CyberWire Daily - AMD investigates report of processor flaws. A look at OceanLotus. Patch Tuesday. Russo-British tensions high. MuddyWater threatens researchers.

Episode Date: March 14, 2018

In today's podcast, we hear that AMD is investigating a report of exploitable flaws in its processors. Vietnamese threat actor OceanLotus gets a look from researchers. Patch Tuesday notes. Britain expels Russian diplomats in retaliation for a nerve agent attack. Russia demands to know what these cyberattacks are that the UK is said to be threatening. A brief history of Russo-British Twenty-first Century espionage and cyber tensions. Iranian threat actor MuddyWater threatens researchers. Justin Harvey from Accenture on the importance of the first 48 hours following a breach. Guest is Patrick Sullivan from Akamai on VPNs and the notion of “verify and never trust.”

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Ocean Lotus gets a look from researchers. We've got some Patch Tuesday notes. Britain expels Russian diplomats in retaliation for a nerve agent attack. Russia demands to know what these cyber attacks are that the UK is said to be threatening. A brief history of Russo-British 21st century espionage and cyber tensions. And Iranian threat actor MuddyWater threatens researchers.
Starting point is 00:02:34 I'm Dave Bittner with your CyberWire summary for Wednesday, March 14, 2018. Significant flaws in AMD processors have been reported by CTS Labs, a hitherto little-known Israeli firm. AMD says it's investigating, but also says it had never heard of CTS Labs, and that CTS gave AMD only a day's warning before going public. This is, of course, far shorter than the 60 to 90 days most companies tend to follow. Google's Project Zero, for example, uses 90 days. How quickly a flaw might be made public can depend upon other things too.
Starting point is 00:03:07 A present danger to public safety might well warrant swift public disclosure, but that doesn't seem to be the case here. The flaws, which affect EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile processors, require admin rights for exploitation. It is possible for attackers to gain admin rights in various ways, so that's not an insurmountable obstacle to exploitation. CTS Labs calls the vulnerabilities Masterkey, Ryzenfall, Fallout, and Chimera. Assessment of the details is difficult.
Starting point is 00:03:40 CTS Labs redacted much technical information to prevent its use by bad actors. Security experts differ in their judgment of the problem's severity, but few seem willing to defend the way the vulnerabilities were disclosed. ESET and others have been tracking Ocean Lotus, also known as APT32 or Cobalt Kitty. The threat group operates for the most part against targets in Southeast Asia. Cambodia, Laos, and the Philippines are said to be particularly affected. It shows some sophistication in its approach and operations. Yesterday was March's Patch Tuesday.
Starting point is 00:04:19 Adobe issued its regular ritualistic patches of Flash Player, and if you use Flash Player, you should apply them. Microsoft came out with 14 updates that, by Krebs on Security's estimation, covered more than 75 vulnerabilities. Ivanti puts the number at 78. Redmond's patches affect all the still-supported Windows versions, and also Explorer, Edge, Office, SharePoint, and Exchange Server. The critical vulnerabilities addressed are said to be in browsers and related software. Mozilla Firefox and Firefox ESR also issued patches.
Starting point is 00:04:56 They rate their updates as critical and say they've fixed 21 vulnerabilities. Do you use a VPN to access your corporate network remotely? Plenty of people do, and it's widely considered a good practice for security and privacy reasons. Patrick Sullivan is Director of Security Tech and Strategy at Akamai, and he joins us to outline some of the challenges of VPN use and why the notion of verify and never trust is a core principle worth consideration. You know, VPN is sort of a broad term. There are VPNs, you know, for point-to-point connectivity between offices. We won't talk about that today.
