CyberWire Daily - WannaCry's back and the industrial IoT's got it. Business email scams hit the unwary (and most of us would count as unwary). Testimony on Russian election influence operations. Grid security.

Episode Date: June 22, 2017

In today's podcast we hear that WannaCry's still here—just ask Honda and the Australian state of Victoria. North America and Europe work to secure their grids against CrashOverride. The US Congress hears testimony about Russian election influence ops: they didn't change the vote, but did they ever shake people up. Business email compromise scams hook sophisticated victims. The Queen's Speech says that, whatever else Brexit may mean, it won't mean a GDPR exit. Johns Hopkins University's Joe Carrigan reviews the ease of listening in on RF traffic. Asaf Cidon from Barracuda Networks on the increased threat from ransomware. And what's all this about CISOs and root canals? We didn't know that was an alternative to bearing bad news to the Board.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 WannaCry is still here? Just ask Honda and the Australian state of Victoria. North America and Europe work to secure their grids against CrashOverride. The U.S. Congress hears testimony about Russian election influence ops. Thank you. about CISOs and root canals. We didn't know that was an alternative to bearing bad news to the board. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 22, 2017.
Starting point is 00:02:38 WannaCry is today's news as well as yesterday's. An infestation of control systems on Monday forced Honda to shut down a production facility in Japan. Traffic cameras in the Australian state of Victoria were also infected. This infestation was traced to a third-party contractor's mistake. The industrial Internet of Things may be inherently more susceptible to disruption by this strain of ransomware
Starting point is 00:03:02 than are conventional IT enterprises. While many enterprises proofed their IT systems against WannaCry by closing a port and updating their software, things are not so simple in the industrial IoT. Many quite respectable, industry-standard industrial control systems are built on older versions of Windows, and patching them is not as simple as patching Windows out of the box. The operating systems are, say, Windows XP as modified by SCADA vendor so-and-so, and they also touch and interact with a wide variety of process control systems. A Kaspersky study reports that industrial control systems are being infected at disturbingly
Starting point is 00:03:41 high rates. Kaspersky also says that IoT devices manufactured in Taiwan and Vietnam are often accompanied by malware. The two countries' position as leading producers of low-cost IoT devices, particularly cameras and DVRs, makes their manufacturers attractive targets of compromise. CrashOverride and its threat to the power grid is receiving attention at the highest levels of the U.S. government. President Trump has been meeting with senior advisors, both official and unofficial, to develop a defensive response to the threat.
Starting point is 00:04:14 The Federal Energy Regulatory Commission is meeting today with representatives of the European Union, Canada and Mexico on risks to the electrical grid. The U.S. Department of Energy intends to release a study of grid hacking next week. Europe's power industry is also at work on grid defense. In the case of the EU, the most recent developments involve an agreement this week between the European Network for Cybersecurity, ENCS, and the European Network of Transmission System Operators for Electricity, ENTSO-E. The two bodies undertake to develop regulations, standards, practices, and protective measures against cyber attack.
Starting point is 00:04:52 ENCS will provide the cyber expertise. ENTSO-E will contribute the operational knowledge and experience. We are quickly approaching the mid-year point for 2017, and one of the issues most experts agreed would be a big one this year is ransomware. And be a big one, it has, thanks to high-profile attacks like WannaCry. Asaf Cidon is vice president of content security services at Barracuda Networks, and he shares his outlook on ransomware. In a sense, we are gaining a lot of ground. You know, it's becoming more and more standard in a variety of security solutions, you know, obviously email security, but also other email security solutions like web filters, firewalls that, you know, various technologies to block ransomware like sandboxing are really becoming a standard. And more and more customers and businesses and even consumers are aware of the problem and are taking steps to prevent it. But of course,
Starting point is 00:05:50 the attackers are also increasing the attack and the reach of the attack. So for example, WannaCry was really interesting. So the actual ransomware itself was not that exotic. It exploited vulnerability in the Windows SMB protocol, especially in older versions of the Windows operating system. But what was actually more interesting about it was the fact that it was a worm where once it did infect the network, it would go within the private network of the organization and try to find other computers that it can attack. So generally speaking, the attacks are becoming much more rampant. It's become a very provable and repeatable economic model for the attackers that it's also becoming worse in the sense. So I'd say the threat has gone up, but also the defenses have gone up lockstep with it.
Starting point is 00:06:43 And as the ransomware threat continues to evolve and change along the way, are we seeing the evolution of recommended defenses against it? Yeah. So early on, you know, I think the most common way to defend from ransomware was, you know, endpoint. So, you know, your classic antivirus was, you know, trying to employ more sophisticated antiviruses that actually look at the behavior of the files, not just the signatures of the files. And after that, you know, people started going after the actual attack vectors, or in other words, how did this malicious file even get to the endpoint in the first place? And so that's why email protection against ransomware became more and more popular. And finally, we've seen an extra layer, which is,
Starting point is 00:07:30 let's assume that one of these ransomwares could get through. Not every security system is completely perfect and people end up clicking on various files. And then that's why folks are really focused on the backup side of it to make sure that if you do get, you know, if your files do get hijacked, then you can easily restore. So I think we've just seen this evolution of a multilayer approach where there's technologies now inserted at different layers of the stack to really make sure that, you know, to mitigate the problem. So generally speaking, I'd say for companies that have really gone with this kind of multi-layer approach are pretty immune to ransomware at this point in time. Most of the hacks we see now around ransomware in the news are in cases where, you know, they didn't have all the layers or where they, you know, a certain part of the company or organization wasn't fully protected. So there are ways today to effectively deal with this problem.
