What should a new CISO's priorities be at 30, 60, and 90 days?
A CISO’s first 90 days on the job are a window of opportunity to establish credibility, earn the support of other leaders, and make contributions with a positive impact. Coalfire has recommendations that will help newly-hired CISOs quickly add value and set the stage for a long-term success.
The Week that Was.
April 28, 2018.
By The CyberWire Staff
Orangeworm hits healthcare sector.
Researchers at Symantec report the emergence of a data theft campaign targeting the healthcare sector (Dark Reading). At least, the first take is that it's data theft, but whether the goal is intellectual property or personally identifying information remains unclear. It's also unclear who's behind it, but initial speculation holds criminals the likelier suspects as opposed to nation-state intelligence services (SecurityWeek). The targets appear to be x-ray and MRI devices (Bleeping Computer).
Become a Cyber Spartan and Defend the Gates of America. At Invictus International Consulting we are hiring DevOps, Cloud, Security Engineers, and Cyber Weapons Developers to serve our government and commercial clients. Join us.
Spoofing hotel master keys.
The proof-of-concept may be a bit obsessive (F-Secure researchers spent about a decade and a half on it) but the results are eye-opening. Door-opening, too. The researchers showed that they could use a Proxmark RFID card reading tool on an expired keycard you might find in any hotel's trash to make a master key that can open any room in a hotel. The hack works on Vingcard Vision Locks. The proof-of-concept narrows down the master key possibilities and then, in about twenty tries over a minute, gives the hackers a master. The researchers disclosed their findings to Vingcard's parent, Assa Abloy, a year ago, and the company has developed and issued a patch. But as is so often the case with such devices, it's likely that the patch hasn't been universally or even widely applied (WIRED).
And here's another thing for travelers to worry about: vulnerable ski lifts. White hats determined that controls on lifts used in Austria and made by Doppelmayr/Garaventa were susceptible to remote starting and stopping, and to manipulation of "safety distance parameters." The researchers disclosed the flaws to the manufacturer, which addressed them promptly (HackRead).
New research into industrial threats and vulnerabilities.
Dragos and OSIsoft jointly authored and released a new white paper this week that presents a modern-day challenge of defending industrial environments and discusses how the Dragos-OSIsoft technology integration helps asset owners respond effectively and efficiently. Download the white paper, "Solving a Brew Mystery: Digital Forensics With the Dragos Platform and OSIsoft PI System," free.
Why Atlanta was vulnerable to ransomware.
Briefly, observers put it down to a combination of new leadership and old, outmoded IT infrastructure. The SamSam ransomware extortionists asked for $51 thousand to release the affected files, which the City of Atlanta apparently decided not to pay. The cost of remediation and recovery has been high: about $2.7 million in emergency IT and security contracts, and it's still not over, either (StateScoop).
Do security ratings protect you from a data breach? You need LookingGlass 24x7 monitoring.
There’s a lot of talk about “continuous monitoring” in the marketplace. At LookingGlass, we are clear that it is NOT a database or look-up service. Our Third Party Risk Monitoring solution is the only managed service in the marketplace that offers 7x24x365 monitoring for real-time notifications of compromises and data breaches, all human-vetted to reduce false positives. Want to know more? Contact LookingGlass now for an exclusive offer.
UK's NCSC continues warnings.
Warnings against the possibility of attacks against critical infrastructure, especially power grids, continue. Last Sunday Ciaran Martin, head of GCHQ's National Cyber Security Centre, said that GCHQ is on "heightened alert" for Russian activity expected to follow the Salisbury nerve agent attack (National).
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Jihadist messaging, and extremist messaging generally.
ISIS is in decline; al Qaeda seems to be in the ascendant. Their messaging continues, now in competition (War on the Rocks).
Terrorists and other extremist groups have excelled at marketing, not hacking per se. Maybe the Internet in general and social media in particular are structurally disposed to foster the organic growth of extremism, quite apart from the direction of state-controlled trolls. A long essay in the New York Times concludes that by their nature social media tend to breed extremism—"attention, praise and a sense of importance and agency" are easy to come by online. And who wouldn't want those, especially if you're young, frustrated, and feeling disrespected? And worse yet, the algorithmically discerned rate of engagement is self-reinforcing, serving more like-minded messages until the recipients come to believe that what they're reading is good, normal, mainstream, common sense, even if that common sense has induced them to seriously consider ramming a car into a crowd of people the driver is convinced are enemies of history, a deity, a race, a gender, and so on.
A piece in WIRED follows René Girard in seeing the root of the trouble as "mimetic desire" and "mimetic exhibitionism." So the fault may be in us as much as in the platforms. Facebook has a new ad campaign in which the company expresses contrition and firmly resolves to sin no more. Besides, it was all really an accident. They just had a naive, panglossian view of human nature. Now they're sadder and wiser (WIRED). There are many calls for regulation, but how these might work is unclear. The public utility analogy has been considered, but there are problems there as well (WIRED).
