CyberWire Daily - Pensacola under cyberattack. Notes on ransomware. The US Justice Department IG report on Crossfire Hurricane. Who let the bots out?

Episode Date: December 10, 2019

The city of Pensacola is hit hard by an unspecified cyberattack. Ryuk ransomware decryptors may cause data loss. A new variant of Snatch ransomware evades anti-virus protection. The US Justice Department's Inspector General has reported on the FBI's Crossfire Hurricane investigation. Another unsecured database exposes PII. Keep an eye out for Patch Tuesday updates. And it's prediction season, so CyberScoop lets the bots out. Ben Yelin from UMD CHHS on legislating the right to sue online platforms. Guest is Chris Wysopal from Veracode with findings on security debt from their State of Software Security report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_10.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The city of Pensacola is hit hard by an unspecified cyber attack. Ryuk ransomware decryptors may cause data loss. A new variant of Snatch ransomware evades antivirus protection. The U.S. Justice Department's inspector general has reported on the FBI's Crossfire Hurricane
Starting point is 00:02:13 investigation. Another unsecured database exposes PII. Keep an eye out for Patch Tuesday updates. And it's prediction season, so CyberScoop lets the bots out. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 11th, 2019. The city of Pensacola, Florida, has disconnected most of its networks in response to a cyberattack that hit over the weekend. The attack began early Saturday, the Pensacola News Journal says,
Starting point is 00:02:54 hours after a Saudi military pilot undergoing training at Pensacola Naval Air Station murdered three U.S. sailors and was subsequently shot by local police. The timing of the cyber attack raised speculation that it might be connected to the shooting, which, according to the New York Times, authorities are investigating as a possible terrorist incident. But so far, no such links have been found. The motivation behind the cyber attack remains unclear. The city hasn't said, for example, whether it's received ransom demands. The city has said that no personal information appears to have been compromised, but the investigation is still young and still ongoing. Pensacola is working with the FBI on the case. The decryption specialists at Emsisoft warn that the criminal-provided
Starting point is 00:03:35 Ryuk ransomware decryptors may damage larger files. The decryptor truncates big files, and Emsisoft finds that this can result in unrecoverable data loss. Decrypt if you must, but better to restore from secure backups. And better yet, to avoid infection in the first place. While we're on the subject of ransomware, researchers at security firm SophosLabs report finding an evolved version of Snatch ransomware that avoids some antivirus protections by causing Windows to reboot in safe mode.
Starting point is 00:04:08 The U.S. Justice Department late yesterday released its Inspector General's report on the FBI's 2016 Crossfire Hurricane investigation. Crossfire Hurricane was opened to look into allegations of Russian influence in President Trump's campaign. As The Washington Post summarizes the report, the IG found that the FBI had grounds to open an investigation, but that the investigation itself was marred by serious failures. Those failures are particularly evident, NBC News says, in the way the FBI obtained and used FISA warrants and in its handling and assessment of confidential
Starting point is 00:04:43 human sources. Reading through the report, we see that the most prominent confidential human source mentioned, or CHS as the IG teaches us to call such persons, is Christopher Steele, the British national who provided the kompromat of the Steele dossier to various parties, including opposition research shop Fusion GPS. The FBI cited information from Steele in its application for a FISA warrant to surveil Carter Page, then a foreign policy advisor to the Trump campaign. The process of obtaining a FISA warrant requires that the request be based on verified information. That verification, according to the IG, was less than fully successful.
Starting point is 00:05:23 In one instance, for example, the Bureau submitted a Yahoo News article in verification of some of Steele's claims, without noting that the article was based on information from Steele. With apologies to Ludwig Wittgenstein, this is a little like buying a second copy of a newspaper to confirm the stories you read in your first copy. The IG found that the process of securing the warrant was marred by serious performance failures by the supervisory and non-supervisory agents with responsibility over the FISA applications. Page, the IG report says, did indeed have contact with Russian intelligence officers, but he did so with the knowledge of an unnamed U.S. agency he was providing information. That agency, Page has
Starting point is 00:06:05 said, was the CIA. In general, the report suggests that the inquiry was handled carelessly and under the spell of the sort of target fixation to which investigative agencies are frequently tempted. There's no finding of political bias in the Bureau, but those disposed to look for it will find, indeed, have already found, plenty of circumstantial evidence of it, mostly surrounding eagerness to swallow the Steele dossier hook, line, and sinker. Those disposed to dismiss political bias are focusing on the IG's finding that the FBI had grounds to start an investigation. The FBI immediately accepted the report's recommendations
Starting point is 00:06:42 and says it's moving to strengthen applicable procedures and oversight mechanisms. Application security firm Veracode recently published the latest update to their State of Software Security report. Chris Wysopal is CTO and co-founder at Veracode, and he takes us through their findings. Customers that scan their software for vulnerabilities on a more frequent basis end up fixing vulnerabilities a lot faster. So it shows that just a process change can lead to more secure software. So based on what you gathered here in this report, what are your recommendations?
