Tag: gasoline

It's a great package when everything works together, but 7.6kWh isn't enough.
It drives like a hot hatch and might have the best front seats we've sat in all year.
The internal combustion engine's days are numbered.
Some algae can turn fat into hydrocarbons using a light-driven reaction.
Many others had given up trying to make homogenous charge compression ignition work.
From September, Euro 6 rules mean diesels have to prove they're clean in the real world.
Oil giant faces ongoing battle over whether it presented good information to investors.
But whether those rules are enacted is in jeopardy with Trump and EPA chief Pruitt.
Stricter nitrogen oxide emissions regulations mean an end to diesel-engine development.
The deal with Plug Power is good news for a faltering hydrogen fuel cell economy.
Stunned security experts tear strips off president-elect pick hours after announcement

US president-elect Donald Trump's freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable. Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump's transition team as the future president's cybersecurity adviser – meaning Giuliani will play a crucial role in the defense of America's computer infrastructure. Giulianisecurity.com, the website for the ex-mayor's eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities.
Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. Security gurus are right now tearing strips off Trump's cyber-wizard pick.

Top hacker Dan Tentler was first to point out the severely out-of-date Joomla! install. "It speaks volumes," Tentler told The Register, referring to Giuliani's computer security credentials, or lack of, and fitness for the top post. "Seventy-year-old luddite autocrats who often brag about not using technology are somehow put in charge of technology: it's like setting our country on fire and giving every extranational hacker a roman candle – or, rather, not setting on fire, but dousing in gasoline."

Content management system developer Michael Fienen also pulled no punches:

The most surprising fact in all of this is that the Giuliani Security website hasn't ALREADY been hacked. They might as well put out a sign. — Michael Fienen (@fienen) January 12, 2017

It gets worse. "Giuliani is running a version of PHP that was released in 2013, and a version of Joomla that was released around 2012," said Ty Miller, a director at Sydney-based infosec biz Threat Intelligence. "Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits. Depending upon the configuration of the website, these exploits may or may not work, but it is an indication that Giuliani's security needs to be taken up a level."

Found on /r/sysadmin, presented without comment. pic.twitter.com/UmWe7tHURv — Ryan Castellucci (@ryancdotorg) January 12, 2017

Another computer security expert, speaking to The Register on condition of anonymity, analyzed Giuliani's website for us. Our guru, based in Australia, said that while the pending cyber-tsar is likely to have outsourced management of his online base, the fact that the mayor-turned-cyber-expert didn't check for lax security on his own website is not going to instill any confidence. We have reproduced our contact's assessment in full below.

'Someone should be taken to task for this'

Well, talking nuts and bolts: that website is hosted with a hosting provider.
It looks like it has its own IP address based on having a single DNS PTR object (reverse address to the name giulianisecurity.com), which means it's unlikely to be in use by other organisations (except maybe his own... who knows.) That IP address is allocated out of a block of addresses registered to Japanese giant NTT, but these could also be provided to NTT's customers such as web developers/hosting providers etc. Without actively poking at the site – which I'm terrified to do, frankly – it may be shared hosting, may be a VPS, or may be a physically separate dedicated hosting solution.
I’m betting it’s a cheap VPS-based ‘dedicated’ solution. My experience with this kind of hosting means that a nice attack vector is identifying the hosting provider and trying to get allocated a similar hosting solution in the adjacent IP address space, getting root on it (or having it if it’s a VPS) and then using ‘layer 2’ fun and games to redirect the victim site’s traffic to the attacker.

This still works amazingly well and is why smart people try to do things like statically publish layer-2 addresses for layer 3 IP gateways (although this is only so effective, really). For the giulianisecurity.com domain they seem to use Microsoft Office 365 for his email. Not a bad choice.

Email security sucks and, unless you know what you're doing/are a glutton for punishment or are generally my kind of tinfoil-hat wearer (hey, friends), it's best to leave email security to someone reasonably credible. I also note they use a large trademark monitor company – MarkMonitor.com – as the DNS service provider for the domain name giulianisecurity.com. Which is hilarious.

Because, yeah, you’d want to intrude trademark-wise on this guy’s name because it’s such a valuable brand. Like Trump’s, you know? The reality is someone else makes these choices for him for his business.
It's not like he's there, updating his ancient and known-vulnerable Joomla content management system himself (he'd get props from me if that were the case :)). Anyone truly trying to protect your brand would avoid putting a giant red flag like an unpatched CMS in a commodity hosting environment out there. Whether it's Giuliani's company's responsibility or an outsourced provider's (very likely), the 'having ancient Joomla' in place is a pretty bad look.
Someone should be taken to task a bit for this.

And if you’re a security and safety company with an understanding of information security threats you’d have threat management programs in place to identify and improve your controls. For example, if you were undertaking actual security testing of your site I’d wager anyone in infosec – or in IT generally really – would’ve noticed the ancient CMS and its default install remnants using the crappiest, free-est tools out there.
So respectfully, Rudy, get someone to patch your shit and seek out some kind of specialist advice. Snarky comments aside – it really comes down to this greater concern: there are literally millions of people in infosec who would be better cyber security advisors than Giuliani or whomever his technical advisors are that he'd call on for advice. So I'd ask – again respectfully – that the president-elect cast a slightly wider net than he has to receive 'cyber' security advice.

As much as most people in infosec are a bunch of opinionated jerks (oh, and we are) we’re all here to help. Just ask a professional.

First sign in knowing one? It’s the person who doesn’t use the word ‘cyber’ to prefix everything they say.

When it comes to industrial processes, security begins at the molecular level.

Not all cybersecurity risk is created equal.

Case in point: when Sony was hacked, information was stolen, systems were wiped, and society was temporarily deprived of a Seth Rogen movie.

These were mostly bad outcomes, and Sony certainly suffered a significant financial loss. Now, imagine a similar attack on an oil refinery where compromised systems include the proprietary industrial control systems that manage volatile processes. When I say volatile, I'm referring to processes where a boiler is heating oil by hundreds of degrees separating molecules to produce gasoline and other products. With appropriate access, a bad actor can change how hot that boiler is configured to run.
If you combine that with disabled safety systems, production, the environment — even lives — can be severely affected.

A German steel mill experienced this in 2014 when a boiler exploded after an industrial control system attack; and 225,000 Ukrainians lost power in December 2015 when a hacker group shut down substation systems. I don't want to diminish the impact that malicious attacks have on our financial industry and others. However, chemical, oil and gas, and power generation attacks can have much graver outcomes — yet, surprisingly, these industries are in some ways the most vulnerable.
If you examine cybersecurity within a typical industrial process company, you find many of the same protections you find in any other company — antivirus software, firewalls, application whitelisting, and more.

These security controls are focused on protecting workstations, servers, routers, and other IT-based technology.
In other words, they protect the flow of information. But systems that move and manipulate molecules (for example, oil separating into constituent parts) are not nearly as secure. Why? Because many of these systems were built and deployed before cybersecurity was even a thing.
Industrial facilities rely primarily on layered defenses in front of industrial control systems, security by obscurity (think complex systems on which it takes years to become an expert), and air gapping (physical isolation from other networks). The reality is that layered defenses and air gapping can be bypassed.
Industrial facilities, for instance, periodically have turnarounds where they perform maintenance or switch production output.

This requires hundreds of engineers — many of them third-party ones — working multiple shifts to get production back online.

They are authorized users who could accidentally (or intentionally) introduce malicious code or configuration changes into a control system. Relying on obscurity as a strategy only has limited effect. With the rise of nation-sponsored cyber warfare, the capability of manipulating complex control systems is also on the rise.

The Ukrainian power attack, for instance, included malicious firmware updates that were believed to have been developed and tested on the hacking group's own industrial control equipment. Heck, you can even buy a programmable logic controller (a type of industrial control system) on eBay.

Potential Impact

The Obama administration's Commission on Enhancing National Cybersecurity report was released in early December.

There were some good recommendations in the report, particularly around having a security rating system for Internet of Things devices. What I found disturbing was that the report stated the distinction between critical infrastructure systems (found in the industries highlighted in this post plus others, such as transportation, that also rely on industrial control systems) and other devices is becoming impractical.

The point is that in a connected world, everything is vulnerable and attacks can come from any quarter.
It's a fair point, but this idea diminishes the importance of impact, which is essential to driving priority, policy, and investment decisions. Protecting the systems that manipulate molecules must have priority and, in some cases, have precedence over the ones that maintain information. So, where do you start? Where should investment flow? Most companies need to start at the beginning and simply begin to track the cyber assets they have in an industrial facility.

Another fun fact: many don't track that data today, or do so in a highly manual way, which means there are data gaps and errors. Without visibility into the cyber assets in a plant, you can't effectively secure them. And when we talk about cyber assets, any credible inventory plan must include the controllers, smart field instruments, and other systems that manage the volatile processes we've discussed (these systems, by the way, make up 80% of the cyber assets you find in an industrial facility).

This can't happen in a spreadsheet, but it must happen through automation software that can pull data from the many disparate, proprietary systems that can exist in a single facility. With an automated, detailed inventory that is updated regularly, companies can begin to do the things they know are important for securing any system — they can monitor for unauthorized changes, set security policies, and more.
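As an added example (not code from the article or from PAS), the kind of check an automated inventory makes possible: a baseline register of controllers and smart instruments is compared against a snapshot taken after a turnaround, and every change that no approved work order covers is reported by severity. All asset identifiers, firmware versions, settings and the approval list are constructed for illustration.

```python
# Constructed records (not real plant data): type, firmware and the
# security-relevant settings an inventory tool would read from each device.
BASELINE = {
    "PLC-101": {"kind": "PLC", "firmware": "2.4.1",
                "config": {"boiler_temp_high_limit_C": 420, "remote_program_mode": False}},
    "SIS-201": {"kind": "safety_plc", "firmware": "1.9.0",
                "config": {"safety_interlock_enabled": True}},
    "TT-301": {"kind": "transmitter", "firmware": "3.1.2", "config": {"write_protect": True}},
}

# Snapshot after a turnaround (constructed): a raised temperature limit, a
# disabled safety interlock, a firmware upgrade and a device nobody registered.
SNAPSHOT = {
    "PLC-101": {"kind": "PLC", "firmware": "2.4.1",
                "config": {"boiler_temp_high_limit_C": 480, "remote_program_mode": False}},
    "SIS-201": {"kind": "safety_plc", "firmware": "1.9.4",
                "config": {"safety_interlock_enabled": False}},
    "TT-301": {"kind": "transmitter", "firmware": "3.1.2", "config": {"write_protect": True}},
    "PLC-999": {"kind": "PLC", "firmware": "0.9.0", "config": {}},
}

# Changes an approved work order covers: (asset, attribute, new value).
# Only the SIS firmware upgrade was scheduled for this turnaround.
APPROVED = {("SIS-201", "firmware", "1.9.4")}


def diff_inventory(baseline, snapshot, approved):
    """Return sorted (severity, asset_id, message) for each unauthorised difference."""
    findings = []
    for asset_id, cur in snapshot.items():
        base = baseline.get(asset_id)
        if base is None:  # never in the register: a rogue or forgotten device
            findings.append(("HIGH", asset_id, f"unregistered {cur['kind']} seen on the network"))
            continue
        if cur["firmware"] != base["firmware"] and (asset_id, "firmware", cur["firmware"]) not in approved:
            findings.append(("HIGH", asset_id, f"firmware {base['firmware']} -> {cur['firmware']} without work order"))
        for key in sorted(set(base["config"]) | set(cur["config"])):
            old, new = base["config"].get(key), cur["config"].get(key)
            if old == new or (asset_id, key, new) in approved:
                continue
            # A safety system's settings changing is the worst case; everything else is high.
            sev = "CRITICAL" if base["kind"] == "safety_plc" else "HIGH"
            findings.append((sev, asset_id, f"{key}: {old!r} -> {new!r} without work order"))
    for asset_id in baseline.keys() - snapshot.keys():  # lost visibility of a known asset
        findings.append(("MEDIUM", asset_id, "registered asset missing from snapshot"))
    return sorted(findings)
```

Running `diff_inventory(BASELINE, SNAPSHOT, APPROVED)` reports the disabled interlock as critical, the raised boiler limit and the unknown controller as high, and stays silent on the firmware upgrade that the work order authorised.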

Doing so allows companies not only to secure information, but also secure the molecules — the lifeblood of an industrial process company.

As General Manager of the Cybersecurity Business Unit at PAS, David Zahn leads corporate marketing and strategic development of the PAS Integrity Software Suite.

David has held numerous leadership positions in the oil and gas, information technology, and outsourcing ...