CyberWire Daily - Malware in nuclear plant business system, but not in control systems. Facebook versus inauthenticity and spyware. Twitter refuses political ads. NIST wants comments. Cyber risk a factor in credit ratings.

Episode Date: October 31, 2019

The Kudankulam Nuclear Power Plant confirms it had malware in a business system, but that control systems were unaffected. Franchising coordinated inauthenticity. Facebook deletes NSO Group employees. Twitter says it will no longer accept political ads. NIST wants your comments. And Moody's appears ready to consider cyber risk in its credit ratings. Ben Yelin from UMD CHHS on Europeans' right to repair. Guest is part two of my interview with Tanya Janca from Security Sidekick on web application inventory and vulnerability discovery. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_31.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The Kudankulam Nuclear Power Plant confirms it had malware in a business system, but that control systems were unaffected. Franchising coordinated inauthenticity. Facebook deletes NSO Group employees. Twitter says it will no longer accept political ads. NIST wants your comments. And Moody's appears ready to consider cyber risk in its credit ratings.
Starting point is 00:02:22 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 31, 2019. Reports of a cyber incident at India's Kudankulam nuclear power plant have been confirmed. Reuters quotes a statement from the Nuclear Power Corporation of India Limited, acknowledging that it had found malware on a computer connected to administrative systems, but that control systems were unaffected. Various sources say the malware was Dtrack, an information stealer associated with North Korea's Lazarus Group. Dtrack has recently affected Indian financial and research institutions. It's worth noting that malware in a business system doesn't necessarily mean that a
Starting point is 00:03:06 control network has been compromised. Sometimes attackers have been able to pivot from business to control systems, as they did in Ukraine, but in other cases, like that of the Wolf Creek plant in Kansas, they haven't. The descriptions of what happened at Kudankulam sound so far more like Wolf Creek than they do Kiev, but it's still a matter of concern. Yesterday, Facebook announced that it had taken down 35 accounts, 53 pages, 7 groups and 5 Instagram accounts for coordinated inauthenticity. All originated in Russia and have been connected to Russian oligarch Yevgeny Prigozhin, commonly
Starting point is 00:03:43 called Putin's chef, as the Washington Post reminds everyone. Their messaging focused on Africa, specifically on Madagascar, the Central African Republic, Mozambique, the Democratic Republic of the Congo, the Ivory Coast, and Cameroon. The campaign's objective was election influence, generally aligned with Russian regional objectives. But there's also some informed speculation in circulation that the campaigns may represent, in some fashion, the emergence of a kind of franchise model into this form of information operations. The troll shops may also be working on behalf of local political factions.
Starting point is 00:04:21 Ars Technica reports that Facebook has cancelled accounts belonging to NSO Group personnel. The cancellations seem fairly extensive. By some reports circulating on Twitter, most NSO Group employees have been affected. The banned NSO people received a message from Facebook's Instagram platform that said, "Your account has been deleted for not following our terms. You won't be able to log into this account and no one else will be able to see it." The action follows Facebook subsidiary WhatsApp's filing of a lawsuit against NSO Group. WhatsApp's beef comes down to this. They claim NSO Group used WhatsApp to serve Pegasus,
Starting point is 00:05:03 which is correctly described as both spyware and as a lawful intercept product, on about 1,400 devices. WhatsApp complains that the targets included attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials. NSO Group has said it's done nothing wrong and that it intends to contest the lawsuit vigorously. As far as the Facebook deletions are concerned, NSO Group hasn't commented.
Starting point is 00:05:31 Facebook says they're welcome to appeal if they think the deletion is unfair. Yesterday, I spoke with Tanya Janca about her decision to leave Microsoft to co-found Security Sidekick. Our conversation continues with insights on the security challenges her new company is looking to face head on. We're trying to make sure that you know all of the apps and APIs that you have. So our tool goes out and finds all of them, which I know is not sexy. Inventory is not sexy, but you can't protect stuff if you don't own the stuff, if you don't know you have it. And I did so much incident response, David, for things where I didn't know I owned it. And that is the worst day of your job as an application security engineer. That's the worst
Starting point is 00:06:18 incident ever. You have no idea what it is and your data is for sale on the dark web or like it's being attacked and you don't even know where it is. So you can't even block the attack. I was a developer for a really long time, 17 years before I switched full time to security. And just so many security people getting in my way. Don't you know I have deadlines. I've got a feature. I need to do this.
Starting point is 00:06:43 And they'd be like, oh, well, if you just send it to us, when this guy gets around to it, he's going to scan it with this thing. There's going to be all this crap wrong. No one's going to explain to you what it is. So we put our tool not in the pipeline, which I realize people are like, that's sacrilege. But you don't run it manually. It runs itself. So it just lives on your network as an invisible proxy after your DNS. And so every time you visit anything, it just, it catalogs it. It's like, did you know you own this?
