CyberWire Daily - Audit finds no Chinese spy chips on motherboards. Huawei CFO hearings continue in Vancouver. Oilfield services firm’s servers attacked. Spyware and adware. Congressional hearings, reports.
Episode Date: December 11, 2018
Audit finds no “Chinese spy chips” on Supermicro motherboards. Huawei CFO Meng’s hearing continues. Oil services firm’s servers attacked. Seedworm shows some new tricks. Secure instant messaging apps may be less secure than hoped. A new adware strain reported. Mr. Pichai goes to Washington, and Uncle Pennybags puts in an appearance. The US House Oversight and Government Reform Committee reports on the Equifax breach. Prof. Awais Rashid from Bristol University on risk management in a data-intensive world. Guest is Barry Hensley from Secureworks on supply chain risks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_11.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An audit finds no Chinese spy chips on Supermicro motherboards.
Huawei CFO Meng's hearing continues.
An oil services firm's servers have been attacked.
Seedworm shows some new tricks.
Secure instant messaging apps may be less secure than hoped.
A new adware strain's been reported.
Mr. Pichai goes to Washington and Uncle Pennybags puts in an appearance.
And the U.S. House Oversight and Government Reform Committee reports on the Equifax breach.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 11, 2018.
Regular listeners will recall on October 4, Bloomberg reported that motherboards built by Supermicro
had been compromised in a hardware attack on the company's supply chain.
Small chips the size of a grain of rice were said to have been found in the motherboards,
and these chips were said to have been installed to give Chinese intelligence services
access to any devices that used them.
Supermicro denied the report.
Among Supermicro's customers were Apple and Amazon,
and both of them also quickly issued strong and unambiguous denials that any such compromised hardware existed in their servers.
Bloomberg did not retract its report,
but some of the sources cited in the articles
walked back the stronger claims attributed to them.
Federal authorities, including the FBI, the Director of National Intelligence,
and the Department of Homeland Security also expressed public doubt about the Chinese spy chip claims.
At this point, the story is widely regarded with skepticism,
and there has been little subsequent follow-up.
In a letter to its customers today, Supermicro says a third-party audit of its hardware conducted
by Nardello tested the company's motherboards and found none of the Chinese spy chips a
Bloomberg report said there were.
That said, as TechCrunch noted, the October report worked its damage.
Supermicro's stock tanked shortly after its publication.
Share prices have not recovered
their September value. Huawei CFO Meng's bail hearing continues. A Vancouver judge did not,
as expected, rule yesterday, and the process has continued into today. Ms. Meng has proposed
electronic monitoring as an alternative to custody and has offered to arrange and pay for security.
The proffered oversight by her husband and private security
seems unlikely to convince the Supreme Court of British Columbia.
It's worth noting that Ms. Meng is wanted by the U.S. for alleged sanctions violations,
not, as one might think from such coverage, on espionage or IP theft charges.
Security concerns about Huawei persist and are widely shared,
but they are not directly what this case is about.
There's a developing story in the oil and gas sector this week.
The Italian oil service company Saipem reports that its Middle Eastern servers have sustained a cyber attack.
Details remain sparse, but Saipem says it shut down some of its IT in order to remediate and recover from
the incident. The affected centers, apart from a small branch office in Aberdeen, were located in
the United Arab Emirates and Saudi Arabia. Elsewhere in the oil and gas sector, and affecting
other targets as well, the Seedworm
espionage group continues to be active and troublesome. Researchers at security firm Symantec
find that the threat actor, which they also track as MuddyWater, has deployed a new backdoor,
Powemuddy, new variants of its PowerStats backdoor, a GitHub repository for storing scripts,
and an array of post-compromise exploit tools.
Seedworm is most active against targets in the Middle East,
but it's also been found in Europe and the Americas.
There's been a shift from oil and gas toward telecommunications services
and government agency IT services.
Symantec assesses the group's goal as espionage, collection of actionable
intelligence likely to be useful against the target at some point. Researchers at Cisco's
Talos unit report that secure instant messaging services may be less secure than generally
believed. They've found that the widely used apps WhatsApp, Signal, and Telegram are in principle vulnerable to side-channel attacks that could expose messages to hackers.
