The future of an open, secure, and resilient internet is anything but certain. CFR’s Digital and Cyberspace Policy program cuts through the rhetoric to help you understand the politics of cyberspace. Through their “Net Politics” blog, reports, briefings, and interactive tools, the program’s leading cyber experts analyze the emerging global rules of cyberspace. Subscribe to their bimonthly newsletter to get their insights in your inbox.
The Week that Was.
July 16, 2017.
By The CyberWire Staff
G20 meetings and their non-implications for Russo-US cyber cooperation.
That joint US-Russian cybersecurity unit briefly mooted last Sunday had a life of just twelve hours and change on Twitter, but it excited plenty of comment and opposition. Democratic members of Congress promised to pass legislation precluding this sort of cooperation between the two countries in cyberspace (Washington Times), but that was an act of supererogation. The proposal, as much musing aloud (or musing atwitter) about the possibility as it was anything approaching the basis for an agreement, was dead-on-arrival (Politico). And DOA on a bipartisan basis, too (Radio Free Europe/Radio Liberty).
Traditional and next generation antivirus (AV and NGAV) leave you blind to sophisticated and state-sponsored malware, while endpoint detection and response (EDR) burdens your security team with too many alerts and manual processes. enSilo provides a single lightweight security agent that unifies NGAV and automated EDR capabilities to detect and block malware pre and post infection. See how enSilo’s comprehensive endpoint security solution was able to stop WannaCry and NotPetya out-of-the-box at Black Hat USA.
National aims and hybrid warfare.
NotPetya is now by general consensus ascribed to a Russian operation directed principally against Ukraine, but producing as a side-benefit plenty of disruptive chaos in much of the rest of the world. The near-term goal is erosion of trust in other nations' institutions and practices (Techgoondu). The long-term goal is respect, and a place for Russia in the sun (Foreign Affairs).
Former Secretary of State Madeleine Albright offered some perspective on information hierarchies at a recent Atlantic Council event. She noted the disruptive effect that readily accessible information technologies had on the Soviet Union during the Cold War's endgame (Medium). (Such technologies, notably cassette tape recordings, seem four decades on risibly primitive, but they had considerable effect, not only on the decline and disintegration of the Soviet Union, but on such other period phenomena as the Islamic revolution that deposed Iran's Shah.) We haven't yet learned, she and others think, how to compensate for the ability of state-run information technology to introduce disinformation into online sources that tend to look like the sort of non-hierarchical, friends-and-family informal sources of information people tend to go with. In some ways the highly centralized news media of repressive regimes made it easier: during the Cold War you could take it to the bank that Pravda was pushing lies. Now? It can be hard to tell where some particular meme originated, and many will lack the skepticism or energy to run such memes to ground truth.
Russia's Foreign Ministry claimed late Friday that its email servers were hacked with "grave consequences." The attacks, the Ministry said, took place last month and originated in Hungary and Iran (Moscow Times). There are also reports of doxing attempts, some successful, against online accounts of US experts on Russia (Foreign Policy). No firm attribution so far in either case.
Infosec pros worth their salt know the key to security is risk management
You can’t make sound security decisions if you don’t know what your risks are, where they are, and what’s involved in addressing them. GRC 20/20’s white paper explains how Xacta 360 delivers the situational awareness you need while automating labor-intensive tasks associated with managing IT risk and compliance.
NATO offers Ukraine cyber assistance; US eyes threat to its power grid.
NATO announced, in a joint press conference held by Secretary General Stoltenberg and Ukraine's President Poroshenko in Kiev, that NATO would be assisting Ukraine by giving it tools necessary to investigate Russian cyberattacks (Fifth Domain | Cyber). (This represents international cooperation and not an invocation of NATO's Article 5 commitment to collective defense. In 1997 the Charter on a Distinctive Partnership established the NATO-Ukraine Commission, and Ukraine has talked about applying for NATO membership, but Ukraine is not now a NATO member, and Article 5 doesn't apply.) Such cooperation presumably falls somewhere in the range of responses Western intelligence insiders are coming to believe will be needed to deter Russian cyberattacks from continuing to work "mayhem" (Independent).
US Energy Secretary Perry said this week that the threat to power plants (nuclear and otherwise) is real, and that Government and industry are working to address it. Recent probes have been ascribed to Russian threat actors (there are some perceived similarities to BlackEnergy campaigns), and the Departments of Homeland Security and Energy are working with infrastructure owners on cooperative defense (Washington Post). Congress has asked that it be kept informed (Roll Call), and has made its own distinctive contributions to the alarum (Watertown Daily Times).
If you’re in search of top notch cybersecurity powers, a great starting point is DNS Forensics. This new approach leverages both human and machine intelligence to unearth malicious infrastructure. This white paper will illustrate the effectiveness of domain name intelligence in your investigations as well as demonstrate examples of a DNS-centric strategy so you can apply this to your own security approach.
NotPetya: costly misdirection.
Booz Allen has published research that suggests NotPetya may have been in large part misdirection. Researchers think they've discovered evidence that Telebots (a.k.a. Sandworm, that is, most believe, Russia's GRU) used the destructive campaign to conceal traces of long-running, widespread cyber espionage against a large number of targets. The evidence is, of course, circumstantial, but suggestive (Booz Allen Hamilton Cyber4Sight).
Outside of the widespread disruption within Ukraine, NotPetya seemed to hit the shipping and manufacturing sectors hardest. Shippers, prominently including Maersk and FedEx's TNT unit, have largely restored operations, but they continue to assess damage (LoadStar). Manufacturers have been quicker to estimate and disclose the financial consequences of the attack. At week's end Paris-based Saint-Gobain, a multinational producer of construction material, said that it probably lost $230 million in sales due to the attack, or about one percent of first-half revenue (The Street).
Those sectors are not alone, however, in being on the qui vive: the National Health ISAC warned its members about the risk posed by both WannaCry and NotPetya (NH-ISAC Threat Intelligence Committee). Some national initiatives that should affect defense against such broad attacks are coming online as well. In either late July or early August, India expects its National Cyber Coordination Centre (NCCC) to begin operations (Economic Times). The Indian government expects the Centre's traffic monitoring capabilities to prove useful in detecting and responding to large scale attacks.
Seeking a new cyber security career in San Antonio?
If you're a cyber security pro looking for your next career, check out the free CyberTexas Job Fair, August 1, in San Antonio. It’s hosted by ClearedJobs.Net, and open to both cleared and non-cleared professionals and college-level students. You’ll connect face-to-face with industry leaders Accenture, Booz Allen, Delta Risk, IPSecure, ISHPI, AT&T, Lockheed Martin, NSA and more.
Cyber autarky, the crypto wars, and restrictions on the Internet.
China has announced plans to block VPNs no later than February 2018. VPNs have been some of the principal cracks in the Great Firewall, and Beijing is determined to patch those holes next year at the latest. Their control is unlikely to achieve the perfection they seek, but those controls will prove onerous (PC Magazine).
Australia proceeds, in the face of skepticism that such measures could actually work, with plans to restrict strong, end-to-end encryption (ITNews). And, while HM Government has also mooted controls on encryption within the United Kingdom, a former GCHQ director has come out strongly on the pro-crypto side. Robert Hannigan called encryption "overwhelmingly a good thing," and a good thing that in any case can't be legislated away (Register). Hannigan is neither blind nor indifferent to the uses terrorists have found for encryption, but he thinks such proposed measures as mandated backdoors likely to be both ineffective and damaging to Internet users as a whole (BT).
What's up with Kaspersky Lab?
Reporting by Bloomberg detailed indications of ties between Kaspersky Lab and Russian intelligence services. The lede says, "Emails show the security-software maker developed products for the FSB and accompanied agents on raids." The story was carefully hedged and pointed out that "Most major cybersecurity companies maintain close ties to home governments." The sort of cooperation detailed by emails Bloomberg obtained indicated that Kaspersky did work on security software for the FSB and provided distributed denial-of-service protection tools (some of which included geolocation of DDoS actors and sensitive "active countermeasures" that can be used against such actors). There are also allusions in the emails to being responsive to requests "from the Lubyanka side."
The story was hedged and measured, but it nonetheless cast Kaspersky in a damaging light, and Kaspersky wasn't slow to respond. It called the reporting biased and politically motivated, a willful misrepresentation of innocent "business chatter." The company says it works with many law enforcement agencies worldwide (undeniably true) and that it isn't doing anything for Russian security services that it hasn't done for others, citing, for example, its work with the Netherlands in the CoinVault incident. Its statement specifically denies both geolocating hackers and "hacking back." It also denies claims that it said the emails were authentic (Kaspersky).
The company is right to be concerned about the possibility of reputational damage: in 2016 $374 million of Kaspersky's $633 million in sales came from Western Europe and the United States (Bloomberg). The US customers have included Federal agencies and some of their contractors. The FBI in June began an inquiry into the possibility of security issues involving Kaspersky (Register), and the Senate Intelligence Committee opened hearings early in May about the Intelligence Community's use of Kaspersky products (SC Magazine). There are measures before both the House and Senate Armed Services Committees to bar the purchase of Kaspersky products and services by the Defense Department (NPR).
Early this week the General Services Administration got ahead of Congressional action by removing Kaspersky ("after review and careful consideration") from two of the GSA's procurement vehicles that are open to any agency's use: Schedules 70 (Information Technology) and 67 (Photographic Equipment and Related Supplies and Services). It's not, as some have reported, an outright ban, but rather the removal of the company's offerings from two contracting mechanisms. Agencies remain free to hire Kaspersky under other vehicles, but the action does remove an easy avenue for the company to sell into the Federal Government. The GSA did eventually elaborate in the anodyne language typical of the US Federal acquisition community: “GSA’s priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes.” (HackRead). So there you have it. Some see incipient protectionism, others see a Trumpian shot across Putin's bow, but still others see a cautious decision by Civil Service middle management. (If you bet on form, put your money on number three. If you're the type to see wheels within wheels, then bet the trifecta.)
Vault7's weekly leaks.
WikiLeaks continues to flog alleged CIA tools from its Vault7. This week's release involves another manual, this one for an Android intercept tool, "HighRise" or "TideCheck," effective against Android versions from 4.0 through 4.3 (Ice Cream Sandwich and Jelly Bean). The leaked document bears a December 2013 date, so it's possible that, if the tools it describes are real, they've been updated to keep pace with newer Android versions. HighRise purportedly intercepts SMS text messages and forwards them to a collecting server. Because installing the tool requires physical access to and interaction with the target device, it seems likely that HighRise was at least as much (probably more) a communications tool for field agents as an interception implant (Bleeping Computer).
When lawful intercept gets lawless.
Instability and allegedly widespread corruption render accounts of lawful intercept tools used against journalists and activists in Mexico troubling (Cipher Brief). An investigation by the University of Toronto's Citizen Lab concluded that NSO-developed tools sold to the government of Mexico were used against people investigating the disappearance of a large number of students (Foreign Policy). Forty-three students disappeared after clashes with police in 2014 in what has come to be known as the Iguala Mass Disappearance (New York Times).
Another data breach traced to misconfiguration of Amazon Web Services S3 buckets.
This is not, observers hasten to note, Amazon's fault: the fault lies not in the cloud, but in how the users configure their part of it. In this case Verizon sustained a major data breach: some 14 million subscriber records are reported to have been affected. The big US telecom provider acknowledged the breach, but they did say they thought reports of its seriousness overblown (Naked Security).
As has been the case with many other big breaches, this one appears to have been induced by a third party. The data were exposed on an unprotected Amazon S3 server controlled by Nice Systems, a Verizon vendor. People who called customer services over the past six months are affected. The data on display included some credentials, and so security experts are advising Verizon customers to at the very least change their PINs.
And, of course, enterprises need to consider their exposure to third-party risks, since in this case the cause of the data exposure lay with Verizon's vendor, Nice Systems. Experts also urge everyone to pay more attention to how their AWS S3 buckets are configured (Threatpost). This represents the third significant data breach this year traceable to AWS S3 misconfigurations by vendors. The earlier incidents were the exposure of Republican National Committee information by Deep Root Analytics and the exposure of sensitive but unclassified information from the National Geospatial Agency by Booz Allen contractors. All inadvertent misconfigurations, all affecting organizations that weren't noticeably slipshod, and all, apparently, too easy to commit.
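The kind of bucket setting behind these exposures is easy to audit once you have the bucket policy and ACL documents in hand. The following is an added example, not code from Verizon, Nice Systems, or AWS: it evaluates constructed policy and ACL documents (in the shape the AWS API returns from get_bucket_policy and get_bucket_acl, which is the assumption here) and flags any grant that opens the bucket to the world, with a weak configuration shown beside a hardened one.

```python
# Added example for this item, not Verizon's, Nice Systems' or AWS's own code.
# Inspects constructed S3 bucket policy and ACL documents and reports any
# grant that makes the bucket readable by anyone (or by any AWS account).

# ACL groups that mean "everyone" or "every AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(stmt):
    """Normalise Principal ("*", {"AWS": "*"}, {"AWS": [...]}) to a set of strings."""
    p = stmt.get("Principal", {})
    if not isinstance(p, dict):
        return {p}
    out = set()
    for v in p.values():
        out.update(v if isinstance(v, list) else [v])
    return out


def public_policy_statements(policy):
    """Allow statements open to any principal and not narrowed by a Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt):
            findings.append("policy statement %s allows %s to everyone"
                            % (stmt.get("Sid", "<no Sid>"), stmt.get("Action")))
    return findings


def public_acl_grants(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return ["ACL grants %s to %s" % (g["Permission"], g["Grantee"]["URI"].rsplit("/", 1)[-1])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def audit_bucket(policy, acl):
    """Combine both checks; an empty list means no world-readable grant was found."""
    return public_policy_statements(policy) + public_acl_grants(acl)


# Constructed "before" documents: the sort of setting that exposes a bucket.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-records/*"}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

# Constructed "after": one named role, and only over TLS. Account id and owner id are placeholders.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/call-center-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-records/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                            "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, audit_bucket(pol, acl) or ["no public grants"])
```

A Deny statement with Principal "*" is deliberately ignored, since it restricts rather than grants access; a Condition is treated as narrowing the grant, so a statement like the weak one but conditioned on a source VPC would pass this check and deserves a closer manual look.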
And a healthcare breach is traced to a rogue employee.
London-based Bupa, the healthcare firm that disclosed a data breach Wednesday, says it wasn't hacked—a rogue insider, now fired, exposed the information (Infosecurity Magazine).
Companies are advised to keep an eye on departing employees, too. A study sponsored by OneLogin and released yesterday found that about half of all former employees retained access to corporate applications for some time after their departure. And the password management company notes that "Failure to deprovision employees has caused a data breach at 20 percent of the companies represented in the survey" (OneLogin).
A surge in one actual ransomware strain is reported.
The SANS Internet Storm Center has observed, over the last two weeks, a rise in spam traffic distributing NemucodAES ransomware. SANS has a good set of indicators of compromise, and they note that most good security measures will block the ransomware. But of course it's possible that it might slip through, in which case an affected enterprise might avail itself of the decryptor Emsisoft has released for this strain of ransomware.
Phishbait: one weird trick to get them to click.
Actually, it's not a weird trick, unless staying professional is weird. Instead of talking about bags under the eyes or what the producers of Game of Thrones don't want you to know, or why the crowd was cheering, try to sound like you're from HR, or IT, or Shipping and Receiving.
KnowBe4 has taken a systematic look at successful subject lines in phishing emails. The good news is that people aren't swallowing traditional lurid click bait or pleas from royal or ministerial Nigerian widows as much as they once did. The bad news is that the phishbait is getting more plausible as it grows more prosaic. The leading lures in KnowBe4's study were "security alerts, vacation and sick time policy announcements, and package delivery notifications" (Credit Union Times).
The one relatively old-school outlier came in tied at number four, "BREAKING: UNITED AIRLINES PASSENGER DIES FROM BRAIN HEMORRHAGE - VIDEO," which suggests some lingering morbid interests on the part of the workforce, although the two baits that came in tied with it ("A DELIVERY ATTEMPT WAS MADE" and "ALL EMPLOYEES: UPDATE YOUR HEALTHCARE INFO") were consistent with the new, more businesslike phishing style (Fortune).
Inset skimmers get a bit more clever.
Users of ATMs and similar card reading devices (like gas pumps) have long been warned that inset skimmers, thin hardware devices slipped into the card reader, are used by criminals to steal paycard data. There's now evidence that the crooks are getting a bit more ingenious. KrebsOnSecurity reports that they're using IR devices (the technology is similar to that used in familiar TV remote controls) to harvest the data without needing to remove or directly touch the skimmers themselves.
AlphaBay's operators haven't absconded. They've been taken down.
We saw last week widespread unfounded fears on the part of the demi-mondains who shopped there that AlphaBay was getting ready to bug out and leave its criminal customers in the lurch. That didn't happen. But this week AlphaBay was taken down in an international police operation. Authorities in Canada, the US, and Thailand shuttered the successor to Silk Road (WIRED). In a sad end to what appears to have been a dead-end life, the alleged proprietor of the dark web contraband souk died in a Thai jail cell while awaiting extradition to the US, an apparent suicide (Bangkok Post). Alexander Cazes was only 26 years old.
Industry notes: incubators, venture rounds and acquisition news.
GCHQ announced the formation of a second security incubator (Infosecurity Magazine). The US Defense Department's Rapid Reaction Technology Office continues to look for ways to foster quicker cyber acquisition (SIGNAL).
The well-known cyber accelerator Mach37 is undergoing a leadership change: Rick Gordon, Dan Woolley and Bob Stratton are no longer with the CIT unit (Washington Business Journal).
Several venture investments have been announced. Darktrace has received an investment of $75 million, which pushes the company's value to $825 million (Fortune). RiskLens has picked up $5 million in Series A investment (Marketwired). Social media security shop ZeroFox announced $40 million in Series C funding (TechCrunch). Deep Instinct raised $32 million (Globes), much of it from Nvidia (Tom's Hardware). LastLine has received $28.5 million (BusinessWire). OwnBackup raised $7.5 million in Series B (TechCrunch). HyTrust announced both that it's received an investment of $36 million and that it's acquiring DataGravity (TechCrunch).
Cisco announced its acquisition of Observable Networks (TechCrunch). Symantec is buying Skycure as a mobile security play (Dark Reading).
Edgewise Networks emerged from stealth this week with a trusted application solution (BusinessWire).
Today's issue includes events affecting Australia, China, France, Hungary, India, Iran, Israel, NATO/OTAN, Russia, Ukraine, United Kingdom, United States.