CyberWire Daily - Patching: the good, the bad, and the ugly. Script kiddies and disinhibition (with a caution about attribution). Industry notes, RSA, and Valentine's Day.
Episode Date: February 10, 2017
In today's podcast we hear about patching: the good, the bad, and the ugly. But mostly the good. Dridex is back. Brussels airport hacker turns out to be a literal script-kiddie, with the emphasis on the "kiddie." Moscow treason trials shut down Russian cooperation with Western law enforcement. Robert Lord from Protenus returns to share their Breach Barometer Report results. Ben Yelin from the University of Maryland Center for Health and Homeland Security revisits the Playpen case. Industry notes, a look ahead to RSA, and some Valentine's Day advice.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
When it comes to patching, we've got the good, the bad, and the ugly,
but mostly the good.
Dridex is back.
The Brussels airport hacker turns out to be a literal script kiddie,
with the emphasis on the kiddie.
Moscow treason trials shut down Russian cooperation with Western law enforcement.
Robert Lord from Protenus returns to tell us about their breach barometer report
for the health care industry.
A look ahead to RSA and some Valentine's Day advice.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 10th, 2017.
We often hear about the importance of patching, and two stories today offer cautionary tales on why it's important, and why it's important to do it right.
First, why it's important.
Unpatched WordPress instances have been clobbered with defacements
at an increasing rate this week.
Sucuri, the firm that discovered and disclosed the now-swatted bug to WordPress,
has been tracking attacks and finds that as of yesterday,
more than 1.5 million pages had been hit.
WordPress quietly fixed the problem in its API back on the 26th of January,
with release 4.7.2.
The patch was rolled out quietly in the hope that hackers would overlook
the vulnerability WordPress was closing, but that hope was apparently in vain.
A number of industry observers would strengthen that observation,
saying that the hope was foreseeably inevitably in vain
since patching a vulnerability unavoidably discloses that vulnerability to the ill-intentioned.
So WordPress users are advised to patch. It's the old versions that are being hit hard.
Second, why it's important to do it right.
NASA's Inspector General has released a report on industrial control system security within the Space Agency.
NASA sensibly commissioned the study because of the extent to which operational technology
has evolved away from manual systems toward increasingly comprehensive automation.
Among the findings was this.
Application of a security patch to software used to control a large engineering oven
caused a reboot that stopped the oven's monitoring equipment from running.
This effectively disabled both temperature control systems and impeded alarm activation,
causing a fire that burned undetected for three and a half hours.
So, check patches for unintended consequences before applying them.
And managers, when IT says they're verifying the patch is okay to apply,
remember they have good reason to do so.
According to authorities in Belgium and the United States, the post-massacre cyberattack on Brussels International Airport last March
proved, surprisingly and troublingly, to be the non-ideological work of a Pittsburgh minor
described in news reports as a child.
There's no sign of ISIS inspiration or commitment, just another awful example of online disinhibition,
and another lesson in the importance of remaining circumspect in attribution.
Treason arrests of current and former FSB officers in Moscow are said to have effectively muzzled Russian cooperation with Western law enforcement operations. They've clammed up, as Fidelis' John Bambenek described it.
Since the FSB officers are accused of giving information to the Americans, you might think twice before doing something that could be misconstrued as espionage.
In industry news, Accenture buys Verisign's iDefense security intelligence service to
augment its cyber threat intelligence offerings.
Evident.io and its remediation platform pick up $22 million in a Series C investment, and
threat intelligence exchange TruSTAR attracts $5 million led by Storm Ventures.
Next Tuesday is St. Valentine's Day,
and since we know a thing or two about our listener demographic,
we're pretty sure that many of your thoughts are turning to a romantic dinner for two at Arby's.
As you offer your significant other the horsey sauce, however,
you may be troubled by Arby's disclosure yesterday to Krebs on Security
that the restaurant chain had been the victim of
a data breach. Jeff Hill, director of product management at Prevalent Inc., reminds us that
this is part of a pattern. Quote, when the retail industry is attacked, it very often manifests as
a point-of-sale infection, and point-of-sale device infections nearly always originate at a third
party. End quote. He cites the famous Target breach, traced to an HVAC contractor, as one of the more famous examples.
