CyberWire Daily - Cyber concerns about naval and maritime shipping operations. AWS S3 data exposure. Game of Thrones hack. NHS breach? Killer robots. Scareware.
Episode Date: August 22, 2017

In today's podcast, we hear about maritime hacking worries, with potential risks to navigation, cargo handling, and manifest data. Another misconfigured AWS S3 bucket exposes business data. "Mr. Smith" says he's going to release the Game of Thrones season finale. The UK's NHS may have been breached. Google pulls 500 backdoored apps from the Play store. Fear of robots. Fileless cryptocurrency miner installed through EternalBlue. Jonathan Katz from UMD on separating science from snake oil. Dan Larson from CrowdStrike on incident response for zero-days. Scareware scares web surfers.

Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Maritime hacking worries with potential risks to navigation, cargo handling, and manifest data.
ISIS increases online terror inspiration,
even as the caliphate's physical territory shrinks to insignificance.
Another misconfigured AWS S3 bucket exposes business data.
Mr. Smith says he's going to release the Game of Thrones season finale.
The UK's NHS may have been breached.
Google pulls 500 backdoored apps from the Play Store.
Fear of robots.
Fileless cryptocurrency miner installed through EternalBlue, and scareware scares web surfers.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, August 22, 2017.
Worries about maritime hacking continue. Monday's collision between the destroyer USS John S. McCain and the merchant tanker Alnic MC in the Straits of Malacca
has aroused speculation that shipboard navigational and safety systems might have been deliberately interfered with.
This is, we note, speculation.
Such suspicions are based, it's important to say, on a priori possibility,
overlaid with what observers are calling an unusually high rate of collisions involving the U.S. Navy.
There have been four such collisions, all of them in the western Pacific over the past year.
The U.S. Navy is investigating and undertaking an immediate review of seamanship throughout the fleet,
surely sensible steps.
The results of the inquiry will be of considerable interest.
In the meantime, spare a thought for the sailors missing or injured in the collision.
There is one ship system hacking threat that's more than speculative.
People are now recalling the incident on June 22nd in which Russian operators engaged in GPS spoofing
that affected navigation in the Black Sea.
That's being cited as a proof of concept and not as attribution.
If there were some form of cyber attack in the Western Pacific,
both China and North Korea would be the usual suspects.
Pseudo-ransomware similar to NotPetya may have been implicated in the reported incident at China's Shengli oil field.
Information on whatever happened at Shengli remains as sparse as it is suggestive.
There have been no updates since Reuters broke the story Monday.
Another misconfigured Amazon S3 bucket has exposed its data.
This time, the affected business is hospitality booker Groupize.
The exposure was found by researchers at Kromtech,
the security company that counts MacKeeper among its brands.
Kromtech reported their findings to Groupize on October 9th.
Groupize had rendered the data inaccessible by August 15th.
The information exposed included business and personal data
in the form of contracts, pay card credentials, names, and so on.
Mr. Smith is threatening to release the season finale of Game of Thrones.
The hacker's ransom demands are still unmet by HBO, and this is probably HBO's best course of action.
And so Mr. Smith has posted material that indicates he may have indeed obtained the material he claims to hold. Mr. Smith's second release of stolen HBO material last week was less impressive than the first round.
How prepared is your organization in the event of a new zero-day, and how do you know if your incident response plan, assuming you have one, will be effective in protecting you and minimizing risk? We checked in with Dan Larson from CrowdStrike for some strategies organizations can adopt to help them get ahead of the problem.
They need to think about it in three phases. You know, what can you do ahead of time? You know, hardening the environment, that sort of thing can be helpful. But what really moves the needle is doing exercises like penetration testing, red teaming, tabletop exercises, doing an overall risk assessment, even basic stuff like getting an IR retainer in place. Those things will help you immensely understand your exposure and help you minimize both the likelihood and the impact of an event.

But then if we move forward and we think about, you know, at the point of an attack, you know, what can you do if there is, you know, software in your environment that has a zero-day vulnerability? Obviously, you know, endpoint security products have anti-exploit capabilities, and it's important that you have those, that you turn them on, that you keep them up to date, and you do that work. In fact, new products include new technologies, machine learning, artificial intelligence, behavioral analytics, that significantly, you know, move the needle in your ability to stop zero-days. But I also think it's really important to note that this notion of stopping the threat at the point of the attack is a guaranteed way to solve the problem. What we have learned over the last couple of years, you know, I can just use WannaCry with EternalBlue and DoublePulsar as an example. As much as everybody wants to block those at the point of attack, we have learned that security products as a whole have not been very effective against zero-days. So, for example, the testing company MRG Effitas at the time of that attack rounded up all the security products and found that only three of them, and keep in mind, there's more than 100 of these available, only three of them could stop the exploit at the time of the attack.

If we accept that as the new reality, we then have to start asking the question, okay, if we have this general problem of stopping things at the point of attack, especially when there's zero-days, you know, how can I still end up in a secure state? And that's why now there's a lot of conversation around understanding sort of post-exploitation activity. If I work from the assumption that, you know, a breach is inevitable, that it's going to happen to me, what can I do to reduce the impact of that event or to basically stop the malicious activity before it becomes a full-blown breach or before the real damage is done? And that's where new solutions, especially EDR products with their behavioral logic, you know, they're looking for telltale signs of attacker behavior. So it could be credential theft, it could be privilege escalation, it could be lateral movement, it could even be trying to encrypt files or destroy files or leak files. These are all criminal or adversary behaviors that we can now understand as the attack is happening on the endpoint, and not only detect that malicious activity, but block it.

