CyberWire Daily - Cryptowars notes. DDoS in Finland. Bears aren't under the beds; they're in the routers. Smart city attack surfaces. Sanction notes. Training through puzzle-solving.

Episode Date: August 14, 2018

In today's podcast, we hear about the cryptowars down under. Major DDoS incident in Finland. Bears in the home routers, and concerns about IoT and power grid security prompt a US Senator to demand answers. Smart cities present big attack surfaces. Preliminary notes on patches. ZTE and Huawei devices formally disinvited from US Government networks. Cyber retaliation expected from Russia and Iran over sanctions. And locking people in a room to teach them good cyber hygiene. Justin Harvey from Accenture on threat hunting. Guest is Bob Stevens from Lookout discussing app-based malware on mobile devices. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_14.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. ... a major DDoS incident in Finland, bears in the home routers, and concerns about IoT and power grid security prompt a U.S. senator to demand answers. Smart cities present big attack surfaces, preliminary notes on patches, ZTE and Huawei devices have formally been disinvited from U.S. government networks, and locking people in a room to teach them good cyber hygiene.
Starting point is 00:02:36 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 14th, 2018. There's a fresh offensive in the crypto wars, and this one comes out of Australia. The government has announced its proposed regulations that would address encrypted communications used for criminal or espionage purposes. Mindful, no doubt, of the shirty reaction the other side in the crypto wars will have to any proposal that involves mandatory backdooring of systems or other measures that would weaken end-to-end encryption, the government explicitly rules out any intention of backdooring systems. Instead, in cases of criminal investigations, national security matters, or significant threats to the financial system, the government would be able to require companies to render various forms of assistance.
Starting point is 00:03:22 Where a company held a key, for example, it might be called upon to let investigators use it to inspect communications. Or a company might be required to assist with development of a tool to gain access to otherwise inaccessible traffic. This hasn't mollified opponents of the measure, who don't see how the regulations could accomplish their purpose without unacceptable compromises of end-to-end encryption. Critics tend to see the proposed regulations as either a backdoor to backdoors or as a species of magical thinking in which encryption would be defeated
Starting point is 00:03:57 without defeating encryption. But the government is determined to obtain a capability to read traffic associated with significant criminal, terrorist, and nation-state threats. On Sunday, Finland sustained a major distributed denial-of-service attack. The country's Information and Communications Technology Center, Valtori, called it the biggest attack we've had in the past few months, implying a relatively high rate of attack. Several citizen-facing websites were unavailable, including the national online identity verification service, suomi.fi.
Starting point is 00:04:35 The defense ministry was unaffected. There's no attribution yet, but earlier DDoS attacks have been ascribed to unnamed foreign actors. Concerns about state-sponsored attacks on industrial and consumer Internet of Things devices remain high. In the U.S., these concerns continue to center on Russian activity. There have been recent warnings about GRU compromise of home routers, known about for some time but only imperfectly redressed, such devices being notoriously easy to ignore when patching. Other concerns focus on the power grid, where GRU probes of utility business networks have been widespread.
Starting point is 00:05:15 It's worth noting, as industrial cybersecurity firm Dragos did in its blog last week, that GRU presence in business networks isn't the same as staging disruptive malware in the industrial control systems used by electric utilities. It's a serious matter, especially given the role compromised business systems played in Russia's takedown of portions of Ukraine's grid, but it's not as if Moscow has installed a kill switch for Con Ed on President Putin's nightstand, right next to his copy of The Art of the Deal. So worth taking seriously, but also soberly and without panic. Congress continues to push the U.S. administration about power security.
Starting point is 00:05:57 The most recent legislative paladin to ride to the grid's defense is Senator Markey, a Democrat from Massachusetts who's widely circulating his letters of concern. He's asked individual utilities if they were victims of Russian probes the Department of Homeland Security warned about, what measures they're taking to cover themselves from third-party risks, and if they've complied with recommendations from the North American Electric Reliability Corporation. And on that last, if not, why not? He's also asked for detailed descriptions of their security measures, a detailed account of any successful or attempted physical or cyber attacks,
Starting point is 00:06:36 the utility's opinion of FERC-critical infrastructure standards, and an account of any other vulnerabilities they've turned up, and what they intend to do about them. NERC, federal agencies, and power marketing associations have received similar letters. Any responses he receives will be interesting, and some of them will be surprising. Smart city technology presents an especially attractive attack surface.
