CyberWire Daily - The importance of staying up-to-date. Conti ransomware gains as Ryuk fades. Germany warns of Chinese companies’ data collection. Huawei’s fortunes in Canada and UK. Hushpuppi update.
Episode Date: July 10, 2020
Unpatched and beyond-end-of-life systems are (again) at risk. Conti ransomware appears to be steadily displacing its ancestor Ryuk in criminal markets. Are privacy laws as consumer friendly as they're often taken to be? There may be some grounds for doubt. German security services warn of the espionage potential of Chinese companies' data collection. Huawei skepticism grows in Germany, Canada, and the UK. Zulfikar Ramzan from RSA on zero trust. Our guest is Conan Ward from QOMPLX on the unfortunate reality of cyber insurance in light of the 3rd anniversary of NotPetya. And Ray Hushpuppi says the Feds didn't extradite him; they kidnapped him. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/133
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Unpatched and beyond end-of-life systems are, again, at risk.
Conti ransomware appears to be steadily displacing its ancestor, Ryuk, in criminal
markets. Are privacy laws as consumer-friendly as they're often taken to be? There may be some
grounds for doubt. German security services warn of the espionage potential of Chinese
companies' data collection. Huawei skepticism grows in Germany, Canada, and the UK. Zulfikar Ramzan
from RSA on zero trust. Our guest is Conan Ward from QOMPLX,
on the unfortunate reality of cyber insurance
in light of the third anniversary of NotPetya,
and Ray Hushpuppi says the feds didn't extradite him,
they kidnapped him.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, July 10th, 2020.
At the week's end, there's more news of attacks against unpatched or outdated systems.
The first one affects Citrix systems.
Attackers are actively scanning for recently patched vulnerabilities in Citrix Application Delivery Controller,
Citrix Gateway, and the Citrix SD-WAN WANOP appliance, the SANS Institute reports.
Users are urged to apply the patches as soon as possible.
When Citrix issued the patches at the beginning of this week,
there were no signs that exploits existed for the vulnerabilities, but that's changed.
SANS says its honeypots have
found attempts at exploitation, so again, patch as soon as possible. The second issue affects systems
that are out of date and no longer supported. A Zoom zero day has been found that affects older
Windows systems, Windows 7 and earlier, that are beyond their end of life.
Too many of these remain in use, according to a report on the 0patch blog.
Exploitation could enable an attacker to execute arbitrary code on the victim's device.
ZDNet says Zoom is working on a fix.
The company said, quote,
Zoom takes all reports of potential security vulnerabilities seriously. This morning,
we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it, end quote. The zero day
is another reminder of the degree to which the continued use of systems beyond end of life
represents a threat to security and privacy.
Acros Security, proprietor of 0patch, has put out a mini-patch to hold affected users over until Zoom has finished addressing the issue.
Security researchers Pierre Kim and Alexandre Torres report finding vulnerabilities in widely
used fiber-to-the-home and optical line termination devices sold by
Shenzhen-based C-Data. ZDNet observes that of the seven vulnerabilities found, the most serious is
the hard-coding of telnet accounts in the firmware. These grant intruders full administrative
access to the devices. 29 C-Data models are affected. The devices are used by ISPs at the point where
fiber optics connect to the end-user's Ethernet connections. Kim and Torres published their
warning without notifying C-Data, and they said they did so because they believe that some
of the vulnerabilities were intentionally placed in the devices. Bleeping Computer reports that Ryuk ransomware is fading while its malware sibling, Conti,
which with Ryuk shares code, is rising.
Carbon Black researchers share some details of Conti's workings.
This represents a shift in the criminal markets and not really either an increase or decrease
in the overall threat of ransomware.
The same precautions you should take to protect yourself against this kind of extortion
remain as important as ever.
But Conti does represent an evolutionary upgrade over Ryuk.
It is, for example, manually controllable by its operators.
That might seem a step back,
since we're accustomed to thinking of automation as, well, newer, better, and shinier in every respect.
But that's not true in this case.
It enables subtler operation.
Carbon Black said, quote,
The notable effect of this capability is that it can cause targeted damage in an environment
in a method that could frustrate incident response activities.
A successful attack may have destruction that's limited to the shares of a server
that has no internet capability,
but where there is no evidence of similar destruction elsewhere in the environment.
Data brokers continue to collect information for the benefit of advertisers,
and TechCrunch concludes that existing laws seeking to inhibit them are unlikely to do so,
at least as those laws and their attendant regulations now stand.
Duo Security ran its own test of the California Consumer Privacy Act
and decided that even finding out what data were collected is just about prohibitively difficult.
Preventing their sharing with third parties seems even harder.
Chinese companies and their products have continued to attract fresh skepticism from
governments that formerly welcomed or at least tolerated them in their national markets.
The AP says that yesterday's annual report of Germany's BfV, the domestic security agency,
warned that consumers providing information to
Chinese companies may also be providing it to the Chinese government. Thomas Haldenwang,
the agency's director, told reporters that any customer here in Germany who uses such a system
shouldn't be surprised if this data is abused in Beijing. We can only warn against this.
