CyberWire Daily - Influence operations in Brazil and the US. Vulnerabilities disclosed in commonly used software. Healthcare.gov breach. Industrial control system cybersecurity.
Episode Date: October 23, 2018

In today's podcast we wonder WhatsApp with Brazil's runoff election? Hacktivism hits Davos-in-the-Desert. Kraken Cryptor ransomware gets an upgrade. Remote code execution vulnerabilities disclosed in two classes of systems. Healthcare.gov breach under investigation. More calls for retraction of the spy chip story. Cozy Bear calls for proper Internet governance. US on effects of influence ops. Notes on industrial control system cybersecurity, with an emphasis on attending to the obvious. We talk to Awais Rashid from Bristol University to get his thoughts on supply chain security, and we also hear from IJay Palansky from Armstrong Teasdale on IoT legal liability concerns. For links to all of the stories discussed in today's podcast, visit https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_23.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hacktivism hits Davos in the Desert. Kraken Cryptor ransomware gets an upgrade.
Remote code execution vulnerabilities disclosed in two classes of systems.
Healthcare.gov breach under investigation.
More calls for retraction of the spy chip story.
Cozy Bear calls for proper internet governance.
U.S. on effects of influence ops.
Notes on industrial control system cybersecurity with an emphasis on attending to the obvious.
From the Cyber Wire studios at Data Tribe, I'm Peter Kilpie, executive editor,
sitting in for the vacationing Dave Bittner with your Cyber Wire summary for Tuesday, October 23, 2018.
As Brazil's elections enter their final phase, WhatsApp messaging in that country is seeing a surge in politically-oriented questionable stories.
What effect they'll have on the outcome remains to be seen.
Runoff voting will conclude on October 28th.
The murder of Jamal Khashoggi in Saudi Arabia's Istanbul consulate continues to arouse international outrage.
Turkey's President Erdogan addressed the death earlier today in an address to his Development and Justice Party, calling for Saudi Arabia to be more forthcoming about its role in the death and suggesting that any trial be held in Turkey.
Hackers have defaced the Davos in the Desert site with a picture showing both Khashoggi and, behind him, a sword-wielding Saudi Crown Prince Mohammed bin Salman. The site has been taken down.
The attack looks like hacktivist work.
Bleeping Computer says it's receiving attention from the masters of the Kraken Cryptor ransomware,
who released version 2.0.6 of their tool over the weekend.
There are two new recent reports of remote code execution bugs.
Zimperium reports finding such vulnerabilities in FreeRTOS, the open-source OS widely used in embedded systems. The bug's effects are seen across the IoT spectrum, from smart homes to critical infrastructure.
And Cisco's Talos says it's found remote code execution flaws in Live Networks' Live555 streaming media RTSP server. Exploitation could trigger a stack-based buffer overflow.
U.S. authorities continue to investigate a breach in healthcare.gov that affects about 75,000 people.
Hackers got in through the federally facilitated exchanges. These exchanges are designed to help
brokers and others make it easy for citizens to sign up for benefits. The government is restoring
the system and will be warning those whose data were lost. Amazon and Supermicro have joined Apple in demanding
that Bloomberg retract its story about Chinese supply chain poisoning of motherboards with spy
chips. There's still neither confirmation nor retraction of the story, but at this point,
Bloomberg is standing effectively alone. We've mentioned Brazil's elections, but of course the U.S. midterm
elections are also upon us. U.S. National Security Advisor Bolton is in Moscow for talks with Russian
leaders. The principal topic is the future of the INF Arms Control Treaty, which the U.S. is
considering leaving over what it characterizes as long-running Russian cheating. But he also
addressed yesterday Russian election meddling. He spoke on a Russian
radio program where he was asked to comment on the recent U.S. indictment of a Russian national
on charges related to election influence operations. Mr. Bolton said he told Russian
officials that their attempts to affect the 2016 elections had no effect on the election's outcome.
But those efforts did, he advised them, quote, sow enormous distrust, unquote, of Russia
among Americans. That distrust has become a major obstacle to achieving agreement on issues even
when Russian and American interests converge. Bolton said, quote, just from a very cold-blooded
cost-benefit ratio, you shouldn't meddle in our elections because you're not advancing Russian
interest, unquote. He hopes he was persuasive, but these talks have been tense ones.