The Internet as a whole does seem to produce disinhibition so thorough as to amount to a mania. See, for example, the treatment of (innocent) relatives of the recently arrested (alleged) Golden State Killer, himself tracked by police taking advantage of the immature market for DNA-based ancestry tracing. They followed him down that family tree, and now amateur detectives, vigilantes, and activists are busily engaged in hacking at that tree (Motherboard).
And the assumption that near-universal connectivity must be a good thing is increasingly being called into question. This is not an argument for disconnecting, but rather a reminder that acquaintance and familiarity can be as likely to breed enmity as understanding (Foreign Affairs).
Fake news and content moderation.
Much of the discussion of content moderation concentrates on manifestly objectionable stuff, like cannibalism. But Facebook's attempts to moderate what people post have run up against the problems of attempting to apply a set of rules that would admit of little judgment or appreciation of context (WIRED). Those problems aren't significantly different for an army of moderators than they are for a set of algorithms.
There are other issues of popular delusion. Did you know that drinking from plastic water bottles causes cancer? Neither does anyone else, but 43% of people surveyed by researchers at University College London and the University of Leeds believe this nonetheless (Times). This fraction is worth bearing in mind in discussions of fake news as tech companies come under increased pressure to do something about it (Wall Street Journal). Why should Twitter be any more effective than, say, Francis Bacon or the authors of the Port Royal Logic?
Outrageously cynical fake news.
Certain forms of disinformation seem to call for denunciation as an obvious response. A good example has been on display in connection with the Organisation for the Prohibition of Chemical Weapons (OPCW) and its inquiry into the chemical agent attacks by the Assad regime against civilians in the Syrian town of Douma. Russia has claimed to have evidence that the attack never happened, that the victims were phony, and that it's all just an atrocity story cooked up by the British, the Americans, and so forth. In support of this claim they presented footage of a 2016 short film that dramatized an earlier chemical attack in Syria. The 2016 film never represented itself as anything other than dramatization (Radio Free Europe | Radio Liberty).
Britain and France in particular are having none of it. The French reaction was particularly direct: that country's ambassador to the Netherlands (the OPCW is headquartered in the Hague) called the Russian disinformation an "obscene masquerade" (Radio Free Europe | Radio Liberty).
This isn't the first time Russia has produced bogus evidence in support of false propaganda claims. In November of last year Russia's Ministry of Defense released what it called "irrefutable proof" of American combat support of ISIS. The gun camera footage offered was in fact imagery from a popular smartphone game, "AC-130 Gunship Simulator: Special Ops Squadron" (BBC).
Obscene or not, Russian information operations aren't always so easily debunked or countered (CyberDB).
The misbehavior is Russian, and the G7 will be on it, says the UK (Deutsche Welle). Cold War veterans are offering comparisons and contrasts between current tensions and those that obtained between Churchill's "Iron Curtain" speech in 1946 and the Soviet Union's collapse in 1991 (War on the Rocks). Here's one comparison: the Kremlin has again begun to talk about the Americans in terms of Wild West cowboys waving Colt Peacemakers (Washington Examiner). This time around the showdown is cyberspace, instead of the OK Corral (or Checkpoint Charlie).
Different approaches to information operations.
China goes for mass marketing, and observers think this likelier to have more effect at home than abroad. The government is establishing "Voice of China" to centralize its global outreach (Foreign Policy). Attempts to influence foreign opinion have hitherto included the establishment of centers at foreign universities, but that approach may also be wearing thin, as Texas A&M a week ago closed two Confucius Institutes after they were criticized as posing a threat to national security (Heritage). The Lone Star State seems to be a tough audience. In January the University of Texas turned down funding from the China-United States Exchange Foundation, a Hong Kong organization thought to be a government propaganda operation (South China Morning Post). Such outreach programs are also to a significant extent inward-looking, with an intended audience of Chinese students studying abroad as well as the Chinese diaspora (Foreign Policy).
Hacking back in Georgia.
Tech firms are urging Georgia's Governor Nathan Deal to veto a bill that might criminalize many forms of vulnerability research while authorizing hacking back at attackers. It's the second half of the bill that Microsoft and Google (they sent a joint letter to the US state's governor) object to. The legislation, Senate Bill 315, would create a new crime: "unauthorized computer access." Microsoft and Google disliked the implications of an exemption for "cybersecurity active defense measures that are designed to prevent or detect unauthorized computer access" (Atlanta Journal-Constitution).
Grey market ransomware services? Or legitimate risk management tool?
Proven Data Recovery, a business that offers to help ransomware victims recover their files, is believed to operate by paying the ransom, and then charging its client a premium for the decryptor the extortionists deliver. This doesn't seem to be illegal, but some are questioning the business model (Graham Cluley). If you're going to pay the ransom, which you probably shouldn't, you might as well cut out the middle man.
Old SAP configuration issues persist.
Proper configuration of the SAP Message Server ACL should mitigate the risk: to succeed, an attacker would need access to the Message Server's internal port on a system whose ACL is still at its default configuration (SecurityWeek).
A rose by any other name would smell as sweet...
...and the National Protection and Programs Directorate would be just as much in charge of security if it were called the Cybersecurity and Infrastructure Security Agency (Federal News Radio). Right? Or maybe not. But the NPPD would still like permission to change its name. This inside baseball of agency equities will be worth watching.
