CyberWire Daily - Maritime cybersecurity concerns. ExpressLane dump stirs up international trouble. IoT botnet threat addressed. Defray ransomware. Cyberattack in Scotland. Tehran's info-ops rapper.

Episode Date: August 28, 2017

In today's podcast, we hear that the USS McCain collision appears to be unrelated to any cyberattack, but observers warn of ICS security issues as maritime cyber concerns rise. WikiLeaks' ExpressLane Vault 7 dump raises concerns in India. Telnet credentials for Internet-of-Things devices exposed; security experts work to close this DDoS risk. "Defray" ransomware being distributed with unusually precise and plausible spearphishing. A ransomware attack disrupts some healthcare services in Scotland. Acquisition news in the cyber sector. Ben Yelin from UMD CHHS on websites logging form submissions even before you hit the "submit" button. And Iranian information operations seem to be piping the devil's tune (more or less literally, from Tehran's official point of view). Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. Check out & subscribe to Recorded Future's free intel daily. We read it every day. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. JHUISI & partner COMPASS Cyber present Cyber Security Conference for Executives on September 19th in Baltimore. Register for the event. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The USS McCain collision appears unrelated to any cyber attack, but observers warn of ICS security issues as maritime cyber concerns rise. WikiLeaks' ExpressLane Vault 7 dump raises concerns in India, Telnet credentials for Internet of Things devices are exposed, Defray ransomware is being distributed with unusually
Starting point is 00:02:15 precise and plausible spear phishing, ransomware disrupts some healthcare services in Scotland, acquisition news in the cyber sector, and Iranian information operations seem to be piping the devil's tune. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 28, 2017. The U.S. Navy's investigation of the destroyer USS McCain's collision with a merchant tanker a week ago seems to be tending toward the painful conclusion that seamanship errors and not cyberattacks were the cause. This hasn't halted speculation about a cyberattack,
Starting point is 00:02:54 with many observers offering suggestions as to how such an attack might have been accomplished. These are perhaps best regarded, absent further evidence, as hypothetical cautionary tales. Most will be familiar to those who have followed accounts of industrial control system vulnerabilities. There's a strong family resemblance. Remember, these are cautionary tales about control system vulnerabilities, not findings from any investigation into the collision. They include a malware-laden USB drive. This is believed to have been the method used to introduce Stuxnet
Starting point is 00:03:27 into an Iranian nuclear research and development facility. Infected diagnostic and maintenance equipment, perhaps during a visit to its home port. Infection by a malicious insider, although the famous cases of malicious insiders have typically involved espionage, not sabotage. Installation of a rogue device into an internet-connected network, malicious components introduced into a compromised supply chain, exploitation of an unpatched vulnerability in a legacy control system, and of course, all the other methods by which control systems are rendered vulnerable.
Starting point is 00:03:59 The bodies of all 10 McCain crew members who were missing have now been recovered. We spare a thought for them, their families, and their shipmates as we follow news of this sad mishap. WikiLeaks' Vault 7 dump last week featured descriptions of ExpressLane, an alleged CIA program for installing liaisonware to allegedly extract information from partner agencies. Most of those agencies are believed to be other U.S. organizations, including NSA, FBI, and the Department of Homeland Security.
Starting point is 00:04:31 But WikiLeaks suggested Friday that international partners were similarly affected. The information ExpressLane is said to have collected included biometric data. The strongest reactions so far seem to be from India, where the public is already skittish about several disclosed vulnerabilities in their national identification program. The Unique Identification Authority of India, responsible for the program, dismissed any suggestion that the CIA was trawling through India's biometric data. They say they had stringent security features in place to prevent the sort of compromise WikiLeaks insinuated Langley accomplished.
Starting point is 00:05:08 They also said that allegations to the contrary were coming from sources with vested interests. The authorities' denials are being received with a grain of salt by the Indian media, which has seen too many other issues surface with the identification program to accept easy reassurance. NewSky Security researchers have noticed a large list containing thousands of working IoT device Telnet credentials dumped online, an obvious distributed denial-of-service threat. Security experts are scrambling to forestall that possibility. The GDI Foundation, a not-for-profit organization whose stated mission is to defend the free and open internet by trying to make it safer, addressing security issues through responsible
Starting point is 00:05:51 disclosure, says the list includes just over 8,200 unique IP addresses. Just over 2,000 of the devices were still running open Telnet services this weekend, and around 1,700 of these were reachable with the leaked credentials. The concern, of course, is that the IoT devices could be roped in by bot herders to give greater effect to a distributed denial-of-service campaign. It appears that prevention is well in progress, with the GDI Foundation and others reporting a gratifying response to the warnings they've sent device owners. Proofpoint researchers have found a new strain of ransomware, Defray, infesting targets across a range of sectors, especially healthcare, but also manufacturing and even an aquarium.
