CyberWire Daily - Hacking the Czech Foreign Ministry. Microsoft patches new wormable bugs. More controversial human review of AI. Insecure links, exposed databases, and a California vanity plate.
Episode Date: August 14, 2019

The Czech Senate wants action on what it describes as a foreign state's cyberattack on the country's Foreign Ministry. Microsoft warns against the wormable DejaBlue set of vulnerabilities. More humans found training AI. Insecure airline check-in links. Exposed databases involve BioStar 2 and Choice Hotels; the latter was held at a third-party vendor. And the LAPD doesn't find a vanity license plate with the letters N-U-L-L particularly funny. David Dufour from Webroot with thoughts on cyber security insurance policies. Guest is Elisa Costante from Forescout on building automation vulnerabilities.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Czech Senate wants action on what it describes as a foreign state cyber attack on the country's foreign ministry. Microsoft warns against the wormable DejaBlue set of vulnerabilities. More humans found training AI. Insecure airline check-in links. Exposed databases involve BioStar 2 and Choice Hotels; the latter was held at a third-party vendor. And the LAPD doesn't find a vanity license plate with the letters N-U-L-L particularly funny.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 14th, 2019.

Citing intelligence from the Republic's National Cyber and Information Security Agency, the Czech Senate has concluded that a foreign state power was responsible for recent attacks on the foreign ministry. The Senate doesn't name the foreign state, but Reuters says that Czech news outlets are calling the attacks a Russian operation. Deník N reported that the incident took place in June. There's been no comment from Czech officials so far. The Czech counterintelligence service, BIS, in its last annual report did assert that Russian intelligence operators had conducted cyber espionage campaigns against the foreign ministry.
We have no wish to keep crying wolf, or more precisely worm, because the large-scale worm infestation expected from BlueKeep has yet to appear. On the other hand, that risk is hardly over, and yesterday Microsoft released patches for a similar family of vulnerabilities, being called DejaBlue, affecting the Remote Desktop Protocol. BlueKeep was a risk to unpatched Windows 7 instances and to any earlier versions of Windows out there, but DejaBlue affects Windows 7 and more recent versions, up through the most current ones. Redmond warns that there are seven new vulnerabilities in that new family. Two of those are regarded as particularly serious in that they could be wormable, exploited to deploy a worm that could propagate from one infected system to others. Microsoft advises patching immediately. Simon Pope, director of incident response at the Microsoft Security Response Center, blogged yesterday, quote, "It is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide."
Facebook has been paying contractors to review user interactions with its products, Bloomberg reports. The social network is the latest to receive scrutiny over the practice. Google, Apple, Amazon, and Microsoft have all been found doing this, most commonly in human-AI interactions with such digital assistants as Siri, Alexa, and Cortana. Facebook had offered users of its Messenger the option of having their voice chats transcribed. It hadn't made it clear, however, that human operators would check the quality of the automated transcription. The social network says it stopped this practice about two weeks ago after seeing the reputational hot water in which similar reviews landed Amazon and Apple. In fairness to Facebook and the other companies who have had humans review user interactions with AI, none of them appear to have done so with any nefarious intent. They do seem to have been working to improve the user experience. If anything, the incidents serve as a reminder that artificial intelligence, for all its power and commercial promise, remains an immature technology deeply dependent upon human trainers.
Wandera reported yesterday that British Airways has been sending insecure, unencrypted check-in links to passengers. The links include passenger details, last name and confirmation number, to make it easier for passengers to log in to the British Airways site. Unfortunately, that information also makes it possible for hackers to do the same and to move on to acquire other personal information connected with booking a flight, including email addresses, telephone numbers, British Airways loyalty program membership numbers, flight times, and seat numbers. Neither pay card data nor passport numbers appear to be exposed. British Airways, which the UK's Information Commissioner's Office last month hit with a proposed $221 million fine, says it's working to fix the problem.
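The check-in links Wandera describes put the two things needed to log in, surname and booking reference, into a plain-http URL. As an added example that is not part of this episode or of any airline's code, here is that pattern in Python next to a hardened alternative: an https link carrying only an opaque, expiring random token that the server maps back to the booking. The hostname, parameter names, sample passenger and token store are assumptions for the illustration.

```python
"""Check-in links: the leaky pattern beside an opaque, expiring alternative."""
from __future__ import annotations

import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (not a real booking): a passenger surname and
# a booking reference of the kind an airline puts in a check-in e-mail.
SAMPLE_LAST_NAME = "Smith"
SAMPLE_PNR = "ABC123"

# Query-string keys that, combined with an unencrypted transport, let anyone
# who sees the URL (proxy logs, a hotel Wi-Fi operator, a forwarded e-mail)
# log in as the passenger. The key names are assumptions for the example.
SENSITIVE_KEYS = {"lastname", "surname", "pnr", "bookingref", "confirmation"}


def insecure_checkin_link(last_name: str, pnr: str) -> str:
    """The pattern Wandera describes: plain http and the login secrets in clear."""
    query = urlencode({"lastname": last_name, "pnr": pnr})
    return f"http://checkin.example.com/?{query}"


def link_leaks_credentials(url: str) -> bool:
    """True if the link is unencrypted or carries booking identifiers in the query."""
    parts = urlparse(url)
    keys = {k.lower() for k in parse_qs(parts.query)}
    return parts.scheme != "https" or bool(keys & SENSITIVE_KEYS)


# Hypothetical server-side store: sha256(token) -> (pnr, expiry as epoch seconds).
# Storing only the hash means a leaked copy of the store yields no usable links.
TOKEN_STORE: dict[str, tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_checkin_link(pnr: str, ttl_seconds: int = 3600, now: float | None = None) -> str:
    """Hardened form: https, and an opaque random token instead of name + PNR.
    The token is single-purpose, expires, and reveals nothing about the booking."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_digest(token)] = (pnr, now + ttl_seconds)
    return "https://checkin.example.com/?" + urlencode({"t": token})


def resolve_checkin_link(url: str, now: float | None = None) -> str | None:
    """Server side: map a presented link back to its booking, or None if the
    transport is wrong, the token is unknown, or it has expired."""
    now = time.time() if now is None else now
    parts = urlparse(url)
    if parts.scheme != "https":
        return None
    token = parse_qs(parts.query).get("t", [""])[0]
    entry = TOKEN_STORE.get(_digest(token))
    if entry is None:
        return None
    pnr, expiry = entry
    if now > expiry:
        TOKEN_STORE.pop(_digest(token), None)  # expired tokens are never reused
        return None
    return pnr


if __name__ == "__main__":
    leaky = insecure_checkin_link(SAMPLE_LAST_NAME, SAMPLE_PNR)
    safe = issue_checkin_link(SAMPLE_PNR)
    print("leaky link flagged:", link_leaks_credentials(leaky))
    print("safe link flagged:", link_leaks_credentials(safe))
    print("safe link resolves to:", resolve_checkin_link(safe))
```

The point of the token design is that a captured link is worth only one check-in for a limited time, and it does not hand an attacker the surname and booking reference that also unlock the rest of the booking on the airline's site.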
These days, the buildings in which we live and work likely contain a variety of security and automation systems to control everything from who gets in to the temperature inside the building. As you might expect, those systems come with their own security concerns. Elisa Costante is head of OT Innovation Technology at Forescout.
Most of the buildings we live in or work in are actually controlled by legacy building automation systems. And with legacy, we mean systems that have been there for quite a while because they represent a lot of investment for the facility owners or the facility managers. So we are speaking of quite old-fashioned technology, I would say. The new usage that we make of these systems was not in the mind of the designers. So, for instance, we rely on systems that use protocols that are unauthenticated and unencrypted, which means that if you basically manage to get a hand on these building automation networks, because those systems need to communicate with each other, you actually can get access to a lot of information. And plus, it's not only information, but actually, if you manage to enter this network and send the right command, you can ask the building automation system to behave the way you want in a very easy way.
Now, are these systems generally segregated from each other, or is there a sort of a central control system for multiple systems?

Most of the cases that we have seen, there is no segregation. What that means is that basically your surveillance system is on the same network where your heating system is and on the same network where your access control is. In our research, we actually showed with proof-of-concept malware how you can exploit the vulnerabilities in the weakest of your systems in order to get access to all of your most critical systems.

Well, walk us through what was the proof-of-concept malware that you developed?
So what we created is a building automation network that is composed of three subsystems: a surveillance system, a management system, and an access control system. And we put them on the same network. So we applied no segmentation, which is something that we have seen to be quite realistic. And what we did is, okay, let's look at how vulnerable these systems that are in our lab are. So we spent some time identifying and finding vulnerabilities. We found some zero days, but also, for some of the devices we have in our lab, during the time that we were doing our experiments, another company came out with some zero days for one of the IP cameras that we had in our lab. So we decided to recycle and reuse those zero days to create exploits for them. What we eventually managed to do was a completely automated malware that was managing to enter into the network from an IP camera. From the IP camera, it was moving to a Windows machine that was vulnerable to some default credentials. And from that Windows machine, it eventually arrived at the most critical device that we had in our lab, which is a controller that was controlling the access control system. So it was the controller in charge of defining and deciding who would get access to critical areas. Now, these critical areas in our case was our lab, but imagine if the critical area was a hospital or a data center. And what the malware managed to do once it arrived on this controller, it basically was having access, because we leveraged the vulnerabilities, quite critical vulnerabilities on the device, to get access to basically the full device and delete the users. So no one has access to the area. Imagine if you block access to people in an emergency room or in an operating room in a hospital.

So what are your recommendations for organizations to better protect themselves?

First of all is awareness. Awareness about the fact that when we speak about cybercrimes and cyberattacks nowadays, we are not speaking only about data, but we are more and more often speaking about cyber-physical attacks. So attacks can actually have an effect in our lives, in our daily lives, and all the things that are surrounding us. And after, what you need to have is device visibility first, because there is nothing you can do unless you know what your network is composed of, how it looks, what the devices are, are they vulnerable? Do I have devices that are on the same network and they shouldn't be on the same network because one of them is extremely vulnerable and the other one is extremely critical? So once you have this visibility, what you can do is actually create a strategy that, if you have risks, reduces your highest risk. And this strategy might include continuous monitoring, so, for instance, being alerted every time something strange, anomalous, or suspicious happens on your network, and eventually move to a full, ideally, segmentation of your network, where you are sure that only the devices that are supposed to speak with each other for a clear reason do so.
That's Elisa Costante from Forescout.
vpnMentor has found the biometric data of some one million people exposed online in an unprotected database. The data were held by BioStar 2, a web-based smart lock platform that controls access using fingerprints and facial recognition. The information exposed includes employee personal information and unencrypted usernames and passwords. The exposure was discovered on August 5th, disclosed on August 7th, and resolved on August 13th.

That's not the only exposed database disclosed this week. Comparitech says it collaborated with researcher Bob Diachenko to find an exposed MongoDB instance belonging to Choice Hotels. They disclosed their finding to the hospitality chain, but unfortunately criminals got there first and left Choice Hotels a ransom note for 0.4 Bitcoin, which at current exchange rates comes to about $3,800. The database held guest information, including names, email addresses, and phone numbers. Most of the data amounted to test data and didn't refer to actual customers, but some 700,000 of the records did. Choice Hotels says the data were hosted on a vendor's server and that Choice Hotels' own system had not been exposed. The data were exposed for four days. Choice Hotels told Comparitech, quote, "We have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a responsible disclosure program, and we welcome Mr. Diachenko's assistance in helping us identify any gaps."
And finally, the Los Angeles Police Department is in its full humorless Joe Friday mode. A gentleman who presented at DEF CON last week, who goes by the hacker name Droogie, decided he would get himself a vanity license plate for his ride, but nothing so obvious as boo-boo or third Emmy or powerhouse or litigate, all of which have been seen on the 405 out and about in the City of Angels. Droogie liked and purchased NULL, both as a good joke and a gesture of invisibility in the direction of the Golden State's famously Big Brotherish Department of Motor Vehicles. Anyhoo, it turns out that the software used to administer parking tickets sent him all the tickets for which it didn't have the actual license plate, that is, for which the value was null. It came to more than $12,000. The LAPD fixed about half of the tickets so far, but, just the facts, sir, tickets continue to show up. The DMV and the LAPD both advise him to change his license plate, but Droogie is hanging tough, and the software vendor behind the systems isn't budging either. We're sure there's a serious lesson here about the automation of police operations and so forth, but hey, Officer Bill Gannon, where are you? From the basin to the valley, from the desert to the sea, they need your good humor. But somewhere, Jack Webb is smiling.
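The episode doesn't say how the ticketing software came to match citations with no plate on record against the text NULL. As an added example, not from the episode or from any real ticketing system, the following Python reconstructs one plausible mechanism, offered as an assumption: an importer that writes a missing plate as the string 'NULL' instead of SQL NULL, so a lookup for the vanity plate returns every citation whose plate was never captured. The table layout and the sample citations are constructed for the illustration.

```python
"""Why a plate reading NULL can collect everyone else's tickets (added example)."""
import sqlite3
from typing import Callable, List, Optional

# Constructed sample citations: three with no plate captured, one for the car
# whose plate really is the text NULL, one ordinary plate. Amounts are made up.
SAMPLE_TICKETS = [
    ("T-1", None, 63.0),
    ("T-2", None, 73.0),
    ("T-3", None, 68.0),
    ("T-4", "NULL", 45.0),
    ("T-5", "7ABC123", 58.0),
]


def _load(conn: sqlite3.Connection,
          encode_plate: Callable[[Optional[str]], Optional[str]]) -> None:
    """Create the citations table and insert the sample rows through an
    importer-supplied encoding of the plate field."""
    conn.execute("CREATE TABLE tickets (id TEXT PRIMARY KEY, plate TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(tid, encode_plate(plate), amount) for tid, plate, amount in SAMPLE_TICKETS],
    )


def buggy_import() -> sqlite3.Connection:
    """Hypothetical failure mode: a missing plate is written as the four-character
    string 'NULL' (a str(None)-style sentinel) rather than a real SQL NULL."""
    conn = sqlite3.connect(":memory:")
    _load(conn, lambda plate: "NULL" if plate is None else plate)
    return conn


def fixed_import() -> sqlite3.Connection:
    """Missing plates stay SQL NULL, which compares equal to nothing,
    not even the literal string 'NULL'."""
    conn = sqlite3.connect(":memory:")
    _load(conn, lambda plate: plate)
    return conn


def tickets_for_plate(conn: sqlite3.Connection, plate: str) -> List[str]:
    """What a notice-generation job does: pull every citation matching a plate."""
    rows = conn.execute("SELECT id FROM tickets WHERE plate = ? ORDER BY id", (plate,))
    return [row[0] for row in rows]


def amount_owed(conn: sqlite3.Connection, plate: str) -> float:
    """Total that would be billed to the registered owner of this plate."""
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM tickets WHERE plate = ?", (plate,)
    ).fetchone()
    return total


def unmatched_tickets(conn: sqlite3.Connection) -> List[str]:
    """Citations that should never be billed to anyone: plate unknown."""
    rows = conn.execute("SELECT id FROM tickets WHERE plate IS NULL ORDER BY id")
    return [row[0] for row in rows]


if __name__ == "__main__":
    buggy = buggy_import()
    print("buggy import bills NULL for:", tickets_for_plate(buggy, "NULL"),
          "total", amount_owed(buggy, "NULL"))
    fixed = fixed_import()
    print("fixed import bills NULL for:", tickets_for_plate(fixed, "NULL"),
          "total", amount_owed(fixed, "NULL"))
    print("fixed import leaves unmatched:", unmatched_tickets(fixed))
```

With the sentinel importer, the owner of the NULL plate is billed for every citation that has no plate at all; with missing values kept as SQL NULL, the equality lookup returns only the citations genuinely issued to that plate, and the unmatched ones surface through IS NULL instead of landing on whoever happens to hold that text as a plate.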
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. I wanted to touch base with you today on cybersecurity insurance and get some of your insights on that.

Great to be back, David. And this is a topic that I'm super interested in. It's kind of interesting because, you know, I'm an engineer in cybersecurity, but I do see this coming up a lot, and it's a good discussion point and something people really need to think about.

All right, well, let's dig in. What are your thoughts here?

Honestly, I think there's a lot of value in looking at cybersecurity insurance for some organizations. And in fact, there could reasonably be more value than maybe buying that next $100,000 tool that's going to protect your network. And you need to take the time to understand the risk and the benefit. For example, insurance might protect you from a breach that occurred, and you aren't that exposed to a breach. So you don't need to buy that new network monitoring tool. You don't need to buy that solution that's expensive and that means you have to bring on cybersecurity resources, where, because you're not so exposed or not in an industry that has a lot of interest to attackers, an insurance policy could be the better solution for you.

Is this a matter of sort of taking a risk-based approach, of taking a look at your vulnerabilities and your strengths and deciding where are the best places to spend your money?

That is exactly what it is, David. And there's a couple of things you've got to watch out for, honestly. And I'm not a lawyer. I'm not giving specific advice. I want people to think about this. A lot of organizations are starting to offer cybersecurity insurance. They're underwriting policies for folks. If you're a medical provider or some organization that needs compliance, it's arguable that cybersecurity insurance is something that's very important for you because of compliance metrics, or it could be litigation, things of that nature. But if you're that welder I sometimes talk about in Oklahoma, who all he wants to do is send out his invoices at the end of the month, it might not be that big a deal for you to have that cybersecurity insurance to protect your shop if you've got good backups. The key, though, is there are a lot of organizations that are now trying to offer cybersecurity insurance. And you need to look for insurance, people that have underwritten policies that maybe have gone through paying out, that have gone through litigation, to really understand that they have that track record, that the policy will be used and you're able to enforce it and get some money back. Because there's a lot of folks that are saying, well, we'll provide you insurance, except if you're hacked, we're not going to help you recover. You know, things like that. You've really got to spend the time to understand what the policy covers.

Yeah. And things like deductibles and all that. None of us, you or me, or probably most of the people listening to this show, are insurance experts. So you need to work with somebody you trust to make sure that you're going to be well taken care of, and ask those questions.

Well, that's exactly right. It goes down to looking for someone that maybe isn't new in this industry, that's been doing it for a while. But in addition, you, as the person looking for a policy, have a responsibility for understanding the requirements of that policy. Do you have compliance requirements if you get it? Do you have, you know, things that that policy requires you to implement in your organization? What is that policy going to cover? Is it going to cover your brand protection if you do get attacked and data is taken out? Will they help you, you know, with the media coverage? Or are they just going to help you get data back? And things like, how do you prove that the hard drive didn't go bad in the server, that it was a hacker? You've really got to understand how you're going to be able to get money or recourse out of that policy. Don't just sign up for something and think you're covered.

All right. Well, it's good advice. David Dufour, thanks for joining us.

Yeah. Great being here, David.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.