CyberWire Daily - Following up on security scrambles in Sweden and Ukraine. #LeakTheAnalyst. Blu Product phones booted by Amazon. BitCoin's hard fork. The Internet of Things Cybersecurity Improvement Act of 2017.
Episode Date: August 2, 2017. In today's podcast we follow up on some of the stories we've been tracking: the latest on Operation #LeakTheAnalyst, firmware spyware in down-market phones, Sweden's big breach, and Ukraine's new ...cyber friends. BrickerBot is back, offering Indian routers and modems unwelcome help. The US Senate considers IoT security legislation, and the US Justice Department issues a framework with guidelines for bug-hunting programs. Bitcoin's hard fork occurred yesterday. Robert M. Lee from Dragos, on ICS attack basics. David Murray from Corvil on security in the financial markets. And why people care about the HBO hack.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
We've got some midweek follow-up: the latest on Operation Leak the Analyst,
firmware spyware in down-market phones, Sweden's breach, and Ukraine's new cyber friends.
Brickerbot is back, offering Indian routers and modems unwelcome help.
The U.S. Senate considers IoT security legislation, and the U.S. Justice Department issues a framework
with guidelines for bug-hunting programs.
Bitcoin's hard fork occurred yesterday.
And why do people care about the HBO hack?
It's not just because winter is coming.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, August 2, 2017.
Today we follow up on some stories that have been developing over the past few days.
FireEye confirms again that its own systems weren't penetrated by hacker group 31337 in Operation Leak the Analyst,
but the company has disclosed that information about two customers
was exposed in the successful hack of a Mandiant analyst's own accounts.
The company is working with the affected customers.
Amazon is stopping sales of low-cost Android phones produced by Blu Products, citing researchers' discovery of spyware in the phones' firmware.
Observers worry that the HBO hack involving Game of Thrones, among other properties, will prove a bellwether, a cheap way for a hacking group to gain publicity.
Another note on pirated shows. They're usually obtained from BitTorrent, which in recent months has become, as ESET points out, a notoriously malware-laden way of getting content.
Resist the urge to go there just to find out early what's happening in Game of Thrones.
We can assure you of one thing. Winter is coming. Sweden's government continues to scramble to lock
down sensitive data in the wake of a long-standing and botched outsourcing of transport ministry information.
Two members of the government have been forced out,
they held the interior and infrastructure portfolios, and more may follow.
The investigation of the incident has now spread to six state agencies,
and remediation is not expected to be complete until sometime next month.
Several members of the cabinet are also said to have been aware of the problem,
but kept the prime minister in the dark for 18 months.
Expert opinion tends to see the episode as indicating government officials' gross naivete
with respect to information security.
Ukraine, facing continued Russian pressure in cyberspace and a guttering hybrid war on the ground,
is also beefing up its defenses, probably with a significant degree of Western help,
and help from countries in the near abroad, especially Moldova,
in which Ukraine has developed a close and valued cyber-intelligence-sharing relationship.
From the West, help is arriving mostly from the UK and the US,
with forensic and cyber law enforcement expertise
among the first support to arrive. Russia isn't pleased with such cozying up to its adversaries,
and relations with the US in particular have become frosty. US Secretary of State Tillerson
recently warned Moscow that US-Russian relations could get worse, and they just did.
There's that famous quote attributed to bank robber Willie Sutton.
When asked, why do you rob banks?
He replied, that's where the money is.
And these days, the same could be said for financial institutions and cyber attacks.
David Murray is chief business development officer at Corvil,
providers of streaming real-time analytics,
and he provides us with some insights on the challenges facing financial institutions.
First of all, you have criminal activity.
That's a big driver of ransomware.
Data is important.
There's a tremendous amount of financial data held by financial organizations
and therefore about individuals.
And so if you're able to access that information,
it provides attackers a treasure trove of information that they can use for other attacks. You'll see that, you know, obviously wherever there are banks and money, there's that they may be able to embarrass a bank
or look at huge disparities in pay between senior executives and employees at banks and whatnot.
You have, in some cases, espionage as a risk to banks,
both in terms of key deals that the bank may be working on.
So for merger and acquisition or investment banking activity, that would be extremely valuable, as well as just understanding key accounts and key targets.
And then you've got nation state attackers.
So banks are very much a critical infrastructure of any nation.
And so if you're able to disrupt the banks, then you're able to ultimately trigger a result, an outcome that may be deemed successful.
And as you say, we certainly hear about the high-profile stories.
We hear when millions of dollars get stolen and so forth.
But I guess, as with many things, we don't hear the stories about the successful defense, about the theft that is thwarted.
Can you give us some perspective on that?
How do the financial services do overall? I think they're among the most sophisticated
security teams in the industry. I mean, they have to be because they are such a target. And so
your point is a good one. There are countless, countless critical saves that are accomplished
by financial services security teams.
You know, it's not unusual for it to be very cyclical with security, while there is a constant
stream of attacks and threats across, whether it's through credit card fraud or market disruption
drivers or someone stealing credentials to log into a brokerage account.
And then there is just the constant bombardment of attacks against overall financial services infrastructure.
The financial services community has done a pretty good job in the past of being able to pool as a community
and at least share information about common attacks that are hitting them at a
given period of time. The access and the cost of launching a successful cyber attack is only
dropping over time, and that's certainly driving an increase in supply. The same technologies that
allow cybersecurity professionals to look at and manage more data and be able to try to identify anomalies
are the same technologies that are being used, the same core technology capability that bad
actors are using to attack. And they have a surface which is far more variable, which is
social engineering and working through individuals. So that will continue, and they'll continue to use machine learning
to test different models and approaches for compromise.
