CyberWire Daily - Daily & Week in Review: Conficker worms into medical IoT. Talking key management, DevOps. NERC standards take effect.
Episode Date: July 1, 2016
In today's podcast we discuss Internet-of-things threats, not only botnets assembled from compromised security cameras, but also medical device hacking (with Conficker) as a way of stealing patient information. More insurance sector breaches appear to be in progress, too. The Sprashivai social network is compromised. The Infy espionage infrastructure is taken down (but may return—they often do). NERC standards for power grid cyber security take effect today. John Leisebeor from Quintessence Labs explains key management within a security framework, and we learn about DevOps from Cybric's Mike Kail and eGlobalTech's Branko Primetica.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
facilities and insurance companies suffer more conventional breaches.
DevOps and its implications for security.
Power grid cyber protection standards take effect today in North America.
SWIFT-based threats to Eastern European banks.
Sprashivai is compromised.
Observers still see misdirection in Guccifer 2.0.
And Palo Alto takes down some Iranian cyber espionage infrastructure.
I'm Dave Bittner in Baltimore with your Cyber Wire summary and week in review for Friday, July 1, 2016.
The Internet of Things has occupied much of the week's news.
A large botnet of security cameras has been used in distributed denial-of-service attacks. The CCTV bots were herded using LizardStresser, which incorporates both clients
on hacked Linux-based machines and a server attackers use to control the clients. LizardStresser
is one of the tools being used to exploit embedded devices.
Medical devices are of course of particular concern. It's easy to fear that they might
be disrupted by hackers to threaten the safety or health of patients and users.
There seems, however, to be a more proximate threat.
Criminals appear to be attacking them not to disrupt the devices themselves,
but rather to exploit the devices as conduits into larger caches of patient information,
an indirect assault on medical records and personally identifiable information.
There's a large demand for that kind of data on the criminal market,
where they're selling for between $10 and $20 a record.
Compare that to the $5 most financial records fetch,
and medical records' attraction to criminals becomes obvious.
TrapX Labs reports observing a wave of such medical device hacks,
using the venerable Conficker worm to exploit them and gain access to data.
Conficker's salad days were back in 2009,
but it remains effective against systems running older versions of Windows.
That, unfortunately, is what a lot of medical devices run.
TrapX calls the current wave MEDJACK.2
and says that attackers have used Conficker against, among other targets,
radiation oncology, fluoroscopy, and x-ray systems.
The goal in each case is to gain access to patient information.
More conventional approaches to medical data that don't involve IoT exploitation also persist,
as we see in this week's disclosure by Massachusetts General Hospital that it suffered a data compromise
affecting some 4,300 patients. A third party, specifically a dental patient scheduling software vendor, is thought
to be the origin of the breach. The insurance sector is similarly at risk. While the quality
and provenance of the health insurance data Dark Overlord is selling in the Real Deal dark web
market remain controversial, there are reports out of India of another breach.
InfoRisk Today reports that Shriram Life Insurance has suffered
compromise of an undetermined number of records. Third parties claim to InfoRisk Today that they've
confirmed the incident. The head of the Uttar Pradesh Police Cybersecurity Task Force says
they'll open a formal investigation once they receive a disclosure from the affected company.
We hear a great deal about DevOps and the role
it can, should, or might play in security. Today we hear from two experts, eGlobalTech's
Branko Primetica and Cybric's Mike Kail, to help explain what a DevOps culture is
and what to expect if you transition to one. You can think about it as comprised of
four tenets. The acronym is CAMS, so collaboration, automation, measurement, and sharing. That's Mike
Kail from Cybric. If you look back at the original software development lifecycle, you had
your development team, and then they handed off the application to the operations team,
which really didn't understand the application from
an automation and deployment perspective, as well as measurement and performance.
They were basically just order takers, so deploying code and trying to run it without
really understanding the whole development process.
You know, the collaboration movement of merging those two and making, you know, peer operations
people think like or act like engineers, and engineers to take some operations with respect to automating processes into their workflow.
It's kind of merging the two worlds is probably a good way to think about it.
Well, DevOps is simply referring to the integration of development and operation teams
when they're deploying a solution in a more automated and repeatable manner.
That's Branko Primetica from eGlobalTech.
So it's based upon what's called the quote-unquote lean attitude.
That means that in the development process and the deployment process, which is merged
now, you involve all the stakeholders, just kind of the communication and open communication.
There is what's called the focus on the customer, meaning that they're always involved in the process beginning to end,
so no requirements, surprises, functionality, surprises arise.
And also doing things right the first time.
That's something that's thrown around a lot.
And that simply means the ability to stop the line
or to stop the development process or to stop the deployment process if an issue arises. And all of the people who are involved, the developers or
operations people, kind of quote-unquote swarm, they go to the issue, fix it immediately,
and keep on going. So that saves time and resources. According to Branko Primetica,
there are significant benefits to adopting a DevOps culture. Well, one, you step up the quality of your software engineering and your code, right? Because
everybody's involved. There's constant peer reviews. Things are more automated and repeatable.
So that kind of lowers time to market and also the quality of your code. Another major benefit
is that it boosts transparency and predictability in an IT development effort.
So nobody's caught by surprise because everybody's involved.
Mike Kail says there's time savings, too.
You speed up the overall application development and deployment lifecycle
because everybody's involved in working together versus that somewhat contentious handoff of the previous years or days.
Of course, a shift to a DevOps culture is a culture shift.
And Mike Kail warns that organizations should expect some resistance.
I think it's more of personal fear.
So if you're a pure operations person,
and you maybe don't understand engineering,
you might be a little bit afraid of it,
and that your job's going away, and vice versa.
So if you're a developer and you think, you know, I don't want to do operations,
I think there's the extreme cases and, you know, kind of fear, uncertainty, and doubt pushback.
I mean, I think you have candid conversations with them and say, look, you're going to expand your skills.
You know, developer, you're not moving into pure operations.
You just have to take a little bit of an operations mindset.
And operations need to take an engineering approach to things. I think that, you know, look at where the world
is moving and you want to advance your career and the company. This is what you need to do.
Branko Primetica says once you get buy-in, it's important to have a plan.
Something that says, okay, this is what we want out of DevOps. And then I would work on developing a DevOps methodology.
So get your development operations teams together.
Make sure that they're involved in the process, that they're familiar with it, and it actually works for them.
You want to get your security people there as well, your business people there, so that they're all up to date.
Then I would select the support tool set.
You need a scheduling tool for release management and for peer reviews of code, for example.
You need automated testing.
Once you've done all of that stuff, then I would make sure that my team is up to date on their skill sets.
Do they understand all of this?
Can they actually
automate some of these processes? Do they really know what we're talking about? And then I would
try out the methodology once everybody has that skill set. Say, hey, this is the foundational
methodology. Let me start with a new development project and follow this process that we've
established. That will allow you to actually refine your methodology.
It may seem slow going at first and there may be fits and starts along the way.
But Primetica believes that if you put the right systems and processes in place
and take the time to properly implement them, the payoff will be worth it.
Train everybody on what this means.
Guide them through the process.
Measure success and address it.
Because the first year or two of transitioning to this approach will not be an easy one
because you're changing not just the process, but the mindset, the culture,
the procedures they've been kind of used to now for several years.
And it's going to be slow at the beginning, but the payoff will be great at the end.
Our thanks to Mike Kail from Cybric and Branko Primetica from eGlobalTech.
And I'm joined once again by John Leisebeor.
He's the CTO at Quintessence Labs, one of our academic and research partners.
John, I know it's easy to think of key management as just the generation of keys for encryption,
but there's more to it.
It really is a larger part of your whole security framework, yes?
Absolutely right.
So as you said, you know, key management at one level is just the secure generation,
perhaps storage of key material, perhaps the secure distribution of it,
and the use of it in cryptographic applications,
or at least supporting the use of it in crypto applications.
But there's a whole other area which is related to, I guess,
the policies that surround the usage of key material.
We have very simple policies in some cases, but some more complex.
An example of a simple policy might be that an organisation decides
that it needs to implement or ensure that products implement algorithms
of certain security strength, like a key length,
or that specific algorithms
are in use.
So you might find what might be called an object policy, perhaps, around a key would
be something like, you know, all objects encrypted with this key shall use 128-bit AES.
An extension of that might be a lifetime policy wrapped around a key.
You know, this key can be used for encryption,
but for no longer than 30 days.
After 30 days, it must be rotated out and a new key used.
So that's a couple of examples.
They're very simple policies,
but they're very important policies
in that they provide a guarantee, in some respects,
of the security strength
and also provide a mechanism for retiring keys
from use when they're effectively worn out, in quotes.
Probably a more complex policy, one that would support much richer forms of applications,
might be policies related to usage of keys.
So, for example, think of a key management server that supports a number of operations.
Get a key, create a key, revoke a key, destroy a key, modify the attributes of a key, change ownership of a key, those sorts of things.
Where key, when I say key, I mean general purpose cryptographic object.
A key might be a symmetric key, might be a public key or a private key, might be a certificate even.
Or it could even be cryptographic material that goes to create a password.
So in a general sense there, I'm talking about a key as being anything of a cryptographic purpose related to cryptographic operations.
So usage policies there might be that you might say a user of the system can only use
a specific key if they're a member of a specific group, and the sorts of operations they perform
might be limited.
So we might give some users the ability to get keys and use a key for crypto purposes,
such as encryption.
We might say that another user or that same user is not permitted to destroy the key.
But perhaps if we have a quorum definition, then a usage policy might say that two out
of a group of five users, when they both agree, then a key can be destroyed,
can be removed from use from the system. So these sorts of policies allow us to build very powerful
applications to take advantage of a centralized key management platform for managing the security
that is built into the use of keys themselves.
John Leisebeor, thanks for joining us.
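The object, lifetime and usage policies John describes, worked through as a small policy engine. This is an added example, not Quintessence Labs' software or code from the show; the KeyManager class, its policy values (AES, 128 bits, 30 days, 2 of 5) and the users and groups are constructed for illustration.

```python
"""Toy policy engine for the key-management policies in the interview: an object
policy (algorithm, strength), a lifetime policy (rotate after 30 days) and usage
policies (group membership; 2-of-5 quorum to destroy). Constructed example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class KeyObject:
    algorithm: str
    length_bits: int
    created: datetime
    allowed_groups: frozenset   # groups whose members may get and use the key

class KeyManager:
    REQUIRED_ALGORITHM, MIN_LENGTH_BITS, MAX_AGE = "AES", 128, timedelta(days=30)  # object + lifetime policy

    def __init__(self, user_groups, quorum_group, quorum_needed=2):
        self.user_groups = user_groups   # user -> set of group names
        self.quorum_group, self.quorum_needed = set(quorum_group), quorum_needed  # e.g. 2 of 5
        self.keys = {}

    def create_key(self, key_id, algorithm, length_bits, allowed_groups, now):
        if algorithm != self.REQUIRED_ALGORITHM or length_bits < self.MIN_LENGTH_BITS:
            raise PermissionError("object policy: %s-%d rejected" % (algorithm, length_bits))
        self.keys[key_id] = KeyObject(algorithm, length_bits, now, frozenset(allowed_groups))

    def get_key(self, user, key_id, now):
        key = self.keys[key_id]          # KeyError once the key has been destroyed
        if now - key.created > self.MAX_AGE:
            raise PermissionError("lifetime policy: key worn out, rotate it")
        if not self.user_groups.get(user, set()) & key.allowed_groups:
            raise PermissionError("usage policy: %s not in a permitted group" % user)
        return key

    def destroy_key(self, key_id, approvers):
        agreed = set(approvers) & self.quorum_group
        if len(agreed) < self.quorum_needed:
            raise PermissionError("quorum: only %d of %d agreed" % (len(agreed), self.quorum_needed))
        del self.keys[key_id]

def allowed(op, *args):
    # True if the operation passed policy, False if the server refused it.
    try:
        op(*args)
        return True
    except (PermissionError, KeyError):
        return False

def demo():
    # Walk the interview's scenarios in order; returns a name -> outcome map.
    t0 = datetime(2016, 7, 1)
    km = KeyManager({"ann": {"crypto-users"}, "di": {"crypto-users"}, "zed": {"guests"}},
                    quorum_group={"ann", "bob", "cy", "di", "ed"})
    return {
        "aes128_created": allowed(km.create_key, "k1", "AES", 128, {"crypto-users"}, t0),
        "aes64_rejected": not allowed(km.create_key, "k2", "AES", 64, {"crypto-users"}, t0),
        "member_can_get": allowed(km.get_key, "ann", "k1", t0 + timedelta(days=10)),
        "guest_refused": not allowed(km.get_key, "zed", "k1", t0 + timedelta(days=10)),
        "expired_refused": not allowed(km.get_key, "ann", "k1", t0 + timedelta(days=31)),
        "one_approver_refused": not allowed(km.destroy_key, "k1", ["ann"]),
        "two_of_five_destroy": allowed(km.destroy_key, "k1", ["ann", "di"]),
    }
```

Every entry in the map returned by demo() is True when all three policy types are enforced as described.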
Returning to Internet of Things security in a different sector, today marks the implementation
of the North American Electric Reliability Corporation, that's NERC, Critical Infrastructure Protection (CIP) version 5 standards.
These standards specifically address the cybersecurity of the power grid.
LogRhythm's CTO and co-founder Chris Petersen tells us it's about time.
NERC had delayed the compliance deadline by several months.
Quote,
The reality is that legally mandated compliance regulation is the best motivator that pushes critical infrastructure entities to improve their cyber defenses.
Given the challenge of hardening legacy systems, which were never designed to withstand cyber attacks, a security strategy of rapid detection and response is paramount.
End quote.
We also heard from Ray Rothrock, CEO of RedSeal, who also said it's about time.
He thinks delays rarely end well, "as demonstrated by previous delays in the Payment Card Industry Data Security Standard.
However, I hope the extra time means compliance and resilience is on the horizon."
The NERC standard is mandated by the Federal Energy Regulatory Commission.
The utilities under NERC's jurisdiction serve more than 334 million people.
We'll be following the effects of NERC infrastructure protection standards going forward.
Turning to Eastern Europe and Central Asia, investigation into the potentially very large SWIFT-enabled funds transfer fraud
from Ukrainian and Russian banks continues. Reuters has obtained a copy of a confidential communication from Ukraine's central bank to lenders, warning them that it has
seen attempts at criminal fraud and urging them to increase security and be on their guard.
In Russia, the popular social networking Q&A site Sprashivai, which Infosecurity Magazine aptly compares to Yahoo Answers,
has been compromised. It's redirecting users to the RIG exploit kit, which is installing
the Smoke Loader Trojan. Smoke Loader is typically associated with credential theft and click fraud.
Looking at the hack of the U.S. Democratic National Committee, most observers continue
to see the hidden hand of Russian intelligence organs at work. They also regard Guccifer 2.0's hand-waving as so much misdirection,
although why the Russian services would go to the trouble baffles some observers,
since they're heartily shocked to learn that spy agencies spy.
Palo Alto Networks has taken down the infrastructure used by an Iranian group
to spread Infy cyber-espionage tools,
a welcome but probably temporary respite for those targeted.
And finally, as we head into Independence Day weekend, commemorating the Amexit of 1776,
this seemed like a good time to acknowledge and thank our listeners in France.
So thanks all, especially for the indispensable help we got from the Marquis de Lafayette and Admiral de Grasse
during the Amexit at Yorktown.
Someday we hope to visit, and when we do,
we'll be sure to say,
Lafayette, nous sommes à la veille.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.