CyberWire Daily - Hacking in the Gulf region. Vulnerability research into airliner avionics. Phishing and ransomware move to the cloud. EU data responsibilities. US bans five Chinese companies.
Episode Date: August 8, 2019

Tensions in the Gulf are accompanied by an increase in cyber optempo. A warning about vulnerable airliner avionics. Phishing is moving to the cloud, and so is ransomware. Android's August patches address important Wi-Fi issues. An EU court decision clarifies data responsibilities. The US bans contractors from dealing with five Chinese companies. Bogus Equifax settlement sites are established for fraud. Our guests are both offering insights and observations from this year's Black Hat conference. Matt Aldridge is from Webroot and Bob Huber is CSO at Tenable.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Tensions in the Gulf are accompanied by an increase in cyber op tempo,
a warning about vulnerable airliner avionics,
phishing is moving to the cloud, and so is ransomware.
Android's August patches address important Wi-Fi issues,
an EU court decision clarifies data responsibilities,
the U.S. bans contractors from dealing with five Chinese companies,
and be on the lookout for bogus Equifax settlement sites.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 8th, 2019.
According to the Wall Street Journal,
Bahrain has sustained incursions into the networks of its national security agency,
whose mission is criminal investigation, the Ministry of Interior, the
First Deputy Prime Minister's Office, the Electricity and Water Authority, and manufacturer
Aluminum Bahrain.
Bahrain believes the activity was the work of regional rival Iran, and that the activity
directed against the Electricity and Water Authority amounted to staging and rehearsal
for an attack on critical infrastructure.
The U.S. Maritime Administration has issued a formal warning of Iranian cyber operations against shipping in the region.
It singles out GPS interference in particular as a likely form of attack.
As Boeing continues to debug the troubled 737 MAX avionics,
code for the company's 787 appears to have been exposed on an unprotected server,
Wired reports. Ruben Santamarta, the security researcher with IOActive who found the exposed
code, says that the software is vulnerable to attackers who could pivot from the aircraft's
in-flight entertainment system to safety-critical avionics, including flight controls and sensors.
Attackers could, Santamarta maintains, exploit memory corruption vulnerabilities in the non-critical
systems to establish themselves in the aircraft, and then move from there to critical avionics.
Boeing denies that this is a possibility and rejects Santamarta's claim that he's found
a path that could make it so.
The company maintains that security barriers effectively
segment the 787's onboard networks in ways that make such an attack impossible. Santamarta and
others who've reviewed the vulnerabilities he says he's found agree that they don't represent
an immediate material threat to flight safety, but they argue that their presence suggests a
troubling laxity in software security engineering.
Santamarta is presenting his work at Black Hat this week.
One of the challenges of attending a major industry trade show
is optimizing the limited amount of time available for meetings,
keynotes, presentations, and social events.
Experienced attendees have their own strategies for making the most of their time at events like Black Hat.
Robert Huber is chief security officer at Tenable, and he took a few minutes away from the show floor to share his insights.
Of course, you're going to expect to see the normal parade of solution providers on the floor and sponsorship and discussions,
but there's a lot of conversation that takes place outside of the venue itself,
which are usually related to either nascent problems or up-and-coming solution providers that are addressing problems that either for one reason or another just haven't matured yet or gotten traction.
And those are the areas of my own particular interest because they're probably addressing issues that I have at the fore, whether that was driven by the Wall Street Journal effect, if you will, or just moving into newer technology areas and issues that don't have defined solutions readily available.
And, you know, I'll say, you know, interestingly enough, some of the areas that are getting
attention and those things that kind of sit on the periphery that have been out there
for a while, which is just overall risk management, right?
And what I mean by that is there's a lot of solutions out there that will portend to try and measure and assess your program.
Nobody's done it really well at the risk level.
And when I say risk, I'm usually talking about cyber risk, but also the risk management level, enterprise risk management.
So you're starting to see a lot of solution providers who are new to the market, new entrants to the marketplace, and not wide adoption yet.
So a lot of them are in beta releases or have a few GA customers where they're trying to take
what I would generally say are a lot of those subjective components of a security program
where you may answer a question. So whether that's some type of framework questionnaire
or something related to maybe the insurance industry and try to give an
assessment of your program, which in and of itself, that's fairly simplistic. I mean, you can do that
with a spreadsheet, right? But to be able to do that and then track that over time and tie it to
your resources you apply against the problem and track progress and learn and gain insight from
that and tie that to business context and risk, those are the conversations I'm interested in.
