CyberWire Daily - Reconnaissance and degradation. Hybrid war in Eastern Europe and Southwest Asia. Eternal Silence infects unpatched systems. Dell customers reset passwords. SamSam indictments.
Episode Date: November 29, 2018
In today's podcast, we hear warnings of Russian recon "degradation" of the North American power grid. Information operations in Russia's hybrid war against Ukraine. Factions in Yemen's civil war contest cyberspace (and fiber optic cables). Eternal Silence exploits systems not patched against EternalBlue and EternalRed. Dell tells its customers to reset their passwords. And the US indicts two Iranians for deploying the SamSam ransomware. Emily Wilson from Terbium Labs with unintended consequences of GDPR. Guest is Francis Dinha, founder and CEO of OpenVPN, discussing the VPN landscape. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Warnings of Russian recon degradation of the North American power grid,
information operations in Russia's hybrid war against Ukraine,
factions in Yemen's civil war contest cyberspace and fiber-optic cables,
Eternal Silence exploits systems not patched against EternalBlue and EternalRed,
Dell tells its customers to reset their passwords,
and the U.S. indicts two Iranians for deploying the SamSam ransomware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 29, 2018.
Security firm FireEye warns that Russian threat actors are conducting opportunistic
and worrisome reconnaissance of the North American power grid.
FireEye calls the group they've been monitoring TEMP.Isotope,
but it's better known as either Dragonfly 2.0 or, of course, Energetic Bear.
TEMP.Isotope seems interested for now in collection and not disruption.
Some of that collection is thought to be designed with a view to improving Russian power distribution,
but it's difficult to read much of the rest as anything other than battlespace preparation.
It's worth noting that Energetic Bear has concentrated on intelligence collection,
and that it's operated to a great extent through phishing and watering-hole attacks.
Even reconnaissance takes a toll.
It certainly doesn't amount to a grid takedown or
to a disruption of service, but it does amount to what FireEye calls degradation in the
counterintelligence sense. It consumes security resources. It wearies security teams. It forces
certain defensive responses, and of course it can lay the groundwork for some future disruptive attack.
This is part of battlespace preparation. Russia's Ukrainian battlespace is already well-prepped.
It's also newly kinetic in the Sea of Azov, as Russian naval units have fired on and seized
some Ukrainian vessels. Ukraine has declared martial law in parts of the country. Information
operations have also begun. Ukrainian objections to attacks on shipping are nothing more, in Moscow's telling, than an electoral ploy to prop up Ukrainian President Poroshenko in preparation for the March elections.
Russian territorial waters and got what they had coming to them,
and anyway the incident has been blown out of proportion.
Expect more of this, and don't look for consistency.
It's what sticks that counts.
Information operations are nothing if not opportunistic,
and expect kinetic attacks in this hybrid war to be accompanied by offensive cyber operations.
Another kinetic war, the one in Yemen, is spilling over into cyberspace.
The Saudi-backed government and the Iran-backed Houthi rebels are contending for control of the
internet, blocking opponents, collecting intelligence, and conducting some online
banditry. The Houthis have been particularly active in cyberspace, as noted by Foreign Policy.
The leverage control of cyberspace brings to the combatants
has helped set some of the factions' physical objectives.
The fiber-optic cables that run through the Sana'a region
are especially prized and are thought to be the source
of a good deal of the Houthis' operational intelligence.
On the consumer side of cybersecurity,
VPNs, virtual private networks, are a popular solution for privacy (obscuring who you are), security (obscuring the data you're exchanging), and geography (obscuring where you're located).
But what about the business and enterprise case for VPNs? Francis Dinha is founder and CEO at OpenVPN, and he joins us to explain.
Their first use case is mostly remote access. Basically, giving mobile workers, say, if you're working from home, or even in a lot of cases right now, where a lot of resources and data are being
deployed on a cloud, and now you want to give your employees remote access, but mostly secure access, to all your resources, to all your services that are deployed, say, on Amazon Cloud, AWS, on your virtual private cloud or on your private network, for remote workers.
