CyberWire Daily - Stop the presses—the presses were stopped by ransomware. Video security system found vulnerable to oversharing. Changes in US DoD leadership. An arrest in Moscow, a court ruling in Baltimore.
Episode Date: January 2, 2019. In today's podcast, we hear that US newspapers sustained a major cyberattack—possibly ransomware—over the weekend that disrupted printing. The attack is said to have originated overseas, but attribution so far is preliminary, murky, and circumstantial. Home security video system is found to have hard-coded credentials. Changes in US Defense leadership. An American is arrested in Moscow on espionage charges. And alleged NSA leaker Hal Martin wins one and loses two in court. Ben Yelin from UMD CHHS on whether remotely wiping a mobile device could be considered destruction of evidence. Guest is Steve Durbin from the ISF on using a human-centered approach to building security teams. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2019_01_02.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
U.S. newspapers sustained a major cyber attack over the weekend,
possibly ransomware, that disrupted printing.
The attack is said to have originated overseas,
but attribution so far is preliminary, murky, and circumstantial.
A home security video system is found to have hard-coded credentials.
There are changes in U.S. defense leadership.
An American is arrested in Moscow on espionage charges.
And alleged NSA leaker Hal Martin wins one and loses two in court.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Wednesday, January 2, 2019.
Happy New Year, everybody.
Great to have you back.
Hope you got some rest over the holiday break.
Over the weekend, print operations at several major U.S. newspapers were disrupted by a cyber attack.
Saturday editions of the San Diego Union-Tribune, the Baltimore Sun, the Chicago Tribune, the New York Times, the Wall Street Journal, the Los Angeles Times, the Annapolis Capital Gazette, the Hartford Courant, the New York Daily News,
the South Florida Sun-Sentinel, and the Orlando Sentinel saw their editions delayed as the
attacks on print plants affected production. The attack, which is believed to have involved a
variant of Ryuk ransomware, targeted Tribune Publishing, but not all of the affected papers
were Tribune properties. Tribune sold both the San Diego Union-Tribune and the Los Angeles Times in 2018,
but both papers still used Tribune Publishing's print plant. A number of the other affected
papers, including the New York Times and the Wall Street Journal, contract to use Tribune
printing services for at least portions of their press run, which is how they came to be affected.
As the New York Times put it, they were collateral damage in the attack.
Tribune Publishing stressed that no customer information was compromised in the incident.
The first signs of the attack surfaced Thursday,
were believed to have been contained by Friday,
but returned with considerable effect on Saturday.
Sources in a position to know, according to the New York Times, said anonymously that, quote, we believe the intention of the attack was to disable
infrastructure, more specifically servers, as opposed to looking to steal information.
Attribution remains murky, but the Los Angeles Times says the attack is believed to have originated
outside the United States. Neither Tribune Publishing nor the affected papers have reported receiving ransom demands,
but the incident seems consistent with a ransomware attack.
Security companies KnowBe4 and Check Point have pointed out circumstantial similarities
between this attack and operations of the North Korean government.
The ransomware employed in the attack, Ryuk, is regarded as an evolved
version of Hermes, a strain of malware previously attributed to Pyongyang's Lazarus Group.
For its part, security firm CrowdStrike thinks Eastern European criminals are the probable
culprits. They point to some evidence that the attackers may have used TrickBot, which has
surfaced in attacks against financial institutions,
to deliver the malware.
In any case, it's too early to come up with any definitive attribution,
especially since criminal groups and espionage agencies show an increasing disposition to beg, borrow, or steal one another's attack code.
The security companies discussing several of the affected papers
have said they found Ryuk in their systems,
but so far that's as far as the evidence takes us.
The U.S. Department of Homeland Security is investigating.
With a new year ahead of us, there's no relief in sight to the talent shortages faced in the security industry.
One approach to making the pool of potential candidates deeper is to look within your own organization
and take a more human-centric approach. Steve Durbin is managing director of the ISF,
the Information Security Forum, and he offers these thoughts.
Pulling together the security workforce typically means you're going to have to go
hunting in different parts of the organization, assuming you're a large corporation, of course, for people who have been doing bits and pieces of this over some while. And that is one of the challenges for
corporations. How do we get this very much more high level strategic perspective on our security
workforce? How do we pull them together from the different parts of the organization that they're
currently sitting in and get them all focused in the same direction.
I think it's about really playing to the strengths that exist in most large-scale organizations today.
