CyberWire Daily - Updates on supply-chain seeding reports. DDoS in Ukraine. GAO reports on US weapon system cyber vulnerabilities. Bugs exploited by Mirai persist. Patch note and toe dialing.
Episode Date: October 10, 2018
In today's podcast we hear that there's no consensus, yet, on Bloomberg's report of Chinese seeding attacks on the IT hardware supply chain. Ukrainian fiscal authority sustains DDoS attack. GAO reports on cyber vulnerabilities in US Defense Department weapon systems. Xiongmai DVRs and cameras still exhibit bugs exploited by the Mirai botnet. Patch notes. And a lizard toe-dials from a veterinary clinic—he wasn't a patient; just visiting. Robert M. Lee from Dragos with insights on the Bloomberg hardware supply chain story. Guest is Stephen Cobb from ESET with results from their recent AI and ML silver bullet survey. For links to today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
There's no consensus yet on Bloomberg's report of Chinese seeding attacks in the IT hardware supply chain.
We've got Robert M. Lee from Dragos joining us to provide his take on the story.
Ukrainian fiscal authority sustains a DDoS attack.
The GAO reports on cyber vulnerabilities in U.S. Defense Department weapon systems.
Xiongmai DVRs and cameras still exhibit bugs exploited by the Mirai botnet.
We've got some patch notes.
And a lizard toe-dials from a veterinary clinic. He wasn't a patient, just visiting.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 10th, 2018.
Bloomberg doubles down on its report of Chinese hardware supply chain seeding,
with on-the-record corroboration from Sepio Systems.
Sepio is quoted as saying that it found the malicious implants in equipment belonging to one of its clients,
a telecommunications company it can't name because of a non-disclosure agreement.
AT&T, Verizon, and Sprint told Bloomberg they're not affected.
Motherboard reports that CenturyLink, Cox, and Comcast also denied being the affected telco.
Norway's National Security Authority also said, according to Bloomberg, that it has been aware of an issue with respect to
Supermicro devices since June, but that it couldn't confirm the specifics of Bloomberg's report.
The U.S. Department of Homeland Security denied investigating the matter,
but Bloomberg notes that the investigation mentioned in their report would be one conducted by the FBI.
The FBI has declined to comment.
There's no consensus yet as to whether Bloomberg's report is true, and the story is still developing.
Apple has sent a strongly worded, direct, and detailed denial of the alleged incident to Congress.
The U.S. Senate Commerce Committee is considering hearings on the matter.
A little later in the show, we'll hear from Robert M. Lee from ICS security firm Dragos
with his take on the Bloomberg story.
Ukraine's state fiscal service has been under denial of service attack since Monday.
There's no attribution yet in the brief report filed by Reuters, but the attack continued through yesterday at least.
The U.S. Government Accountability Office reported yesterday that its investigation finds Defense Department weapons systems remain vulnerable to cyber attack.
Connectivity and automation are important enablers of system effectiveness,
but GAO thinks the Pentagon was in effect late to the cybersecurity party and is still playing catch-up.
Progress is being made, the GAO says,
and it urges the Department of Defense to maintain its momentum.
They suggest that the acquisition officials make more use of NSA
in reviewing the cybersecurity of the systems whose development they oversee.
NSA indicated to the investigators that they'd be willing and able to provide such support.
Researchers at security firm ESET recently surveyed security professionals to gauge their attitudes towards AI and machine learning.
Stephen Cobb is a senior security researcher at ESET.
In our survey, we found that a large percentage of larger companies
have some form of machine learning, they think, in their endpoint protection products.
A significant percentage are looking at AI machine learning as something of a silver bullet
to really give an advantage
not only in their protective capabilities, but also in addressing this big problem we
have with the cybersecurity skills gap.
So well up into the 75% range, looking at it as potentially improving their security and assisting them in
their ability to cope with security with fewer people potentially. That's all very good.
Unfortunately, there's two sides to this, one of which is that machine learning and artificial
intelligence are not protected technologies.
They're things which malicious actors can use as well.
And one of the interesting findings in our survey was,
although there's a lot of enthusiasm for AI and ML in security products amongst companies,
there's also a fairly high level of awareness that there is hype around this,
and also an awareness that this same technology could be used maliciously.
So this was actually, to me, very encouraging that two-thirds of the people, and this was a
survey if you take it across the US, the UK, and Germany, two-thirds thought that malicious use of AI would increase the number of attacks
and also make those attacks more complex and harder to detect.
Now, it was interesting that some of your results were that
people had different views in the US versus the European survey respondents.
Yes, it was very interesting.
