CyberWire Daily - Hacktivism threatened over embassy move. Significant probe of an industrial plant. That was no BGP error. TV blues.

Episode Date: December 14, 2017

In today's podcast we hear that Anonymous has called for action against US and Israeli government sites. FireEye reports a significant attack against an industrial plant, possibly involving nation-state reconnaissance. A lot of Internet traffic was briefly rerouted through Russia yesterday, possibly deliberately, for unclear reasons. TV troubles. Dale Drew from CenturyLink on measuring against standards and certs. Torsten Mayer from FICO on using AI to help protect nonprofits online. And if toys are getting too connected, consider a puppy—very interactive.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Anonymous has called for action against U.S. and Israeli government sites, FireEye reports a significant attack against an industrial plant, possibly involving nation-state reconnaissance. A lot of internet traffic was briefly rerouted through Russia yesterday, possibly deliberately for unclear reasons. There's some TV troubles, and if toys are getting too connected, consider a puppy. It's interactive. I'm Dave Bittner with your CyberWire summary for Thursday, December 14, 2017.
Starting point is 00:02:31 Anonymous is unhappy with the U.S. decision to move its embassy in Israel from Tel Aviv to Jerusalem. The hacktivist collective has called for worldwide unremitting attacks on Israeli and U.S. government sites. Nothing so far. Anonymous has had indifferent success in the past with its Op Israel, but of course such threats bear watching. Security company FireEye reports a significant attack on an unnamed industrial plant. Reuters, quoting ICS security experts at Dragos, calls it a watershed event. The attacker hit Triconex industrial safety technology supplied by Schneider. Triconex is widely used in the energy sector, including oil and gas and nuclear power generation.
Starting point is 00:03:15 Dragos says the affected plant was in the Middle East. Industrial security firm CyberX is more specific, saying the plant is in Saudi Arabia. FireEye suggests there's evidence the attackers were working on behalf of a nation-state, which one is not specified. Its researchers think the attack may have been reconnaissance gone awry. The hackers appear to have inadvertently tripped safety systems into fail-safe mode, thereby shutting down plant operations. It's good the systems failed safely, as intended, but the
Starting point is 00:03:45 possible implications of the reconnaissance are disturbing, since it seems to have been aimed at learning how to disable safety systems during an attack. Graceful degradation under attack is, of course, far better than catastrophe, and a catastrophic attack against such industrial control systems has catastrophic potential indeed. The Bitfinex cryptocurrency exchange is back and in operation, having recovered from this week's distributed denial-of-service attack. Speculative interest in Bitcoin and other cryptocurrencies is rising. The principal German stock exchange is considering opening trading in Bitcoin futures, for example, so Frankfurt could join Chicago in serving this market,
Starting point is 00:04:27 and with such trading interest, criminal interest rises proportionately. Yesterday, traffic to and from some very large companies was briefly routed through what Ars Technica calls a hitherto unknown ISP in Russia. The companies whose traffic was affected include Microsoft, Google, Facebook, Apple, Twitch, NTT Communications, and Riot Games. This doesn't appear to have been an ordinary Border Gateway Protocol error, that's BGP. Monitoring services, including BGP Mon, think it may have been intentional. The cherry-picking of targeted companies strikes observers as odd, and so does the fact that, as Ars Technica puts it,
Starting point is 00:05:08 the hijacked IP addresses were broken up into smaller, more specific blocks than those announced by affected companies, an indication the rerouting was intentional. The Russian autonomous system, AS39523, was the apparent cause of the redirections. It added BGP table entries saying in effect it was the proper origin of the 80 or so prefixes affected. Why the redirection was done is unclear, but observers note it as another instance in which a system designed for parties who trust one another falls short in the Internet as it exists today. With the holidays approaching here in the U.S., financial institutions and non-profits alike are working overtime
Starting point is 00:05:49 to prevent fraud, abuse, and even money laundering. These days, they're turning to artificial intelligence to help root out anomalous transactions and cut down on false positives, all while staying compliant. FICO is one of a host of companies who provide these sorts of services, in their case with their Tonbeller Siren suite of tools. We spoke with Torsten Mayer, Vice President of Risk and Compliance Solutions for FICO.
Starting point is 00:06:14 Artificial intelligence is a very proper tool in order to enlighten the dark spaces in your customer base. So, for instance, the past banks used to use rules, rules which described known behavior. On the other hand side, now and even more in future, artificial intelligence will help to detect by using self-learning algorithms unknown, unexpected behavior. So artificial intelligence will help a lot to uncover so far unknown criminal behavior and methodologies.
Starting point is 00:06:56 And that's what banks like to have, not to only rely on rules, but use artificial intelligence, self-learning algorithms to detect the unknown. That's one part. And maybe for the larger institutions, even more important to reduce the number of false positives. You know, the financial industry is certainly heavily regulated. Are there any specific challenges with integrating artificial intelligence into an environment that has so many rules of its own? So far, we use analytics in addition to rules. The simple reason why we do that is that typically regulators are not ready to accept artificial intelligence based systems only. Technology and sophisticated applications, maybe it's 50 to 60 percent of what a
Starting point is 00:08:06 financial institution needs to do in order to be compliant. They need to have internal procedures in place. The top management needs to see the importance of being compliant in order to protect at least reputation. The most valuable good they have to protect is their reputation. That's Torsten Mayer from FICO. Some TVs are found vulnerable. to use an approach similar to the Weeping Angel exploit Wikileaks dumped from its Vault 7 earlier this year. They were able to take control of the device's integrated camera and microphone. Unlike Weeping Angel, introduced via a USB drive, Tripwire's proof-of-concept didn't require physical access to the device.
