Cybersecurity Fabric: The Future of Advanced Threat Response
Today, it is not enough to protect your assets by collecting high quality threat intelligence – organizations need inline detection & mitigation at line-speed to protect themselves from incoming or existing threats on the network. As cyber strategy shifts towards a “Zero Trust” model, your organization needs to ensure that every device, user, workload, or system is being monitored with a Cybersecurity Fabric. Join LookingGlass for our upcoming webinar October 2, 2pm EST to learn more.
September 6, 2019.
News from the 10th Annual Billington CyberSecurity Summit
The 10th annual Billington CyberSecurity Summit concluded yesterday in Washington, DC. Here are a few highlights from yesterday's sessions.
Warfighting in the fifth domain. Major General Dennis Crall, US Marine Corps, presently serving as Deputy Principal Cyber Advisor and Senior Military Advisor for Cyber Policy in the Department of Defense, framed military cyber policy thusly: "This is all about outcomes." He offered three salient considerations for US military cyber policy:
"Lethality." This has three aspects: authorities (and these need to be not only the right ones to authorize sound operations, but they also need to be "deep enough" to enable forethought and anticipation), processes (which need to be repeatable, and to enable operators to use the authorities they've been given), and capabilities (a trained force with the tools necessary to accomplish a mission).
"Partnerships." Such partnerships are both domestic (where partners often have authorities the military lacks) and international (where allies cooperate to share information within a framework that affords a common level of protection).
"Reform." At bottom this is a way of keeping faith and trust by applying scarce resources in the most effective and affordable ways possible.
CISA's vision. It's clear that the 2020 US elections will be the first big test of the Department of Homeland Security's youngest agency. Christopher Krebs, Director of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, discussed the vision he expressed for CISA at Auburn University earlier this summer. The agency has, he said, five principles of execution and two goals. The principles are:
Operate with the statutory authority to collaboratively lead critical infrastructure protection.
Work consistently with Constitutional rights and national values.
Execute and engage as one agency, in one fight, as one team.
CISA's goals are to "defend today" and "secure tomorrow." The agency's priorities include securing government networks (and this includes rendering appropriate support to state and local governments), securing elections, protecting soft targets and crowded places, and defending industrial control systems. "In 2020, we're going to lead," Krebs concluded, returning to the central challenge of election security. "We're not going to let the Russians or the Chinese in."
Three lessons the United Kingdom has drawn from recent cyber history. Ciaran Martin, CEO of the UK's National Cyber Security Centre, began his talk with an appreciation of the US-UK Special Relationship. He cautioned the audience that as they heard his lessons learned, they must bear in mind that the US and UK, while sharing much history and many values, remain in many respects very different countries. The lessons derive from the realities of the environment in which we live. We're defending open, digital societies. Prosperity is a social concern, and critical infrastructure presents a serious national risk. Cyber security is at base about defending a way of life. We face a formidable set of adversaries. Russia is a determined, aggressive, disruptive opponent. Our commercial environment today is one in which our businesses are under routine, continuous Chinese assault. North Korea and Iran are active and implacably hostile. Transnational cybercrime has become, cumulatively, a grave threat to the digital economy. And state actions have come to have serious collateral effects quite apart from the effects they're designed to have on their intended targets. Both WannaCry and NotPetya illustrate this. Operating in this world has led Martin to three conclusions. First, "Government matters." The Internet is a public good, but well-intentioned calls for public-private partnership have proven a recipe for inaction. Instead, governments should take responsibility for detection, resilience, and making technology safer. Second, we must "think carefully about our own footprints." Cyberspace may be an operations domain, but fundamentally it's a peaceful domain, and we must act with this in mind. Finally, governments need to look to the future, and that means looking for effective deterrence.
The event was widely covered by the media. Some of the stories filed on the Summit are linked below. We'll finish our own coverage of the event early next week. (In the meantime, a quick cautionary pro tip to consumers of news: "crypto" is not necessarily synonymous with "alt-coin," or "cryptocurrency." And that's no secret.)
By the CyberWire staff
More reports have emerged on China's extensive work to track and monitor its predominantly Muslim Uyghur minority. State security services, Reuters says, have compromised telecommunications networks in several Asian countries in order to keep track of the activities of Uyghur travelers. The affected networks have been found in at least Turkey, Kazakhstan, India, Thailand, and Malaysia.
Other notes on Chinese activity focus on what appears to be a systematic effort to turn leaked Equation Group tools to Beijing's operational advantage. A Check Point study of China's Buckeye group (also known as APT3 or UPS team) has followed up earlier work by Symantec and taken a look at Buckeye's Bemstour tool. Check Point concludes, with appropriate reservations about the inevitable uncertainty of such assessments, that Bemstour has adapted the Equation Group's EternalRomance exploit to its own purposes. As the researchers put it in their conclusion, "attack artifacts of a rival (i.e. Equation group) were used as the basis and inspiration for establishing in-house offensive capabilities."
