CyberWire Daily - International reactions to US sanctions against Russia (positively reviewed in Europe and the UK, but panned by Russia). Continuing threats to the cold chain. Natanz back in business? Data breach notes.
Episode Date: April 16, 2021
The European Union expresses solidarity with the US over the SolarWinds incident. The UK joins the US in attributing the incident to Russia. Russia objects to US sanctions and hints strongly that it intends to retaliate. IBM discloses new cyber threats to the COVID-19 vaccine cold chain. Iran says Natanz is back in business. Kevin Magee from Microsoft looks at the security of startups. Our guest is Brad Ree of ioXt Alliance with results from their Mobile IoT Benchmark report. And data breaches hit people who park and people who read. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/73
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The European Union expresses solidarity with the U.S. over the SolarWinds incident.
The U.K. joins the U.S. in attributing the incident to Russia.
Russia objects to U.S. sanctions and hints strongly that it intends to retaliate.
IBM discloses new cyber threats to the COVID-19 vaccine cold chain.
Iran says Natanz is back in business.
Kevin Magee from Microsoft looks at the security of startups.
Our guest is Brad Ree
from the ioXt Alliance with results from their Mobile IoT Benchmark report. And data breaches
hit people who park and people who read. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 16th, 2021.
The European Council has expressed soft solidarity with the U.S. on the impact of malicious cyber activities,
notably the SolarWinds cyber operation, which the United States assesses,
has been conducted by the Russian Federation.
The EC's principal interest, as expressed in its statement,
is to call for the development of international norms to inhibit attacks on the
ICT supply chain in particular. That call is consistent with the aspirations expressed by
the White House in yesterday's statement. ZDNet says that the UK has joined the US in
attributing the SolarWinds compromise to the Russian organs. Russia dismisses the British stance as idle MeTooism.
Whitehall is just going along with its Yankee cousins.
The Guardian quotes Sergei Naryshkin,
head of Russia's SVR,
that's Cozy Bear if you're keeping track
of the malign menagerie on your scorecard,
saying that U.S. sanctions introduced yesterday
were an unfriendly step,
which in his opinion is also poorly considered,
that would contribute to the destruction of international stability.
The Hill reports that Russian authorities denounce the sanctions as illegal
and rumble about retaliation in kind.
Reuters quotes Kremlin spokesman Dmitry Peskov as saying,
We condemn any intentions to impose sanctions, consider them illegal,
and in any case, the principle of reciprocity operates in this area.
Reciprocity so that our own interests are ensured in the best possible way.
That is, what's sauce for the Moscow goose is equally sauce for the U.S. gander.
Sanction us and we'll sanction you back. Reciprocity isn't necessarily symmetrical. Indeed, in this case, it can't be.
The U.S. isn't vulnerable to Russian economic restrictions, for example,
in the way interruption of trade with the U.S. and its allies is a pain point for Moscow. But expect such measures as
expulsion of a comparable number of U.S. diplomats from their Russian stations. This happened during
the last round of reprisal for Russian hacking, when the previous U.S. administration expelled
60 Russian diplomats and Russia responded by giving 60 American diplomats the boot.
Immediately after imposing the sanctions,
U.S. President Biden waved the carrot of high-level talks to ameliorate tensions between Washington and Moscow, NBC News reports.
The U.S. sanctions against Russia have received general bipartisan approval from Congress.
If anything, congressional barking suggests that Capitol Hill
is ready for an even harder line than the one the administration has actually taken.
Among the Russian organizations affected by U.S. sanctions were six companies.
The U.S. Treasury Department names them as Positive Technologies, ERA Technopolis,
Neobit, Advanced System Technology (AST), Pasit, and SVA.
The biggest fish in Treasury's net is Positive Technologies.
Quote, Positive Technologies is a Russian IT security firm that supports Russian government clients, including the FSB.
Positive Technologies provides computer network security solutions to Russian businesses, foreign governments, and international companies, and hosts large-scale
conventions that are used as recruiting events for the FSB and GRU, end quote. MIT Technology
Review devotes a long article this week to Positive Technologies. It's a billion-dollar operation, a tech unicorn whose research into vulnerabilities
is widely respected and often quoted.
That's fine, of course, but U.S. intelligence services have also concluded
that Positive Technologies provides offensive cyber tools,
consulting on such operations,
and even direct operational support to Russian espionage agencies. Positive
Technologies works with a range of Russian agencies, but it's thought to be especially
close to the FSB, whom it provides exploit discovery, malware development, and even
reverse engineering of cyber capabilities. A note from our linguistics desk, Positive
Technologies has an English name.
