CyberWire Daily - Memcrashing no longer just a theoretical possibility. Fancy Bear's pawprints in German networks and other peoples' embassies. Deterrence in cyberspace. High-profile fraud victims.
Episode Date: March 2, 2018. In today's podcast, we hear that a Memcrash amplification attack took GitHub offline, but only briefly, thanks to Akamai mitigation. Germany continues to fight off ongoing attacks on sensitive government networks. Germany hasn't said so, but everyone else sees Fancy Bear's pawprints over this one. Fancy Bear is also said to be snuffling around embassies and other diplomatic targets. Capitol Hill mulls cyber deterrence. Equifax breach looks worse. Robert M. Lee from Dragos on ICS in advanced manufacturing. Guest is Marcus Harris from Saul Ewing Arnstein & Lehr LLP, discussing the decision by companies like McAfee and Symantec to allow the Russians to look at their source code. Two high-profile fraud victims.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Memcrash amplification attack took GitHub offline, but only briefly thanks to Akamai mitigation.
Germany continues to fight off ongoing attacks on sensitive government networks.
Germany hasn't said so, but everyone else sees Fancy Bear's paw prints all over this one.
Fancy Bear is also said to be snuffling around embassies and other diplomatic targets.
Capitol Hill mulls cyber deterrence.
The Equifax breach looks worse.
And the story of two high-profile fraud victims.
I'm Dave Bittner with your CyberWire summary for Friday, March 2, 2018.
The amplification attacks against which security experts warned earlier this week turned up in the wild Wednesday.
GitHub was briefly taken down.
Estimates range from 5 to 20 minutes.
Security experts call it the biggest distributed denial-of-service campaign on record, 1.3 terabits per second.
The attack used the amplification potential of memcached servers.
Akamai, whose Prolexic service GitHub used to mitigate DDoS attacks, was able to stop the attack by routing traffic coming to and from GitHub through Akamai's scrubbing centers to screen malicious packets.
Fortunately, Akamai had recently put measures in place that enabled it to handle memcached amplification attacks, a problem that has only come to light in recent weeks.
This form of attack differs from ones using the more familiar attack tools like Mirai in that it doesn't depend upon a botnet established by malware infestations.
Just spoof the target's IP address, send a few queries to memcached servers, and Bob's your uncle.
Too many memcached servers sit out there facing the Internet and open to exploitation.
Some 100,000, by estimates reported by Wired magazine.
Until those are closed, other enterprises face the risk of cripplingly large DDoS attacks.
Germany, which continues to work on remediation of what's being called an ongoing attack on a government-dedicated secure network, officially declines to attribute the attack.
Their economy minister yesterday said that while there were no indications Russia was behind the hack, it would be problematic if this turned out to have been the case.
Few others are so reticent.
The industry consensus is that the attack is the work of Fancy Bear, Russia's GRU.
Some members of the Bundestag who've been briefed on the incident are calling it a form of warfare.
Fancy Bear has been busy elsewhere, too.
Palo Alto Networks reports that it's observing a campaign mounted against diplomatic targets elsewhere in the world.
As disturbing as Russian cyber operations have been, CrowdStrike says that, in its view, North Korea remains the greater threat.
Dragos agrees that North Korea needs to be taken seriously.
The company believes Pyongyang has been working hard on tools to be used against industrial control systems.
It also believes the DPRK is sizing up the U.S. power grid as a promising high-payoff target.
General Paul Nakasone, nominated to succeed Admiral Rogers as head of NSA and U.S. Cyber Command, thinks deterrence in cyberspace is difficult but essential.
He told Congress the opposition must face costs.
What costs to impose and how to impose them remain difficult questions to answer.
For deterrence to work, you need to have identified something the opposition values and shown that you can hold that value at risk.
Classical nuclear deterrence held human beings, whole cities of them, at risk.
No one has yet come up with a clear analog in cyberspace.
Few advocate lethal attacks on critical infrastructure as part of a new mutually assured destruction regime.
So far, deterrence seems to have come down to economic sanctions and naming and shaming.
These aren't crazy or weak approaches, but they do appear to have proven insufficient.
As recent inquisitions on Capitol Hill suggest, the U.S. Congress is in a pretty sharkish mood.
It will be up to General Nakasone to come up with something that will satisfy their appetite for credible retaliation.
The Equifax breach, first publicly disclosed last September, has just been discovered to be worse than originally thought.
As investigation continued, Equifax determined that nearly 2.5 million U.S. customers not notified during the initial round of disclosures turn out to have been affected.