Starting point is 00:07:02 There's a growing concern about the sensors that technology deploys. IBM Security and data security firm ThreatCare studied sensor hubs in particular, focusing on those delivered by three of the leaders in that sector, Libelium, Echelon, and Battelle. The hubs integrate inputs from a variety of sensors in order to provide a kind of swift situational awareness of conditions on the ground, including traffic, weather, pollution levels, and so on.
Starting point is 00:07:31 The researchers found and disclosed 17 bugs in the hubs that they thought posed a significant risk. The vendors have patched them, but two points are worth bearing in mind. First, many of the issues were familiar IoT problems, like easily guessed default passwords. Second, sensors, like so many IoT devices, are notoriously easy to overlook when applying patches or upgrades. Studies show that we are spending more of our online time on mobile devices, relying on apps to help us keep in touch and manage our day-to-day
Starting point is 00:08:05 tasks. That, of course, makes mobile devices an attractive target. Bob Stevens is vice president of public sector at Lookout, a company that provides products to help protect mobile devices. As you know, I mean, applications have caught on quite successfully. I mean, it is an app-based world now. You know, unfortunately, the bad guys have figured that out as well, so that they're starting to or have been targeting applications, particularly on mobile devices, to try and steal data or credentials or, you know, to be able to turn your microphone on and listen in at meetings or take your photos or turn your camera on
Starting point is 00:08:42 and figure out where you are in your surroundings. So, you know, things of that nature. Where are you usually seeing these pop up? I mean, I think we hear the stereotype of the flashlight app that does a lot more than what it's advertised doing. But are you seeing particular trends here? We are, yes. You know, one trend is, you know, is phishing.
Starting point is 00:09:07 I don't know that you can say that that's a new trend. Phishing has been popular on desktops for a long time. The big difference is that on a desktop, the phishing came via email, but in a mobile world, it can come from a lot of different places. It can come from a text. It can come via an application like Facebook or a communications application like WhatsApp or Signal or Telegram. It can come via the email. It can come via the web. So there's a lot of different ways for somebody to phish you on a mobile device. And are you seeing that one platform versus the other does a better job of keeping these types of apps out of their app store? They both try, but the bad guys are pretty creative.
Starting point is 00:09:52 And I'd hesitate to say that one does better than the other. I think that they both put together equal amounts of effort to ensure they're providing safe applications for their users. But like I said, the bad guys still get in. And the bad guys don't necessarily use the app stores either. As an example, there's one threat that we recently announced called Stealth Mango. And it started with a phishing attempt, but then they would send you to not one of the popular app stores, but a different app store to download an upgrade of an application. And of course, once you got that application, you had malware on your device. And it didn't come from, you know, the popular ones, but it's still out there and they're able to get it on your device. So what are your recommendations for folks to better protect
Starting point is 00:10:41 themselves? Well, you know, it's a defense in depth, as with anything. You know, an enterprise should be deploying some sort of mobile device management, or they now call it EMM, Enterprise Mobility Management, to ensure that the policies that your organization want to have enforced are enforced. So what I mean by that is, you know, if Lookout's on a device and we detect that, you know, you've just downloaded a version of Facebook that is malicious, that MDM can now take over and quarantine you from the network so that you can't do any more damage or the bad guy can't do any more damage, and have you performed some sort of remediation on your device to remove the application. So I
Starting point is 00:11:22 think that's required. You know, an application like Lookout that's looking for malware, looking for risky behavior, looking for network-based threats, looking for phishing attempts so that they can be blocked before any harm can be done, and safe browsing to ensure that you're going to safe websites. Deploying some sort of encryption is always good. You want to make sure that the data that's on your device is encrypted so that even if they are able to access something, you know, it's worthless to them. So I think those are probably the three things that you want to look at. Your mobile devices are used for just about everything now. You know, your banking
Starting point is 00:11:58 apps, all your travel, your calendars, your email. There's a lot of data there. It's basically your life. So you need to protect it as if it's one of the most important things that's in your life. That's Bob Stevens from Lookout. It's Patch Tuesday, with Microsoft and others expected to roll out fixes over the course of the day. Some noteworthy patches have already been released over the last few days. A patch for NetComm 4G LTE Light industrial M2M routers is out, addressing a critical vulnerability. Users are advised to patch quickly. Oracle has addressed a vulnerability that could compromise an Oracle database and grant shell access
Starting point is 00:12:38 to underlying servers. President Trump has signed legislation barring ZTE and Huawei devices from federal enterprises. Other sanctions, particularly against Russia and Iran, are widely expected to prompt cyber retaliation. Finally, here's a cyber hygiene training approach from the National Geospatial Agency. Lock employees in a room until they get it. That sounds more sinister than in fact it is. And the reality sounds way more fun than the sort of Alcatraz solitary the headlines suggest. The NGA will be running training events in its Virginia and Missouri campuses. They've hired training company Living Security to design escape rooms that one can get out of by solving various
Starting point is 00:13:25 cybersecurity puzzles that focus on the NGA's tenets and risks, and that will use training moments and challenge questions customized to NGA's information technology and security policies and messaging to provide consistency with the cybersecurity program. So, let us know how that works out, you NGA types. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:14:01 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:32 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:15:06 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives, and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back.
