CyberWire Daily - Daily: Bug bounty? Nah, just short the stock. Pegasus, cyber arms control, and more.
Episode Date: August 29, 2016
In today's podcast, we update the story on SCADA malware in Iran—Iran now thinks it didn't cause petrochemical industry fires. France, India, and Australia investigate theft of submarine design data.... Citizen Lab's investigation of iOS spyware renews debate over cyber arms control. The Shadow Brokers haven't yet got their half-billion dollars, but their leaks chill US-Russian relations and prompt both election fears and concerns over zero-day disclosure. The US prepares to revise its anti-ISIS social media operations. Security firm MedSec discloses alleged St. Jude medical device vulnerabilities to a hedge fund, seeking to profit from short-selling. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security gives us the details on PPD 41 from the White House. Fishing and hunting license databases exposed. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Miller Lite.
The light beer brewed for people who love the taste of beer
and the perfect pairing for your game time.
When Miller Lite set out to brew a light beer,
they had to choose great taste or 90 calories per can.
They chose both because they knew the best part of beer is the beer.
Your game time tastes like Miller time.
Learn more at MillerLight.ca.
Must be legal drinking age.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe,
now at a special discount for our listeners.
Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Iran says SCADA malware wasn't the cause of petrochemical industry fires.
France, India, and Australia investigate theft of submarine design data.
Citizen Lab's investigation of iOS spyware renews debate over cyber arms control.
The Shadow Brokers haven't yet got their half billion dollars, but their leaks chill U.S.-Russian relations and prompt both election fears and concerns over zero-day disclosures.
U.S. prepares to revise its anti-ISIS social media operations.
A security firm gives its medical device vulnerability research to a hedge fund, hoping to profit from selling the affected company's stock short.
And fisher folk in at least two states should be alert lest they find themselves in a social engineer's creel.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, August 29, 2016.
Iran says a recent series of fires at its petrochemical facilities were not the result of a cyber attack.
Official sources report that such facilities had sustained attempted attacks,
but those attempts were unsuccessful and unrelated to the fires they sustained earlier in July of this year.
Brigadier General Gholamreza Jalali, chief of Iran's civil defense organization, said his organization's inspections of SCADA software discovered, quote, inactive viruses in one or two petrochemical complexes, end quote, and that the infections were remediated without incident.
He also observed that at least some of the malware came pre-installed
with industrial control systems purchased abroad.
India, France, and Australia continue to investigate theft of design documents related to the Scorpène family of submarines.
The data belong to French shipbuilder DCNS, which has contributed to the design of Australia's related Shortfin Barracuda class of diesel-electric boats.
French investigators so far believe the theft was committed by a rogue DCNS insider.
India is also a user of Scorpène-class submarines, with six boats building or in service.
It's unclear so far where the data went or on whose behalf they were taken.
The investigation occurs as Australian authorities work to shore up that country's cybersecurity.
Of particular concern, and not apparently related to the DCNS breach, are reports of
long-running Chinese intrusions into Australian government and corporate networks.
The goal of the incursion again appears to be technical information on sensitive programs, thus industrial espionage.
China's embassy in Canberra denies the whole thing as totally groundless and false clichés.
Also, China's a big victim of cybercrime and cyberespionage, and not at all the bad guys here, says the embassy.
Observers react to reports by Citizen Lab and Lookout of iOS zero-days, since patched by Apple, actively exploited by surveillance tools provided by Israel-based, California-owned NSO Group.
Citizen Lab is particularly insistent that Ahmed Mansoor, whose iPhone was found infected with Pegasus spyware exploiting the since-patched Trident vulnerabilities in iOS, was a legitimate human rights advocate and not a cat's paw for subversion or terrorism against the United Arab Emirates.
Haaretz, among others, thinks the incident calls for closer scrutiny
of what many are calling cyber arms dealers.
It's worth reading the comments section on many of the articles.
When an editorialist calls for restrictions on products like those the Citizen Lab report associated with NSO Group, within the first few comments one sees an accusation that the writer is shilling for Wassenaar, the much disputed and still evolving cyber arms control regime.
So the question of how threat actors might be controlled without impeding legitimate vulnerability research remains open.
So does the question of what counts as a legitimate lawful intercept tool and what counts as a legitimate intelligence operation.
Discussion of lawful intercept tools is reminiscent of long-running discussions
that sought to find distinctions between offensive and defensive kinetic weapons.
Discussion of legitimate intelligence operations has continued to turn
on issues of vulnerability discovery and disclosure.
The Shadow Brokers incident prompts many to see its leaked zero-days as an object lesson in the unwisdom of hoarding as opposed to disclosing vulnerabilities.
The Shadow Brokers are, as current consensus holds, a sock puppet for Russian intelligence
services, who possibly operated with the assistance of a compromised insider,
although how they got the material they're advertising remains an open question.
The incident is regarded by many as an escalation of U.S.-Russian conflict
to levels not seen since the Cold War.
Concerns for upcoming U.S. elections,
which may be vulnerable to both information operations
and direct manipulation of electoral returns,
prompt some gestures toward infrastructure protection
from the U.S. Department of Homeland Security.
