CyberWire Daily - Daily: State-directed cyberattacks in the 2017 forecast. Tenable's Cybersecurity Assurance Report Card. DDoS and ransomware notes. Content filtering in social media. Connected toys too curious.
Episode Date: December 6, 2016
In today's podcast, we hear that more state-directed hacking is in the forecast for 2017 (and Pyongyang seems to have a head start). A new DDoS botnet rivals Mirai. Ransomware notes. Android users are advised to stick with Google Play (and so avoid Gooligan). Content filtering in social media. Cris Thomas from Tenable talks about their cybersecurity report card. Awais Rashid from Lancaster University outlines critical national infrastructure. And more connected toys seem to be far too curious about those who play with them.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More state hacking is in the forecast for 2017,
and Pyongyang seems to have a head start.
A new DDoS botnet rivals Mirai. Ransomware notes.
Android users are advised to stick with Google Play and so avoid Gooligan.
Content filtering in social media.
Tenable talks about its cybersecurity report card.
And more connected toys seem to be far too curious about those who play with them.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, December 6, 2016.
Observers at FireEye and elsewhere take a look at 2017 and predict more state-directed cyber attacks.
Some of them are thought, on track record alone, to already be in progress but still undiscovered.
The usual suspects and objectives are invoked: Russian surveillance and information operations, Chinese industrial espionage; nor should the Democratic People's Republic of Korea be forgotten.
The Yonhap News Agency reports that a South Korean military intranet has sustained a North Korean-directed malware infestation. Seoul's Ministry of Defense acknowledged finding the malicious code
in one of its cyber command networks.
As we mentioned on yesterday's show,
Tenable Network Security published their Global Cybersecurity Assurance Report Card for 2017,
which measures the attitudes and perception of enterprise IT security practitioners around the world.
Cris Thomas is a strategist with Tenable.
It's interesting. We want to be able to try to go out there and talk to people who are actually in
the trenches, the cybersecurity professional, and say, hey, what are your feelings about your
organization's ability to determine your risk level in these various areas? And so we've asked
a bunch of people what their thoughts are. We've combined those results
together and then assigned each, not only each area a letter grade, but also each country and
each industry vertical so that we can sort of get a picture of where things might be good and where
things might not be so good.
So take me through some of the key findings.
Unfortunately, most of the key findings are not happy, if you will.
In risk assessment, we have an overall falling of a score by 12 percentage points.
An organization's ability to assess their risks has gotten worse this year over last.
Cloud environments are still showing a very difficult time for people, despite how long we've been working with cloud.
We saw a seven point drop in cloud.
Mobile is not doing well at all.
We've gone from 65 percent, a D, to an F, a failing grade in mobile.
And, you know, now we have DevOps and containers on top of that.
And so we added those to the survey this year, but they did not get that great of a score, as you can possibly imagine.
When you look at the numbers, when you look at the findings, what do you think is driving these decreases in confidence?
You know, that's a good question. I think I was kind of surprised to see basically a drop on almost all the grades across the board, whether that is mobile or cloud, or whether it's, you know, Europe or United States or Australia, or education or government or retail.
Just about everything we looked at, the numbers dropped. And why? Why is that?
It's a good question. I had hoped from last year that, geez, we're getting better at our jobs, we're doing better things, we've learned more stuff, our numbers should increase this year, at least a little bit. But there are very few aspects, very few areas that we actually saw increases.
So why did everything decrease? And I think possibly, again, we have to look at, we're looking at people's perceptions of their organization's abilities. It's really hard to get definitive metrics in some of the questions that we're asking. So a lot of this comes down to how you feel about your organization's ability to do their job.
And so if you're hit over and over and over
again by these massive news reports of these massive breaches, the OPM data breach, the Target data breach, you have all the election stuff that happened this year.
And you're seeing all this negativity in the news. You know, you may get a little downbeat and a
little discouraged and think, well, gee, maybe I'm not as good at our job as we thought we were.
Or maybe our technology is better now. And so we actually have some numbers to say,
hey, you know, we're not doing as good as we thought. So we have to assess ourselves
that are slightly lower grade.
Were there any bright spots in the report?
Yeah, there were a couple of bright spots. The biggest one for me was one of the final questions that we asked. And it was just kind of a, I don't want to say a gimme, but we asked everybody what their overall
perception was of their security from this year to last year. Compared to this time last year,
do you feel more optimistic or pessimistic about your organization's ability to defend itself
against cyber attacks? This is a question we asked last year also, but this year we have
almost 90 percent, over 90 percent of the people who feel either the same or better about their
organization's ability, about being optimistic about the future.
And I think, yeah, that's interesting.
That is interesting, isn't it?
You have all this pessimism and all these bad grades and, oh, no, we're bad at this, we're bad at that, we're bad at this.
But, oh, look, next year we're going to be better.
We're going to have a positive attitude and we're going to go out there and we're going to be awesome defenders.
Because as a defender, the news is almost always bad because somebody's always getting breached.