So VPN is used for remote access to, basically, network resources that are deployed in a private cloud
or a private network. There is also another case for managing devices. So for instance,
where you have companies who are deploying Internet of Things, we have, for instance,
a company air conditioning company where they deploy all these air conditioning units,
and they use VPN to basically monitor and remotely control all these different devices.
So that's more of an Internet of Things. Another use case would be points of sales.
For instance, there is a company that uses our OpenVPN
for basically points of sale in different restaurants where they utilize internet,
but then what they do is they use the VPN to tunnel all that information and send and exchange
all that information for point of sale going to the data centers.
And believe it or not, in some certain cases,
even cars like Tesla.
Tesla uses VPN and OpenVPN to tunnel all their traffic,
all things related to software updates,
or when it comes to whether they have the Google map for the navigation for updating that.
That, again, goes all the way to their private data centers and basically
being able to exchange information remotely and securely. So it's all for businesses,
it's all about remote access. There is another use case for businesses, which is also that I want to
make sure, as an IT person, I have full control over all the information that's
basically exchanged between the employee device and even the internet. So in a way,
this is a use case for security. So I would be able to tunnel all the traffic from that device
and making sure that I can block certain content, I can scan, I can block spam. So it's mostly for threat management and
intrusion prevention. So all that stuff,
VPN is used as a tool also for
the IT organization to control that level of
information and to provide that level of service, mostly for security.
So it's very close to the cloud security for the consumer.
But this is where the businesses basically have that use case of remote access,
but also the security, the cloud security as well.
And so when an organization is shopping around for a VPN provider,
what are the types of questions they should be asking?
It depends what is their use case.
The type of the question that they need to ask is what kind of protocols they are supporting.
Are they supporting OpenVPN protocols?
Are they supporting IPsec?
What kind of authentication mechanisms do they have?
Do they have dual-factor?
Do they support second-factor authentication?
Is it certificate-based? So all these are security questions that they have to ask.
The other thing they have to ask is on the server side, do you have a self-hosted solution?
Can I host this on my network or on my own cloud without having to go through your cloud?
Because I don't want my traffic to go through your cloud.
If it's okay, maybe in some cases,
I don't mind my traffic going through a third-party provider.
Is it self-hosted?
Can I deploy this on my cloud private network?
What kind of authentication mechanisms are also supported?
Does it support Active Directory?
Does it support RADIUS?
LDAP? Does it support SAML?
What kind of access control do you provide on your
VPN solutions? Do you provide me tools where I can
basically have different access for different groups, different organization
or different groups within my own organization? For instance, I have a
sales organization, I have engineering organization, and I have different access
privileges there that I can set, right? So there are all these kinds of questions a
business has to ask. I mean, it's really unlike consumers. The consumer use case is very simple.
I'm connecting to a third party VPN provider, all my traffic is flowing there. And I'm getting
pretty much just the service to access the internet. But in this use
case for business, we're talking about basically remote access to a private network, private
resources or private cloud, and also to tunnel all the traffic for securing that traffic through
their network as well. That's Francis Dinha from OpenVPN.
Security researchers at Akamai report that the UPnProxy vulnerability that enables exploitation
of the Universal Plug and Play protocol is now being used to hit unpatched devices behind router
firewalls. Attacks use EternalBlue and EternalRed, which the Shadow Brokers released
and said were NSA exploits against targeted computers. Akamai calls the campaign Eternal
Silence. As Akamai points out, this was bound to happen eventually. More than 45,000 routers are
believed to be compromised so far. It's worth noting that the vulnerabilities these exploits
use have been patched for some time,
but there's clearly no shortage of unpatched systems out there.
Dell has warned of an attempted breach of its networks and has taken the precaution of resetting
customer passwords. The computer company told Dell.com customers that it detected unauthorized
activity in its network on November 9th.
Dell believes that some unknown parties tried to access names, email addresses, and hashed passwords.
The company says there's no conclusive evidence that whoever was in its network was able to get
any data, but it wants its customers to reset their passwords and make them strong ones.
And should those customers have followed the bad but common practice
of reusing passwords on other accounts, they should reset those too.
A U.S. federal grand jury has indicted two Iranian nationals
on charges related to distribution of SamSam ransomware.