And those are some of the solution providers I'm speaking with that are, again, like I said, new entrants to the market.
Most folks wouldn't recognize the names, but when I have a conversation at the board level, that's what I'm trying to relate to the board.
And quite honestly, most folks on my side are using spreadsheets and PowerPoints to relate that information.
And I think there's an opportunity there for solutions in that space in particular to try to start not only collating the answers to all those, you know, a lot of subjective questions to represent the risk to the enterprise.
But then there's those conversations of, okay, how do we tie that back to real quantifiable metrics and telemetry?
And then that's my interest, right?
Because most security practitioners operate in the realm of day-to-day operational metrics.
And we have understanding of what that means.
But at the higher level, the conversation, the executive level or to the board, it's
really hard to relate those two.
So I think there's still a gap between what I'll call is the, you know, the endpoint solutions.
The things that are providing real protection, detection, telemetry types of information, that conversation and the board level conversation.
I imagine for you when you're walking around a show like Black Hat and people glance at your name badge and they see the position and that you're with a company as well known as Tenable, probably their eyes widen and they smell blood in the water and they think, ah, here's someone I want to talk to to sell my wares
or hit up for a job or something like that. From your perspective, what's the best way to
communicate a message to someone like you? What's the best way for someone to respect your time
in a trade show situation like this?
You know, that's a great question. And I get that internally as, you know, Tenable is a solution provider. And, you know, we're always trying to figure out ways to approach the market space.
You know, for myself in particular, I will say regarding resources, looking for talent,
I'm always open to that conversation. So if somebody wants to have that conversation,
I'm all ears, you know, whether it's for just Tenable or, you know, to help other folks out,
right? We're all in this together. When I'm walking the floor, though,
if I will engage directly with the providers I'm interested in to solve a problem I'm trying to
address, right? So, it's very apparent when I walk in, very rarely do I walk in and just say,
tell me what you do. I'm there for a specific reason. I really only have limited time when
I'm on the showroom floor. So, I'll go down there. In fact, I have a list of probably seven or eight vendors.
And I'm going to make a specific point to go visit with them, see the tech in person, understand what the problems are trying to solve.
And, of course, I'll have follow-up conversations, you know, after that.
But when I'm down there, you know, I hate to say this.
I'm all business.
I mean, I head to the areas I know I want to be.
And then everything else I just shut out.
Yeah, you've done your homework.
I have, absolutely. I mean, that's part of my job.
Certainly, you know, as I have team members that are here, they do the same thing,
but I will put the message out to my larger team to say,
who should I be talking to, what questions do I need to be asking,
and that's to help us solve problems we're trying to address within Tenable.
So I make that my business to do that.
Bob Huber is chief security officer at Tenable.
Researchers at Proofpoint this morning released a report on a phishing campaign that hosts its
landing pages in the cloud. They observed the campaign late last month, and they say it's
continuing. It spoofs the branding and email transaction format of DocuSign, and the landing
pages it directs its victims to are hosted in the Amazon public cloud.
As Proofpoint notes, this remains a relatively uncommon practice. Using enterprise-grade
services like AWS is snazzier than the more familiar tactic of employing consumer services
like Dropbox or Google Drive. Proofpoint thinks Amazon has been commendably vigilant in trying
to take down such abuses
of its services, but the security firm warns that you should be alert to the possibility
that the DocuSign transactions you're seeing may not be what they appear.
A report on ransomware by security firm Vectra also concludes that extortionists are devoting
more attention to files stored in the cloud. As Vectra puts it, encrypting files that are widely available on the network is faster and more efficient than encrypting files on every single host device.
Their research also suggests that ransomware gangs are increasingly looking for organizations with deep pockets and valuable data,
on the familiar grounds that that's where the money is.
Of course, smaller, unprotected enterprises will continue to receive their share of opportunistic attention from petty skids.
Franklin Parish in Louisiana is working to defend itself from just such a crime this week.
This represents a continuation of the criminal activity that led the governor of Louisiana to declare a state of emergency last week.
Android's August patches are out.
Among the fixes are patches for two vulnerabilities Tencent's Blade team called QualPwn, CVE-2019-10539 and CVE-2019-10540. Both are Wi-Fi issues that are potentially serious because they might be
exploited without user action.
The European Union's Court of Justice has rendered a decision on joint controllership of data.
