CyberWire Daily - Solorigate: targeting, collateral damage, or staging? The Cyberspace Solarium has some advice for US President Biden. UKRI breach. British Mensa thinks over a data exposure.
Episode Date: February 1, 2021
Untangling Solorigate, and distinguishing primary targets from collateral damage (or maybe side benefits, or maybe battlespace preparation). Congress asks NSA for background on an earlier supply chain... incident. The Cyberspace Solarium Commission offers the new US Administration some transition advice. Rick Howard hears from the hash table on Microsoft Azure. Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities. And the week gets off to a rough start for smart Britons. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/20 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Untangling Solorigate and distinguishing primary targets from collateral damage.
Congress asks NSA for background on an earlier supply chain incident.
The Cyberspace Solarium Commission offers the new U.S. administration some transition advice.
Rick Howard hears from the hash table on Microsoft Azure.
Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities.
And the week gets off to a rough start for smart Britons.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 1st, 2021.
As the U.S. government and industry continue to untangle the effects of Solorigate, Bloomberg reports speculation that Russian intelligence services may have been especially interested in what they could glean from tech and cybersecurity firms over the course of the SolarWinds supply chain compromise.
Insight into defenses and cyber tools would have been particularly valuable.
They're valuable, as Recorded Future's Allan Liska told Bloomberg, because, quote, if you can compromise security infrastructure, you essentially have the keys to the kingdom and can run around undetected, and we're dealing with an advanced adversary who's looking for this kind of access, end quote.
Four cybersecurity companies have reported attacks, FireEye, Mimecast, Qualys, and Fidelis.
The threat actor is being tracked for now as UNC2452.
IT and cyber firms didn't, however, comprise the entire list of private sector targets.
InfoSecurity magazine notes that the Sunburst vulnerability has been determined to affect a number of manufacturing companies.
Kaspersky CERT found that targeting broke down as follows.
32.4% of all victims were industrial organizations,
with manufacturing 18.1% of all victims, by far the most affected.
This was followed by utilities at 3.2%,
construction 3%, and transportation and logistics just under 3%, and oil and gas 1.3%.
Computing says that while most of these targets may well have been collateral damage from a supply chain attack whose primary interest lay elsewhere, and that there are no particular signs of a secondary attack against them, Kaspersky researchers didn't rule out the possibility that such attacks might be staged.
In any case, the industrial concerns affected by the supply chain compromise are international.
The countries affected, according to Computing, are, in addition to the obvious United States, Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, and Uganda.
The global spread is reminiscent of what was observed in an earlier supply chain campaign, NotPetya.
The probable primary target was Ukraine, but the malware was felt around the world.
Solorigate has provoked congressional interest in an earlier incident, a 2015 breach of Juniper Network servers, in which the attackers made small changes to code for the Dual_EC_DRBG encryption algorithm.
NIST had promulgated the NSA-developed algorithm as a standard for encryption in 2006.
Bloomberg Law reports that two senators and eight representatives have signed a letter
asking NSA Director Nakasone to explain whether NSA, years before General Nakasone's watch,
had effectively backdoored the encryption in ways that enabled a hostile intelligence service
to compromise the software supply chain.
The Cyberspace Solarium Commission has produced a transition book for the new U.S. administration.
They recommend three steps for immediate action.
First, establish the office of the National Cyber Director.
Second, develop and promulgate a national cyber strategy.
And third, improve the coherence and impact of existing government cybersecurity efforts and further strengthen partnerships with the private sector.
The document also outlines several priorities for the administration to take under advisement.
UK Research and Innovation, known by its acronym UKRI, an arm of Her Majesty's government that concerns itself with investing in British science and research, has disclosed that it's presently coping with a ransomware incident.
UKRI is being tight-lipped about the incident, which it says it's referred to the National Crime Agency,
the National Cyber Security Centre, and Information Commissioner's Office,
but it's known to have affected two services.
The UK Research Office's Information Service Portal for Subscribers was hit,
as was an extranet UKRI Councils use for peer review of proposals.
Both services have been suspended.
UKRI is funded by the Department for Business, Energy and Industrial Strategy
with a budget of more than £6 billion.
According to Bleeping Computer, the organization says
it has no evidence the compromised data was stolen before being encrypted
and hasn't detailed what the nature of that data was.
The incident remains under investigation.
And finally, it's been a rough start to the week for smart people over in the UK.
British Mensa, the national branch of the organization that describes itself as the High IQ Society,
has said that there has been a series of events which appear to be designed to discredit Mensa's systems.
A representative of the group told the Financial Times that,
as a result, we have handed details of these events to the Information Commissioner's Office
with a view to pursuing a criminal investigation.
How'd they get in?
Apparently, says Forbes, they had one of the Society Director's credentials.
The Society's webpage has been shut down with a charmingly retro drawing of a thundercloud
overtopping what may be a Bauhaus office building alongside the legend site under maintenance.
The British Mensa website is currently undergoing maintenance.
We apologize for any inconvenience.
The whole thing looks circa 1998, we'd say.
