CyberWire Daily - Kaspersky loses court challenge to US Government ban. Cryptomix ransomware. US Departments of Commerce, Homeland Security, and Energy plan resiliency. A packrat at CIA? Reboot your routers.
Episode Date: May 31, 2018
In today's podcast we hear that Kaspersky has lost its court challenge to the US Government ban on its products, but plans to appeal. Cryptomix ransomware is out in the wild. Vulnerabilities found in SingTel routers. Chrome 67 update includes patches. The US Departments of Commerce and Homeland Security address botnets (and ask for research). The US Department of Energy plans for resiliency. Twitter takes down tweens. A packrat at CIA? Reboot your routers. Robert M. Lee from Dragos, reviewing some recently published ICS security reports. Guest is Adam Vincent from ThreatConnect on the increasing importance of threat intelligence for many organizations.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code N2K at checkout. That's joindeleteme.com slash n2k, code N2K.
Kaspersky loses its court challenge to the U.S. government ban on its products, but says it will appeal. CryptoMix ransomware is out in the wild. Vulnerabilities are found in Singtel routers. Chrome 67 update includes patches. The U.S. Departments of Commerce and Homeland Security address botnets and ask for research. The U.S. Department of Energy plans for resiliency. Twitter takes down tweens. Is there a pack rat at CIA? And have we mentioned reboot your routers?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 31st, 2018.
Kaspersky's challenge to the U.S. government's ban on its software has failed,
with its suits dismissed yesterday by the District Court for the District of Columbia.
The company had filed two suits.
One claimed, under the Administrative Procedure Act,
harm to Kaspersky's reputation and sales without due process.
The other asserted that the National Defense Authorization Act,
making the ban a matter of law,
amounted to an unconstitutional bill of attainder, inflicting punishment without a judicial trial.
On Wednesday, the District of Columbia District Court tossed both suits.
U.S. District Judge Colleen Kollar-Kotelly dismissed Kaspersky's case,
challenging the U.S. government's ban on the company's products.
She found that the NDAA did not impose any recognizable punishment,
but rather established a reasonable protective policy justified on national security grounds.
While the policy undoubtedly has a negative impact on Kaspersky,
it's not punitive, and any such negative impact doesn't outweigh the security reasons that motivated the ban.
Kaspersky has expressed both its disappointment and its intent to appeal.
Kaspersky isn't the only company to endure difficult times over its perceived closeness to a nation's security and espionage services.
Concerns about possible security threats Chinese device manufacturers present remain very much alive in the United States, Canada, and Australia.
Huawei and ZTE are most often mentioned in dispatches.
MalwareHunterTeam reports that a new variant of CryptoMix ransomware is circulating in the wild.
There's no free decryptor available for it yet, so unfortunately some victims will be tempted to pay the ransom.
The best defense against this and other ransomware strains is secure, tested, and used backup.
Some organizations, latecomers to backup for the most part, continue to pay ransom to get out from under other strains of malware. One such victim is a public school district in Oregon, where the Roseburg schools say they've paid the attackers to regain access to their data. The school district was hit with the ransomware a month ago. What they paid, they haven't said, but they do say they're now taking steps to protect themselves against future infestations.
Researchers at NewSky Security have found a vulnerability that affects most routers used by Singtel, Singapore's main internet service provider.
Two more misconfigured AWS S3 buckets have been found by security firm Kromtech. They belong to Honda India and are said to have exposed some 50,000 customers' data. The customers who were affected had downloaded Honda Connect, a remote car management app that let drivers not only interact with their Honda smart car, but also obtain and use online services Honda Car India provides.
Threat intelligence continues to become an important part of many organizations' security operations. But there's still some confusion on how to get started and how to dial in the right amount and kind of intelligence. Adam Vincent is CEO of ThreatConnect, and he offers his insights.

I think that every company out there that has any kind of security wherewithal is starting to think about how to make better decisions across their business. And data and intelligence are a great way to do that. Why not use intelligence to drive their security program as well?

When you interact with folks who are considering threat intelligence, do you find that there are some common misperceptions that they might have?

