CyberWire Daily - Cyberattacks that may not have been. Ropemaker corrupts email after delivery. Concerns about companies working for intelligence services.

Episode Date: August 24, 2017

In today's podcast we consider the way in which two potential state cyberattacks are now looking more like, respectively, an accident and a conventional crime. US Government officials double down on warnings of Kaspersky connection to the Kremlin, and Australia's Government isn't buying Huawei's protests that it's not working for the PLA, either. Ropemaker attacks could inject malicious code into email after it's been delivered. Joe Carrigan from JHU on medical device security legislation. Christopher Pierson from Viewpost with observations from DEFCON. Some teasers on the Chertoff Group's Security Series. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Your patient data depends on incident response plans. Prepare with DeltaRisk's webinar. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Two potential state cyberattacks look more like, respectively, an accident and a conventional crime. U.S. government officials double down on warnings of Kaspersky connections to the Kremlin, and Australia's government isn't buying Huawei's protests that it's not working for the PLA either. Ropemaker attacks could inject malicious code into email after it's been delivered,
Starting point is 00:02:18 and some teasers on the Chertoff Group's Security Series. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, August 24, 2017. We begin with two cautionary tales of commendable caution. First, the U.S. Navy hasn't ruled out the possibility that a cyberattack may have contributed to the collision between the destroyer USS John S. McCain and a merchant tanker in the Straits of Malacca off Singapore this week. That possibility, however, now seems increasingly unlikely. The commander of the U.S. 7th Fleet has been relieved. His seniors have lost confidence in his leadership of the fleet.
Starting point is 00:03:02 Suspicion that there could have been a cyber attack at the root of the tragedy was based on the a priori possibility that navigation technology could be affected by a threat actor. Indeed, there were reports in June of GPS spoofing conducted by Russian operators against shipping in the Black Sea. That spoofing appears to have been a trial or proof of concept. There were other reasons to find the collision suspicious. It was the fourth collision involving a 7th Fleet ship in less than a year,
Starting point is 00:03:29 which struck many observers as far too high for coincidence. The investigation continues and is likely to be thorough. We'll follow the story as it develops, but for now at least, it seems the incident was one of seamanship, not cyber security. The other story is out of Ukraine, which today celebrates the anniversary of its independence. Authorities in Kiev have been concerned that the anniversary would see some renewal of state-sponsored cyber attack, which by consensus means Russian-directed. The sorts of attacks the country sustained include the BlackEnergy grid hacking incidents, and of course, NotPetya, the pseudo-ransomware attack that moved quickly from its initial Ukrainian infestations to become a pandemic.
Starting point is 00:04:12 Many of the concerns expressed centered on a pseudo-ransomware rerun, and it appeared briefly that such a campaign was in progress. The web server of Crystal Finance Millennium, an accounting software firm based in Kiev, has been found compromised with Purgen ransomware, but this attack seems simply criminal, not state-directed as was the case with NotPetya. Purgen has been on the server since August 18, according to Kaspersky Labs, and security firm ISSP's analysis of the malware indicates that it's in all likelihood conventional ransomware being distributed with the aim of extorting money from its victims.
Starting point is 00:04:50 The two stories are worth considering. They indicate the high degree of readiness people now have to see cyberattacks, especially state-directed espionage and sabotage, behind incidents that may in fact be simply criminal or accidental. It's good that general awareness of cyber risk is high, and that people also understand the degree to which cyberspace has become a domain of international conflict. But it's also important to bring some healthy skepticism to the discussion. Attribution and even understanding can be notoriously difficult, and for all the warnings we've seen over the past two weeks of an impending cyber Pearl Harbor, or cyber 9/11, it's worth reflecting that we're at least as likely to experience a cyber Tonkin Gulf incident, where what we perceive as an attack turns out in the
Starting point is 00:05:35 end to have been nothing at all. Christopher Pierson is Chief Security Officer and General Counsel for ViewPost, a secure payment network provider, and he's a regular guest here on the Cyber Wire. I caught up with him after Black Hat and DEF CON for his take on the trends he sees coming from those shows. At DEF CON this year, it was interesting. Three real kind of high-level takeaways from the event. First was that when you take a look at application security,
Starting point is 00:06:04 we still are not addressing this correctly. The services, the devices, the things that are being built, we're not building security in from an engineering perspective. So I think that's the first and foremost thing that we have to tackle. We have to make sure that we're building new products, new services, new devices securely and safely. And that starts with good engineering, good QA, good testing, and good cybersecurity awareness in the applications first and foremost. Second, the cloud controls.