What I mean by that is it's about taking advantage of some of those well-established HR practices to build out a diverse workforce of capable individuals that map across to the challenges that you're facing.
And if we think about the way that perhaps security has traditionally gone about doing it, that perhaps is not the way that it's being done. So it is about really trying to identify the skill sets that are required
right the way out into the strategic period that you're working through, determining where
you have those skill sets in your organization. They may be coming from the business. Very often
when I talk to senior executives about how can they build out a sustainable security workforce,
they're surprised when I say,
well, don't just look in the technical area, look in the business area. You know, if we're trying to
put in place a security enablement for your corporation, we need to understand how the
business is working. And let's take some of those business people, put them into the security
function. If we're trying to get awareness programs going? Well, marketing, training, they're adept at doing that kind of thing. So let's involve them. So I think that
for a lot of organizations, it's about taking a much more holistic approach to the way in which
they go about building out their security workforce and calling on some of the skill
sets that they already have in the enterprise that are pretty well suited to solving some of these challenges.
And so how do you suppose you put together an environment that will attract those people
from other parts of the organization who may not be accustomed to the culture, the care
and feeding of the cybersecurity workforce?
Yeah, and I think there's a little bit, it depends on the organization here, Dave. But, you know, part of it is about perhaps overcoming some of the prejudice that might exist.
I mean, there are some, you know, very well embedded views, aren't there, of what security is all about.
It's very technical. It can be dull.
They're the guys who tell us what we can't do.
The reality of security and cyber in particular today is that it's a hugely fast-moving,
very dynamic environment. Why? Because things are moving so very, very quickly. And I think that what
we need to be doing in order to attract the right sorts of skill sets in there is to stop insisting
on this host of specific technical skills. You know, you have to have a CISSP. You have to have a certain amount of experience and qualifications.
Because the reality is that that just eliminates a large portion of current prospective information
security professionals who could very well have a key role to play.
That's Steve Durbin.
He's managing director of the ISF.
Security firm Rapid7 has disclosed hard-coded credentials in Guardzilla home surveillance video systems.
They contain a shared Amazon S3 credential for storing saved video data.
This means, in effect, that all users of the Guardzilla all-in-one video security system
could access one another's saved home video.
Rapid7, which credits researchers at Zero Day All Day with the discovery,
recommends that users of the system not enable Guardzilla's cloud-based information storage.
There are a few changes at senior levels of the U.S. Defense Department and intelligence community.
Secretary of Defense Mattis is out, moved on earlier than the February
exit his resignation letter had specified. He's been replaced on an acting basis by Patrick
Shanahan, the Deputy Secretary. No permanent replacement has been named. Principal Assistant
to the Secretary of Defense Dana White has also left the Pentagon to be replaced on an acting basis by Charles E. Summers Jr.
The National Geospatial Intelligence Agency, the NGA, will also receive a new director in February,
as Robert Cardillo, who's led the agency since 2014, will be succeeded by Rear Admiral Robert Sharp,
currently head of Naval Intelligence.
In Russia, a U.S. citizen has been arrested on suspicion of espionage.
The FSB says that Paul Whelan, security lead for automotive parts manufacturer BorgWarner,
will be charged with spying. Whelan was in Moscow for the wedding of a friend.
Details of the case are sparse, and Whelan's family rejects the notion that he was spying.
Observers speculate that
the arrest represents retaliation for recent U.S. arrests of Russian nationals on espionage charges,
especially the arrest of Maria Butina, who last month took a guilty plea in a U.S. spying beef.
Alleged NSA leaker Hal Martin succeeded in having incriminating statements he made during a 2016 FBI raid on his house suppressed.
He wasn't Mirandized.
But physical evidence the Bureau's special agents collected,
including large quantities of classified material squirreled away
in Mr. Martin's Maryland residence, remains admissible.
The failure to read him his rights seems curious.
The government said it was a non-custodial interview and that Mr. Martin was free to leave at any time.
But their having entered his house armed and announced by flashbangs,
and their having handcuffed him,
led U.S. District Judge Richard D. Bennett to conclude that the interview was custodial, as they say,
and that the special agents should have Mirandized Mr. Martin,
no matter how otherwise friendly the interview may have grown over the hours they were together.
Many observers have noted that the warrant to search Mr. Martin's property
came in the wake of some ambiguous tweets he posted that could be read as having suggested
he had secrets to offer. But of course, Twitter is a notoriously low-context medium, and Mr. Martin's posts could
be entirely innocent. He's charged with 20 counts of willful retention of national defense
information. The former NSA contractor's trial is scheduled for this coming June 17th.
