The Decoupling Principle


This is a really interesting paper that discusses what the authors call the Decoupling Principle:

The idea is simple, yet previously not clearly articulated: to ensure privacy, information should be divided architecturally and institutionally such that each entity has only the information they need to perform their relevant function. Architectural decoupling entails splitting functionality for different fundamental actions in a system, such as decoupling authentication (proving who is allowed to use the network) from connectivity (establishing session state for communicating). Institutional decoupling entails splitting what information remains between non-colluding entities, such as distinct companies or network operators, or between a user and network peers. This decoupling makes service providers individually breach-proof, as they each have little or no sensitive data that can be lost to hackers. Put simply, the Decoupling Principle suggests always separating who you are from what you do.

Lots of interesting details in the paper.
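As an added illustration of the architectural decoupling the paper describes, the following toy code (written for this page, not the paper's own code or a reference implementation) splits "who you are" from "what you do" with a textbook RSA blind signature: the authentication service checks a password and signs a value it cannot later recognise, and the connectivity service accepts the unblinded token without ever seeing a username. Everything here is assumed for the demo: the credential table, the 512-bit toy key, the unpadded hash-then-sign construction, and the per-provider logs that stand in for what a breach of each entity would expose.

```python
"""Added toy example of the Decoupling Principle: the authentication service learns
WHO the user is but signs only a blinded token it cannot recognise later; the
connectivity service verifies the unblinded token and learns no identity.
Textbook RSA blind signatures, no padding, small keys: illustration only."""
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # right size, odd
        if is_probable_prime(cand):
            return cand

def gen_rsa_keypair(bits=512):
    """Returns ((n, e), (n, d)); toy key size so the demo runs quickly."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def hash_to_int(token, n):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

class AuthService:
    """Holds credentials and the signing key; sees identities and BLINDED values only."""
    def __init__(self, users, priv_key):
        self._users, (self._n, self._d) = users, priv_key
        self.log = []  # (username, blinded): all a breach of this provider exposes

    def sign_blinded(self, username, password, blinded):
        if self._users.get(username) != password:
            raise PermissionError("bad credentials")
        if not 0 < blinded < self._n:
            raise ValueError("blinded value out of range")
        self.log.append((username, blinded))
        return pow(blinded, self._d, self._n)

class ConnectivityService:
    """Holds only the public key; sees tokens and signatures, never an identity."""
    def __init__(self, pub_key):
        self._n, self._e = pub_key
        self._spent, self.log = set(), []  # log: all a breach of this provider exposes

    def connect(self, token, sig):
        if token in self._spent:  # replay of an already-used token
            return False
        if pow(sig, self._e, self._n) != hash_to_int(token, self._n):  # forged/garbled
            return False
        self._spent.add(token)
        self.log.append(token.hex())
        return True

def obtain_token(auth, pub_key, username, password):
    """Client: blind a fresh random token, have it signed, unblind the signature."""
    n, e = pub_key
    token = secrets.token_bytes(32)
    m = hash_to_int(token, n)
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:  # r must be invertible mod n
        r = secrets.randbelow(n - 2) + 2
    blinded = (m * pow(r, e, n)) % n
    sig = (auth.sign_blinded(username, password, blinded) * pow(r, -1, n)) % n
    return token, sig

def demo():
    pub, priv = gen_rsa_keypair(512)
    auth = AuthService({"alice": "correct horse"}, priv)  # constructed credential table
    conn = ConnectivityService(pub)
    token, sig = obtain_token(auth, pub, "alice", "correct horse")
    connected = conn.connect(token, sig)
    replayed = conn.connect(token, sig)
    forged = conn.connect(secrets.token_bytes(32), sig)
    # The auth provider's records hold neither the token's hash nor its signature,
    # and the connectivity provider's records never name the user.
    m = hash_to_int(token, pub[0])
    return {"connected": connected, "replay_rejected": not replayed,
            "forge_rejected": not forged,
            "auth_log_links_token": any(b in (m, sig) for _, b in auth.log),
            "conn_log_has_identity": any("alice" in entry for entry in conn.log)}
```

The institutional half of the principle is what makes the split hold up: the two logs are only unlinkable if the two providers do not pool them, which is why the paper pairs architectural decoupling with non-colluding entities. The blinding factor r never leaves the client, so even a breach of both logs yields nothing better than a guess about which session belongs to which login.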


Cyberattacks could worsen the global energy crisis


The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

War, economic instability, external threats, and global politics all affect the energy sector of a country or region. On top of that, cyberattacks on critical infrastructure can cripple an already strained energy market.

Europe is facing a severe energy crisis, and European governments are preparing for this winter by managing demand and building energy reserves. The EU (European Union) has also accelerated work to improve the defence and resilience of critical infrastructure. The crisis is the outcome of Russia’s war in Ukraine (including attacks on pipelines to disrupt supply) and of strict Russian policies towards European countries.

Cyberattacks on the energy sector

In addition to these physical challenges, the growing number of cyberattacks on the energy sector could worsen the crisis. According to Energy Security Sentinel, thirteen cyberattacks targeted energy infrastructure this year, the highest annual count in the last six years. Oil and electricity were the most frequently targeted, followed by gas and shipping.

Such attacks are not limited to European infrastructure. In 2021, the Colonial Pipeline in the United States was hit by a ransomware attack, which led authorities to declare a regional emergency in 17 states and Washington, D.C.

The same year, Saudi Aramco, Saudi Arabia’s state oil giant, came under cyberattack; in that case the attackers demanded $50m in extortion.

Why is the energy sector a target for cyberattacks?

The energy sector is a lucrative target for financially motivated cybercriminals, who know that these companies tend to be financially sound and will pay a heavy ransom to keep their operations running.

A country’s economic activity also depends on its energy sector, so a disruption can cause substantial damage. For example, a six-hour winter blackout in France could result in damages totalling over €1.5 billion ($1.7 billion). That leverage makes critical infrastructure an attractive target for state-sponsored attackers seeking political outcomes against an opponent.

Despite the critical nature of the industry, the energy infrastructure is particularly vulnerable for three primary reasons:

Large attack surface
Lack of skilled professionals
Digitalization and integration

Large attack surface

The attack surface is the set of all possible entry points into a system. The energy sector’s is broad: it includes distribution networks, supply chains, partners, power lines, smart meters and so on. Many organizations cannot inventory, tag or monitor all of these assets, and an asset nobody tracks is an entry point nobody protects.

Lack of skilled professionals

People working in critical infrastructure typically lack the skills needed to defend it against cyberattacks. Even organizations that invest in security products and solutions still face this staffing gap, which leaves them vulnerable.

Interestingly, the public and private sectors are joining forces to close the skills gap. In Europe, ENCS, which is owned by grid operators, shares information and knowledge among its members. In the US, the House of Representatives passed a bill named the “Industrial Control Systems Cybersecurity Training Act”, intended to provide free ICS security training to IT professionals.

Digitalization and integration

Though digitalization and IT integration make critical infrastructure easier to manage and operate, they introduce new security risks. IT/OT convergence in particular raises the stakes: an unauthorized change to a controller’s configuration or logic is no longer just a data problem but can put human life in danger. The risk can be reduced by actively monitoring the systems for such changes, managing patching carefully, and having skilled people protecting the network.
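The monitoring the paragraph calls for has to be concrete to be useful. The following is an added example, written for this page rather than taken from any product or from the article’s author, of a baseline-and-allowlist detector for unauthorized controller changes: a change event is flagged when it comes from a host that is not an approved engineering workstation, falls outside the maintenance window, or leaves the controller running a program whose hash is not the approved one. The JSON audit-event format, the controller names, hashes, addresses, window and every sample line are constructed for the illustration and are not any vendor’s real log format.

```python
"""Added example: baseline-and-allowlist detection of unauthorized changes to
controller logic or configuration. The JSON audit-event format and every value
below are constructed for this illustration, not a real product's log format."""
import json
from datetime import datetime, time

# Constructed baseline: approved program hash per controller, authorised
# engineering workstations, and the approved maintenance window (local time).
APPROVED_PROGRAM_HASH = {
    "plc-substation-01": "6f1a9c0d",
    "plc-feeder-07": "b20e4411",
}
ENGINEERING_WORKSTATIONS = {"10.20.30.5"}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))
CHANGE_ACTIONS = {"program_download", "config_write", "mode_change"}

# Constructed sample events (one JSON object per line).
SAMPLE_EVENTS = """\
{"ts": "2022-11-29T02:10:00", "src_ip": "10.20.30.5", "plc": "plc-substation-01", "action": "program_download", "program_hash": "6f1a9c0d"}
{"ts": "2022-11-29T09:41:12", "src_ip": "10.20.31.40", "plc": "plc-feeder-07", "action": "read_coils"}
{"ts": "2022-11-29T14:32:05", "src_ip": "10.20.40.77", "plc": "plc-feeder-07", "action": "program_download", "program_hash": "deadbeef"}
{"ts": "2022-11-29T10:15:30", "src_ip": "10.20.30.5", "plc": "plc-substation-01", "action": "config_write"}
{"ts": "2022-11-29T03:05:00", "src_ip": "10.20.30.5", "plc": "plc-unknown-99", "action": "program_download", "program_hash": "6f1a9c0d"}
not json at all
"""

def in_maintenance_window(ts):
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() <= end

def classify(event):
    """Return the reasons an event is an unauthorized change (empty list = benign)."""
    action = event.get("action")
    if action is None:
        return ["event has no action field"]
    if action not in CHANGE_ACTIONS:
        return []  # reads and telemetry are not changes
    reasons = []
    if event.get("src_ip") not in ENGINEERING_WORKSTATIONS:
        reasons.append("source is not an approved engineering workstation")
    if not in_maintenance_window(datetime.fromisoformat(event["ts"])):
        reasons.append("change outside maintenance window")
    if action == "program_download":
        expected = APPROVED_PROGRAM_HASH.get(event.get("plc"))
        if expected is None:
            reasons.append("controller has no approved baseline")  # unknown asset
        elif event.get("program_hash") != expected:
            reasons.append("program hash does not match approved baseline")
    return reasons

def detect(lines):
    """Run the classifier over raw log lines; malformed lines are alerts too."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"plc": None, "action": None, "ts": None,
                           "reasons": ["unparseable event"], "raw": raw})
            continue
        reasons = classify(event)
        if reasons:
            alerts.append({"plc": event.get("plc"), "action": event.get("action"),
                           "ts": event.get("ts"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the sample input the approved 02:10 download and the read are silent, while the off-hours download from an unknown host, the config write outside the window, the download to a controller with no baseline, and the unparseable line each produce an alert. The unknown-controller and unparseable cases matter as much as the obvious one: an asset missing from the baseline is exactly the untracked entry point the “Large attack surface” section warns about, and a log line the detector cannot read should never be dropped silently.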

What to do?

Digitalization is inevitable and will bring more risk with it; cyberattacks could become more frequent and better organized, which in turn could worsen the energy crisis. Leaders in the energy sector must therefore build cyber-resilient systems and maintain a business continuity plan.

Energy organizations must also adopt a security-by-design approach from the start of any energy project, and include cybersecurity leaders and experts on the project team.

Protecting the energy sector from cyberattacks is vital to economic stability, and it requires organizations and governments to work closely together.


qemu-7.0.0-12.fc37


FEDORA-2022-22b1f8dae2

Packages in this update:

qemu-7.0.0-12.fc37

Update description:

hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394)
ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638)
acpi erst: memory corruption issues (CVE-2022-4172)
qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144)


CVE-2020-35588


** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn. Further investigation showed that it was not a vulnerability. Notes: none.


USN-5763-1: NumPy vulnerabilities


It was discovered that NumPy did not properly manage memory when specifying
arrays of large dimensions. If a user were tricked into running a malicious
Python file, an attacker could cause a denial of service. This issue only
affected Ubuntu 20.04 LTS. (CVE-2021-33430)

It was discovered that NumPy did not properly perform string comparison
operations under certain circumstances. An attacker could possibly use
this issue to cause NumPy to crash, resulting in a denial of service.
(CVE-2021-34141)

It was discovered that NumPy did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause NumPy to
crash, resulting in a denial of service. (CVE-2021-41495, CVE-2021-41496)