Starting point is 00:06:36 Defray is a small-scale, highly targeted effort, selective in its prospecting and not asking for an unusually high ransom. $5,000 is the amount being mentioned. The campaign is unusual in its very plausible, carefully baited spear phishing. It's unknown for now whether the incident is a Defray infection, but healthcare services operated by National Health Service Lanarkshire in Scotland were hit last weekend by a ransomware attack that disrupted patient care into the week. NHS Lanarkshire, The Register sourly notes, was among the British healthcare operations hit by WannaCry earlier this year. The service's chief executive apologized to patients,
Starting point is 00:07:15 asking them to bear with the healthcare provider as it brought its systems back online and requesting that people delay non-urgent care. In industry news, Forcepoint announces its acquisition of behavioral analytics shop RedOwl. Details of the price are not presently available, but it represents a significant addition to Forcepoint's capabilities. Finally, with all the attention rightly devoted to ISIS, it's easy to overlook ISIS's competitors in jihad, which include not only
Starting point is 00:07:46 Sunni rivals in al-Qaeda, but of course Shiite Iran. The Islamic Republic has long denounced America as the great Satan, and chants of death to America have long been a staple of popular information. But Iran's leaders have apparently decided that this mode of delivering the message is stale. The New York Times reports that the Islamic Republic has permitted distribution of a rap version as an updated way of inspiring the rising generation. This despite Tehran's long-standing condemnation of rap music, and for that matter, dancing. The online videos feature rap delivered from atop the bridge of a frigate, stomping soldiers, flags, effigies of the Statue of Liberty,
Starting point is 00:08:27 clutching a menorah in case you didn't get the point that the great Satan is involved with the Zionist lesser Satan, and so on. Reviews have been mixed. It's perhaps worth remembering from an information operations point of view that Satan is, in his supposed interactions with believers, fundamentally a tempter, and so one might think twice before playing the tune that the devil's piping. But that, of course, is a matter for authorities in Tehran to decide. It's also perhaps worth recalling that Russian information operations, for all their historic success, have always played best with straight
Starting point is 00:09:02 disinformation. Our linguistics desk says they never came across a lamer attempt than they did in the Cold War endgame, when they tried to use rock and roll as a way to reach youth. We leave you with one such example. [Sung in Russian:] ...we'll see each other. My telephone numbers are scattered across the cities. The heart cares, the heart worries, the mail freight is being packed. My address is not a house or a street,
Starting point is 00:09:39 my address is the Soviet Union. My address is not a house or a street, my address is the Soviet Union. My address is the Soviet Union. My address is not a house or street. My address is the Soviet Union. Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:31 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:11:06 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:11:56 And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:13:06 Joining me once again is Ben Yelin. Thank you. who fill out a form online, a web form like all of us do. But before you even hit the submit button, this company has already grabbed that data that you may have put into that field. What's going on here? So this is technology from a company called NaviStone, and many familiar companies to us use this particular technology. One of them is Quicken Loans. If you want to find out how much a mortgage is going to cost, you go to Quicken Loans website, you fill out some personal information, what your income is, your location, et cetera, et cetera, and they'll give you a quote.
Starting point is 00:13:34 Now, most of us assume that unless we press that submit button, the website is not going to collect that information. But what NaviStone's technology does is it collects every piece of information that you filled out even before you've pressed the submit button. And in a survey of a bunch of different websites that use this technology, only a few of them actually give a warning anywhere on the website, anywhere on the page that says some of the information you enter into the applicable fields could be stored and retained. So this potentially could run afoul of a whole number of laws, including some business fraud laws where they're misleading consumers about what information is being collected. Yeah, let's dig into that a little bit. I mean, I think most of
Starting point is 00:14:21 us probably, as you said, assume that our information isn't being collected there. Is this a matter of just bad form on their part? Or run us through what are some of the actual legal traps that these folks could fall into for doing this? So there's a U.S. law, I actually have the citation here, part of the U.S. Code, Section 45, that prohibits unfair or deceptive acts or practices in affecting commerce. Now, this was just one legal analyst who was hypothesizing that this law could be applicable because this is potentially deceptive. You think that any information you fill in before pressing that submit button, and I think all reasonable people think this, you think that that information has not been submitted, that it's been protected? If you change your mind at the last minute, you're not forfeiting your
Starting point is 00:15:08 personal information. This is potentially unfair or deceptive, especially if there's no warning in the terms or conditions. Obviously, none of us really read the terms and conditions anyway, but it was especially disturbing to see that of all the companies that use this NaviStone software, only one of them actually had an item in the terms and conditions saying that the information you enter into the fields can be collected even before it's submitted. Yeah, so browser beware, and hopefully by shining a light on this, maybe some of these companies will back off this policy. Yeah, and one of the interesting things about this is after Gizmodo posted this story on its website, I think it generated some very bad publicity for NaviStone.
Starting point is 00:15:49 And they have now said they're not going to collect email addresses from people in this way, which I think is interesting. It's interesting that the activism of the electronic privacy community gets results once in a while and can shame, in a way, some of these companies from the most abusive consumer practices. All right. Ben Yelin, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:16:38 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Your AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:17:54 Learn more at ai.domo.com. That's ai.domo.com.
