CyberWire Daily - Cyberespionage in the Korean peninsula. Russian influence operators bought Facebook, Google ads. Forrester hacked. Kovter, OilRig get upgrades. US CYBERCOM CSM notes.

Episode Date: October 10, 2017

In today's podcast, we hear that North Korea may have hacked into South Korean defense plans. Facebook and Google receive increasing scrutiny for Russian ad buys during the 2016 US election season. A dissident Chinese billionaire, exiled to New York, says he's been under cyberattack from Shanghai. OilRig is back, with new and improved cyberespionage. Forrester market research reports accessed by hackers. Kovter malware gets an upgrade. Chris Poulin from BAH on medical device safety. Yassir Abousselham from Okta on challenges establishing and managing identity. And we offer some observations from the Cyber Pavilion at the Association of the United States Army meetings. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Cylance uses cutting edge artificial intelligence to help protect your systems. If you are a woman in cyber security and want to make connections with others in the field, check out our own Women in Cyber Security event.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. North Korea may have hacked into South Korean defense plans. Facebook and Google receive increasing scrutiny for Russian ad buys during the 2016 U.S. election season. A dissident Chinese billionaire exiled to New York says he's been under cyber attack from Shanghai. OilRig is back with new and improved cyber espionage.
Starting point is 00:02:15 Forrester market research reports are accessed by hackers. And we offer some observations from the Cyber Pavilion at the Association of the United States Army meetings. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, October 10, 2017. Amid tensions over North Korea's increasingly capable missile and nuclear arsenal, reports out of South Korea indicate that someone has successfully hacked into some of Seoul's defense planning files. Reports from both France and South Korea say that some 235 gigabytes of sensitive data were accessed in September of last year.
Starting point is 00:02:58 They included detailed war plans to be used in the event of a North Korean attack, including plans for a decapitation strike against North Korean leadership. Such a strike would be designed to destroy the Kim regime and with it presumably the North's ability and willingness to continue a war that recent tests and threats suggest could rapidly escalate to nuclear attacks on South Korea. Some sources indicate the hackers were based in China, and there's some uncertainty as to attribution, but North Korea seems the obvious suspect to observers. Some of Pyongyang's cyber
Starting point is 00:03:32 operators are known to work from China. Turning to presumed Russian attempts to influence U.S. elections, Facebook initially seemed uncertain that Russia had been behind some of the election season influence operations the social media company found itself enmeshed in last year, at first pulling attribution to Russia from early versions of its report on the matter. The company now has said there were Russian advertising purchases. Google is also facing renewed scrutiny over Russian ad buys. The amounts bought seem relatively small,
Starting point is 00:04:05 sub-$100,000 purchases, as people are saying. This would not be particularly significant in the context of typical election spending. The reports on where the ad money from Russia went are interesting and probably instructive. The messages supported Donald Trump, but also insurgent independent running as a Democrat Bernie Sanders and Green Party candidate Jill Stein.
Starting point is 00:04:28 Some reports suggest that the buyers regarded all three as probable also-rans. Chinese sources deny involvement in apparent cyberattacks directed against a Chinese businessman who's been critical of alleged corruption in PRC leadership. Guo Wengui, a billionaire currently residing in New York and asking for political asylum, is facing an indictment in China on corruption charges himself. The incidents were directed at organizations associated in some way with Mr. Guo. A Hudson Institute event was cancelled after an apparent DDoS campaign mounted from Shanghai, and a second unspecified incident is said to have led the law firm Clark Hill to withdraw representation
Starting point is 00:05:10 from him. They'd earlier lodged his asylum claim. Guo Wengi has accused China's ruling Communist Party of being a kleptocracy. Chinese officials deny involvement in any of the alleged incidents and say they've had nothing to do with any cyber attacks the exiled billionaire may have faced. The Chinese Ministry of Public Security said, The Chinese government would like to suggest that the U.S. law enforcement authorities supply China with the detailed information, relevant clues and evidence so that China could assist in the investigations to identify the real source of such hacking. The ministry said they'd cooperate with U.S. investigators. Palo Alto Networks reports that the oil rig threat group,
Starting point is 00:05:55 prominently involved in hacking Middle Eastern targets, is back, with an enhanced set of Trojans in its tool bag. The oil rig cyber espionage threat group is widely believed to be operating on behalf of the Iranian government. Its targets have prominently included Saudi Arabia and other regional rivals. They're using new infection documents and a new injection Trojan. Forrester, the market research firm, has disclosed a breach in which unauthorized parties obtained access to the company's reports. It was apparently a case of credential theft. Forrester says the hackers obtained credentials
Starting point is 00:06:30 that enabled them to get the reports. The company stressed that, quote, there is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident, end quote. When it comes to online authentication and identity, we'd probably pretty much agree that a simple username and password combination just doesn't cut it these days. With more data and services moving to the cloud, the notion of simply protecting your perimeter can get a bit cloudy. Yassira Bousselham is chief security officer at Okta,
Starting point is 00:07:06 where one of their specialties is identity management, and he offers his perspective. So when you take a look at where we came from as an industry, so in the past we had a handful of enterprise applications that are deployed on-premise, and to be able to access those services, you would have to be within the network perimeter. Things have changed for the last decade. So a lot of the applications are now outside the network perimeter. Some of those applications are managed by IT and some other applications are managed by the user. So the users essentially are defining their requirements and looking for applications that meet those requirements that allow them to do their jobs. So in a way, IT does not have 100%
Starting point is 00:07:51 control over accounts that are used to either access corporate data or to manage all the transactions that the business user has to carry out on a daily basis. So are we talking about cloud-based services, things like Gmail, Dropbox, and things like that? That is correct. So those services could be application services such as Dropbox, Gmail, Concur, Expensify, and so on. But we're also talking about infrastructure services such as AWS. services such as AWS. And so as we've gone to these online and cloud-based services, has the role of identity changed or kept up? The role of identity is changing in a way that it's becoming the cornerstone of the security strategy of every enterprise. So when you think
Starting point is 00:08:41 about it, the network perimeter is eroding. Since now, we cannot protect services that are hosted within the perimeter. And all of those services or most of those services are migrating to the cloud. They're no longer hosted on-premise. And so we cannot rely on the network perimeter to protect access to those services. As these services move to the cloud, the users and user accounts are also located in the cloud, so they are outside of the network perimeter. And really, the identity is the only element that we can control
Starting point is 00:09:15 and where we need to focus our security controls. That's why a lot of the companies right now rely heavily on identity as a service, as I mentioned, a cornerstone of their identity and security strategy. So beyond the old school username and password, we have things like multi-factor and biometric types of things. What sorts of things are on your radar? What sorts of things are on your radar? The first thing that we need to consider is the fact that we need to implement this layer between the business user and all of the services that we need to access. That layer can be in the form of single sign-on in a way that we need to maintain a single user account for all of the services that the business users need to do their jobs on a daily basis.