Absolutely. My biggest pet peeve is that many people think of intelligence as a bunch of data that comes in and something called a feed from the internet, and that aggregating feeds from the internet means that they can check the box and say, we're now doing security in an intelligence-driven way.

In your mind, what is that transition from data to actionable intelligence?

We've always had the mentality here that intelligence is something that is created from managing a security program. Feeds and other forms of external intelligence were inputs into that process. But overall, the process of making a better decision started with what decisions you need to speed up or make in the first place. And so I think that most companies today that think that a feed is checking the box from an intelligence perspective are on the journey to realizing that they're going to ultimately need to become intelligence-driven, because that's what the CEO and their boss, the CISO and their peers across the industry are doing. And that type of transition as an industry is really exciting and is being communicated as something that is drawing others in, and ultimately will be the reason why someone goes from thinking a feed is good enough to realizing that intelligence is more than just a feed. It doesn't need to be a very sophisticated government-like capability where you go out and hire a bunch of people, and those people come from organizations like NSA or the intelligence community. Instead, intelligence is to fuel the decision-making process and to speed up processes that the companies that are looking to employ intelligence are already doing. So, for example, you may have a phishing email process that's riddled with human capabilities today: people doing analysis, people looking at who the emails were sent to, doing some spreadsheets, and ultimately creating a PowerPoint for their boss that helps inform the decision of how phishing emails are affecting the organization. That's a great example of a process that could be data-driven and could be automated to the point where we're creating knowledge about phishing and how phishing is affecting the organization. We're disseminating that information, and we're even starting to automate the defensive actions we can take that are driven by that newfound intelligence.

That's Adam Vincent from ThreatConnect.
In patching news, Google's release of Chrome 67 to the stable channel
includes fixes for 34 vulnerabilities.
The Departments of Commerce and Homeland Security yesterday rendered a report required by the May 2017 executive order on cybersecurity. The report's title, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated Distributed Threats, fairly expresses its contents. The recommendations include aspirations for the government to lead by example and to seek public-private partnerships that will build resistance to botnets into devices under development. Manufacturers are expected to play an important part in driving down device vulnerability to bot herding. Commerce and DHS call not only for government direction of research into this kind of resilience, but also for funding that would support the R&D.
Another department has also reported in accordance with the executive order: the Department of Energy has released its multi-year plan for energy sector cybersecurity. The plan gives pride of place to the Department's Office of Cybersecurity, Energy Security, and Emergency Response, established this February. It also outlines three overarching goals: strengthen energy sector cybersecurity preparedness, coordinate incident response and recovery, and accelerate game-changing research, development, and demonstration of resilient delivery systems. Like everyone else, Energy is interested in greater resiliency.
Content moderation continues to trouble social media platforms. Twitter is the latest with a policy designed to get a handle on such problems. In this case, it's the problematic status of underage users. If your date of birth suggests you joined Twitter before you turned 13, kids, Twitter is shutting you down. It is a GDPR compliance issue, and it doesn't matter how old you are now. Twitter doesn't want to be placed in a position of sorting out under-13 from over-13 tweets. If you're now of age yet find yourself having been booted from Twitter, you can arrange for a new account for yourself.
Is there something about work in intelligence that either attracts pack rats or disposes people in the business to act like pack rats? Another case would seem to suggest so. You'll remember former NSA contractor Hal Martin, whom the FBI said kept scads of highly classified stuff from work in his shed at home. This time, it's a CIA contractor and another resident of the Old Line State. Reynaldo Regis has entered a plea of guilty to charges related to his having kept notebooks of things he saw while working at the agency between 2006 and 2016. In Regis's case, he also seems to have been curious, accessing lots of material that had little or nothing to do with his job. He's out on bond, having surrendered his passport and promised to stay close to his Maryland home. He'll be sentenced in September and could face up to five years in prison.
So, another question. What's up with insider threat programs? What are they looking at? And does no one look at briefcases and other things people carry out of Langley?
Finally, if you haven't rebooted your router against VPNFilter, well, why not? If you don't trust advice from the FBI, maybe you'll accept it from Vietnam's Ministry of Information and Telecommunications, Authority of Information Security. Yes, Vietnamese authorities say that devices in that country have turned up with VPNFilter infections, and they offer their users the same advice the Bureau gave everyone in the U.S. Reboot your routers.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies, like Atlassian and Quora,
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices ... been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Robert M. Lee. He's the CEO at Dragos. Robert, welcome back. You all recently published some reports looking back on 2017. I wanted to take the opportunity to look at those and talk about what you found.

