CyberWire Daily - State Department cybersecurity issues. Iron Group's pseudoransomware. Bristol Airport's deliberate recovery. State of cryptojacking. Facebook offers campaigns help. US cyber strategy. Mirai masters.

Episode Date: September 19, 2018

In this podcast, we hear that the US State Department has acknowledged an email breach. The criminal gang Iron Group is hitting targets with data-stealing and data-destroying pseudoransomware. Bristol Airport continues its slow recovery from whatever hit it at the end of last week. A cryptomining study is out. Facebook offers help to political campaigns. The new US cyber strategy is out. ICOs get regulation. Mirai masters get suspended sentences in recognition of the help they've rendered the Government. Daniel Prince from Lancaster University with thoughts on asset-based risk assessment. Guest is Ray Watson from Masergy on soft targets. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_19.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. State Department acknowledges an email breach. The criminal gang Iron Group is hitting targets with data stealing and data destroying pseudo ransomware. Bristol Airport continues its slow recovery from whatever hit at the end of last week. A crypto mining study is out. Facebook offers help to political campaigns. The new U.S.
Starting point is 00:02:17 cyber strategy is out. ICOs get regulation and Mirai masters get suspended sentences in recognition for the help they've rendered the government. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 19, 2018. The U.S. State Department confirms that it sustained a breach of its unclassified email system with hundreds of staffers' information affected. Hundreds is said to amount to about 1% of the department's workforce. The breach occurred earlier this year, and the principal concern is exposure of personal information. The department acknowledged the breach after Politico obtained and asked about a sensitive but unclassified memo
Starting point is 00:03:05 dated September 7th. At that point, State said, yes, they had sustained a breach, that it was, of course, a sensitive matter that remained under investigation, and that it had notified the employees whose data were exposed. The department told Politico, quote, this is an ongoing investigation and we are working with partner agencies as well as the private sector service provider to conduct a full assessment, end quote. The private sector service provider would be Microsoft. The State Department uses Office 365 to handle its unclassified email. The State Department has received a good deal of stick over the incident, and while State is by no means the only offender, it's recently come under senatorial scrutiny over some reports by internal and external investigators
Starting point is 00:03:53 that suggest that all is not as secure as it should be over in Foggy Bottom. A letter on September 11th from Senators Wyden, Democrat of Oregon, Paul, Republican of Kentucky, Markey, Democrat of Massachusetts, Gardner, Republican of Colorado, and Shaheen, Democrat of New Hampshire, tasked the department with failure to meet federal cybersecurity standards, particularly with respect to authentication.
Starting point is 00:04:24 Within security, there's the common notion of hard versus soft targets. To a certain degree, that's self-explanatory, with hard targets having the most sophisticated and in-depth defense. There's a good bit of nuance when it comes to soft targets, and Ray Watson from Masergy joins us to explain. Soft targets is one of those words kind of like cyber security or cloud that really depends on the context in which it's being used. But in general, for something to be a soft target, it typically is a smaller budgeted company. It usually has less likelihood to do full incident response after an issue. And when we talk about what is a soft target, you usually talk in terms of the three S's, which would be the amount that they spend on cyber defenses, the sophistication of both the defenses and the response, and then also the ongoing support that they would be expected to receive.
Starting point is 00:05:19 Now, does a soft target typically know that they're a soft target? Yes and no. I think that there's definitely some groups out there that recognize that trying to defend themselves from adversaries on the public internet is probably outside of what they can do in their day-to-day operations. Specifically, churches and nonprofit groups and NGOs might be particularly aware of the fact that they are somewhat soft targets. But then there are some other folks out there where there's a lot of debate about whether we would classify this as a soft target. And the best example of this is our SCADA and industrial control systems, whereas a lot of people consider those to be – because of the large – the size of the attack surface, they consider those to be soft targets.