A number of media outlets have spelled the company's name in a way that makes it look Russian,
but it's not. It's simply pronounced Positive Technologies,
transliterated into Cyrillic, and then transliterated back into the Roman alphabet.
IBM warns that the COVID-19 vaccine cold chain, the refrigerated logistics necessary to ship and
store vaccines, remains an attractive target for active cyber attack. The company's security
X-Force says that it's recently discovered an additional 50 files tied to spear phishing emails
that targeted 44 companies in 14 countries in Europe, North America, South
America, Africa, and Asia. The campaign impersonates an executive from Haier Biomedical, IBM says,
going on to explain that this is a major Chinese biomedical company that is purported to be the
world's only complete cold chain provider. So why would someone be interested in these particular targets?
The vaccine cold chain is an international one with participation by companies from many nations
active in several sectors and by governments, international organizations like UNICEF
and various non-governmental organizations. So there's a great deal to find. IBM recommends that everyone involved with the
cold chain stay vigilant and that they check TruSTAR Station for updates. Whatever somebody,
probably Israel, did at Natanz, probably a bomb, the enrichment facility seems back in business and now producing 60% uranium-235,
or so Iranian authorities tell Reuters.
And finally, are yinz thinking of parking in Pittsburgh?
Yinz out of luck.
A Pittsburgh parking authority's app has been breached by some jagoff,
the Pittsburgh Tribune says, although not exactly in those words.
About 20 million drivers, or at least parkers,
are affected, and since the Steel City has just north of 300,000 residents, the arithmetic-savvy
listener will soon conclude that this must be wider than the Monongahela Valley, deeper than
the Allegheny River, and it is. Yinz don't even need to be a Carnegie Mellon grad to figure that out.
It's a third-party problem deriving from a breach at the ParkMobile service detected at the end of March.
Why do we mention Pittsburgh in particular?
We just like talking about yinz, and besides, we saw the article in the Trib.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time
visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
It is becoming more and more the norm that if you buy any type of electronic device,
there's a companion app that goes along with it. In my own life, I've got apps for my bathroom scale, lights and appliances,
and even my son's fancy new electric scooter.
The folks at the ioXt Alliance recently partnered with the team at NowSecure
on a report titled Mobile IoT Benchmark, the State of Mobile App Security.
Brad Ree is CTO at the ioXt Alliance.
So the ioXt Alliance is an organization of leading IoT and device manufacturers who are really working to basically address the cybersecurity concerns for smart homes, smart building, and cellular IoT spaces, all of which have nothing to do with this mobile application.
However, in the last six months, what we did was we realized that in all of these connected devices, of our authorized labs, to help set up the certification program. And more importantly, they went and did a market survey of what the landscape of connected apps looked like.
And so that was the genesis of where the report came from, with many of these findings ultimately being rolled into our certification
program. Are there any trends here in terms of certain types of devices tend to be more attentive
when it comes to security? So the biggest trend that I actually see out of this is that many of
the developers, or at least the managers over the development teams
were surprised at the results. So for the most part, many people think that they're following
best practices and everything, but it's only when you sort of get that third-party assessment
that libraries may have been included that had some issues or developer code that was
left in and not fully thought through was left and exposed. So like I say, unfortunately,
the biggest trend is a little bit of a surprise on many of the developer side.
Interesting. Now tell me about the process of certification.
What do folks have to do to go down that pathway, and what are the benefits?
Sure. Well, we have a couple different ways that we're certifying devices and everything. So,
we went in first to find a standard that is testable and scalable. And what we really mean by that is it has to be able to
address the hundreds of thousands of devices or the millions of apps out there and everything.
So we have a self-cert program where developers can come in and basically run through the
questionnaire and everything themselves. Or we also have, working with labs like NowSecure and
some of our other authorized labs can have third-party assessments.
And then a bunch of our labs have also been working on, like NowSecure has some tools that they offer that manufacturers can do some automated scans to look for the low-hanging fruit of the security issues.
Are there any things that folks can do who are the consumers of these devices
in terms of having any assurances
that the combos that they're using
are as secure as they think they should be?
Yeah, there's a couple things.
There is a little bit of a challenge,
which is where ioXt Alliance
is really trying to step in with having a certification that is public and visible and everything else.
But I would caution consumers when they're installing apps and permissions are being requested, they should think twice about what that permission is.
Don't just blanket accept everything.
I'll throw a great example.