Not quite a guy with a shovel and a tagline under construction, but you get the picture.
British Mensa's former technology officer, Eugene Hopkinson, resigned last week in an apparent
protest of the group's allegedly lax security practices. In particular, Mr. Hopkinson objected
to the group's failure to salt and hash members' passwords, and that it held a great deal of sensitive data about its 18,000 members,
including email addresses, passwords, home addresses, instant messaging conversations,
and, it goes without saying, pay card details.
Oh, and it also holds the IQ scores of not only members, but, wait for it,
failed applicants as well. So whether you're in
the top 2% with, say, a 174 IQ or one of the rest of us clocking in around 100, well, Mensa knows.
And so probably does whoever hacked in. What someone would do with anyone's IQ is to us a
bit of a mystery, but surely there's plenty of potential embarrassment to go around.
on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And it is my pleasure to welcome back to the CyberWire Daily podcast, Rick Howard,
our Chief Security Officer and Chief Analyst.
Rick, great to have you back.
Thank you, sir.
So last week on CSO Perspectives, you did a deep dive into Microsoft Azure
and you looked at things like zero trust, intrusion kill chains, resilience, and risk assessment.
For this week's show, you brought our experts to the CyberWire's hash table
so that they could tell you what you got wrong. How did that work out for you, my friend?
Well, as you can imagine, it's always humbling, okay? I'm always awed at how many smart people
there are out there that really know their stuff, you know, and grateful, by the way,
that they come to the hash table to help us understand some of these admittedly complex ideas.
In this show, I talked to Microsoft's lead cybersecurity architect, Mark Simos,
about resilience in the form of DDoS protections by virtue of being part of Microsoft's very large
and already protected network, and ransomware protections
with a mechanism called immutable storage. And we talked about a zero-trust construct called
management groups. That is a very unsexy name, okay, but gives Azure administrators a lot of
control over any zero-trust policy. So, at the end of these two shows,
what's your impression? I mean,
can security executives secure their cloud environments? Well, I think the simple answer
is yeah, they can. All right. Cloud vendors don't make it easier to secure your data in their
environments as compared to how we do it back at headquarters or on-prem, but they do provide an
equivalent set of tools. I did ask Rick Doten, the Carolina Health CISO, that very same question at the hash table.
And he said he thought so too.
But the one thing that still nags at him is the single vendor problem.
So once you commit to a cloud provider, Microsoft or any of them,
it will be difficult to extract yourself once you have any sizable or meaningful workloads running there.
It can be done, but you're not turning that tire on a dime, right? And he told a great story. He
likens the whole problem to the single cloud, or he calls it the single cloud provider problem,
but he thinks it's very similar to the old Jimmy Stewart Christmas movie,
It's a Wonderful Life. I know you love that movie. And by the way, I love that movie,
okay? I cry every single time. When the entire town comes in to save George Bailey at the end,
you know, tears, tears in my eyes. How can you not? You're not a monster, right? I mean,
how can you not? I'm a human being. Right, right. All right, so there's a scene in the movie when
the Depression is just starting, and everybody in town is trying to get their money out of the bank that George runs.
And George, played by Jimmy Stewart, he says this.
You're thinking of this place all wrong, as if I had the money back in a safe.
The money's not here.
Well, your money's in Joe's house.
That's right next to yours.
And in the Kennedy house, and Mrs. Maitland's house, and a hundred others.
So Rick Doten's great Jimmy Stewart analogy is that if you decide that you don't like your current cloud provider anymore,
getting your data to the new cloud provider's network will be an interesting exercise.
I bet they don't make it any easier for you, do they?
I know.
Everybody likes to have that lock-in, right?
Lock-in, that's how we make our money.
All right, well, it is CSO Perspectives.
It is part of CyberWire Pro.
You can learn all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Andrea Little Limbago. She's the Vice President of Research and Analysis at Interos. Andrea, it is always great to have you back. I wanted to touch today on a survey
that I know you've been working on dealing with COVID and supply chains. What are some of the
cyber-related findings that you have to share with us? Right. And, you know, there were a lot
more cyber-related findings than I initially had anticipated. So over the summer, we surveyed 450
executives from some of the big corporations in the United States to really try and ascertain what kind of disruptions there were from COVID.
You know, we heard a lot.
This was during the middle of the summer.
We'd heard plenty of news about the food supply chain.
We saw it in our grocery stores.
But we wanted to get into more of a data-driven understanding of exactly what was going on. And so the survey did prove very useful in highlighting some issues that we kind of thought were there anecdotally, but it's always good to find the data actually supports it.
And so on the one hand, unsurprising, 98% of respondents felt that their supply chain was disrupted.
97% felt there's some vulnerabilities
that were exposed. And again, similar numbers felt that these kind of disruptions were going
to continue in the future. At the time, we were talking about a second wave, and now it's just
really going into this ongoing wave that just keeps escalating. So there's big concern about
how that's going to be impacting. But what really was highlighted after the disruptions from COVID, one of the big
exposures for vulnerabilities was the growing concerns over cyber. And so while COVID posed
the biggest threat and risk, cyber wasn't far behind. And so I thought that was interesting.
