CyberWire Daily - Power grid risks. Update on the Mandiant employee hack. "Mr. Smith" holds HBO for ransom. Shipping industry looks for GPS backup. DHL sees a NotPetya windfall. Google patches ten Android remote-code execution vulnerabilities. NIST issues a Cybersecurity W
Episode Date: August 8, 2017
In today's podcast, we hear how a security incident at EirGrid, a misconfigured server in Texas, and a demonstration of photovoltaic system hacking prompt power grid security concerns. Update on the Mandiant employee hack. "Mr. Smith" holds HBO for ransom (but says, no, he's really a good guy). Shipping industry looks for GPS backup capability, and shippers not hit by NotPetya enjoy an increase in business. Google patches ten Android remote-code execution vulnerabilities. Joe Carrigan from JHU on Facebook and Google eavesdropping conspiracy theories. Juan Perez-Etchegoyen from Onapsis on Oracle business app vulnerabilities. NIST issues a Cybersecurity Workforce Framework. Supported by E8 Security, Johns Hopkins University, and Domain Tools. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A security incident at EirGrid, a misconfigured server in Texas,
and a demonstration of photovoltaic system hacking prompt power grid security concerns.
Updates on the Mandiant employee hack.
Mr. Smith holds HBO for ransom but says no, he's really a good guy.
The shipping industry looks for GPS backup capability
and shippers not hit by NotPetya enjoy an increase in business.
Google patches 10 Android remote code execution vulnerabilities
and NIST issues a cybersecurity workforce framework.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 8, 2017.
It's come to light that Irish power utility EirGrid sustained a security breach earlier this year,
apparently a man-in-the-middle attack through Vodafone's direct internet access service.
It was a data collection operation, not an attack on power distribution itself,
but the incident is attributed to an unspecified state-sponsored hacker,
and it's worth noting that attacks on Ukraine's power grid were preceded by collection.
So whether this is battle space preparation or a more ordinary intelligence service sweeping in what's there to be swept up remains to be seen.
And of course infrastructure is vulnerable to more obvious, less exotic risks as well,
including the now familiar issue of inadvertently exposed databases.
UpGuard's Chris Vickery found a misconfigured rsync server that exposed customer data involving critical infrastructure
for the city of Austin, Texas,
and such private companies as Dell, Oracle, and Texas Instruments.
The server is maintained by Power Quality Engineering.
The data exposed, Vickery said,
include schematics, plans, and, of course, credentials.
We've seen reports on the vulnerability of solar power systems to hacking.
Recent reports that solar power systems were vulnerable to attack are on one obvious level unsurprising.
Why should solar be immune to attacks when coal, diesel, nuclear, wind, and hydropower generation systems aren't?
The answer, of course, is that solar systems are themselves connected to the grid.
And unless you're truly living off the grid, in that fishing camp you've retired to in the Aleutians, say,
well, you may not be interested in solar systems, but a hacked solar system
might be interested in you.
Research into vulnerabilities in SMA solar systems shows that a successful attack could well cascade across the grid as a whole.
The research, conducted by Willem Westerhof, a security engineer at ITsec Security Services in Amsterdam,
took as its starting point the increasing number of photovoltaic installations on the grid,
their high degree of Internet connectivity, and the interconnection of the power distribution
system itself. The European grid has over 90 gigawatts of photovoltaic capacity in it.
Causing that capacity to fluctuate suddenly could induce load balancing issues that could severely
disrupt the grid as a whole. Westerhof also says the vulnerabilities he disclosed still haven't
been patched.
It can be a challenge to keep your business-critical applications patched and up-to-date.
The folks at Onapsis Research Labs provide intelligence on Oracle and SAP security threats.
We spoke with their chief technology officer, Juan Pablo Perez-Etchegoyen,
about vulnerabilities affecting Oracle business-critical applications.
This is not an SAP problem.
It's a problem of the business critical applications because all these applications are very complex with proprietary protocols,
heavily integrated, heavily customized, very critical.
And we started researching on Oracle E-Business Suite
in a new research project that we started early this year.
We went deeper into Oracle E-Business Suite and identified a lot of different vulnerabilities. One of the most critical
vulnerabilities that was patched by Oracle in the latest CPU was an arbitrary reports download,
arbitrary download of files from the Business Suite. We were able to go deeper into the web interface
and understanding how it works, which are the components. And because of that, we were able
to identify multiple vulnerabilities. And overall, we reported over 250 already to Oracle.
And what has Oracle's response been to your reporting? Have there been patches issued?
Well, this specific issue that was mentioned, it was patched. A lot of the issues that we ... specific vulnerabilities. We reported them in April and in July. There was already a patch for this one and some others as well. I assume they take this very seriously because of the
nature of the application, how critical it is, and also how critical these vulnerabilities are.
And so you've discovered these vulnerabilities through your research.
Was there any sense that any of these vulnerabilities were being exploited in the wild?
Well, that's the hardest part of all this, right?
It's very challenging to identify if someone is actually abusing of those vulnerabilities in the wild.
We have not seen any evidence, but that doesn't mean that they are not being exploited.
And so for those people out there who are using some of these Oracle applications, what's your advice to them?
We understand that the patching process in business-critical applications is really complex.
Most of the times they do not even get the change management windows or they get a very small time frame to do changes.
But despite that, the recommendation is to apply the patches.
Go back to your DBA teams and make sure they understand
how critical these vulnerabilities are
and how important it is to be up-to-date
in these applications in terms of patching.
That's Juan Pablo Perez-Etchegoyen.
You can see why most of his friends just call him JP.
He's from Onapsis.
