CyberWire Daily - Slack closes a vulnerability. Email tracking in a court martial. Restrictions on doing business with Huawei come into place. A case of responsible disclosure.
Episode Date: May 17, 2019. A Slack vulnerability is disclosed and fixed. And this is not as seen on TV: a real NCIS investigation is likely to occupy real JAGs for some time to come, with implications for military and civilian ...cyber law. The US is moving rapidly on Huawei and its associated companies: it’s now much harder for US companies to do business with them, and there’s likely to be fallout in other countries as well. An exposed database affords an instructive case of responsible disclosure. Joe Carrigan from JHU ISI on USB device encryption and best practices. Guest is Mike Kijewski from MedCrypt on security for new and legacy medical devices. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A Slack vulnerability is disclosed and fixed,
and this is not as seen on TV.
A real NCIS investigation is likely to occupy real JAGs for some time to come,
with implications for military and civilian cyber law.
The U.S. is moving rapidly on Huawei and its associated companies.
It's now much harder for U.S. companies to do business with them,
and there's likely to be fallout in other countries as well.
And an exposed database affords an instructive case of responsible disclosure.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 17, 2019.
Tenable this morning reported a vulnerability in the business cooperation tool Slack.
The flaw is now fixed, as it had been earlier disclosed to Slack.
It affected the Slack desktop application for Windows version 3.3.7.
It has been fixed in version 3.4.
It had been possible for an attacker to send a malicious hyperlink via a Slack message.
Once clicked, the link would change the document download location path
to a file share the attacker owned.
This could have enabled theft or manipulation of other documents
subsequently downloaded within Slack.
As noted, the problem has been fixed,
so users would be wise to update to the latest version.
There's no indication that the vulnerability was ever exploited in the wild.
The U.S. Navy may have put trackers in emails destined for defense counsel and news media
covering a military trial involving leaks, Military Times reports.
The Naval Criminal Investigative Service is investigating media leaks surrounding a high-profile case
in which a Navy special operator is charged with
murder and a Navy officer is charged with conduct unbecoming an officer in an associated case.
The Navy judge presiding over the case had imposed a gag order to help ensure fair due
process for the defendant, and NCIS was trying to find who was violating that order.
In any event, the Navy judge advocate prosecuting
the case sent emails to, among others, defense counsel with a tracking image embedded below the
signature block. A Navy Times editor was among those who received the email with the tracker.
It was designed to identify the recipient machine's IP address and report it to a server in San Diego.
It normally requires a subpoena or court order to acquire IP addresses or other metadata,
Military Times says.
Military Times is a sister publication to Navy Times, both papers belonging to the Sightline
media group.
A Navy spokesman told Military Times that this is about the defendants, Senior Chief
Edward Gallagher and Lieutenant Jacob
Portier, quote, receiving a fair trial with due process in the military justice system, end quote.
The spokesman, Captain Greg Hicks, declined to comment specifically on the tracking code,
but said, quote, following continuing and ongoing violations of the federal protective order,
NCIS initiated a separate investigation into violations of that
protective order. That investigation is ongoing, end quote. Captain Hicks did not say whether the
Navy obtained a search warrant or subpoena in connection with the emails. He did say that,
quote, the media was not and is not the focus of the investigation. The focus of the investigation
is squarely on identifying unauthorized disclosures that violate the judge's protective order. An NCIS spokesman said that,
quote, during the course of the leak investigation, NCIS used an audit capability that ensures the
integrity of protected documents. It is not malware, not a virus, and does not reside on
computer systems. There is no risk that systems are corrupted or compromised.
This, of course, satisfies no one who was troubled by the telltale code.
Military Times points out that maybe this is a violation of existing privacy laws,
including the Electronic Communications Privacy Act,
and defense counsel have complained about the potential for abuse.
The law here may be unsettled, but several state bar associations are on record against the use of such tracking technology.
This sort of investigation, by the way, for those of you who watch NCIS on TV,
is actually a lot more typical of the cases NCIS works on than the harum-scarum stuff you see on the small screen.
Wednesday's U.S. Executive Order on Securing the Information and Communications Technology and Services Supply Chain declared a state of emergency under the International Emergency
Economic Powers Act, the National Emergencies Act, and Section 301 of Title III, United
States Code.
