August 13, 2019.
Black Hat and Def Con
We wrap up our coverage of last week's Las Vegas conferences today with a few observations, general and specific.
Building management system vulnerabilities.
During Def Con, McAfee researchers Douglas McKee and Mark Bereza detailed a critical vulnerability they discovered in building management systems made by Delta Controls. The flaw in Delta’s enteliBUS Manager (eBMGR) could allow for remote code execution leading to manipulation of physical processes.
The researchers used a fuzzing tool to find a buffer overflow vulnerability that crashed the system after they sent it exactly 97 malformed packets. Analyzing the core dump after the crash allowed them to track down the memory address where the crash occurred, which eventually led them to discover the specific function that could be overwritten to create a remote shell using Netcat.
McKee and Bereza then went to work observing all the normal functions of an eBMGR and used what they saw to write malware that performed the same functions. This approach could be used to take control of all the eBMGR’s functions remotely. While McAfee’s test case was carried out with physical access to the device, an attacker could perform all of this over the Internet starting with only the IP address of the targeted device.
The researchers emphasized that Delta Controls was commendably responsive to their disclosure, describing the company’s reaction as the “gold standard” of how an organization should conduct itself when presented with a vulnerability in one of its products. Delta actively worked with McAfee to develop a patch, which was released in June.
Although a fix is available, the researchers said that as of Saturday there were still around five hundred vulnerable machines connected to the Internet, and it's now up to the owners of the products to apply the patch.
CISA and election security.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) put in an appearance at Def Con's Voting Village to describe how NCATS, CISA's National Cybersecurity Assessments and Technical Services, is supporting election security. According to Infosecurity Magazine, NCATS offers its services free to eligible Federal, state, and local authorities. Those services include:
The Cyber Hygiene service. This is an external vulnerability scan of an organization's perimeter, conducted continuously and automatically.
The Phishing Campaign Assessment. This six-week engagement sends a series of six different phishing emails to the organizations it supports, representing such familiar scams as the Nigerian prince scam, highly targeted spearphishing, and so on. It's a relatively light-handed way of assessing organizational gullibility and, more importantly, raising awareness about the risks of email social engineering.
The Risk and Vulnerability Assessment, a two-week remote penetration test.
The Critical Product Evaluation, which tests and validates equipment on behalf of the election officials it supports. The evaluations are conducted in partnership with several laboratories.
CISA is still a relatively young agency, and it's interesting to see the portfolio of services it's evolving.
Why cheap insurance may not be a good thing, in the long run.
Cyber insurance policies currently fetch a surprisingly low premium, as TechTarget notes from discussions it heard at Black Hat. The low cost is a supply-side phenomenon: a lot of insurers are working to get into the market, and they're competing on price. But the low premiums being charged probably mean that the underwriters are still working without the actuarial data and models they need to be fully comfortable with the risk they're accepting in transfer from their customers. Expect prices to change as the actuaries catch up with the consequences of cyber incidents.
Congratulations to the Plaid Parliament of Pwning.
Carnegie Mellon University's competitive hacking team took top honors for the fifth time in seven years at Def Con this year. Def Con's capture-the-flag is generally seen as the world cup of hacking. Congratulations to the Triple-P.
Notes on swag and booth diversions.
Socks continue to be a popular giveaway. If you left Black Hat barefoot, you did so by choice and not necessity. T-shirts remain another standby. CrowdStrike had a big line at their booth for shirts emblazoned with the company's cartoon representations of threat actors. And if you weren't able to get to Vegas, ask those colleagues who made the trip if they spent any time in Demisto's ball pit. (Trust us: admit it or not, they probably did.) Farewell to Las Vegas, until next year.
By the CyberWire staff
The UN Security Council panel studying North Korean hacking concluded, according to the AP, that Pyongyang has made at least thirty-five financially motivated cyberattacks against seventeen countries as it works to fund its weapons-of-mass-destruction programs. The most common operations are attacks against the SWIFT bank funds-transfer system, attacks against cryptocurrency exchanges, and cryptojacking to mine alt-coin directly.
Anomali says it's observed the BITTER APT operating against Chinese government targets. The apparent cyberespionage campaign is thought to operate out of India, as Help Net Security reports.
