CyberWire Daily - Norsk Hydro recovers from LockerGoga infection. Cyber conflict, cyber deterrence, and an economic case for security. EU out of compliance with GDPR? Big Tech in court. Thoughts on courtship.
Episode Date: March 20, 2019
In today's podcast, we hear that Norsk Hydro's recovery continues, with high marks for transparency. Some notes on the challenges of deterrence in cyberspace from yesterday's CYBERSEC DC conference, along with context for US skepticism about Huawei hardware. Cookiebot says the EU is out of compliance with GDPR, its sites infested with data-scraping adtech. Google and Facebook get, if not a haircut, at least a trim, in EU and US courts. And some animadversions concerning digital courtship displays. Dr. Charles Clancy from VA Tech's Hume Center on updates to the GPS system. Guest is Landon Lewis from Pondurance on balancing AI and human intelligence. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_20.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
The Norsk Hydro recovery continues with high marks for transparency.
Some notes on the challenges of deterrence in cyberspace from yesterday's CYBERSEC DC conference, along with context for US skepticism about Huawei hardware.
Cookiebot says the EU is out of compliance with GDPR, its sites infested with data-scraping ad tech.
Google and Facebook get, if not a haircut, at least a trim, in EU and US courts.
And some animadversions concerning digital courtship displays.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 20th, 2019.
Norsk Hydro has made significant strides toward recovery from yesterday's LockerGoga infestation.
The company said this morning that it had recovered many of its affected systems and is on its way toward restoring normal, stable operations.
The disruptions had affected both business and production systems.
Some speculation about nation-state or hacktivist involvement aside,
the emerging consensus seems to be that this was low-level commodity criminal activity
with far-reaching effects.
We heard from CrowdStrike's Vice President of Intelligence, Adam Meyers, who wrote that LockerGoga was also behind the infection of the French engineering company Altran in January of this year.
Meyers wrote, quote, While details of the Norsk Hydro incident are still developing, CrowdStrike Intelligence has been able to identify a new sample of the LockerGoga ransomware that was uploaded to a public malware repository in two zip files from an IP address based in Oslo, Norway. End quote.
Norsk Hydro is engaged in the electricity-hungry production of aluminum.
CyberX VP of Industrial Security Phil Neray pointed out to us in an email that manufacturers like Norsk Hydro have some particular concerns about ransomware.
He said, quote,
Downtime is measured in millions of dollars per day, and companies producing metals or chemicals are at additional risk should production disruption cause safety and environmental incidents, end quote.
Norsk Hydro itself is getting pretty high marks for the speed and transparency of its response to the incident.
Dragos CEO Robert M. Lee has tweeted Norsk a thumbs up in particular for their transparency.
He offers a simultaneous thumbs down, that's two thumbs way, way down, to those in the industry who would use the incident as FUD fodder to flack their products.
We were able to attend the inaugural meetings of CYBERSEC DC in Washington yesterday.
Their focus was on the connection between economic development, particularly the rapidly advancing tech sector, and cybersecurity, particularly as that linkage is evolving along NATO's eastern flank.
Sponsored by the Center for European Policy Analysis, CEPA, and the Kosciuszko Institute, the conference's announced goal was to advance the transatlantic quest for cyber trust.
The discussion inevitably turned to the threat of hybrid war from Russia, something of which the 12 nations of the Three Seas Group are uneasily aware.
The Three Seas Initiative is a cooperative arrangement among the Central and Eastern European nations that stretch from the Baltic to the Black and Adriatic Seas: Austria, Bulgaria, Croatia, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Poland, Romania, Slovakia, and Slovenia.
With the exception of formerly neutral Austria, these states are all either former Warsaw Pact countries or former Soviet republics, and so are very much attuned to the risky ministrations of what several panelists called our friends to the east.
Several of the speakers pointed out that the challenge the Russian adversary poses is in operations that fall below the threshold of armed conflict.
While NATO has made it clear that cyber attacks can trigger the collective defense the alliance's Article 5 commits its members to, cyber operations are still too new for there to be a clear set of proportionate responses.
The participants recommended full use of the NATO toolbox, including diplomatic and economic tools, and they argued that imposition of costs need not, and probably should not, be symmetric.