Here's another one, maybe a Rule 5 player to be named later: the House Armed Services Subcommittee on Emerging Threats and Capabilities would like to shift the Defense Information Systems Agency's (DISA’s) information technology functions and Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DoDIN) to US Cyber Command (Fifth Domain). JFHQ-DoDIN is already task-organized to report to Cyber Command, which has drawn ironic headlines ("House lawmakers propose moving cyber defense from CYBERCOM to CYBERCOM") but the change isn't entirely nugatory. It would make, the House committee thinks, for cleaner command relationships.
The Senate Foreign Relations Committee recommended confirmation of Mike Pompeo, formerly Director of Central Intelligence, as US Secretary of State to the full Senate this week (Times). The US Senate also confirmed US Army Lieutenant General Paul Nakasone to succeed Admiral Michael Rogers as Director, National Security Agency, and Commander, US Cyber Command (Politico).
Mira Ricardel, formerly of Boeing and the Department of Defense, has been appointed US Deputy National Security Advisor (Defense News). Vice President Pence has appointed retired Army Lieutenant General Keith Kellogg as his principal National Security Advisor (Bloomberg). New National Security Advisor John Bolton continues to churn through the National Security Council staff (Fox News).
Crime and punishment.
Huawei is under a US Federal criminal investigation. The Department of Justice suspects the Chinese device manufacturer of having evaded sanctions against Iran (Wall Street Journal), which is what's landed ZTE in hot American water (Nikkei Asian Review).
Europol and its partners took down Webstresser.org this week (Europol). Webstresser was one of the world's largest, perhaps the largest, distributed denial-of-service for-hire operations (SecurityWeek). Apparently any skid with a grudge could rent the service for the low, low price of $14.99 (KrebsOnSecurity).
Police in Largo, Florida, went into a funeral home and attempted to unlock the iPhone of a man they'd shot during a traffic stop with the dead man's finger. This seems at best insensitive. It also didn't work (CSO).
Courts and torts.
Verizon, whose Oath content division contains most of what used to be Yahoo!, is seeking to close the door to further lawsuits over Yahoo!'s series of breaches. The new privacy policies and terms of service, intended in large measure to bring data collection and use into compliance with GDPR, include a waiver of participation in class action lawsuits and a mutual arbitration clause. These are common to any of the services belonging to Oath, but Yahoo! is a bigger target for litigation than its corporate sisters, and so its changes have attracted more attention (C|NET). The US Securities and Exchange Commission is fining Altaba (formerly doing business as Yahoo!) $35 million for failure to disclose its 2014 data breach (JDSupra).
Microsoft issued additional patches for Spectre this week (SecurityWeek), and a major Windows 10 update is expected Monday (TechCrunch). But Microsoft is, again, not fast enough for Google. Project Zero discloses a vulnerability Redmond hasn't yet got around to correcting (Naked Security).
This week Drupal fixed a remote code execution vulnerability, CVE-2018-7602, that affects Drupal versions 7.x and 8.x. The flaw is under active exploitation in the wild, which lends urgency to patching (Help Net Security).
Apple patched MacOS, iOS, and Safari (SecurityWeek). Among the vulnerabilities addressed is an APFS password leaking issue that hadn't been much discussed in security advisories (Naked Security).
Twitter has told Kaspersky Lab that the Moscow-based security company will no longer be welcome to buy Twitter ads. Twitter cites violations of its policies, and Kaspersky says it's baffled: what policies? One must have some sympathy with Kaspersky: when Twitter was asked to say what policies Kaspersky had violated, the social media company pointed to last fall's ban on Kaspersky products by the US Department of Homeland Security, which ban is indeed difficult to find in Twitter's terms and conditions (CyberScoop).
ZTE, which a week ago came under sanctions imposed by the US Department of Commerce, is calling the ban not only unfair, but a threat to the company's survival (Daily Star). Other countries are considering similar measures (BGR). A number of analysts think that ZTE won't be the last company to feel the pain of closer security scrutiny (CNN Money).
NTT has completed its acquisition of managed services provider Secure24 (Data Center News). Over in Wales, Shearwater has acquired another security company, Crystal IT Services, which it will rebrand as a new division: Xcina IS (Insider Media).
Red Balloon, whose Symbiote Defense is intended to secure embedded hardware, operating systems, and firmware stacks, attracted investment from In-Q-Tel (Washington Technology).
Palo Alto has closed its acquisition of SecDo (Benzinga).
Tech companies appear to be bypassing, if not (as headlines suggest) initial public offerings, then at least much of the traditional investment banking that's gone along with IPOs (WIRED).
Today's issue includes events affecting Austria, China, France, Russia, Syria, United Kingdom, United States.
ON THE PODCAST
Our weekly Research Saturday podcast is up. In this episode we talk with Mark Nunnikhoven, VP of Cloud Research at Trend Micro, who takes us through what they've learned about a backdoor that targets MacOS users. They think it's the work of OceanLotus, a Vietnamese threat group also known as APT32, hitherto known for targeted espionage against human rights groups, media organizations, research institutes, and maritime construction firms.
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.