The Executive Order directs the Secretary of Commerce to take the lead in
minimizing the risk from companies controlled by foreign adversaries, read China. Its immediate
effect is to clamp down on the use of Huawei technology in the U.S. The U.S. Commerce Department
immediately banned Huawei and 70 of the company's partners. The measure will also affect U.S. exports. Broadcom, Qualcomm, Intel,
and Oracle, among others, will henceforth find it difficult to sell to Huawei, the Wall Street Journal points out. Strictly speaking, commerce placed the Chinese company and its partners on
an entity list. Doing business with them will require a special license. The entity list applies
to both imports and exports.
China's government has called the executive order and its attendant enforcement actions a
wrong course and promises to resolutely defend Chinese companies from Washington's depredations.
Beijing sees the affair as a move in a trade war.
U.S. allies may be nudged by both prudential policy and the Wassenaar Arrangement to
follow suit. Wassenaar is an arms export control regime whose 42 signatories undertake to cooperate
on restricting trade in not only conventional weapons, but dual-use articles that have both
military and civilian uses. Cyber tools are among the dual-use items the arrangement addresses.
U.S. allies are also concerned that giving Huawei too large a share
in their national infrastructure could inhibit intelligence sharing
with the United States.
Of the Five Eyes nations, the U.S. and Australia take the hardest line
on the risks posed by Huawei products and services.
The other three eyes, Canada, New Zealand, and the United Kingdom,
are uneasy about the Chinese company,
but more ambivalent than the Australians and Americans.
France's President Emmanuel Macron's reaction to the U.S. executive order
is representative of that in other allied countries.
It's not France's perspective to move against Huawei or any other company,
but France is determined to take measures to secure itself.
That said, President Macron suggested that a trade war was in no one's interest.
So why do companies and governments do business with Huawei?
The company's gear is good enough, and besides, it's generally the low-cost option.
It's so low-cost, in fact, that a number of Huawei skeptics consider the pricing
unsustainable, a low-ball campaign for market penetration that will change once the customers
are locked in. Ever taken an online survey, maybe to enter a sweepstakes for prizes?
Sure you have. Most of us have. Of course, such surveys and sweepstakes are marketing instruments
and a large Elasticsearch database containing such information as name, physical address, email address, IP address,
phone number, date of birth, and gender was found exposed online by independent researcher Sanyam Jain.
Jain, who Bleeping Computer says is affiliated with the GDI Foundation,
tracked the data back to marketing firm Path Evolution,
a subsidiary of iFicient.
He disclosed the exposure to the company,
which promptly secured the data.
iFicient has pointed out that the data
didn't include social security numbers,
credit card numbers, or passport numbers,
so they fell short of the fullz,
so beloved of hacker black marketeers,
and short of the kind of personal information covered by various U.S. state laws.
But it's still an embarrassing lapse,
and iFicient is both shoring up its security and notifying people affected by the disclosure.
But iFicient's response to Jain's disclosure was, Jain said, refreshing.
They thanked him and took action.
All too often, the response to this kind of disclosure, he suggested to Bleeping Computer,
is to be either ignored or threatened with legal action.
So, an unfortunate lapse, but a nice tale of responsible disclosure, responsibly received.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Joe, it's great to have you back.
It's good to be back, Dave. We had a report come by. This is from a company called Apricorn,
and they manufacture hardware encrypted USB data storage devices.
And they came up with a report.
They did a survey of over 300 people across a bunch of different industries examining ways that they use USB devices.
Correct.
So trying to sort of take a look at what are people doing right and what are people doing wrong.
Right.
And what did they find here?
They found that 91% of the respondents claimed that encrypted USB drives were important,
but only 58% said that they regularly use encrypted USB devices. So that's interesting.
Yeah. Well, let's just walk back a little bit here. When we're talking about an encrypted USB
drive, what's the practical implications of that? I'm not exactly sure how the product that Apricorn sells works, but presumably it's a
hardware level encryption so that everything on the device is encrypted and that if you don't
have the keys to get into that device, then you're never going to open it.
Right. So if I lose this drive in a parking lot or something, somebody who picks it up,
it's going to be worthless to them. It's going to be worthless to them, right?
There's other ways you can do it.
I think SanDisk has a product that's
similar that runs software
that encrypts the drive.
And then, of course, there's the
free solution. You could use
VeraCrypt, which is an open source encryption
product that lets you create
encrypted volumes or
encrypt entire volumes like a USB
drive, that's actually the solution I use to keep my important stuff encrypted on my USB drives.