He goes on to say, quote, studies vary, but it is generally recognized
that at least 40% of all enterprise breaches originate at a third-party vendor.
In the retail space, that figure is likely much higher, end quote.
So, a reminder of the significance of third-party risk.
But to return to the silver lining in the story,
the good news is that Arby's reports they've remediated the point-of-sale system problems,
and so you may squire your betrothed to the local food court
without unusual risk of losing your paycard information.
Any other romantic risks, and you don't need us to tell you
February 14th is a positive minefield of such risks, are solely your responsibility.
Brothers and sisters, you know who you are.
Maison Blabla, my brothers.
Finally, of course, we'll be in San Francisco next week. That's right, in the city by the other bay, covering RSA 2017, the annual Woodstock of the cybersecurity industry.
We've been linking to some forward-looking pieces on the conference, and we'll be reporting on what we see and hear around the event.
In the meantime, here are some of the stories we'll be watching.
The innovation sandbox is always interesting, and the startups chosen to compete have over the years become some of the industry's more influential players.
The sandbox runs Monday. We'll be there for it.
The conference provides many opportunities for a look at the interplay of technology, commerce, and policy.
It'll be interesting to see, for example, what technologies the Department of Homeland Security's Science and Technology Directorate has queued up for transition.
And, of course, we'll be talking with interesting companies, large, small, and medium.
If you see us around the Moscone Center, be sure to stop us and say hello.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, you know, once again,
we find ourselves back looking at the Playpen child porn case, but we've got some interesting
developments here. Bring us up to date. Yeah, so back in 2015, and we've talked about this before, federal investigators temporarily began operating this Playpen child pornography site for 13 days before shutting it down as part of what they called a network investigative technique to try and find basically IP addresses, the users of this service. One of those users was a guy by
the name of Jay Michaud who lives up in Vancouver, Washington. He allegedly logged on to this Playpen
site while it was being run by the federal government and he was arrested and prosecuted.
The judge, as part of the prosecution, asked for the source code used to target this defendant.
And instead of providing that source code, the FBI decided to keep it classified.
Without the source code, the case can't go forward.
The prosecution can't go forward.
The federal government has dropped its appeal on the case and has allowed this individual, Michaud, to go free.
So we were just talking about it before.
This is one of the luckiest people in the country. He was caught using child pornography, but because
the federal government has bigger fish to fry in the form of the source code, he's going to be able
to evade prosecution. So just take us through sort of the big picture of this. I mean, here we have
someone who has serious charges against him, but instead of pursuing that case, the government decides to step back and
live to fight another day? Yeah. First of all, there are 135 cases like this nationwide in
courts of varying jurisdictions. So it's possible that there could be a friendly judge somewhere
that could go through with the prosecution without asking for the source code. Generally,
a defendant in a criminal case has a right to what's called a Franks hearing, which is to
determine the sufficiency of the interrogation methods used to get evidence to arrest a person.
It's possible that there could be a judge that could deem the
investigatory process sufficient without looking at the source code. And since there are so many
cases cut across so many jurisdictions, it's certainly possible. And in that case, in order
to protect the code, it would not be in the government's interest to continue to prosecute
cases where they would have to reveal the code.
Of course, the result of that is that people who have committed a federal crime,
viewing child pornography, are going to evade prosecution. But I think the way the federal
government sees it, that's a small price to pay in order to protect the integrity of the source code.
And is there a way that the government can take that off the table?
I mean, it's going to be really hard.
Defendants have a constitutional right to confront the evidence against them and to know exactly which evidence produced the incriminating information that led to their charges. As I mentioned, they're entitled to this so-called Franks hearing.
And there could be judges who are going to be satisfied with the evidence without seeing the source code.
But if a judge isn't, then there are very few options that the federal government has.
Ben Yelin, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
My guest today is Robert Lord.
He's the CEO and co-founder of Protenus,
a company that provides privacy protection
for patients and providers in the healthcare industry.
He returns to the Cyber Wire to tell us
about their breach barometer report covering 2016.