Starting point is 00:06:06 Whereas a lot of the other folks on the other side are saying, you know, we're doing absolutely everything we can to harden those, to patch those and to get them so that they're actually hardened. So, but to contrast that to me, I mean, I think you make a good point that there's certainly no lack of attention being paid on SCADA systems. So you're saying it's really the size of the attack surface. Despite trying to batten down the hatches, they may still have some, I guess, a soft underbelly, if you will. Sure. And that sort of comes from the national security implications when they talk about things like terroristic targets, right? It has to do with the surface area divided by the amount of defenses that you have, you know, available to it. So, and in the cyber world, it's a little bit different because there's also entire categories
Starting point is 00:06:56 of places that hold your data, that hold your data as a consumer or your data as a business, that their entire business should be considered somewhat of a soft target. And the reason I'm even bringing this up is because what was in the news a couple days ago was the Russian Orthodoxy Church had been breached by one of the nation states hacking groups that were out there. And it really made me think of the fact that so many churches out there have data that we wouldn't necessarily want shared about us to the world and certainly data that we wouldn't want added to an online big data profile in some government database out there. But it's not really something that we talk about when we talk about defenses. And then just the very, very next day, Air Canada leaked around 20,000 records for their passengers. And even though everyone
Starting point is 00:07:47 thought at first, well, how sensitive could that data be? It actually turns out that several thousand of them had their full passport information saved into their profile. So in that scenario, it's not just the fact that the attack surface is wide. It also has to do with the fact that it's not necessarily protected with the high levels of things such as multi-factor authentication or rotating passwords or even firewalls, et cetera, that are out there to protect that data. One of the best examples to think about when we talk about protecting soft targets is the fact that adversaries almost always are looking for points to either pivot or to make lateral movement. CyberWire had a guest on the other day by the name of Fred Knipe, and he actually brought
Starting point is 00:08:31 up one of the best examples of this that I've ever heard, which was when we think about the massive data breach at Target, that of course came in from what I would consider a soft target, which was their HVAC vendor that had perpetual access to their systems. And so even though Target may have hardened all of their points of ingress for their corporate network, their extranet access to their partners actually had this big of an effect. And I will tell you that another example of this that kind of really brings this to mind is when we think about bed bugs, because business travelers are very, very likely to bring bed bugs into their homes, not because they're staying at dodgy hotels and hostels, et cetera, but just simply because they're
Starting point is 00:09:20 staying at so many hotels, right? And when you think in terms of protecting your own home from pests or any kind of infestations like that, it's very, very easy to pick something up basically in a remote hotel that maybe didn't necessarily take good care of that. That's Ray Watson from Masergy. His Twitter handle is RayRedacted. Palo Alto Networks is tracking Iron Group, a Chinese-speaking criminal gang that's distributing pseudo-ransomware.
Starting point is 00:09:51 The malware steals and then destroys data. The ransom demand is just misdirection. The malicious code self-propagates across affected networks using backdoors exposed in a hacking team breach. This does appear to be a criminal data theft operation, unlike earlier episodes as NotPetya, which is generally regarded as having been a state-directed campaign. Bristol Airport still hasn't recovered from the ransomware-like attack
Starting point is 00:10:18 it sustained at the end of last week. Authorities have been unclear on just what the attack was. While they've said they didn't pay any ransom, they've stopped short of calling it ransomware, period, or even ransomware full stop, as they might put it in western England. Nor is there any insight being offered into how the airport's systems became infected. The most publicly visible effect of the attack was the terminal's departure boards going offline. The caution the airport is showing is generally met with approval,
Starting point is 00:10:50 and many observers have noted that Bristol continued flight operations without delay or undue disruption. Ransomware, or even malware similar to so-called ransomware, if we must so describe it, has proved difficult to eradicate from an infested enterprise. Just ask the city mothers and fathers of Atlanta, Georgia, another place where passenger-facing systems at an airport were affected. In that case, the ransomware was much more widespread, with Atlanta's airport Wi-Fi seeming almost an afterthought among the disturbed networks.
Starting point is 00:11:30 ESET points out that two other airports sustained notorious ransomware attacks last year. Both were in Ukraine. Kiev was hit by a Petya version in June, and Odessa was attacked with a Bad Rabbit variant in October. The Cyber Threat Alliance has a new study out on crypto mining. Among their more interesting points is an observation that a cryptojacking incident in an enterprise should be regarded as what they call a canary in a coal mine, a warning sign that something's wrong with security and that the enterprise is open to more immediately damaging attacks. They also point out that even as cryptojacking grows in sophistication, its lower reaches have been commoditized.
Starting point is 00:12:07 The script kiddies can readily get attack tools on the black market. And of course, the widespread persistence of EternalBlue vulnerabilities so often exploited by cryptojackers affords evidence that patch management remains an unsolved problem of cyber public health. Facebook has joined the companies offering to help political campaigns stay more secure during the U.S. midterm elections. The social media platform is offering to help the campaigns set up two-factor authentication. The U.S. Defense Department has issued a new cyber strategy. That strategy assumes a contested cyberspace in both war and peace and has the following major goals.
