The Week that Was.
April 1, 2018.
By The CyberWire Staff
Ransomware in Atlanta and Baltimore.
Atlanta's ransomware attack is proving difficult to remediate (ZDNet). While some of the previously disconnected city systems came back online early this week, recovery still remains incomplete. The criminals' deadline expired this Wednesday, but the attackers had already taken down the portal they'd established for payment (NPR). The ransom amount, $51,000 in Bitcoin, seems small in comparison with the disruption the attack caused (Business Insider). The city is said to have received multiple warnings that its systems were vulnerable (too vulnerable for confidence about resilience—all systems are vulnerable to some extent), but did not address them (Atlanta Journal Constitution).
Last Sunday the city of Baltimore suffered an outage in its automated 911 call management system. The city reverted to manual dispatching systems before recovering its systems after a few hours. Baltimore's CIO called the incident a "self-inflicted wound." The ransomware entered the city's computer-aided dispatch system for 911 and 311 (non-emergency services) after IT teams troubleshooting a communications problem changed a server firewall and inadvertently left a port open for about a day. The city believes hackers scanning for open ports found and used it as a target of opportunity (Baltimore Sun).
The attacks, particularly the incident in Atlanta, are seen as likely to be repeated in other cities (Mercury News). SamSam ransomware is expected to appear in other attacks (WIRED).
WannaCry is still out and about.
(Naked Security). Boeing has stressed that the attack had a negligible impact on its operations and that it was swiftly contained and neutralized (Fifth Domain). Boeing's account of their incident response will be interesting once it's available. WannaCry is particularly worrisome for industrial control systems that use Windows Embedded, which shares Windows 7 vulnerabilities and is difficult to patch (Naked Security). Less capable and more poorly resourced organizations should take note, however: WannaCry remains active, and enterprises should defend against it (Fox News).
Under Armour fitness app compromised.
Sports apparel manufacturer Under Armour disclosed Thursday that data associated with 150 million users of the company's fitness app MyFitnessPal had been exposed. The information at risk is said to include usernames, email addresses, and hashed passwords. The company began investigating on March 25th, when it discovered that an unauthorized party had accessed the data in February (Verge). Under Armour's public disclosure four days after realizing that there had been a problem seems commendably fast, especially given the company's notification of affected users before making a general announcement yesterday. Investigation and remediation are in progress.
Tensions over Salisbury nerve agent attack.
Russia has begun retaliating for diplomatic expulsions in response to the Salisbury nerve agent attack. On Thursday Foreign Minister Lavrov summoned US Ambassador Huntsman to tell him Russia will match the US expulsion of sixty Russian diplomats by sending an equal number of Americans home. The Russian government will also match the US closure of the Seattle consulate by shuttering the American consulate in St. Petersburg (New York Times). The Russian government had earlier expelled British diplomats and ordered the British Council to cease its activities in Russia (BBC).
Foreign Minister Lavrov also requested that Ambassador Huntsman explain remarks to the effect that the US might seize or freeze certain Russian financial assets in the US (Sputnik). British Prime Minister May is considering suspending trading of Russian bonds on London exchanges—such bonds are an important source of financing for Russian sovereign debt (Washington Post). Clearly potential financial sanctions are a greater worry to Moscow than are diplomatic maneuvers (WTVA).
Russia has denied any involvement in the Salisbury nerve agent attack, calling the evidence the UK has "a hoax." Russian sources have also suggested the incident is either a British or an American provocation, aided and abetted by the Czech government, which Moscow hints could have provided stocks of Novichok nerve agent to the provocateurs (Medium).
Essentially no one believes this, but Sputnik reports that Foreign Minister Lavrov also said Russia intended to convene an emergency meeting of the Organisation for the Prohibition of Chemical Weapons in what Russia calls "a bid to start a dialogue and establish the truth" (Sputnik). The Organisation for the Prohibition of Chemical Weapons (OPCW) is an intergovernmental group composed of the 192 signatories to the Chemical Weapons Convention. It's headquartered in The Hague, and works to enforce chemical weapons control and non-proliferation measures.
The retaliation that most concerns Western countries, particularly the UK and the US, is the prospect of Russia executing a cyberattack against electrical power grids that's been long under preparation.
Yulia Skripal is out of critical condition, upgraded to stable and able to talk, which is a happy surprise to the many who'd thought her unlikely to recover at all. Her father's condition remains unchanged, and he had yet to regain consciousness (Times). The Russian consulate in London has demanded to see Ms Skripal; it's part of their duty of care toward Russian citizens. But in this case the demand may be turned down.
Multilateral coordination among countries concerned about a threat from Russia appears to be growing (New Atlanticist). US policy toward Russia is rapidly hardening (New Atlanticist). Politico reports that officials in both Congress and the Administration really don't want to take any meetings right now with the Russian ambassador.
