CyberWire Daily - The FSB warns Russian businesses to up their security game--the Americans are coming. SonicWall’s investigation of a possible cyberattack. DIA and commercial data brokers. OPC issues. Robota.
Episode Date: January 25, 2021
Russia’s FSB warns businesses to be on the lookout for American cyberattacks after the White House says it’s reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. Senator asks the US DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues described. Andrea Little Limbago from Interos on the tech "naughty list" of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And a happy birthday to the word “robot,” now one-hundred years young. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/15 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Russia's FSB warns businesses to be on the lookout for American cyber attacks after the White House says it's reserving its right to respond to the Solorigate cyber espionage campaign.
SonicWall investigates an apparent compromise of its systems.
A senator asks the U.S. DNI for an explanation of DIA purchases of geolocation data from commercial vendors.
OPC issues are described.
Andrea Little Limbago from Interos
on the tech naughty list of restricted or sanctioned companies.
Rick Howard previews his first principles analysis
of Microsoft Azure.
And happy birthday to the word robot,
now 100 years young.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, January 25th, 2021.
Russia's FSB has issued an alert on the threat of targeted computer attacks, warning businesses of an increased likelihood of U.S. cyber attack.
Quote,
In the face of constant accusations against the Russian Federation by representatives of the United States
and their allies of Russian involvement
in organizing computer attacks, as well as threats from their side of retaliatory attacks on the
Russian Federation's critical information infrastructure, we recommend taking the
following measures to improve the security of information resources, end quote. ZDNet
characterizes the FSB alert as a signaling response to remarks by the new U.S. administration last Wednesday.
Referring to Solorigate, a representative said,
We reserve the right to respond at a time and manner of our choosing to any cyber attack.
U.S. officials have attributed the cyber espionage campaign to Russia, which has denied responsibility.
The FSB's alert amounts to an anodyne but sound list of fifteen cyber hygiene best practices,
and who could object to that?
Lawfare has published a piece on the risks Solorigate, and specifically the SolarWinds Orion platform supply chain compromise, poses to control systems.
The authors are concerned to remind people that the issues the Orion compromise opened up
could very easily spread to control system networks,
whether in the industrial Internet of Things
or in such networks as are used to control building HVAC systems.
Late Friday evening, SonicWall disclosed that it had been the victim of
a coordinated attack on its internal systems by highly sophisticated threat actors
exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.
The company initially believed that NetExtender VPN had been compromised,
but has revised its assessment to conclude that this product is safe.
A possible zero-day in the SMA-100 series remains under investigation.
To summarize the state of their product security, according to the company,
the SonicWall firewalls, NetExtender VPN client, the SMA-1000 series,
and SonicWave access points are all unaffected by the vulnerability.
The SMA-100 series, as we noted, is still under investigation,
but SonicWall is offering guidance on mitigations users can apply against the possibility that there's a problem.
The U.S. Defense Intelligence Agency responded to an inquiry from Senator Wyden, Democrat of Oregon, acknowledging that the DIA provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones.
The memo went on to explain that, quote, DIA purchases location data generated by phones located outside the United States and inside the United States.
DIA's data provider does not supply separate streams of U.S. and foreign location data,
and DIA processes the location data as it arrives to identify U.S. location data points,
which it segregates in a separate database.
DIA personnel can only query this database of U.S. location data
when authorized by the Chief of Staff and DIA's Office of General Counsel.
Permission to query DIA's database of commercially acquired U.S. device location data
has been granted five times in the past two and a half years.
End quote.
Senator Wyden has asked Director of National Intelligence Haines for an explanation.
The New York Times characterizes this form of collection as a loophole in existing U.S. law
that some legislators, Senator Wyden among them,
hope to correct with more specific, comprehensive privacy legislation.
Claroty today released a summary of flaws in the Open Platform Communications, or OPC, network protocol.
They've been working on identifying the vulnerabilities and disclosing them to affected vendors since last year
and are now beginning a public review of what they've learned.
Three major vendors have already addressed the issues,
and Claroty recommends that users update their systems to the latest versions. The three vendors are Softing Industrial Automation GmbH, Kepware (PTC), and Matrikon Honeywell.
All have provided fixes for OPC issues.
And people are marking the 100th anniversary,
the centennial, of the word robot, coined by Karel Čapek in his play R.U.R.
The initials in the play's title stand for Rossumovi univerzální roboti. R.U.R. also works
in the direct English translation, often appended as a subtitle, Rossum's Universal Robots. Čapek's
story is about a factory that produces artificial humans,
for which he coined the word robot from the Czech robota,
which connotes a drudge, a forced worker, like a serf.
Rossum's robots aren't mechanical.
They're fabricated from biological material,
so they're closer to Blade Runner's replicants than to Robbie the Robot.
But robots they were, and they're very algorithmical in their manner.
