CyberWire Daily - Cyber conflict between Iran and the US widely expected. ALLANITE threat group is after US, UK power grids. Jack-in-the-Box vulnerability. Signal's memory. Is ZTE going down?
Episode Date: May 10, 2018

In today's podcast we hear that US withdrawal from the Iranian nuclear deal is widely taken as heralding a new round of cyber conflict. Cyberattacks on critical infrastructure are seen as an asymmetric way of war. The ALLANITE threat group is observed successfully reconnoitering US and UK electrical power grids. Jack-in-the-Box does nasty things with images. Signal's self-deleting messages don't, or at least they don't always. And US sanctions may be putting ZTE out of business. Robert M. Lee from Dragos on the sliding scale of cyber security. Guest is Jonathan Matkowsky from RiskIQ with concerns over ICANN's pending interim policy changes on the WHOIS database in response to GDPR.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
The U.S. withdrawal from the Iranian nuclear deal
is widely taken as heralding a new round of cyber conflict.
Cyber attacks on critical infrastructure are seen as an asymmetric way of war.
The ALLANITE threat group is observed successfully reconnoitering U.S. and U.K. electrical power grids.
Jack-in-the-box does nasty things with images.
Signal's self-deleting messages don't, or at least they don't always.
And U.S. sanctions may be putting ZTE out of business.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, May 10, 2018.
As the U.S. announced its intention to withdraw from the Iranian nuclear deal agreement, concerns have risen over the prospect of renewed Iranian cyber offensives.
Iran had been active against a number of targets in cyberspace,
but its state-directed cyber attacks went into partial eclipse in 2015.
That lull is generally attributed to Iran's response to relaxation of sanctions
that followed conclusion
of the Joint Comprehensive Plan of Action, popularly known as the Iran Nuclear Deal,
in July of 2015. Under the Joint Comprehensive Plan of Action, Iran undertook to limit or delay
certain aspects of its nuclear weapons program. On April 30th of this year, U.S. and Israeli
authorities stated that Iran had failed to disclose a past covert nuclear program to International Atomic Energy Agency inspectors, and this Tuesday, President Trump announced that the U.S. would withdraw from the Joint Comprehensive Plan of Action.
The U.S. decision to withdraw from the agreement is expected to reverberate in cyberspace,
with concerns about critical infrastructure becoming sharper.
We heard from Dragos CEO Robert M. Lee,
who reminded us that when tension rises between states,
so does the targeting of industrial control systems.
Lee said, quote, In this case, activity moves beyond conducting early reconnaissance
to gaining access to infrastructure companies and stealing information that could be used at a later date. Thus, cyber risk can be reliably forecast to follow geopolitical tension.
Phil Neray, vice president of industrial cybersecurity at CyberX,
a company specializing in ICS, SCADA, and industrial IoT security,
reminded us that, quote,
Iran has a long history of going after U.S. targets,
including the massive DDoS attacks they conducted on 24 U.S. financial institutions during 2012 and 2013.
End quote.
Phil Neray sees cyber operations as an asymmetric way of warfare.
Quote,
Cyber is an ideal mechanism for weaker adversaries like Iran,
because it allows them to demonstrate strength on the global stage without resorting to armed conflict.
I expect that Iran will continue to escalate its cyber attacks on U.S. targets.
So far, Iran's damaging attacks have come against targets located in its regional rivals,
like Saudi Arabia, but in principle they could be extended to the U.S. or elsewhere.
Observers think it likely that a cyber attack attributable to Iran would draw a strong U.S.
reprisal. Recorded Future offers a lengthy assessment of Iran's cyber establishment.
One interesting note, Tehran depends on competing contractors for most of its offensive capabilities.
There are at least 50 organizations that vie for the work.
Studies of wiper malware issued this week by Cisco's Talos Group
are also worth reviewing as U.S.-Iranian tensions rise.
Shamoon, a wiper used against Saudi Aramco in 2012,
has generally been attributed to Iran.
There are, of course, other threats to infrastructure out there.
Industrial cybersecurity experts at Dragos this morning released a report on ALLANITE,
a threat actor the company says has been actively prospecting U.S. and U.K. electrical utilities.