One thing that we see is a remarkable consistency
from month to month on the proportion of types of breaches.
So we see always probably around 40%, give or take, of breaches that are attributable to insiders.
So one issue there is that we constantly, when we think about breaches, when we think about hacking or cybersecurity incidents,
we think about these external actors, individuals who are breaking into our systems and stealing data, whether that's state or criminal actors.
But in fact, what our research reveals is that, at least in healthcare, you've got hacking that
makes up about 26.8% of all breaches when you look back at all of 2016. But insider threats
are about 43% of all breaches. And so really what we're saying is,
you know, we really need to take a more, a closer and quantitative look to say,
what really do we need to defend against? And is it matching up with our broader intuition
around our vulnerabilities? So when you say insider threats, what's the spectrum of things
that that encompasses? So insider threats can be anything from your naively dangerous individuals, so individuals who might be taking information inappropriately home and then losing it, all the way to individuals who are systematically scraping and stealing medical records and diverting them to the black market for resale or for use against individuals. So it's a pretty wide spectrum of maliciousness and sophistication. But overall, what we see
is that healthcare, unfortunately, is not having these threats go down, really not deploying any
solutions to tackle them systematically across the industry, and that there's a real need to
grow an awareness of these challenges.
In terms of reporting these breaches, obviously healthcare is a highly regulated environment.
So how does the reporting with what is known, with what is made public, and the delays in getting that information out, how does that all play out?
Great question.
Reportable healthcare breaches fall into two broad categories.
One is your smaller breaches that just need to be reported on an annual basis. And those can be
things like faxes being missent, small individual incidents that don't really need to have the scope
of an immediate public notification, that type of thing. But any breach that involves greater than 500 patients,
HHS needs to be notified immediately of that. You have a 90-day reporting window for that.
And then those are added to what's called the wall of shame, which is maintained by the Office
of Civil Rights, which is responsible for administering HIPAA. And that really allows
you to get a sense of what are the breaches that are occurring, what are the characteristics of those breaches and how long is it taking people to respond to them? Now, one of the challenges that we see with that is wall, of breaches versus the OCR wall of shame were not being put on the OCR wall of shame.
And so what this means is that there still is a need to have a bit more of a rigorous methodology,
perhaps more of a proactive methodology to finding and reporting these breaches and making sure that
there's a centralized place for people to look at all of that information and understand what these trends are. We think that as hospitals and
health systems, HIEs, payers start to examine their security posture, we believe and we hope
that 2017 becomes the year of insider threat awareness. It's not that anything's fundamentally
changed. It's that what we believe is occurring is an awareness and a transformation in people's understanding of the fact that this is a threat that they can no longer avoid or believe is just the cost of doing business.
about at the Institute for Critical Infrastructure Technology. And that issue is, how do we ensure trust in healthcare, right? How do we have the confidence to know all the way from the patient
believing that their data will be protected and will be used appropriately, to the system
administrator knowing that everyone who has access to that data appropriately has that access and is
using it appropriately, to everything in between.
A hospital really needs to understand every single access to patient data that occurs.
And the health system as a whole badly needs a set of systems and processes to feel that
all of this interoperability, all this exchange of health data, all of this data sharing that's
been pushed, and appropriately so for improving patient care, is not done to the detriment of the privacy and security of all the
patients whose data is being shared. At its core, trust in healthcare is a question of making sure
that you understand what appropriate use of information is. And to do that, we really need
a greater understanding of all the players. That means we need to understand all the users and
how they normally and appropriately access data. We need to understand all the patients and what
those normal care flows should look like, what does an appropriate course of care look like,
and then all the connections between those, whether it's health information exchanges,
electronic health records, payers and claims management, financial systems.
Understanding both the content of the
data as well as how that data flows through all these health organizations is a real challenge
that healthcare is facing now, but one that they're beginning to tackle, one that they
understand really needs to come onto their horizon for 2017 and 2018, and one that also
at Protenus we're confident that they're going to be able to tackle successfully, especially with
new technologies coming out to the front from a variety of different areas.
That's Robert Lord from Protenus.
You can sign up to receive copies of their breach barometer reports on their website.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.