So there's this kind of, you know, cascading reduction of risk as you go through the process: you know, be as prepared as you can, implement the best prevention tech you can at the time or at the point of attack. But you have to accept the reality that that'll never be 100% effective. So you need to think about, you know, what happens in the case where the attacker is successful and gets on the network, and do you have the tools, process, and technology to mitigate the event before the real damage is done?
That's Dan Larson from CrowdStrike.
Britain's National Health Service has sustained a breach in its SwiftQueue appointment service. The hacker or hackers claiming responsibility represents himself or herself or themselves as performing a public service, exposing security flaws. The incident is under investigation, but SwiftQueue says that it simply doesn't hold the quantity of data the hackers claim to have accessed.
Google has pulled about 500 apps from its Play Store. They contained compromised versions of development kit Igexin that effectively installed a backdoor for spyware.
There are many worries about the robot menace being expressed this week.
Elon Musk is the most prominent celebrity robophobe.
He's warning of the dangers of combat-capable robots armed to kill
and calling for some sort of convention to restrict their deployment.
It's perhaps worth noting in this regard that similar worries have been around for well over a hundred years.
The first inhumane robot on record, which appeared before the word robot was coined, is probably the Whitehead automobile torpedo, widely condemned at the turn of the 20th century as the devil's device. Still, there have been advancements in lethality since Whitehead's day, and the automobile torpedo was limited in range and not susceptible to hacking, so Musk's concerns aren't frivolous.
A more proximate threat, however, may be the exposure of industrial robots to cyber threats. Observers are especially spooked by recent demonstrations by IOActive of the hacking of cobots, robots that collaborate with one another in various industrial processes.
Researchers at Trend Micro noticed the convergence of three tech trends in a single threat. They found, trend one, a cryptocurrency miner that is surreptitiously installed using, trend two, EternalBlue for distribution, and the miner is, trend three, fileless. Trend Micro calls the winner of this trifecta TROJ64_COINMINER.QC.
In industry news, eSentire announces that it's received a significant growth equity investment round from Warburg Pincus.
The amount is not yet publicly available, but it's believed to be unusually large.
Do you have a guilty conscience over something?
Find yourself looking over your shoulder while you're getting in some screen time?
Well, the guilty flee when no one pursueth, or so they say.
Scareware has reappeared in Japan, where people browsing over to adult sites find themselves greeted by a convincing warning that appears to be from the National Police Authority,
telling the site's users that the jig is up and the National Police want a cut.
Be reassured, users. The National Police want you to know it's not them.
You're fleeing when no man pursueth.
And think about it.
Are the police actually likely to find you online?
The national police do advise internet users to be cautious about where they go and what they do online,
but that's because of the risk of cybercrime, not because the police are watching.
And there's an extortion scam being run against users of adult sites in Australia.
This one is different in that it's openly criminal with no pretense to being a law enforcement operation.
The crooks demand payment, in Bitcoin of course.
If you don't pay up, they'll expose you, and that exposure will include posting video,
a threat the specifics of which we'll leave as an exercise for you, our listener.
In any case, the guilty flee where no one pursueth, but the righteous are as bold as the lion. So be righteous to each other, friends. Be righteous.
Joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland.
He's also director of the Maryland Cybersecurity Center.
Jonathan, welcome back. You know, you and I were talking about an article that came by that was talking about some claimed improvements in encryption.
And you were a bit skeptical of it.
And it really brought us to the notion that with a subject this complex, how do you sort through and make sure that someone isn't trying to sell some snake oil?
Yeah, that's a great question.
But imagine actually that for people out there who are not experts in cryptography, when they're reading something on the web or they're reading about some new product, it can be very difficult for them to tell whether something is an actual advance in technology or whether it's really a lot of marketing hype.
And the one thing that I usually look for in particular is, number one, that the algorithm, the new cryptosystem that's being touted, should be described very clearly and publicly. You want the system to be out there. You want it to be secure, even in the event that people know all the details of the system. Of course, not the secret key that's being used, but all the details of the algorithm. And you actually want people to go and study the algorithm and look for potential flaws or to analyze it and show that it's secure. So one of the first things I look for is that they make the algorithm public and they clearly describe it and also have it analyzed and peer-reviewed by the scientific community.
Now, when you're looking over a press release from someone who's claiming some new breakthrough,
are there certain things that stand out to you that maybe point to perhaps it not being everything that it claims to be?
Yeah. So besides what I just mentioned, the other things I look for are a lot of marketing buzzwords that actually don't have any technical meaning. So I'm looking at this particular article you forwarded me, and they're talking about using what they call heuristic random wave envelopes. And I have no idea what that is. I've never heard that term before. Maybe it's a term from physics. It's not a term in cryptography. And so I can't really tell what that is. And the fact that they can't explain what it is in simple English kind of is a warning sign to me that they're just trying to obfuscate things rather than clarify things.
So looking at it from the point of view of a company who's trying to develop new technology, doesn't that kind of box them in if people are resistant to them having trade secrets? Or is cryptography just an area where trade secrets might not be the best thing to have?
No, I think absolutely you don't want trade secrets in this area. What you want is algorithms that are widely published. And so, in fact, one of the first things I look for when I'm looking at a new company and trying to evaluate their technology, and this actually goes beyond crypto, is a white paper just explaining, number one, what the technology is doing, how it's different from prior work, and then also an explanation at some level in some technical detail of the protocol itself.
It's a good cautionary tale. Jonathan Katz, as always, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.