SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Leave a comment

SWITCH Security Report September/October 2021

Dear Reader


The latest issue of our bi-monthly SWITCH Security Report is available.

The main topics of the current report are:

  • Covid collateral damage: how the pandemic impacts IT security
  • Malware-as-a-service – advertised via Google Ads and supported by brazen PR
  • Advertising and reality: data stolen from 50 million T-Mobile US Inc. customers
  • Facebook face down – the temporary fall of the Zuckerberg empire

> Download English Report I > Download German Report


Leave a comment

The electricity industry: the need for action on cybersecurity

The ‘Cybersecurity and cyber resilience in the Swiss electricity supply’ report by the Swiss Federal Office of Energy concludes that the electricity industry needs to take action on cybersecurity.

There’s no doubt that the electricity supply is most likely the most important of all critical infrastructures in a modern, digitalised society. In the Swiss Confederation, the electricity supply network is heavily fragmented – there are around 600 power plants supplying homes and businesses in the network. Unlike other critical infrastructures, the electricity sector must be viewed as a complex overall system from the perspective of cybersecurity. In view of the threat situation, this gives rise to major challenges.

Inside-it.ch columnist Martin Leuthold of the Switch Foundation has analysed the report entitled ‘Cybersecurity and cyber resilience in the Swiss electricity supply’ and gives his thoughts on four proposals made by the Swiss Federal Office of Energy (SFOE).

Who are the key market players in Switzerland?

The report starts by using the term ‘boundary conditions’ to propose that the SFOE define mandatory requirements and/or a risk-based minimum standard for key market players. In terms of the criteria for defining ‘key market players’, reference is made to the practice in neighbouring countries, which makes sense. How these parameters should be defined in Switzerland, however, remains unanswered. Realistically, the focus should initially be on 20 to 30 leading energy firms. We recommend looking for ways in which the many small utility suppliers can also be included in parallel with the industry.

In our experience, it’s also important that the (continued) development of a mandatory minimum standard, as yet undefined, take place in close consultation with the industry. Also in our experience, we expect that no more than the top 50 in the industry will be able to implement and operate a risk-based minimum standard for cybersecurity through their own reasonable efforts. For the others, outsourcing or establishing a specialised joint venture are likely to be viable routes. The only real alternative is a major consolidation of the industry, which would lead to massive ‘defragmentation’, but in the federalist system that we have, that goal will be difficult to achieve and will take a considerable amount of time. 

Authorities should audit safety standards regularly

The second measure proposed in the SFOE report is to establish an auditing body. In view of their current activities, Elcom or METAS would be predestined for this role. This would also ensure a separation of powers. The SFOE report also mentions, among other things, an implementation option based on certification. This variant would need to be based on an internationally recognised and certifiable standard – in the cybersecurity domain, this certification would most likely be ISO 27001. Service provider certification has been successfully implemented for other critical infrastructures. With that form of solution, the effort required to undertake the audit is shifted to the service provider on a ‘user pays’ basis, with no additional state structures that need to be funded by the taxpayer. We strongly discourage country-specific adaptation of standards or even the development of a national standard, both of which are mentioned.

Encouraging reporting obligations through sanctions and incentives

Thirdly, the SFOE report proposes a reporting obligation, which includes a model of sanctions and incentives. The central reporting office would be the NSCS, which would systematically forward information concerning incidents to the SFOE. As the NCSC is developing a concept for a reporting obligation based on the NCS, pressing ahead in the electricity sector would not be a sensible approach and it would be expedient to wait for the results from the NCSC before designing this measure. In our many years of experience, the quality of the reports will suffer if the reporting office does not have a certain level of independence from the regulator, and particularly if the regulator operates a regime of sanctions.

Trust is a critical factor for success when it comes to reporting, and the NCSC will need to consider carefully whether or not to squander that trust with an inappropriate solution in the energy sector. What is forwarded to the SFOE, and how, will be decisive to this. When it comes to incentives, the end point of state functions must be clearly regulated. The NCS stipulates that the state acts a subsidiary agent, and particularly only when overriding interests – such as the functioning of society, the state or the economy – are in peril. It is not the state’s job to provide systematic incident response support to incentivise the reporting of cyber incidents – and it would be wrong to use taxpayer money to fund it. Firms themselves must remain responsible for incident response, with relevant support services procured from the market.

A two-stage reporting route, which the federal government is also considering, is not addressed in the SFOE report. It is, however, an interesting option, as reports could then be sent to an independent trusted partner – perhaps because the industry is involved in the governance of that organisation. In Switzerland, SWITCH-CERT would be an appropriate platform for energy as it enjoys trust and can be developed accordingly. In Austria, the industry comes together in the Austrian Energy CERT, which also acts as a reporting office and forwards reports in accordance with applicable requirements (e.g. the NIS Directive). There is no doubt that reports must be sent to the NCSC in suitable form in a two-stage model and that regular exchange with the regulator would be both helpful and desirable.