Starting point is 00:07:13 Because this isn't on the list you gave us. You should check it out because it belongs to you. It lives on your network or it's living in your cloud. Or did you know that, you know, the business bought the SaaS tool and that's living on your network now? FYI.
Starting point is 00:07:25 This is phase one of our roadmap and we have more that we're planning once we perfect the tool with this stuff. I'm so excited. I have to say one of the things that I always enjoy when I have the opportunity to chat with you is that you are so unapologetically you. And I mean that as a compliment. I mean, I think in this world, this sort of buttoned down world in which we live, and particularly in information security when it can be so serious and there are big things at stake, the energy and the enthusiasm that you bring, I find refreshing. And I wonder, have you found that sometimes people try to push back on that? Has it been a challenge for you to maintain your sense of self
Starting point is 00:08:18 in a world that might not always react positively to it? A little bit of pushback, but mostly those people just go sit in a different talk or don't read my blog. I have had some feedback from conference talks like, oh, she's so bubbly and effervescent. It's hard to take her seriously when she's not being serious. I am serious.
Starting point is 00:08:43 It doesn't mean I can't be in a good mood about it or be really excited that I made this giant pipeline or whatever the thing is that I did. Like, sometimes people do react badly, but those people are in the wrong talk, because you can't please everyone. You know, one other area of pushback that I've gotten is from old school security people that do not want to change and they don't want to talk to developers and they feel that all the security problems in software are all the developers' faults. I actually wrote a talk about it because I had so many bad experiences as a developer with security people. It took me a long time. And the first time I had someone run a VA scanner on my app,
Starting point is 00:09:28 he found a bunch of things wrong with it. And I'm like, oh, you know, what's this? I've never seen this before. And he was like, if you were a good developer, you would know. You should know. And then, you know, it took me three times to pass the scanning tool. And then I finally did. And I was like, wow, that was really hard. And he was like, if you're a good developer, there never would have been any problems with your app. And it's like, what type of punishment? Like, why would you speak to another person that way?
Starting point is 00:09:55 But then when I learned about, you know, scanning tools and I learned about hacking and pen testing and AppSec and solving problems, I was like, oh, that guy has no idea what he's talking about. He refused to give me help because he had no clue. And he just doesn't know the answers and doesn't and is too afraid to be vulnerable and admit he doesn't know. Especially some workplaces where you can't admit you're wrong and I'll just admit I'm wrong. Yeah. Like even in an interview where that's being recorded, sometimes I get asked a question. I'm
Starting point is 00:10:31 like, you know what? I don't know the answer to that. And I'm like, but I can find out, or, you know, maybe this or that. And we've set up like places in our industry where people feel like you're not allowed to ask for help and you're not allowed to admit you're wrong. And then that is when bad things happen. That is when developers are like, no problem. I'll write my own encryption algorithm or something else. Right. And oh, no. That is the one and only Tanya Janka. She is the CEO and co-founder of Security Sidekick. Twitter has decided that it won't try to fact-check or police paid political content. They'll simply no longer accept political ads.
Starting point is 00:11:17 The exclusion affects ads for candidates and issues, but not voter registration drives. The move is getting mixed reviews. Some think it's a sensible and even-handed way of handling inauthenticity and influence operations. This is basically Twitter CEO Jack Dorsey's view, who's tweeted that influence and reach should be earned, and not something one should be able to purchase. Others think the decision to decline political ads is a way of getting Twitter out of the censorship business altogether,
Starting point is 00:11:44 but there are skeptics on this matter. At best, Twitter seems to have kicked the problem down the road. The platform is surely right when it says that fact-checking social media at scale is practically impossible, but it's not clear that deciding what's a campaign or issue ad will be much easier. And of course, many people read Twitter's announcement as a shot at Facebook's recent refusal to fact-check political ads, a way of saying, hey everybody, we're better than the House of Zuckerberg. In the U.S., the National Institute of Standards and Technology, better known by its acronym NIST, has asked for comments on proposed cryptographic standards. The two draft standards in question deal with digital signature standards
Starting point is 00:12:27 and recommendations for discrete logarithm-based cryptography, elliptic curve domain parameters. NIST's goal is to develop sound standards that will help ensure these technologies are implemented securely. If you have thoughts on either of these, NIST would like to hear from you within the next 90 days. And finally, credit rating company Moody's made a presentation at Energy Tech 2019 on the credit and financial implications of cyber risk. Control Global welcomed Moody's
Starting point is 00:12:56 perspective as providing those responsible for control system security a key to the boardroom. The highest risk sectors are the ones, as Control Global puts it, that quote, rely on technology, are highly interconnected, and have limited ability to revert to manual operation, end quote. Cyber attacks that have an operational impact can be expected to have an effect on credit ratings. We've seen insurance affect security practices and risk calculations. They can now be expected to affect credit.