Equifax, which posted an update to the investigation on its site yesterday, is notifying the affected parties by U.S. mail.
Finally, don't think it's just the naive and unsophisticated newbies who swallow phishing and other online scams, hook, line, and sinker.
FS-ISAC, the Financial Services Intelligence Sharing Group, is widely regarded as one of the more capable organizations of its kind.
Yet even so, one of its employees was successfully phished by crooks who induced the hapless fellow to pony up his email credentials, which they then proceeded to use in phishing other FS-ISAC personnel.
Happily, the imposter was quickly recognized and contained before it spread very far.
The ISAC people who received the spoofed round of phishing emails were quick to be suspicious and report the problem.
And of course, you've heard of Steve Wozniak, one of Apple's co-founders.
The Woz himself says he was hoodwinked by someone who bought bitcoins from him a while back.
The scammer paid for the cryptocurrency with a credit card, and then, once the seven bitcoins were transferred to his wallet, just went ahead and charged back his credit card.
So you can reverse a credit card transaction, but not so a bitcoin transfer.
Those are irreversible.
So Mr. Wozniak was left with nada, zippo, zilch.
Seven bitcoins would be worth today around $70,000.
Be sorry for the Woz, but don't worry, we hear he'll still be financially okay. And good on the Woz
And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Robert, welcome back.
We have been working our way through some of the various ICS environments.
And today I wanted to talk about advanced manufacturing.
What can you tell us about that?
Yeah, absolutely.
So when we think about the manufacturing industry in general, it is good to be able to separate it out into different classifications like you did in the introduction.
When you think about manufacturing in North America, I think there's something like 7,300 or so manufacturing shops.
That's not all what we're talking about, though, because many of those are not interconnected systems or using industrial control systems in the way that we are talking about when we think about advanced manufacturing.
So when I think of advanced manufacturing, it is those environments where they have industrial control and they have interconnected systems and they're taking advantage of technology to help their process in a significant way.
Think of like Tesla and SpaceX and Pepsi and Kellogg, these big manufacturing companies.
And for them, what's interesting about their challenges as well as opportunities for business is, unlike any other industry, they're really going towards the Internet of Things.
But it's not the traditional Internet of Things. It's an extension of industrial control. So we generally call it the Industrial Internet of Things.
Sometimes people get confused and think that IoT and IIoT are very similar. Oh, they're just one letter apart.
that IoT and IIoT are very similar. Oh, they're just one letter apart.
They're a world apart.
You basically go from IoT to IT to ICS to IIoT.
There's kind of a life cycle there.
But those advanced manufacturing folks, instead of just having their traditional SCADA-type environments, they've got their control elements and things on the factory floors.
But they've also got things like robot arms that are connected and they can swing around and there can be safety issues if it's not protected correctly.
Maybe even a simple broadcast storm in the network could cause one of those things to malfunction.
And if the human operator is outside of, like, a safety cage, well, that's going to introduce a potentially life issue in terms of safety.
So for them, they've got this amazing opportunity to take advantage of industrial internet of things as well as ICS to be much more effective, efficient and automated in the production processes than ever before.
But at the same time, they have the risk that there are now issues, not only incidental sort of malware and incidental broadcast storm and that kind of thing, but also of a targeted nature where things can occur to stall or disrupt the process.
You know, the factory lines sometimes have a very, very tight schedule.
And when they're producing like the Tesla, as an example, you know, they're very much pushing full steam ahead.
But they also have the consideration that a lot of the intellectual property is not just stored in the IT environment.
The actual implementation of how you're making devices and configuring them together, and the efficiency to which you're achieving that, in and of itself is an intellectual property. And a lot of that's contained down in the industrial networks.
And so an adversary getting into those locations, espionage, is a significant challenge for them.
So when we think of electric and oil and wind and water, these other places, there's issues and there is espionage. There's a very, like, military focus for a lot of foreign nation states on projecting foreign power.
When you think of manufacturing, that is also true, but there's also a major component of intellectual property that they're trying to address. So they also have some unique threats in doing so.
So while they have a great opportunity in front of them, making sure that they can identify and understand and protect all those new thousands, tens of thousands of internet, not really internet connected, but interconnected industrial IoT devices, that is a challenge that they're now trying to adapt and meet.
Robert M. Lee, thanks for joining us.
My guest today is Marcus Harris. He's a Chicago-based global technology attorney at Saul Ewing Arnstein & Lehr LLP.