Starting point is 00:07:27 Yeah, so the recommendation is to make a cultural change of not having a separate security team be the people that test software, decide what to fix, and then essentially harangue the development team to fix issues not on the development team's schedule or when it's best for them. The recommendation is to get management in the development organization to take ownership for this and use as evidence things like the State of Software Security Report, which says you're going to have much more secure software actually with less effort. It's going to be easier for you to produce more secure software. And get that buy-in at the executive team and then push it all the way down to the individual development teams where they will take ownership for securing the software and the security
Starting point is 00:08:15 team then becomes a consultant. They become someone that helps this process work, but they're not there in the daily meetings saying, should we fix this bug anymore? The security team takes ownership of that and gets trained to have some expertise so they actually know what they're doing. Then they build it into their process and they think about getting it better and better over time. Was there anything in the report that was surprising to you? Any unexpected results that came through? Well, we did something which was a little different this time,
Starting point is 00:08:49 which was we didn't just look at how often scanning was done. We looked at the pattern of the scanning. So was it steady? Was it on a daily basis, a weekly basis? Was it irregular? Was it something where it seemed haphazard? Like, why are they scanning now? And why is there a lot of intense scanning over this period? Or what we called bursty, which was long periods of time where no scanning activity happens,
Starting point is 00:09:15 then a month or two of intense scanning activity, and then a long period of time with none. And that kind of showed us that they were scanning only as they got close to the release cycle. And we didn't know what to expect from breaking development teams into those three categories, steady, irregular, and bursty. So the recommendation is scan on a steady basis or even an irregular basis, but don't go long periods of time without scanning. That almost guarantees your product is going to be less secure. It kind of reminds me of the frantic cleaning of the house that takes place before Thanksgiving or when family's coming over and you haven't done it in a while, you start throwing things into closets and you pay for it later.
Starting point is 00:09:59 Absolutely. I think that's a great analogy. At the high level, when we say like, you know, is software, you know, getting more secure or less secure? We just saw over the 10 year period that we've been doing it, a lot of vulnerabilities that are well known, like SQL injection, are sort of at the same percentage rate that they were 10 years ago. 23% of apps 10 years ago had one or more SQL injection vulnerabilities. And here in 2019, 24% of apps have one or more SQL injection vulnerabilities. So it's crazy to think that if you zoom out and look at the big picture, not much has changed as far as are people fixing
Starting point is 00:10:40 these problems or not, or introducing these problems. So we still have a lot of work to do as an industry. And we hope that these recommendations that come out of the report, where we see what particular development teams are doing really well, we can percolate that through the industry so that becomes the average way of doing things, and everyone gets better, not just these teams that have a great process. That's Chris Wysopal from Veracode. The day now seems somehow incomplete without news that a misconfigured cloud database has exposed a great deal of personal information, and today, unfortunately, is complete. TechCrunch reports that the British penetration company Fidus has found another one. It's an AWS bucket
Starting point is 00:11:23 belonging to a company that TechCrunch and Fidus declined to name. The company's business is the processing of applications for copies of U.S. birth certificates. The exposed database holds more than 750,000 applications. Such applications contain a considerable amount of personally identifiable information, including, according to TechCrunch's look at the material, the applicant's name, date of birth, current home address, email address, phone number, and historical personal information, including past addresses, names of family members, and the reason for the application, such as applying for a passport or researching family history. That's a lot. Amazon said it
Starting point is 00:12:00 would notify the unnamed company whose bucket it is that needs to, well, do something about it. Today, of course, is Patch Tuesday, so be on the lookout for updates from Microsoft and Adobe. Expected sometime this afternoon. We'll have notes on the fixes tomorrow. And finally, it's also prediction season, and the cybersecurity industry has been busy making them. We do link to those in our daily news briefing, and we encourage those interested to look there for the sector's virtual crystal ball. But we'd be remiss if we didn't mention one outstanding and very funny aggregation of 2020 forecasts. It's in CyberScoop, and by all means, give it a look.