Encouraging regular knowledge sharing

Continuous knowledge sharing on the current situation, threat intelligence and prevention is the fourth measure proposed by the SFOE. With SWITCH-CERT’s many years of experience, this would certainly add value if implemented properly. As such, it is hard to understand why it is only treated as an option, with implementation considered only in the long term. The effort required to implement this measure is estimated to be minimal, and the NCSC and the SFOE should establish capacity in this area. Our extensive experience illustrates that implementing these measures involves considerable effort – it would make sense for the NCSC to play a central role in this.

We don’t consider the demand for the SFOE to also establish capacities in this area to be realistic or useful, as it would mean a duplication of roles and considerable effort. Truly valuable knowledge sharing – the only thing that will bring the added value needed – requires very open exchange between participants, as well as a high level of trust. The SFOE, in its role as regulator, will never be able to build that trust. In contrast, the NCSC (MELANI/GovCERT) enjoys an excellent reputation and is considered trustworthy, not least because the organisation has ample experience in moderating these kinds of closed groups.

SWITCH-CERT has proven itself adept at operating exchange platforms in selected sectors, complementary to the NCSC and in close collaboration with MELANI/GovCERT. Thanks to its independence and high degree of transparency, this non-profit foundation enjoys a high level of trust, including amongst ten firms operating in the electricity sector. SWITCH-CERT, one of the first CERTs in Switzerland, has worked systematically since 1996 to establish an excellent network both nationally and internationally. In addition, over the past few years, it has also set up its own centre of excellence for OT security for the industry & logistics and energy sectors. It would be a mistake not to use this knowledge and experience to improve cybersecurity in the energy sector.

About Martin Leuthold

As a member of the Management Board, Martin Leuthold has been Head of the Data, Security and Network Division at the SWITCH Foundation since February 2016 and is a member of the Swiss Academy of Engineering Sciences’ Cybersecurity Advisory Board. His Twitter handle is @MLeuthold.


SWITCH Security Report July/August 2021

Dear Reader

The latest issue of our bi-monthly SWITCH Security Report is available.

The main topics of the current report are:

  • Perhaps 1984 WAS like 1984 – a big blunder by Apple or simply brilliant advertising?
  • Pegasus: what IT users can learn from the ancient Greeks
  • The biggest hack in cryptocurrency history – fingerwagging or hacker vanity in its purest form?
  • In bed with Siri, Alexa and Uber – what is the privacy and data security situation for working from home?


> Download English Report I > Download German Report


Secure PLC Coding Practices

In the world of operational technology, programmable logic controllers (PLCs) control physical elements such as a municipal water supply system, the room temperature in offices or a chocolate bar packaging machine. Twenty years ago, manufacturers promoted their PLCs as compliant with the IEC 61131 standard. Today, the standard is well established and supported by all major PLC suppliers. To program a PLC, five programming languages are defined:

IEC 61131-3 languageDescription
Ladder Diagram (LD)Looks like a electrical diagram
Function Block Diagram (FBD)Contains elements from boolean algebra / digital technology
Structured Text (ST)Similar to Pascal or C
Instruction List (IL)Has its roots in the assembler language
Sequential function chartGraphical elements for programming e.g. batch programming

An electrician will likely choose Ladder Diagram as programming language. Someone who is used to programming in a high-level language will most probably use Structured Text. Often it is a mixture: functions or libraries are written in ST, while the “glue logic” is written in Function Block Diagram.

Continue reading


One more Podcast – Security Awareness Insider

There are more than 2.6 million podcasts available on Spotify. For every possible topic you can find experts, famous people or entertainers talking about it. Among podcasts evolving around politics, sports, psychology, crime or history there are also some putting the topic of information security in the spotlight.

“Back then: plant a tree, build a house, father a son. Today: have a podcast.”

A lot of security, but no awareness

If you are working in security awareness there is not much in it for you though. Most podcasts on security cover the topic by inviting one phishing simulation provider. But as you know, there is so much more to it!

This is why Marcus Beyer (Security Awareness Officer at Swisscom) and I decided to start our own podcast on security awareness only: Security Awareness Insider (in German).

Continue reading


The May/June 2021 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Back and forth in the pipeline: hacking and rehacking the US fuel firm Colonial Pipeline with Ransomware as a Service
  • Meat and greed – the world’s largest meat processing company pays a hefty USD 11 million ransom after a ransomware attack
  • When Android devices catch the flu: FluBot, the banking trojan, spreads to Android devices
  • Russian cyber spies attack government and NGO networks

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.