Starting point is 00:16:17 We wanted to touch on threat hunting today. Why don't we start off, what is threat hunting and what is it not? So threat hunting is looking for adversaries that are already present within your network or your endpoints. Enterprises today are spending money on things like antivirus and firewalls and intrusion detection and prevention systems for their network. But what do you do if any of that fails? It really only takes a couple systems for an adversary to move around or to subvert, and then they're in and persistent within your environment. And so what threat hunting is, is the constant and continuous searching for basically two things, Dave. Number one, it's looking for the anomalous. So it's
Starting point is 00:17:07 looking for things that don't smell quite right, but it could be a new patch that has changed that registry key or a new program has shown up because someone installed it. Or looking at things like the suspicious, things like perhaps this registry key was added with this new probable potentially unwanted program, or the suspicious being someone logging in directly into a Linux system using a root login instead of logging in as a user and then becoming super user. So threat hunting is really looking for the things that are misplaced or shouldn't be there. So is this an expensive thing to spin up within an organization? When do you know when it's time to activate this process? Well, I think all enterprises of sufficient size, meaning really in the SMB market, I think threat hunting is going to be too spendy to do it yourself. I think that most managed service providers or managed detection and response providers should be supplying that for the SMB market. But for the larger enterprises that are managing their own infrastructure, it should absolutely be a part of their cyber defense program. The barrier to entry to threat hunting is that there's simply not enough people in the industry today in order to not only run the threat hunt program,
Starting point is 00:18:34 but develop the threat hunt program. Many of my clients are struggling with saying, okay, I know we need to do threat hunting and I kind of have some people to do it, but what do I do? There have been some vendors out there that are automating their EDR systems in order to codify things like the MITRE ATT&CK matrix and putting that in their agent or in their software so that human beings don't have to remember every little nitpicky thing that the ATT&CK matrix for MITRE presupposes. And so with that automation, it still gives our threat hunters a leg up in order to find the anomalous and the suspicious. So what's your advice? So what's the best way for someone to get started? The best advice here is to bring in a trusted third party, hopefully one that has a threat hunt methodology in order to give to the threat hunters. In my experience, or at least in the old days, the old days being several years ago, threat hunting was just merely hiring a bunch of smart infosec people and throwing them against a problem saying, go find evil, go find the anomalous and the suspicious. And that hasn't been working at scale. So I think number one is to settle on a threat hunting
Starting point is 00:19:52 methodology. Ours, the one that we've developed amongst my team, is what we call intel-driven hypothesis-based threat hunting methodology. But there's a lot of other types of methodologies out there that are just as good. The second step, Dave, would be focusing on a technology set that will support codifying things like the MITRE ATT&CK matrix into an EDR product. So not only do you have to have the people, the methodology, but you also have to have the tools and the visibility amongst the endpoints and the networks in order to surface that telemetry and then to analyze it. So some of our customers utilize EDR products that send all their data back to a centralized source. Perhaps it's Splunk, perhaps it's their SIEM, perhaps it's the EDR console, and then they hunt within that environment in order to find those adversaries latent within the network and the endpoints.
Starting point is 00:20:51 Justin Harvey, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:21:46 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:13 Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.