And I use it by creating a volume, an encrypted volume that takes up a certain portion of the
drive. The reason I do that is because I still need to have these drives available for unencrypted
usage. I mean, encryption is not always important.
For example, if I'm going to give a presentation to somebody, right, I'm going to give a presentation
to a group of people, and I have that presentation on a USB drive, right, I'm going to show everybody
in the room and show everybody in the world what this presentation is if they wanted to
watch it.
So I really don't care if this information is discovered,
but I do need a way to quickly and easily put it on somebody else's computer
without having to worry about do they have the VeraCrypt software installed
or do they have the SanDisk software installed.
Right.
Or even just have the key or the password.
Right, or do I have the keys or the password?
Might not want to reveal.
Plug it in, copy my presentation over, and deliver my presentation.
So, I mean, again, we have to decide what's information we want to protect and what's information we don't want to protect.
Now, obviously, there's lots of information we want to protect.
And if that information needs to be protected, then when it's on a USB device that's considered data at rest, right, we should definitely be encrypting that information through some means.
Yeah. And this whole notion of kind of the USB device promiscuity of going from one computer to the other. I think about public health and
on the one hand, there's washing your hands and the other hand, there's inoculation.
Right. And it seems to me like you should try to be protecting your devices from both ends.
Correct. You know, informing your users not to just plug these things in and out willy-nilly.
Right.
But also have whatever mechanisms that are on the machine that might get plugged into
to whenever something gets plugged in to take a look at that.
And before you go off and load something or run something,
you know, have some kind of software on there to take a look at whatever might be on there
and scan to see if there might be any problems.
Yeah, absolutely.
And additionally, there are other things out there.
Malicious hardware is just a bank of capacitors.
It stores up all the power that gets sent to the USB drive over time and then feeds
it back all at once in an attempt to burn out the motherboard.
It just zaps it.
Yeah.
Yeah.
So don't ever plug anything you find in.
I'm not saying those devices are rare.
Those motherboard destroyers are rare, and they're kind of costly, but –
Better safe than sorry.
Better safe than sorry.
Yeah.
Your bigger risk here is finding malware or getting malware on something, and I don't like the idea of using the free devices at conferences.
I've even gone so far as to hand them out at a conference, but –
Because your boss told
you you had to. No, it's just a piece of swag that we had. But before we did that, I actually had
one of my students go through on a Raspberry Pi and delete everything off those things. Because
where do you get those things? They come from some marketing supplier. You don't know what the
supply chain on that marketing supplier is. They're buying those devices from the lowest bidder.
Yeah.
Right?
Yeah.
So we ran a complete wipe on everything before we handed it out.
Huh.
And we don't hand them out anymore.
Yeah.
Just because we just don't think it's good practice to hand them out.
Right.
Right.
All right.
Well, this company, Apricorn, who makes these, obviously they have a little bit of interest
in making people want to use encrypted USB drives.
Which is not a bad idea.
Not a bad idea.
But, you know, just be mindful.
It's not a completely unbiased look at this.
Right, right, right.
All right.
Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
My guest today is Mike Kijewski.
He's CEO and founder of MedCrypt,
a company that helps medical device manufacturers improve their cybersecurity.
Our conversation centers on the current security state of medical devices,
steps that producers of those devices are taking to better secure them, and how appropriate regulation may take a part in moving things forward.
The majority of medical devices that are being used today
were designed without really any thought about cybersecurity
when the devices were developed.
And there could be a couple of reasons for that.
It could be that device vendors were assuming that these devices
were being used on a hospital network,
and the hospital network was inherently secure, and therefore the devices themselves didn't need
to have these security features. Or it could be that the device vendors just didn't think that,
you know, security was an issue. Who's ever going to hack a medical device? You know, is this
sort of an apocalyptic scenario that is reserved for, you know, terrorist movies? Or is that, you know, actually a real
practical concern? And I think going forward, there are challenges when designing a medical device
in prioritizing clinical features over cybersecurity features. So for example,
you know, the number one priority of a pacemaker is that it always continues to keep the patient's
heart beating. And when you're designing a pacemaker, that's obviously the most important thing that you need to be designing the device.
Well, how many clinical features can an engineering team put off to the future in return for implementing some security features to ensure that that device is functioning safely?