Čapek's word has found its way into most modern languages. So this week we take a break from the
internet and find a copy of R.U.R., read it, and spare a thought for Mr. Čapek. We won't give you any
spoilers, but what the heck, it's robots,
so, you know, it doesn't end entirely happily.
Although at the end of it,
all the robots themselves seem to be doing as okay
as any robot can.
And when you're through with R.U.R.,
don't worry, it's short.
Find a copy of Čapek's War with the Newts
and see how someone in the 1930s
saw with blinding clarity how memes,
in a sense understood, but in the bigger picture completely uncomprehended,
take root and spread.
We won't give you any spoilers, but, oh, what the heck,
it's all about committing to an identity.
British readers will especially like the newt who picks up his worldview
from Fleet Street.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I am pleased to be joined once again by the CyberWire's Chief Analyst
and Chief Security Officer, Rick Howard.
Rick, always great to have you back.
Thank you, sir.
So this week, you are launching an eight-episode series,
and you're examining your first principle ideas, but you're doing it within the framework of the big three cloud provider services, which is Microsoft, Amazon, and Google.
Bring us up to speed here.
What are you getting at here?
Well, the cloud revolution really got its start back in 2006 when Amazon rolled out AWS. Microsoft followed suit with a competing service in 2010 with Azure. And then Google came to the game with Google Cloud Platform
or GCP in 2012. And by the way, Dave, I can never remember what GCP stands for, so I have to say it
every single time. And there are other players in the market
like Oracle and IBM come to mind,
but the big three that most security executives talk about
are Amazon, Microsoft, and Google.
Like, you know, you say Amazon started in 2006.
I cannot believe, it doesn't seem like it's been that long.
Tell me about it.
We're just too old, my friend.
So what I've noticed, though, is that our entire security community has been running at full speed, heads down now for years,
thinking, you know, tactically about the technical widgets required to get these new environments running
and then flipping switches and turning dials on those widgets to provide some sort of security.
So I figured it was time to take a beat and consider the strategic picture.
How do you think about cloud deployments through a first principle lens?
How do you implement these four keystone strategies that I've been going on and on about in each
of these environments?
And then more importantly, how do you orchestrate those strategies not only in hybrid cloud environments, but also in SaaS applications, mobile devices, and data centers back at headquarters as a single system of systems?
What do we need to know going into this?
Is there any prep work that listeners should do before binging this series?
No, no prep work, no homework for you, Dave.
But maybe a couple of things just to keep in mind, right?
Then the first thing is that all cloud offerings
provide some kind of networking infrastructure
designed for their customers' automation workloads.
And these come in the form of infrastructure
and platform subscriptions.
And then the second thing is that all cloud providers
offer software as a service or SaaS products to help you manage your workloads in those environments.
Sometimes they provide them as part of the infrastructure service, and sometimes, you know, you have to pay extra for them.
I bring this up because it might be useful to consider IaaS stuff and PaaS and SaaS subscriptions as individual products that are managed by different product management teams
within the larger company.
Depending how old they are,
you can consider some of them to even be startup products.
I mean, in other words,
some of them are more mature than others.
Can you give us some examples?
Yeah, so Google launched Cloud Identity
as a SaaS product in 2018.
Microsoft launched Azure Active Directory in 2019.
And these products might be fantastic,
but they're only three years old.
You know, how mature can they be?
And just because they have a big brand name over them
doesn't mean that they are completely ready for prime time.
And that's especially true for security products.
Amazon released their AWS Network Firewall in 2020. You can't expect
that product to have the same feature set and maturity that the traditional firewall vendors
like Check Point, Cisco, Palo Alto Networks, and Fortinet have in theirs. So this week you are
kicking things off and you're going to be examining Microsoft Azure. That's right. We'll do Microsoft
first, then Amazon, then Google,
and then we'll wrap
everything up
with how the big
security platforms
play in those environments.
All right.
We're looking forward to it.
It is CSO Perspectives.
It is part of CyberWire Pro.
You can find that
on our website,
thecyberwire.com.
Rick Howard,
thanks for joining us.
Thanks, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Andrea Little Limbago.
She is the VP of Research and Analysis at Interos.
Andrea, it's always great to have you back.
I want to talk today about this notion of sort of tech naughty lists,
that there are certain companies that have found themselves sanctioned throughout the world
and the impact of that. I wanted to get your take on what's going
on here. Yeah, no, actually, I love the term naughty list. I first heard it from Megan Brown,
so I'm going to give her credit for when I first heard it. But really, it encompasses the range of
restricted entity lists that companies are finding themselves on that basically means that they
have limited ability to trade and export with the United States. Or there are EU versions, there's the UN sanctions.
But really in the US, the US has been hitting just a rapid pace of adding on to this list.
There are a couple of different areas to touch upon. One would be the commerce's restricted entity list. And that has basically skyrocketed
over the last two years for adding Chinese companies. And so in 2019, they added 142
companies to that list from China. And while the majority were Huawei, and I think that's the one
that everyone, that garners everyone's attention. So it's Huawei and Huawei affiliates. And most of those are for
various kinds of security concerns. It extends well beyond that. Actually, then 2019 was 142.
