CyberWire Daily - Ukraine says it blocked a second wave of NotPetya attacks. Notes on hybrid warfare and the challenges of sharing data. Will the EU get a right to repair?
Episode Date: July 6, 2017
In today's podcast we hear about the Ukrainian police raid on Intellect Service and their seizure of M.E. Doc servers. Ukraine's Interior Ministry says this stopped a second wave of NotPetya. Affected companies continue to recover from the NotPetya infestation. US Cyber Command prepares to parry hybrid warfare. Spyware campaign hits Chinese-language news services. The EU considers adopting a "right to repair." Joe Carrigan from the Johns Hopkins University ponders always-on cameras. Dan Larson from CrowdStrike on fileless attacks. Medical information-sharing runs into problems in the UK. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Ukrainian police raid Intellect Service and seize M.E. Doc servers.
Ukraine's Interior Ministry says this stopped a second wave of NotPetya. Affected companies continue to recover from the NotPetya infestation. Information sharing runs into problems in the UK.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, July 6th, 2017.
It seems that M.E. Doc, Ukraine's widely used equivalent of TurboTax, was the way the attackers behind NotPetya got their malware onto its victim systems.
Ukrainian authorities certainly think so.
On Thursday, they raided Intellect Service,
whose M.E. Doc tax accounting software is believed to be the initial source of Petya, Nyetya, NotPetya,
which we'll henceforth simply call NotPetya.
They seized servers they say were primed to release a second wave of the non-ransomware.
Affected firms' recovery from NotPetya continued this week, but slowly and painfully.
The shipping industry in particular appears to be taking the lessons of NotPetya to heart,
especially as it increasingly depends upon robotic material handling equipment in ports and on increasing use of autonomous vehicles.
Manufacturing was also hit, and companies have yet to fully recover in that sector either.
Consumer goods manufacturer Reckitt Benckiser said Thursday
that manufacturing disruption by NotPetya had cost it, so far, £100 million in lost revenue.
UK-based Reckitt Benckiser produces several brands you may be familiar with,
including Dettol, Harpic, Gaviscon, Clearasil, and Durex.
It's unsurprising that adoption of new technologies increases attack surface,
but it's striking to see the extent to which recovery from NotPetya
drove logistics firms in particular to manual fallbacks
and shut down manufacturing lines entirely.
Intellect Service says it's not responsible for the malware and that its networks had
been compromised by hackers.
Those hackers, Ukraine continues to maintain, were in the service of the Russian government,
which attribution, of course, Russia continues to deny.
People purporting to be the controllers of NotPetya gave Motherboard an apparent demonstration
of ability to decrypt affected files, but the demonstration was too limited to carry
conviction.
Security experts continue to regard NotPetya as not having been ransomware at all.
Most observers are inclined to credit Ukraine's suspicions, and other governments remain wary.
Germany, for one, expects to be on the receiving end of attempts to disrupt its September elections.
That country's domestic security service doesn't think there will be an effort to support one
candidate over another, but rather that hostile actors, read Russia, will seek generally to
discredit German political institutions.
A researcher at the University of Southern California says he's found signs
that the same Twitter bots that opposed Clinton's presidential campaign in the U.S.
did the same to Macron's in France.
His paper is still under review, but early reports say he thinks he's found signs of bots for hire
that lie dormant until called into campaign season service.
If such operations constitute Russian hybrid warfare, recently concluded U.S. Cyber Command exercises afford some insight into how at least one Western power sees itself parrying them.
Cyber operations are increasingly integrated with more traditional electronic warfare and signals disciplines, and even information operations are finding their way onto the battlefield.
The University of Toronto's Citizen Lab reports a cyber espionage campaign targeting Chinese-language news sources. No attribution, but it looks like the Chinese government.
The Chinese-language sources being surveilled are generally located outside of China proper and primarily serve the Chinese diaspora. The hackers appear to be located in the PRC itself.
So Citizen Lab isn't saying it's the Chinese government, but it's the Chinese government.
Coincidentally or not, online leaks about corruption have begun playing a larger role in Chinese domestic politics.
Fileless attacks continue to be an expanding threat, and we check in with CrowdStrike's Dan Larson for some updates on protecting yourself against them.
It starts by not writing anything to disk, thus the term fileless.
No files are written to disk.
But it doesn't end there.
Typically after that, they will use built-in tools like PowerShell or WMI to live off the land to accomplish their goals.
And then the third characteristic is that they persist in a very stealthy manner.
So they set up backdoors that a traditional tool wouldn't be able to detect or prevent.
So help me understand, the attack itself is fileless, but it can make changes to existing files?
Yeah, exactly. So I think it's important to understand the backstory here a little bit to understand the motivation of the attacker.
So they work from the assumption that the industry standard protection is in place, right? And antivirus technology, in their minds anyway, is likely to be installed on the endpoint, and that's the thing they need to get around.
Ten years ago, that was pretty easy. You know, all you had to do was make a new variant before the AV company could update their signatures, and you'd have an easy go of it.
