CyberWire Daily - Traditional sabotage at Natanz. CISA’s ICS strategy. DDoSecrets’ server seized by German police at the request of the US. COVID-19-themed phishing infrastructure taken down. Cyberespionage.
Episode Date: July 8, 2020
The Natanz blast looks like traditional sabotage. CISA releases its strategy for securing industrial control systems. Authorities in Germany seize DDoSecrets' server pursuant to a US request. Microsoft takes down COVID-19-themed BEC and phishing infrastructure. FBI Director denounces China's cyberespionage. Joe Carrigan helps review personal privacy measures for iOS and Android. Rick Howard speaks with Steve Moore from Exabeam with insights from a year spent interviewing CISOs. And some DDoS and ransomware attempts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/131
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Natanz blast looks like traditional sabotage.
CISA releases its strategy for securing industrial control systems.
Authorities in Germany seize DDoSecrets' server pursuant to a U.S. request.
Microsoft takes down COVID-19-themed BEC and phishing infrastructure.
The FBI director denounces China's cyber espionage.
Joe Carrigan helps review personal privacy measures for iOS and Android.
Our guest is Steve Moore from Exabeam with insights from
a year spent interviewing CISOs and a look at some DDoS and ransomware attempts.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 8th, 2020.
It appears increasingly likely that the explosion at Iran's Natanz nuclear facility was sabotage and not a cyber attack. Eurasian Times has a summary of the emerging consensus. The connections, if any, between the Natanz incident and damage recently worked elsewhere in Iran remain unclear, Haaretz notes, but it does seem that Iran's nuclear program figures on some adversaries' target lists. As usual, international tensions can be expected to bring cyber conflict in their train, but the explosion at Natanz seems to have been produced by an old-school infernal machine physically introduced into the facility's premises. So, case almost closed on claims of a cyber attack.
The U.S. Cybersecurity and Infrastructure Security Agency yesterday released its strategy document,
Securing Industrial Control Systems, a Unified Initiative.
The agency describes its strategy as a multi-year focused approach to improve CISA's ability to anticipate, prioritize, and manage national-level ICS risk.
The goals enunciated in the document are, first, empower the ICS community to defend itself.
Second, coordinate whole community response and mitigation capabilities to respond to the most significant ICS threats and incidents.
Third, vastly improve the community's capability to ingest, synthesize, and provide actionable intelligence to ICS asset owners.
Fourth, inform ICS investments and proactive risk management of NCFs, that is, national critical functions.
Fifth, unify capabilities and resources of the federal government.
Sixth, move to proactive ICS security. And finally, drive positive, sustainable, and measurable changes to the ICS risk environment.
Vice reports that police in Germany have seized the server used by DDoSecrets, the aspiring successor to WikiLeaks.
DDoSecrets doesn't yet know why the server was taken, but the group's leader reasonably assumes it has to do with the BlueLeaks program of doxing of some 200 U.S. police departments.
German news outlets report that the public prosecutor said the server was seized provisionally in response to a request for preliminary security in the context of international legal assistance in criminal matters.
It was taken on Friday pursuant to a U.S. request.
It will be up to the Federal Office of Justice to determine whether the server and its contents will eventually be turned over to U.S. authorities.
And good hunting Microsoft.
The company's digital crimes unit has taken down infrastructure criminals were using to run COVID-19 phishing scams against consumers.
The takedown was authorized by the U.S. District Court for the Eastern District of Virginia,
and it affected key domains used for business email compromise attacks against targets in more than 60 countries.
At a speech before the Hudson Institute yesterday, U.S. FBI Director Wray denounced Chinese intelligence operations as serving Beijing's ambitions to become the world's dominant power, according to Axios.
The Communist Party of China, Director Wray said, believes it's in a generational fight to become the world's sole superpower, and that Beijing's assertiveness in cyberspace is a consequence of the strategy that flows from that belief.
Industrial espionage and attendant theft of intellectual property figure prominently in that strategy.
Wray called the losses to IP theft in particular one of the largest transfers of wealth in history.
But there are other dimensions to the conflict in cyberspace than this.
A pervasive threat to privacy is one of these.
Quote,
If you are an American adult, it is more likely than not that China has stolen your personal data.
Our data isn't the only thing at stake here.
So are our health, our livelihoods, and our security, end quote.
And the Bureau's being kept busy too, quote,
we've now reached the point where the FBI is opening a new China-related
counterintelligence case approximately every 10 hours, end quote.
