CyberWire Daily - Lojack for Laptops backdoor? World Cup cybersecurity. Schneider Electric patch. Reward points for sale. Medical device vulnerabilities. PPD-20 revision?
Episode Date: May 3, 2018

In today's podcast we look at some indications that LoJack for Laptops might have been compromised to report back to Moscow. World Cup cybersecurity. Schneider Electric patches developer's tools. ...Travel and hospitality rewards points are the menhaden of the black market. Medical device vulnerabilities. Taking the gloves off Cyber Command. It's National Password Day, and Microsoft (along with many others) would like to move beyond the password. And a requiem on Press Freedom Day for working journalists murdered by the Taliban. Ben Yelin from UMD CHHS discussing who's responsible when an AI kills someone. Guest is Edna Conway from Cisco on pervasive security architecture and third party risk. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Does LoJack for laptops report back to Moscow?
World Cup cybersecurity.
Schneider Electric patches developers' tools.
Travel and hospitality reward points are the bait of the black market,
medical device vulnerabilities, taking the gloves off Cyber Command,
it's National Password Day, and Microsoft, along with many others,
would like to move beyond the password,
and a remembrance on Press Freedom Day for working journalists murdered by the Taliban.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 3rd, 2018.
Finding, locking, and getting files back from a stolen laptop?
These things are all good.
If you look at them another way, however,
you can see some potential for problems. Finding, locking, and data exfiltration are, of course,
things that attackers are just as interested in doing as admins are. Security firm NETSCOUT's
Arbor Networks has reported a possible backdoor in LoJack for Laptops, a tool that enables
administrators to remotely lock, locate,
and remove files from a stolen computer. Five LoJack agents were found to be communicating
with four dodgy command and control domains, three of which have in the past been associated
with Fancy Bear, familiar to all of us by now as Russia's GRU. Absolute Software, which makes
LoJack for Laptops, says it's been in discussions with Arbor
Networks. It takes the matter seriously and is investigating, but doesn't believe its customers
are at risk. Fans of football, what we here in the States refer to as soccer, know that this year the
World Cup will be played in 11 Russian cities. Russian security authorities are boosting cyber preparations
before the event, looking at hotel Wi-Fi, World Cup networks, media, and so on. They're probably
mindful of this past winter's hacking of the Olympic Games and don't want the same threat
actors spitting in the soup this summer. Who was that mucking around in the South Korean games?
Fancy eagle? Fancy lion? Fancy kiwi? Fancy kangaroo?
Fancy loon? Fancy something or other? Well, wait, never mind. Schneider Electric has patched a
vulnerability in its InduSoft Web Studio and InTouch Machine Edition. The products aren't
themselves control systems, but rather tool sets used to develop SCADA systems, human-machine interfaces, and applications that connect automated systems.
The bug, discovered and disclosed by security firm Tenable, is a buffer overflow issue that could be exploited to execute arbitrary code.
Travel reward points are relatively easy to monetize, and they're being sold in Russian-language dark web markets.
Botnet operators often pick up such credentials incidentally in the course of other illicit activities,
and for the most part they sell them to other criminals.
The botnets deploy keyloggers to pick up more directly valuable items, like network or financial credentials,
but they sweep up the
travel rewards along the way. It's like watermen going after rockfish and then selling the bycatch
for cat food. Analysts at security company Flashpoint, who've been following the matter,
say that the fact that there are such a surprisingly large number of dark web
boutiques specializing in travel and hospitality reward points, indicates a
serious criminal demand for them.
How long will the trade continue?
That's an easy question to answer.
As Flashpoint says, it will go on as long as money is to be made from it.
Edna Conway is Chief Security Officer, Global Value Chain, at Cisco.
She joins us to discuss how organizations can build what she
calls a pervasive security architecture that tackles the often undefined and overlooked
third-party risks. Look, as we digitize, we're all aware of the fact that we're expanding the
ecosystem of third parties who really will inevitably impact us for better or for worse.
When you start to think about that, what it means is you need to
think about security in a pervasive way, not just using the words cyber and thinking information
security, but thinking comprehensively about the way we experience the digital economy through
devices, engagements with people, engagements via services, and incorporate
that holistic thinking into an approach that I call pervasive security. That's the goal.
