CyberWire Daily - Daily: Patch Tuesday notes. Pokémon Go (of course), ICS security, energy recon, fansmitters.

Episode Date: July 13, 2016

In today's podcast we go over some of the highlights of this week's patches, including fixes from Microsoft, Adobe, Drupal, and Niantic. We discuss the security of the industrial Internet-of-things and critical infrastructure, especially the power grid. We hear about the current state of ransomware play, and note the return of xDedic, the hacker server hawker, to the dark web souk. Industry news includes coming cyber upgrades to SWIFT, VC updates, and notes on the markets. The University of Maryland's Jonathan Katz tells us about "fansmitters", and Booz Allen's Scott Stables shares threat data from their latest ICS report.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 air gaps and fansmitters, paycard breaches, Bay Dynamics gets $27 million in Series B funding,
Starting point is 00:02:06 markets process Imperva's disappointing results, Swift turns to BAE for cybersecurity, and Pokemon Go gets some fixes, but trainers choose well. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 13, 2016. Yesterday was Patch Tuesday, and the customary set of fixes emerged from the big fish in Redmond and some of its smaller, yet still significant, pilot fish. SysAdmins should be busy this week and next. As we all know, but still need to be reminded, patch management is one of the best security best practices.
Starting point is 00:02:50 Microsoft issues fixes for 11 bugs, 6 of them critical, that address more than 40 flaws. Connoisseurs of Patch Tuesdays consider this a relatively light load. 15 of the bugs fixed were in Internet Explorer, 13 in its successor browser Edge. One set of patches closed a printer vulnerability Vectra Threat Labs discovered. If left unpatched, these flaws could exploit networked printers to install malicious drivers. Other patches address ways in which attackers could have bypassed some Office security features and close off ways in which malicious documents could be created to serve as vectors for malware infection. Adobe patched as well, plugging some 50 holes in its widely used and oft-exploited Flash Player browser plugin and in the popular Adobe Reader. Open source content management system Drupal was a little late to the party, but was a most welcome arrival this morning with fixes to critical remote code execution vulnerabilities in some contributed modules.
Starting point is 00:03:41 The SANS Internet Storm Center reports that Drupal Core is not affected. Google and Niantic continue to grapple with some of the security issues raised by their wildly popular Pokemon Go. Niantic has now limited the permissions the game asks for to know who you are on Google and view your email address. Formerly, the game had automatically scooped up permissions to access essentially all things Google about its players, Gmail, Google Docs, etc. Other issues, including the possibility of the game's locking iOS users out of their Google accounts, remain to be addressed.
Starting point is 00:04:14 The augmented reality game has drawn other attention. For one thing, as Motherboard puts it, Pokemon Go's endgame is, quote, to get you to walk into Chipotle, end quote. This seems a reasonable enough business model, and no more nefarious than many other forms of advertising, but the geocaching in the augmented reality system has its dangerous and unseemly aspects too. Reports persist of inattentive players being led into risky neighborhoods
Starting point is 00:04:37 and even ambush muggings. And, it's sad to report, in greater Washington, D.C., both the Holocaust Memorial and Arlington National Cemetery have had to ask players not to pursue virtual Pokémon in what ought to be recognized as sacred spaces. So, players, update your games and enjoy them, but remember that while Charmander might be a virtual being, you remain an embodied one. Turning to the Internet of Things, especially its industrial control system precincts, the energy sector cyber-recon tool Sentinel-1, found associated on the dark web with the
Starting point is 00:05:11 Firtom campaign, continues to look like the work of a state security service. The malware seems tailored to specific European energy companies, but utilities worldwide are taking note of their vulnerability to cyber threats. Both the U.S. House and the Senate are looking into critical infrastructure protection this week. We heard from Ray Rothrock, CEO of Red Seal, about the regulatory issues involved. He thinks the payment card industry might provide a cautionary example. Quote, critical infrastructure organizations need to act immediately. End quote. Warning that compliance with sound standards is central to protecting the people from attacks. End quote. End horizon, end quote.
Starting point is 00:06:10 Booz Allen recently published an industrial cybersecurity threat briefing. We spoke with Scott Stables, the chief technologist for industrial cybersecurity at Booz Allen, about the report. The type of attack and perhaps the motivation behind the attack is changing. So we've seen less interest in, you know, oil and gas utilities and a change towards what I would call manufacturing or, you know, high-tech manufacturing, critical manufacturing. And that could potentially be due to, you know, interest in alternative motivations for attacks. So perhaps less of the nation state and perhaps more of the organized criminal elements are looking towards making money out of conducting attacks against manufacturers of equipment, products, and so on.
