CyberWire Daily - 5G worries. Whitefly vs. SingHealth. Speculative execution bug.
Episode Date: March 6, 2019

In today's podcast, we hear that Australia's former prime minister warns Britain about Chinese tech companies. Symantec says Whitefly was behind SingHealth's massive data breach. Iranian hackers show code overlap. Intel CPUs are vulnerable to another speculative execution flaw. The NSA hasn't been using its domestic phone surveillance program lately. Sharing code presents dangers. And Google will ban political ads in Canada. Justin Harvey from Accenture with results from their Cost of Cybercrime report, as well as observations from RSAC. Guest is Gerald Beuchelt from LogMeIn with info from their latest password survey. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners: today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout.
That's joindeleteme.com/n2k, code N2K.
Australia's former prime minister warns Britain about Chinese tech companies.
Symantec says Whitefly was behind SingHealth's massive data breach.
Iranian hackers show code overlap.
Intel's CPUs are vulnerable to another speculative execution flaw.
The NSA hasn't been using its domestic phone surveillance program lately.
Sharing code presents dangers.
And Google will ban political ads in Canada.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 6, 2019.
The U.S. isn't alone in its concerns over a prospective Chinese role in 5G networks. Former Prime Minister of Australia Malcolm Turnbull strongly warned Britain against using equipment produced by Huawei or ZTE in its upcoming 5G network, the Sydney Morning Herald reports. In a speech given to the Henry Jackson Society in London last night, Turnbull said Australia's decision to ban Huawei was based on advice from the country's own intelligence agencies and not because of external pressure from the US. He pointed to the fact that there are only four major 5G vendors in the world, two of which are Chinese. He added that it beggars belief that none of the Five Eyes countries has a leading 5G vendor. Turnbull said that when assessing the potential danger posed by these companies, quote, it's important to remember that the threat is a combination of capability and intent. Capability can take years or decades to develop, but intent can change in a heartbeat, end quote.

Symantec published a report today on the group behind last year's SingHealth data breach. The group, which they've dubbed Whitefly, primarily targets organizations based in Singapore, although links to attacks in other nations suggest that it may be part of a larger intelligence-gathering operation. The researchers describe Whitefly as a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks. The group's primary goal is stealing large amounts of sensitive information, and it uses a wide variety of custom-built and open-source malware tools to do so. Its targets include organizations in the healthcare, media, telecommunications, and engineering industries. A Symantec spokesperson told Reuters that they believe it's a state-sponsored espionage group, but they're not certain which state it's working for. The cyber attack against SingHealth occurred in June 2018 and resulted in the theft of personal data belonging to 1.5 million patients. Singaporean officials stated at the time that they believed a state-sponsored actor was responsible, although they didn't share further details.

Palo Alto Networks' Unit 42 has identified potential code-sharing between two threat groups linked to Iran. Unit 42 found that the Chafer threat group targeted Turkish government entities late last year using a Python-based payload they've named MechaFlounder. The initial download URL of this payload contains a parameter that's been spotted in many campaigns carried out by Chafer and the OilRig threat group. The researchers also note that malware code used by both groups shares a number of common variable names, and the tools exhibit similar functionality. Even with these links, however, they aren't confident enough to treat the two groups as one.
Researchers at LogMeIn, makers of the LastPass password management tool, have used anonymized data gathered from their users to get a better picture of where things stand when it comes to how folks are creating, reusing, and managing their passwords. Gerald Beuchelt is chief information security officer at LogMeIn.
Overall, if you really look at the big picture, a moderately good environment where people that are using LastPass are starting to have overall a security score that ranges, depending on where you are and what you do, in the 50s. So the average score across all our reports that we looked at was 52 out of 100, which is an internal score that takes into consideration length of password, uniqueness across different sites, which means that people are already taking password security quite seriously, but there's also still some room for improvement. We're also seeing some regional differences. So the scores in the US and Europe and other parts of the world are higher or lower, sometimes even across industries. There's not a huge variability, though. So it's not that the US is like in the 90s and the rest of the world is in the 30s or so. There is a certain level of general awareness about password security. But at the same time, there is also, generally speaking, a lot of room for improvement that it was seen before.