And finally, the Dark Overlords are said to be back. According to Motherboard, this time they're
threatening to dox insurance companies
to prove that the 9-11 terror attacks
in New York, Virginia, and Pennsylvania
were put-up jobs by a bunch of conspirators.
Unless, of course, the insurance companies
pay the Dark Overlords a ransom.
Serious people will, of course,
ignore the conspiracy nonsense
and not pay the ransom.
Of course, when the authorities finally get around to arresting the Dark Overlords,
we hope they remember to read them their rights. We've seen that done on TV.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security.
Ben, it's great to have you back as always.
Interesting article from the Naked Security blog over on Sophos.
This is written by Lisa Vaas.
And they're asking the question, does wiping your iPhone count as destroying evidence?
What's going on here?
So this is a fascinating case.
It was a young woman
who was arrested in relation to a drive-by shooting, and the police at least suspected
that there was some sort of valuable evidence on her iPhone. And while she was in police custody,
the contents of her iPhone were completely erased. And the reason I use the passive voice there
is because she, in her defense, says that she is technologically
illiterate and would have absolutely no idea how to erase the contents of her device. Now, I think
it almost certainly is a crime to take some sort of affirmative action to delete the contents of
your device, because that is the equivalent to destroying evidence,
which of course, in and of itself is a crime. And there are lots of ways technologically to delete the contents of your device using the Find My Phone app, for example, as it relates to an
iPhone. Once that phone has been lost or stolen, you can press that kill switch and it will delete
all of that data. Now, there's no proof
that that happened in this case, although perhaps somebody who knew this suspect was looking out for
her and was able to have maybe her Apple ID or whatever and logged in for her to erase this
information. The more interesting hypothetical that this article presented is, what if there's some sort of
technology, and it may or may not exist at this point, where the device would automatically
detonate, would delete all of its information after 24 hours if a person has not logged in.
So it would contemplate a scenario where a person is afraid that their phone is going to get lost
or stolen, and that if for some reason they don't log in or enter their passcode within 24 hours, the presumption should be that it has been
stolen and therefore the device should erase itself. In that hypothetical, a person would
not have taken the affirmative step of deleting their information specifically to evade law
enforcement or specifically to conceal evidence. And I think
the standard is very different. The fact that an affirmative step at least allegedly took place
here where somebody, whether it was the defendant herself or somebody she knew, pressed that kill
switch, I think makes it different and makes it far more likely that the conviction would be upheld because she did destroy evidence.
She did press that kill switch.
But I think we're going to see cases in the future about that latter scenario.
Yeah, and I've seen instances, I believe on the iPhone you can set it up where if you
misenter a password a certain number of times, it will go into a wipeout, you know, it'll
wipe the phone.
But that requires action on behalf of the police or whoever's trying to get into it. So
it's a little different there. Right. It is different. Because again,
this hypothetical we're talking about here is where no affirmative step is taken by anybody,
whether it's law enforcement or the defendant. Presumably, the defendant would set up this technology,
not in anticipation of concealing evidence, but in anticipation of preventing people from
gaining access to his or her information. So it's a completely innocuous act that takes place
outside the context of any sort of arrest or criminal prosecution. And I think that's,
you know, very different when we're talking about destroying evidence. And I think that that case is going to present itself. And in my opinion, I think there is a real distinction between pressing that kill switch after you've been arrested, after you know that there might be evidence against you, versus sort of a mechanical, regular operation on behalf of your device that deletes information on some sort of
circumstance, like you haven't logged into your phone within 24 hours. Now, do you suppose that
law enforcement could make the case that you'd be in some way obligated to inform them that this
device is going to detonate if not logged into in a certain amount of time? That's an interesting
question. I don't think that necessarily
would ever be on law enforcement's mind. I mean, it's not going to be part of a Miranda warning
where it says, if you have your device on auto lock, be sure to disable it. A person is in
custody, so they're not going to have access to that device anyway. And then we get into potential
Fifth Amendment issues. What if you have that kill switch on? The government presents you with that device and says, turn off that kill switch. We
want to maintain this information. Then you have to take an affirmative step to potentially
incriminate yourself. And the complications here are endless. But I think the question of destroying evidence is completely different
if there hasn't been that affirmative step post-arrest where the information has been deleted.
All right. Ben Yelin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team
is Elliott Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Carrigan,
Carole Theriault,
Ben Yelin,
Nick Veliky,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrik,
Jennifer Eiben,
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.