Chinese cyber operations have drawn increasingly strong responses elsewhere.
France had, like the UK, decided to give Huawei a limited place in its 5G infrastructure build-out,
but again, like the UK, that place is turning out to be more limited than Huawei would have hoped.
Chinese participation in France's infrastructure is now expected to top out at 13%, Bloomberg reports.
Steve Moore is vice president and chief security strategist at Exabeam
and host of a podcast titled The New CISO,
which is celebrating completion of its first year of publishing.
Our CyberWire chief analyst Rick Howard spoke with Steve Moore
about insights gathered in a year of speaking with CISOs.
Organizations have to pay attention to the observations of their defensive teams.
They have to utilize those observations to make changes in their environment on an ongoing basis.
If they don't, if it doesn't drive audit, if it doesn't drive budget,
and if that's not a feedback loop, you will fail. You will fail.
And it's going to be ugly.
Well, I think a lot of us are struggling with that whole idea. Cause you know, the security community gets it,
but we've struggled conveying those problems to business people.
I'm wondering if you have any insights about how we could change our tune
to make that better.
Yeah, a lot of thoughts on that as well.
But what I will say is that tactically we have to remove the snark.
And I can start, I know this firsthand.
We have to, we have to,
when we do, when we create artifacts, let's say around an incident, it has to be very fact-based. And maybe the one thing I did that changed the direction, even related to the breach, is as we had these observations, it's, what did you observe? What was the trend of what you observed? So is it in concert with other things? What was the immediate response? And then I want you to put your consulting hat on. This is controversial, but put that hat on and say, okay, be strong enough to say you've extinguished all your available resources. So as a leader, you say, look, either I need additional budget and cooperation, if in fact that's what you need, or I need outside experts brought in to get you a final answer to this. So for example, you've had an incident and you don't have the ability, due to some gap, to give a final answer to say, are we compromised or are we not related to this?
And so I really liked that idea.
I've used that in my career also, where when you've stretched your team
as far as they can go, right?
And I've gone to the boss and said,
yes, boss, I can do this new thing that you want me to do,
but that means I need to drop one of these five things
that you already had me doing.
Just so you know, that's what we're doing. And it may not cause him to change his mind or cause her to change her mind, but at least they know that that's what they're impacting, those other things you got going.
Absolutely. You have to roll up then what I mentioned earlier, is to say, okay, how am I articulating this? Can somebody who's non-technical... So for example, the observations from the SOC or the equivalent of the SOC, that has to be tracked and managed and worked outside of technology. If it's not part of the risk register, and you can't submit every incident, but if you know that 63 of your last 100 incidents or cases, let's say, involve a weakness or a lack of a control or have a gap in visibility, and now you can't do your job as a defender and as a responder, if that's not getting tracked in a non-technical way, that organization is vastly flawed.
So when I give advice to companies to say, how do you prevent a breach?
How do you recover from one? It's these kinds of things I spend most of my time on.
That's our own Rick Howard speaking with Steve Moore from Exabeam.
India is standing by its intention to block TikTok as a collection threat,
a policy that Wired sees as an example of the market working against invasive, unregulated technology.
The social platform is also facing headwinds in the U.S.,
where Reuters reports that both the Federal Trade Commission and the Justice Department are investigating allegations that TikTok is in violation of a consent decree reached last year
that was designed to protect children's privacy.
The Center for Digital Democracy,
the Campaign for a Commercial-Free Childhood, and other groups asked in May that the FTC look
into their claims that TikTok failed to delete videos and personal information about users age
13 and under, as the consent decree had specified. U.S. Secretary of State Pompeo had said earlier
this week that the U.S. government was considering a ban on TikTok
for what he characterized as its collection of information on behalf of the Chinese government.
Bloomberg Law reports that Mexico's central bank sustained but successfully parried a cyberattack yesterday.
Banco de Mexico said that the denial of service attempt lasted about half an hour
and caused brief intermittent outages before it was finally stopped and service returned to normal.
EDP Renewables North America, a renewable energy subsidiary of Energias de Portugal,
has disclosed a data breach. The company characterizes it as unauthorized intrusion into its networks,
but says it believes no customer data was compromised.
Security Week calls the incident a RagnarLocker ransomware infection.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
Interesting story came from Wired. This is written by David Nield, and it's titled,
How to Passcode Lock Any App on Your Phone. Now, Joe, I have to ask you, let me just set
out a little scenario here. You're with a group of friends, and you say to your friend,
oh, I have to show you this photo.