Starting point is 00:12:39 The publication decided to turn the AI loose on the predictions to glom them all together. And they didn't stop there, either. They let the bots do the writing, too. As the editor says in her disclaimer, the article is all generated through Markov chains and is only super lightly edited for clarity. Those Markov chains are rattling better than the cash boxes that encumbered Jacob Marley when he visited Ebenezer Scrooge. Their most insightful prediction, we thought, was prediction number eight. More security officers will get worse. Tell it, brothers and sisters. We particularly liked the way the bots attributed a quotation
Starting point is 00:13:15 to Karl von Clausewitz at the end of every section, a riff on his famous dictum that war is the continuation of politics by other means. A few of our favorites were "war is merely the continuation of the evolution in cloud security," or "war is merely the only way to monetizing IoT network attacks," and "war is merely the marketing deployed." So bravo, CyberScoop, and do go read the whole thing.
Starting point is 00:13:44 Calling all sellers. Salesforce is hiring account executives Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:14:33 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:33 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security, also my co-host on the Caveat podcast. Ben, great to have you back. Good to be here with you, Dave. Interesting article. This is from The Verge, uh, something you and I have touched on over on the Caveat podcast, but there's
Starting point is 00:16:23 some specifics here I wanted to dig into for our audience. And this has to do with whether or not you have a right to sue Facebook and other online platforms and some legislation that's being cooked up to address this sort of thing. What's going on here? So there was some promise in the past several months that there could be bipartisan agreement on federal data privacy legislation. This has been a long running problem. We have this patchwork of state laws and some federal regulations that apply to data privacy, but we don't have uniform federal legislation. So a couple of key senators in the United States Senate, a Democrat, Maria Cantwell of Washington, and a Republican, Roger Wicker of Mississippi, have been trying to work on a bipartisan solution to this problem. And I
Starting point is 00:17:10 think there is general bipartisan interest in the skeleton of such a bill in terms of some of the things we all agree on, like giving the FTC, Federal Trade Commission, enforcement authority on data privacy violations. But a big source of disagreement is giving consumers, users, a private right of action against the big tech companies. What does that mean? So this would allow a legal cause of action for any user of any one of these sites or any one of these technological devices to directly sue that company for damages. So oftentimes you'll see legislation that bans a private right of action
Starting point is 00:17:48 where the legislation will explicitly say an individual doesn't have standing to sue on the basis of a violation of this statute. What Senator Cantwell's proposal would say is that users do have legal standing to sue if they are alleging that their data has been compromised by one of these companies. So the positives would be having a private right of action gives these tech companies, the Twitters and Facebooks of the world, more of an incentive to protect user data.
Starting point is 00:18:17 If they're fearful about getting sued, they might hire more compliance officers to make sure that they're complying with this federal statute. The downside, which is something that Senator Wicker and other Republicans have talked about, is that this could lead to a flood of lawsuits. And when a similar standard, a similar private right of action was applied to the telecommunications companies back in the 90s, it did lead to a lot of lawsuits, hundreds of thousands of them. A corollary to that argument, Senator Wicker's argument, which I think has a lot of merit to it, is Facebook and Twitter, you know, they have the resources to respond to lawsuits.
Starting point is 00:18:58 They're wealthy companies. Mark Zuckerberg can hire the best lawyers in the country. Jack Dorsey probably could too. You know, resources are just not going to be a problem for them, even if they're sued by millions of users, if there are a bunch of class action lawsuits. So this might be a regulation or a change in the law that actually would benefit big tech companies at the expense of the smaller guys out there. Could keep the smaller guys from establishing a foothold in the market even. Exactly. A big burden. Exactly, because compliance would just be far more expensive.
Starting point is 00:19:45 And there would constantly be this threat of litigation, so that might impact somebody developing a new technology, you know, or a new interface, where they're not entirely clear if there are robust data protections. Maybe the company decides not to go through with that because it's too expensive to try to comply with these new federal regulations. So the upshot of this, you know, Senator Wicker claimed as part of this article that he doesn't think this dispute on a private right of action is going to derail the entire effort to have a federal data privacy bill. I think Senator Cantwell has also signaled an openness to having legislation that does not have this private right of action. This is just going to be part of ongoing negotiations. There are certainly legitimate positives and negatives for that particular provision,
Starting point is 00:20:33 but it's something that's going to have to be worked out in the United States Senate. All right. Those gears keep turning, right? Absolutely. They always are. Although we don't usually associate the United States Senate with gears turning. Gears grinding. Yeah, the gears are grinding very slowly. Sanding, monkey wrenches, and rust on the gears. It is the cooling saucer, as they say, of our democracy. Yes, yes.
Starting point is 00:20:54 All right. Well, Ben Yelin, as always, thanks for joining us. Thank you. Cyber threats are evolving every second, Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
Starting point is 00:22:14 where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Thanks for listening. We'll see you back here tomorrow. Thank you. is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