The job search service Monster.com has been affected by a data breach at an unnamed third party, a recruiting firm that is a Monster customer. TechCrunch notes that Monster did not notify affected individuals of the breach because, in Monster's view, the data, once sold, becomes the responsibility of that third party; Monster says it did notify the errant customer that it had a problem.
A researcher with CSIS Security Group describes "Joker" Android spyware. Computing reports that Joker has been found in twenty-four Play Store apps.
Today's issue includes events affecting Argentina, Australia, Austria, Belgium, Brazil, China, Cyprus, Denmark, Egypt, European Union, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kazakhstan, Kuwait, Malaysia, Myanmar, NATO/OTAN, Netherlands, Norway, Poland, Portugal, Qatar, Russia, Saudi Arabia, Serbia, Singapore, Slovenia, Spain, Sudan, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States, and Vietnam.
Bring your own context.
Remember Rowhammer? It's still out and about.
"So, basically, at a high level, what [Rowhammer] allows an attacker to do is if they have control over, you know, one portion of memory, say memory location A, but they don't have control over memory location B, they can, nevertheless, by making a bunch of changes to memory location A, effect changes in memory location B. And, of course, you can see that that's going to be quite dangerous if memory location B is going to be holding some cryptographic information.... Previous Rowhammer-based exploits just violated integrity. So, basically, they allowed the attacker to modify the key and thereby mess things up for some cryptographic computation that was being performed. And what the researchers have now shown is that they can use that information to actually now learn the key itself.... And gradually over time, they can learn certain bits of information about that portion of memory, which may contain a key. And then they can further use existing algorithms to then bootstrap from the little bit of information they can learn to eventually recover the entire key."
—Jonathan Katz, of George Mason University, on the CyberWire Daily Podcast, 9.4.19.
Conduct secure and anonymous research on the open and dark web.
If you are doing online research, the common web browser can betray you by exposing you and your organization to cyber attacks. Authentic8, the maker of Silo Cloud Browser and Silo Research Toolbox, ends this betrayal. Silo insulates and isolates all web data and code execution from user endpoints, providing powerful, proactive security even if you are gathering data and collections across the deep and dark web. Learn more.
Second Annual DataTribe Challenge (Online, October 1, 2019) Register now for a chance to be DataTribe's next world-class company. Finalists will split a $20,000 prize, and the winner may receive $2m in funding from DataTribe. Contestants have until October 1st to apply at www.datatribe.com/challenge.
Zero Day Con (Washington, DC, USA, October 22, 2019) Zero Day Con hosts a day of expert discussion on security approaches to regain control over your systems, data, and information. Join us to examine insights, security technologies, and key priorities to secure your systems. Get a 30% discount for Labor Day using code LABOR30.
OMB's CyberStat program is 'evolving' (FCW) Following an audit that found the Office of Management and Budget could be making better use of the cybersecurity reviews, Federal CISO Grant Schneider said the agency is looking at revamping the program ahead of the next fiscal year.
Cox Previews CDM Program Office Priorities for FY2020 (MeriTalk) Kevin Cox, program manager for the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program, today detailed several priorities for the program office in FY2020, which begins next month. Those include focus on the Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm, the new dashboard ecosystem, enterprise mobility management, cloud security, and protection of high-value assets.
No, NASA Did Not Say It's Developing Its Own Cryptocurrency (Gizmodo) Let’s get one thing straight right now: “crypto” means “cryptography.” It does not mean “cryptocurrency.” Unless you’re a person who thinks the blockchain is the future, that is, which is how we ended up with the dumbest news cycle this side of a measles outbreak.
UPSynergy: Chinese-American Spy vs. Spy Story (Check Point Research) Earlier this year, our colleagues at Symantec uncovered an interesting story about the use of Equation group exploitation tools by an alleged Chinese group named Buckeye (a.k.a. APT3, or UPS team). One of the key findings in their publication was that variants of the Equation tools...
Monster.com says a third party exposed user data but didn’t tell anyone (TechCrunch) An exposed web server storing résumés of job seekers — including from recruitment site Monster — has been found online. The server contained résumés and CVs for job applicants spanning 2014 and 2017, many of which included private information like phone numbers and home addresses, but also email ad…
#privacy: “Joker” trojan signs users up for premium subscriptions (PrivSec Report) A new Android trojan dubbed “Joker” has been discovered with malware dropper and spyware capabilities in 24 Google Play Store apps. In a blog post, researcher Aleksejs Kuprins from CSIS Security Group described how he had observed the Joker on Google Play. It was detected in 24 apps with over 472,000 installs in total. It …
URGENT/11 - New ICS Threat Signatures by Nozomi Networks Labs (Nozomi Networks) A well-known RTOS (Real-Time Operating System), widely used in industrial sectors, is at risk from a series of 11 vulnerabilities dubbed URGENT/11. Nozomi Networks Labs conducted research on the vulnerable devices and has released threat signatures for URGENT/11 that identify threats in typical industrial networks without generating high numbers of false positive alerts.