Yeah, one of the things that caught my eye was that you've been tracking a real increase in the use of multi-factor authentication.

Absolutely, yeah. That's definitely something that we were very pleased to see. We have about 45% of business users using MFA for access to their LastPass accounts. And I think that is, given the amount of password breaches and the concerns that we've seen in the past, a really good sign in terms of people making sure that they are starting to take password security seriously, especially at the enterprise level. And it really amounts to a total increase of about 24.5% from 2017 when we're comparing this.

So what were some of the areas where folks could still use some improvement? What are some of the places where people are still coming up short?

I think it really depends a little bit on what sector you're in. So for MFA, for example, since we're just talking about that, the tech sector is currently at 31% across the board, which is leading the pack to some extent. I think improving multi-factor is something that's important. Making sure that there are stronger passwords that are automatically generated instead of just leveraging passwords that have been reused from prior accounts and just using LastPass to store them. And then really emphasizing the uniqueness of the passwords across different accounts. If we look at the recent recommendations, not so recent anymore, but the recommendations from NIST and from other experts in this field, the basic idea is really that we want to make sure that passwords are very long and are unique across different sites and are not being reused, especially if they have been breached in the past. Focusing on that, I think, is going to drive the security score up and at the same time make sure that the overall password hygiene and posture is going to be better.

Yeah, it was interesting to me. One of the statistics here from the report was that 50% of users didn't create different passwords for work and for personal accounts.

Yeah, that is really concerning, because if you think about a system administrator or somebody who has access to sensitive information as part of their work environment, that they're using the same password that they are using, say, for LinkedIn, or that they have been using for LinkedIn or any of the other sites that have been breached over the last five to 10 years, then those kinds of accounts are obviously at risk through credential stuffing and similar tactics, which we see really on an ongoing basis across the industry. What we see is, with the right education about how to share or not share a password, or how to not reuse them, how to enable multi-factor authentication, etc., we do see significant increases in adoption of LastPass. And ultimately what's really helpful is really getting away from the standard ceremony of signing in by punching in your username, punching in your password, and going off to the paradigm that LastPass offers, which is simply clicking on a tile in your vault in order to log in. Once you really transition users to that kind of general behavior through the appropriate engagement, through awareness training, through other forms of education, it becomes second nature, both in their private lives as well as in their work lives. And that really leads to significant adoption and then ultimately a much better security posture.

That's Gerald Beuchelt from LogMeIn.
Intel CPUs are vulnerable to a new flaw stemming from speculative execution, the Register reported yesterday. Researchers from the Worcester Polytechnic Institute and the University of Lübeck released a paper on Friday outlining the vulnerability, which they call Spoiler. The flaw reveals critical information about physical page mappings to user space processes. In other words, it can allow a non-privileged user to discover the physical layout of virtual memory by measuring the timing of speculative operations. Spoiler increases the speed and efficiency of existing side-channel attacks to an extraordinary degree, some of which can be run by JavaScript in a web browser. The vulnerability affects all Intel Core processors and will require hardware mitigations, so a patch will likely take years. One of the researchers told the Register that he doesn't expect the issue to be fully mitigated within the next five years, since microcode patches would cause a significant loss of performance.

The National Security Agency hasn't been using its domestic phone surveillance program to track links to foreign threats for the past six years, according to Luke Murray, the National Security Advisor to House Minority Leader Kevin McCarthy. Murray said that he's not certain if the program will start back up. He noted that the system had been running into technical issues last year related to working with telecommunications companies. A spokesman for Mr. McCarthy told the New York Times that Murray, quote, was not speaking on behalf of administration policy or what Congress intends to do on the issue, end quote.