Starting point is 00:12:47 Mission assurance, enhanced U.S. military advantage, defense of critical infrastructure, securing defense information and systems, and expanded cooperation with all partners, U.S. government, industry, and allied. A U.S. federal district court has decided to allow juries to apply security law to cases involving initial coin-offering fraud. This is expected to set a precedent for more regulatory action in ICO markets. Regulatory agencies are now thought likely to have fewer inhibitions about treating ICOs like securities. The three young hackers responsible for the Mirai botnet are getting their sentences suspended. Instead of jail time, they're cooperating with the FBI. The three, all still in their 20s, are Paras Jha, 22, of Fanwood, New Jersey,
Starting point is 00:13:40 Josiah White, 21, of Washington, Pennsylvania, and Dalton Norman, 22, of Metairie, Louisiana. They assisted in the Kelihos botnet takedown and also helped mitigate distributed denial of service attacks that exploited a memcached vulnerability. Prosecutors put a good word in for them yesterday, and the federal judge responsible for their case in Alaska sentenced them each to five years probation. So stay on the straight and narrow, kids. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:14:24 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:15:00 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:57 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:16:27 Learn more at blackcloak.io. And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about asset-based risk assessment and some potential problems there. What can you share with us? Well, thanks for having me back on. So a lot of the work that we're doing here at Lancaster is really looking at the effectiveness of cybersecurity risk assessment and risk management, particularly in industrial control system space.
Starting point is 00:17:02 But one of the problems that we're kind of coming across now is that a lot of the risk assessment processes are based on health and safety processes, particularly in process automation, industrial control, and or quality control sort of risk management processes. And within those kinds of environments and those techniques, you often assume that, well, you regularly have a non-malicious threat agent. In fact, often you don't have a threat agent whatsoever. So if you think about quality control, the process
Starting point is 00:17:39 that you're putting the systems through, it's part of a standard physical degradation, for example. If you're thinking about health and safety, you're not really thinking about there being somebody maliciously trying to tamper with any of the systems. But when you talk about cybersecurity, there's always a threat agent that is trying to maliciously undermine the systems that you've put in place. And when we look at the standard risk assessment processes, although we often see the threat agent captured in the standard formula, you need somebody to take advantage of the vulnerability and so on, they're not really factored in as effectively as the assets. All really risk assessment processes stemming from
Starting point is 00:18:23 quality control and health and safety stem from understanding all of your assets and then building up the risk profile from those. What we're trying to advocate and starting to develop work on is actually thinking about the threat agent and how they process and how they work through the systems. And one of the things that we're finding that's quite interesting is the asymmetry in information between the threat agent and the defender. And so as a defender,
Starting point is 00:18:53 you often know the whole of your network. What an attack from a threat agent might look like is completely sort of nonsensical from your point of view because you know everything. But from the attack agent's point of view, threat agent's point of view, the path that they're taking to achieve their goals is completely sensitive. So we're looking and trying to look at new
Starting point is 00:19:12 processes where we can factor in more threat agent kind of knowledge and rebalance that against the asset-based approach and seeing if we can get better risk management concepts that come through from that. Can you give us an example? What does that exactly look like? So I think one of the key things for us is that asymmetry of information. When you're planning and thinking about just your assets, you're thinking about what's important to you.
Starting point is 00:19:47 But one of the key things when we look at attacks, we really need to frame that as what is important to the attacker to achieve their goals. And that also allows you to bring in this idea that you're potentially just collateral damage to be able to achieve a higher order effect because you're part of a supply chain. So you're a link to another company or another organization that the attacker is trying to get to. It's not that your information and your assets aren't important. It's just they have to use those or that's the easiest way that they've decided,
Starting point is 00:20:20 the attackers have decided to get to their ultimate goal. And so one of the things we're finding is it's taking out that kind of almost egocentric, we're the most important part of the attack. And so you can start to develop better defense and remediation techniques by balancing out what's important to you, but also what's important to the attacker. Hmm. No, it's an interesting insight. As always, Daniel Prince, thanks for joining us. solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. CyberWire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:02 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:22:46 We'll see you back here tomorrow. and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