Rockwell Automation Allen-Bradley PowerMonitor 1000 (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 9.8
ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
Vendor: Rockwell Automation
Equipment: Allen-Bradley PowerMonitor 1000
Vulnerabilities: Cross-site Scripting and Authentication Bypass
Red Lion Controls Crimson (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.8
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Red Lion Controls
Equipment: Crimson (Windows configuration software)
Vulnerabilities: Use After Free, Improper Restriction of Operations within the Bounds of a Memory Buffer, Pointer Issues, Use of Hard-coded Cryptographic Key
Rockwell Automation Arena Simulation Software (Update A) (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 8.6
ATTENTION: Low skill level to exploit
Vendor: Rockwell Automation
Equipment: Arena Simulation Software
--------- Begin Update A Part 1 of 3 ---------
Vulnerabilities: Use After Free, Information Exposure, Type Confusion, Insufficient UI Warning of Dangerous Operations
--------- End Update A Part 1 of 3 ---------
BD Pyxis (CISA) 1. EXECUTIVE SUMMARY
CVSS v3 7.6
ATTENTION: Exploitable remotely/low skill level to exploit
Vendor: Becton, Dickinson and Company (BD)
Vulnerability: Session Fixation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow the Active Directory (AD) credentials of a previously authenticated user to be used to gain access to the device.
McAfee CEO Chris Young Contemplates The Future Of Cyber Security (Forbes) Chris Young has been in the cyber security industry for a quarter of a century, having been an entrepreneur in the space, having run security business units within Intel, Cisco, and AOL, and now as the CEO of McAfee. In this interview, he describes how he stays current in a rapidly evolving field.
BigID announces $50M Series C investment as privacy takes center stage (TechCrunch) It turns out GDPR was just the tip of the privacy iceberg. With California’s privacy law coming on line January 1st and dozens more in various stages of development, it’s clear that governments are taking privacy seriously, which means companies have to as well. New York-startup BigID, …
Brunswick Taps Ex-US Cyber Command Chief Rogers (O'Dwyers PR) Mike Rogers, retired US Navy admiral who served as commander of the US Cyber Command and director of the National Security Agency, has joined Brunswick Group in its Washington office.
Products, Services, and Solutions
Speeding IT Visibility into OT: New Integrations with Fortinet (Nozomi Networks) Fortinet and Nozomi Networks achieved another partnership milestone with two new integrations that deliver full security visibility and management across IT and OT environments. Now with comprehensive integrations for FortiGate, FortiNAC, and FortiSIEM, we’re helping eliminate the gap between IT and OT. Read on to learn how the integrations provide full visibility across IT and OT, allowing customers to detect and respond to threats more effectively.
DigiCert Announces Post-Quantum Computing Test Kit (DigiCert) This PQC test kit is designed for technical users who want to try out the process of installing the hybrid RSA/PQC certificate (TLS or IoT). The kit will be useful for PKI architects and technical solution designers across a variety of industries.
Facebook debuts vaccine education pop-up windows (CNN) Facebook, which owns Instagram, is rolling out new educational pop-up windows on both platforms to combat the spread of misinformation about vaccines, particularly anti-vaccination content.
Italy approves use of special powers over 5G supply deals (Yahoo) Italy's new government on Thursday approved its use of special powers in supply deals for fifth-generation (5G) telecom services by a number of domestic firms with providers including China's Huawei and ZTE Corporation. A government source told Reuters at the time the decision to strengthen
DOD issues draft of new contractor cyber standards (FedScoop) The Department of Defense has issued long-awaited cybersecurity standards in draft form for contractors who work with the Pentagon’s sensitive data. Version 0.4 of the Cybersecurity Maturity Model Certification (CMMC) is now live, giving contractors a glimpse into the sort of cybersecurity standards they will need to meet if they want to work on contracts that handle controlled …
The Doghouse: Crown Sterling (Schneier on Security) A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious -- and amusing -- examples of cryptographic "snake oil."
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
RSA Conference 2020 (San Francisco, California, USA, February 24 - 28, 2020) Be part of a conversation that has the power to change the world. Join top cybersecurity leaders and a dedicated community of peers as we exchange the biggest, boldest ideas that will help propel the industry...
Derbycon 2019 (Louisville, Kentucky, USA, September 4 - 8, 2019) DerbyCon isn’t just another security conference. We’ve taken the best elements from all the conferences we’ve ever been to and put them into one. DerbyCon is a place you can call home, where you can meet...
Global Security Exchange (GSX) (Chicago, Illinois, USA, September 8 - 12, 2019) Global Security Exchange (GSX) is the only event that brings together security professionals from all vertical markets throughout the world to network, learn, and re-invest in the industry. It’s home for...
Insider Threat Symposium & Expo (Laurel, Maryland, USA, September 10, 2019) The National Insider Threat Special Interest Group's event is for anyone involved in Insider Threat Program (ITP) Management / Insider Threat Mitigation. Speakers will come from the White House, Missile...
Atlanta Cybersecurity Conference (Atlanta, Georgia, USA, September 12, 2019) Data Connectors brings together security professionals to discuss mitigating risk and improving their overall security posture. Eight industry speakers, an FBI/NSA/DHS keynote speaker, and a CISO Panel...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.