They've observed watering hole and phishing leading to ICS recon and screenshot collection.
ALLANITE resembles the Russian Palmetto Fusion group
that the U.S. Department of Homeland Security described last year.
Its target set is similar to Dragonfly's,
but Dragos assesses ALLANITE's technical capabilities
as being significantly different from those exhibited by Dragonfly.
When ALLANITE first made its appearance last year,
its successes had been confined to penetration of business and administration systems, but Dragos now confirms that ALLANITE had succeeded in extracting information directly from industrial control systems.
ICANN, the nonprofit responsible for coordinating the maintenance of Internet domain names and numbers,
is expected to implement an interim plan in response to GDPR in an attempt to align privacy laws with the WHOIS system.
Jonathan Matkowsky is a VP at RiskIQ,
and he sees ICANN's plan as a potential serious threat to the open and public Internet.
Because the WHOIS database has evolved, it's difficult to presume that every person would have expected WHOIS to be used for consumer trust and protection purposes or, you know, DNS security. At the same time, it's very difficult to go so far as to say, given the public nature of WHOIS and how increasingly available privacy and proxy registration services have been over the years, that people would not expect that these kinds of processing activities take place with their data.
So while consumer protection and consumer trust are not, when I look at it, the technical mission of ICANN as defined within its bylaws,
they're more than just compatible with ICANN's mission. Therefore, ICANN's temporary policy
that I expect that they would be putting forth in the next several days, in my opinion,
should require new gTLD WHOIS database operators to inform new registrants in a GDPR-compliant manner about the legitimate interests that are
relied upon to share WHOIS personal data with ICANN, intellectual property rights holders,
law enforcement, threat intelligence analysts, and incident responders for consumer protection
and consumer trust. So if ICANN itself doesn't hold its gTLD WHOIS database operators
accountable for abusing their discretion or intentionally failing
to assess these legitimate interests in thick WHOIS data requests,
I think there'd be significant foreseeable damages that would inevitably result.
So as far as the public WHOIS, I think ICANN needs to make sure that for newly registered organizational domains, well, it's not actually ICANN that needs to make sure, it's those collecting the data, it's gTLD WHOIS database operators. They need to make sure that when they collect WHOIS information, registrant details, for newly registered organizational domains, they don't collect personal data in email addresses without having unambiguous consent to do so. Because otherwise, this is used as an excuse, basically, not to include organizational emails in the public WHOIS, you know, because it creates concerns under GDPR for some.
I think that ICANN and its board members have a fiduciary duty to ensure that they don't
issue a temporary policy for WHOIS output that causes unnecessary DNS abuse.
They should expect damage reports to be collected. Without accountability, it's meaningless.
ICANN's job is not to enforce GDPR.
Its job is to fulfill its mission
consistent with applicable laws, including GDPR.
What's required is that there be a way to hold gTLD WHOIS database operators accountable for either intentionally or recklessly failing to conduct a GDPR-required legitimate interest analysis for WHOIS data requests or abusing their discretion. Now, ultimately, I don't want to see the Internet fragmented like this for gTLDs.
That is an SSR concern, as many people have expressed.
The community has been working on a tiered access model.
Lack of accreditation is not supposed to be used to infer lack of GDPR compliance,
and a legitimate interest analysis is required by GDPR.
We need to streamline this process, or it's going to cause damage to the internet,
because there will be fragmentation, and in practice, it will just be a very, very difficult situation.
That's Jonathan Matkowsky from RiskIQ.
If you're looking for more of the details on this topic, RiskIQ has a blog post on it.
It's on their website.
Security company Aqua describes an image pull vulnerability in Windows.
They're calling it jack-in-the-box.
Aqua has a proof of concept that shows the possibility of extracting
malware from a maliciously crafted image into any directory on the target system.
Exploitation occurs during the process of unpacking the image.
If you're a user of the self-deleting messaging app Signal, take note. Signal's disappearing
messages apparently don't disappear, at least not by default. Self-deleted messages persist for some indefinite period in macOS's notification history.
You may want to turn off notifications.
Chinese device maker ZTE may be down for the count.
U.S. sanctions that prevented it from buying from U.S. suppliers have induced it to cease major operations.