Proofpoint has released a study of PsiXbot, a modular information-stealer described early this year by FoxIT. A new version of the malware is out in the wild, turning up in both phishing campaigns and exploit kits. The malware has added new modules and a new way of connecting to DNS servers. Proofpoint regards the upgrades as evidence of the threat actors' determination to compete in the crowded criminal-to-criminal market. They don't identify the gang responsible, but they observe without comment that PsiXbot checks a potential victim to see if that target is likely to be Russian. If it is, PsiXbot exits.
Glasswall Solutions issued a report this morning in conjunction with Forcepoint on spearphishing trends. They find that it's growing more evasive. An analysis of twenty-five million email attachments concluded that IP theft and compromise of confidential client data represent the highest risks.
Influence operations targeting next year's US elections are arguably already underway, NextGov notes. They're inexpensive and low-risk.
Today's issue includes events affecting China, Costa Rica, Gambia, Guatemala, India, Democratic People's Republic of Korea, Republic of Korea, Kuwait, Liberia, Malaysia, Malta, Nigeria, Pakistan, Poland, Russia, Saudi Arabia, Slovenia, South Africa, Tunisia, United Kingdom, United Nations, United States, and Vietnam.
Bring your own context.
University cybersecurity programs are typically directed toward professional preparation. Academic programs are receiving feedback from the businesses who hire their graduates.
"One of the problems was [that students] didn't understand governance, for example - governance and interacting with teams and leadership - that kind of workplace rapport that's needed. So we've leaned in on governance and teaching best practice, alignment, training, risk management. And then lastly, what I heard, and very strongly, from business was that technology students were coming out, and they didn't have a grasp of how technology drives the business. They knew - they thought technology was, according to the folks we interviewed as part of building our programs, they thought technology was about technology, when really, in most businesses and most government technology operations, your job is to drive the business. There was a lack of understanding of how to communicate around the business of technology. There was a lack of ability to talk to people who weren't in the technical end of the business, for example, people in the C-suite. So we made sure that our programs are all teaching those skills, and we're doing it in a very practical way."
—Ralph Russo, director of information technology programs for Tulane University's School of Professional Advancement, on the CyberWire Daily Podcast, 8.12.19.
And that's how one university is using the feedback to shape its program.
ON THE PODCAST
In today's podcast, out later this afternoon, we speak with our partners at the University of Maryland, as Jonathan Katz discusses Apple’s clever new cryptographic protocol. Our guest, Mike Overly from Foley and Lardner LLP, talks about the US House of Representatives' hold on the State Department’s proposal for a Bureau of Cyberspace Securities and Emerging Technologies.
Cyber Warrior Women Summer Social: Sip and Paint (Columbia, MD, United States, August 21, 2019) Join the Cybersecurity Association of Maryland, Inc. (CAMI) for the annual Cyber Warrior Women Summer Social, an all-about-fun-and-networking event! We're adding an artistic element to this year's event with a wine glass painting exercise. No previous art experience required.
Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.
Dateline Black Hat and Def Con
Why cyber insurance policies are so 'ridiculously cheap' (SearchSecurity) At Black Hat 2019, experts from the cyber insurance market discussed how it is growing rapidly but expressed concerns about the lack of actuarial data and proper risk assessments behind those ultra-cheap cyber insurance policies.
Vulnerability Summary for the Week of August 5, 2019 (CISA) The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD. In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Threat Intelligence Bulletin: Evasive Spear Phishing (Glasswall) Glasswall Threat Intelligence Bulletins mine our Threat Intelligence Platform to explore the latest trends in evasive malware that bypasses the various security layers designed to protect an organization. This first part of a two part special Bulletin is a joint effort between Glasswall and Forcepoint, the Raytheon owned military provider of world class gateway security …
Outsourcing, Cost Cutting and the Boeing 737 Max Debacle (BlogInfoSec) When we thought that Boeing had come up with ways to mitigate the risks that resulted in two major air crashes, we learn that Boeing has been outsourcing their software development to Indian companies that hired newbie temporary programmers for as little as $9 per hour, as described in a June 28, 2019 article by Peter Robison with the title “Boeing 737 Max software outsourced to $9-an-hour engineers”.
