CyberWire Daily - Power grids, accidents, the challenge of forensics, and the nature of deterrence. BlueKeep considerations. Third- and fourth-party risks.

Episode Date: June 18, 2019

Investigation into Argentina’s power failure continues, with preliminary indications suggesting “operational and design errors were responsible for the outage.” Russia reacts to reports that the US... staged malware in its power grid. Iran says it stopped US cyberespionage. ISIS worries about its vulnerability to BlueKeep. A breach at EatStreet illustrates some of the features of third-party risk. Ben Yelin from UMD CHHS on a Virginia license plate reader ban. Guest is Jack Danahy from Alert Logic on the troubling issue of adversary dwell time and the IT vigilance gap. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Investigation into Argentina's power failure continues, with preliminary indications suggesting operational and design errors were responsible for the outage. Russia reacts to reports that the U.S. staged malware in its power grid.
Starting point is 00:02:11 Iran says it stopped U.S. cyber espionage. ISIS worries about its vulnerability to BlueKeep. And a breach at EatStreet illustrates some of the features of third-party risk. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 18, 2019. Investigation into the South American grid failure centered on Argentina proceeds, but remains in its early stages, and no cause has been publicly identified, according to AFP and other sources. The blackout is thought to have cascaded from a local failure.
Starting point is 00:02:52 Operational and design errors are thought to be at fault. Officials in Argentina say, according to the AP, that while a cyber attack is a possibility, that seems unlikely. Reports of U.S.-staged malware in Russia's power grid, presumably held there for retaliation against future Russian cyber attacks on U.S. targets, stand about where they did yesterday. The reports are unconfirmed publicly and at least partially denied by the U.S. TASS is authorized to state that Russia regards cyberwar with the U.S. as a hypothetical possibility, that while it's accustomed to U.S. misbehavior in cyberspace and elsewhere, Russia is quite capable of protecting its grid. Lawfare has a useful account of how the laws of armed conflict might apply to what would appear
Starting point is 00:03:42 to be a long-running, low-level conflict in cyberspace that many think has the potential to produce kinetic effects. The piece argues that there's at least a plausible case to be made that U.S. staging of malware in the Russian grid represents a, quote, countermeasure responding proportionally to Russia's activities in U.S. energy systems, end quote. That there have been such Russian activities for some time seems probable, to say the least. Last week's warnings about the appearance of Xenotime reconnaissance in U.S. utilities are the most recent reports of such cyber incursions.
Starting point is 00:04:18 It's worth noting that few, if any, are saying that the U.S. has actually induced blackouts in Russia. Johns Hopkins University's Thomas Rid, a scholar whose interests lie in cyber conflict, had observed on Twitter that telling someone you've put malware in their systems blows the capability. That is, it alerts the opposition and helps them find and fix what you've done. He offers this as general grounds for skepticism about the story, and as far as that goes, he's surely correct, and it would be wise to await more information. On the other hand, if the aim is deterrence, then you naturally want your opposition to know. They're not deterred by
Starting point is 00:04:57 what you might do unless they're aware of what that might be. There's that saying, when it comes to breaches, it's not a matter of if, it's a matter of when. But it's also a matter of how long. The amount of time an adversary stays in your system, also referred to as dwell time. Jack Danahy is Senior Vice President of Security at AlertLogic. It would be great if dwell time weren't as important, if people could simply feel perfectly protected all the time. But in reality, we know that a dedicated attacker will usually find a way in. And so therefore, dwell time is a really important measure about how quickly that intruder will be found and caught and stopped. So over the past probably decade or so, we've actually seen
Starting point is 00:05:41 dwell time improving. There were points in our history where dwell time was measured in years. But what we find now is that dwell time has been reduced, but it's been reduced to months. And the unfortunate part of that is good attacks, successful attacks, are successful in compromising systems in seconds or in minutes. And they're exfiltrating data just as soon as that happens. And so therefore, the fact that it will take weeks or months to actually discover that that's ongoing and to find a way to contain it makes it a real problem. The dwell time continues to be too slow in comparison with the speed with which the damage is happening.