And I would characterize it like this.
In the US, there's been more adoption of AI ML solutions,
more, I think, confidence based in those,
more positive attitude,
but also in the US, a higher awareness that it might be hype
as well. In Germany and the UK, the two other countries that we looked at,
there was lower adoption, less fear that it might be hype. And so you have this sense that
maybe in Europe, they're proceeding a little bit more conservatively towards the adoption of these technologies.
And they may be, one could hypothesize, they're doing a more measured approach.
That's Stephen Cobb from ESET. You can find detailed results from their survey on the ESET website.
SEC Consult researchers have found critical vulnerabilities in Xiongmai technology widely used in inexpensive DVRs and security cameras.
Krebs on Security complains that Xiongmai is effectively an internet polluter,
spreading vulnerabilities like cheap sludge.
The site points out that Xiongmai components provide the vulnerabilities that the Mirai botnet exploited,
and that unlike other manufacturers such as Huawei,
Xiongmai has done little, if anything, to fix its problems.
SEC Consult gave up trying to get the manufacturer to patch,
and Krebs thinks Xiongmai richly merits naming and shaming.
We've got some notes on patches and upgrades.
Intel's ninth-generation Core processors include hardware protection against two variants of the Spectre and Meltdown
speculative execution vulnerabilities. Among the 50 or so Microsoft patches were fixes addressing
Jet Database Engine bugs and a privilege escalation zero-day actively exploited in the wild by the FruityArmor APT group.
And finally, we ask, have you ever faced the embarrassment of butt dialing?
We're asking you for a friend, of course.
This happens when, phone in back pocket, you sit and inadvertently apply pressure to the phone
in ways that cause it to make a call.
Here's a similar issue a marine mammal veterinary clinic in Hawaii faced.
Foot dialing.
The Ke Kai Ola Marine Mammal Center on the Big Island,
known for taking care of monk seals,
was issuing a bazillion phone calls the other day,
as the Associated Press puts it.
The bazillion recipients would answer, but there was no one on the line.
Silence, like a failed robocall from a telemarketer.
Ke Kai Ola received many complaints to the effect of, why are you calling me incessantly?
The hospital director, veterinarian Dr. Claire Simeone, came in to investigate the problem after
receiving repeated calls herself. She found a gecko tap-dancing vigorously on the touchscreen
of one of the facility's Polycom phones.
As she tweeted,
There is a gecko sitting on the touchscreen of the phone making calls with his tiny gecko feet.
This gecko has called me 15 times and everyone in our recent call list.
No reptiles were harmed in the resolution of this story.
The dancer was picked up and placed on a plant outside,
where he belongs.
Hawaiian Telcom pointed out to Ke Kai Ola
that this should never have happened
because geckos are terrestrial lizards, not marine mammals.
No evidence points to this being any kind of supply chain attack.
It's just a case of happy feet.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility
is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak. Learn more at blackcloak.io.
And joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. Certainly
a lot of attention in the past week or so from the story that came out from Bloomberg Business Week.
This was the big hack, how China used a tiny chip to infiltrate U.S. companies.
I think as interesting as this story is, and it is interesting,
is the sort of blanket denials that we've seen from the organizations mentioned in the story.
I just want to check in with you on this.
What's your take?
There's so many different elements to the story,
which obviously and appropriately are concerning folks.
One aspect of it is hardware supply chain hacks
are something that we've long thought about
and been concerned about,
and it's extremely difficult to sort of work around them.
But we haven't really seen a disclosure of a real one
with some counterfeit technology and stuff,
but not really a hardware hack.
But everyone's concerned about it.
So hardware hacks are real, and we are concerned about it.
But at the same time, the details of the story
and sort of the background of the story really don't make sense.
So there's been some folks that come out.
Joe Fitz is one of the folks who's been a hardware expert
and well aware of what goes on with these pieces
and also was a name source in the story of
how these kind of compromises occur. And when he and others that were actually involved in the
story came out, they said, look, nobody ever called me for fact checking. I actually disagree
with the principle of some of that. The story, a lot of the details don't make sense. We see
blanket denials from these companies, which is not normal.
It's normal to say no comment or whatever, but it's not normal to come out and vehemently disagree with it.
We have DHS came out and disagreed with it.
We have Rob Joyce on Twitter, previous White House cyber coordinator, and still at the NSA comes out and goes, I don't know, this is too accurate. I mean, it's unheard of to see so many strong rebuttals.
And at the end of the day, these journalists are relying on, for the actual sensational piece,
completely unnamed sources.