End quote. By such a system, Herr Haldenwang meant
not only obvious big Chinese companies whose business deals in large quantities of information,
companies like Tencent and Alibaba, but even smaller, easily overlooked outfits like bike
sharing apps. The grounds for the BfV's suspicions are the legal obligations Chinese companies have to provide data to the Chinese government.
There are, however, other concerns being voiced in Berlin.
Horst Seehofer, Germany's interior minister, said that the government had yet to reach its political decision
on whether to permit Huawei to supply equipment to the country's cell service providers,
but he sounded a distinctly cautious note.
He told reporters,
When it comes to critical infrastructure in the energy supply or now with 5G lines,
we have to consider how we can protect ourselves.
Huawei also received a grilling in the UK,
where Parliament's Science and Technology Committee
heard from a senior British executive of the company, Vice President Jeremy Thompson,
who testified to the company's willingness to permit its employees to freely express themselves
and that the company represented no extraordinary threat to civil liberties.
His evasive answer, however, to a question by committee chair Greg Clark
about his views of the new Hong Kong
national security law undid much of the intended effect of his testimony and probably did Huawei's
case little good in Westminster. The Telegraph bluntly says that Chairman Clark tied Mr. Thompson
in knots. And in one of the other Five Eyes, Canada, which had remained on better terms with Huawei than its four Anglophone sisters,
Global News reports that experts see official opinion moving toward a more restrictive approach to the companies.
And finally, the first outline of the defense of Ramon Olorunwa Abbas is now growing clearer.
The Nigerian national is well known as an Instagram influencer
under the name of Ray Hushpuppi, who's currently facing U.S. federal charges alleging his
involvement in internet scams. Mr. Hushpuppi's attorney says his extradition to the U.S. from
Dubai was illegal and amounted to kidnapping. Seems like a bit of a reach, but we shall see.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
My guest today is Conan Ward. He's CEO at QOMPLX Underwriting, a New York-based insurance company.
Our conversation centers on the complex reality of cyber insurance in light of the third anniversary
of NotPetya. Here's Conan Ward.
At that point in the marketplace, when NotPetya hit, you had some disagreements over
what we call in the industry affirmative or non-affirmative or silent cyber coverage.
And so, you know, in traditional property and casualty products, there are exclusions that have existed for a very, very long time. And so, you know, two of those
kinds of exclusions that are almost universal are war and fidelity, this idea of an employee behaving dishonestly or in a criminal way.
Well, those are two of the more important sources of loss and mayhem with respect to
an owned network of a potential customer.
And so just saying something like, oh, well, we'll cover cyber inside of a property policy,
you know, in many ways isn't really the right approach.
And I think customers liked it because they felt like they were getting a coverage grant for free or for not a lot of
money. But the reality is that product isn't designed to do, to cover a cyber network.
What are your recommendations for folks who are concerned that they don't want to be just,
you know, checking off compliance checkboxes,
cyber insurance check, we've got it. How do they go out there and know that they're properly covered?
Yeah, I think they should look at a variety of the coverage grants. I think most of the dedicated
cyber policies do some of that. They almost all have a crisis management element.
They have third-party coverage, first-party coverage. Most of the exclusions that clients
would worry about are gone. I think that the bigger challenge for some customers is,
can they buy enough dedicated cyber coverage to fulfill their needs?
And defining those needs in terms of financial quantification,
I think we as an industry and working with the clients
have to help clients quantify better what their security profile would dictate in terms of more of a stochastic
financial view of risk, because that informs a lot of different things.
It informs how much you spend for resilience, how much you spend on prevention,
and how much insurance you should buy and what you should spend for it.
Is there any talk in the industry or any fear in the industry that cyber insurance could end up similar to the way we,
the situation we have with, say, flood insurance, where, you know, it has to be underwritten at a federal level because the potential losses are so significant?
You know, I think that's a reasonable question.
There is certainly a huge role for private enterprise in this whole thing.
And, you know, I think we as an industry and the client base have to do more work to quantify the kinds of losses that we think of as truly catastrophic.
If we think about $3 billion in loss from NotPetya, yeah, that's a big number.
of a 9-11 or a Category 5 hurricane hitting Miami or half of California falling into the ocean,
$3 billion is not a big number. Are there possible numbers a lot bigger than $3 billion? To be sure.
Cyber is unique in as much as there's a lot more. It's a lot more like terrorism. It's got a game theory quality to it where you've got adversaries on both sides trying to outwit each other. And so if the adversaries get the upper hand and have some artisan level malware that impacts everybody at the same time and brings down a bunch of the web service providers, you could well be looking
at the kind of catastrophic event where it would make sense for some federal involvement, but that
would be at a very, very high level. And that kind of risk is worrisome. It's a systemic non-banking
kind of risk that, you know, I would argue with nuclear biological,
radiological terrorism, EMP weapons, other acts of war, you know, there is definitely a place for
the federal government in those things, but not to crowd out industry. And I think, you know,
I think industry can handle most of what goes on. But again, there is always that smaller probability of an artisan-level attack that can take down multiple web service providers and really put the economy on its heels.