Mobile Malware


2 Comments

Android FluBot enters Switzerland

FluBot is a new Android malware first discovered in December 2020. During the first few months, FluBot has been active in Spain, Hungary and Poland. Since then, the development of the malware advanced quickly and the malware has set foot in almost all European countries.

On the 18th of June 2021 FluBot version 4.6 was spotted which added a configuration for Switzerland. As of today it is actively being spamertized through SMS.

Alias Names

FluBot is known by different names. The name “FluBot” is best known because this was the name given in the first public technical writing. Below the reference to the most well known aliases:

  • January 2021, ThreatFabric was the first to give it the name “Cabassous” in a Twitter post
  • March 2021, ProDaft published a detailed technical report and gave it the name “FluBot”
  • April 2021, IBM Trusteer took a deeper look at the different FluBot versions and gave it the name “FakeChat

Distribution

FluBot is distributed using smishing (a combination from the words SMS and phishing). The victim receives an SMS with a link to an URL which distributes the APK. The installation is straight forward using sideloading.

If the recipient device is not an Android mobile phone or the fraudster does not want to distribute the malware at that time, the URL redirects the user to a scam website or with the Voicemail lure we have seen a redirection to the Voicemail app from Deutsche Telekom AG on the Google Playstore.

FluBot SMS are typically sent from other infected mobile phones. If the number of infected devices within a country is not very high it has been seen that infected devices from other countries are used to send the SMS.

The SMS text message may vary as do the URLs. Sometimes they talk about parcel delivery using brands such as DHL or UPS. The current campaign in Switzerland uses Voicemail as a lure. The malware distributed in Switzerland from the smishing URLs are currently all FluBot samples. However, this may change as in other countries it has been seen that another well known trojan called Anatsa is dropped instead. See also tweet by ThreatFabric.

Continue reading


The March/April 2021 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Exploit on Exchange – vulnerabilities in Microsoft Exchange servers trigger a red alert
  • Learning by doing – data leaks discovered in the Swiss Army’s cyber training school
  • Rocky start(up) at Verkada – 150,000 surveillance cameras hacked
  • Refunds from the remorseful Ziggy ransomware gang
  • Data scraping on Facebook and LinkedIn: big data brings big damage

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.


The January/February 2021 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Dependency confusion – when trust is too good to be true
  • Water hacking – not a new trendy sport, but a serious threat
  • Emotet: the king is dead – let there be no successor!
  • Rumours of its death are greatly exaggerated: how phishing mailers trick cutting-edge security filters with good old Morse code

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.


The November/December 2020 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Choose your team carefully – hackers use fake MS Teams updates to attack networks, especially those of educational institutions
  • Audacious coronavirus relief phishing delivers an extra malware ‘bonus’ on request and creates a challenge for BEC
  • Stopping the attempt to stop online hate speech?
  • Close the gates before it’s too late: what Sneakers and the Internet of Things have in common

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.


2 Comments

DNSSEC signing your domain with BIND 9.16

BIND 9.16 has improved DNSSEC support to the point where it can (finally) be called simple to use. This is excellent news for DNS administrators because it means there are now several options (viable alternatives being Knot DNS or PowerDNS) which make DNSSEC simple to deploy.

Six years ago we wrote a blog post about BIND 9.9 and its new in-line signing support. This article got a lot of views but at some point we had to put a warning message on the blog post stating vaguely that we would not recommend the method described anymore. The main reason was that DNSSEC with BIND 9.9 still contained many manual steps which could not be configured in named.conf. Especially key roll-overs caused headaches for administrators. If you cannot upgrade to BIND 9.16 the old blog post might still be useful. But in this case, we recommend to omit key roll-overs altogether.

However, now that we have BIND 9.16, you can just make some configuration changes to named.conf and it’s all done. Now let’s take a closer look on how you can enable DNSSEC for your domain name.

OS Setup

We used Debian 10 (aka buster) which comes with BIND 9.11 at the time of writing. We used the BIND9 packages provided by ISC, who offer BIND 9.16 in the “BIND 9 Stable” repository. Please head over to ISC Packages for BIND 9 for instructions on how to use the ISC packages directly.

Once you have added the ISC BIND 9 Stable repository we install bind9, bind9 utils and the bind documentation:

apt-get install bind9 bind9-dnsutils bind9-doc

You have now a running bind9 instance. You can check its running state with systemctl:

systemctl status bind9

Continue reading


The .ch zone file will be published as open data

The Swiss Federal council adopted the lower laws to the telecommunicaiton act today. Amongst it is the Ordinance on Internet Domains that also regulates the ccTLD .ch. SWITCH-CERT welcomes the new ordinance and the smart regulation by the Federal Office of Communications (OFCOM). The Ordinance on Internet Domains will come to power on 1.1.2021 and has some important changes.