Russia's FSB intelligence service recommends that the internet be brought under, quote, proper governance, unquote. Few will receive this as unproblematic good government advice, but there you have it. Cozy Bear has your interest at heart, or that's what Cozy would have you think.
After the break, we'll hear a recent conversation Dave had with Awais Rashid from Bristol University.
They'll be discussing supply chain security.
And I'm pleased to be joined once again by Professor Awais Rashid.
He's a professor of cybersecurity at the University of Bristol.
Welcome back.
We wanted to talk today about cybersecurity issues in supply chains.
The key thing that I wanted to raise was that we often think of cybersecurity in the context of an organization that we want to protect.
But many threats actually arise from the supply chain itself.
For instance, in any organization, for example, think of an organization with critical national infrastructure. It will have many complex supply chains with a number of other parties providing software and hardware components, third-party services.
There will be distributors involved.
There will be transporters involved, engineers, and third-party staff coming on site.
And all that creates a much more complex environment than we normally think of as cybersecurity within the confines of a single organization.
The challenge is that we normally focus our efforts on protecting the network and the infrastructure and the information of the organization in question,
which is, of course, very important.
But not enough attention is often paid to the threats that arise from the supply chain.
And we have seen various examples where actually threats arising in the supply chain then actually end up impacting the organization under consideration.
How do we deal with this kind of issue?
I think the key thing has to be to think of the supply chain as a socio-technical ecosystem that includes technologies, but a multitude of organizations as well. And all the cybersecurity practices of the various sectors within the supply chain actually then have an impact on the overall security and resilience of the whole supply chain itself.
And in terms of an organization, you know, setting budgeting for these sorts of things,
I guess it's really a matter of having to look outside of your own organization and
make sure that you have the resources to be able to properly vet everyone in your supply chain. Yes?
Yes, I think it's a resourcing question, but also it's a risk thinking question.
So at a strategic level, when decisions are being made about particular organizations coming as part of the supply chain to your organization, you have to ask the question.
And not only just what kind of security certification or compliances do they have, for example, things like ISO 27001, but what are their actual security practices? And would those security practices have an impact onto your organization?
If you look at Stuxnet as an example, the worm spread through potentially infected USBs or machines being carried into the nuclear power plant by third-party engineers.
And that's the kind of threat that arises.
And the kind of practices at an organization in the supply chain have an impact on what happens to you.
Awais Rashid, thanks for joining us.
We're in Atlanta for the 2018 ICS Cybersecurity Conference organized by Security Week.
We'll have updates on the proceedings throughout the week.
Industrial control systems security company CyberX is among the many vendors at the conference,
and this morning they've released their 2019 ICS and IIoT risk report. Their findings are based on
traffic captured from 850 production networks across various industrial sectors in many
countries around the world. Their major conclusions are not surprising. They found that passwords in plain text, direct connection of industrial systems to
the internet, and weak implementation of antivirus tools continue to be common across the sector.
All of these vulnerabilities, of course, have led to industrial security problems in the past.
NotPetya, last year's big shocker, has apparently shocked some operations into positive changes.
Among those positive changes has been the decrease in industrial use of Windows XP and other legacy operating systems.
But still, a lot of exploitable weaknesses are still out there.
CyberX says it's found unpatchable Windows instances in just over half the industrial sites studied.
Here are some high-level details from their observations of traffic from industrial sites.
69% of those sites permit plain-text, unencrypted passwords to cross their network.
The air gap that long protected legacy systems is now officially a myth.
CyberX found that 40% of the sites they observed have at least one operational technology connection to the public Internet.
Those OT systems are also increasingly connected with business IT networks, which isn't much better.
Many operations don't run even minimally acceptable antivirus protection. Automatic updating of signatures would set a minimally acceptable bar, but more than half of those sites CyberX looked at didn't even go that far.
Despite some top-down reform in the wake of last year's NotPetya pseudo-ransomware attacks, 53% of the sites were still running outdated, beyond-end-of-life Windows systems.
And finally, 16% of the sites had at least one wireless access point. Many of these are misconfigured.
Many of the issues of hygiene the report raised were echoed by presentations by other companies at the conference this morning.