So let's dig into some of the details here. How do you make that a reality from a practical point
of view? That's a great question. It's not easy. And I think that the reason why it's not easy is because you have to sit back, take the
time to think about your third party ecosystem. So if you want to pervasively drive security,
the first thing you really need to think about is looking at that value chain or that third party
community holistically. Who are they? What do they provide to you? Where are they providing it? And how are they providing it?
These begin to inform you on how to drive an architecture that will allow you to look at
security threats and exposures in a way that's, while comprehensive, flexible for the purposes
of examining each of those third parties in their own environment, in their own business
context, and how you utilize them. When I'm dealing with a third party, what's your recommendations
in terms of verification to make sure that they're actually living up to their end of the deal?
Verification is an interesting question. I mean, if you look at it, I mean, look, global governments
are clearly ramping their focus on what they refer to often as cyber supply chain risk management.
So it's a way of managing risk, not necessarily a focus that says compliance and compliance only.
Right. We see it in the NIST draft 1.1. We see it in the energy sector here in the US and North America and Mexico with NERC CIP.
How you do that is first sit down and say,
what am I worried about? Identify what the threats are. Translate those threats into exposures that
make sense for your third parties. And then drive a flexible architecture with what I like to call
domains that are common, but the requirements within those domains are customized based on the nature
of each third party member's effort on your behalf as part of your ecosystem.
Do you find that people have a hard time breaking this process down into manageable bites?
It depends on who they are. I think in the information communications technology arena, we're seeing it
grow more and more as part of doing business. The reporting, the metrics on it is still a little bit
of a burgeoning area, quite frankly. But look, you know, I think everybody realizes, they don't
particularly say it the way I do, but look, I believe the currency of the digital economy is
trust, the same currency humans have always had. If you say that trust is the currency, data is the fuel, right? And data
is a fuel maybe for our own decision making and artificial intelligence to help us with decision
making. All that does is form deposits in your bank of trust. You have to figure out how you
want to go out and address the people part of it. Do I trust in people, whether informed by AI or not? Do I trust in the data? Maybe I'm going to say I want to drive that because I'm going to drive a digital ledger capacity.
that are deployed by that third party from whom you acquire a product or service or information?
And then do we want the government to validate? And that's an open question. What is going on in industry in an effort to seek to both protect their citizens and get back to the question you
asked me, which is alignment? All of us can do it in a variety of different ways, but we need to
look at some international standards and parameters
to set the floor. And quite frankly, I think also set a ceiling that says no matter what we're doing
and no matter how high we seek to achieve a level of security based on risk, these fundamental 10,
12, 15 things need to be in the portfolio of what needs to be done and what we're going to measure.
That's Edna Conway from Cisco.
Becton Dickinson has advised that its medical devices using WPA2 encryption
are vulnerable to KRACK key reinstallation attacks.
That's K-R-A-C-K.
This general Wi-Fi problem isn't confined to medical systems,
but Becton Dickinson has issued a fix for the problem insofar as it affects their devices.
And the U.S. FDA has ordered the recall of about 465,000 St. Jude, now Abbott Laboratories,
implantable cardioverter defibrillators, that is, ICDs, for a firmware update.
The problem with the ICDs and their associated Merlin at-home monitors
essentially comes down to an authentication backdoor.
You may remember that this is the vulnerability publicly disclosed by MedSec in 2016,
controversial because the disclosure was done in apparent conjunction
with short-selling of St. Jude Medical stock by Muddy Waters LLC.
The vulnerabilities MedSec reported were subsequently independently confirmed by Bishop Fox.
U.S. Senator John McCain, Republican of Arizona, is about to publish a book in which he argues,
among other things, that the U.S. ought to punish Russian cyber operations with American cyber attacks. That's one senator's view, of course,
but there are signs that the National Security Council wants the gloves taken off of U.S.
Cyber Command, too. CyberScoop reports a movement among the NSC staff to rescind or modify
Presidential Policy Directive 20 to streamline the process by which military commanders could
receive approval for offensive cyber operations.
It's worth noting that PPD-20 is a classified document,
and so critiquing it involves a lot of looking at what agencies do and reading between the lines.
But it's generally been characterized as a document that requires extensive interagency coordination across the federal government
in the interest of both proper
restraint and due respect for agency equities. You're familiar with today's big holidays and
observances, right? If you can take time away from celebrating Garden Meditation Day, quietly,
Public Radio Day, with proper self-satisfaction, National Raspberry Popover Day,
formerly known with unintentional sauciness as National Raspberry Tart Day,
or Paranormal Day,
because the truth is out there,
consider that it's World Password Day.