That's Conan Ward from QOMPLX Underwriting.
If you want to hear an extended version of this interview, head on over to thecyberwire.com.
You can find it there in the CyberWire Pro section.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Dr. Zulfikar Ramzan from RSA.
Zulfikar, it's great to have you back.
I want to touch today on zero trust.
It's a hot topic, and I'm curious what your take is on it.
How do you come at this?
Zero trust, as you noted, Dave, has been an incredibly hot topic.
It's predicated on this very nice notion of never trust, always verify.
And this is meant to replace this age-old adage of trust but verify.
And the goal with zero trust is that in a security context,
trust is kind of a negative notion.
The idea is that if I am trusting something,
that usually means I am implicitly required to trust it
without really having any assurance that it's trustworthy.
And so what you want in security is not to trust something,
you want systems that are trustworthy.
You want to avoid what you have to trust
because that's usually a bad assumption to make in many cases.
And so I think the goal with zero trust is fundamentally,
how do I reduce my trust surface?
How do I minimize what I need to trust?
And so in that way, I think it's become very attractive,
but I think also has many pitfalls associated
with how you implement it correctly.
Well, let's go through that. What are your concerns?
So first of all, I think it's important to realize that the idea of zero trust,
even though the nomenclature is relatively recent, introduced about 10 years ago
by John Kindervag and analysts at Forrester, the notion itself,
the concepts underlying zero trust have been around for a lot longer.
So if you look back in the 70s,
Saltzer was talking about least privilege.
In the late 70s, the early papers on cryptography,
the Rivest, Shamir and Adleman paper and the Diffie and Hellman paper
talked about certificate authorities in the context of them being trusted authorities.
And it was noted that trust was a negative notion in that context.
Ken Thompson gave a wonderful lecture in 84
when he won the
Turing Award called Reflections on Trusting Trust. And so many of these notions have been around for
a long time. So first of all, people should not think that zero trust is something that's brand
new. Many of the technologies in the industry have already evolved to help organizations manage
and reduce their trust surface. So I think that's the first thing to keep in mind.
The second thing to keep in mind is that at a fundamental level,
zero trust is not a reachable goal.
You're never going to get to the point where trust is zero
because ultimately systems are too complex.
Maybe I've got a device and I've been able to do some elements
of being able to monitor that device,
but that might not be enough.
The reality is, do I know about every line of code in that device?
Do I know how that code was compiled?
Do I know about every software component?
And at some level, you kind of run out of the ability to really dig that deeply.
And so I think you never get to zero trust, but it's more of a journey.
I think it's healthy to have a zero trust mindset, but never to expect fully to reach
zero trust.
What are your recommendations for people to dial that in, to put forth a reasonable effort
balancing their available resources, funds, all those sorts of things?
Yes, I think the main thing is to keep in mind that there's no one technology that gives
you zero trust.
It's not like some vendor says, and a lot of vendors have done this in their marketing
material, they say zero trust everywhere, and they give this implication that they can help you solve your zero trust woes.
They're one piece of the puzzle.
But the reality is that zero trust, to get it done correctly or to really approach zero trust in any organization, requires a variety of technical capabilities.
You have to have strong authentication with the risk engine so you can ensure that all resources are accessed in a secure manner
regardless of the location.
You may want to have identity governance and lifecycle
and various types of access control mechanisms
around knowing that access control is handled
on a need-to-know basis and is strictly enforced.
And finally, you also do need monitoring solutions
that include network monitoring from logs and packets to endpoint to cloud and SaaS and beyond, maybe PaaS and IoT and so on and so forth.
So you can inspect and log all traffic, which is a critical component of being able to always verify.
If you don't have visibility, how do you know that things are going in the right way?
So I think that really those elements are key approaches to making sure
you have a complete technology stack
for being able to address these issues.
But really the more important point
is that these issues help you get towards zero trust,
but really zero trust has to be not just a mindset.
You've got to think about the right strategy
you want to use to approach zero trust.
In that vein, I tell people,
look, take a risk-oriented approach.
There are many
things you can do that would help reduce your trust surface, but only a handful may make sense
for your organization. So for example, if you look at something like client-side TLS,
that would help organizations achieve zero trust because in a way that you're really enforcing
that your clients are included as part of the authentication process and creating strong
mutual authentication. But ultimately, client-side TLS would be a terrible idea if you're an e-commerce
vendor, because that would prevent your customers from getting to your assets. And so even though
there's a technology that's helping you get to zero trust, it may not be the right technology
for your environment. And there may be many paths towards reducing your trust surface. The real
focus has to be, in my mind, a risk-driven approach that accounts
for your overall business priorities.
All right.
Well, Zulfikar Ramzan is the Chief Technology Officer at RSA.
Thanks so much for joining us.
Absolutely.
Thank you so much, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole
Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.