Deprivation of Android software and Qualcomm chips appear to have been the final blow.
One hesitates to sound taps on such short notice for any company, especially one as large as ZTE,
but things certainly don't look good. A representative reaction may be seen in Australian telco Telstra, which has announced it will no longer sell ZTE phones.
It isn't dropping them for security reasons,
but rather because it seems unlikely to them
that ZTE will be able to continue to deliver and maintain its products.
It's a globalized supply chain,
and no industrial nation is exempt from the consequences of that globalization.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee.
He's the CEO at Dragos.
Robert, welcome back. I wanted to discuss today something that you have published that is called The Sliding Scale of Cybersecurity. Can you take us through what's going on here?
Yeah, absolutely. So it's a paper I published a couple years ago at SANS, and it's been an extremely useful model, and I've been humbled by how many folks in the community have found it valuable. So when I talk to folks and they say, what do you do, and, oh, I do cybersecurity, well, that's not a thing. Like, what do you actually do? And
it's good to know where we can make investments and what the return on that investment would be.
So in the scale I put forth, there's really five categories of things you can do.
On the left-hand side of the scale is architecture, sort of planning and building the systems with security in mind and logging and things that you need, you know, sort of getting it right from the start, patching, maintaining it, et cetera. The next over would be passive defense, which is the technologies and tools that you can add into the environment to give you visibility or protection from some of
the threats. The next is active defense, which is the analyst, the human component. This is where
the human gets involved to investigate and correlate and respond and hunt and be in the
environment, which is really, to me, the most powerful piece when you build towards that because you're putting human defenders against human adversaries.
Next is intelligence, which is we look through intrusions and collect data and try to extrapolate
it into useful intelligence on the threats.
And finally is offense.
And I even put in the scale, absolutely.
Offense is technically one of those things that you can do if it's for self-defense actions,
not retribution, but sort of like legal countermeasures.
And really, the whole point of the scale was originally to kind of push back against offense,
saying, look, if you pattern out all that you could do, the highest return on investment
is on the left hand side of the scale moving to the right.
So if you build it
right to begin with, you have a good defensible architecture with good passive defenses. The
amount that you have to spend into active defense to get a good return on investment is minimal.
If you don't know what your architecture is, you don't have tuned firewalls, I don't care how many
SOC analysts you hire, it's going to be a hard time for you. If you've got a well-understood
architecture and well-tuned environment, you eliminate a lot of the noise that you need less
human analysts to actually facilitate that. To be quite blunt, I've always told folks,
look, for the folks that think that they can go back and hack back, like, oh, I've been had,
and I'm going to go hack back. If you think that's going to be effective for you, you're wrong.
It's a very poor return on investment in terms of the resources required to do that.
And we need to actually invest where appropriate, build a roadmap for where we want to be, and make sure the architecture and passive defense investments you're making align with where you want to be with your active defense and intelligence components, or make sure that the investments towards the right-hand side of the scale with active defense and intel actually align with what you already have in architecture and passive defense.
And do you find that people sometimes get these out of order in terms of how they take on these various items?
All the time. So it's not
really that you have to move one category to the other.
But if I looked at your security program and where you've invested overall as an organization,
I'd expect almost kind of a waterfall kind of approach where there might be, you know,
40% into architecture, 30% in the passive defense, 20% in active defense, 10% into intel or something
like that. It won't always align with that. That's fine.
But you need to make sure you're not completely off balance.
If 80% of your budget is going towards active defense and Intel, well, there's no way that
you're actually getting a good return on investment because you definitely need to invest a lot
more in your architecture and passive defense.
I do a lot of active defense and intel stuff. My classes at SANS, my company, I mean, everything's around, like, oh, cool, let's go do hunting and intelligence, and this is really cool stuff. But it's worth noting it's not the starting place, and I see companies all the time that really love the idea where you can be with, like, a SOC, and they really like the cool new tools for investigations and response and orchestration.
And, man, if we get this new intelligence, we're really going to understand the adversaries, but then they don't have an asset inventory and they don't have tuned firewalls and they don't have an incident response plan.
And you sort of have to push back and say, look, you want to get to this place, but there are steps along the road to take to make it an actual good investment.
All right, Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.