The U.S. attorney for the District of New Jersey has charged
Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri
with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud
and related activity in connection with computers, two substantive counts of intentional damage
to a protected computer, and two substantive counts of transmitting a demand in relation
to damaging a protected computer.
The most well-known and consequential SamSam infestation was the one that took so much of the city of Atlanta offline,
and other high-profile cases were also named in the indictment,
including the extortion attempts at the MedStar Medical Center in Baltimore, the Port of San Diego, the University of Calgary, and the Colorado Department of
Transportation. The FBI calls the effects of SamSam staggering. Some 230 entities were infected
with SamSam. The extortionists took in about $6 million in ransom payments, but that was the least
of the damage. The SamSam infestation caused around $30 billion, that's billion with a B,
in damage to the public and private institutions it affected.
Both Mr. Savandi and Mr. Mansouri are presently outside the reach of U.S. law enforcement,
but they'd be well advised not to vacation in places where an extradition treaty with the U.S. is in force.
They also face sanctions from the U.S. Treasury Department,
and those will have some effect whether the gentlemen are in custody or not.
Treasury has added, for the first time, digital currency identifiers to the targets on its
sanctions list, and it's helpfully provided guidance on how people involved with those
currencies can help block transactions. This is expected to be precedent-setting.
It's worth noting that this law enforcement operation was an international one.
The cooperating agencies included, the FBI says, the UK's National Crime Agency and West Yorkshire
Police, as well as Canada's Calgary Police Service and the Royal Canadian Mounted Police.
And I'm pleased to be joined once again by Emily Wilson.
She's the Fraud Intelligence Manager at Terbium Labs.
Emily, welcome back.
You know, certainly GDPR has been top of mind.
And one of the things you've been tracking is this possibility that there might be some unintended consequences as a result of GDPR kicking into place. So what's going on here? One of the news stories that caught my eye recently
is this feedback from the ICO. This is the Information Commissioner's Office out of the UK
where they're talking about an issue of too many breach reports coming in. The commissioner there mentioned this issue in a
talk they gave at a cybersecurity conference recently saying that they're getting something
like 500 calls a week since GDPR kind of came into play back in May. And something like a third of
these are actually not something that you would need to report. And beyond that, they're getting
people who don't have enough information or can't provide information, aren't in a position to talk
more in depth about what the issues are in a given situation. I think it's interesting because I
don't think any of us would have thought we'd get to a point where there are too many breaches being
reported. If we're getting 500 calls a week, I think that speaks to at least some of the volume
that we weren't hearing about until now, that people didn't have a reason to report until now.
And I think it puts the community in an interesting situation because we're facing kind of two things here.
One, we have the opportunity to get real insight into the frequency of how many data breaches are actually occurring or how many data breaches people think are occurring.
And then also we're seeing some confusion over the process, right?
In the meantime, we have companies that seem overly willing to comply,
whether because they're concerned about consequences or because, frankly, they need help.
And then in the meantime, who's not reporting?
Who are we not hearing from?
Who does have a good grasp on the situation and is thinking,
you know what, I'm going to just let this one slide and see if they find out. Something that got my attention from this,
some coverage about this comment from the commissioner was, you know, concerns about
too many notifications coming in and the problems that can have with breach fatigue, you know,
notification fatigue for consumers. And it is a difficult line because, you know, we want that
information to come in. I think as a community we want that information to come in.
I think as a community, we need it to come in.
We need to know what the baseline looks like.
We need to know how bad it is and in which ways it's bad so that we can make some progress
here and see what we have in common and work on this together.
But also, what do we do for consumers?
Consumers can't process something like 500 notifications a week.
And so how do we work with this data? Because I think we should be collecting it. I think we should be getting
as much information about this as we can. If for no other reason than it would be
good to know if 250 of the calls each week are coming from companies
who haven't had a data breach but have sent email
to the wrong outside contractor. Maybe we wouldn't call that a breach,
but if that's a consistent security concern or a consistent issue of data compromise,
then we should be recording that. We should use this to our advantage. But it seems like that's not really how the ICO is set up right now. And so what can we use to fill that space?
Yeah. Yeah. It continues to evolve as we face this new reality. Emily Wilson,
thanks for joining us. Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.