CyberWire Daily - Mueller finds no evidence of Russia collusion. ISIS no longer holds any ground. LockerGoga hits chemical plants. FEMA fumbles PII. Cyber 9/12. PewDiePie versus T-Series.
Episode Date: March 25, 2019. In today's podcast, we hear that the US Attorney General has reported to Congress the results of Special Counsel Mueller's investigation. The basic finding is that there's no evidence of collusion with Russian influence operations. ISIS no longer holds any ground. Expect it back in cyberspace. LockerGoga ransomware hits two chemical plants. FEMA mishandles more than two million disaster victims' PII. Notes on Cyber 9/12. And there's a squabble for YouTube subscribers. Robert M. Lee from Dragos on their recent purchase of NexDefense and the subsequent open-sourcing of their tools. Guest is Rohit Sethi from Security Compass on the PCI security framework. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Attorney General has reported to Congress
the results of Special Counsel Mueller's investigation.
ISIS no longer holds any ground.
Expect it back in cyberspace.
LockerGoga ransomware hits two chemical plants.
FEMA mishandles more than 2 million disaster victims' PII.
Notes on Cyber 9/12.
And there's a squabble for YouTube subscribers.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, March 25th, 2019.
Special Counsel Robert Mueller closed his probe of Russian election meddling with a report to the U.S. Attorney General Friday.
Sunday afternoon, Reuters tweeted that Attorney General Barr informed Congress that the investigation found no knowing collusion
between the Trump campaign and Russian actors. The Attorney General's letter to the Senate and
House Judiciary Committees summarized the investigation into Russian influence operations.
Those operations followed two broad directions of attack,
trolling from Russia's Internet Research Agency and attacks on Democratic Party networks.
In these matters, the special counsel found that neither, quote, "the Trump campaign or anyone
associated with it conspired or coordinated with Russia in its efforts to influence the 2016 U.S.
presidential election," end quote.
Special Counsel Mueller declined to make a recommendation on obstruction of justice,
where the evidence is complicated and indistinct, and the Attorney General sees nothing to warrant charges. As the letter continues, quote,
"After reviewing the Special Counsel's final report on these issues, consulting with department
officials, including the Office of Legal Counsel, and applying the principles of federal prosecution that guide
our charging decisions, Deputy Attorney General Rod Rosenstein and I have concluded that the
evidence developed during the Special Counsel's investigation is not sufficient to establish that
the president committed an obstruction of justice offense. Our determination was made without regard..."
The Special Counsel will not recommend any further indictments.
The full text of the Mueller report is expected to be released after the Justice Department reviews it
to redact any information the Federal Rules of Criminal Procedure preclude the department from disclosing.
ISIS's caliphate now officially controls no territory,
having been ejected from its last enclaves in Syria.
Its leader, Abu Bakr al-Baghdadi, remains at large or at least unaccounted for.
So does much of the terrorist group's money.
Its adherents intend to continue jihad through the Dar al-Harb, which is where most of you listeners reside.
ISIS has shown small capability to conduct cyber attacks properly considered, but it has been and can be expected to remain active online with inspiration and
recruitment. Kaspersky Lab reports that Asus laptops were infected with malware via the
company's automatic updating system. Kaspersky calls the campaign Operation Shadowhammer.
There's no attribution yet, and Asus hasn't commented publicly, but Kaspersky says they've notified the Taiwan-based manufacturer
and that Asus is working on the problem.
Operation Shadowhammer appears to have been conducted between June and November of last year
and may have affected 51,000 users.
The LockerGoga ransomware that afflicted Norsk Hydro has hit two U.S. chemical companies,
Hexion and Momentive.
This brings to four the number of known victims of LockerGoga.
The first was Altran, the French engineering consultancy hit in January,
and the second was Norsk Hydro, best known for aluminum production,
which sustained a LockerGoga infection earlier this month.
Norsk Hydro has largely completed its recovery, and both Hexion and Momentive have theirs underway.
On Friday, the U.S. Federal Emergency Management Agency, FEMA,
acknowledged improperly disclosing disaster victims' personally identifiable information to an unauthorized third party.
