CyberWire Daily - Capital One breach update. CISA warns of avionics CAN bus vulnerabilities. More attacks on local Louisiana governments. Change at the SEC. Cyber summer school for NATO, EU diplomats.

Episode Date: July 31, 2019

Capital One takes a market hit from its data loss. Observers see the incident as a reminder that cloud users need to pay attention to their configurations. CISA warns of vulnerabilities in small, general aviation aircraft. Another parish in Louisiana is hit with a cyberattack. The SEC’s top cyber enforcer is moving on from the Commission. And diplomats go to cyber summer school in Estonia. It’s not a coding bootcamp, but it should give them the lay of the cyber land. Jonathan Katz from UMD on speculation about what a quantum internet might involve. Guest is Jessica Gulick from Katzcy Consulting on the Wicked6 eSports-style cyber competition coming to Las Vegas during Black Hat & Defcon. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_31.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Capital One takes a market hit from its data loss. CISA warns of vulnerabilities in small general aviation aircraft. Another parish in Louisiana is hit with a cyberattack. The SEC's top cyber enforcer is moving on from the Commission.
Starting point is 00:02:11 And diplomats go to cyber summer school in Estonia. It's not a coding boot camp, but it should give them the lay of the cyber land. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 31, 2019. Capital One's reputation and stock price have taken a hit from the data breach the financial services company disclosed this week, the Wall Street Journal reports. Its share price dropped almost 6% on Tuesday. The company has since its founding seen itself as a technologically savvy operation. Corporate folklore describes Capital One's self-image as being a tech company that delivers financial services. They were an early adopter of the cloud, for one thing,
Starting point is 00:03:00 and the misconfigured firewall that escaped notice is what gave the alleged attacker access to their data. The cloud is good, and even good for security, but it can't be used casually or inattentively. This isn't a set-it-and-forget-it proposition. Another Journal headline calls the incident an example of the insider threat, but it seems instead to be a familiar case of misconfiguration allowing unauthorized access to data in the cloud. The accused hacker, Paige Thompson, seems to have had the technical wherewithal to pull the caper off, but in other respects seemed to struggle with problems in living, again as reported by the Wall Street Journal. As Wired notes, she didn't cover her
Starting point is 00:03:42 tracks particularly effectively. The accounts in which she talked about her activities were easily traceable, and Tor doesn't amount to a cloak of invisibility. Forbes says that Thompson may be under investigation in connection with other incidents, some involving at least one state government, others involving other companies. The Department of Justice isn't commenting on the possibility. Forbes bases its conclusion on things people have observed in accounts that may be associated with Thompson. Thompson is widely identified as having worked for Amazon, but that was a few years ago,
Starting point is 00:04:16 and it seems unlikely that any insider knowledge Thompson may have acquired in Amazon had much, if anything, to do with the attack. The misconfiguration would seem to explain how an attacker got in. Capital One isn't the first to suffer from this sort of mishap, and they're unlikely to be the last. For its own part, Amazon has said it wasn't affected by the incident. Capital One is now subject to at least one class action suit, initiated by a Connecticut man who says he's a Capital One customer whose personal
Starting point is 00:04:45 information was compromised in the breach. It's expected that more lawsuits will follow. New York's Attorney General has also opened an investigation. Moving to aviation cyber vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency, that's CISA, has issued a warning based on research by Rapid7. The research describes a way in which an attacker could compromise the avionics controller area network, that's the CAN bus, aboard an aircraft. As CISA put it in their warning, quote, an attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in
Starting point is 00:05:25 incorrect readings in avionics equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, air speeds, and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft. The immediate recommendation for mitigation of this risk
Starting point is 00:05:54 is to restrict physical access to aircraft. CISA hopes that aircraft manufacturers will address the vulnerability with upgrades and with new production. A number of the stories reporting CISA's warning are illustrated with stock photographs of airliners, but this might be misleading. The study on which the warning was based didn't look at airliners. Patrick Kiley, the researcher at Rapid7 who looked into the problem, was talking about small aircraft.
Starting point is 00:06:21 Indeed, from his blog post, it appears he got interested in the problem while working on his own kit-built airplane. He worked on two CAN bus implementations that are popular with small aircraft pilots. If you're familiar with earlier research into vulnerabilities associated with CAN bus implementations in automobiles, these findings will have a familiar ring. The CAN bus is a standard protocol for vehicles that allows their internal systems and devices to communicate electronically. Kiley shared his findings with CISA, Idaho National Laboratory, the Federal Aviation Administration, and the Aviation Information Sharing and Analysis Center, the A-ISAC.
