CyberWire Daily - NATO-Russian cyber tensions high. They're also high between Saudi Arabia and Iran. Updates on AMD vulnerability report. Another exposed AWS S3 bucket?
Episode Date: March 16, 2018
In today's podcast we hear that NATO has condemned Russia for a chemical attack in England. The US sanctions Russia for NotPetya and election meddling, and warns of Russian preparations for an ...attack against US infrastructure. Chinese cyber operations support that country's claims to the South China Sea. Iran shows increased cyber espionage activity. Observers fear a return of Triton/Trisis ICS malware. Another unsecured AWS bucket may have been found. Johannes Ullrich from SANS and the Internet Storm Center podcast, discussing credential stuffing. Guest is Rico Chandra from Arktis Radiation Detectors on securing radiation detectors.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
NATO condemns Russia for the chemical attack in England.
The U.S. sanctions Russia for NotPetya and election meddling and warns of Russian preparations for an attack against U.S. infrastructure.
Chinese cyber operations support that country's claims to the South China Sea.
Iran shows increased cyber espionage activity.
Observers fear a return of the Triton-Trisis ICS malware.
Another unsecured AWS bucket may have been found.
And my conversation with Rico Chandra from
Arktis Radiation Detectors on protecting our nation from nuclear attacks.
I'm Dave Bittner with your CyberWire summary for Friday, March 16, 2018.
NATO has placed itself firmly behind the UK in its nerve agent dispute with Russia,
which ought to give nuclear-armed Russia some Article 5 pause.
TASS is authorized to state that sources have told it that NATO won't invoke its Article 5 collective defense clause,
presumably because the chemical attack in Salisbury was too small and too ambiguous.
The official Russian line has been
that the attack wasn't its doing in any case, and besides, traitors deserve to get what's coming to
them anyway. The U.S. administration also issued sanctions yesterday in reprisal for both NotPetya
and the 2016 election meddling. Sanctions are not, Russia is unlikely to knuckle under quietly, and U.S. authorities expect attacks in cyberspace.
Yesterday, the FBI and Department of Homeland Security
contributed analysis that resulted in US-CERT issuing a joint technical alert
warning of Russian government intrusion into U.S. government and energy sector networks.
The prospecting of the energy sector is particularly disturbing,
as it includes apparent preparations for industrial control system attacks.
The alert warns, quote, DHS and FBI characterized this activity as a multi-stage intrusion campaign
by Russian government cyber actors, who targeted small commercial facilities networks where they
staged malware, conducted spear phishing, and gained remote access into energy sector networks.
After obtaining access, the Russian government's cyber actors
conducted network reconnaissance, moved laterally,
and collected information pertaining to industrial control systems.
End quote.
It goes back at least to 2016, US-CERT says, and it's an ongoing campaign.
So what would happen in the event of a full-blown cyber conflict between the U.S. and Russia?
If you ask FireEye's CEO Kevin Mandia, he would tell you Russia would win.
That's what he said yesterday in an interview on CNBC's Closing Bell.
He said, quote,
The reality is if all of Russia's cyber weapons went against us and all
of our cyber weapons went against Russia, they would win, end quote. Part of his reason for
saying this is heavy American dependence on the internet. The U.S. has a big attack surface.
Mandia's company is calling out the Chinese threat as well this week. U.S. engineering,
defense, and maritime companies tied to U.S. operations
in the disputed waters of the South China Sea are being hit by Chinese hackers. FireEye thinks
the attackers are controlled and directed by the Chinese government. The Financial Times has a long
piece on the way in which a number of other nation-states are looking to Russian cyber
operations as a model to be emulated. Citing research by
security firms FireEye, CrowdStrike, GlassWall Solutions, and Kroll, the report indicates that
countries like North Korea, India, and Pakistan are noting the success Russia's had and are
considering following the same path. In North Korea's case, of course, that country is well
down that path. Iran shows continued activity in spear-phishing targets in Asia and the Middle East.
The threat group TEMP.Zagros, more often known as MuddyWater,
no connection to the similarly named hedge investment firm,
has stepped up its distribution of malicious Word documents.
Palo Alto Networks, FireEye, and Trend Micro are all tracking the group.
Observers are warning the industrial control system malware Triton or Trisis may be ready
for a comeback. It was used last August against petrochemical targets in Saudi Arabia.
The campaign, which was extensively analyzed by ICS security firm Dragos and others,
was disturbing in the way it went after safety
systems. People fear that were it to be used again in an improved form, it might succeed in
having deadly effect. Saudi Arabia is currently in a heightened state of tension with regional
and religious rival Iran. Saudi's Crown Prince Mohammed bin Salman this week compared Iran's
Supreme Leader Ayatollah Ali Khamenei to Adolf Hitler,
and he meant that as the strongest possible condemnation.
He also said that Saudi Arabia would swiftly acquire its own nuclear weapons should Iran do so.
CTS Labs, who discovered vulnerabilities in AMD chipsets that may or may not be serious,
has issued a clarification to answer growing objections to their hair-trigger disclosure.
That's the disclosure that got to AMD the day before it went out to the general public.
CTS defends its different flavor of responsible disclosure as better for everyone,
disclose the vulnerability to vendors and everyone else at the same time,
but also impede criminal reverse engineering by redacting technical details.
The downside to this, of course, is that it also impedes legitimate researchers
from assessing whether the vulnerability disclosed is real, let alone serious.
CTS admits it erred in not lining up some independent verification in advance,
but hopes to do better in the future.
The other issue involves the appearance that the disclosure
was connected with short-selling AMD stock.
In its white paper describing its findings,
CTS offered a disclaimer many observers have read with raised eyebrows.
They said they may have, quote,
either directly or indirectly an economic interest in the performance of the securities, end quote, mentioned in the report, that is, in AMD.
Coincidentally or not, a short-selling investment firm, Viceroy Research Group, essentially simultaneously released an analysis of AMD's value explicitly based on CTS Labs' report.
It reckoned the value of AMD at zero and predicted the company's quick shipwreck in Chapter 11.
This suggests that Linus Torvalds may have been onto something
when he dismissed CTS Labs' report as short-selling, not research.
The incident recalls to several observers
the 2016 incident in which security researchers at MedSec
coordinated disclosure of vulnerabilities in St. Jude medical devices with Muddy Waters short sellers.
Gamers, take note, hackers are getting into Fortnite registered accounts and using them
to make fraudulent purchases.
Fortnite, which now rivals Minecraft in popularity for online gamers, of course offers in-game
purchases.
Credential stuffing attackers are gaining access to gamers' registered accounts
and making fraudulent purchases.
Kromtech, one of the security companies that looks for unsecured Amazon S3 buckets,
says it's found another one.
1.3 million customers of Walmart partner Limogés Jewelry
may have had their personal information exposed in an openly accessible database.
Finally, to return to the concerns about Russian cyber attacks,
it's not just NATO that's on the qui vive against Russian cyber operations.
Relatively neutral Sweden is devoting serious thought and resources
to defending itself against Russian ambitions, both kinetic and cyber.
They are, after all, just a short hop across the Baltic,
and as ABBA has known since 1982, something's going on.
I know there's something going on.
And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute. He's also host of the ISC Stormcast podcast. Johannes, welcome back. We wanted to talk today about credential stuffing, particularly how to prevent it. What do you have to share with us?
Yeah, credential stuffing really sort of has become a big topic in the last year or so. The problem that really sort of emerged is that so many credentials were stolen.
It's pretty easy for an attacker to find a username-password combination that a user used across different sites.
And then these credentials are used sort of in these automated scripts, just like the good old password brute forcing.
Even if it's not a credential, it's often just the things that you're using for password resets and even to set up an account.
So a lot of organizations, for example, have problems if users already have an account set up with you.
Now they're trying to establish online access,
what questions are you going to ask them to sort of authenticate them?
And that's where credential stuffing comes into play quite often.
So take us through that. I mean, what questions should they be asking?
Well, now, first of all, they should be asking questions
that are typically not known to other sites.
So something that's very specific to your site.
In addition to this, there is really no good way around some kind of offline confirmation.
So if, let's say, someone has an account with your company and is all of a sudden setting up online access, it's not really too much to ask to then send them a good old postal mail with like an activation code that they can then use to activate
that online account. Given all the information that's out there right now, there is no real
good way to prevent this. Now, as far as just the passwords go, Troy Hunt, he sort of collected a lot of
passwords that were leaked over the last few years, and he made that list public. So what you
probably should do is download that list, and he sort of published it as SHA-1 hashes, and try to
check if users of your site are also using these passwords.
Now, if you did the right thing and you hashed your passwords with something other than SHA-1,
then this may not be so straightforward.
But the next time the user logs in or the user changes or sets up a new password,
then you can check is that password on that list of leaked passwords,
and warn the user and suggest that the user uses a different password.
All right. As always, good advice. Johannes Ullrich, thanks for joining us.
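The following is an added example, not code from the podcast, from SANS or from Johannes Ullrich. It sketches the check he describes, and applies as well to the Fortnite credential-stuffing item in the news segment: compare a candidate password against a leaked-password list published as SHA-1 hashes, doing so in the login or password-change path where the plaintext is in hand (stored bcrypt-style hashes cannot be compared offline against a SHA-1 list). The three leaked-hash lines are constructed from well-known weak passwords in the "SHA1HEX:count" line format of the Pwned Passwords download; the `range_lookup` function simulates locally the k-anonymity range-query model (the client sends only the first five hex characters of its hash) rather than calling any real service, so everything runs offline. Function and variable names are my own assumptions.

```python
"""Check candidate passwords against a leaked-password list of SHA-1 hashes.

Added example; not the podcast's or any project's code. The list below is a
constructed stand-in for the multi-gigabyte Pwned Passwords download.
"""
import hashlib

# Constructed sample in the download's "SHA1HEX:count" line format.
# These are the SHA-1 digests of "password", "123456" and "qwerty";
# in practice the whole file is loaded from disk into a set or a database.
SAMPLE_LEAKED_LINES = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:23597311
B1B3773A05C0ED0176787A4F1574FF0075F7521E:2570791
"""


def load_leaked_hashes(lines):
    """Parse 'HASH:count' lines into a dict of uppercase SHA-1 hex -> count."""
    leaked = {}
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        leaked[digest.upper()] = int(count) if count else 0
    return leaked


LEAKED = load_leaked_hashes(SAMPLE_LEAKED_LINES)


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, matching the list's encoding."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_leaked(password, leaked=LEAKED):
    """Direct lookup: hash the candidate and look for it in the full list.
    Only usable where you hold the whole list yourself."""
    return sha1_hex(password) in leaked


def range_lookup(prefix, leaked=LEAKED):
    """Server side of a k-anonymity range query (simulated locally):
    given the first 5 hex chars of a SHA-1, return every (suffix, count)
    whose hash starts with them. The full hash never leaves the client."""
    prefix = prefix.upper()
    return {h[5:]: c for h, c in leaked.items() if h.startswith(prefix)}


def is_leaked_k_anon(password, leaked=LEAKED):
    """Client side: query by 5-char prefix, match the 35-char suffix locally."""
    digest = sha1_hex(password)
    suffixes = range_lookup(digest[:5], leaked)
    return digest[5:] in suffixes


def check_new_password(password, leaked=LEAKED):
    """Hook for the login or password-change path, where the plaintext is
    available even if the stored hash is bcrypt/scrypt/Argon2.
    Returns (accepted, message) so the caller can warn the user."""
    if is_leaked_k_anon(password, leaked):
        count = leaked[sha1_hex(password)]
        return False, (
            f"This password appeared {count} times in known breach data; "
            "please choose a different one."
        )
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "correct horse battery staple"):
        accepted, message = check_new_password(candidate)
        print(f"{candidate!r}: accepted={accepted} ({message})")
```

The direct lookup is what you would run over the downloaded file; the range variant is what you would use against a hosted copy, since leaking a five-character prefix narrows the candidate space to hundreds of hashes rather than one. Either way the check belongs at password set-up and at each login, so accounts whose stored hashes were never SHA-1 still get covered over time.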
My guest today is Rico Chandra.
He's the CEO of Arktis Radiation Detectors, a company that specializes in nuclear detection.
He joins us to describe the types of nuclear threats the world faces and the intersection of cybersecurity, the industrial IoT, and physical security.
To make it clear, the U.S. is certainly one of the best protected countries in the world,
and most of the Western world is fairly well protected against radiological and nuclear
threats. A large effort was put in shortly after 9-11 to equip our borders, so, you know, the land borders,
Canada and Mexico, and the seaports where the container ships arrive. All of those ports of
entries are equipped with so-called radiation portal monitors that detect if there is a
radiological threat in any of the cargo coming in. And most of the cargo that arrives in the U.S. actually
does pass through one of those radiation portal monitors. That said, you know, there's no such
thing as 100 percent security. And our adversaries are getting better connected, having access to
all sorts of new technologies and means. And so we need to improve our security
to keep our borders safe.
And so in the process of doing that, of connecting those systems together, you have to be careful about some of the cybersecurity vulnerabilities that may be the result of that.
Exactly. And that's really where I believe the world has evolved since 9-11.
If there were ever to be another attack on the scale of 9-11, be it against the U.S. or a European country, it's not inconceivable that it would be a physical attack combined with a cyberattack, whereas 10, 20 years ago, that was not really a concern that you'd have this pairing of a cyberattack together with, say, a radiological attack or with a conventional explosives attack or,
you know, the sort of acts of terrorism that we hear about in the news and are concerned about.
So can you take us through what are some of the challenges and some of the techniques that you all use to protect these systems, which I suppose you could say
these are mission-critical devices? These are mission-critical devices. And one of the things
that's been changing over the last couple of years is the customers, in our case, the customers are
typically governments. It's not like they didn't want to have cybersecurity on their devices in the past.
Cybersecurity has always been something that's been considered.
But the difference is today procurements are set up in such a way that the systems, from the base of their design, need to incorporate cybersecurity measures, whereas in the past that was more of an afterthought.
Oh, yeah. And then try to cyber harden what you have, whereas now it's part of the original specifications.
It's part of the original design and it's designed to be cyber secure.
I guess one of the things that I'm not clear about is what are the odds of these sorts of things actually making it through? And does it matter? Is it one of those things where you,
you know, it's such a big threat if something did come through,
that even though it's unlikely, you still need to protect against it?
Essentially, there's three categories of threats. The first is materials that could be
used to manufacture a nuclear weapon or a nuclear weapon itself. So we're talking the so-called
special nuclear materials, highly enriched uranium, plutonium, stuff where you can build a nuclear
bomb or an actual nuclear bomb. So that's the first threat.
The second threat is strong radioactive sources that could be used to construct what's called a radiological dispersal device
or a dirty bomb, for example.
And that's very different from a nuclear weapon.
It doesn't cause a huge bang. Typically, it's used with conventional explosives, and it doesn't lead to many more casualties than a conventional explosive, but it does contaminate the area
where it's detonated, and that causes a lot of disruption to society and the economy because
you need to evacuate, and there's distrust of the public and authorities and all that.
So that's a second category of threats, very different.
And then a third thing that is increasingly becoming relevant is there is just a whole bunch of consumer goods
and industry goods that are contaminated for one reason or another by radioactive materials,
and we just don't want them in our supply chains. We don't want steel coming in that's radioactive. We don't want food
coming in that's radioactive. So that's more of a public safety than a security concern.
So you ask, how relevant are these threats and how likely are they to get through?
So the first one, the one of nuclear weapons, if you look at geopolitics today, it's very relevant.
We're discussing how some of our adversaries have intercontinental ballistic missiles.
But what's the point of having missile defense if you can just, in principle, put a nuclear weapon into a freight container and ship it directly to the address where you want to? So
that's highly relevant. On the radiological dirty bomb scenario, we as a society, and especially
the agencies concerned with protecting against these threats, have quite a reason to be proud of the fact that
no attacks have taken place using dirty bombs, because many terrorist organizations would have
the capability and the intention to carry out such attacks. And the fact that they haven't
is a very good sign. And then the public safety aspect, we're just, you know, when we buy braces for your daughter,
we automatically assume that the steel that goes in there is not radioactive and we want it to stay that way.
In general, we're getting better and better at detecting stuff.
It's not always possible to detect everything.
You know, you can, certain configurations of nuclear materials, if shielded the right way, become very difficult to detect.
But the fact that we're constantly increasing the detection performance of the hardware and the software to detect these threats, that has quite a bit of deterrence value.
Because if, you know, say you're a nefarious actor and you want to smuggle something into the United
States, now you need to organize yourself. You need to figure out which border crossings you
have the best chances of getting into. You need to research how do you shield whatever material
you have to prevent detection or to try to minimize the risk of detection. This creates a lot of
chatter. You know, these organizations need to coordinate and need to inform themselves. Nuclear detection isn't isolated. It's like in
a whole context of security. So if you have these many layers of security, not just at the U.S.
border, but also internationally, you're really increasing the likelihood that our intelligence services will
pick up on these groups as they try to organize themselves and as they try to inform themselves
about how to best slip through. So it's more of a holistic approach, where different measures
fit together to provide protection.
That's Rico Chandra from Arktis Radiation Detectors.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.