Starting point is 00:08:58 Cracking a Wi-Fi password would do the trick. Second, Trend Micro has disclosed that the Linksys WVBR0-25, the wireless video bridge DirecTV's parent AT&T provides customers, is susceptible to remote code execution. Trend Micro disclosed the issue to Linksys six months ago. They're going public with it because, they say, Linksys has both failed to fix the problem and ceased talking with the researchers who found it. Belkin, which manufactures the Linksys devices, says it furnished a firmware patch to DirecTV.
Starting point is 00:09:34 The holiday season inevitably brings with it worries about oversharing over connected toys. French authorities have already said non to Bluetooth-connected doll Kayla. It's too chatty, too open to interaction with people you'd rather not have the children hearing from or being heard by. So there's much advice out there about how to keep the holidays more private. It's easy to find, but could we offer a suggestion? How about a puppy?
Starting point is 00:10:00 They're very interactive, and ours have never tried to collect any credentials. Just snacks. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:29 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:11:00 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:11:54 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:12:31 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Joining me once again is Dale Drew. He's the chief security strategist at CenturyLink. Joining me once again is Dale Drew. He's the chief security strategist at CenturyLink.
Starting point is 00:13:05 Dale, welcome back. You know, I think a lot of us look towards stability, and we want to be able to measure ourselves against standards and so forth. And there are plenty of standards in this industry, but you want to make the point today that maybe standards aren't the thing we need to look for for security. Yeah, I think the tagline for certifications is the good, the bad, and the ugly, right? I mean, the nice thing about certifications is it provides sort of a toolkit for people to set sort of standard expectations for how an ecosystem or data sets are going to be protected, right? And so it's supposed to
Starting point is 00:13:45 provide some degree of comfort for people who are familiar with that standard when they're evaluating doing business with a partner or a vendor or something like that. So that's the good about standards. I think the bad about standards is that everyone largely agrees two things. One, we have too many standards. Every industry has got their own representation of standards, whether it's the financial community, the manufacturing community. Everyone has their own set of security standards, and each one of those has sort of their own obligations associated with it. And the other thing is that having an infrastructure that is certified doesn't necessarily make that infrastructure secure. that is certified doesn't necessarily make that infrastructure secure. The biggest concern is that we're seeing people sort of play games with the scoping statement of a standard so that they can say a certain thing has been certified as being standard and people take a look at that
Starting point is 00:14:37 sort of overall statement, but they're not digging into the details about what actually is in scope, what systems are in scope and what systems are in scope and what controls are in scope. Because a lot of standards basically allow you to say, I'm going to say how I'm protecting something and I'm going to prove I'm protecting it. They don't typically say, this is what you should be protecting. There's an example that we have of a single server within our network that serves a number of products. And so we have different customers in different industries who are interested in the security of that server. So we have no less than four certifications on that single server.
Starting point is 00:15:14 That server is audited about five times a year, independent third-party auditors audited by us and our internal audit organization. We have 600 pages of documentation around how we are protecting that poor server. And that information has to be updated every year, right? We have a very Herculean effort associated with managing the audit resources, working on findings, audit resources, working on findings, updating the documentation, and providing those sort of accreditation packages to all the auditors every year. We spend more time maintaining the certification of that server than we do protecting it. If we look at the amount of investment we have
Starting point is 00:16:01 from a security perspective, protecting that server, and you equate that to a dollar, you know, I'm spending 75 cents certifying the server, and I'm spending 25 cents protecting that server. That, to me, is sort of upside down. And so we're advocating something along the lines of a single international security standard, like, you know, the one that is sort of prominent is ISO 27001. And I know I'm going to get, you know, skewered for mentioning a standard because everyone has an opinion on what standard that they believe is the best, but we have to start somewhere. And so, you know, I really like the idea of like an open source standard, right? So imagine an open source concept policy standard where the industry can concentrate policy and risk assessments to heat that policy up to date.
Starting point is 00:16:54 Imagine that it could allow for different certification levels, you know, your bronze, silver, gold sort of standard, you know, by implementing tested and mature sort of ratings. Imagine that you could have security tools built specifically to audit the measures in that standard that could work across each of the industries. And then, you know, imagine things like devices could be programmed to log information that's formatted specifically for those policy events. And so instead of just free formatted specifically for those policy events. And so instead of just free formatted log data, I could now start directing my vendors to generate log information and audit information that sort of denotes the policy violation that that log message represents.
Starting point is 00:17:37 And then we'd have a common language across the industry on training, education, certification, security vendors, all focused on the sort of open source standard around a single policy. And I think that's really what we need. We need the ability of sort of consolidating the ability for the industry to focus on one way of protecting our infrastructure so we can all get around that common methodology. Dale Drew, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:18:22 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can Thank you. insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:19:46 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.