CyberWire Daily - Notes from the CISA Summit. New DDoS vector reported. Medical images exposed online. Huawei and US sanctions. Engaging ISIS in cyberspace.
Episode Date: September 19, 2019
A quick look at CISA's National Cybersecurity Summit. A big new distributed denial-of-service vector is reported. Medical servers leave patient information exposed to the public Internet. Huawei is suspended from the FIRST group as it argues its case in a US Federal court. And one of the challenges of engaging ISIS online is that it relies so heavily on commercial infrastructure: it's got to be targeted carefully. Ben Yelin from UMD CHHS on a case of compelled encryption which may be heading to the Supreme Court. Guest is David Talaga from Talend on how privacy fines have informed customers' approach to planning around data security compliance. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
We've got a quick look at CISA's National Cybersecurity Summit.
A big new distributed denial-of-service vector is reported.
Medical servers leave patient information exposed to the public Internet.
Huawei is suspended from the FIRST group as it argues its case in a U.S. federal court.
And one of the challenges of engaging ISIS online is that it relies so heavily on commercial infrastructure.
It's got to be targeted carefully.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, September 19th, 2019.
U.S. federal agencies are taking election security seriously, as we heard yesterday at the second annual National Cybersecurity Summit organized by the Cybersecurity and Infrastructure Security Agency, CISA.
CISA and its partners are concerned with direct hacking of voting systems
but also with countering influence operations
mounted by hostile foreign governments.
Discussions were particularly aware of the ways in which social media lend themselves to confirmation bias,
and the ways in which such bias can be used to create or exploit fissures in civil society.
CISA director Christopher Krebs also offered a suggestion to the security industry,
please stop selling fear.
Sure, it can work for marketing sometimes,
although even there it's subject to diminishing returns
as the customer slides into learned helplessness.
But it's an impediment to sensible discussions and planning that could actually avert damage.
This is especially true, he thought, with election security,
where citizens' confidence in their institutions is a principal target.
He didn't ask why we should do the opposition's work for them, but we will.
If the bad actors want to destroy trust and confidence,
let them try to do so without the security industry scoring a lot of their own goals.
So keep calm and carry on.
Akamai reports that a new distributed denial-of-service vector, WS-Discovery, a UDP amplification technique, is being exploited in the wild.
The approach is a good one from the attacker's point of view,
Yeah, we don't have an intuitive grasp of how big that is either.
It's like astronomical distances.
You've got no feel for them at all, but you're pretty sure they're pretty big.
This, Akamai points out, gives the attack technique the fourth highest reflected amplification factor on the DDoS leaderboard.
There's been another case of misconfigured servers exposing private information to public inspection.
Researchers at Greenbone Networks have found a very large number of medical images, radiological images for the most part, sitting out there online.
Greenbone looked at 2,300 picture archiving and communication systems,
servers based on the DICOM protocol,
and found that some 400 million images belonging to 24.5 million patients were easily accessible.
Why would someone care about this? Apart from being sensitive about your x-rays, there are several good reasons.
The exposed files were commonly associated with patient data that included a full name, date of birth, date of examination, what the researchers call scope of the investigation, the type of imaging, the attending physician, the healthcare facility where the procedures were performed, and the number of images generated during the procedures.
One often thinks first of identity theft in such cases, and of course that's a possibility, but this sort of information is also very useful in social engineering.
Consider: you are in for medical imaging, which is often associated with serious and frightening conditions.
Your guard will be down if you receive an email or phone call that appears to be from the doctor or the tech who took the x-rays or MRI.
That's the bigger problem here.
GDPR created huge incentives for companies to make sure they met data privacy regulations by the implementation deadline. Still, there are some areas where they are lagging behind.
David Talaga is from data integrity and integration firm Talend, and he offers his insights.
It's the GDPR one-year anniversary back in May 19. At that time, the European Data Protection Board registered around 90,000 complaints.
Most complaints were coming for the kind of telemarketing use case, promotional email, video surveillance, that kind of thing.
On NorthSites, what we found out is that 98% of the policies have been updated by customers, which is fine.
They updated the data privacy policy with GDPR. You can go to the website.
You can see some terms of agreement that have been updated, but in reality we saw that 70 percent did not apply, failed to provide data within the 30 days, which is a kind of limit that is in GDPR.
So in reality data management is still suffering, is still not there.
So from a policy point of view, from a process point of view, that's fine.
You can say that the legal,
the lawyers have done their jobs,
but in reality, data management pipelines
need really to be integrated with each other.
And what is causing that gap?
Why are they not doing a better job?
Because I think that the point is
that they really start by going to the lawyers,
but not going to the IT departments
and talking business and IT
talking together about what do I need to do to make sure that my data is covered.
And the fact is, sometimes for topics like data quality, nobody is accountable for that in companies. First point.
Second point, they don't know that such kinds of tools exist sometimes.
They are very keen on integrating things but not keen on trusting the data.
And they don't even know where,
you know, where that.
So we try over the last two years
to tell them to make really good progress
on that, informing your customers,
informing the market that things have changed.
And now we have data quality tools
that help them to really protect their data
and secure their data pipeline.
Now, describe to me,
when you're talking about data masking, what exactly is that, and what
does that get me in terms of compliance?
Data masking, so it's when you go to a store, and once you go to a store, and they register
your personal information.
But maybe you go to a website, and you enter your email, your address, and so on.
And you kept receiving some promotional emails.
And you're upset about that.
So you want to claim for data deletions, just to have your record being deleted by the company.
The thing is, right now, companies are struggling to do that.
They're doing it manually.
It's OK for one or two records.