Starting point is 00:07:00 He urges other researchers to do likewise. He found it a valuable exercise. He also points out in his blog that general aviation's reliance on physical security at airports to protect airplane systems may have made the sector less attentive to cyber risk than the similar automotive sector. That is, you park your car on the street and usually lock it, but otherwise people can gain access to it. So the automobile sector has paid some attention to things like network segmentation and other security controls. That hasn't yet been the case with general aviation, Kiley thinks. The Women's Society of Cyberjutsu is holding a special cyber exhibition fundraiser next week in Las Vegas. They're calling it the
Starting point is 00:07:43 Wicked6 Cyber Games, and we're proud to be media partners for the event. Jessica Gulick is CEO at Katzcy and vice president of the Women's Society of Cyberjutsu. We had this idea, why not try to take this to Black Hat and really start to encourage people to recognize cybersecurity as a sport, as an e-sport specifically, because it brings such a great dynamic to the conversation around cyber skills, as well as playing as a team, as well as the career aspect of cybersecurity. So we wanted to focus first on college students, a co-ed competition, bring them out, have some excitement like you would at a football game. So much of cybersecurity in the media really goes to talking about major hacks.
Starting point is 00:08:32 And we talk about infamous hackers, if you will. We wanted to spend some time on really celebrating those people that are honing their skills for good. Yeah, it's interesting to me too, because I think we were all aware of that stereotype of the loner sitting in their basement, hacking away at a keyboard at all hours of the night. And so I think the emphasis here on team sports, that's really something fresh. You know, it's interesting that you say that, because I feel that way as well. In reality, and reality has a vote, in reality, when you're running a cyber team, it's a team, right? You're not doing cyber defense and it's one individual working from home.
Starting point is 00:09:27 They are usually working together. And whether it's a penetration test, an adversary emulation, or any kind of defensive tactic, real cybersecurity happens in teams. It happens in operation centers 24/7. And so it's important to have that team dynamic. And that to me is always fun, right? I remember the first time that I went on a penetration test exercise, if you will. We had it at a client. I was the project manager. I was expecting everybody to open up their laptops and just start attacking the network. It's not what happened. What I found was it was a heist. They planned it out and they were very careful on what steps they took and when they took them. There was a lot of communication. There was this best-athlete approach where they would literally rotate chairs. Okay, your turn. Looks like I got through. Next, your turn. And there was this team dynamic that really excited me. And that's
Starting point is 00:10:14 really what got me started in wanting to be supportive of cyber competitions like this. And I think that part of the story is not being told out there. And if more people heard about it, more people would be interested in playing or having this as a career. Can you give us some insights into the actual formation of the teams themselves? Did some of the teams come to you preformed or have you been putting folks together yourselves or a mix of both? So for this first year what we wanted to do is focus on college teams because many of the colleges already have a team identified. We wanted to provide a format so that they could create a team if they didn't have it.
Starting point is 00:10:54 For example, community colleges might not typically play in this arena, and we still wanted to allow for that kind of opportunity. So we put out parameters, we did a lot of scouting, if you will, reaching out to college teams we knew already existed, either through individuals that we know or online through social media. And we had 21 collegiate teams come together. There are requirements: they have to have six players, four active players, and one of those active players needs to be a female. But for the most part, they have a lot of flexibility. But we'll also have an opportunity, because this is a fundraiser, for some of the adults that are walking in that, you know, either they feel like, hey, I could do that, or I'm curious; they'll have the opportunity to donate and put their fingers on a keyboard and try out a mission or two themselves.
Starting point is 00:11:46 So can you give us a little background information on the Women's Society of Cyberjutsu? So the Women's Society of Cyberjutsu was started in 2012. And our mission really is to advance women into cyber careers. We also have Cyberjutsu Girls, which reaches down all the way to middle school and provides some programs for them, both of which are across the nation. It's a really exciting program. It's not competing with training. This is really about opportunity for workshops and to really taste and try out your skills. We have over 2,000 members, and they range across a variety of skill sets. We have seen quite a number of them coming in from IT careers, so they're crossovers or what we call boomerangs coming back into the career. And they just want to belong to an organization to allow them to learn new skills and network and understand where they want to take their career.