GUEST ESSAY: Why the next round of cyber attacks could put many SMBs out of business (The Last Watchdog) In the last year, the news media has been full of stories about vicious cyber breaches on municipal governments. From Atlanta to Baltimore to school districts in Louisiana, cyber criminals have launched a wave of ransomware attacks on governments across the country. Related: SMBs struggle to mitigate cyber attacks As city governments struggle to recover […]
Hiscox Cyber Readiness Report 2019 (Hiscox) Our third Hiscox Cyber Readiness Report provides you with an up-to-the-minute picture of the cyber readiness of organisations, as well as a blueprint for best practice in the fight to counter the ever-evolving cyber threat.
Huawei Hires Trade Lobbyists as Sales Slow in US-China Fight (Transport Topics) Huawei Technologies Co. hired the law firm Sidley Austin to lobby on trade as the U.S. pressures allies to join it in blacklisting the Chinese telecom giant and the company finds itself increasingly mired in President Donald Trump’s trade war with Beijing.
TechOperators leads $8.1 mln round for Polarity (PE Hub) Polarity, a memory augmentation platform, has secured $8.1 million in funding. TechOperators led the round with participation from other investors that included Shasta Ventures, Strategic Cyber Ventures and Gula Tech Adventures. In addition to the funding, Tom Noonan and Dan Ingevaldson will join Polarity's board while Ron Gula will come on board as an observer.
CompTIA Security+ Surpasses 500,000 Certified Milestone (CompTIA) CompTIA provides the media with unbiased insights into the myriad of issues affecting the industry including trends in technology, research, legal issues, public policy, workforce training, and business trends.
An ICS Cyber Security Storm is Brewing: How to Prevent Staff Burnout (Nozomi Networks) Building cyber resiliency puts a lot of pressure on an organization’s security team. It requires specialized knowledge that takes time to develop, and there just aren’t enough skilled cyber experts to go around. Which begs the question: are the limited number of security experts holding the front lines in danger of burnout – and what can we do about it?
MU recognized for cyber defense research (Columbia Missourian) The National Security Agency and the Department of Homeland Security sponsor the program and gave the distinction, which will last until 2024.
DHS bug bounty program gets $44M price tag (FedScoop) A Department of Homeland Security bug bounty program, as proposed by legislation being considered in the House, would cost $44 million, according to the Congressional Budget Office. On July 17, the House Committee on Homeland Security requested CBO perform a cost estimate of H.R. 3710, the Cybersecurity Vulnerability Remediation Act, which calls for DHS to …
Fortnite champ Bugha 'swatted' while streaming (ESPN) Kyle "Bugha" Giersdorf, a 16-year-old Pennsylvanian who last month won the $3 million grand prize in the Fortnite World Cup, was "swatted" while livestreaming on Twitch on Saturday night.
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Cybersecurity Summit, New York (New York, New York, USA, August 13 - 14, 2019) The Cybersecurity Summit, New York, invites information security practitioners to learn about the latest trends in data breaches and frauds, and about mitigation strategies. ISMG’s Global Summit focuses...
Virginia Cybersecurity Education Conference (Fairfax, Virginia, USA, August 13 - 14, 2019) The goal of the Virginia Cybersecurity Education Conference is to get attendees thinking about ways to engage students at all grade levels in hands-on, meaningful educational activities related to cybersecurity.
AcceleRISE (Minneapolis, Minnesota, USA, August 14 - 16, 2019) Prepare for your future. Designed for young industry professionals like yourself, and presented by SIA, AcceleRISE brings together tomorrow’s security leaders for two-plus days of idea sharing, coaching,
The conference, hosted by SIA’s RISE community for young professionals and those new to the industry, will present blended learning sessions featuring a mix of keynotes, panel sessions, team building exercises, peer networking and workshops.
PCI Security Standards 2019 Latin America Forum (São Paulo, Brazil, August 15, 2019) Don’t miss the data security event of the year for the payment card industry. We provide you with the information and tools to help secure payment data. We lead a global, cross industry effort to increase...
Austin Cybersecurity Conference (Austin, Texas, USA, August 15, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...