And it did change a little bit industry to industry. The aerospace and defense industry, far and away, were the most concerned about cyber compared to some of the other industries that we interviewed.
Something like 72% noted cyber as the biggest risk that they're facing right now.
Bigger than COVID?
Just behind COVID.
They still felt COVID was large, but right on top with COVID.
And actually, in some other areas, they did rank cyber as a
bigger concern than COVID. And that's just aerospace and defense. Other industries,
COVID was by far and away number one with cyber behind a bit more. And then even concerns about
cyber looking at the future elevated even more as well. And so I thought those were interesting.
You know, the concerns, one, and this is what sort of goes back to the aerospace and defense,
you know, a lot of geopolitical forces that are underway were concerned.
But it links directly to these concerns about basically the supply chains, both in digital supply chains,
being across the globe and being concerned about various kinds of data access and data insecurity within certain countries.
And so, you know, on-shoring and reshoring away from some of these countries, you know,
already was kind of underway just due to security concerns and data risks.
But now COVID is escalating those as well.
And so I thought that was interesting.
And then other areas, you know, really really we asked several questions about digital supply chains.
You know, that's an area that keeps growing in importance.
You know, something like, you know, there was one study last year, close to 80% increase in supply chain attacks in 2019.
You know, we hear about all these, you know, like 60% of breaches linked to third-party vendors and so forth.
So we know that supply chain attacks are becoming more and more common.
And so we asked questions about digital supply chains.
And the findings, you know, again, prove that that is a growing concern.
And what I thought was interesting was people,
that the respondents were just as concerned about supply chain attacks
to their direct suppliers as they were to basically junior suppliers,
like those sub-tiers that are the suppliers of your suppliers of your suppliers and so forth.
Right.
And they were just as concerned about both.
And again, that makes sense because, you know, these supply chains are so tightly integrated,
but so complex as well,
that it's hard to have visibility across.
You know, most companies don't even know
who is in their extended supply chain
when you go down to those various tiers
because it's just so complex.
And so that also means that, you know,
there are companies, you know,
downstream in your
supply chain ecosystem that likely have access to your data and you don't even know how they're
protecting their data. And so that exposes a big vulnerability. And, you know, one question we
asked was, you know, what percentage of their own data exists external to their own networks? And,
you know, on average, it was about 40% of their data exists, you know, downstream across their
ecosystem. And so, you know, that's a significant amount of data.
And if you don't know how, if you don't know what the security postures are of companies
across your ecosystem, that could be a big vulnerability.
Is there a sense that, I'm thinking in terms of uncertainty, because I think when you think
about COVID, we have a lot of uncertainty right now.
Absolutely.
We don't know the timeline for a vaccine. We don't have a clear sense for the success of vaccines. Is there similar uncertainty
on the cyber side of things? Yeah, I think so. And I think that it's almost the convergence of
the two as well that makes it even more uncertain. Many respondents noted that the pandemic makes
them more vulnerable to cyber
attacks. And that gets into the area, you know, given the distributed workforce that's going on,
you know, there's such, you know, it's just increasingly as hard to, you know, maintain
the tighter security controls. And we know that in March, in the race to remote work,
you know, many security controls, you know, or many security postures, you sort of let their
guard down a
little bit in the race to maintain continuation of operations. And not all those companies have
then reinstated them. And so it does, you know, the pandemic has, you know, both introduced new
vulnerabilities, but, you know, it increases that uncertainty as companies are trying to deal with
how to respond to that and how to create and heighten their security postures in this new era that we're living in. And I do think it's a new era. I mean, that's the
thing. It's very much so what life was like before and what we're going to the future, at least in
the realm of business and geopolitics, it's going to be very, very different than it was going into
COVID. And I think that companies are trying to really brace for what that future will look like.
And that's what we saw a lot too.
A bigger focus on resilience,
and it's across the board
from increasing their security postures,
having better visibility across their supply chains,
understanding the security postures of their suppliers
and their supplier suppliers.
And so whereas in the past, just-in-time production, which was,
you know, really popularized in the 80s with Japan, really, you know, with a huge focus on
efficiency and optimization, you know, that, you know, coupled with these various concentration
risks in regions and through vendors, and just the increasing complexity of supply chains as
globalization really took off, you know, increased insecurity to a point that, you know, any kind of disruption across our supply chain also, it's not just a physical supply chain that gets disrupted.
It's a digital one as well.
And that's what we have seen.
And so they do, you know, companies do feel more vulnerable for a post-COVID world. They're really focusing on resilience and agility in a lot that has to do not just with
the reshoring and onshoring of the physical supply chain,
but also how to increase greater resilience and agility
across their digital supply chain ecosystem
and across really protecting their data wherever it may go.
All right.
Well, Andrea Little Limbago, thanks for joining us.
Great. Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Life just got a little easier.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed
and check out the Recorded Future podcast,
which I also host.
The subject there is threat intelligence.
And every week we talk to interesting people
about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.