To follow up on the story of the 31337 group's hack of a Mandiant employee,
corporate parent FireEye's investigation appears to confirm its initial take on the incident.
It appears to have affected one employee's online accounts,
and any damage seems to have been limited and now contained.
A tip of the hat,
by the way, to Jason DeFilippo at the Grumpy Old Geeks podcast for pointing out that 31337
translates to elite in hackerspeak. Of course it does. HBO is falling, or so Mr. Smith would have
everyone believe. More Game of Thrones material has been released,
and the attacker's motive has come into clearer focus.
They're asking for millions in extortion payment from HBO.
A letter from the hackers, which they sign as Mr. Smith, says,
quote, Our demand is clear and non-negotiable.
We want, and the amount has been redacted,
dollars to stop leaking your data.
HBO spends $12 million for market research
and $5 million for GOT7 advertisements, so consider us another budget for your advertisements,
end quote. Well, that's one way of thinking about it, we suppose. Mr. Smith also says,
implausibly, that it's not about the money, that they wish HBO all the best and just want to become the cable giant's partner.
Their claim of white hat status is of course not being taken seriously.
The incident remains under FBI investigation,
and most observers think the most damaging leak has been that of the script
to an as-yet-unreleased episode of Game of Thrones.
The shipping industry continues to experience material effects from the NotPetya infestation
that spread outward from Ukraine beginning this past June.
Not all those effects, however, have been bad ones.
At least one shipper, German package delivery outfit DHL, was not hit by the malware epidemic
and has seen an increase in its business as frustrated customers shift their trade from
infected shippers to DHL.
The maritime shipping industry is concerned about the vulnerabilities of GPS
and is looking to re-establish manual navigation as a backup should GPS suddenly turn unreliable.
GPS represents an attractive target for cyber attack by criminals, hacktivists, or nation-states,
and even as efforts to harden it proceed,
the logistics sector seems to be preparing for the worst
in the form of regaining various old-fashioned kinds of navigational expertise.
Google issued its August Android update yesterday.
The fixes patched 10 critical remote code execution bugs.
In the U.S., NIST has released its new Cybersecurity Workforce Framework.
Special Publication 800-181 was circulated yesterday.
The goal of the framework, developed by the NIST-led National Initiative for Cybersecurity Education, or NICE,
is to promote cyber workforce development.
The NICE framework establishes a common, consistent lexicon to describe cybersecurity work
by category, specialty area, and work role.
It also provides a list of knowledge, skills, abilities, and tasks for each such work role.
It's hoped that the framework will help foster the emergence of clear training,
education, and career paths for cybersecurity.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000
off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber
criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back.
Hi, Dave.
All right, so we are going to wade into a conspiracy theory.
I love conspiracy theories. Are we talking about chemtrails?
No.
That's my favorite.
No, no, no. It's not chemtrails. It's not Bigfoot. It's not... nothing. But okay.
But okay.
So here's the scenario. You're having a conversation with a friend.
You are not logged into any computer or anything like that.
And you're just talking about something.
You're talking about some product that you might be interested in.
And immediately after that, you start seeing ads for that product.
Odd.
Because it's interesting because yesterday I had this conversation with another person as well.
Yep. Me too, actually.
She was saying that she has noticed a trend in her advertising that it has to do with
conversations, things she's not necessarily searched for. Everybody knows when you search
for something on Google or when you use Gmail or Facebook, you start getting targeted ads.
But what she has said she's noticed, and I've noticed this too, and apparently you've noticed,
is that things that you've discussed in conversation are now coming up in ad engines.
Right.
And you're pointing to a conspiracy theory mindset, but it's certainly not outside the realm of possibility, right?
It's not.
And so Google and Facebook deny that they're doing this.
Of course, we know that our devices are capable of listening to us.
That's how, you know, the things like when you're summoning things like Siri and Alexa and so forth, they always have to be monitoring sound for that to work.
They have to be listening.
So it's within the realm of possibility.
There was actually a story in the BBC about this where they contacted some researchers who sort of spun up an app in a couple of days
that was a proof of concept that this sort of thing could happen.
Right.
They were using an Android phone, and it could listen and not use a lot of battery power and send the
things that it heard to a nearby PC that could then be used to target ads and so forth. But
all you need to do is just upload it to some cloud service and you've got it.
Right, but what I'm skeptical about is this seems like the kind of thing that if it were so,
researchers would be all over this.
Security researchers would be all over this,
and it wouldn't be that hard to figure out if it were actually happening.
It is a good research topic, I think.
I think maybe there's somebody out there working on a PhD
that would like to take this on as one of their research papers.
Well, and I haven't found anything other than anecdotal evidence, which we agree, anecdotal
evidence is not evidence.
It's anecdotal or it's evidence.
That's right.
So there's tons of anecdotal evidence about this.
People are convinced that it's happening.
Everybody has stories.
On the other hand, the sophistication with which these
tracking systems work, I think, could fool you into thinking that perhaps it was listening to a
conversation when it actually wasn't.
It would be simple enough to find out if it's happening from our phones listening to what we're talking about.
I would think so.
So here's what I propose.
if we have any listeners who have actual data about this, I'm not looking for anecdotes.
I'm looking for a scenario where someone has actually studied this and looked into it to try to conclude whether it's actually happening or not.
Please let us know.
You contact us on Twitter.
It's at the Cyber Wire.
Or you can send us an email.
It's questions at the cyberwire.com.
We'll talk about it here.
We'll probably talk about it on Grumpy Old Geeks coming up this week.
And we'll see what we can get to the bottom of it.
All right.
I like that idea.
All right.
Thanks, Joe.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Thank you.
... data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease
through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.