That is, threatened retaliation for cyber attacks need not confine itself to cyber counterattacks.
The other challenge the conference took up was the different, more long-term threat that China poses as it continues to advance its position in the global technology marketplace.
In this respect, Robert L. Strayer, Deputy Assistant Secretary for Cyber and International Communications and Information Policy at the U.S. Department of State, had some observations that placed the well-known American reservations about participation by companies like Huawei in 5G networks into context.
These are worth mentioning as they're often glossed over in discussions of the controversies around Huawei.
Strayer observed that vendors from countries that subject their companies to extrajudicial processes are fundamentally untrustworthy and should be viewed with particular suspicion with respect to participation in 5G networks.
Such extrajudicial processes would include non-appealable demands to contribute to state surveillance and espionage activities.
The much-expanded attack surface 5G will present makes accepting this risk a high-stakes proposition, and Strayer argued that no source code review will be sufficient to reveal all the problems equipment from such companies may bring with it.
He offered two other, economic, reasons to be wary of Chinese companies, and specifically of Huawei: its engineering seems not to be up to par, and while the equipment might be cheaper up front, it's likelier to be costlier over its life cycle.
Thus, Strayer found it surprising that Europe flirted more with Huawei than it did with European champions like Ericsson or Nokia.
And he also argued that the financial terms under which Chinese equipment is being offered are unrealistic and ultimately inadequate to sustaining a competitive market.
An observation we heard from folks on the ground at this year's RSA conference
was that much of the marketing hype surrounding AI and machine learning had died down quite a bit.
Landon Lewis is CEO of security firm Pondurance, and he joins us to share his thoughts on our relationship with AI.
behavioral analytics as nearly a concept of identifying suspicious behaviors and then marrying both humans and technology to attempt to uncover that. In the past, there were enough technologies and not enough people. And essentially now, you know, there's a capability of almost, I would look at it as enhanced or advanced behavioral analytics that have come to the market. I look at AI or any technology or tool as more of an extension of hands in a way to create more efficient processes for eliminating some of the risks that the market's facing.
So, I mean, walk me through in your estimation, what is the appropriate place for AI in an organization? Where does it sit in the stack of tools that folks have available to them?
Typically anywhere where it's easy to understand good data and bad data. And what I mean by that, we've seen, I think we're at the end of this market, but it was termed as next generation endpoint or the EDR space. And there were some early adopters in that space of leveraging what they're calling AI. Essentially, they're able to run a bunch of binaries that they know are bad. And what I mean by that is they were able to essentially go out to VirusTotal and say, let's download everything that has a bad score. If we download everything with a bad score and then we can download things that have a good score, we're able to separate good from bad. And we can build a model around bad and we can build a model around good. And then it's all about the gray area in between, right? That kind of makes it a differentiator. There's a lot more complexity to that. That's a simplified model of essentially what you would try to do on a network or what you might try to do with log data that a machine generates. So anything that you could separate good and bad from. And there has to be a large quantity of that data. The closer you are to building something that's more AI, machine learning driven, that can help a SOC analyst or an individual engineer.
What about intuition? I've heard where folks have described how they'll look at some data or look at a report or something and they'll say something just doesn't feel right here. I can't quite put my finger on it, but there's something that I feel like I should spend more time with. Is that an area where AI comes up short or can AI sometimes surprise us?
trained appropriately from a futuristic standpoint, or we're at least moving in that direction, where some type of event could basically have suspicious indicators that your models could basically kind of provide tips to your analyst, right? So again, more of an extension of the hand of saying, this is suspicious, and here is why. I think it behooves us really to start explaining to an analyst what it is about that, right? So essentially you've got to say, how was that model built and translate that back into something that an analyst understands. So the AI can say, hey, I flagged this and here are the reasons why I think this needs a second look from you. That's one of the most difficult pieces, right? Is you have to go back to, okay, well, who built this model and what type of events was it looking at for me to understand as an analyst? I have this event and it's saying, you know, suspicious activity. How can I go layers deeper? So the point ends up being, you've got to have an analyst with the skill level that can almost move backwards, right? And not be, you know, a data scientist to really understand like why the model may be flagging it. I think AI is something that's typically going to help us. I believe describing it as a silver bullet is somewhat dangerous. And I believe that humans are still required to train the models that make AI more useful. I do believe in the long run it's going to help us essentially extend the hands of our staff.
