Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Privileged Insider Defrauds Australian Museum
Australian Federal Police have executed a search warrant at the Macquarie Park (Sydney) home of a man, 23, arresting him in connection with an alleged cybercrime-enabled fraud against the Australian National Maritime Museum (ANMM). Police seized a number of electronic items including a laptop, hard drives and a mobile phone for forensic analysis.
The man appeared at Burwood Local Court on Friday 3 March on several charges:
- Two counts of unauthorised access and modification with intent to commit a serious computer offence, contrary to section 477.1 of the Criminal Code Act 1995 (Cth),
- Four counts of dishonestly obtaining or dealing in personal financial information, contrary to section 480.4 of the Criminal Code Act 1995 (Cth), and
- Five counts of dishonestly obtaining property by deception, contrary to section 192E of the Crimes Act 1900 (NSW).
The AFP will allege that the man was a contracted IT support worker for a third-party service provider, and that he accessed ANMM's accounts payable system and changed bank account details stored in the system to his own. It is further alleged that he obtained the financial details of several individuals and businesses, using the credit card information to make a series of unauthorised purchases.
In November 2023, the ANMM detected anomalies in provided financial information for some contractors, and called in independent forensic investigators who identified the extent of the issue. The AFP was then notified, and linked the alleged offender to the unauthorised access to several systems and servers.
AFP Detective Leading Senior Constable Clare Yammine said trusted insiders remained a very real threat to the Australian community, and put initial estimates of the total value of money allegedly diverted in this matter at $90,000.
“The AFP is committed to preventing and prosecuting cybercrime and fraud committed against Australians and businesses,” Leading Sen-Constable Yammine said.
AFP Media, Third-party IT contractor arrested for $90,000 fraud, media release, 4 March 2023. Available online at https://www.afp.gov.au/news-media/media-releases/third-party-it-contractor-arrested-90000-fraud.
Yet Another IoT Thing to Worry About: EV Charge Points
Researchers at specialist energy network security firm SaiFlow have found that cyber attackers can disable electric vehicle (EV) charge points and cause a denial of service by exploiting versions of the Open Charge Point Protocol (OCPP) that use WebSocket communications. OCPP is used for communication between the charge points (CP) and a central system management service (CSMS), which together form a charging station network.
The attack exploits two new vulnerabilities that were found in the OCPP standard. First, the standard does not specify how to handle more than one connection to a single charge point simultaneously. As a consequence, an attacker can disrupt the current connection between the CP and the CSMS by simply opening an additional "new" connection to the CSMS. To do this, the attacker also has to exploit a second vulnerability: weak authentication in OCPP.
SaiFlow's researchers tested this approach on multiple CSMS providers; some would close the original CP connection, effectively disconnecting the CP, while others would keep the connection but not use it. Both cases expose the charging station network to a DDoS attack, but the second case will also fail to notify the charge point operator that something is wrong. The attack can also expose some sensitive and personal information.
These vulnerabilities exist in OCPP 1.6J, which is the most commonly deployed; OCPP 2.0.1, which is only now rolling out, could also be vulnerable if authentication is not properly implemented.
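To make the duplicate-connection problem concrete from the CSMS operator's side, the following added example (not code from SaiFlow, the OCPP standard or any CSMS vendor) models a session registry under the two behaviours the researchers observed, alongside a hypothetical "guard" policy. The class names, policy names, the `authenticated` flag and the sample identifiers and addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Conn:
    cp_id: str           # charge point identity the connection claims
    peer: str            # source address (constructed sample values below)
    authenticated: bool  # assumption: result of the CSMS's own credential check

@dataclass
class Registry:
    policy: str                                      # "replace", "shadow" or "guard"
    in_use: dict = field(default_factory=dict)       # cp_id -> Conn the CSMS talks to
    open_unused: list = field(default_factory=list)  # still open, silently ignored
    alerts: list = field(default_factory=list)       # what the operator gets to see

    def connect(self, new: Conn) -> str:
        old = self.in_use.get(new.cp_id)
        if old is None:
            self.in_use[new.cp_id] = new
            return "accepted"
        if self.policy == "guard":
            # Hypothetical hardened policy: always tell the operator, and never
            # let an unauthenticated peer displace a live session.
            self.alerts.append(f"duplicate {new.cp_id}: {old.peer} vs {new.peer}")
            if not new.authenticated:
                return "rejected"
            self.in_use[new.cp_id] = new             # e.g. a genuine reconnect
            return "replaced"
        if self.policy == "shadow":
            self.open_unused.append(old)             # observed case 2: kept, not used
        self.in_use[new.cp_id] = new                 # observed case 1 drops `old`
        return "replaced"

def simulate(policy: str):
    """Replay a constructed sequence: a CP connects, then a second peer reuses its ID."""
    reg = Registry(policy)
    real = Conn("CP-0001", "10.0.0.5", True)
    dup = Conn("CP-0001", "203.0.113.9", False)
    results = [reg.connect(real), reg.connect(dup)]
    return results, reg.in_use["CP-0001"].peer, len(reg.alerts)
```

Under "replace" and "shadow" the second peer ends up as the session in use and no alert is raised, which is the silent failure noted above; under "guard" the original session survives and the operator receives one alert.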
Saposnik, Lionel Richard and Doron Porat, Hijacking EV Charge Points to Cause DoS, blog post, 1 February 2023. Available online at https://www.saiflow.com/hijacking-chargers-identifier-to-cause-dos/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.