We took a look at a, it was a manufacturer of air conditioners and their mobile app for controlling
an air conditioner was actually asking for both access to the microphone and recorded sessions.
And I contend there's very few air conditioners that
need to have access to any kind of recorded material. I concur. Absolutely. So some of those
kind of things really definitely jump out and you should just take a deep breath,
not accept everything that's required, or use at
least temporary permissions. That's Brad Ree from the ioXt Alliance. The report is titled
Mobile IoT Benchmark, the State of Mobile App Security. There's a lot more to this conversation.
If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
where you get access to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Kevin Magee.
He's the Chief Security and Compliance Officer at Microsoft Canada.
Kevin, it's great to have you back.
I know you do a lot of work with startups, and in particular, you do work with startups
who are not necessarily in the cybersecurity realm.
I was curious, you know, what sort of insights can you share
from the work you do with those sorts of organizations?
Thanks for having me again, Dave.
Previous, obviously, to my role at Microsoft,
I was involved in a number of startups, some successful, some for not.
I definitely have a preference for which ones I enjoy being a part of.
But a lot of the cybersecurity startups really think about cybersecurity up front and build it into their internal processes or not.
Other startups that are not based on security or don't have a product based on security really have to keep focused on a lot of different things.
And security might be pushed down and down in the priority list, which can be for what is perceived as the right reason. I'll give you the example.
If you've got a product
where you want user adoption
to happen really quickly
so you can demonstrate to funders
that you need more money,
adding multi-factor authentication
or other sort of friction for security
will actually decrease your user adoption.
So making those decisions
based on growth alone
can leave you exposed
to a lot of security problems.
Working with the startups to have that discussion up front to really look at how do we manage that
risk is something I really enjoy and feel adds a lot of value to these startup founders.
What are some of the advantages that startups have these days when it comes to
their security posture versus organizations that have been around for a while?
Well, they can take a lot of advantage
of decades of best practices of cybersecurity.
So we've got cloud computing
that comes with a lot of defaults turned on.
Most of the users in startups are familiar
with things like multi-factor authentication
or DevSecOps or whatnot.
But they also don't have this sort of legacy
of policies, procedures, or infrastructure
that was built during a different time
with different legislation
or it needs to be retrofitted.
So they get to start from scratch.
So taking advantage of getting those norms
and leaning in on what's already available,
but also then balancing that
with making sure that you're not creating
additional technical debt
by avoiding security for, like I mentioned before, user adoption or other things that are relevant to the business
can still be a challenge.
Does having so many things that we rely on, so many of the technical aspects of running a business,
having them be cloud-based these days, is that overall an
advantage in your estimation? It is because, again, it provides a lot of security by default.
It allows a lot of scale. You can very quickly and cheaply scale a startup. My first one was in
the 90s. We had to buy physical servers or build them. It was really difficult to provide that
level of scale if you needed compute power, which is now really cheaply available and securely available.
But it also accumulates a lot of data and a lot of assets in one place that are really valuable for hackers to go after.
So again, it's one of those balancing acts.
How do you take full advantage of all the opportunities that cloud and new technologies offer, but making sure that you're also not becoming a very attractive target for hackers as well. Do you suppose that there's
a sort of a cultural evolution here where I'm thinking of, you know, when you start up a
business, people will advise you that there are certain professionals you need to engage with.
You need someone to help you with your insurance. You need a good lawyer, those sorts of things. Are we approaching a point where cybersecurity professionals are
part of that list? I would like to think so. Having a great accountant can make sure you
don't get an audit. Having a great lawyer sets you up for success if you are ever sued or whatnot.
So having a great cybersecurity professional at the beginning would be a great
addition to your team, but often not seen as an expense or maybe an expense that could be pushed
off or reprioritized to the future, generally to the detriment of the company should an event
happen. But it's certainly something that startups could take full advantage of. Startups also have
much more to lose than the average business. If there's a compromise of a credit card, you might
lose up to the credit card limit. If there's a business email compromise, an invoice may be improperly paid.
But if a startup really gets hacked, maybe their IP gets stolen and they have no reason to exist
anymore. Or if there's a reputational damage because of a hack, they can't get funding
and whatnot as well. So there's a lot more at risk for an early stage startup to get it wrong.
And so it becomes super important to really get it right.
All right.
Well, Kevin Magee, thanks for joining us.
Thanks, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Be sure to check out Research Saturday and my conversation with Deepen Desai from Zscaler. We're discussing a new Trojan malware that's using social engineering techniques and fake
cybersecurity resume cover letters.
That's Research Saturday. Check it out.
Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.