Starting point is 00:06:22 Can you help me understand what are the different reasons for a long dwell time? Is it a tactical sort of thing? I can imagine there are some cases where someone would want to get out in and out as quickly as possible, but I suppose there are other times when they want to stay in that system. You know, a lot of these compromises can have multiple purposes. Over the last few years, we saw a real rise in what I think of sort of like smash and grab kinds of attacks like ransomware. The evidence of the attack is the benefit of the attack that they
Starting point is 00:06:49 attack and then they want to tell the victim, I've broken into your system, give me some money, I'm not going to give you your data back. And so in that case, dwell time was very, very short. But if you think about a more strategic attack where they're trying to exfiltrate data, whether it's credentials or financial information or trade secrets, the best way for the attacker to do that is to remain on that system for a long period of time, to take out as much data as they can, and not to make themselves so instantly discoverable. And for some of the other monetization strategies, things like crypto jacking, they also want to hang around for a long time because those miners are continuously using those system resources to generate cryptocurrency. They also don't want
Starting point is 00:07:30 to be detected very, very quickly. And so what we see happening, and you see some of this in reporting that came out in various analyst positions, you actually see that the first forms of attack are getting on the system. But then the next three things that these organizations are subject to is actually these persistence strategies. How do they create backdoors and how do they stay in those systems? Why the plateau? Why have we not continued to get better with this? I think it's a combination of things. The threat surface itself, meaning the way in which organizations are expanding their use of technology and their use of platforms, has caused it to be a really dynamic environment. And maintaining visibility across it can be hard.
Starting point is 00:08:10 A second piece is that a lot of the more viral attacks are now applying themselves almost as commodities across organizations of all sizes. And so we're seeing a lot more attacks against the small, medium-sized enterprises who may not have the capabilities and resources to be watching closely. So that amount of threat surface that has to be covered, which changes dynamically, combined with the style of organizations that are being attacked, creates a natural opportunity for the criminals to get on and stay on. What are your recommendations? How can folks get a better handle on this?
Starting point is 00:08:43 I think, number one, opportunities like this, where people can learn about the fact that dwell time is a considerable problem, that they have to be watching all the time across their entire systems to make sure that these things aren't happening to them, is the number one piece of awareness for people. Number two is understanding that the attacks themselves are changing, right? We've seen hundreds and hundreds of new types of attacks that come. We've got dozens of threat researchers who are out there gathering the intelligence about what's changing in the attack profile. And the types of attacks are changing as well. So you have to be vigilant across all your platforms, but you also have to make sure that you're looking for all the things that may matter.
Starting point is 00:09:23 And then when those things are happening, you also have to have the capability to recognize them and respond to them, right? Because the ultimate benefit of shortening dwell time is being able to stop the attack and get those people off the system, get those folks off the system before more damage can happen. That's Jack Danahy from AlertLogic. Iranian official media, without providing much detail, says that Tehran has detected and thwarted a U.S. cyber espionage campaign, which they attribute to the CIA.
Starting point is 00:09:54 ISIS, from its diaspora in cyberspace, is said to be expressing an interest in protecting its adherents from BlueKeep exploits. Homeland Security Today says the Electronic Horizon Foundation, an ISIS help desk, is warning about the risk of BlueKeep-based attacks. It's noteworthy that ISIS is concerned about its own exposure to BlueKeep. And it's not just ISIS. TechCrunch reports that the U.S. Department of Homeland Security has developed a remote code execution proof of concept exploiting
Starting point is 00:10:25 the bug. DHS's Cybersecurity and Infrastructure Security Agency, CISA, says that it successfully executed remote code on a Windows 2000 machine. Microsoft, of course, stopped supporting Windows 2000 back in 2010, and so Redmond's BlueKeep fixes don't apply there. We hope Windows 2000 is far, far in your rearview mirror, but in case it's not, if you can, upgrade. EatStreet, an online food ordering service, has disclosed that it sustained a data breach. Unauthorized parties were in EatStreet's systems from May 3rd until May 17th, at which point they were detected and ejected. Customers
Starting point is 00:11:06 who purchased food through EatStreet's website or app, which is available on Google Play, might have lost data that includes names, credit card numbers, expiration dates, card verification codes, billing addresses, email addresses, and phone numbers. Also exposed were data EatStreet had on its partners, including participating restaurants and the delivery services that actually brought the food to the customers. EatStreet says it's notified credit card companies to be on the lookout for attempted fraud. ZDNet has been contacted by the person or persons who claim responsibility,
Starting point is 00:11:43 and it's a familiar name, Gnosticplayers. ZDNet says, over the past few months, this hacker has stolen and put up for sale 1.071 billion user credentials from 45 companies. In the EatStreet case, he claims to have taken 6 million user records. Whether that's 6 million individuals' records or whether Gnosticplayers is counting each data element as a record is unclear. We heard from security firm Panorays' CEO, Matan Or-El, who sees this as another instance that demonstrates the ways in which an organization's security
Starting point is 00:12:13 extends to its supply chain and into regions that are not really under its direct control. To form a business relationship, Matan Or-El suggests, is inevitably to assume risk. The lesson Panorays draws is that companies need to vet their prospective partners from the point of view of security, taking into account their postures, practices, and procedures, and working with the partners to close security gaps before they're onboarded. And even when the partnership is concluded, some form of continuous monitoring is in order, since security is an ongoing process. We're accustomed to hearing about, and maybe even thinking about, third-party risk.