The people affected were victims of 2017's California wildfires
and of Hurricanes Harvey, Irma, and Maria.
Some 2.3 million people's data were exposed
in what the Washington Post calls the biggest data breach to occur under the current administration.
It's not clear whether any crimes have been committed on the basis of
the lost data, but if nothing else, the incident will test the government's express determination
to hold officials responsible for mishandling data.
FEMA has declined to name the contractor with whom it overshared.
The PCI Security Standards Council recently published a new Software Security Framework,
including the PCI Secure Software Standard and the PCI Secure Software Lifecycle.
Rohit Sethi is Chief Operating Officer at Security Compass,
and he shares his thoughts on what it all means.
It is much more in-depth on the requirements for people producing software to make sure that software is secure. Now, at this point it's just the standards. There is no program around it, meaning there isn't anything rolled out yet that says when it's going to be mandatory for specific participants in the payment ecosystem, but we expect that to happen later this year. I think there's two ways to think about this. There's one from the standard itself, right? And so, for example, if you're a payment application vendor, you know, what will happen is that instead of having to go through the standard PA-DSS process, you'll eventually be moving to the software security standard. And the two programs were rolled into one. Practically, what that means is that there's going to be a degree of scrutiny in the way that you produce software and how secure that software is that we haven't really seen from other compliance mandates before.

Now, the standard itself, there's actually two standards. One is the software security standard and one is the secure lifecycle standard. The software security standard is, again, a more in-depth standard on a specific release of software. But one of the things that PCI recognized early on is that as people are moving to agile and DevOps development, it's simply not feasible to necessarily have every release of software go through this certification process and still remain nimble and agile and use modern software development processes. So they've introduced this concept of a secure lifecycle standard so that, instead of having every single release certified, when organizations are sometimes shipping multiple releases in a day, you can periodically get the software itself certified. And then if you have the development process around it certified, then essentially it allows you to release more frequently without going through the same depth of analysis for every single individual release.

If you're somebody who produces software in the payment ecosystem, and specifically payment vendors, you're going to have to, at some point, actually comply with this standard. Now, there are thoughts about how this might apply to other participants in the ecosystem. At this point, it doesn't necessarily apply to people who have to comply with the PCI DSS. That's the common one I think we mostly think of when we hear PCI, which is a data security standard. But as you know, in the PCI DSS standard, there is actually a section on application security today. And it's possible that sometime in the future, elements of the software security standard could find their way there. I think a lot of it will depend on how it rolls out and how it's received in industry.

The other, I think, bigger impact, if you will, is I believe they're setting a precedent. And if you look at the OWASP Top 10, the Open Web Application Security Project Top 10, that was a standard that was developed many, many years ago. In 2006, the PCI Data Security Standard sort of, I guess you could say, made the OWASP Top 10 popular. People learned about this idea that there are 10 really common application security risks. And what happened was, after PCI adopted it, it was almost, you know, I won't say every single other standard followed PCI, but something like 30 different standards today all reference the OWASP Top 10. And so PCI has this, I guess you could say, reputation of being kind of a leader from a compliance standpoint. And so what we believe is PCI is stepping up the scrutiny that we're paying on payment applications, the payment providers, by way of software security that is largely absent from the entire rest of industry. With the exception of a handful of pockets in, say, defense and large banks, most industries do not have any mandate to produce secure software. They have other security mandates, but they don't have to build security into the development process.

I think it'll be hard for things like, say, industrial Internet of Things providers and automotive manufacturers and telecom and other parts of infrastructure that are really critical to really justify that they don't also make sure the products are very robust and secure in the same way as payments are doing today. So we feel like PCI is setting a precedent and other industries are going to follow suit.
That's Rohit Sethi from Security Compass.
We were able to spend last Thursday and Friday in Crystal City, Virginia,
observing the Atlantic Council's Cyber 9/12 Strategy Challenge.
The competition challenged teams of students to develop policy response recommendations for the U.S. President.
The scenario was a tabletop exercise with well-crafted ancillary material.
It presented the competing teams with an evolving situation
designed to capture much of the ambiguity crises carry.