Senior representatives of Schneider Electric, Siemens, and Rockwell Automation pointed out that they still see, when they visit industrial facilities, poor awareness of risk profiles.
They see, for example, that organizations continue to scramble with asset management during incident response.
It's bad practice to wait until you're under attack before you ask questions like: how many of these devices do I have? Where are they? And where are they connected to?
They're also struck by the way sound configuration management practices are disregarded. They have seen some encouraging developments, however.
Boards, for one thing, are showing a significantly increased level of awareness about the seriousness
of industrial cybersecurity. And of course, concerns about liability will always exert a
powerful influence on business.
Legal exposure will grow with the IoT in all its forms.
As the number of internet-connected devices in our lives continues to increase,
there are increasing concerns about legal liability from the manufacturers of those devices should connectivity lead to a breach of security, privacy, or physical safety.
IJay Palansky is litigation partner at Armstrong Teasdale LLP.
Dave had a chance to talk with him about these issues.
I come to this as the lead counsel in the class action that followed from Charlie Miller and Chris Valasek's hack of the Jeep Grand Cherokee back in 2015. And we just got class certification in that case, which means that it looks like we've got about 220,000 vehicles, and we're proceeding on behalf of the owners and the people who leased all of those.
And really, this, I think, as far as I know, is sort of a first of its kind case.
But I also believe that it's the tip of the iceberg. And so I think that where we're at right now is that things are about to change very significantly. I think that there hasn't
been a lot of activity in this area in terms of civil lawsuits or enforcement lawsuits relating
to IoT cybersecurity vulnerabilities. But I think that we're right on the precipice of that really
changing. And can you give us some examples of how we might see that change play out? Well, I mean, that's really the big question here. So first of all,
there are a couple of conditions that have to be met in order for lawsuits to be brought.
And most of those conditions haven't really held up until now. But those things are changing. So
for example, cybersecurity for IoT devices is not necessarily where it needs
to be by and large. And when they start to get hacked, when people start to get injured,
whether it's an economic injury or through some sort of cyber physical effect, and where there's
attribution, those are the cases that are really ripe for lawsuits. And with cases like the Jeep case that are working their way through the courts, you're going to have a playbook for plaintiffs to consult. And as that
happens, there are going to be more and more cases brought. Now, how those are going to play out is a
really interesting question. The legal principles that apply aren't going to be any different,
by and large, than the legal principles that apply to other types of lawsuits. The question is, how are they going to be applied? And there are a whole
bunch of questions all wrapped up into that. But I think probably the most interesting one is that
almost irrespective of what the particular legal theory is, ultimately, the plaintiff is going to
need to show that the defendant, whether it's the manufacturer
of the product or of a component or the person who designed the software or whatever it may be,
didn't live up to their standard of care. And so the really big question is,
how do we determine what the standard of care is for a particular IoT device? And from my perspective, I usually represent defendants, even though in the Jeep case, I represent plaintiffs.
But first, coming from a defense orientation, the question is, if you're facing the possibility of a lawsuit like this, what do you need to do to make sure that that determination and the health of your company isn't put in the hands of a judge or jury that probably doesn't know very much about cybersecurity and isn't going to be very well equipped to make that determination about what the right level of care is for the product.
And so where do you think that's going to lead?
I mean, I think about, you know, for your average consumer, we were met with some sort
of device like this, that's software intensive.
And of course, the first thing we do is we click through some sort of EULA where we basically sign away all of our rights and agree that if anything bad happens, it's completely our fault.
Once we've headed down that path, where can it lead to?
Well, I think that where it's going to lead in the next few years, as you get more of these hacks and more lawsuits, is a situation where there are going to be a lot of organizations in the IoT space who are unprepared. And there's going to be a wave of lawsuits where the rules and the implementation of the rules is going to be unclear, which leads to significant risk.
It's very difficult to predict how that ultimately is going to play out. What I can tell you is
that I would be very surprised if there weren't a lot of lawsuits and if there weren't a lot of companies in the IoT space who
were hit with very big verdicts or compelled to settle for very big numbers based on cybersecurity
inadequacies or faulty design in their products. That's IJay Palansky from Armstrong Teasdale.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.