The case, Fashion ID, involved responsibility for collection, storage, and analysis of data collected by websites that might embed, say, a Facebook Like button on a page.
In brief, the law firm Cooley says in a summary of the judgment,
websites containing embedded third-party content can be joint controllers of data collected and
transmitted by such code, but they're not responsible for any subsequent processing
of that data by the third party. The decision was rendered under the EU's older Data Protection
Directive, but it will also apply to the concept of joint controller
under the General Data Protection Regulation. Cooley notes that the joint controllership is
a broad concept that arguably applies to such things as the use of cookies, and the law firm
expects the decision to have significant implications for the ad tech industry.
And as the GDPR has taught the world, Europe isn't like Vegas: what happens in Europe doesn't stay in Europe.
The U.S. General Services Administration, Department of Defense, and NASA
have issued an interim rule that restricts contractors from purchasing from five Chinese firms:
Huawei, ZTE, Hikvision, Hytera, and Dahua.
It's entitled Prohibition on Contracting for Certain
Telecommunications and Video Surveillance Services or Equipment. The ban goes into effect on August
13. The comment period is open for 60 days from the time the rule is posted to the Federal Register.
The prohibition addresses concerns that Chinese equipment represents a security risk.
Huawei has a court challenge pending to the National Defense Authorization Act
that provides authority for the ban.
The company argues that the NDAA
represents an unconstitutional bill of attainder.
Separately, three Republican senators
have asked Google to explain
why it had cooperated with Huawei
to develop smart speakers for home use.
And finally, don't be gulled by a bogus Equifax
settlement site. The U.S. Federal Trade Commission does maintain a legitimate site where you can
submit your claim, but the FTC also warns that there are some crooked fake sites out there.
How can you recognize a phony Equifax settlement come-on? Well, for one thing, the FTC won't charge you to submit a claim.
So if you must get something from Equifax to make you whole again,
insist on the genuine FTC-approved article. 125 bucks aren't worth getting pwned over.
And continuing our coverage of the Black Hat Conference,
joining us from the show floor is Matt Aldridge.
He's a senior solutions architect at Webroot.
Matt, what are you seeing there?
What is the overall mood there down on the floor?
So it's been a relatively positive mood.
I wouldn't say significantly different to previous years.
You know, every year you kind of sense increasing maturity in the industry as a whole, particularly as people are harnessing technologies in more sophisticated ways. They're getting to grips with the realities of some of the threats and things like that.
There's definitely increasing evolution, shall we say, in how people are dealing with threats, pushing towards more automation and things like that.
In terms of the messages that you're seeing out there from the vendors on the floor,
is there an overarching theme this year?
I wouldn't say there's one overarching theme. There's so many different
solutions providers telling so many different stories. But like I said, automation and taking more work away from analysts because
there's just not enough people to go around is a big theme. Getting more sophisticated with the
use of tools and technologies such as machine learning, getting cleaner inputs into machine
learning models. So taking, you know,
putting more steps in the chain to clean the noise out and getting more
value out of those systems, you know, to make the whole process more
efficient. Getting back to basics is a big thing. It's easy to look at all the
latest toys and the new techniques and forget to keep on top of the traditional things, you know, passwords, training staff, sending out phishing campaigns
to help people learn from their mistakes in a controlled way rather than waiting until
they're actually hit by real attacks.
From our own threat report, we've seen that there's a 70% drop in people clicking on malicious
phishing links after just 12 months of an awareness training program.
So these things do make a real difference.
And the people are the first link in the chain for protecting against any kind of new attacks.
What is your own personal strategy when you're faced with a trade show like this
and you've got information that you want to gather for yourself? How do you go about doing that?
So for me it's difficult. Time management is difficult at something like this. Um, you know, I have a lot of responsibilities with the company
I represent, so I have to spend time on our booth and, you know, demonstrating solutions, explaining
the services that we have. When I get time
out, I'm often in meetings. So it's just having everyone here in one place is
fantastic, to actually physically get together, spend time, talk through things.
That's really, for me, the key value: actually getting that face time with
people in the flesh and, you know, getting the real kind of honest story of the challenges people are facing and starting to work on how we can help with that.
Well, Matt Aldridge, I hope the rest of the show goes well for you and safe travels as you head back home.
Awesome. Thanks, Dave. Great to speak to you again and keep well.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Thanks for listening. We'll see you back here tomorrow.