Starting point is 00:13:25 Even if you're self-insured, as some power utilities are, everybody needs credit. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:14:05 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and Quora, have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:14:38 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:32 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Ben, always great to have you back.
Starting point is 00:16:05 We had an article come by. This is from a website called Hackaday that primarily is for hardware hackers. And it's written by Jenny List. And the title is Europeans now have the right to repair. And that means the rest of us probably will too. What's going on here? So anytime we get a refrigerator, dishwasher, etc., there's sort of an expectation that if one of the parts doesn't work, we can just return it
Starting point is 00:16:31 to the manufacturer and they'll give us one in working condition or they'll fix whatever issue is affecting that device. Sure, warranties. Exactly. The truth is that in the United States, at least, there aren't rigorous legal protections for warranties for those devices. And that leaves the consumer behind. You know, obviously, this is to the delight of manufacturers who don't want to have to pay to produce a new item. Also, I can imagine if my dishwasher breaks down and I look for a replacement part, I'm handy, I'm capable of doing something on my own, but those replacement parts have been discontinued. That means instead of fixing it, I'm going to have to go out and buy a new dishwasher.
Starting point is 00:17:18 Exactly. Yeah. Which means you can't go to your local home supply store and do it yourself, even if you are a handy person. So the upshot of this article is that the European Union is introducing new rules governing what's called repairability. The law in the EU will mandate that certain household appliances and other devices, so they're talking about washing machines, dishwashers, refrigerators, TVs, anything
Starting point is 00:17:47 you can think of. Any of those items for sale within the EU have to have a guaranteed period of replacement part availability. And those replacement parts must be designed so that they can be worked upon with standard tools, whatever that means. So probably things one would have in their toolbox. So how does this affect us in the United States? So as we saw with GDPR, when you have a rigorous regulatory standard that comes out basically on anything that applies to the European Union,
Starting point is 00:18:19 multinational corporations are going to be forced to change their policies writ large to apply. So you and I got a million different emails when GDPR was going into effect saying, we've updated the Verizon Terms of Service. The reason they did that is the European Union is such a huge marketplace. They're going to have to make these changes for all of those customers anyway. They might as well do it for all of their customers across the globe. And I think that applies to what's happening here with this repairability law. Because it's being introduced in the European Union, device manufacturers are going to have to adjust their business practices to comply with this law. And while they're doing that to comply with the European law, it's necessarily going to filter down to the United States. And this could potentially be
Starting point is 00:19:09 very, very good news for consumers. Yeah. I think the part that caught my eye was the part about the requirement to have standard tools, because I think particularly with electronic devices, it seems like they'll have some bizarrely shaped screwdriver necessary. You know, here's our new dodecahedron-shaped screwdriver that you must have in order to unscrew this. And you can't go buy that at the local hardware store. Yeah, I'm very curious as to how they define standard tools. As someone who's put together a lot of IKEA furniture recently, you know that nothing is ever completely standardized.
Starting point is 00:19:49 Right, right. You know, there's going to be one screw that works, yeah, as you said, with this particular device. Well, at least IKEA has the, you know, at least they're kind enough to include the tools with the, well, I guess they have to. You're putting it together yourself. Now, you know, maybe that's something we'll see as a result of this law in the European Union. Oh, interesting. They'll prepackage the tools with the device. Right. Is it cheaper to throw in a customized screwdriver than to change all the screws in the device?
Starting point is 00:20:19 Almost certainly, I would say yes. Now, I wonder if that would satisfy the terms of the repairability law. Uh-huh. My guess is that it probably would. Of course, there's a problem of you get this device. You put the package in some corner of your basement. It has the tools in it. Right.
Starting point is 00:20:39 Five years later, you clear out your basement. Ten years later, the device breaks. And so is there still sort of a repairability element? The other sort of downside to consumers they mentioned in this article is that the repairs don't have to be directly available to the consumer. They can just be available to the manufacturer. So the spare parts, in other words, aren't going to be made directly available to the consumer. They're going to be released to the appliance repair trade. I see. So that means that the consumer is going to have to go seek those spare parts from the repair trade.
Starting point is 00:21:24 So that's another hurdle that the consumer is going to have to go through to get access to something that would fix these devices. Yeah, that's interesting. All right. Well, it'll be fun to see how this trickles down to us here in the States, but interesting development. Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:21:59 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. Thank you. Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:56 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
Starting point is 00:23:52 and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.