Finally, Google will ban political advertising in Canada before that country holds its upcoming federal election. Google's Canada head of public policy and government relations told the Globe and Mail that Canada's new Election Act was too difficult to comply with. The bill is intended to promote transparency and hinder foreign influence in elections by requiring Internet companies to keep a record of all the political ads published on their platforms. Google told the Canadian Senate in November that its advertising system is a highly automated bidding process that chooses which ads to display in less than a second, so building a registry beforehand would require a fundamental reworking of its system. The company said the only feasible way to follow this regulation was by banning political ads altogether. Other online platforms, such as newspapers, are also struggling to find ways to comply with the law.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com/careers to learn more.

Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's great to have you back. I want to touch on a couple things today. You are out at RSA, so I want to get your take on how the conference is going so far. But also, Accenture, you all just recently released your Cost of Cybercrime report. Why don't we start with that? What does the report cover?

Well, the Cost of Cybercrime report, Dave, is based upon interviews with more than 2,600 security and IT professionals at over 355 organizations worldwide. And we put together a comprehensive listing of questions, asking for data, which we've then merged into this final report. And the 2019 Cost of Cybercrime study really focuses on what our organizations are missing through cybercrime. And there are actually quite a few observations and some data points that I'd like to share with you and the listeners. The first is two types of cyber attacks accounted for one third of the total $13 million cost to companies on average. So that means that one third of the cost of cybercrime comes from malware and malicious insiders. And the average incident cost is over $13 million. Now, keep in mind, Dave, last year was $11.7 million on average. And actually, the cost of responding to these incidents has gone up. Another data point that I find very interesting here is also the data point not of the cost, the direct cost of a cyber attack, but we've also, we've actually been able to articulate what companies are missing out on. And that missing out on is revenue. So up to, in some cases, over 3% of annual revenue can be lost through a cyber attack. And perhaps it's brand damage. Perhaps it is the revenue opportunities are not there because they're not able to collect revenue from customers. Or perhaps they have to delay new services to generate that revenue. And like I said, it was 3% for the organizations, but it's up and over $580 million worldwide when it is combined. And that number is only going to rise as cybercrime increases.

So in terms of recommendations based on what you gathered from the report, what can you share there?

Well, the recommendations really come back to the same talking points that our industry has been talking about for quite some time. It's about building a cyber resilient enterprise, one that can bounce back from a cyber attack to get back to business. A few of the highlights: automation, orchestration, and machine learning technologies can be deployed and integrated over the next few years. That will actually help the two key metrics that we always talk about, Dave. One, the mean time to detect. How can we get better and faster at finding the bad guys? And then finally, the mean time to respond. So not only can we find the bad guys, but we can actually get them out of the enterprise faster and in a more timely manner.

So I want to switch gears with you. You are there on location at RSA Conference. What is your overall sense of the show this year? As you walk around, what's the overall tone?

The theme this year is products, products, products. There are an immense amount of products and solutions and platforms and technology that is fueling this industry. And I keep saying it every year, I'm waiting for the other shoe to drop. There is a ton of investment in security technologies and products. And that is showing in the RSA conference here. This is the first year where they've actually had one contiguous show floor. And years previously, it was north and south. Many of your listeners know that they have Moscone Center here in San Francisco that has been renovated. And now it's one huge floor. It is a sea of vendors and technology. And I'm really waiting for this market consolidation to happen. We've seen the economy kind of plateau, I guess you could say, over the last year. There have been some high, really high highs, really low lows. It's evening out. But there's a lot of capital investments being poured into the technology here. And I can't help but think that coming to this conference, that I could walk away being, let's say, a new person saying, oh, well, I need all, do I need all these technologies? Could I do a best-of-breed solution-based approach for every little niche problem I have? Do I need to buy a tool? And I think that many of us are saying, where's the people? Where's the process? Where is the emphasis on the individual in things like security awareness and training and understanding the threat landscape and really understanding the mechanics behind what the adversaries are doing and how to respond to those? And, yes, Dave, I do see some training booths. I do see some security awareness booths. But I think the industry needs to take a little bit of a course correction here in getting back to what's most important, and that is the people.

All right. Justin Harvey, thanks for taking the time for us. Thanks for joining us.

Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

Check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.

ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.