Starting point is 00:07:00 Scott Stables says the report reveals a troubling combination of vulnerability and high stakes. The other part, I think, is that the consequence of failure of some of these components of our critical infrastructure is measured in a different way, in a cataclysm, an event at a refinery, an outage in one of the hottest days of the year, for example, that could cause some significant impacts to large amounts of people. In Booz Allen's report, one-third of operators reported some kind of breach in 2015. Stables says the motivations of these attackers vary. If you look at the nation-states, for example, we kind of characterize them in two buckets, ones that are getting in, establishing some kind of persistent presence there, access and doing reconnaissance and essentially doing nothing else, just waiting potentially for who knows what, but just waiting. There are others who are going in there very directly and causing, you know, some kind of disruption or impact. And, you know, if you look at the Ukraine example, that is,
Starting point is 00:08:32 that's exactly what happened there. So depending on who you are, you have a different motivation. It's all driven geopolitically. Some of it may be driven by espionage or potentially looking at getting inside a network for theft of IP, for example. The report talks about the motivations for three or four different nation states in that respect. I asked Scott Stables what in the report he found most surprising. You have a fairly simple environment. There's an awful lot that you can do in terms of basic things like cyber hygiene, like network segmentation, like understanding what you have in the network, for example. You know, what devices do you have there? When was the last time you did an inventory?
Starting point is 00:09:15 And, you know, I believe that many of the root causes and, you know, 88%, I think, of the incidents initiated on the enterprise network, many of these could have been avoided if you implemented some basic kind of approaches to cybersecurity. And I think what's driving that, maybe it is some of this operational technology versus IT, lack of integration, discussion, cooperation in the firms. Maybe it's not. I think you need to, as an organization, implement better interaction between these types of the organizations to get on the same page and do the basics. I think that's probably the biggest takeaway.
Starting point is 00:10:04 You can download a copy of Booz Allen's Industrial Cybersecurity Threat Briefing on their website. Returning to payment card standards and the related issues of point-of-sale security, Tripwire's Tim Erlin, Director of IT Security and Risk Strategy, commented on the recently reported breach at Omni Hotels. The bright spot in this breach appears to be that Omni Hotels detected the activity themselves. Many breaches in the past have been detected
Starting point is 00:10:30 not by the compromised business, but by third parties noticing fraudulent activity. Security professionals at retailers should use this incident to drive a review of the controls on their own point-of-sale systems. End quote. On the ransomware front, Heimdall warns us here in
Starting point is 00:10:45 Midgard that there's a new cheap and nasty out there to be on the guard against. It's called Stampado, and this strain of ransomware is noteworthy because it doesn't need administrator access to operate. ThreatTrack published a detailed report on Cerber, recently active against Office 365 users, and Kaspersky reiterates warnings against Satana. Trend Micro has opened up a ransomware hotline for victims, and it's offering a set of recovery tools as well. In the U.S., the Office of Civil Rights of the Department of Health and Human Services releases new HIPAA guidance, suggesting that health care providers hit by ransomware may face penalties.
Starting point is 00:11:22 In industry news, Bay Dynamics picks up $27 million in Series B funding, the stock market is processing Imperva's disappointing results, and the international funds transfer organization Swift engages BAE to help it with cybersecurity. Finally, Pokemon Go has reached Germany. NG Data has seven security tips for players everywhere. Install the game only from a trusted source. Use security software on your device. Watch the permissions you give the game.
Starting point is 00:11:51 Be aware of your surroundings when you play. Think before you chase. Remember to guard your privacy and avoid in-game cost traps. So, trainers, if you're in, say, Hessen and you chase your Pokémoner through the streets of Hanau, past Schloss Philippsruhe and around the statue of the Brothers Grimm,
Starting point is 00:12:08 we say, viel Spaß, aber sei doch vorsichtig, Jungs (have fun, but do be careful, boys).
Starting point is 00:13:07 And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, you know, it's commonly believed that one of the best ways to protect a computer is to air gap it, to have it not be connected to anything else.
Starting point is 00:14:24 But some researchers have come up with a clever way to get around that. What are we talking about here? Yeah, there's some really interesting work out of Ben-Gurion University in Israel where the researchers show that even an air-gapped computer can still be used to transmit information to an attacker. So this would provide an attacker with a way to extract potential information from the computer, even if it's not connected to the internet. And what were they doing? What was the clever workaround they discovered? Well, what they did was they used
Starting point is 00:14:54 a physical channel, a physical channel for the communication between the computer and the attacker. So think about if you have malware sitting on the machine, what they had the malware do was actually affect the CPU load on the computer, which would in turn affect the speed of the fan that's used to cool the CPU. And that speed, that change in the rotational speed of the fan, could then be picked up by an attacker, say, who had a microphone planted nearby. So by changing the speed, the device can pick it up and then they can vary the speed and basically have some sort of binary communications with the external device? Yeah, exactly. So really what this shows is just that there's all kinds of ways to communicate
Starting point is 00:15:36 and anything at all can be used as a potential communication channel. It's another example of what we might call a side channel attack. And so rather than just relying on the network, they've here shown how to use the sound being emitted by the fan as a change of speed as a communication channel. And I think there's been earlier work by the same team that's shown how to use the temperature changes that are induced by the rate of CPU consumption of another communication channel.
Starting point is 00:16:01 So it really just shows that the hackers or the attackers are always thinking and coming up with new ways to get around existing security protections. All right, Jonathan Katz, thanks for joining us.
Starting point is 00:16:29 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