Do you know where your credentials are?
We hope they're not in too many places.
More seriously,
today is also World Press Freedom Day.
It's an important right with important responsibilities.
This year's observance should also be a somber and reflective one.
Taliban suicide bombers exacted a high toll in attacks this Monday.
Ten journalists were killed covering the news.
It's worth hearing their names.
They were Shah Marai, photographer for Agence
France-Presse and father of six. Yar-Mohamed Toki, cameraman for Tolo News, due to be married
this month. Ahmad Shah, of the BBC Afghan service. He alone wasn't killed in the bombings,
but was shot dead by unknown assailants in Khost province.
Maharram Durrani, who had just begun her work as a reporter for Radio Free Europe, Radio Liberty.
Abadullah Hananzai, journalist and videographer for Radio Free Europe, Radio Liberty.
Sabawoon Kakar, a five-year veteran of Radio Free Europe, Radio Liberty.
Ghazi Razuli, reporter for Afghanistan's One TV,
Naruz al-Rajabi, a cameraman, also with One TV,
and the final two who lost their lives,
Salim Talsh and Ali Salimi, both with Mashal TV.
May they all rest in peace.
May their families, friends and colleagues be granted consolation in their grief.

hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had a story come by from the MIT Technology Review, and the title of the article was, When an AI Finally Kills Someone, Who Will Be Responsible? Let's dig in here. What are we talking about?
So this sounds like a horror movie gone completely wrong. I actually think it's a relatively realistic scenario in the near future. So the proposition this article raised is that it's going to happen sometime over the next several years. We have a self-driving car navigating the city streets, and it accidentally hits somebody. Who is going to be held legally responsible? And that's something that this academic, John Kingston of the University of Brighton in the UK, has tried to sort of decipher and do a legal analysis of. So obviously,
an AI is not a real person. You can't lock this person behind bars, either real bars or proverbial bars. So we're sort of looking at alternatives, which actual humans would get punished for
either the deliberate actions or
the negligence of an AI. And this author proposed a few alternatives, a few sort of legal theories
about who we should hold accountable. First, he calls a perpetrator via another. In the physical
world, it would be when somebody gets somebody else who has some sort of mental incapacity,
maybe a minor, maybe a dog, maybe someone with
severe mental illness, to commit a crime for them. And then the person who actually solicited that
crime is the one who should be legally responsible. And that seems like something that you could
reasonably apply to AI. If I hacked into the system and instructed the self-driving vehicle
somehow to hit somebody on the street, I should be held legally responsible. Second theory he talks about, natural probable consequence, that's sort of when
in the course of doing what it does, the AI would happen to cause some sort of harm. And the example
that this author gives is an artificially intelligent robot in a Japanese motorcycle factory killing a human worker. It sort of reminds me, you know, of the Simpsons episode where the Itchy and Scratchy characters
falsely identify the Simpsons family as other robots to murder.
But that's sort of what he's talking about here.
The robot makes a mistake.
And if the programmer knew that this was potentially a concern,
then they could be held legally responsible. And then finally, there's the third theory,
which is direct liability. And that requires both an action and an intent. Action is usually going
to be pretty straightforward in this scenario that he's talking about, the AI hits somebody with their car. But the question is
intent. And this hypothetical, it's very unlikely that somebody had the intent to
program the self-driving vehicle to hit somebody. In that case, intent is going to be really hard
to prove. So what he proposes is that perhaps we should consider it as a strict liability crime.
There are a lot of crimes in our legal system.
One of them is statutory rape.
Frequently we see speed limits as a strict liability defense where either even if you had a good excuse and you didn't know what you were doing is wrong and you had no sort of criminal mental state of mind, you could still be held criminally liable.
So these are sort of the three theories he posited.
Certainly, I don't think it's something we're going to come to a resolution on anytime soon,
but they're certainly interesting issues to think about.
Yeah, it'll be interesting to see how it plays out.
So I guess we'll have to stay tuned.
As always, Ben Yelin.
I'll see you in 2023.
Would your
Skynet go self-aware? I can't remember.
Is it already supposed to have happened? Yeah.
It might happen. Yeah. All right.
All right. Ben Yelin, as always,
thanks for joining us. Thanks.
Cyber threats are evolving
every second, and staying ahead is
more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
Thank you. Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Vilecki, Gina Johnson, Bennett Moe,
Thanks for listening.
We'll see you back here tomorrow. Thank you.

and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.