CyberWire Daily - South African ports invoke force majeure over cyberattack. Documents indicate Iranian interest in control systems attacks. Dark web wanted ads. Cyber diplomacy. Lousy cafeteria food?
Episode Date: July 27, 2021. Transnet declares force majeure over cyberattack on South African port management. The IRGC apparently is Googling a bunch of stuff about gas stations and merchant ships. Kaseya’s denial of paying ransom has legs. Criminal coders like obscure languages. The AvosLocker gang is looking for pentesters, access brokers, and affiliates. The US and China hold “frank and open” conversations about, among other things, cyber tensions. Ben Yelin explains the tech implications of President Biden's recent executive order. Our guest is Eve Maler from ForgeRock on their 3rd annual Breach Report. And, hey NSA, what did you have for lunch today? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/143
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Transnet declares force majeure over cyber attack on South African port management.
The IRGC apparently is googling a bunch of stuff about gas stations and merchant ships.
Kaseya's denial of paying ransom has legs.
Criminal coders like obscure languages.
The AvosLocker gang is looking for pen testers, access brokers, and affiliates.
The U.S. and China hold frank and open conversations about cyber tensions.
Ben Yelin explains the tech implications of President Biden's recent executive order.
Our guest is Eve Maler from ForgeRock on their third annual breach report.
And hey, NSA, what did you have for lunch today?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 27th, 2021. MoneyWeb reports that South Africa's Transnet has declared force majeure and thus claimed relief from liability in a letter to its customers,
acknowledging that what was initially described as disruption on an IT network
amounted to an act of cyber attack, security intrusion, and sabotage.
The letter explains, quote,
Investigators are currently determining the exact source of the cause of compromise
and extent of the ICT data security breach sabotage.
Transnet is implementing all available and reasonable mitigation measures
to limit the impact of this compromise.
End quote.
Declaration of force majeure is unusual and indicates a major interference with Transnet's ability to deliver services.
According to Bloomberg, operations at South Africa's six major container ports have been disrupted,
and Transnet's recovery remains a work in progress.
Sky News has obtained and published documents it believes represent planning by the Shahid Kaveh unit of Iran's Revolutionary Guard Corps for cyber attacks against ships and oil facilities.
The documents also indicate an interest in satellite communication systems,
especially as they're used in maritime operations and in building control systems.
Western firms, particularly companies in the UK, the US, and France, figure among the intelligence targets. What Sky News describes as a security source with knowledge of the 57-page bundle of five research reports,
anonymously told the news outlet that they, that is the IRGC, are creating a target bank to be used whenever they see fit.
The Shahid Kaveh documents included observations on shipboard ballast systems and the pumps that control them.
There were also discussions of retail-level vulnerabilities in automatic fuel gauges and tank management systems at filling stations.
Disruptions to those systems, the document said, could result in disruption of the fuel supply and explosion of fuel station tanks through access to the control equipment.
The observations on satellite communications concentrated on two systems,
the Seagull 5000i, which provides phone, fax, and other data services via a satellite link, and the SeaLink CIR.
As Sky News notes, the documents don't contain any particularly sophisticated insights or evidence
of deep research into the systems the authors discuss. Indeed, much of the material seems to
be the result of Google dorking, simply pulling research results and compiling them into a report.
So, alarmism about imminent Iranian cyberattacks on ships and filling stations would be premature at best
and not a sign that Iran has developed and deployed significant capability to exploit
control system vulnerabilities. That Iran, like most other countries, is interested in cyber
attack capabilities is well known. So the Sky News documents are interesting but don't really
present cause for alarm.
In fairness, we would be remiss if we didn't point out that some interest in vulnerabilities at this level
is equally consistent with defensive as offensive planning,
but potential targets would be wise to look to their defenses.
As we've seen, Kaseya yesterday responded to speculation that it had paid off the REvil gang
to obtain a decryptor with a categorical denial that it had either paid ransom or negotiated with the extortionists.
There's no word on reasons for the non-disclosure agreement Kaseya asked customers to sign
and which prompted much of the speculation that the ransom had been paid.
But, as experts interviewed by ZDNet note, there's nothing inherently nefarious about an NDA.
BlackBerry reports a trend. Cybercriminals are using uncommon programming languages to help
evade detection. This isn't entirely new either, as BlackBerry says, but
the languages Go, D, Nim, and Rust currently seem to be in favor with criminal coders.
Malwarebytes reports that the relatively young ransomware gang that operates AvosLocker is
advertising on the dark web for both employees, especially access brokers and pen testers with experience in Active Directory networks, as well as affiliates.
In their marketing emails to their victims, the AvosLocker runners lapse into the current cliches, warning the affected organizations that their files have been locked with military-grade encryption.
The U.S. and China yesterday concluded two days of high-level talks about a range of issues that include, from the U.S. side, human rights concerns,
the security of Taiwan, and what the U.S. sees as Chinese misbehavior in cyberspace.
A State Department communique described discussions
as frank and open, which is customary Foggy Bottom speak for salty and contentious.
The U.S. was represented by Deputy Secretary of State Wendy Sherman, who traveled to China
for discussions with State Counselor and Foreign Minister Wang Yi and other PRC officials.
The U.S. said it welcomed competition and, while it didn't seek conflict with the People's Republic,
wouldn't hesitate to defend and advance its own interests.
And finally, how's your cafeteria treating you nowadays? Nice food? Stable prices? Good value?
Apparently, the NSA cafeterias at Fort Meade are disappointing,
serving less-than-toothsome food at prices that seem both high and unstable.
Motherboard is covering this story,
and it took them a Freedom of Information Act request to get the inside skinny on the diners' complaints.
A lot of them are concerned with the eggs, sodas, and salads,
which are not perceived as being necessarily a good value,
and also about the disparity between the prices of chicken at two different locations.
The FOIA researcher who got copies of the complaints,
and hats off to you, Ms. Emily Crose,
quotes one of the disgruntled NSA types as summing up,
With all the problems going on with the redacted cafeteria,
an increase in pricing should be the last thing they are worried about.
Some of the dissatisfied customers seem more concerned about fluctuations in price.
Since the changes cited amount to between six and twelve cents, the objections seem more matters of an outraged sense of order than they do a financially based complaint.
Our government service desk speculates that this probably means linguists are heavily overrepresented in the complaint box, since this kind of thing seems more up their alley than it does, say, the alleys of computer engineers or intelligence analysts,
but of course that's just speculation.
It could also be U.S. Army personnel offering suggestions,
since it's a long-standing tradition in the senior service to regard an invitation to complain about food
as an occasion for joie du combat, which would place a much happier construction on the
whole incident. One experienced and anonymous source told us, those critters, meaning GIs,
would sh** plutonium and hydrazine if it gave them a chance to complain.
Maybe that's just the way things are at the redacted cafeteria, which is what we now intend to call any restaurant we might open in the future.
But are things bad in the other four eyes?
Maybe.
An anonymous source close to the intelligence community told Motherboard,
maybe not the worst cafeteria I've ever eaten in,
but worse than the time I ate at a U.S.-run military-based mess hall,
anonymous source said, adding, for comparison,
the equivalent cafeteria in Australia was much better but not exciting, and the Canadian one
was somehow worse, though that might just be because I ate there so many more times.
If you're eating at one of these facilities from Cheltenham to Canberra,
feel free to vent to us in an email.
The team at identity and access management platform provider ForgeRock recently released
their 2021 Consumer Identity Breach Report, tracking the trending targets and financial
impact of breaches over the last year. Eve Maler is chief technology officer at ForgeRock.
Attacks using usernames and passwords increased 450 percent in 2020. So that was the cause of
1.48 billion breached records. So that's one thing, not a good thing.
Wow. What else?
So for the third consecutive year, unauthorized access, so partly caused by usernames and passwords being used, was the most common type of breach, and that accounted for 43%
of breaches.
Another thing was that healthcare, again, was the most common targeted sector.
So that accounted for about a third of all breaches, 34% of those breaches.
And it also, again, had the highest average cost to enterprises per compromised record at $474
per record. When you look at the overall financial impact here, what stands out to you? I mean, who got hit the worst?
Well, unfortunately, it was the tech sector, something we know a lot about. The tech sector in aggregate paid the highest cost of recovery at $288 billion, and they had 1.6 billion records stolen in total.
That's the technology sector there.
So what are the overall recommendations then
for organizations and folks out there
to better protect themselves?
What are you suggesting?
Well, the biggest thing that organizations
and people can do really is,
if you can, stop using passwords to protect
accounts. And that's really kind of a zero-trust approach that people have been hearing about.
And I suspect that everybody has really been hearing about this more and more,
particularly with the recent White House cybersecurity executive order, which puts
such a big emphasis on zero-trust architecture, which is really just about
trying to draw protection closest to all of your most sensitive resources to minimize the blast
radius if something is really compromised. And, you know, passwords are just really the least
secure and least pleasant way to protect an account or a resource.
They're most deployable these days, and that's kind of unfortunate,
but there's so many other ways to protect accounts with strong authentication, multi-factor authentication.
And these are ways that we can protect our most important things better, really.
Was there anything that stood out to you as being particularly surprising in this year's report?
Anything that strayed from where you expected it to go?
I would have to say that maybe the cost of breaches for businesses,
maybe the GDPR fines actually jumping so high.
I'm having to think of it because we saw that GDPR fines jumped 40% globally. And when you
think about GDPR having been under enforcement for a couple of years, that's really quite striking.
So that's something that people really need to watch out for.
When it comes to things like ransomware attacks, the most important thing we need to worry about is sometimes when the attacks are coming from inside the house, so to speak. And that's where
what we in the identity world call identity governance comes in. So when you're looking for perhaps
somebody who might have been an insider, who maybe
was fired and is no longer with the company, you need to be sure that you haven't actually extended
privileges longer than you should have, and identity governance practices are something that
really need to be taken care of in the case where somebody could have inserted some kind of malware
or ransomware or something like that
after the point when they really shouldn't have been around.
So identity governance and administration, sometimes called IGA,
is something extremely important to be looking after.
That's Eve Maler from ForgeRock.
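One way to turn the identity governance point from the ForgeRock interview (privileges that outlive an employee's departure) into a routine check, written here as an added example that is not part of the episode and not ForgeRock's code. It assumes two inputs, both constructed inline so the script runs offline: an HR termination feed mapping account names to termination dates, and a directory export carrying each account's enabled flag, last logon and group membership (in practice an LDAP or Active Directory export). The privileged-group list and the one-day grace period are assumptions, not anything the report specifies.

```python
"""Identity-governance check: flag directory accounts that stayed usable
after their owner's HR termination date.

Added example for illustration; not ForgeRock's code. The HR feed and the
directory export are constructed inline so the script runs offline; a real
run would pull them from the HR system and an LDAP/AD export.
"""
from datetime import date, datetime, timedelta

# Constructed HR offboarding feed: account name -> termination date.
HR_TERMINATIONS = {
    "jdoe": date(2021, 6, 30),
    "asmith": date(2021, 7, 15),
    "bchen": date(2021, 7, 20),
}

# Constructed directory export, one record per account.
DIRECTORY = [
    {"sam": "jdoe", "enabled": False,
     "last_logon": datetime(2021, 6, 29, 17, 2), "groups": ["Domain Users"]},
    {"sam": "asmith", "enabled": True,
     "last_logon": datetime(2021, 7, 22, 9, 41),
     "groups": ["Domain Users", "Backup Operators"]},
    {"sam": "bchen", "enabled": True,
     "last_logon": datetime(2021, 7, 19, 8, 0),
     "groups": ["Domain Users", "Domain Admins"]},
    # Service account with no HR record: out of scope for this check.
    {"sam": "svc-backup", "enabled": True,
     "last_logon": datetime(2021, 7, 26, 1, 0), "groups": ["Backup Operators"]},
]

# Groups whose membership should never outlive employment (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Backup Operators"}


def find_lingering_access(terminations, directory, as_of=None, grace_days=1):
    """Return one finding per terminated user whose account is still live.

    A finding is raised when the account is still enabled past the grace
    period, when a logon was recorded after the termination date, or when
    the account still belongs to a privileged group. Group membership is
    flagged even on a disabled account: a disabled account can be
    re-enabled, so offboarding should strip the groups, not just the flag.
    """
    if as_of is None:
        as_of = date.today()
    elif isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)

    findings = []
    for acct in directory:
        term = terminations.get(acct["sam"])
        if term is None:
            continue  # current staff or service account; not in scope here
        reasons = []
        if acct["enabled"] and as_of > term + timedelta(days=grace_days):
            reasons.append("still enabled %d days after termination"
                           % (as_of - term).days)
        last = acct.get("last_logon")
        if last is not None and last.date() > term:
            reasons.append("logon on %s after termination" % last.date())
        priv = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
        if priv:
            reasons.append("still in privileged group(s): " + ", ".join(priv))
        if reasons:
            findings.append({"sam": acct["sam"],
                             "terminated": term.isoformat(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_lingering_access(HR_TERMINATIONS, DIRECTORY, as_of="2021-07-27"):
        print("%s (terminated %s)" % (f["sam"], f["terminated"]))
        for r in f["reasons"]:
            print("  - " + r)
```

Run on the constructed data as of 2021-07-27, the check flags asmith (still enabled, a logon after termination, still in Backup Operators) and bchen (still enabled, still in Domain Admins), while jdoe, whose account was disabled on time and held no privileged membership, produces nothing. The post-termination logon is the reason worth paging on, since that is the case the interview describes: access used after the point when the person should no longer have had it.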
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast.
Ben, great to have you back.
Good to be with you again, Dave.
A story here from The Verge.
It's titled Biden Signs Executive Order Targeting Right to Repair, ISPs, Net Neutrality, and More.
There's a lot in this recently signed executive order.
Can you take us through some of the things here that apply to
our audience? Sure. So this is a very broad executive order signed on July 9th. The general
goal is to promote competition, and it mostly has to do with technology, which is why we're talking
about it on this podcast. Right, right. One thing we've talked about before are these so-called
right-to-repair regulations. Yeah. Originally, the effort was going to be geared toward farming equipment.
You know, you had this issue where people would buy John Deere tractors in order to get the doohickeys and gadgets needed to fix the products when they were deficient.
You had to go to the manufacturer.
Right.
You couldn't, you know, buy it on the market and do it yourself.
Because tractors are now software.
Right, which they are.
Yeah, they are.
Right, right.
So what this executive order does is starts an effort
to be spearheaded by the Federal Trade Commission
to limit powerful equipment manufacturers
from restricting people's ability to use independent repair shops
or DIY repairs.
And this is going to cover all electronics,
so it is no longer just farming equipment.
I'm surprised that this effort hasn't happened sooner.
I mean, it's something that you'd think would be supported
on all sides of the political spectrum
because it does foster competition.
Independent shops can come in and say,
we can fix all different types of devices.
And we shouldn't confine the market just to the manufacturer of the device.
As it relates to big tech, there are some anti-monopolization aspects to this executive order.
There is now a mandate to require, and I quote, greater scrutiny of mergers, especially by dominant internet platforms.
Who could they mean there?
Yeah, exactly.
We won't name names, but I think you can figure it out.
So they're talking about the acquisition of what they call nascent competitors, serial mergers.
I think we know exactly what they're referring to here.
It's cases that we've talked about on this podcast
and on the Caveat podcast.
I think that's part of a broader effort
to try and cut down on consolidation in the industry,
which is really hurting consumers.
They're also, as part of this executive order,
under the purview of the FTC,
going to place more rules on surveillance and data collection.
That's something that's going to have downstream impacts
on technology companies around the world.
There's even a provision on patent policy reform
that they talk about in this article.
So it's kind of an omnibus executive order
designed to spur competition
and cut down on the consolidation of the tech industry.
Yeah. Some stuff here for the FCC as well, going for better broadband.
Oh, yeah. So there's this provision that tasks the FCC, Federal Communications Commission, to require ISPs to report prices and subscription rates,
and preventing ISPs from making deals with landlords that limit tenants' options.
I'm quoting from the article here.
I don't know if this is the case in many locations where our listeners live, but I used to live
in Baltimore City, and there was a deal between Comcast, or should we say a company that goes
unmentioned.
There was a deal between one cable company and the city that essentially made Baltimore City
inaccessible to all of the competitors
of that one company.
And it was really nice to move out to Baltimore County
where that's not the case
and you have more competition.
Instead of a monopoly, you have a duopoly, right?
Yeah, exactly.
At the very least, maybe a triopoly.
So you have very, in some parts of the country,
there is only one internet service provider
unless you want to go out
and seek some of the less common alternatives.
It's something that's both not good for competition
and very detrimental to the consumer
because that one company has very little incentive
to provide good customer service.
So I think this is a promising step that's been taken here.
Can you put this in perspective? I mean, what is the degree to which this executive order has
actual power to make things change? I think it really does. I mean, a lot of it is tasking
federal agencies with coming up with rules and regulations. That's a cumbersome process.
It sometimes takes a long time. They have to draft a rule, come up with a notice of proposed
rulemaking, go through the rulemaking process, solicit notice and comments. So we might be
talking about a relatively extended time period here, but I think the executive order has teeth.
One, it states what the administration's policies are vis-a-vis these anti-competitive practices.
It gives instructions, specific instructions to agencies to help accomplish these goals.
And I'll also add, it doesn't seem that there's been much pushback on this executive order from either side of the political spectrum. I think reflecting particularly a Republican party that is more
skeptical of consolidation in the tech industry, particularly as it relates to social media,
because they feel, I think quite reasonably, that there isn't enough competition in that market.
So we really haven't seen the type of pushback that you'd normally get to a
large sweeping executive order from an opposing political party.
So I think, you know, what's in this executive order is going to have teeth and it's going to
be sustainable. Yeah. Also, I think of interest to folks in the tech industry, he's calling on
the FTC to ban non-compete clauses, which are very common in this industry. Very common in this
industry. I mean, it's more egregious in other industries
where fast food restaurants have non-compete clauses
and that ruins people's job prospects
and has them wedded to one company
even if they're being treated poorly.
It happens to a much larger degree in the tech industry
where it's much more difficult to switch jobs
even if you're unhappy somewhere,
just because you've signed one of these non-compete clauses.
So I think a lot of our listeners who work in this industry
would be very appreciative
if they're not being tied down by these contracts.
Yeah, absolutely.
All right, well, Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Tré Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.