The most obvious ist that the personal data of domain holders will no longer be published in the public whois, following other European countries and the GDPR. This is an important change to protect the privacy of Domain holders. There will be a regulated and monitored access for Swiss Authorities and others that require that data for fighting cybercrime or have other legitimate reasons to get access to the identity of a domain holder. You can find more information on the SWITCH website.

Not so obvious, but from the CERT and security persepective as important is that the .ch zone file will be published as a whole. While the data about (active) .ch domains itself has been published in the distributed Domain Name System ever since, the file containing all domain names – the .ch “zone” – was never public. This will change as of January 2021, details on how to access the .ch zone file will be published at the SWITCH open data page soon.

The .ch zone file contains all registered .ch domain names that have a NS record that points to the nameserver that gives authoritative answers for that domain name. If a domain is registered but has no NS record, it will not be published in the .ch zone file and cannot be resolved, the domain is not active, the website and email are not reachable by Internet users. The .ch zone file is an entry point to query all active .ch domain names for domain data at the authoritative nameserver. This data contains the (IP) addresses for webservers, for email and other public reachable services. It also contains information about who runs the infrastructure and allows the mapping to a country or geolocation. It is also visible which new technologies like IPv6 are used or what security features (DNSSEC, DANE, SPF, DMARC) are used or which Certificate Authority is indicated. This gives direct information about technological and economic details for all active .ch domain names. All this is already done by different initiatives. The publishing of the .ch zone file will give the possibility to make these data collection on .ch domain names complete.

Zone files of most TLDs are available. Generic TLDs (gTLDs) like .org and .com have to publish their zone file via ICANNs Centralized Zone Data System (CZDS) and also some other ccTLD registiries publish their zone file.

One of the possibilities with this information is to see recently activated domain names. This allows security researchers and authorities to monitor these names for potential harmfull activities like phishing or online fraud. Having access to the .ch zone file, they can react fast on malicious registrations and prevent damages for Internet users.

But fighting cybercrime was not the only reason to publish the .ch zone. Switzerland has a law on Open-Government-Data-Strategy that follows the open-by-default strategy. As the zone file contains no personal data, the publishing of the .ch zone file is in line with that law and we hope that open data researchers, public archives and others that look a the Swiss Internet can make use of this data for the public interest. We think that the .ch zone file is an important piece of information to better understand the economic, social and technological impact of the digital transformation in Switzerland. As almost everything in the Internet uses a domain name, changes in domain names can be important signals to detect ongoing or historic changes.

We welcome and encourage any public archives of historic and derived data by organisations and individuals who can add value to the .ch zone file. If you publish data like scan results or statistics, please let us know at cert@switch.ch.

 


GÉANT and Cyber Security Month with Security awareness at the Paul Scherrer Institute


Cyber Security Month with GÉANT – “Become a cyber hero”

The European data network for the research and education community GÉANT interconnects national research and education networks (NRENs) like SWITCH across Europe, enabling collaboration virtually and accelerate research, drive innovation and enrich education.

Also this year GÉANT joins the European Cyber Security Month, an initiative launched by ENISA, EC DG CONNECT and a variety of partners, to raise security awareness within the European community. With the tagline «Become a cyber hero» GÉANT publishes practical tips, case studies and articles on social engineering, phishing, password security and ransomware throughout October. The content is provided by experts within the community.

SWITCH-CERT is proud to share with you one of the interesting contributions from the Swiss NREN. Read about Björn Abt, IT Security Officer at the Paul Scherrer Institut (PSI), talking about their approach to security awareness:

Continue reading


The September/October 2020 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Ransomware – the new normal of digital extortion
  • A murky supply chain – how hackers profited from Cumulus data
  • Smisherman’s Friends – a new wave of smishing attacks is washing over Europe and Switzerland

The Security Report is available in both English and German.

»»  Download the English report.     »»  Download the German report.


Growing support for open security standards in Switzerland

Open security standards are essential for a secure and resilient Internet in Switzerland and protect the privacy of Swiss Internet users. The adoption rate for Internet security standards like DNSSEC, DANE and DMARC in Switzerland is still low compared to the leading countries in Europe, but there is more and more support from the Internet industry, authorities and not for profit organizations in Switzerland.

Why are open security standards so important?

The implementation of open security standards that come out of the Internet Engineering Task Force (IETF), reduce the attack surface of the domain/service owner. But even more important, a growing implementation rate reduces the attack surface of the internet as a whole and makes the life of cyber criminals and state actors more challenging. Open security standards provide different mechanisms to secure our communication on the internet, most important encryption and authentication. Encryption keeps our communication on the internet confidential and prevents third parties from reading our emails and tracking on which web sites users spend their time. Authentication allows us to identify and authenticate our communications partners, it makes sure that we are not on a fake website or send emails or our login credentials to a rogue email server. Continue reading