CyberWire Daily - Finland’s data protection authority investigates suspicious smartphone activity. GitHub repos are leaking keys. Cardiac devices can be hacked.
Episode Date: March 22, 2019. In today's podcast, we hear that Finland's data protection authority is investigating reports that Nokia 7 Plus smartphones are sending data to a Chinese telecom server. Thousands of API tokens and cryptographic keys are exposed in public GitHub repositories. The US government warns that certain cardiac devices can be hacked from close range. A North Carolina county government is dealing with its third ransomware attack. And Magecart groups go after bedding companies. Malek Ben Salem from Accenture Labs with thoughts on securing the digital economy. Guest is Adam Isles from the Chertoff Group on supply chain risks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Finland's Data Protection Authority is investigating reports
that Nokia 7 Plus smartphones are sending data to a Chinese telecom server.
Thousands of API tokens and cryptographic keys are exposed in public GitHub repositories.
The U.S. government warns that certain cardiac devices can be hacked from close range.
A North Carolina county government is dealing with its third ransomware attack.
The Chertoff Group's Adam Isles joins us with insights on supply chain risks and transportation.
And Magecart groups go after bedding companies.
That'll keep you up at night.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 22, 2019.
Finland's Data Protection Authority is investigating a potential data breach violation following a report that some Nokia 7 Plus smartphones,
developed by HMD Global, were transmitting sensitive data to a Chinese server.
NRK reported yesterday that every time one of the phones was switched on or the screen was unlocked,
it sent an unencrypted data packet containing the phone's geographical position,
SIM card number and serial number to a server belonging to China's state-owned telecommunications company.
HMD Global, a Finnish company that develops Nokia-branded phones,
said the issue was due to a glitch in the phone activation software,
which was patched last month.
The company says its phones erroneously included software meant for the Chinese market.
This explanation would make sense,
because the Nokia 7 was a China-exclusive product
before a newer version was released for the global market.
Collecting data when a phone is first activated
is a standard industry practice,
as it allows telecom companies to activate the phone's warranty.
It's also possible that the activity was required for Chinese phones
in order to comply with local data collection laws.
The report caused additional concern, however,
since it came at a time of heightened apprehension
about potentially backdoored Chinese technology. HMD's phones are manufactured by Foxconn in China, so some
researchers believe the issue is worth looking into further. Finland's data protection ombudsman
agrees, so he's ordered an investigation. He believes that this at least looks like a violation of GDPR.
HMD holds that no personal information was transmitted,
but that's going to be a hard sell if the phones sent location data without users' consent.
It's worth noting that Nokia itself doesn't appear to be involved in this situation,
although the phones still bear its name. The company sold its mobile phone business to Microsoft in 2014,
and the business was taken over in 2016 by former Nokia executives at HMD.
More than 100,000 GitHub repositories have exposed API tokens and cryptographic keys due to poor coding practices. Researchers from North Carolina State University scanned millions of public
GitHub repositories looking for text strings that resembled tokens or keys and discovered
more than 200,000 exposed keys spread across more than 100,000 projects. They see thousands
of new keys appearing every day, 81% of which aren't removed within two weeks.
Yesterday, the U.S. Department of Homeland Security and the FDA warned that the Conexus wireless telemetry protocol
used in certain Medtronic cardiac devices
can be hacked from up to 20 feet away.
Two teams of security researchers discovered the vulnerability
in 16 different models of Medtronic implantable
defibrillators. The Conexus protocol, which uses radio frequency to communicate between devices,
doesn't implement encryption, authentication, or authorization. An attacker in close proximity
could modify or inject data between the devices and their control units.
The devices have some mitigations built in, and Medtronic is working to develop further safeguards.
The company says the risk of physical harm to patients is low, since an attacker would have to be so close.
The devices are also only vulnerable when they're in listen mode, which is deactivated throughout most of the day.
The FDA urges patients to keep their monitors plugged in,
saying that, quote, the benefits of remote wireless monitoring of an implantable device
outweigh the practical risk of an unauthorized user exploiting these devices' vulnerabilities,
quote. The vulnerability does not extend to any pacemakers.
Orange County, North Carolina, is dealing with its third ransomware
attack in six years. Orange County spokesman Todd McGee told a local CBS affiliate that the malware
shut down systems in the sheriff's office, the register of deeds, and the local library, among
others. Some systems have been restored, but the county doesn't know how long the full recovery will take.
McGee said the attack was likely due to someone clicking on a malicious link,
adding that it could have spread from the public computers at the library.