Data may be secure in transit, but during processing or on a user's device, not so much.
A great deal depends on the way the apps and their protocols are implemented,
and many users overlook the complexity of setting them up in a secure manner.
The upshot is that all three of the popular apps could be susceptible to desktop session hijacking.
Controlling access to your network and data is of critical importance to every organization,
but just how common are issues with third-party access?
Barry Hensley is Chief Threat Intelligence Officer for SecureWorks,
and he joins us to share what they're seeing. You know, if you look at it from a SecureWorks perspective, we did about a thousand incident response engagements last year, and we found
about three percent of those engagements, and those are, you know, opportunities that an
organization either was breached or had an opportunity to be breached, we found that 3% of those were tied to some third-party supply chain challenge,
meaning the avenue of approach into the environment
was based upon that third-party relationship that they had.
A common theme that we saw was a trust relationship that was in some cases broken,
meaning if you had a relationship with some software distribution portal
or some software development world or other software update mechanisms,
how do you validate those downloads, as an example?
Or the other thing is, if you gave a third-party managed service provider,
from an IT perspective, access to your environment,
how do you validate
their credentials and their access in a way that's a trust but verified model?
We took a step back and we said, what's the most common things we'd recommend that you'd,
in this case, what we'd call have a holistic defense in depth approach based upon these
various type of risks from a supply chain perspective.
Some of it does go back, and I hate to say, get you back to the basics.
And so we found in most of these engagements, people didn't have the right logging in place
that ultimately would allow them to draw a conclusion.
Was it their own employer?
Was it some third party?
How do you give those suppliers access to your environment? And so now, as an
example, anybody that accesses the network, especially externally from the internet, should
be doing what we call multi-factor authentication, so that there's more than just a username and
password that you gave them. And then obviously, how do you manage user account access or privileges? And so what access should those third-party suppliers have?
And then, you know, once they, in this case, did get in the network,
how do you ensure they can, you know, what we call elevate privileges of some user
based upon the access they maintain?
And then last one, you know, the endpoint is the new perimeter.
And so in the end, they're usually going to gain access to the first server,
the first endpoint or host that they can gain access to,
and then they're going to pivot into the network.
And so from a rapid detection perspective,
how do you have the ability to detect that initial compromise?
And so I guess the last one is how robust is your visibility at the endpoint?
That's Barry Hensley from SecureWorks.
A quick report from security firm Netskope this afternoon
tells us that they've found an adware family they're calling CapitalInstall
that's moving from Microsoft Azure Blob Storage,
whose IP range is unfortunately widely whitelisted.
The malware looks like a commonly used enterprise software installer.
Netskope says the malware makes its criminal masters money through ads
relating to altcoin mining and bogus search engines.
Its effect on the victims is mostly productivity loss
and consumption of computational resources.
French authorities investigate possible Russian influence over ongoing Yellow Vest unrest.
RT, the news service formerly known as Russia Today and one of the Russian government's
principal information outlets, objects that covering the news isn't meddling. And that's
a fair point, simply saying that there are demonstrations
and some rioting in France
and discontent over President Macron's policies
surely doesn't constitute interference or disinformation.
But that's not what investigators are looking into.
They are inquiring into whether fictitious foreign personas
are trolling in social media.
The chum tossed out in this case would be mainly the hashtag
gilets jaunes, that is, yellow vests, and protesters have certainly made use of that in a grassroots
way. The opportunistic conduct of information operations would seem to make it possible that
such trolling has made its own contribution to the unrest. How large that contribution might be is unknown. Social upheaval
of this kind is very commonly overdetermined in any case. Google CEO Sundar Pichai makes his
appearance before the House Judiciary Committee today to discuss Google's data collection, use,
and filtering practices. His prepared remarks emphasize Mountain View's American family romance,
founded by two young dreamers, one a Michigander, the other a Marylander, coming together at
Stanford to dream big. They welcome employees of all viewpoints. They've built jobs, made
immigrants profoundly grateful for this land of opportunity, and so on. Congress is interested
in hearing about data privacy. They think Google may have a problem with this,
and bias, ideological, gender, or any other form bias may take.
Pichai stressed Google's neutrality to Democratic satisfaction and Republican skepticism
with respect to its filtering algorithms.
