the end of 2020, over $1 billion in financial damage was reported from ransomware attacks globally, and this increasingly deals with Cities, since they store and manage a huge amount of device-generated and personal data. About one year ago, the City of New Orleans in the US was victim of a disastrous ransomware attack, but succeeded in mitigating it thanks to a quick response, statewide partnerships, and a long planning process.

Corporate and urban networks are changing. Digital transformation is accelerating cloud computing and the deperimeterization of existing infrastructures. The conventional ‘bastion defence’ paradigm looks obsolete, and new strategies to ensure full network security, including device, data, and privacy protection need to be implemented.

At Paradox Engineering, we have carefully considered the growing number of connected objects and the relevance of the data exchanged by our customers and partners, which requires cybersecurity to play a role in the design of our products and solutions. We call our approach “cybersecurity by design” because we want cybersecurity to be fully ingrained in our technologies from their very inception, at all levels.

Thanks to our unparalleled blend of competences, we offer innovative Internet of Things solutions integrating reliable encryption features and dedicated hardware security modules, and blockchain technology to provide strong authentication, authorization, and validation at any level of the infrastructure.

Want to learn more? Contact our cybersecurity experts!


blockchain cybersecurity

More open = less secure?

Let's describe Smart Cities from a cybersecurity perspective. There already exists a concrete definition in that urban conglomerates are a massive collection of IoT devices, thus a massive aggregation and utilization of disparate types of information.

Data from these devices needs to be collected, transported, stored and processed to enable the smarter management of public services: the watchwords of forward-looking urban management infrastructures are interoperability and openness.

“Considering technology today, having different networks controlling different services would be anachronistic for a city. Interoperability means any urban application can be monitored and actioned through a single platform, with less complexity and costs, and huge benefits in terms of effectiveness, scalability, and sustainability”, states Gianni Minetti, CEO at Paradox Engineering. “Openness is also a tremendous opportunity for cities. Taking advantage of a standard-based network, local stakeholders and businesses can design their own innovative applications and services, sharing innovation and stimulating mutual growth.”

Although open standards have been legitimised in the last few years, they are still somewhat worrisome to some city managers, who might assume an open infrastructure is less secure than traditional, legacy technologies. But we have a persuasive view about this.

“Let’s review the evolution of the Internet: we wouldn’t have what the web offers us today if it was built on the proprietary, closed and vendor-locked technologies that were mainstream until the late 1980s. Openness and interoperability are the bedrocks of any urban development to be defined smart, and they are not synonyms of more vulnerability,” adds Minetti. “Since the very inception of PE Smart Urban Network, back in 2011, and now as members of the uCIFI Alliance, we have always envisioned openness together with security-by-design principles. Today, we are moving one step forward by integrating blockchain technology in our platform.”

Read more on Cities Today