CyberWire Daily - Not every incident is necessarily an attack. Not everything that purrs is a kitten (sometimes it’s a bear that would like you to think it’s a kitten). ICS security notes.
Episode Date: October 21, 2019. Some notes on not jumping to conclusions that incidents are cyber attacks. A false flag operation shows the difficulty of attribution: not everything that purrs is a kitten, because sometimes it's a... bear. Notes from the ICS Security Conference in Atlanta, including some reflections on the criminal market's business cycle, the dangers of social engineering, and the importance of attending to the fundamentals. And the Vatican fixes a bug. Joe Carrigan from JHU ISI on the ease with which one's identity can be determined using previously anonymized data sets. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Some notes on not jumping to conclusions that incidents are cyberattacks.
A false flag operation shows the difficulty of attribution.
Not everything that purrs is a kitten because sometimes it's a bear.
Notes from the ICS Security Conference in Atlanta,
including some reflections on the criminal market's business cycle,
the dangers of social engineering,
and the importance of attending to the fundamentals.
And the Vatican fixes a bug.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 21st, 2019. The CyberWire has some of our folks down in Atlanta
this week for the 2019 ICS Security Conference, which opened this morning. Before we talk about
some of today's sessions, however,
it's worth discussing some news that broke over the weekend
that's directly relevant to ICS security.
We're all familiar with the difficulty surrounding attribution.
It's the familiar fog of war,
and the related, but less often discovered, glare of war,
the way in which having too much information can blind you
to what's really going on. So here's some fog of war that blew in over the weekend.
Often there's uncertainty with respect to whether an incident involves a cyber attack at all,
and that was the case with an incident in Iran. A social media report out of Iran yesterday said
that a refinery fire in that country was caused by a cyber attack,
but these reports remain unconfirmed. And note that the Twitter thread's assertion that the
incident is confirmed doesn't really count. Reuters, sourcing Iranian state media, said there
was a fire in a canal carrying waste from the Abadan refinery, but that the fire was under
control. In this respect, ICS security firm
Dragos blogged caution in accepting reports of a cyberattack at face value. After all,
while cyberattacks can and have caused physical damage, accidents do happen, and it's important
not to jump to conclusions. That holds true of attribution as well. Another example of the difficulty of
attribution may be found in a joint report issued this morning by the UK's NCSC and the US NSA.
The agencies find that the Russian government group Turla, also known as Venomous Bear,
White Bear, Snake, Waterbug, and Uroburos, hijacked Iranian tools to mount an effective false flag operation in which
Turla effectively posed as APT-34, or Helix Kitten.
The espionage operation not only used APT-34 backdoors, but also prospected known APT-34
victims.
According to Reuters, the NCSC says it's not aware of any official attributions influenced
by the misdirection,
but officials point out that the discovery should serve as a caution against hasty attribution.
Compare a similar false flag during the last Winter Olympics held in South Korea
when Russian services impersonated North Korean operators.
Wired is running a long series on that incident that's worth a look.
We note that the joint warning seems consistent with the recently announced determination of NSA's Cybersecurity Directorate to engage the public more directly.
To return to the Atlanta ICS Security Conference, we heard some interesting presentations during the first morning.
If there's one overarching lesson the speakers agree on, it's the importance of paying attention to the fundamentals.
Bruce Bilodeau of Rockwell Automation's subsidiary Maverick Technologies
presented an overview of the darknet
and what those concerned with ICS security should know about it.
The basic problem from an ICS perspective
is the way in which sensitive information and hacking tools
can be propagated across the black markets
that establish themselves in the dark net.
He offered a range of lurid true stories
designed to make plant managers' flesh creep,
the ease with which people trade company information anonymously,
the hacking services freely available,
and the price lists that make such services accessible to many who wish companies ill.
One of his more interesting observations noted last week's recent arrests
of some 300 individuals who were engaged in child abuse
in the course of running illicit content services online.
That, Bilodeau pointed out, is what law enforcement is interested in stopping, and quite properly so.
Your concerns, he said, addressing an ICS audience, don't have that kind of high priority.
And he also noted the fracturing of contraband black markets with the Silk Road takedown.
That's part of the normal black market business cycle: consolidation, followed by an official crackdown,
followed by the proliferation of small operators,
followed by another phase of consolidation that continues until the next official crackdown.
We're currently in a fragmented phase, Bilodeau observed.
Earlier in the morning, Mark Carrigan, COO of PAS Global, talked about the good, the bad, and the ugly of ICS security. The good lay in
signs of increased cooperation between OT and IT, with OT beginning to catch up to IT,
particularly with respect to access management. He also saw industry focused on the right things,
visibility, audits, and security awareness programs. And above all, companies now understand that OT security deserves investment.
The bad is that attacks on OT are no longer just collateral damage.
Threat actors, especially those run by nation-states,
are now researching OT systems and developing attacks designed specifically for those systems.
And then there's the ugly, chiefly the confusing OT security market and
the tendency companies have to fixate on shiny objects, the latest buzzwords and trends. We also
find, Carrigan observed, that solution results seem to fall short of expectations and too much
information overwhelms understanding. Too much focus on detection is also ugly.
Basic protection and recovery mechanisms can have massive risk reduction.
Turning to the threat of social engineering,
a presentation by Chad Lloyd,
security architect at Schneider Electric,
pointed out that compromising a system
very often starts with compromising a human being.
Social engineering enables the attacker to leapfrog not only cyber defense in depth,
but even expensive physical security measures.
He agreed with Carrigan: attention to the basics matters.
And in defense against social engineering in particular,
those basics include security awareness training for employees.
We'll have notes and updates throughout the duration of the conference.
And finally, we're all familiar with the Internet of Things and the industrial Internet of Things.
There's also, inevitably, an Internet of Sacramentals, that is, the things religious
believers use in the course of their devotions. Last Wednesday, the Vatican introduced an e-rosary
app that's designed to enhance the
prayer life of those who use it. You signed up with an email and a four-digit pin was transmitted.
Unfortunately, that pin was easily intercepted, and once intercepted could give an attacker access
to all the information the Android app requested. The researcher who found the vulnerability
informed the Holy See,
and the bug was fixed by Thursday.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Joe, it's great to have you back.
It's good to be back, Dave.
I had an article come by.
This was from the MIT Technology Review,
and it was about how easy you are to track down
even when your data has been anonymized.
Yeah.
Article by Charlotte Jee.
What's going on here?
Fairly trivial to re-identify people
from an anonymized data set.
Okay, well, let's start out with some definitions here.
When we're talking about an anonymized data set.
Okay, first off, let's explain why we have these things called anonymized data sets,
particularly in the field of healthcare.
Okay.
A lot of times we need these data sets in order to perform research, right?
But there's regulations and there are HIPAA regulations and there might be some
internal IRB regulations that say if you're going to store this kind of information, you
have to store it in an anonymized fashion, right?
Which means that all of the personal identifiable information has been stripped from the data
set and replaced with tokens, right?
But there is some information that can't be stripped because it's important to the research,
and those things happen to be demographic pointers, right?
Like your age.
Whether I'm a man or a woman.
Whether you're a man or a woman, your gender, whether you're white, black, Hispanic, whatever,
your race is usually a very important indicator because there are certain health conditions
which affect different races disproportionately than the other races.
So that's important.
Where you live, what zip code you're in.
So those are all very valid reasons to have de-identified data sets.
However, this study found if I know three things about you, that being your birth date, your gender, and your zip code, then I can identify somebody correctly 83% of the time in a data set.
And they even have a tool that has some data sets that tells you how well you can be identified.
So I went into this tool and I entered my date of birth, my gender, my zip code, and
it came back with a 99% identifiability.
So in other words, if somebody looked me up in any of these data sets, then they would
be 99% sure that they had me.
Even though they didn't have, the data set did not have your name in it.
They could look at the health information that was associated with my record.
Now, a couple of things.
When I join any of these sites that demand to know my birthday, I always tell them the same thing.
It's January 1st.
That's not my birthday, but that's what they get told.
Okay.
Because I don't want them to be able to identify me with other data sets that might be out there where they actually do have my birthday.
And I'm actually now reconsidering whether or not it's important for my healthcare provider to know my actual birthday after reading this. Because when I enter January 1st and the other information, that identifiability instantly
goes down to 63%, which is well below the average.
And getting pretty close to 50%, which is essentially you're anonymous because it's
a coin flip on whether or not you have the actual person.
Right.
Okay.
Now, there is a new technology out there, a newer technology called differential privacy,
which takes one of these anonymized data sets and adds noise to it.
But the noise doesn't change any of the value of the data set.
All it does is add more anonymity to the point where if I know something about somebody,
those three points of data, or maybe more points of
data, then when I get a record out that may or may not be the person, I can't tell more than 50,
50%. In other words, I'm guessing whether or not that is the actual person. So I think that's the
solution when you're looking at public health data and public health information. But when
you're looking at data that's information about an individual, it may not be useful.
Hmm.
Right?
Yeah, it's interesting.
In this article, they were saying that they're going to be using differential privacy for
the U.S. Census database.
Well, that's a good use of it, right?
Because the U.S. Census database is a database that's supposed to have general demographic
information about a population, right?
So differential privacy is a great application for that.
All right.
Well, it's interesting.
Nice to know that there are solutions at hand to make this better, that it's not all hopeless.
Yeah, yeah.
All right.
Well, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
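The re-identification risk Joe describes above comes down to how many records share the same quasi-identifier combination. The example below is added here and is not from the MIT Technology Review article, the study it reports, or the CyberWire; the eight health records are constructed, and the 83% and 99% figures from the study are not reproduced. It measures what fraction of records are unique on (birth date, gender, zip), shows how coarsening those fields (birth year, 3-digit zip prefix) shrinks that fraction, looks up a target the way an attacker with three known facts would, and finishes with a Laplace-noised count as the simplest form of the differential privacy mechanism mentioned at the end of the segment. The three records sharing the January 1st birth date illustrate why Joe's habit of entering January 1st lowers his own identifiability.

```python
import math
import random

# Constructed toy "anonymized" health records (names already stripped).
# The quasi-identifiers the interview names (dob, gender, zip) remain.
RECORDS = [
    {"dob": "1975-03-14", "gender": "M", "zip": "21218", "dx": "asthma"},
    {"dob": "1975-03-14", "gender": "M", "zip": "21218", "dx": "flu"},
    {"dob": "1982-11-02", "gender": "F", "zip": "21218", "dx": "diabetes"},
    {"dob": "1990-01-01", "gender": "F", "zip": "21224", "dx": "migraine"},
    {"dob": "1990-01-01", "gender": "F", "zip": "21224", "dx": "anemia"},
    {"dob": "1990-01-01", "gender": "F", "zip": "21224", "dx": "none"},
    {"dob": "1961-07-23", "gender": "M", "zip": "21224", "dx": "hypertension"},
    {"dob": "1961-08-30", "gender": "M", "zip": "21224", "dx": "arthritis"},
]


def full_qi(record):
    """Quasi-identifiers as the interview describes them: exact DOB, gender, 5-digit zip."""
    return (record["dob"], record["gender"], record["zip"])


def generalized_qi(record):
    """Coarsened quasi-identifiers: birth year, gender, 3-digit zip prefix."""
    return (record["dob"][:4], record["gender"], record["zip"][:3])


def equivalence_classes(records, qi):
    """Group records by their quasi-identifier tuple."""
    classes = {}
    for r in records:
        classes.setdefault(qi(r), []).append(r)
    return classes


def reidentification_rate(records, qi):
    """Fraction of records whose quasi-identifier combination is unique in the set,
    i.e. records an attacker who knows those fields can pin down exactly."""
    classes = equivalence_classes(records, qi)
    unique = sum(len(c) for c in classes.values() if len(c) == 1)
    return unique / len(records)


def k_anonymity(records, qi):
    """Smallest equivalence class: every record hides among at least k with the same QI."""
    return min(len(c) for c in equivalence_classes(records, qi).values())


def candidates(records, qi, known):
    """Records consistent with what the attacker already knows about the target."""
    return equivalence_classes(records, qi).get(tuple(known), [])


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF from a seeded random.Random."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))


def noisy_count(records, predicate, epsilon, rng):
    """Epsilon-differentially-private count: a count query has sensitivity 1,
    so Laplace noise with scale 1/epsilon hides any single person's presence."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    print("unique on exact dob/gender/zip:", reidentification_rate(RECORDS, full_qi))
    print("unique on year/gender/zip3:    ", reidentification_rate(RECORDS, generalized_qi))
    # An attacker who knows one person's three facts reads off her diagnosis.
    for r in candidates(RECORDS, full_qi, ("1982-11-02", "F", "21218")):
        print("target's record:", r["dx"])
    rng = random.Random(7)
    print("DP count of zip 21224 (true 5):", round(noisy_count(RECORDS, lambda r: r["zip"] == "21224", 1.0, rng), 2))
```

The generalization step is the k-anonymity idea: the data set is only as safe as its smallest class, and here both variants still contain a class of size one, so a single identifiable patient remains. The Laplace count, by contrast, never releases a record at all; it answers aggregate questions with calibrated noise, which is why it suits population-level uses like the Census rather than per-individual records.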
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.