CyberWire Daily - Recovery and attribution: Petya/Nyetya/NotPetya. Cyber conflict and collective defense. Online inspiration and online censorship. The EU's regulatory big stick. Vishing Parliament.
Episode Date: July 3, 2017
In today's podcast, we hear that recovery from Petya/Nyetya/NotPetya proceeds—and it's not ransomware. Ukraine says Russia's responsible. US warnings of cyberattacks on nuclear power plants may have been premature. NATO members consider when to invoke Article 5 in cyberspace. Islamist inspiration and other political discontents continue to prompt content screening in Europe. Europe is also in a punitive mood with respect to regulation. Kaspersky says it will show the US its source code if that's the cost of doing business. Markus Rauschecker from UMD CHHS describes a novel use of kidnapping insurance. And, hey, Lords and Commons: that's not really Windows support asking for your password.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Recovery from Petya/Nyetya/NotPetya proceeds, and it's not ransomware.
Ukraine says Russia's responsible.
U.S. warnings of cyberattacks on nuclear power plants may have been premature.
NATO members consider when to invoke Article 5 in cyberspace.
Islamist inspiration and other political discontents continue to prompt content screening in Europe.
Europe is also in a punitive mood with respect to regulation.
Kaspersky says it will show the U.S. its source code if that's the cost of doing business.
And hey, Lords and Commons, that's not really Windows support asking for your password.
I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 3rd, 2017.
Last week's Petya, Nyetya, NotPetya campaign is now clearly seen as destructive
and disruptive, and not a ransomware attack at all. By the way, we're just going to refer to it
as Petya in today's podcast, just for the sake of time. Affected organizations continue their
recovery. The experience of Maersk is instructive. Last Thursday, the shipping company told customers its operations had resumed at a now-close-to-normal rate, although some clients reported continuing difficulties.
FedEx's TNT Express subsidiary was also heavily affected, with disruptions reported into the
weekend. There's been no shortage of advice on how enterprises might respond to Petya.
They range from the simple "for heaven's sake, patch already" to "you should have used blockchain"
and all the way to retaliation by drone strike.
Ukrainian authorities have directly and unambiguously blamed Russia for last week's Petya attacks.
They've also called in international partners, including Interpol and the FBI, to help with the investigation.
The threat actor held to be responsible is the group known as Telebots or Sandworm,
a Russian actor also associated with attacks on Ukraine's power grid, in December 2016.
Russian authorities, for their part, deny having anything to do with it, but their story finds few takers.
It's true that some Russian enterprises, notably the oil company Rosneft, were also infected,
and it's also true that Russian presidential spokesman Dmitry Peskov
called late last week for the international cooperation against cybercrime of this type.
Whether one sees infestations at Rosneft and Mr. Peskov's desire for cooperation
as exculpatory evidence or as provocation and
misdirection will depend on how historically informed one's interpretations of official
Russian motives are. Three observations are perhaps in order. First, as much as Petya was
called ransomware, the number of informed observers who think it was a campaign of
ordinary criminal extortion is vanishingly small.
Thus, an expressed desire to bring the criminals to justice is either naive or disingenuous.
Second, Rosneft itself obliquely hinted that there's maybe, just maybe,
a domestic source of the attack it suffered.
The oil company said it hoped the attack had nothing to do with ongoing legal battles
with its oligarch-owned rival, Sistema.
And third, the incident seems too closely aligned with Russian objectives in the hybrid war against Ukraine
to be a mere coincidentally criminal operation.
U.S. government warnings last Friday of phishing campaigns successfully targeting nuclear power installations
may have been premature.
In any case, the Nuclear Energy Institute said Saturday that no U.S. nuclear plants had been penetrated.
We mentioned drone strikes as a possible retaliation for Petya a moment ago.
That's surely headline writer's exaggeration.
No one has seriously suggested droning some GRU coder for whatever it is that Sandworm may or may not be up to.
But as cyberattacks increasingly have physical effects, kinetic retaliation is more often considered.
British officials are the latest to entertain such speculation,
and NATO members are devoting some hard thought to the circumstances under which the alliance's Article 5, collective defense, might be invoked in the case of cyber attack.
Islamic groups continue to post inspirational material online.
An affiliate of Al-Qaeda in Mali has posted disturbing video of long-term hostages it's kidnapped,
and a group of foreign fighters in Syria has appeared in a pro-ISIS exposé of all that's wrong with the Dar al-Harb:
sensuality, lack of compassion, indifference to the plight of the elderly, and so on.
These points are, to be sure, in tension with or outright contradiction
to the murderous practices ISIS and similar groups have sought
with unfortunate success to inspire.
But for a window into the story they're telling and the values they're offering,
this video offers some useful and sobering insight.