But a really important thing happened ten years ago, which is the AV companies started using cloud-based reputation services that would identify the prevalence and provenance of new samples.
And it was that moment when things really changed for the attacker. They said, just making a new file as an evasion technique won't work anymore. So I need to step up my game. I need to do something other than just make new variants.
And while there's a number of things we're doing now, the most common one is exploit kits. So you simply have to visit a website. You don't have to download a file. You don't have to execute anything. You visit a website. It looks for a vulnerability. And if it's able to exploit the vulnerability, it will start running in memory.
People have to understand that this kind of technique is the new normal. According to our own data, when we respond to incidents, eight out of ten times the initial infection was from a fileless attack. And even bigger, broader data sets like the Verizon Data Breach Report, they say it's 50-50.
So this is not an exotic, you know, special kind of attack that's limited to small groups of people. This is the new normal for everyday attackers, regardless of what their motivation is. And it's not something that's just reserved, you know, for big governments or big business. This is the reality of the new threat landscape for all of us.
That's Dan Larson from CrowdStrike.
The UK's Information Commissioner's Office, the ICO,
ruled this week that the Royal Free National Health System Trust
illegally shared data with Google's DeepMind.
Although the data was anonymized,
the ICO ruled that since the NHS Trust shared the data
without the knowledge and consent of the 1.6 million patients involved, the Trust was in violation of the Data Protection Act.
The implied consent that Royal Free and Google argued didn't fly, especially since Royal Free didn't conduct its required privacy assessment until after it had shared the information with DeepMind.
Royal Free will be fined up to £500,000.
A 20% discount is available for early payment.
Computing notes darkly that, quote, after 25 May next year, when the EU's General Data Protection Regulation, the GDPR, comes into force, the ICO would be empowered to levy a much bigger maximum fine against both parties.
It seems worth noting that whatever problems may surround this particular information-sharing arrangement,
sending patient files via Snapchat, as some NHS doctors in the UK are said to be doing,
there being few good alternatives available to them, hardly seems an improvement.
Some see a silver lining even in the looming wall cloud that is GDPR.
A piece in Healthcare Informatics argues that GDPR will have a salutary effect
by driving faster international adoption of interoperability standards,
including HL7's FHIR, the Fast Healthcare Interoperability Resources.
Still other observers see GDPR as fostering the growth of a healthy security culture.
Time will tell, actually about 10 months from now,
whether the optimists or the pessimists had it right.
The European Parliament considers adding a right to repair to the EU's enumerated cyber rights.
The proposed measure is being characterized as a blow against planned obsolescence, expected
to have collateral benefits in terms of sustainability, environmental friendliness, and in the creation
of jobs in repair shops.
And finally, remember the Crackas With Attitude, straight out of North Wilkesboro or maybe Morehead City?
The first member copped a plea back in January, and he's received two years at Club Fed.
Confederates await their fate in U.S. and U.K. courts.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
is a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, welcome back.
Thanks, Dave.
You know, you and I have talked before about always-on devices that monitor in your home,
things like TVs and smart devices.
I want to touch on some of these cylinders that are always listening,
things like Amazon has Alexa, Google has their Google Home.
Apple recently just announced that they're going to be coming out with a HomePod.
That'll be coming out later this year.
But then also Amazon has their Echo Look camera, which is interesting.
It's a camera designed to go in your dressing area.
It seems like they're targeting women mostly to help them with fashion recommendations and things like this.
It's got a built-in fashion sense or something. Yeah, yeah. And that's all well and good.
But I imagine you probably had the same thought that I did.
What could possibly go wrong?
No, let's put a camera in the bedroom where you're changing your clothes.
Exactly.
But you wanted to make the point that, in general, you think Amazon does a good job with security.
I think they do.
I think that they do a very good job of security.
But there is no such thing as perfect security and a perfectly secure system. While one of the people I try, I'm an Amazon customer. I enjoy being an Amazon customer. I've never had a problem with them. Some of the things that they've done have actually impressed me. For example, the way they check users' passwords by essentially, what I'm assuming is cracking them and then letting users know, you need to change your passwords to make these more secure.
That's a proactive security measure, and I love seeing companies that do that.
Yeah, maybe there's a market for an Amazon Look cover or some kind of doily that you put over the, you know.
Right.
Once you're dressed, you pull it off, you do the big reveal and say, hey, how do I look now?
Or you just don't keep it in a place where you're not changing.
Or maybe like you suggest a cover.
I think that might be the best thing because I can't think of a place in my house where I'm 100% sure that I'm not going to be walking around in a state that I'm okay with everybody seeing me.
That's right.
Well, you shouldn't have to think about it.
Inside your own home, you shouldn't have to think about it.
Exactly.
And I go back to the story about when the Amazon Echo came out,
and I was excited about it.
This sounds great.
And I said to my wife, we should get one of these.
And then she says, I can't believe you, of all people,
want to put essentially a bug in your house.
And I was like, oh.
Yeah.
Yeah.
I hadn't considered that.
Yep.
Convenience over security, Joe.
People choose convenience every single time.
They do.
All right.
Joe, thanks for joining us as always.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.