You should check out this week’s episode of Research Saturday. Ryan Kalember, Senior Vice President of Cyber Security Strategy at Proofpoint, shares their research on how “Leaked source code for Ammyy Admin turned into FlawedAmmyy RAT." Have a listen to learn about this malware.
Ecuador takes away Julian Assange's Internet.
On Wednesday Ecuador's London embassy yanked the WikiLeaks founder's Internet. The Government of Ecuador holds that his pro-Russian tweeting over the Salisbury nerve agent attacks violated the written undertaking Julian Assange gave, when he was granted asylum, not to use the Internet to damage Ecuador's international relations. They're also not thrilled, apparently, by his social media engagements around Catalan independence or the condition of his room (Guardian).
Assange's WikiLeaks, characterized by US officials in the past as "a non-state hostile intelligence service" (Los Angeles Times) shows other signs of wearing out its welcome as it grows increasingly indistinguishable from a Russian stooge (Times). If and when Mr. Assange loses Ms Pamela Anderson (granted, a big "if," see the Daily Mail or the Twitter feed of Ms Anderson's foundation, which is equally against both fur and Ecuador's treatment of Mr. Assange), it will be like President Johnson losing Walter Cronkite and thus America: the casual goodthinkers and slacktivist pilotfish will move on to something more interesting.
Moscow's line has from the outset been that this is all provocation and war-mongering (Medium).
The applied psychology of information operations.
Cambridge Analytica's claims of extraordinary capability to sway opinion with targeted precision are probably overblown (Quartz).
Overblown or not, enforcement officers from the UK's Information Commissioner's Office raided Cambridge Analytica's London headquarters last weekend (TechCrunch). Cambridge Analytica acting CEO Alexander Tayler, standing in for the suspended Alexander Nix, said the company believed the data they obtained had been gotten in accordance with both Facebook's terms of service and applicable data protection laws, and that Cambridge Analytica is not the villain the public has been led to believe it is (First Post).
Ars Technica reported that Facebook has indiscriminately collected and retained data from Android devices, including call logs, with numbers of contacts, and the date, time, and duration of calls. Facebook's explanation is that "call and text history logging is part of an opt-in feature" for users of Messenger or Facebook Lite on Android. The company began to ask for explicit permission to access SMS and call data in 2016 after complaints that their previous way of obtaining opt-in was an "OK" button that approved "keeping all of your SMS messages in one place."
Last Sunday Facebook took out a full-page print ad in the Washington Post, the New York Times, the Wall Street Journal and six British papers. The ad apologizes for not better protecting users' data. Writing in the first-person singular, CEO Zuckerberg writes, "You may have heard about a quiz app built by a university researcher that leaked Facebook data of millions of people in 2014. This was a breach of trust, and I’m sorry we didn’t do more at the time. We’re now taking steps to make sure this doesn’t happen again." So the company continues to frame the scandal as a relatively restricted app issue. Zuckerberg says, "Finally, we’ll remind you of which apps you’ve given access to your information — so you can shut off the ones you don’t want anymore," and he closes with a "Thank you for believing in this community. I promise to do better for you." He also this week declined to appear before a Parliamentary inquiry in the UK that's investigating fake news (TechCrunch).
Facebook also scrambled this week to upgrade its privacy protections (Naked Security). One of the most widely remarked changes in the social media platform is its consolidation onto a single page of the permissions users give for access to and use of their data. It had formerly been spread over some twenty different pages, making about as solid a contribution to informed consent as the industry's customary turgid and lengthy EULAs.
Public sentiment isn't good, as people remember earlier remarks associated with the company that derided users for their gullibility with respect to privacy (Monday Note). Facebook may also be losing friends in Silicon Valley (Quartz). Apple, for one, has taken trouble to point out that, unlike some other companies, it's never treated its customers as if they were products (Ars Technica). All troubles aside, however, Mr. Zuckerberg is thought unlikely to face the music the way Marissa Mayer did at Yahoo!, or Trevor Kalanick did at Uber. He's expected to keep his position (Engadget).
Crime and punishment.
A report from a Justice Department Inspector General finds that the FBI mishandled communication over its requests that the San Bernardino shooter's county-issued iPhone be unlocked. Had there not been a Cool-Hand-Lukish failure to communicate, this particular skirmish in CryptoWar III might have been avoided entirely (Federal Times).
There are other engagements in CryptoWar III coming, however. The US Department of Justice (especially its FBI) is meeting with researchers who claim to have a third way that will satisfy both sides of the controversy (Naked Security). Such a mutually acceptable compromise seems very unlikely to us, but we'll keep you posted.
Terry Albury, an FBI Special Agent assigned to the Minneapolis Field Office, has been charged with unauthorized transmission of classified national defense information to a journalist, apparently to the Intercept. FOIA requests suggested to investigators the Intercept already had the classified material they requested and eventually published (MPR News).