This is a funny photo.
Let me just look at this photo,
or look at this cute picture of my dog or my child or whatever.
With me, it's more likely to be memes.
Okay, all right, here's a funny meme.
Very good.
So you bring it up on your phone.
You hand your phone over to your friend,
and your friend looks at the phone, and they laugh. And then they start scrolling.
They start flipping through your photos. Now, I don't know about you, but this creates a certain amount of anxiety in me.
Yes.
So I'm like, what are you doing? Because I think most of us,
we consider our mobile device to be a very intimate device.
We have so many things about our life on this.
And so what do you do there?
So when someone starts flipping, how do you respond?
I snatch my phone back.
That's what I do.
Okay.
Very good.
Very good.
Well, this article is basically about how you can prevent folks from looking beyond what you intend them to look at.
Right.
They talk about locking stuff.
We'll talk about iOS and Android.
Yep.
Some apps allow you to do this on their own.
For example, like the Signal app, Dropbox, you can lock the app separate from locking the phone.
Correct.
And this is a good thing.
I would agree.
But it's a little trickier on iOS because iOS doesn't give you the amount of sort of
granular control over the system that you get over on Android.
So what I like about this is that they have some clever workarounds for how you could lock up apps.
One of them is you could use screen time, which is an app, not an app,
it's a functionality of iOS that allows you to limit the amount of screen time you get on various apps.
You set the screen time to zero and then you have to override it?
Correct. Ah. Correct. So if someone tries to change apps, then they have to put in the passcode,
which presumably they wouldn't have, or Face ID, wouldn't unlock with Face ID because it's not you
who's looking at it. Right. And then the second one was guided access, which is an accessibility
function. And with that, if you have that enabled,
you can triple tap one of the buttons on the phone
and that keeps you from switching apps
without entering the phone's passcode.
Really?
And this is great.
Yeah, so this is great.
Like if you want to let a kid play a game on the phone
or again, if you want someone to be able
to not switch away from photos,
it doesn't really solve the problem
of them flipping through photos, right?
Right, right.
So it's a little different on Android.
Now, I know you're an Android user,
so you have a little more control over there.
Yeah, yeah, of course we do,
because it's better over here, Dave.
Go on.
Android does let third-party apps do their thing,
and I have a couple apps on here on my phone
that require their own authentication.
This article on Wired is talking about an app called Norton AppLock,
which allows you to just go ahead and lock specific apps on your device.
So if you want to lock, say, Facebook,
so that if you're handing somebody a picture,
look at my cute little puppy,
then they can't go scrolling through your Facebook feed and, you know, post things on
your Facebook feed that say, you know, I think I'm going to go public with this, but I am a furry.
You're getting kind of close to home there, Joe.
I know, Dave. That joke is never going to die, I don't think.
Okay.
I'm kind of touchy about my technology, Dave. Yeah. Like, my computer at home,
no one is allowed to even touch it. Really? That is my computer, right? If you want a computer,
you have a computer. Use your computer. Everybody has their own computer. It's kind of like your own personal space. And I feel the same way about my phone. So I don't just hand my phone. I've never,
you know, my kids have never said, I want to play a game, hand me your phone.
No, you can't play a game on my phone. And the absolute case in point for that is my mom,
who has let my nephews play on her Chromebook. And in order for me to get the stuff off the Chromebook that those kids somehow managed to install, I had to power wash her Chromebook, which is a function of the Chromebook. So no, I don't let other people, particularly kids, handle my computers because
you never know what they're going to do. But that's me. You know, that's me. I'm kind of a meticulous person with my PC.
My office is in disarray, but my computer is well-maintained, right?
All the files are in the right places.
All the software that I want installed is installed.
None of the software I don't want installed is not installed.
It's just the way I like it, and I don't want you clicking on some link while you're on my computer or on my phone.
One of the things they point out here in the article is that the Android store being the Android store,
I have to nudge you back a little bit there, Joe. Yes, of course.
There are plenty of bad apps there that claim this functionality but are full of ads and who knows what else.
So you have to be careful as you do.
And again, it seems like they had good luck
with the Norton AppLock app.
So that's Wired's recommendation.
I would stick with that.
That's a good recommendation.
Norton's a trusted company.
Yeah, yeah.
All right, well, fun stuff.
Be careful out there
and don't hand your phone over to anybody you don't trust.
Or if you're Joe, don't hand your phone over to anybody.
That's right.
All right, Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.