Congratulations to the two winning teams and their coaches.
NDU Team 3 of the U.S. National Defense University won the professional track, and the U.S.
Air Force Academy's Team de Longrand took top honors in the student track. And congratulations
to the other participants as well. The ones we observed represented themselves and their home
institutions with credit. We won't go into details about the scenario because we don't want a repetition of the Orson Welles' War of the Worlds moment we had the last time we did so,
but we will say that the scenario featured several superficially or perhaps coincidentally related incidents.
In any case, the exercise was for the most part conducted under the Chatham House Rule,
and we'll honor the conventions of non-attribution by confining ourselves to general observations.
It was striking how difficult the teams found it
to acknowledge and accommodate conditions of uncertainty.
The exercise materials intentionally left a great deal in doubt,
and most of the teams tended, in their recommendations,
to be more confident in their understanding of the evolving situation
than the evidence warranted. The teams also tended to perceive connections among disparate events
where in fact no such connection existed and there was nothing beyond simple correlation, similarity,
coincidence, and so forth. This led many to conclude that the scenario painted a picture of a large-scale
coordinated cyber attack by a hostile nation-state.
One of the harder lessons to learn is skepticism about our tendency as humans to perceive noise as signal.
In the presentations themselves, some of the teams drifted away from considering their audience.
A decision briefing is prepared for a particular decision-maker,
and its goal is to inform the decision not to display the briefer's command of their material.
One other lesson was drawn by a student we had occasion to speak with.
Policy is a lot harder and more complex than technical people tend to think it is.
So another interesting exercise by the Atlantic Council,
a very good and intelligent effort by all who competed.
And finally, ransomware motivated by fandom flares in the fight for the top rank on YouTube.
It's between T-Series and, of course, PewDiePie.
Mr. Pie's adherents have been distributing PewDiePie ransomware, regarded as a poor copy of ShellLocker, and more recently and dangerously, PewCrypt, both with a view to forcing victims to subscribe to Mr. Pie's channel.
...his fans' hacks.
But on the other hand, it must be said that YouTube stars, as we've
come to call them, hardly offer
the most edifying of examples.
Stay in school, kids.
And joining me once again is Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
You all at Dragos recently made an announcement, a purchase that's going to benefit a lot of people.
What's going on here?
Yeah, absolutely. So our company is a technology company in the ICS or industrial security space.
There's a lot of people that want to get started in ICS security, but it may not be really obtainable.
There are a lot of companies that want to dip their toe into doing something, but it's very difficult, I think, to go from we're not doing anything today to, hey, we're rolling out an industrial security program.
And one of the early companies in this space was a company called NexDefense.
So they had a technology that used to be called Sophia and then got rebranded as Integrity.
It was a continuous monitoring tool for the purpose of asset identification.
One of the actual first passive asset identification tools in the industrial security community came out of Idaho National Labs.
And then, of course, NexDefense built a company around it.
So we announced that we purchased NexDefense.
We bought out the company.
So by purchasing NexDefense, it allows us to have access to their product as well, which is Integrity.
And then a legacy product that we actually had, which was an assessment tool called CyberLens
and had been used in the community for a long time.
So we've taken CyberLens, the assessment tool, and Integrity, which is more of a fully professional
continuous monitoring kind of asset identification tool, and we're just making it free to the community.
Essentially, if you're in the community, you're welcome to download them for free.
They're really meant to help people get a handle on asset identification, or at least a starting
place, not a full-feature asset identification tool. Obviously, we're a company. It's a, hey, if you
really want a professional tool that's going to help you do this long term, as well as threat
detection and response to everything else, sure, go buy our product. But, hey, for the rest of the
community, as a starting place, especially for the smaller players, just here's a tool to go get
started. I think something that we can all agree on is the industrial community is special,
and we all care that we keep the lights on, the water going, and similar. So one of the cool
things about running a company is trying to think about ways to give back to the community.
So here, the community goes, you know, have the tools, have fun.
If you need more, obviously come contact us,
but it's mainly a, we hope this helps the community some.
All right. Well, Robert M. Lee, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.