He also came in for questioning over the company's privacy policies,
given some point by yesterday's disclosure that Google+
had exposed some 53 million users' data to app developers
through an unduly permissive API.
The company has said it's found no evidence that the data was misused,
but it's accelerated plans to retire Google+,
now destined for an even quicker trip to the scrap heap.
Pichai says the company supports federal privacy legislation.
The hearings unfolded today with the usual street theater one sees in Capitol Hill hearing rooms.
For example, a guy dressed up as Uncle Pennybags from the Monopoly game was there in the audience behind Pichai,
twirling his mustache and mugging for C-SPAN.
Uncle Pennybags made his first appearance in the Congressional Peanut Gallery
during last year's Equifax hearings.
He's interested, he says, in showing by his presence
that industry is incapable of self-regulation.
It's not clear how this follows, but the monocle, top hat, and handlebar mustache
are a nice look for him.
Take a ride on the Reading, sir.
If you pass go, collect $200.
The House has released two reports on its investigation of the Equifax breach.
The Oversight and Government Reform Committee's report found that the breach was the preventable
result of the credit bureau's internal security missteps, thus confirming the conclusion most
observers have also reached.
A report by the committee's Democrat minority staff raked the majority over the coals for not doing more for data protection, but such disputes are the small change of partisan
combat in Washington.
There's no dissent from the basic findings.
Do not pass go, as Uncle Pennybags might put it.
And no, free parking doesn't entitle you to anything either.
And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of
cybersecurity at the University of Bristol. Awais, welcome back. Today we wanted to touch on some
of the things people have to consider when they are making decisions,
particularly when it comes to risk, and some of the challenges that come with using data there.
What can you share with us? We live in a data intensive world. At the moment, we also talk
about big data and AI transforming everything. But if you look at the sort of projections of
something like 30 billion devices or more by 2021 and other projections which talk about something like 278 exabytes of data per month by the same period, then we are looking at potentially a large amount of information that we can actually collect from the underlying infrastructure. The challenge is, how do you make sense of all this data?
And there is always a tendency to think
that we can actually log everything
and mine effectively the living daylights out of it.
But there is a big challenge there
as to how do we curate this information
and actually be more selective
about what information from the infrastructure
or the applications and services
that run in that infrastructure
is really pertinent to reasoning about its security state.
So when it comes to managing risk, what sort of approach are you advocating?
I think risk is ultimately a decision-making problem because we can't remove risk.
But how we inform our risk decision-making is very, very important.
And if we are not careful in the way we curate the data and what data we actually bring from
the underlying system or infrastructure in risk decision-making, then we, well, no pun
intended, risk overloading the decision-makers in the first instance with the information.
And as a result, it makes it really hard for them to make sense of such information.
I think the key here is a good balance between automated, semi-automated or human decision making.
And at the moment, we actually do not necessarily know as to which bits of it can we automate
and how automation can provide a value to the human decision maker so that
they can defer some of their decisions because the information that comes and the decisions
that come from automation and AI techniques would provide very valuable insights.
And where do we defer to the human?
Because they can look at the bigger picture, the social, economic, business consequences
of some of the decisions
that they are making with regards to risk.
Yeah, I mean, it strikes me that in this attempt to separate the signal from the noise, that
you sort of need a virtuous feedback loop where the, if you have automation providing
things to the humans and the humans need to be able to provide feedback to the automated
systems to say, well, this was valuable to me, or you missed the mark here. Absolutely. And humans are very good at spotting patterns that
computers sometimes can't. And I think the key challenge really there is that we need to make
sure how we get that feedback loop right. Over the years, mistakes have been made where the knowledge of so-called lay
persons in the organization, not security specialists, when they are seeing some
information coming through is often disregarded because they are not security specialists.
However, they understand the process within which they are working very, very well,
and they are often much better at spotting anomalies than perhaps a security system would.
I'm not saying always.
And I think it's how we get that feedback loop right
and getting the expert, the domain expert,
to provide what would be anomalous, non-anomalous events
in that sense actually create a more holistic loop
between the people and the machine
in terms of spotting events
and hence informing risk decision-making.
Professor Awais Rashid, thanks for joining us.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. We'll see you back here tomorrow.