The FBI will receive more uncomfortable attention from the Justice Department's Inspector General. The IG has opened an inquiry into “compliance with legal requirements” in applications the Bureau filed with the U.S. Foreign Intelligence Surveillance Court relating to an unnamed US person (Federal Times).
Courts and torts.
Cambridge Analytica and Facebook are in hot Chicago water. Cook County, Illinois, charged them a week ago Friday with violations of Illinois anti-fraud laws for compromising users' privacy (Ars Technica).
An appeal by an ex-Goldman Sachs software engineer convicted of stealing code from his former employer turns on the meaning of "tangible." The appeal takes a curiously dualistic view of information: "bits and bytes" aren't "tangible" in the sense of the applicable statute because information isn't actually physical. A panel of judges in the New York Court of Appeals will therefore be ruling on the metaphysics of code theft. The law under which the coder, Sergey Aleynikov, was convicted antedates by some years the technologies involved in the case (New York Law Journal). He apparently doesn't dispute that he saved the code to Germany, which, while no doubt in its own way a highly spiritual place, as our German desk assures us, is also a physical location, between France and Poland.
Patching and disclosure.
Microsoft is looking into a researcher's report that its Meltdown patches may have inadvertently exposed systems to exploitation. Attackers are said to be able easily to read from, and write to, memory (SecurityWeek). Redmond did release an out-of-band patch Thursday for Windows 7 and Windows Server 2008 (Bleeping Computer).
Apple also patched late this week, fixing security issues in iOS, watchOS, tvOS, and Xcode. Most of the vulnerabilities involved privilege escalation (Bleeping Computer).
VMware has acquired E8 Security, a leading entity and user behavioral analytics shop. Their intention is to integrate E8's technology into VMware's Workspace ONE platform (ZDNet). AppRiver has picked up email security shop Roaring Penguin; terms weren't immediately available (ChannelE2E). Cellebrite has sold a "non-core" business unit to ESW Capital. The Mobiligy unit focuses on commercial mobile forensics (CTECH). OPAQ Networks has acquired FourV Systems, and intends to integrate FourV's GreySpark intelligence platform into their cloud security systems (BusinessWire).
Palo Alto Networks closed its acquisition of Evident.io (PRNewswire). In the Low Countries, Belgium's Proximus continues to push into the European managed security market with its acquisition of Dutch provider ION-IP (Light Reading). Thales is making a run at Gemalto, and Gemalto is happy to be acquired (BusinessWire).
The pace of M&A activity suggests ongoing consolidation within the cybersecurity sector, which some see as a good thing (Help Net Security). But Palo Alto's CEO warns that consolidation can exact a price for industry as a whole by reducing innovation (Axios).
Kenna Security, the predictive cyber risk shop, closed a $25 million Series C round this week (PRNewswire).
Start-up Aella Data emerged from stealth this week. The company offers an "AI-driven, pervasive breach detection system" (BusinessWire). Verint is considering a spin-off and IPO for its security intelligence unit. The company had been seeking suitors to buy the division, but didn't find a suitable purchaser (CTECH).
Raytheon is pushing for more government services work, unlike some other peers among the big integrators who've spun out or sold off service units. But this probably doesn't mean acquisitions: as the Washington Business Journal puts it, this is Raytheon's "bet on itself."
Venafi has looked back at its last business year and it likes what it sees: subscription revenue grew by more than 40% (Venafi).
The recent debut of lawful intercept shop Grey Heron induces some speculation that they're connected with the old Hacking Team, and may even represent a rebranding (BoingBoing).
The US Federal Communications Commission is the latest to take action against Chinese hardware manufacturers, specifically Huawei. While some see national security as a fig leaf for protectionism (TechDirt), the FCC has said it will withhold Government funds from wireless carriers who use Huawei equipment (Entrepreneur).
What's going to be trendy at RSA in two weeks? In order, from most trendy to least trendy (but least trendy at RSA is still pretty trendy by any reasonable standard), that would be IoT, ransomware, GDPR, IoT devices, devops, blockchain, Equifax, WannaCry, threat hunting, Bitcoin, deep learning, and devsecops. So says a study by Wade Baker, RSAC Advisory Board Member, Partner at Cyentia Institute and Professor at Virginia Tech, who subjected RSA paper submissions over the past decade to natural language processing and Cyentia's classification system (Help Net Security).
Today's issue includes events affecting China, Czech Republic, Russia, United Kingdom, United States.
ON THE PODCAST
Research Saturday is up. This week's podcast features a discussion with Proofpoint's Senior Vice President of Cyber Security Research Ryan Kalember, who describes how they've been tracking FlawedAMMYY, a newly discovered remote access trojan, and what they've found in the course of the hunt.