Starting point is 00:06:37 Cloud controls are definitely, definitely gaining in wisdom, gaining in expertise. At this point in time, I think there's kind of a full shift from both Black Hat and DEF CON in terms of acceptance within the cybersecurity community that there are a sufficient number of and type of and diversity of cloud controls that are there to protect and safeguard data that we are storing in those instances. And then third, this kind of focus in on the user, the end user, and how are we actually enabling them for security? How are we actually providing them the security controls that they need in a transparent manner so that we're moving security away from their task, their goal, their to-dos? Because whether it be patching or antivirus or VPN or firewalls, certainly we're
Starting point is 00:07:27 seeing the same patterns exist in users year after year with little change. We need to do something differently there, almost like the card-based world of chip and PIN and moving into a tokenized basis for electronic transactions, as opposed to mandating that PCI be this requirement of the mom-and-pop shop. So really pushing that further up the food chain. So those are kind of three high-level takeaways from DEF CON in terms of overall observations. What about incentivizing? We talk about, particularly with IoT devices, if the manufacturer has no incentive to do anything other than build a cheap device that people will buy on Amazon and the user has no incentive to change the password or even update the firmware on the device if a vulnerability is discovered, how do we put in proper incentives to
Starting point is 00:08:18 make these things safer? Yeah, I think that this is an area that we have to get better at. I mean, I can see this in really two different areas. So first, incentivizing companies to build safer, more secure products. Also make sure that they're adequately updated, that the firmware is being updated, that they're staying on top of things once these products are pushed out into the market. It isn't simply good enough to produce the device. You have to maintain the device in a safe and secure fashion, especially with IoT, as these devices make their way into the homes. And I think that we can do a lot there through tax incentives and other types of economic incentives for companies. The other thing that I think is interesting is that on the build process, I think that there's a role for tax incentives to play in hiring. So for example, maybe one out of every 30 individuals at the company, if they have a job
Starting point is 00:09:12 that is a security development lifecycle engineer, where they're actually taught cybersecurity practices, best practices in engineering, maybe OWASP top 10 or SANS top 20 threats, if they're actually taught about those and can more safely code with those in mind, there'd be some type of economic incentive that's paid back to the company. Maybe it's half their salary is a tax rebate. Maybe there's something in terms of education dollars so that you can actually take your current engineers and existing engineers and go ahead and provide for education that's free and clear and sponsored in some form or fashion, maybe even by the government, and get education and training on secure development practices into the hands of the engineers. That's probably one of the biggest things.
Starting point is 00:10:00 We need to stop. We can't necessarily stop everything on the back end in terms of firmware updates and patching and all the rest. We have to tackle this problem on the front end, which is better written code, safer written code, cybersecurity being a part of each product and service, and really built in on the front end. I think if we have some large-scale IoT, especially IoT, outages in this area or impacts in this area that impact the personal safety and privacy of the home, I think you may see some movement in the right direction. But without that, the consumer is still fairly ill-informed. And our products, especially from DEF CON, the number of hacks of IoT devices and the ease of penetration
Starting point is 00:10:42 and the IoT capture the flag exercise was just mind-boggling. Very, very easy hacks, very easy compromises, very easy vulnerabilities, should never have been in the products, should never have rolled out to market with some of those easy hacks. That's Christopher Pierson from ViewPost. The United States government, in the form of both the FBI and the White House cybersecurity lead, continues to express concerns that Kaspersky products could be, in effect, virtual moles, working for Russia's FSB and reporting back to Moscow. Australia's government is similarly cautious about Huawei,
Starting point is 00:11:20 which it wishes to block from installing a communications cable for the Solomon Islands that would transit Australian territory and networks. In this case, the concern is that Huawei products are a cat's paw for Chinese intelligence services. Both Kaspersky and Huawei say the suspicions are groundless and point out that the business they do with Moscow and Beijing is legitimate, no different from what a Silicon Valley company might do for Langley or Fort Meade. The security firm Mimecast warns of RopeMaker, a method of altering the content of emails after they've been received. A threat actor could inject malicious content via remote CSS files. Mimecast hasn't seen RopeMaker used in the wild yet.
Starting point is 00:12:04 We were at the Chertoff Group's security series in Palo Alto, California yesterday, and we'll have accounts of the proceedings tomorrow. As a teaser, however, we'll ask two questions that the Chertoff Group posed to the audience. First, what does a medieval scholastic and Catalan poet have to do with artificial intelligence? And second, since when did being disruptive become a good thing and not something that earned you a trip to the vice principal's office? Write your answer 500 times on the blackboard, Silicon Valley. Look for answers to these and other questions raised at the conference in tomorrow's CyberWire
Starting point is 00:12:38 Daily News Briefing. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:13:08 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:13:55 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:14:30 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:02 Black Cloak's award-winning digital executive protection platform. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You sent over an article about some legislation that was introduced by Senator Richard Blumenthal. He's a Democrat from Connecticut. Yep.
Starting point is 00:15:50 About medical device security and privacy and things like that. Fill us in. Well, there's a large problem with the security of medical devices. And being that our institute is a Johns Hopkins affiliate, we've actually spent a lot of time looking at these things. And there are vulnerabilities out there in all these devices. I think in the article that I sent you, there's a horror story about one device that had like 70-some vulnerabilities in it. Wow. And in talking with people like Kevin Fu from University of Michigan and some folks up at Dartmouth, we work on a project called the
Starting point is 00:16:25 Trustworthy Health and Wellness Project where we talk about exactly this issue. One of Kevin's points is that a standard statement from these device manufacturers is just put it on a secure network because we're not really worried about working on security right now. And to an extent, there's a real needs-based issue here. And the story that was first enlightening to me is that when a doctor is working on somebody, on a patient, that if the security of the device gets in the way of the doctor providing the care, that security is going to go away. Because your security is impacting the provision of potentially life-saving care. The doctor in the emergency room never hears from the patient, make sure that my data stays secure. It's always make sure my heart is beating, make sure I can breathe,
Starting point is 00:17:14 get these bullets out of me, those kind of things. So it's not really a very high priority, but it is a real problem. So what Senator Blumenthal's legislation does, one of the things it does is it tries to provide a report card for these devices. I don't know exactly what he means by report card, but apparently it's a security assessment of some kind of these devices that have, the devices have to go through this assessment before they're available for sale. And on the surface, that sounds reasonable, but you have some concerns. I do. My concern is who's going to be doing the testing? How is that going to be provided? Are these medical device manufacturers going to go out to third-party
Starting point is 00:17:53 testing organizations whose product will essentially be a wink and a nod? Hey, your product's good to go. For the low, low price of? Low, low price of $1,000. I'll give you a really good report card. There definitely needs to be some supervision of this process, I think. Yeah. Well, I mean, it's good to see, I suppose, that it's risen to the level of getting attention from folks like Senator Blumenthal. I'm happy to see it being talked about at this level. Yeah. All right. Well, we'll keep an eye on it. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:18:38 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:19:27 I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided
