CyberWire Daily - US Army bans DJI COTS drones. Amazon will scan AWS customers' S3 buckets for public accessibility. Recommendations for election security. Marcus Hutchins pleads not guilty to Kronos-related charges.
Episode Date: August 7, 2017
In today's podcast, we hear that the US Army bans, immediately, all use of DJI commercial-off-the-shelf drones. We discuss two known unknowns and offer some background on Defense acquisition practices. Amazon will begin scanning AWS customers' buckets for publicly accessible data. Dale Drew from Level 3 Communications offers his view on hacking back. White hat hackers offer recommendations for election security. And Marcus Hutchins, a.k.a. MalwareTech, pleads not guilty to Kronos-related charges and makes bail. Supported by E8 Security, Johns Hopkins University, and Domain Tools.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Army bans all use of DJI commercial off-the-shelf drones.
We discuss two known unknowns and offer some background on defense acquisition practices. Amazon will begin scanning AWS customers' buckets for publicly accessible
data. White Hat hackers offer recommendations for election security. And Marcus Hutchins,
aka MalwareTech, pleads not guilty to Kronos-related charges and makes bail.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, August 7, 2017.
The U.S. Army last Wednesday ordered all units to immediately stop using DJI drones.
The order, which came to public attention over the weekend, derives from unspecified concerns over cybersecurity,
with the directive citing, but not quoting, two classified studies of drone vulnerabilities.
DJI, a Chinese firm, had been criticized in the past by consumers for collecting too much about users, including geolocation data. In particular, it required users to report certain
information said to be necessary for safer drone flights
and better compliance with geofencing.
Users who elected not to provide the information would find that their drones
would be either severely limited in range and endurance or disabled entirely.
Exactly what worries the U.S. Army is unspecified, but speculation centers on two possibilities,
either the risk of collection against army operations by a Chinese company
that could presumably share the information gathered with its government,
or the possibility of drones being disabled remotely by either the vendor or hackers.
Such concerns are of course not mutually exclusive.
The order to take the drones out of service came last week from the G-3/5/7, the Deputy Chief of Staff for Operations, Plans and Training.
It was explicit and peremptory.
All DJI products are to be taken out of service from drones to software to controllers and down to the batteries that power them all.
So what, you might ask, is the U.S. Army doing buying drones from a Chinese manufacturer?
This is perhaps worth a quick explanation in terms of the U.S. government's acquisition system.
It's been pointed out in coverage of the incidents that these are COTS purchases.
They're purchases of commercial off-the-shelf systems.
There is no program of record buying commercial drones from China or elsewhere.
That is, there's no acquisition program that appears in the Future Years Defense Plan,
the so-called FYDP, through a Program Objective Memorandum, POM, that makes the program a
line-item record in the defense budget.
Programs of record are the sorts of acquisition programs through which tanks, attack helicopters,
and the like are acquired.
It's been recognized for some time that the defense acquisition process, while admirably
suited to buying big, long lead-time items surrounded by plenty of watchdogs and litigation
—think shipbuilding, for example—is less suitable for buying things whose technology
evolves rapidly, are relatively inexpensive, and probably don't require extensive militarization.
So notoriously, IT purchases have tended to be encumbered rather than facilitated by the acquisition system. In areas where civilian technological development outpaces military
development, it makes sense to authorize quick purchases of relatively low-cost items.
Drones are a good example. DJI drones, also called quadcopters, carry cameras mostly for photographers and hobbyists. They can be bought online for between
$500 and $3,000. DJI drones were COTS purchases. Two interesting questions remain open. First,
what vulnerabilities is the U.S. Army worried about? And second, why does the ban cover just DJI?
Why would their products be particularly objectionable?
There are lots of other photo drones out there of comparable performance and price,
and many of those are made in China too,
but the G-3 singled out DJI for mention in dispatches.
The story is developing.
Turning to data breaches, it's been noted that many of this year's high-profile incidents
have so far been cases of inadvertent exposure of databases stored in clouds.
In particular, customer misconfigurations of Amazon Web Services' S3 buckets
have embarrassed users across several sectors,
political consulting, journalism, government contracting, and so on.
While properly configuring your data buckets is the data owner's responsibility
and not the cloud provider's,
Amazon is working to lend a helping hand by scanning for publicly available S3 buckets
and asking the bucket's owners if they really do want their data to be generally available.
White hats, who looked at voting machine vulnerabilities at the recent conferences in Las Vegas,
have recommended ways of making elections more secure.
Wired distilled their suggestions into a five-step path to more secure elections.
First, retire old, outdated, and vulnerable machines.
Second, secure registration systems and voter databases.
Third, require security audits of any polling system that uses electronic voting
machines. Fourth, make patching machines easier. Loosen up procurement rules and practices if
that's necessary to getting upgrades done. And fifth, improve poll workers' training to make
them more alert for election hacking. Marcus Hutchins, aka MalwareTech, the researcher
credited with inadvertently flipping WannaCry's kill switch,
is out on bail after pleading not guilty in a U.S. court.
He was arrested by the FBI in Nevada last week after attending DEFCON and Black Hat.
He's facing charges related to creation and distribution of the Kronos banking trojan.
Prosecutors say that Hutchins admitted developing Kronos, but that was before he
lawyered up and pled not guilty. They also allege that he was involved in offering Kronos for sale
in various dark web markets. The case is likely to set important precedents for vulnerability
research. Lawyers who've written about the case comment that the prosecution has what they
characterize as an aggressive theory of the crime. Security researchers think that theory sufficiently aggressive to chill legitimate
vulnerability research, including developing proof-of-concept exploits, writing innocent
code that criminals could obtain and repurpose, engaging with black and gray hats in various
online venues, and so on.
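The S3 story above turns on one question: what makes a bucket "publicly accessible"? The Python below is an added example, not code from the podcast or from Amazon. It applies the two tests that mark a bucket as public, an ACL grant to the AllUsers or AuthenticatedUsers group, or an Allow statement in the bucket policy whose principal is a wildcard, to constructed inputs shaped like what boto3's get_bucket_acl() and get_bucket_policy() return, so it runs offline with no AWS credentials. The bucket name, owner ID and VPC endpoint ID in the samples are made up.

```python
"""Offline check for world-readable S3 bucket configurations.

Added example; it is not the podcast's or AWS's own code. The sample ACL and
policy documents below are constructed to match the shape of boto3's
get_bucket_acl() and get_bucket_policy()['Policy'] results.
"""
import json

# The two S3 "global" grantee groups. AllUsers is anonymous access;
# AuthenticatedUsers is any AWS account in the world, which is just as public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) pairs that open the bucket to everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    # IAM accepts "Principal": "*" as well as {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Split wildcard-principal Allow statements into (public, conditional).

    A Condition block (aws:SourceVpce, aws:SourceIp, ...) narrows the grant,
    so those statements are reported separately instead of being called public.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    public, conditional = [], []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        (conditional if stmt.get("Condition") else public).append(label)
    return public, conditional


def is_public(acl, policy_json=None):
    """True if either the ACL or the bucket policy opens the bucket to the world."""
    if public_acl_grants(acl):
        return True
    return policy_json is not None and bool(public_policy_statements(policy_json)[0])


# Constructed sample inputs (hypothetical owner, bucket and endpoint IDs).
OWNER = {"ID": "0123456789abcdef0123456789abcdef", "DisplayName": "example-owner"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
               "Permission": "FULL_CONTROL"}

PRIVATE_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT]}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

# Classic "static website" policy: anyone on the internet can fetch every object.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Same wildcard principal, but fenced to one VPC endpoint by a Condition.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})


if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None),
                           ("leaky-acl", LEAKY_ACL, None),
                           ("leaky-policy", PRIVATE_ACL, LEAKY_POLICY),
                           ("vpce-scoped", PRIVATE_ACL, SCOPED_POLICY)]:
        print(f"{name:13s} public={is_public(acl, pol)} "
              f"acl={public_acl_grants(acl)} "
              f"policy={public_policy_statements(pol) if pol else None}")
```

Against a live account the same functions would take s3.get_bucket_acl(Bucket=name) and s3.get_bucket_policy(Bucket=name)["Policy"] as input (the latter raises NoSuchBucketPolicy when no policy is attached, which simply means "no policy findings"). Two caveats a practitioner should keep in mind: a conditional statement is only as safe as its condition, and object-level ACLs can expose individual objects even when the bucket itself passes this check.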
And I'm pleased to be joined once again by Dale Drew.
He's the Chief Security Officer at Level 3 Communications.
Dale, great to have you back.
You know, we see from time to time people have this notion that organizations should be allowed to hack back.
When someone comes at them, they should be able to not only to defend but to strike back.
What's your take on this?
I think the idea of hackback is a signal of the frustration that we cannot into them, get access to that system, remove the application that's attacking them, and potentially either delete or recover data that's been stolen from them.
So, for example, there's Tom Graves, a Republican out of Georgia, who has introduced a bill in Congress called the Active Cyber Defense Certainty. And this isn't the first hackback legislation that's been proposed, but it was one that was sort of released as the result of the impact of WannaCry. My biggest concern about things like hackback legislation is just the law
of unintended consequences. As an example, when you're getting attacked by a system and you now
have the cover, the legal cover, to be able to break into that system the same way the bad guy did and be able to stop the attack.
You don't know the system you're breaking into.
You don't know the purpose that this system is doing.
So you don't know if it's a medical device.
You don't know if it's a mission critical system.
And then you're relying on the forensic capability of the victim to be able to figure out which application and which user is causing the damage. And you're giving them the authority to alter that system.
You're giving the authority to kill the application or delete the user or alter the system state so
no one else can break in, as well as deleting data that you believe might be your data. But who knows
what you're actually potentially deleting on the system? And so one is, you know, what happens when you put that sort of power and authority into someone else's hands and they cause unintended consequences?
Because the bad guy is breaking into somebody else's computer to break into yours.
And so you're going to break into that other company's computer to try to stop it.
But you could be causing damage.
The other one is, while that might be
eventually legal in the US, you might be accessing systems outside the US. And so you don't know
where your legal authority begins and ends because the internet is a global apparatus.
It's not a US-based apparatus. You might be legal in the US, but breaking the law internationally.
And if you cause damage on that computer internationally, you're liable
for it. Where the bad guy is liable for it only if they can get caught, you're liable for it because
you're doing it under the color of law, apparently the color of law. And then the last one that I'm
worried about is just this sort of ambiguous definition of an attack. How do you distinguish
the notion of you defending your infrastructure from being attacked by doing a hackback versus a cyber attack against your competitors claiming that they attempted to break into you?
So this could give people a license to be able to justify breaking into other people's computer systems and claiming that, you know, I got port scanned
by somebody or somebody went to my web page and it was really suspicious. And so I'm hacking back
and it turns out that it was a competitor. So I think this really opens the door to a significant
amount of unintended consequences that will not really move us forward in evolving our
security capability of stopping the bad guys. Dale Drew, thanks for joining us.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.