Our conversation centers on recent news that software companies like SAP and McAfee are allowing Russian government entities to view their source code, and why, as a software litigation expert, he thinks that is a bad idea.
This has been going on for probably, I would say, at least a couple of years, where in order to gain access into the Russian market, which is a multi-million dollar market that's incredibly desirable for companies like SAP, Symantec, McAfee, Oracle, to enter, what the Russians are doing as a requirement of entry into their marketplace is requiring that software companies provide these Russian entities, which are typically agents of the Russian government, either explicitly or implicitly, with access to the source code of the software, with the pretense being that the Russians want to review the software source code in order to make a determination as to whether it has any vulnerabilities in it.
Is there a reasonable argument that they can make that this is an anti-espionage tactic, for example?
And I think they have made that argument, and I think it's certainly a reasonable argument.
Where that argument starts to become suspect, I think, is when the software is going to be utilized in really a non-governmental application.
So if that software is going to be utilized in a business that really has very little dealing with a Russian governmental entity, I don't see what the purpose of any kind of a substantive source code review would be.
So I think, you know, if they're going to pin their hat on an argument that, hey, this is important because we need to make sure that, you know, our governmental interests are not going to be compromised, you know, it doesn't make a lot of sense the farther removed you get away from actually utilizing that software in a government entity.
And so what's the risk here? If this is consumer software or something that people are using to run their businesses, it's not a military situation or anything like that, what is the downside for us?
Well, I think there are a number
of risks, and I think, I actually do think that, you know, there are really at least two substantive arenas where this becomes risky.
And the first is certainly from a national security perspective. You know, you've got
Bill McDermott in a meeting a couple of weeks ago with President Trump touting that, and Bill
McDermott, by the way, is the CEO of SAP, which is one of the companies that has provided the Russians with the ability to access and review their source code.
Bill McDermott is sitting there in the White House touting that both the Army and the Navy utilize the SAP software in their operations.
So from that perspective, I think certainly it's a national security issue. But I think from a general business perspective, I think there's a lot of vulnerability and a lot of risk that any business owner that utilizes enterprise software needs to be aware of.
And that's a very large number of businesses.
I mean, enterprise software today is very much the backbone of the way modern business is conducted. And I would bet that virtually all companies of any size are going to utilize an enterprise resource software application, whether it's in the cloud or on-premise.
And to the extent that your vendor has made its code available for review to a hostile government entity like, say, the Chinese or the Russians, in the case of China in particular, that country doesn't have a good track record of protecting intellectual property and actually has a track record of commercial espionage, trying to obtain proprietary information, confidential information so that it can utilize it for its own economic interests.
I think that's a big deal because I think then what happens is that you don't know what the substantive risk associated with using that software could potentially be.
And I think you have to take reasonable steps to safeguard yourself from at least the possibility that your vulnerable information, your trade secrets, your proprietary information, your confidential information could be vulnerable to a greater extent than it would otherwise have been
had these companies not provided the key to the factory shop to these hostile government entities.
So I think it's a huge risk.
I remember, I think it was back in the 90s,
when the U.S. government classified certain types of encryption as munitions,
so it was illegal to export them.
Do you think we need that sort of oversight,
where the code behind some of these software packages,
the distribution of it gets oversight by the feds?
Yeah, I think so.
I think the example that you raise is a good one because there's all sorts of regulations associated with encrypted software.
Depending on the type of encryption, there's regulations as to what countries that particular piece of code or product can be exported to.
And I think there needs to be a very deep dive into what kind of government regulations need to be applied to this type of scenario.
I think if there are certainly going to be government entities that are utilizing software where that software's source code has been disclosed essentially to the United States' enemies, I think certainly there needs to be regulation of that. And it needs to be prevented or at least managed very carefully.
I think it becomes a little bit more difficult to tell these companies what to do with their source code to the extent that it's not something like encryption where it can be readily used against the country's interest, the United States' interest.
But I certainly think that this kind of blatant review for the purposes of understanding the software, understanding its vulnerabilities under the guise of protecting the Russian government, for example, but really for the purpose of facilitating hacking and the like. I mean, some of these government entities on the Russian side that actually access the software or the source code are some of the same government entities that are allegedly responsible for hacking into the DNC's email system.
So there's a substantial risk, and I think government regulation needs to come, and it needs to come quickly in order to manage this process.
That's Marcus Harris. He's an attorney with Chicago law firm Saul Ewing Arnstein & Lehr LLP.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.