Starting point is 00:12:50 Panorays, and they're not alone here, makes a good point. An organization's supply chain risk runs beyond third parties. Panorays talks about fourth-party risk, and that indeed seems depressingly plausible. They sensibly stop there, but why not fifth or sixth or even greater levels of risk? At some point, one would have to stop. If anyone has any persuasive account of where, if anywhere, an organization could draw a line in its due diligence, we'd be interested to hear about it.
Starting point is 00:13:18 Seriously. It would be a shame if we wound up in the position of the philosopher William James, who, in conversation with a society lady given to esoteric speculation, heard from her that the world rested on the back of an elephant, who in turn stood upon the back of a turtle. To James's question, "And what, madam, does the turtle stand on?" she replied firmly, "It's no good, Mr. James, it's turtles all the way down." Just what do you think you're doing, Dave? And finally, yesterday's Daily Podcast erroneously said in an aside that in Stanley Kubrick's film 2001, HAL 9000 killed Dave Bowman.
Starting point is 00:13:57 In fact, the computer killed, at least, Frank Poole, V.F. Kaminsky, and J.R. Kimball. The latter two were in suspended animation. H.A.L. Niner Triple Zero, a native of Urbana, Illinois, we understand, only tried to kill Dave Bowman, but astronaut Bowman was in fact the only survivor. The CyberWire regrets the error. Calling all sellers. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:14:58 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:15:23 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:16:26 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. We had an article come by. This is actually from Car and Driver, and it is "License Plate Readers Are Dealt a Blow in Virginia, but Privacy Is Still a Rare Commodity Nationwide." You and I have talked about these license plate readers before. What's the latest here? As you know, license plate readers are able to take real-time photographs of people's license plates, put them in a giant database, and that information can be used to collect all sorts of
Starting point is 00:17:15 identifying information on individuals, where they are at certain moments. I watch a lot of Law & Order, and they're always using license plate readers to see, you know, who's driven into New Jersey, where can we chase the suspect? So they're very prominent in their usage. What this article lets us know is that one county in Virginia, Fairfax County, which happens to be, I believe, the most populous county in Virginia, their court ruled against the use of license plate readers absent some sort of specific articulable reason for that information to be collected. Normally, and this is how it works in probably 99% of counties and states across the country, there are virtually no legal limits on the collection of automatic license plate readers. This is largely due to a Supreme Court doctrine called the plain
Starting point is 00:18:04 view doctrine. You can't really have any expectation of privacy in anything that you put into the plain view that any law enforcement officer could spot doing a routine patrol on the street. Perhaps that concept is a little bit outdated when we're talking not about one single law enforcement officer using his Polaroid to capture a license plate, but we're talking about a systematic effort, an automated effort to collect every single license plate that goes through a particular turnstile, a particular area. This type of license plate reader can hold a lot of information, and it's completely suspicionless. Law enforcement, for the most part, does not need to have a reason to collect this information.
Starting point is 00:18:46 But led by the ACLU, drivers in the county of Fairfax, Virginia sued and got an injunction against the police department in Fairfax saying that in this particular county, the government actually has to have a reason to collect somebody's license plate. This isn't that strict of a standard. It's not saying that you have to have probable cause that somebody has committed a crime. It just has to, you have to, law enforcement has to come up with some justification about why this private information is collected. Yeah, one of the things that fascinates me with this topic that I wonder about is the
Starting point is 00:19:23 difference between the collection of the information and the analysis of the information. In other words, I can imagine a scenario where these cameras are out vacuuming up all the information, but law enforcement isn't allowed to look into that bucket of information without a warrant. So the information is there and it's available, but I have to convince a judge that what I'm looking for is legitimate and that the scope of what I'm looking for makes sense in terms of being narrow enough. This is such an interesting question. We see it a lot in all types of Fourth Amendment cases. If you're collecting a haystack of records, then do you really have a privacy interest in a simple needle of that haystack? And what other courts and analysts have said is, you know,
Starting point is 00:20:05 think about doing a Control-F search in a 100-page Word document. In order to see if the word that you've identified is contained in that document, you necessarily have to search through every single word. If you have a database of license plates that have been subject to these automatic readers, they are necessarily all going to be scanned when you're doing a search for an individual license plate. Now, whether that's problematic from a civil liberties perspective is going to depend on individual tastes. But I think certainly courts have acknowledged that a person potentially could have a privacy interest simply in the collection of
Starting point is 00:20:45 that information, even if it specifically has not been analyzed. Well, this is one that continues to evolve and we'll keep an eye on it. Ben Yelin, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:21:29 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios
Starting point is 00:22:10 of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Starting point is 00:22:19 Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:22:58 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