But imagine that you have millions of records processing through your website or through your retail shops.
So imagine that you have several hundreds
of these records of ask from the customer.
So you need encryption, you need data masking.
So at some point of time,
once the user has requested data to be deleted,
you can automate it, this kind of task.
So what that means is that the personal data,
like first name, name,
will be replaced by a random series of figures and letters
without any kind of personal information.
You will keep the first name and last name structure,
so you can order gender kind of things.
So you can, but no personal information will remain into the data.
And you can tell these guys, the companies,
okay, that's okay, we have deleted all your data. It's done.
That's David Talaga from Talend.
The Wall Street Journal reports that Huawei's membership in FIRST,
the Forum of Incident Response and Security Teams, has been suspended.
FIRST says the suspension is temporary
and was undertaken in response to U.S. trade sanctions against Huawei.
FIRST is an important cooperative group for the sharing of information among cyber incident response organizations,
and Huawei's exclusion from the forum is not a trivial matter.
The Washington Post reminds readers that Huawei is defending itself against the sanctions in oral arguments today before the U.S. District Court for the Eastern District of Texas.
Their contention is thought likely to be that the U.S. government's strictures against them
aren't based on security at all, but are just a gambit in a Sino-American trade war.
Observers are dubious about how likely this is to fly, but it's not an obviously crazy position, and you can't blame a guy for trying.
U.S. Cyber Command is ramping up operations against ISIS.
The sometime caliphate is not generally reckoned to show a high level of technical sophistication, but it's been able to operate effectively, particularly in its use of the internet for communication and inspiration.
Its resilience lies in part in its use of commercial infrastructure, which makes ISIS's online operations difficult to disrupt without doing unacceptably high and sometimes collateral damage.
A Marine Corps brigadier general told Fifth Domain, quote, whether it's cyber or kinetic, we're still under the law of war.
So we have to, one, determine where that is and if we find that out and we can hand that off to
To follow up yesterday's discussion of cyber calls for fire,
this illustrates the complexity of the problem.
If cyber attack is analogous to fire support, it's like fire support delivered during combat in a densely populated city.
And the general's observation about the laws of war isn't idle.
That's why they put JAG lawyers on targeting teams.
So a tough problem, but not necessarily an insoluble one.
Task Force Ares, good hunting.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, it's always great to have you back.
I saw a story come by in the MIT Technology Review by Patrick Howell O'Neill, and this was about smartphones and how this notion of compelled decryption might be headed for the Supreme Court. What's going on here?
So the legal principle involved here is your Fifth Amendment right against self-incrimination. You can't be forced to testify against yourself in court.
Prior to the advent of Face ID and even Touch ID,
this issue was relatively simple
because courts considered entering in a passcode
to unlock your smart device
to be what we call testimonial evidence.
That's the equivalent of asking you in court,
what's your password to get into your phone?
And that would force you to tell a judge or a jury what that password is, and they'd have access to your device.
What's become very interesting with the advent of Face ID and Touch ID is that the evidence collected is no longer testimonial.
Rather, it's something that you wouldn't have to actively tell anybody. It could be simply the device matching up to your face or to your fingerprint.
Courts have been very divided as to whether forcing somebody to decrypt their device using Face ID or Touch ID violates their Fifth Amendment right against self-incrimination.
And because there's been that divide at the lower court level, I think we're anticipating
in the next couple of years that this is going to be an issue that's going to make its way
to the United States Supreme Court.
Now, I know devices have what's referred to sometimes as cop mode, which is where if you have one of these biometric unlocking mechanisms enabled, you can press a button on the phone a certain number of times and it'll switch over to require a password.
Are we looking at any sorts of adjustments to the legal approach to that sort of thing?
One thing we talk about frequently in the battle between privacy and government security is this idea of achieving equilibrium in our right to privacy.
So because the technology has evolved to have things like cop mode, where if there are a certain number of attempts to unlock the phone with Face ID or Touch ID, the user has to type in the password, that's technology that has made it more difficult for law enforcement to gain access to these phones, which means, according to how Fourth Amendment jurisprudence has worked over the years, my guess is that courts are now going to try and come up with an equitable solution to try and put those rights back in equilibrium.
To put it more simply, they're going to try and give law enforcement additional capability to decrypt those devices in response to this change in technology.
That's usually the way it goes for these types of digital privacy cases. And I think that's something that the Supreme Court would consider.
It would be a major burden on law enforcement to lose this backdoor access to electronic devices.
And if there is this Fifth Amendment right against self-incrimination as it applies to biometric data,
they're going to have a very hard time getting access to smartphones.
Any indications on where the Supreme Court might go with something like this?
So one of the foremost experts on digital privacy, Professor Orin Kerr, has been tracking this and has noted that there have been contradictory decisions in all different judicial circuits across the country.
And that's why it's such a favorable case for the Supreme Court. When there are disagreements among circuit courts, it's something the Supreme Court is going to look at closely
because they're going to need to settle this issue, especially as we get to a point where almost all smartphones and other electronic devices are going to be enabled with Touch ID or Face ID and are going to require biometric data to decrypt.
So I think it's going to motivate the Supreme Court to get involved.
We've also seen this come up in the news recently because the Attorney General of the United States suggested that Congress should enact a law to give law enforcement the ability to decrypt devices.
It would basically be a law mandating access, backdoor access for the government to this encrypted data.
So it's something that's prevalent in the news. That's, you know, usually the signal when you have a split among judicial circuits and something that's being talked about in the co-equal branches of government, that's usually a good signal that the Supreme Court is ready to take up the issue.
All right. Well, time will tell. Ben Yelin, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.