This Week in Cybercrime: Chevron Bitten by Stuxnet, SEC Embarrassed by Security Breach

South Carolina now thinks encrypting sensitive taxpayer data is good security practice


It’s been a relatively quiet week in the world of cybercrime. We start off this week’s review with Chevron’s admission yesterday that its IT systems were infected with the Stuxnet malware back in July 2010. This is the first time a U.S. company has acknowledged being infected by the malware which the U.S. and Israel created and used to target Iran’s uranium enrichment program.

Mark Koelmel, general manager of the earth sciences department at Chevron, told the Wall Street Journal that, “I don’t think the U.S. government even realized how far it [Stuxnet] had spread. I think the downside of what they did is going to be far worse than what they actually accomplished.”

Chevron’s admission will no doubt fan the debate over whether Stuxnet escaped into the wild or whether Chevron may itself have been deliberately targeted.

Chevron told the WSJ that it was not adversely affected by Stuxnet, but I think that all depends on how you define “adversely affected.”

Coincidentally, a story at ComputerWorld yesterday reported that a team of Russian security researchers has found that Siemens’s updated WinCC SCADA (Supervisory Control And Data Acquisition) software, which was targeted by Stuxnet, is still full of security holes. The story says that the research team “found more than 50 vulnerabilities in WinCC’s latest version, so many that Siemens has worked out a roadmap to patch them all… Most are problems that would allow an attacker to take over a WinCC system remotely.”

Looks like Siemens has more work to do.

In a case of do-as-I-say, but-not-as-I-do, Reuters reported yesterday that staffers at the U.S. Securities and Exchange Commission “failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks.” The irony is that the staffers were part of the SEC's Trading and Markets Division, which is responsible, Reuters says, “for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems.”

The security breach caused the SEC to spend over $200 000 to conduct a security audit to ensure that no information was compromised.  The SEC also had to notify all the stock exchanges of the breach, which made none of them very happy (although the schadenfreude felt was likely acute), especially since the SEC has been pushing public companies hard to disclose the risk of cyber incidents.

The SEC had no comment on the Reuters story. It likely will be forced to break its silence and explain to Congress how the breach was allowed to exist, however, once a report is published on the incident in the near future by the SEC Interim Inspector General.

There was also a disturbing story this week in the Minneapolis Star Tribune about a former policewoman who has collected more than $1 million so far from lawsuits filed against a number of Minnesota cities because police officers illegally accessed her driver's license information from the state’s motor vehicle database. According to a story at CityPages, her information had been “accessed 425 times by 104 officers between 2007 and 2011… and additional 174 times in 2006.”

The Star Tribune story noted that police officers accessed the woman’s license “because she was very attractive and so they could see that 'she's changed and she's got a new look.’ ”

Routine and unauthorized access of Minnesota's driver's license database by police has been alleged in the suit, something that the city police departments involved deny. However, city governments across Minnesota have apparently taken steps to tighten police access to driver's license information, as well as to increase the penalties for unauthorized access, in light of the lawsuits. So far, though, none of the officers identified as taking part have been disciplined.

Finally, in a case of locking the barn door after all the horses have escaped, South Carolina announced that it will be spending the next two to three months encrypting its revenue department data. As I noted last week, some 3.6 million unencrypted taxpayer Social Security numbers, 387 000 credit and debit cards, and information on over 657 000 South Carolina businesses were stolen by cybercriminals last month from South Carolina’s Department of Revenue.

Governor Nikki Haley had recently stated that Department of Revenue taxpayer data hadn’t previously been encrypted because doing so was “cumbersome” and, what’s more, data encryption wasn’t an IT security industry best practice. I guess she has changed her mind.

It is estimated that South Carolina will be spending in excess of $30 million just to provide affected taxpayers with fraud protection services for the next year.