And what's concerning here is this has a real impact, not only on Supermicro,
whose stock tanked as soon as the story came out, but also on all the people that use them, and they're an extremely
widespread supplier. So lots of companies are scrambling around this, and to do that completely
off unnamed sources, I think, is a little bit irresponsible, to be honest. And I guess there's
two other aspects that are concerning about this. Number one is the technical details are not sound,
so they do not make sense together. So it looks like the reporters, even if they
had the best of intentions, conveyed the details incorrectly. Even the
pictures that people were pointing to, though, there's the chip, those
are made-up pictures of what they think it should look like. They're not actual
pictures of compromised boards.
The second piece is, and I think this is very close to an ad hominem attack, so I want to be careful, but worthy to note that these reporters have covered three or four major sensational stories before that were deeply incorrect and based on anonymous sources that ended up not being accurate at all.
So I don't think their intentions are misaligned.
I feel that they honestly believe what they're saying.
But we've seen them be massively incorrect on technical stories before.
They're the ones that pushed forward the BTC pipeline in Turkey.
It was hacked by the Russian government.
It was a cyber attack that caused the explosion,
although it's been easily debunked over the years,
as that was completely not true.
So to see all of this come up again,
I'm very hesitant to go with anything in the story.
I think until there's some actual proof that comes forward,
people should put this in the camp of hardware hacks are real
and we should think about them, but this story is likely inaccurate.
It's interesting, as you mentioned, to see such a wide divide between those mentioned
in the story and the reporters themselves. Bloomberg stands by the story, but as you said,
it's just so unusual to see the vehement denials that we're
seeing. Well, it's also reporters that are coming out, right, and saying how unusual aspects of the
reporting are. So it's not just the technical experts, which is very important here. But,
you know, there's been a number of really good reporters that came out and said, hey,
something is off. Like Kim Zetter, who's usually one of the best tech journalists out there and
has done this beat
much longer than most, came out and said, look, when I wrote the New York Times story,
I had fact-checkers that had to go through every single one of my sources.
And even your anonymous sources get fact-checked. I mean, just because they're anonymous doesn't
mean that you lose scrutiny. They just don't get named. But nobody in this story that we're aware of got fact-checked.
So the people that were named, like Joe, came out and said,
look, nobody ever called me and asked to fact-check.
So I think there's so many different aspects of the story that for a Bloomberg cover piece
that was essentially going to massively hurt a company,
it doesn't appear that the due diligence was done in a normal way
from either tech or journalism standards to publish this piece.
It also strikes me that, I mean, as soon as this was published, wouldn't the hunt have been
on to find one of these motherboards to be able to point to the chip on the board? And if the
story, as the story says, if there are thousands of these out there, how hard could that hunt be?
Yeah, and so this is where we go back and forth on finding a compromised hardware is very difficult.
And doing thorough analysis of it is very difficult because, again, the picture that they showed was a fake picture.
So it's not like you could just go to the board and look for that little rice grain sized chip and look for it to be on
the board. It's not the real one. So the fact that thousands could be out there and go undetected,
I can buy that. That makes sense to me. But the fact that there were 30 companies that were in the
know, or these multiple companies that were aware of this and knew what happened
and detected it, it doesn't make sense that of all of these companies full of people that
were in the know, that everybody is keeping their mouth shut.
I mean, it's a day and age where leaks are pervasive in any industry, especially in matters of intelligence and technology.
And the fact that everyone's just super quiet right now,
and the companies that were supposedly willing to even work with the government
to say, hey, this is a big deal and we need people to know about it,
are now coming out saying, dude, that's not even close to true.
That's where the story really doesn't hold water.
Now, we know there's more coming.
So this is where Kim Zetter has, again, been extremely useful to the community in helping out and saying, look, Bloomberg is doing a series.
So there's at least two more pieces coming on Chinese espionage.
And it'll be interesting to see what they say.
But I don't know that the next stories are any less accurate because of this one or if the stories have anything to add to this one.
But at this point, nobody's going on the record.
The people that were on the record said that their intent was not actually captured.
The journalists that have covered this have shown before that they have trouble covering
technical subjects, and nobody can find proof of anything.
So I think it's just too much to take the story on face value. I think the takeaway
should be that there are hardware types out there. Various state actors are absolutely
trying to compromise supply chain. It is an extremely beneficial thing to be able to do.
But it is much more difficult than people associate it with. And
this is not likely the example that people should look to just to show anything. And definitely,
it appears that a wrong has been done to Supermicro.
All right. Well, Rob Lee, thanks for your insights.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time
and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast
is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan. Thanks for listening.
We'll see you back here tomorrow.