Starting point is 00:05:34 I think we'll talk about the category of VPNs that are used to provide remote access. So I think, you know, really what we're seeing is at one time sort of VPNs were, if not the exclusive, certainly the dominant technology used to provide remote access. And if we look at sort of the assumptions that went into that, there was sort of a network perimeter based model that almost everybody implemented. And really in that model, you saw users and apps inside sort of a trusted network segment, typically in a corporate data center. And then there was some form of network perimeter that would separate the trusted segment of the network, which was on private IPs, from the untrusted public Internet. Some people call this sort of a castle and moat architecture. technology that would be used to extend that interior of the castle and moat, if you will, to one of our trusted employees who happen to be outside of the four walls of that corporate office. So to extend that castle and moat to somebody's remote location and give them
Starting point is 00:06:36 trusted network layer access that they could use to access corporate applications. So you all are advocating this principle of verify and never trust. Can you take us through what that means? We're certainly one voice of many there. So I think when you look at kind of the traditional VPNs or kind of what we're talking about today, somebody would connect in to that VPN
Starting point is 00:07:02 for the duration of that session, maybe eight hours. And at that point, we've decided that we trust them on that VPN session. If somebody walks into our office, they're an employee, they connect into an Ethernet port or a corporate Wi-Fi, we're trusting them at the network layer. So really, that level of trust at the network layer is dangerous. We've seen that. I think there are a number of voices out there, you know, Forrester with zero trust. Gartner talks about CARTA. And really, they speak about the risk of trying to make a perfect macro level security decision, you know, specifically in this case, to give somebody network layer access on a VPN for the next eight hours, right? That's a macro level decision.
Starting point is 00:07:46 And I think the opposite of that is to not trust that the network layer, to proxy each and every request, to inspect those and to consider identity, to consider least privilege, which applications does somebody need to perform their job, you know, based on their role in the organization, you know, potentially, you know, doing simple things like multi-factor authentication as well as part of that configuration. So take us through, what are you advocating in terms of implementing this sort of thing? I have to say it sounds more complicated than what we were dealing with earlier, but is it in fact? I don't think so, right? So I think if you look at the way this would work, in many cases, what you have is an access proxy.
Starting point is 00:08:29 So rather than a network layer device that drops you into a trusted network segment, an end user would point their browser to a proxy. DNS will direct them there. And then that proxy will have information about their identity in that organization. And part of that identity would be their role, their job description. So it's actually, in many ways, it's simpler to set up and it's faster. I think when Akamai first embarked on this, we were up and running and we first looked at third-party retailers and we had a system up in place in ours. Because it is a SaaS-based model in the cloud, which takes away a lot of the challenges of rack and stack.
Starting point is 00:09:09 That's Patrick Sullivan from Akamai. Taking a quick look at our CyberWire event tracker, coming up is the third annual Billington International Cybersecurity Summit. That's going to be on March 21st at the National Press Club in Washington, D.C. And if you're in the Denver area next week, on March 22nd, the Cybersecurity Summit is coming up. You can get 50% off your admission with the code CyberWire50 on their website, CybersummitUSA.com. To find out more about these events and to get your event listed, head on over to thecyberwire.com slash events. before last night's midnight deadline, instead demanding explanation of rumors that the UK is considering retaliatory cyberattacks against Russia. Prime Minister May has said she will consider the full range of measures available to retaliate against Russia.
Starting point is 00:10:16 Business Insider has a useful quick summary of what that range looks like. First, expulsion of Russian diplomats. This has been done, with 23 of them declared persona non grata. Second, formal withdrawal of official UK presence at the upcoming World Cup to be held in Russia. Foreign Secretary Boris Johnson has suggested this. It seems likely to happen. Third, withdrawal of credentials from RT, the Russia Today news service. Ofcom, the independent
Starting point is 00:10:45 British communications regulator, is considering pulling RT's license, and many observers think it likely to do so. If it does, Russia is likely to kick British news services out of Russia. Fourth, cyberattacks against Russia assets. This one is risky, but it's also an option that Home Secretary Amber Rudd has hinted at in the past. It's also the option Russia has itself demanded an explanation of. Britain is a capable cyber power, and it's difficult to imagine London and Moscow actually wanting to swap punches in cyberspace. On the other hand, the Five Eyes have all recently attributed NotPetya to the Russian government, and British companies figured prominently among the victims of that campaign, so there may be some sense that the battle's already been drawn.
Starting point is 00:11:33 Fifth, freezing the assets of Russian oligarchs. The Conservative government has come under pressure from Labour, and also from others, to enact some version of the US Magnitsky Act, which would enable the freezing or forfeiture of Russian assets. The government has been reluctant to do so, but this sort of retaliation would certainly hit what influential Russians value. Her Majesty's government is asking for a U.N. Security Council meeting to address what it regards with reason as a Russian chemical attack on British soil. Twenty-two people were treated
Starting point is 00:12:05 for exposure to nerve agent three the two targets sergey skripal and his daughter and a british first responder remain under treatment a few hundred others in the vicinity of the attacks were offered decontamination another russian businessman nikolai glushkov a fugitive from russian justice in an aeroflot embezzlement case and a witness in the Litvinenko assassination, which also happened in the UK, died under unexplained circumstances Tuesday in his London home. Police report signs of strangulation. Of course, Russian wet operations are widely suspected, and authorities in the UK are investigating the death as a possible act of terrorism. Alexander Litvinenko was a former FSB officer and defector who became a naturalized British subject.