That's David Murray from Corvil.
BrickerBot is back, its author claiming responsibility
for an attack on modems and routers in India.
BrickerBot sees itself as a positive vigilante operation,
hitting poorly secured
Internet of Things devices and, as its name implies, bricking them, rendering them inoperable
before they can be roped into larger, dangerous botnets. BrickerBot's victims have not generally
welcomed its ministrations, so it's difficult to count BrickerBot among the good guys,
whatever its intentions may be. A better approach to IoT
security may be embodied in a bipartisan bill introduced this week in the U.S. Senate.
The Internet of Things Cybersecurity Improvement Act of 2017 seeks to incentivize good security
by requiring vendors to meet certain baseline IoT security standards before they can sell to
the U.S. government. The principal sponsors are Senators
Mark Warner of Virginia and Cory Gardner of Colorado, the co-chairs of the Senate Cybersecurity
Caucus, joined by Senators Ron Wyden of Oregon and Steve Daines of Montana. The legislation's
core provisions would require vendors to ensure their devices can be patched, that they use
industry standard protocols, and that they contain neither hard-coded passwords nor known vulnerabilities.
The bill's provisions include protections for legitimate security researchers,
something other legislation is often thought to have overlooked.
Supporters see it as an improvement over what Senator Wyden calls
the overly broad legislation currently in effect,
notably the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.
Under the new legislation, white hats would be specifically protected from prosecution under those two laws.
Concern about exposure to prosecution also motivated the U.S. Department of Justice
to issue a framework with guidelines for setting up vulnerability disclosure programs, including bug
bounties. The goal, Justice says, is to substantially reduce, quote, the likelihood that such described
activities, that is vulnerability research and responsible disclosure, will result in a civil
or criminal violation of law under the Computer Fraud and Abuse Act, end quote. Bitcoin's hard fork occurred yesterday, as expected, splitting into
Bitcoin and Bitcoin Cash. If the latter smaller currency is successful, observers see positive
competition. They also see jockeying for the legacy of legendary Bitcoin creator Satoshi
Nakamoto, wherever Nakamoto-san may be. Satoshi, give us a call.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Robert, we were talking, of course, with you about ICS attacks, and I thought we'd address some basics here.
How do ICS attacks happen, particularly here in the United States?
Yeah, great question.
So when the industry, and sort of we're all called sort of the larger IT security industry, has historically evaluated intrusions,
one of the models that a lot of people use is the cyber kill chain
and this idea of stepping through the steps an adversary can take.
And it's not really about predicting every possible step they're going to do.
It's really about clumping things together in a structured schema,
data into buckets that people can analyze and draw knowledge from.
And in IT, a lot of what we hear as called cyber attacks are really just intrusions or
espionage or theft, right?
I break into a bank and I steal a lot of credit cards.
Well, it's not really an attack.
You didn't lose availability of your systems and you didn't have destruction take place.
But obviously, it's very personal.
And so companies call it attacks.
In industrial control systems, though, the type of systems that run our power grids
and water facilities and oil and gas companies,
there's nuance there about what an attack actually means.
And to be an attack in an ICS, it really needs to manipulate or disrupt
or potentially destroy the industrial process or its equipment.
We've seen Stuxnet in 2010 physically destroy centrifuges.
We saw in 2015 and in 2016 a cyber attack disrupt the electric grid in Ukraine.
So there's nuance in what that means.
And when we look at how it happens in industrial environments,
we usually refer to the ICS cyber kill chain. And it goes to show that the IT kill chain that most use is just the first stage of an attack. The second stage is where the adversaries have
to develop specific knowledge or tradecraft or capabilities like malware, test it out,
re-deliver it into the industrial environment, and actually execute that specific attack.
One piece of malware developed for a petrochemical process is not really going to be able to disrupt in a high-confidence way a nuclear enrichment process. We have very, very specific environments.
So I would say that what we generally see in the media and what
we generally hear about is that first stage. And the question is always in our mind of,
is it going to go to that second stage? Are the adversaries gathering the type of data in stage
one that they would actually move to stage two? So to give you two examples, in the United States,
we heard a while ago about the breaches into the energy sector,
and we heard about spear phishing emails being delivered to a nuclear site as well as a couple of power companies, about 14 in total.
That is very interesting, but it's not an attack, and it didn't need all the alarmism that we saw.
Nobody was at risk.
No industrial control systems were compromised. It was the business networks, the IT networks, of those facilities.
The question is, what were they stealing?
If it was normal
espionage inside those business networks, there's no indication they could go to a stage two.
But on the converse, we see discussions in the UK and Ireland about maybe a similar,
if not the same group, targeting energy sites there, but also targeting engineering firms,
these third-party data source holders, where they have the physical layouts of the industrial environment, the engineering documentation, integration documents,
and stealing those off. That's the type of stage one activity that gives us pause,
because that's the type of stage one espionage that you would need to facilitate a stage two.
Not saying that it is going to happen. That's what we look for when we're looking for that
nuance of when do we really care about a stage one impact? And when do we think that a stage two is even possible? And that
nuance is hard to capture sometimes, but that is at a high level, a simple breakdown of really how
ICS cyber attacks occur. All right, Robert M. Lee, thanks for joining us.
Thank you.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.