Starting point is 00:12:43 That's Jessica Gulick. The Wicked6 Cyber Games are August 8th at the Luxor Hotel and Casino in Las Vegas. You can find out more at their website, wicked6.com. A fourth school district in the state of Louisiana has sustained a cyberattack. The Advocate reports that Tangipahoa Parish is the latest victim. Some, although not all, of the attacks on the four parishes so far affected have involved ransomware, but the identity and motives of the attackers remain unclear. The SEC's top cyber enforcer is moving on after 15 years with the Commission.
Starting point is 00:13:19 Robert A. Cohen, who led the U.S. Securities and Exchange Commission's Division of Enforcement Cyber Unit since its inception in 2017, will be leaving the agency in August, the SEC announced. offered a summer school for NATO and European Union diplomats designed to give them some necessary familiarity with the issues, technologies, and strategies that shape international relations in cyberspace. One of the objectives was to familiarize them with basic hacking techniques like what's a botnet? What's a distributed denial-of-service attack? They don't need to be coders,
Starting point is 00:14:01 but knowing the lay of the land in cyberspace is undeniably a good thing. a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:56 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:15:25 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:16:13 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. We had an article come by from Scientific American,
Starting point is 00:16:42 and this was titled, The Quantum Internet is Emerging One Experiment at a Time. We've got some progress being made here when it comes to quantum things in the digital world. I think that there's some early progress here. There are certainly people talking about making progress. And what's going on here really is we know a lot about or we've heard a lot about quantum computers, which you can think of as, you know, local computation devices that are relying on quantum mechanics to do things that we can't do classically. People have probably heard about quantum key distribution, which allows two computers to use quantum mechanics in order to agree on a classical cryptographic key.
Starting point is 00:17:22 And what they're talking about here is basically going to the next level and thinking about what it might look like to have a fully quantum internet, meaning to allow computers, quantum computers, to be able to communicate quantum states with each other, fully general quantum states with each other, and what that might allow. So people are just, I think, really only starting to think about this. People are doing initial experiments to try to determine feasibility, and people are also thinking about what that might mean and what kind of applications that might allow. Yeah, one of the things the article dug into here,
Starting point is 00:17:52 which I found fascinating, was that thing that Einstein called spooky action at a distance with quantum entanglement. What are the implications of that? Right, so quantum entanglement would basically mean essentially that you have two different entities who are able to share, let's say, pieces of a quantum state. And then when any one of those entities would measure the state that they hold at their side, it would instantaneously cause a change in the state held by the other party at the other side some distance away. And that's the spooky action at a distance that you were referring to.
Starting point is 00:18:27 And this could allow potentially, well, it's not clear what it might allow, to be honest with you. I think one of the things is that people are talking about using these kind of protocols for secure communication because that action at a distance would be something that an attacker would not be able to observe. It's truly instantaneous, right? We're talking faster than the speed of light kind of stuff. Well, so you have to be a little bit careful. It's true that it's instantaneous. It does not allow you to communicate faster than the speed of light.
Starting point is 00:18:57 But still, it does give you some other properties like this privacy I was talking about or it allows you to basically defer certain choices until a later point in time. And there are cryptographic applications and distributed computing applications that you can do once you can share entangled states like that. And that's the kind of thing that people are talking about. The quantum key distribution that we already have some examples of experimentally is not sharing entangled states. And so this is basically the next level up. And any sense for what we're talking about in terms of a timeline? Is this the sort of thing that's decades away or sooner than that? Well, it's likely to remain five years away for the next decade. Of course, yes, I understand.
Starting point is 00:19:38 It's really not clear, to be honest. I think there are so many things that have to happen before this can become a reality. I think, you know, there are really two questions. One is, at what point can we say that, in principle, we can build a quantum internet, and that's going to take some research and some experimental prototypes and things like that. And then there's the question of what time frame this quantum internet actually gets built in. And that's maybe more of a business decision and an economic decision, how much demand there is for these things. And that's really unclear. All right. Well, I have to admit that this stuff is incredibly fun,
Starting point is 00:20:16 but also mind bending and head spinning and all that sort of stuff. But I'm glad I have folks like you to help explain it to me. I appreciate it. Whatever I can do to help. Yes. On behalf of our listeners, thanks to you. So Jonathan Katz, thanks for joining us. OK, thank you. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:20:41 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out
Starting point is 00:21:23 our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:21:47 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:22:26 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