And designing security features into
devices, as you can imagine, can be pretty tricky and pretty time consuming. So there's this constant
battle between clinical functionality, interoperability, ease of use for clinicians,
and actually building security features into these things so that bad guys can't do bad things with
them. Yeah, you know, one of my colleagues here, Joe Carrigan, works at Johns Hopkins,
and he was saying that, you know, someone comes into the emergency room there, and they're not going to say, hey, my first priority is that you secure my private information.
You know, I need you to, you know, take care of this chest pain that I'm having or get these
bullets out of me. Yeah, that's exactly right. And I think, you know, maybe even a less issue is the classic problem in healthcare of who is the user, who's the customer, who's the buyer. When you have a cardiologist who's choosing a pacemaker for a patient, the cybersecurity features are probably relatively low on their list, right?
is not going to function on the hospital's network. So the hospital IT department is that concerned about it. The insurance company doesn't really have any incentive to minimize the security
risk in the pacemaker. And the medical device vendor, you know, they're just trying to build
clinical functions to differentiate their device from the competitors. So you end up with a device
that is in, you know, a patient's chest that goes home with them that perhaps has some security features.
And then you have a nightmare scenario where the FDA has to mandate a recall on a device
because they've decided that the security vulnerability found in that device is not acceptable.
Do you think there's a regulatory solution here?
I mean, certainly when I think of the medical industry, I think of things like HIPAA,
where big changes
can happen, they can come down from on high. Is that one possibility? You know, it's a really
good question. And I, before starting this company, you know, considered myself to be a, you know,
very free market, somewhat libertarian leaning individual who was very skeptical of the
government's ability to have a positive impact on, you know, on something in the market. But having worked pretty closely
alongside the FDA and looking at this problem, I found that, number one, there
might not be another organization that has the leverage necessary to fix this problem. It
might need to come from the FDA. And the things that the
FDA has done in the last four years to attempt to improve medical device cybersecurity, I think,
have been very measured, sort of, you know, responsible interventions and not the kind of
heavy handed anti-business, you know, legislation that some people would have you believe that the
FDA is, you know, is in the business of doing. One example of this, they've come out with two guidance documents
related to what they call post-market cybersecurity and pre-market cybersecurity in medical devices.
And as a guidance document, the first page of each of these documents says,
these are non-binding recommendations from the FDA. So lots of medical device vendors said, oh, well, these are optional because it's guidance. We
don't really need to do this. And the FDA has come out and said, no, that is not true. Safety
in medical devices is mandatory. Cybersecurity is an aspect of safety. Here is our recommendation
of how to build safe medical devices. If you do it some other way, that's fine, but it needs to
be better than this.
And people have asked them, why don't you just pass a law? Why don't you create some regulation that actually mandates that device vendors do this? And the FDA has said, well, the pace of
cybersecurity moves so quickly that if we were to make a regulation, the regulation would be
five years, if not 10 years behind what the current state of cybersecurity is. If we say,
hey, you have to use encryption on medical devices. Well, what kind of encryption? What's the key
length? What algorithms are okay? It kind of becomes a rat's nest of questions that need to
be answered that lead to this sort of heavy handed regulation that ends up being sort of
anti-business. So I think the FDA has done a great job of addressing the problem, you know,
especially this most recent guidance they put out last October. So one thing that comes up regularly
when writing these sorts of stories are the nightmare
scenarios of the Homeland episode where the vice president's pacemaker gets hacked.
And it's pretty easy to point the finger at device vendors that have been in the news
recently for having cybersecurity vulnerabilities in their devices.
But what I will say is that, number one, the clinical functionality of a medical device,
basically any medical device,
almost always outweighs the cybersecurity risk of that device. So for example, I think Medtronic
had an issue with pacemakers last fall where a vulnerability was found. Does that mean that if
your parent or your grandparent has a pacemaker in their chest, they should go get it removed?
No, absolutely not. The clinical functionality of these devices are orders of magnitude more beneficial than the cybersecurity risks are detrimental.
And I do think that, you know, from working with a lot of these bigger medical device vendors
pretty closely, they're doing a great job of changing their practices and building features
into devices. And some of them have been doing this for, you know, close to a decade and have
done a pretty good job at it. So it's, you know, the sky is not falling. This isn't a nightmare scenario.
Device vendors, I don't think, are being negligent by putting devices out there that lack security
features. I think it's more of an industry problem where, as we discussed, the incentives maybe
aren't perfectly aligned to result in, you know, really well-secured devices. And the FDA has been the organization that I think
has done the best job of changing that dynamic. That's Mike Kijewski from MedCrypt.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.