Terrence Jackson, the CISO of Thycotic, told the Information Security Media Group
that he wonders if the county paid the previous ransoms, encouraging additional attacks,
or if the problem is simply poor cyber hygiene.
Chris Morales from the threat detection firm Vectra
believes the county was targeted because attackers know
that local governments struggle to fund adequate security measures.
And finally, RiskIQ revealed two Magecart attacks
which compromised the websites of the pillow manufacturer MyPillow and the mattress company Amerisleep.
In the case of MyPillow, attackers placed a skimmer by registering a domain and injecting it into the live chat script in MyPillow's website.
The skimmer was placed in late October but hasn't been active since November 19th.
Amerisleep was compromised by a long-running campaign from December 2016 to October 2017.
Two months ago, however, the attackers returned and injected skimmers into payment pages on Amerisleep's website.
The domain used by these skimmers has since been taken offline,
but Amerisleep's website is still compromised,
and the company hasn't answered RiskIQ's attempts to inform them.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Malek Ben Salem.
She's the Senior R&D Manager for Security at Accenture Labs.
Malek, it's great to have you back.
We wanted to touch today on a presentation from Accenture
about securing the digital economy.
What do we need to know here?
Hi, Dave. Thanks for having me.
Yeah, so this is a paper that we have recently published.
It's based on a survey that we've conducted with a number of our clients.
And we want to look at the fundamentals of the internet. We know, right, and businesses know
that they're dependent on the digital economy and the internet for growth.
But what we've been realizing and what a lot of CEOs have been realizing recently is that that growth is dependent on trust.
We need to build trust with clients.
So creating an online account today, purchasing from a website, downloading an app is more than an exchange of data and an exchange of goods or services.
But really, it's an exchange or
a transaction that is based on trust. But building that trust with the current state of the internet
seems to be complex and we're not sure whether that is feasible. So this is a study to see what can be done today by CEOs to improve, not only
improve their security posture, but also improve digital economy as a whole for everybody.
Okay, so what are some of the details?
We know that without trust, the future of our digital economy is potentially at risk.
The internet is unable to sustain the digital economy due to several reasons.
Number one is its evolution.
We know the internet started or evolved from a military asset where security considerations were based on preventing physical failures to an open infrastructure where security
issues are more sophisticated. The existing internet protocols are not secure. So that's
one factor. The other factor is this IoT effect. We expect, you know, probably 50 billion IoT
devices on the internet. We do have an identity crisis. If you go back to 2006,
an average person had to maintain six passwords, where today that average has gone up to 27
passwords. Regulations are changing. So, you know, the flow of data is changing based on that change in regulations.
And the cost of insecurity, according to a study that Accenture has conducted, the cost actually over the next five years within the private sector may amount to a lost opportunity of $5.2 trillion in revenue opportunities that are lost because of this lost interest in the digital economy.
So something has to be done.
And this is beyond just securing infrastructures,
but rather something that businesses have to do across ecosystems.
And so what are the recommendations?
What do you all propose?
So we do propose continuing the technology investments, what we call, you know, continuing
to do the work underground. So that's the technology investments, securing the infrastructure,
the plumbing underneath our digital economy. But also, more importantly, what we recommend to CEOs is focusing on governance.
So joining forces with other companies to govern globally, creating an internet security
code of ethical conduct for each industry, being proactive with standards, particularly
with principle-based standards, you know, like trusted AI,
explainable AI, ethically aligned design, promoting consumer control of digital identities,
taking privacy as a digital human right, and then committing to sharing information about cyber
attacks across industries, across an ecosystem. That's from the governance
side. But we also have recommendations about the business architecture. So obviously, CEOs need to
prioritize security by design. They need to make sure that their line business leaders are accountable for security and that they protect the
entire value chain. So we have recommendations related to technology investments. We've been
doing that. We continue to make those recommendations, but we also have strong
recommendations on adopting best practices and ethical conduct for each industry and around
governance across business ecosystems. All right. Well, it's an interesting paper,
certainly a lot of ground covered there. Again, what's the title if folks want to hunt it down?
Securing the Digital Economy: Reinventing the Internet for Trust.
All right. Malek Ben Salem, thanks for joining us. Thank you, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
My guest today is Adam Isles. He's a principal at the Chertoff Group, where he helps clients
evaluate their security risk management programs. Adam Isles previously served as Deputy Chief of
Staff at the U.S. Department of Homeland Security. He joined us from the Chertoff Group's Washington,
D.C. offices to discuss management of supply chain risk.
You need to take a risk-based approach, right? Not every supplier
represents the same degree of risk, right? You know, if you're getting a training service, right,
that's a different level of risk than, you know, someone that's managing your payment systems.