Absolutely. So we did a Dragos year in review of 2017 across three different sections. And so, really mapped to our intelligence team and our operations center, we had a report on the vulnerabilities, a report on the threat activity groups, and a report on lessons learned across hunting and responding. So the reports were a very strong approach to let's look at the actual numbers. Let's look at the actual findings and have this approach around them.

So some of the key things we found that I thought was interesting on vulnerabilities, as an example. One, there's always been a myth in the community that most of the vulnerabilities we see are from free products and things that have trials and other things that you can just download, and that really there's so many of these hidden vulnerabilities because nobody can access the paid stuff. We found that a significant majority of all of the vulnerabilities released were actually from products and software that had no free version available or no trial version available. So I completely destroyed that myth.

The second thing that I thought was really interesting from the vulnerabilities report is that 64% of all of the vulnerabilities released, if you went and patched that vulnerability, it wouldn't have reduced any risk, that the vulnerability itself was only granting to an adversary functionality that was already available on the system. Like, hey, if you exploit this vulnerability you get root permissions, except you're already running in root permissions on that device because of the way that it runs. You know, in other words, a useless vulnerability, which means that about 64% of the patching done in the community is completely wasted resources. Not saying don't patch, it's just we should be patching smartly.

The third thing that I thought was really interesting is 75% of all their releases, 75% of all the public vulnerabilities for industrial control systems, were wrong. They were talking about the wrong product, talking about the wrong service, talking around the wrong vulnerability, just absolutely wrong. And that means we've got a lot of work to do.

What do you mean? What do you mean by wrong? Are you mistaken?

Just completely wrong. Like, hey, go patch this vulnerability because this is the vulnerability that exists the adversary could take advantage of on this product. And something about that statement would be wrong. Like, it's the wrong product in the advisory, or it's the wrong vulnerability, or that's not actually what you do with the vulnerability. Or it says, hey, this vulnerability can cause a denial of service, but it doesn't. It might give you escalated privileges. Just completely inaccurate reports.

I mean, it's an astounding finding.

So that's number one. I mean, we actually saw this happen. I don't want to get too much into the details. We saw an adversary try to take advantage of a vulnerability, and they read the advisory, obviously, and did what the advisory said to take advantage of the vulnerability, and it was wrong, and they screwed up in the attack. I mean, it's kind of funny, but that sucks for defenders as well.

It's an inadvertent win, right?

Yeah, we shouldn't be doing that. We don't want to run deception operations against our own community.

Right.

Okay, so that was the vulnerabilities. In the threat activity groups, we always hear about individual attacks, but there were groups specifically targeted towards industrial in a way that we've never seen before. There's always been like one or two a year, but in 2017, there were five. And I'm not talking about the larger. I mean, there's dozens. And I think there's something like 30 something that gets tracked in the community of teams that run campaigns against infrastructure companies, but not industrial control systems specific. So there were five teams that were specifically targeting industrial control systems, which is a large escalation from what we've seen over the previous years.

And in the hunting and responding reports, there's a consistent myth that spear phishing is the number one way into industrial control system environments. And I've long positioned that's probably not accurate. It's just because all of our collection and tools and teams are in the IT environment, so that's where they see it. And so we looked back at all the cases of hunting and responding and incident response work that our team did over the past year and found that, yeah, actually that's not true. One of them, it is a big infection vector, but the number one that we saw was actually VPN compromises directly into the ICS. So it's just interesting to see what's going on.

But I think another big key finding of that report was that companies we're engaging with are significantly maturing in their security practices. We were very pleased and very optimistic in our view of the industry. And it's a little bit of a collection bias, because obviously the people that are coming to talk to us anyway might already be a little bit more mature. But we were surprised, even in that, of the level of maturity of these companies and what they're doing for security.

All right. It's interesting stuff. Check it out. It's on the Dragos website, a qualitative view of 2017. Robert M. Lee, thanks for joining us.

Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.