Starting point is 00:08:27 That's Asaf Cidon from Barracuda Networks. The Queen's speech is out in the UK. This annual document outlining Her Majesty's government's policies is unusual this year for its commitment to data security. Specifically, it removes any doubt, or at least most doubts, that the United Kingdom's exit from the European Union will also entail an exit from the EU's General Data Protection Regulation and its attendant privacy safeguards. Whatever else Brexit means, it apparently won't mean saying farewell to GDPR.
Starting point is 00:09:01 U.S. congressional hearings on Russian election meddling conclude that many states were prospected, 21 to be exact, but also that vote counts were not manipulated. The meddler, as represented in testimony, is by consensus Russia, and its activity, while not unprecedented in motivation or intent, was unprecedented in its use of the Internet. Senator Rubio pointed out in the course of the hearings that voter fraud was unnecessary, at least from the Russian point of view. If the Russian objective was to undermine trust in the American electoral system, mission accomplished. In addition to undermining confidence in election processes, Russian services seemed interested
Starting point is 00:09:42 in gathering personally identifying information that they made some use of in spear phishing attempts. That use of compromised data suggests the potential seriousness of Republican National Committee contractor Deep Root Analytics' inadvertent exposure of voter information on an unsecured Amazon S3 account. Kaspersky Labs has brought an antitrust complaint against Microsoft before the European Commission. The basis of the complaint is Kaspersky's allegation that Microsoft is using its dominant market position to unfair advantage by disabling in Windows 10 security software other than Windows Defender. This week, Microsoft said that, well, yes, Windows 10 does block some security products, but that's due entirely to compatibility issues, not to any attempt to favor Windows Defender.
Starting point is 00:10:31 Most of the industry press views this as a left-handed confirmation of one of Kaspersky's allegations. Business email scams continue to bite. A New York state judge lost more than a million dollars when an email spoofing her attorney instructed her to transfer just over a million dollars to a certain bank account. She did so, and the controllers of that bank account promptly shifted the money to a different account in a Chinese bank, where of course it's gone, baby gone. It would be easy to regard this as astonishing carelessness, but not so fast. The scam was carefully crafted and its victim not notably clueless.
Starting point is 00:11:10 The criminals knew she was negotiating the purchase of an apartment and baited the hook accordingly. So all who've never fallen for a con feel free to cast the first stone. But we won't. Finally, a survey Lastline conducted at the 2017 InfoSecurity Europe conference found that half of all information security professionals would prefer a root canal to reporting a data breach to their board of directors. Lastline looked for a silver lining. Quote,
Starting point is 00:11:39 show that cybersecurity has risen up the board's agenda. End quote. To this, we say to security professionals, come on, it's not that bad. We saw CISO communication with the board modeled Tuesday at Cynet's Innovation Summit, and it didn't look bad at all. Of course, a little Novocaine couldn't hurt, or laughing gas. Laughing gas?
Starting point is 00:14:59 Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. Hey, thanks, Dave. You and I were chatting about RF radio spectrum and this notion that, you know, in the old days, you sort of have this image in your mind of ham radio operators sitting in their basement with a big stack of equipment and a big antenna farm and headsets and a microphone in front of them. But RF monitoring is a lot more accessible than it used to be. That's right.
Starting point is 00:15:28 In fact, Hackaday on June 5th had an article talking about using a device called HackRF One to listen in on old cordless phone conversations. So these cordless phones operate in various spectrums, 900 megahertz all the way up to I think 5.8 gigahertz. I remember the first generation, you could actually tune them in. If you had an AM radio that could go to the high end of the AM radio scale, you could listen on your neighbor's conversations, or so I'm told. Or so you're told. Yeah. Well, here's the interesting part. A HackRF One, we actually have one of these devices at the Institute. We use it for analyzing the traffic that goes on between different devices we're trying to investigate or trying to break.
Starting point is 00:16:16 That device is now less than $300, and it has a very broad spectrum. I think it goes up to 6 gigahertz. You're remarkably effective. You connect it to a Linux box, which is free. You download some free software that can interpret the signals and bam, you're listening in on whatever is on the airwaves. Even cheaper than that, you can get on Amazon and order a USB software defined radio. These are called software defined radios for about 20 bucks that will listen to the broadcast spectrum for TV and radio. And that's a device that's $20.
Starting point is 00:16:49 And there's a lot of stuff that happens in there. For example, all the commercial airliners have these navigation transponders on them. And you can download software that dumps those signals. So you can see planes that are flying over your house, know which airliner it is, where it's going, and where it's coming from. So I guess part of the notion in terms of the security aspect of this is that there's no longer really a barrier to anyone who wants to listen into RF spectrum to do so. Exactly. Exactly.
Starting point is 00:17:18 There's no barrier to that in the United States. I don't even think there's a legislative barrier to it because the concept is that the airwaves are owned by the public. So you can't assume that just because you're broadcasting over a spectrum that doesn't come out of some off-the-shelf device, well now it does come out of an off-the-shelf device because you can buy a relatively inexpensive off-the-shelf device that can listen to any part of the spectrum. Right. So if you're transmitting, assume that someone out there may be listening or certainly has the capability of doing so. Correct. All right. Joe Carrigan, thanks for joining us. My pleasure, Dave.
Starting point is 00:18:05 And that's The Cyber Wire.
Starting point is 00:18:51 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you.