Starting point is 00:12:54 On November 1, 2006, Litvinenko was hospitalized for what was diagnosed as exposure to polonium-210. The dose proved lethal. Litvinenko died three weeks later. If Sergei Skripal and his daughter were hit with a chemical weapon, Litvinenko fell victim to a radiological one. The MuddyWater threat group, generally associated with Iran, also seems newly disposed to play rough. Trend Micro researchers probing a server connected to the group received a message in stereotypical terrorist lingo
Starting point is 00:13:28 right out of the scriptwriter's world. Stop! Kill you researcher! Normally, one would laugh this kind of thing off as skid nonsense, but anyone might be excused any additional wariness they might feel in the wake of what's been happening in the UK. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:13:57 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:14:30 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
Starting point is 00:14:44 to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:45 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, I have often heard that when you suffer a data breach, time is of the essence. And you wanted to make the point today that those first 48 hours are really critical.
Starting point is 00:16:32 Yeah, many times you don't really know if you have an incident. And when you get that first alert or when you get the first notification, the clock really starts ticking. So during that first 48 hours, you've got to do a few things. Number one is you've got to triage and see exactly what you have. Is it nation state? Is it cryptocurrency malware? Is it cyber criminal? Is it a ransomware? And once you establish what that type of malware is or what that incident is, then you need to go into incident response mode, assuming that it is characterized as an incident. And it's really critical that you follow your incident response
Starting point is 00:17:13 procedures and actually that they are developed up front. What we're seeing many times is that during that first 48, there is a bit of a let's throw caution and the plan that we've worked on for the last few years or that we've always kept in this little box ready to go break in case of cyber emergency. And all that goes out the door. So it's critically important that you spend the time up front and drill around a strong incident response plan. It's also important to have a retainer, to be able to reach out to another firm or organization to get help. And a lot of times what I have seen is that there's a cyber crisis or a cyber incident
Starting point is 00:17:58 and the company or the enterprise hasn't prepared in getting all of the necessary paperwork done for having that incident response retainer for outside help. And what ends up happening is there is a deluge of vendors. If it becomes public, there's a deluge of vendors trying to get their foot in the door and tell you about their solution, their service, their people that can help you. And assuming that you do pick an incident response vendor during this first 48, then you're going to go into legal hell. You're going to go, your own legal team will be amped up wanting to review everything because there's an active incident. And can you imagine trying to get an incident response retainer or incident response contract done in that period of time? So you're going to go back and forth on red lines around liability, around data protection classifications, how your data is handled and where it's stored. You don't want to do that up front.
Starting point is 00:18:57 You want to be able to have that retainer in place beforehand so that it's as simple as picking up the phone and dialing an incident response company and saying, I need your services right now. And it strikes me that because so much of this, I think when something like this happens, there's a natural tendency for people to be emotional. Something bad has happened. And the more you can plan ahead of time to help keep yourselves out of that emotional state, that probably the better off you're going to be. Absolutely. When you're going off half-cocked, if you're going off
Starting point is 00:19:30 and not properly framing the problem and thinking about it in a deliberate manner, you are at risk of making some poor decisions. For instance, one of the things that is very commonplace in the industry is don't destroy the evidence. Meaning, if you have an incident, don't turn the machine off and don't ship it in its shutdown state to somewhere else for examination. You want to put the system in hibernation mode. By putting it in hibernation mode, that gets it off the network. It is essentially sleeping and you're able to preserve the memory for future analysis. Oh, I see. So your volatile memory is an important part of assessing what's happened as well. Absolutely. We're seeing more and more filelessbased attacks, meaning attacks that are only resident within
Starting point is 00:20:25 memory. A lot of these are PowerShell-based in nature, and it's very difficult to go back in time without that volatile memory. Yeah. All right. Good advice as always. Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Starting point is 00:22:00 Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