The European Union and some of its member states signal a determination to police data security, competitive practices, and extremist speech.
Germany has enacted a law that would impose harsh penalties on services that permit hate speech.
A look to existing measures to identify such speech suggests the problem remains unsolved.
Facebook's guidelines for human curation of content carried over the social media provider
show the difficulty of applying such measures in ways that either can't be easily circumvented,
that yield counterintuitive results, or that simply amount to censorship.
Those optimists inclined to see carrots may wish to consider that the sort of stick GDPR might wield against non-compliant companies was foreshadowed last week in a different case entirely.
Last week, the European Union hit Google with a record fine for anti-competitive behavior,
a cool $2.7 billion for goosing search results in its own favor.
Google will appeal, but Mountain View isn't optimistic. Google has said it expects to pay
in full. It may get worse. The EU's Commissioner for Competition followed up the regulatory finding
by encouraging companies whose business may have been damaged by anti-competitive practices
to use her report as the basis for civil suits against Google.
Kaspersky Lab will show its source code to the U.S. government,
a development that hasn't been universally welcomed in the security industry.
Kaspersky was facing a possible congressional ban on doing business with the U.S. defense sector.
Russia mulls retaliation if Kaspersky is barred from such work in the U.S.
Finally, a quick update on those assaults on the British Parliament's email system.
Over a week ago, Whitehall was subjected to a brute force campaign designed to expose
parliamentary passwords.
Late last week, MPs were warned again.
They'd been receiving phone calls from Windows, contacting them on behalf of the Parliamentary Digital Service.
As you might expect, they were calling to help with problems, and would the MPs kindly tell them their passwords,
the better to enable them to address the problem, and so on.
The actual Parliamentary Digital Service was quick to say that we will never ask you for your password.
Indeed, no one with your best interests at heart is likely to ask you for your password.
And no, that isn't Windows calling.
The boiler room background noise alone is a dead giveaway.
And joining me once again is Markus Rauschecker.
He's the Cybersecurity Program Manager
at the University of Maryland Center for Health and Homeland Security.
Marcus, great to have you back.
We saw a story come by via Reuters, and the headline was companies use kidnap insurance to guard against
ransomware attacks. That's news to me. What's going on here?
Yeah, this is somewhat of an
interesting new approach here that some companies are taking. As you may know, companies that do
business in dangerous parts of the world may often have these kidnap
and ransom insurances so that in the event that one of their employees gets kidnapped
and held for ransom, the insurance would kick in and actually pay the ransom to release
their employee. Now, some companies are taking that kind of insurance and trying to apply
to cyber incidents, specifically ransomware incidents. So a company
will become a victim of a ransomware attack where their data is held ransom, so to speak,
and the company has to pay to get that data back. That can be very costly. So a lot of companies who
have this kidnap and ransom insurance are trying to use that insurance policy to cover their cost
for responding to the ransomware cyber attack.
It was interesting in this story, they quoted a
gentleman named Bob Parisi, who works for Marsh & McLennan Companies, an insurance broker.
He said, if your CFO gets kidnapped, the company is going to continue to function.
If you get a piece of malware in the system, you might have two factories that stop working.
The actual damage is probably greater.
That may be true unless you're the CFO.
Well, yes.
You certainly wouldn't want to be the CFO in that situation.
Right.
But it is certainly the case that for a lot of companies, the data that they have and that they use to conduct business is absolutely critical.
Without that data, they can't do business. It's vital that if they are victim to a ransomware
attack, that they get access to that data again as quickly as possible. So, you know, it's
interesting that companies are trying to use this kidnap and ransom insurance and are trying to
apply to ransomware incidents when that clearly
was never the intent of this kind of insurance policy. It was always intended to apply to
individuals who might get kidnapped, but not to cyber incidents. So I think it's kind of an
ingenious or a novel way of trying to get coverage. But I think what companies really should be doing
and what they really should consider is getting actual cybersecurity insurance, right? A cyber insurance policy that will actually apply
in cases of ransomware as well. Because I think in the end, the company will be much better off
having that kind of an insurance policy that will specifically apply to cybersecurity incidents and
incidents of ransomware where they know they'll be covered
and can recoup on some of those costs that are associated with the incident.
Yeah, I thought an interesting take home. The article ends talking about AIG, the insurance
company, saying that they've reduced business interruption coverage for kidnapping and ransom
policies to a million dollars for cyber extortion events. And the quote is,
insurers didn't anticipate there would be this much ransomware activity.
Yeah, unfortunately that is the case.
Ransomware is a growing threat.
It's only going to continue to grow,
and hopefully companies are realizing that
and doing everything that they should be doing to protect themselves and their data.
All right, Markus Rauschecker, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.