That's Landon Lewis from Pondurance.
Physician, heal thyself.
Security firm Cookiebot has looked into EU official government services sites and determined that a surprisingly large fraction of them leak personal information of EU citizens to various third parties in ways that contravene the EU's GDPR regime.
ZDNet calls it an infestation of third-party ad tech scripts.
The EU has fined Google's parent Alphabet 1.49 billion euros, that's about 1.7 billion dollars, for anti-competitive restriction of other companies' ads.
This is the last of three formal EU antitrust actions against the company.
It's by no means a business killer, since Alphabet has deep pockets, but it's a large judgment.
Some U.S. politicians have already pointed out that maybe more aggressive antitrust action, like a breakup, should be in the cards, but so far that's preliminary posturing.
Facebook has settled a lawsuit by agreeing to change its advertising platform to reduce the possibility of discrimination in housing and employment.
This affects in particular use of such user demographics as race, age, and gender.
The number and volume of DDoS attacks dropped significantly after the FBI took down 15 DDoS-for-hire sites in December.
Researchers from Nexusguard found that in the fourth quarter of 2018, the number of DDoS attacks sank by 11%, and the average size of these attacks fell by 85%.
So bravo, FBI, but everybody else, well, don't get cocky, kids.
And finally, those who have followed the National Enquirer's coverage of Amazon chief Bezos' online courtship display, the one Mr. Bezos gamely addressed in his No Thank You, Mr. Pecker blog post, may have wondered where Mr. Pecker's Enquirer obtained the texts that constituted this particular expression of ardor.
Speculation had run toward Saudi Arabia, the White House, hackers everywhere, but it appears that the entire transaction may have been much more prosaic than that.
The peacock may have spread his metaphorical tail feathers to inspire reciprocal feelings in the peahen, but reports in the New York Post's Page Six say that the Enquirer paid the peahen's brother, that would be the peacock's boyfriend-in-law, some $200,000 to send them the goods.
Pro tip, during courtship, send flowers, bake cookies.
Sure, they're traditional, but they're almost always appreciated.
These kids today.
These kids today.
And joining me once again is Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back. I saw an article come by recently, and this was about a new GPS satellite that was recently launched successfully. And they're touting this as being the first GPS 3 satellite. What are we talking about here? What makes GPS 3 special?
So GPS technology is 40 years old at this point. The military has been launching satellites since the, well, planning satellites since the late 1970s and launching since the 1980s and has been incrementally improving the technology as they have launched more and more satellites. GPS Block 3 has been in planning now for over a decade, and we've just now finally seen the first satellite launch. Some of the features of GPS 3 include a higher signal strength. The actual signal that's transmitted by the GPS satellite is stronger. That means you'll be able to lock on to it inside. The goal is to try and get more indoor coverage for GPS. Another feature is that they are transmitting a companion signal that actually is a guide to help you find the GPS satellites. If you used, say, a Garmin GPS probably 15 years ago, you may recall that it could take a couple minutes to actually lock onto the GPS satellites. Now we have assisted GPS technology, where essentially your cell phone is using cell tower data to try and figure out where it is, and then it uses GPS to refine that location. So it's a fundamentally different system. But there's a companion signal that's going to be part of the GPS Block 3 that makes it much faster to acquire the GPS signal. And there's one other component. There's a new localization signal called L5 that is part of the transmitted signal. And this is a higher bandwidth signal that will give you finer grain ability to localize yourself. So the idea is that once GPS Block 3 is fully deployed, you'll be able to get more indoor localization, and the localizations that you see will be on the order of one meter in accuracy.
Now, are we still in a situation where the real precise GPS is being limited to the military?
No. Back in the 1990s, that feature was activated in the GPS constellation as commercial use began to grow. And there was the civilian GPS versus the military GPS. But in the early 2000s, the White House approved basically opening up that military level of accuracy to everyone. So there really isn't a difference in the level of precision that the military sees versus the civilian GPS receivers.
I see. All right. Well, thanks for filling us in. As always, Dr. Charles Clancy, thanks for joining us.
Thanks a lot.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening. We'll see you back here tomorrow.