And you read about it in the news and you're always trying to fight off the bad guys. And yet,
despite all this bad news that's out there, we're maintaining a positive attitude. And to me,
I think that's better than half the battle.
That's Cris Thomas from Tenable Network Security. He's known online as Space Rogue.
The Global Cybersecurity Assurance Report Card is available on Tenable's website.
Mirai appears to have a competitor in the distributed denial-of-service market.
Web performance and security company Cloudflare has reported that a new,
so far unnamed botnet began executing attacks on November 23rd.
It ran on a predictable schedule,
eight hours a day for seven days, beginning at 10 a.m. Pacific Standard Time.
On the eighth day, the attack switched to 24 hours,
reaching a peak volume of 400 gigabits per second.
For comparison, Mirai has hit 620 gigabits per second.
It's unclear what kind of bots it's comprised of.
It may or may not be an IoT botnet.
Attacks seem to have originated with Chinese IP addresses
and to have targeted servers in California.
Cloudflare thinks the targets were gaming and virtual goods sites and services.
What the motive might be is also obscure, but gaming and virtual markets are of course particularly sensitive to disruption.
Ransomware also tends to hit enterprises that depend upon high online availability, which is one reason so many healthcare providers have been victims.
Locky ransomware operators have shifted to .osiris extensions in malicious code being spread by bogus Excel invoices.
No decryption is yet available,
so secure regular backup is the best preparation for recovery.
Globe 2 ransomware is implicated in successful attacks on British hospitals that disrupted patient services. Three hospitals were affected by the disruption of systems in the North Lincolnshire and Goole NHS Foundation Trust. Some 2,800 patient appointments were canceled.
Investigators either don't know or aren't saying how the attack was accomplished.
Ransomware exacts opportunity costs from its victims.
San Francisco's Muni Light Rail estimates it lost some $50,000 in fares during the attack.
That's $75,000 less than the ransom Muni refused to pay, but it still hurts.
Android users should remain wary of Gooligan malware, which continues to romp in the wild.
Many observers are noting that its vectors are malicious apps
the victims download from sources outside Google Play.
So in this case, please stay inside the walled garden.
Social media companies and sites continue to grapple with content filtering. Counter-trolling seems unsuccessful. Control of terrorist imagery remains a work in progress, but is proceeding along lines followed to exclude child porn from networks.
Finally, as you shop for children over the holidays, remember to exercise due diligence.
Some tablets being marketed as offering child-safe searches have been shown easily susceptible to workarounds.
For example, a simple browser search may not take the children to inappropriate content,
but Google Translate may provide an unintentional workaround.
And you'd also do well to be suspicious of connected toys.
My Friend Cayla and i-Que Intelligent Robot, both basically dolls and both made by Genesis Toys,
have been complained about to the Federal Trade Commission and other regulatory bodies.
They're alleged to be collecting and reporting way too much information about the kids who play
with them. Come on, toy makers.
Can you try not to put Chucky under the Christmas tree?
And joining me once again is Professor Awais Rashid.
He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor, I know today you wanted to tell us a little bit about cybersecurity and critical national infrastructure.
Yes, thank you. Thank you for that.
The security of regular information systems is very much in the news these days.
We hear of large-scale breaches, often of credit card theft, financial theft online.
But equally, we are increasingly seeing cyber attacks against critical national infrastructure.
These are the things that we see as fundamental to daily functioning of society,
things like power plants, water treatment facilities, your energy supply systems.
And you'd be surprised how many of them are potentially open to cyber attacks.
And the reason for this is that a lot of these systems were designed without actually security in mind.
20, 30 years ago when these systems were designed, they were designed based on proprietary protocols.
They were often closed systems with little connectivity to the Internet.
And you needed very specialist knowledge to actually work with these systems.
As our systems have become more and more connected, these systems are also connected to other systems within organizations and also potentially to the internet. And as a result, given that they weren't designed with security
in mind, there are often quite a lot of vulnerabilities in them. And we are seeing
increasing incidents of these. There was a fairly well-known incident of a German steel mill where a furnace was destroyed as a result of a cyber attack that escalated and got out of hand. Similarly, we saw the cyber attack on the Ukrainian power grid more recently. And of course, there are more high-profile attacks that we know historically, such as the Maroochy water services almost now 10, 15 years ago, as well as Stuxnet, which destroyed the centrifuges in Iran's nuclear facilities.
So the problem we actually have is that these
infrastructure are increasingly connected to the internet. There have been studies done through
the search engine Shodan that show that a lot of these facilities are connected to the internet,
yet they are highly vulnerable to a number of what I would call fairly basic cyber attacks.
And that's an area we look at very closely in terms of securing such systems.
The key issue is that these attacks don't often require you to be very sophisticated.
The entry level to attack cyber physical systems,
such as an industrial control system, which is prevalent in critical national infrastructures,
is actually quite low. Yes, you need to know a little bit about how these systems work. But
in the end, the underlying protocols and the systems that are in deployment are often so vulnerable that you don't really need to be a highly sophisticated attacker to actually breach these systems.
Awais Rashid, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.