2020, so far, there have been 106 additional ones added. So over the last two years, you get over
200 Chinese companies added to this restricted list. And it ranges from some of the security designations, such as Huawei,
but also extends into for their role in surveillance and repression of the Uyghurs in China,
to also to WMD, you know, for trying to circumvent some of the WMD restrictions.
So it's for a broad range of reasons.
And that's just commerce's restricted
entity list. And so, you know, again, it's sort of the who's who in the zoo in the U.S. with some
of these lists because there's more than one list. So it's very hard for companies to maintain,
you know, stay on top of this for compliance. This year alone, there was a time this summer
when it was almost every two weeks commerce was adding a couple dozen more companies to this list.
It was a pretty rapid pace.
So that's hard to stay on top of.
But then on top of that, if you're working with the federal government, there's now Section 889 of the National Defense Authorization Act that basically says that five companies and their affiliates, so it's Hytera, Hikvision, Huawei again, ZTE, and Dahua, their products cannot be within the ecosystem of federal contractors that are working with the government. And why that is,
it sounds like only five companies, but it's actually much more than that because it's five
companies and their subsidiaries and affiliates. And so I did, you know, spend a couple of weeks
looking into that and came up with over 900 different.
But because it's worded in such a way, you know, I can guarantee that I don't have them all.
And then at the same time, you know, what does it include?
And so I included some of the Huawei affiliates, for instance, that were on the commerce list that are some open labs.
And, you know, whether a company is actually dealing with an open lab or not,
you know, probably not, but it still is on there, both on commerce,
and it would fall under 889.
So that's sort of a double whammy for that.
And then, you know, on top of that, there's OFAC sanctions,
but then also the Pentagon has its own list of companies associated with China's PLA.
So this list, though, doesn't have any compliance requirements. But it's one of those
things, I look at it almost as like an early indicator and warning for what the other lists
might add on. And so in June, they added 20 Chinese companies that are linked to the PLA.
Some overlap with these other lists I've talked about. Some do not. And they added 11 more in
August. And so we'll see what happens with that. And it's something to definitely keep an eye on
and to be aware of right now for compliance.
I'm thinking of, you know, a big company like Apple,
who obviously, you know, does a vast majority of their manufacturing,
happens in China.
I mean, is there some back and forth here?
Is Apple working with our government agencies, presumably, and lobbying
and saying, hey, you know, we're kind of, you know, you all love your iPhones, right? So here's
a list of companies who maybe back off of. Yeah, and so they're for sure, and writ large,
the private sector is pushing back, not only because of the disruptions that cause their own supply chains, which are already going through a lot of disruptions, but also due to just the hard nature of actually complying.
And a good example for this is that for ZTE and Huawei, for the small carriers, just to basically rip out ZTE or Huawei from their systems, they estimate it would cost
$1.8 billion for these small carriers. So there's a cost component too. So there's the supply chain
disruption component. There's the, you know, just having a hard time figuring out how to comply.
And then if you do need to comply, it's going to cost a lot of money.
Right. It's kind of an unfunded mandate, right?
Yes. And that's where, you know, again, some of the pushback is as far
as both clarifying what that list would look like. And I'm finishing up a paper with Lori Gordon on
this for National Security Institute on, you know, one of the recommendations is that to have this
one-stop shop so people can, our companies, leaders can know what companies are on the,
you know, are on any of the list and what they need to do to comply. And so we really do need
a one-stop shop for that. But then on top of that,
if we're moving in this direction,
the government does need to step in
and provide that support as needed.
And you can argue that some of these really big companies
may not need it,
but for a lot of smaller carriers, they absolutely do.
And even for the federal government,
you've got the big defense contractors,
but then there are so many different
smaller defense contractors that support them that likely will need that help or they may go under given these costs.
And so – and then actually even on top of that, as far as a different concern, China has their – introduced their own unreliable list now in response.
So we know the –
Of course they have.
Yeah, exactly.
Which, you know, not shocking, right?
Yeah, yeah.
I mean, we know there's a trade war going on.
It's a tit-for-tat environment.
So if the U.S. starts doing this, they create their own unreliable list.
They announced that in May.
And just last month, they basically expanded on it to explain how they'd go about implementing it.
And most people think that by the end of this year, some company may get on it.
And like you said, Apple would be,
can you imagine if they put Apple on their list?
Right, right.
I don't, I personally, I mean,
that would really up the ante quite a bit
in the relationship.
So we'll see.
It's hard to imagine.
And yet, the past, I don't know, six months, year or so,
the unimaginable has been happening every day.
Exactly. That's exactly.
And so for me, nothing's out of the question at this point.
Right, right.
All right. Well, Andrea Little Limbago,
thanks so much for joining us.
All right. Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Land of 10,000 links.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.