Starting point is 00:10:10 The second thing that we need to add is multi-factor authentication. So now we believe that cyber attacks are increasing in numbers and sophistication. We need to add multi-factor authentication as a real requirement to be able to protect access to these services. Because of the fact that the number of attacks and the sophistication of the attacks is increasing, multi-factor authentication is now required. And that's just one element and one layer that we need to add to our security strategy to properly secure access to the enterprise assets. That's Yassir Abousselham. He's the CSO at Okta.
Starting point is 00:10:48 Proofpoint warns that purveyors of Kovter malware are running a new aggressive campaign. Its apparent goal is ad fraud. We've been down in Washington, D.C., covering the Association of the United States Army's annual meetings from the Military Cyber Professionals Association's Cyber Pavilion. We'll have some extensive accounts of the sessions later this week, but wanted to share a brief account of Command Sergeant Major David Redmond's presentation yesterday on the current state of U.S. Cyber Command. He's the senior non-commissioned officer at both U.S. Cyber Command and the National Security Agency.
Starting point is 00:11:25 He began with a caution for military people thinking about cyber operations. It's easy to become intimidated by the technology, he said, but in his experience, the commands that are most effective operating in cyberspace are those that take their existing processes and apply them to the domain. Cyber effects bear strong comparison to kinetic effects, and this should be borne in mind when thinking about cyber operations. The cyber operators themselves, he said, need to remember that there's a so what to their craft. They have to bear in mind that they're working in support of larger goals.
Starting point is 00:11:59 It's not, he said, just a matter of high-fiving when you've succeeded in doing something to a box somewhere. He's also confirmed what many others have observed. There's a strong convergence between cyber operations and more traditional intelligence and electronic warfare disciplines. And he echoed a familiar call for more effective use of artificial intelligence to free operators from the repetitive tasks they find themselves involved with. We'll have more on this and other presentations later this week.
Starting point is 00:12:32 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:13:02 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:13:27 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:14:22 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:15:04 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Chris Poulin. He's a principal at Booz Allen Hamilton Strategic Innovations Group. He heads up their Internet of Things security team. Chris, welcome back. We wanted to touch on medical devices today. You know, we've seen stories recently about pacemakers and insulin pumps.
Starting point is 00:15:43 What's your take on where we are when it comes to protecting connected medical devices? Yeah, so it's interesting. It's sort of the new frontier right now. As a matter of fact, at DEF CON, we saw that there was a biohacking village around different types of implantables. And I know that the medical device manufacturers are highly concerned about the security of their devices. It's kind of interesting, though. It's sort of a mixed bag between implantables. Everybody sort of seems to focus on pacemakers and insulin pumps and all the things that have a direct consequence on the humans who are wearing those devices. But there are also other things like infusion pumps and MRI machines and x-ray machines are
Starting point is 00:16:19 also connected. And so, you know, on one hand, we want to protect the patients. But on the other hand, the thing that concerns me quite a bit is that even just an infusion pump, and one of the security researchers not too long ago found that it was listening on Telnet without a username or password. So you could Telnet to the device and it would drop you to a root shell. And so, you know, the thing that scares me the most is that if you are in a hospital, and even if you're not at risk of somebody turning up the infusion pump and giving you dose after dose after dose, the attackers are still using those things as a front door to get into the medical networks and eventually get to the billing systems and to the electronic medical records, which we know are worth a lot more in the black market than credit cards are. And in fact, there was a research, I think in 2015, where some security
Starting point is 00:17:11 readers went on Shodan and they found that 68,000 medical devices were actually exposed to the internet that provided an access point to get into a healthcare network. I think the thing that we're focusing on is not just looking at what can happen from a gee whiz perspective or a shock and awe factor, literally when we talk about basemakers, no pun intended, but also the fact that medical devices themselves are far and wide and scattered amongst different places, and not just the big hospitals, but also the small caregivers who may or may not understand cybersecurity in the first place. And that exposes medical records.
Starting point is 00:17:50 So that's one of the things that we've been doing is working quite a bit on trying to find vulnerabilities in devices, profile them, but also put in place technical stacks that help to identify the medical devices and appropriately isolate them so they're not directly on the same networks as information that's valuable to cyber criminals. All right, interesting stuff. Chris Poulin, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:18:38 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:19:54 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