Right. And so, you know, you apply risk-based approach and you apply resources to those areas
of, you know, greatest criticality, you know, and or risk.
I think we're certainly in a situation right now where we have a very disaggregated approach
and frankly, a very inefficient approach
where you've got lots of resources being applied
as against supply chain risk,
but in a very decentralized onesie-twosie way.
And that creates major issues both for efficiency and effectiveness.
From an efficiency point of view, put yourself in the shoes of a vendor
where you're selling essentially the same product, be it service, software, firmware,
or hardware to multiple buyers.
And it's like, oh my gosh, I've got to go through how many
vendor risk assessment processes, you know, none of which asks entirely the same questions,
none of which has the same, you know, audit process. There's a huge amount of inefficiency
involved in going through onesie twosie, you know, vendor risk assessment processes
that cries out for simplification, that cries out for
some level of global or industry sector-based consensus
around what does a good risk-based
assessment process look like? Were we to move over time
to a more standardized approach, at least across
industry verticals, then you've got, you know,
a real incentive on the part of vendors to say, look, if I meet this bar, if I make this investment
bar, you know, it's not only going to kind of check the compliance box, but it may actually,
you know, help me differentiate my offering, particularly vis-a-vis, you know, the competitors that can achieve whatever good looks
like. So I think that there's both a challenge and an opportunity in trying to provide a kind
of a more standardized process to understanding, addressing, and monitoring, you know, supply chain
risk across sectors. And are you seeing efforts in that direction?
Yes. And I think you kind of have to take it on a kind of a sector by sector approach.
I mean, the defense industrial base has dealt with this issue for really for decades.
Right. I mean, in other words, if you can't hack the Pentagon, hack the Pentagon suppliers and you'll achieve somewhat the same effect.
I mean, my career began at the Justice Department. I started at DOJ in the criminal division 21 years
ago. And when I did in the late 1990s, a book called The Cuckoo's Egg was required reading. And The Cuckoo's Egg tells the story basically of an East German intelligence plot
to compromise computers at Lawrence Berkeley National Lab
to steal strategic defense initiative, Star Wars-type secrets.
And so carry forward to today, right? If you look at US-CERT alerts, what we're seeing is that same basic approach proliferating across sectors. So now we're moving beyond the defense industrial base
to the electric utility subsector, the energy sector. And you have to look no further than,
you know, US-CERT alerts from spring of last year to talk about how Russia is essentially
leveraging, I think what are referred to as stepping stone, you know, attacks to, you know,
move from a vendor, you know, then into a, you know, an actual utility. And so I think the
opportunity, right, is at a sector to try to start to achieve some level of consensus on, you know, what does good look like?
You know, I mean, and so by way of example, in the financial services sector, right, you've seen
efforts to develop kind of model contracts, you know, that would speak to at least for the
acquisition of software, you know, what are the core, you know core terms and conditions you'd want to see in contracts?
And, you know, you're also seeing, I think, kind of additional class of third party risk management vendors that are coming onto the market, you know, that are offering kind of specialized tools that allow greater focus into things like actual effectiveness and continuous monitoring.
Those tools are being adopted to varying degrees from one sector to the other. I think where this comes together is in those places where sectors come together to address security risk.
Places like the FS-ISAC, the Electric Subsector Coordinating Council, EEI, and other sector organizations.
I think at a general level, really, it's kind of a three legs of the stool approach.
Whatever we're dealing with, you start by assessing risk.
That's the first leg of the stool. You don't apply the same level
of security to each part of supply chain, right? You focus resources on where you have the greatest
risk. The second leg of the stool is mitigation, right? That is, okay, having done a risk assessment,
what is that balance of preventive, detective, response and recovery oriented resources that most cost effectively
actually buy down risk. The third leg of the stool, I think, is one where people often fall
down. And that's what I refer to as risk monitoring. And by monitoring, I don't mean,
you know, do you have like a SOC that's constantly monitoring? I'm talking about
monitoring security systems and technology systems to ensure that they're operating as intended, which is to say, okay, I've put a defensive countermeasure in place.
Is it actually operating the way I think it is?
Because what we see over and over and over again, endpoint detection and response tool, intrusion detection system, DLP system that someone thought they had in place wasn't
actually operating as intended.
And Equifax is a great example of that.
Right.
Equifax actually had, you know, kind of, you know, outbound, you know, DLP inspection in
place.
It just wasn't working.
And in fact, when they figured out it was not working and, you know, they updated the
certificate that was required to make it work.
That's when they discovered that they may have been victimized by a breach.
That's Adam Isles from the Chertoff Group.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.