These gestures are not being universally welcomed by the states,
many of whom sniff a federal incursion into their turf,
and other observers question whether such measures
as designating elections-critical infrastructure
will be on balance positive steps.
Another issue regarding vulnerability disclosure
cropped up late last week. Muddy Waters Capital, a hedge fund, shorted the stock of St. Jude
Medical Incorporated, which trades on the New York Stock Exchange under the ticker symbol STJ.
The short sellers also announced that St. Jude's pacemakers and other related devices are,
Muddy Waters says, vulnerable to hacking.
The fund also suggests, quote, a strong possibility, end quote,
that nearly half of St. Jude Medical's revenue will be lost over two years
as devices are recalled and vulnerabilities remediated.
Muddy Waters did not, of course, perform the vulnerability research itself.
The hedge fund was approached, it says, by MedSec Holdings,
a security firm focused on the health care sector. CEO Justine Bone told Bloomberg she
thinks St. Jude can fix the devices, and she hopes they do so soon. She also told Bloomberg,
in response to a question about whether MedSec would profit from the short,
that her company's compensation is keyed to Muddy Waters' investment. She recognizes that their approach is non-traditional,
but she said that she believed St. Jude has a record of brushing aside security concerns
and that this justifies their unusual step of seeking compensation through investment
as opposed to bug bounties.
St. Jude Medical has been in acquisition talks with Abbott Labs.
Many analysts think this incident likely to derail or at least delay any acquisition.
Returning to information operations,
the U.S. government is reported to be again rethinking its social media effort against ISIS.
The fresh approach appears to be one of enlisting third parties
in preference to using direct messaging against the caliphate.
Finally, there have been two curious, similar, but probably unrelated incidents
in which Fish and Wildlife Services in Kentucky and Oregon
suffered breaches exposing personal data of game license applicants.
In the Oregon case, one Mr. High is demanding ransom
and threatening to leak the information.
So if you're fishing in the Ohio or the Pacific Northwest,
take care you don't wind up as some social engineer's catch of the day.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me is Markus Rauschecker.
He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security.
Markus, recently the White House put out a presidential policy directive, I believe it's number 41.
This deals directly with cybersecurity. Fill us in. What is this about?
So about a month ago, the White House issued PPD 41, which is called U.S. Cyber Incident Coordination.
And it really tries to address one of the fundamental problems of cybersecurity, which is the question, who's in charge and who's responsible for responding to a cyber incident in the government?
Who do victims contact within the government once they become victims of a cyber incident?
So this is what the PPD tries to outline. And it does it in a pretty straightforward way, I think.
It certainly sets forth some of the guiding principles for the federal government in how to respond to cyber incidents.
And it also establishes clearly the lead federal agencies that are going to be responsible in a cyber incident response.
Give us some examples. Who's responsible for what?
The PPD kind of breaks it out into different response areas for a cyber incident.
So you'll have a threat response area, an asset response area, and an intelligence support area of responsibility.
What does that mean?
A threat response deals primarily with law enforcement, national security.
So really how to investigate a cyber incident.
And for that response area, the PPD says that the FBI will be the lead agency, the lead federal government agency, to deal with threat response.
The second area of response would be asset response.
For that, PPD 41 says that Department of Homeland Security is in charge.
And what does that mean?
Well, Department of Homeland Security in its asset response responsibilities is going to provide technical assistance to organizations,
to victims. It's going to help them find some of those threats that are out there,
try to patch some of the vulnerabilities, help with risk assessments, and then outlining some
courses of action that the victim or the organization might want to undertake in response
to the cyber incident. So that's DHS, the Department of Homeland Security's job, according to PPD 41.
And then finally, the last area of responsibility that the PPD outlines is the intelligence support
area. And for that, it says the Office of the Director of National Intelligence is going to
be in charge. And basically, we're talking about intelligence here, right? So we're talking about increasing
situational awareness across the board. Federal agencies should know what the threats are based
on what the intelligence community knows so that they can be better prepared for any kind of cyber
threat. Has there been any reaction to this so far? Is it being positively
received? I think anytime you try to provide more clarity, anytime government tries to provide more
clarity in terms of what the roles and responsibilities are and who's in charge,
I think that is always well received. Part of the PPD also says that the Department of Homeland Security will be responsible for submitting a national cyber incident response plan to the White House.
And I think that's going to take this PPD even a step further in terms of outlining some of those roles and responsibilities and clarifying those roles and responsibilities for both the government, the public sector, and the private sector in terms of what some of those
roles and responsibilities are. So we're going to see this National Cyber Incident Response Plan
relatively soon. In October, we're going to see a draft put out there for public comments,
so people can comment on the draft. And then the final version will actually be submitted to the White House in January of 2017, or no later than January of 2017. So, you know, we'll have to wait and see
what that response plan looks like. But I think it'll also help in terms of outlining those roles
and responsibilities and just clarifying the effort that the federal government is going to undertake
when it comes to cyber incidents.
All right, Markus Rauschecker, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.