In today's podcast we hear that Singapore's SingHealth has sustained a major data breach: authorities speculate it may have been the work of a nation-state yet to be determined (or at least named). A third-party data exposure affects major manufacturers, including car makers. The Aspen Security Forum concludes with sobering warnings from senior US Government officials and the private sector of election interference and the prospects of a "cyber 9/11." Ecuador may be tiring of Mr. Assange. Rick Howard from Palo Alto Networks revisits the notion of a metaphorical cyber moon-shot.
Dave Bittner: [00:00:03] Singapore's SingHealth sustains a major data breach. A third-party data exposure affects major manufacturers, including carmakers. The Aspen Security Forum concludes with sobering warnings from senior U.S. government officials, and the private sector of election interference and the prospects of a cyber 9/11. And, Ecuador may be tiring of Mr. Assange.
Dave Bittner: [00:00:31] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And, like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report, "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:32] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 23, 2018. A major breach in SingHealth developed over the weekend, affecting approximately 1.5 million citizens of Singapore. The data, which were taken over a period of eight days before the exfiltration was discovered, included name, national registration identity card number, address, gender, race and date of birth. For some 160,000 patients, the data taken included details of medicines they'd received. Singapore officials, while acknowledging the value the data could have if monetized by criminals, think the operation was run by a nation-state. Many have praised the government's response. FireEye pointed out to BleepingComputer that detection within eight days is orders of magnitude below the regional norm of 498 days. But the incident has prompted calls for a reboot of Singapore's Smart Nation initiatives.
Dave Bittner: [00:02:35] Researchers at security firm eSentire report seeing an increase in exploitation of consumer networking devices, GPON routers manufactured by Dasan and D-Link. This doesn't appear to be a highly targeted campaign. Indeed, the attack pattern suggests that a botnet is in use and that the exploitation is opportunistic. Users are advised to bring patches up to date, review credentials to ensure they haven't left the defaults in place and consider disabling remote access and universal plug and play capabilities.
Dave Bittner: [00:03:09] The New York Times, Infosecurity Magazine, TechCrunch and others report security firm UpGuard's claims that Level One Robotics, which supplies major industrial firms, especially car manufacturers, left 157 gigabytes of data exposed on a publicly accessible server - data from VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp, including assembly line schematics, plant floor plans, robotic configurations, request forms for ID badges and VPNs, and nondisclosure agreements. The data also includes various bits of personal information on Level One employees - scans of passports and driver's licenses are mentioned - as well as some Level One business data, including contracts, details of bank accounts and invoices. UpGuard says the data were left exposed on an rsync server that lacked either user or IP restrictions and that the data kept there were accessible to any client that connected to the rsync port.
Dave Bittner: [00:04:12] The Aspen Security Forum wrapped up Saturday after clear, direct warnings from senior U.S. intelligence and law enforcement officials that Russian hacking remained a significant threat to the U.S. Director of National Intelligence Dan Coats warned of the possibility of a cyber 9/11. What might such a cyber 9/11 look like? Other symposiasts said essentially that the worst-case scenario would involve disruption of critical infrastructure, especially water distribution, the power grid and the financial system. And they thought the prospect of terrorists, nonstate actors, getting their hands on attack tools developed by nation-states was the most worrisome possibility.
Dave Bittner: [00:04:53] Homeland Security Secretary Kirstjen Nielsen called out Russian interference in elections, saying, quote, "I agree with the intel community's assessment full stop. Any attack on democracy, which is what that was, whether it is successful or it is unsuccessful, is unacceptable. I absolutely believe their assessment," quote.
Dave Bittner: [00:05:14] According to an account in Fortune, warnings about election interference came from the private sector, as well. Microsoft's Vice President for Customer Security Tom Burt said that Redmond had identified three spear-phishing campaigns directed against campaigns in the U.S. midterm elections. They traced the incidents to a threat actor Microsoft believes to be associated with Russia's GRU military intelligence agency. Burt declined to say who the three targeted candidates were, but he did say that, quote, "they were all people who, because of their positions, might have been interesting targets from an espionage standpoint, as well as an election disruption standpoint," end quote. Burt did add that, so far, at least, the Russian services don't seem to be as aggressive as they were in 2016. Still, it's early. As he observed, we may still see attempts to infiltrate universities, think tanks and social media in support of more effective phishing campaigns. As Burt noted, quote, "there's a lot of time left before the election," quote.
Dave Bittner: [00:06:18] Deputy Attorney General Rod Rosenstein said Russia's not the only cyber power everyone ought to be concerned about. While Russia is just one tree in a growing forest - presumably a pretty big tree - he also called out the worrisome and increasing threat of cyberattack by three other familiar nation-state actors - China, North Korea and Iran.
Dave Bittner: [00:06:40] Julian Assange may be wearing out his welcome in Ecuador's London embassy. That welcome has grown increasingly strained, the smiles on the hosts' faces more pained over the past year. And Ecuador is said to be considering ending the asylum Mr. Assange has enjoyed since 2012. Ecuador's government has asked him as a condition of that asylum not to interfere with the affairs of other states, and Mr. Assange agreed to that condition last year. It's been difficult for him to restrain himself, however.
Dave Bittner: [00:07:12] Ecuador apparently sees his support of Catalonian independence as a particularly objectionable breach of trust. Ecuador's President Lenin Moreno, who took office in May, has described the WikiLeaks founder as a hacker - which he doesn't mean in a good way - an inherited problem and a stone in the shoe. President Moreno will be in London at the end of this week, and there's considerable speculation that during or shortly after his visit, Mr. Assange will be handed over to British authorities. A lot of other authorities are also interested in him. The U.S. in particular would like him to account for his role in the leaks by former U.S. Army Specialist Manning.
Dave Bittner: [00:07:58] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And, they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:08:59] Joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. You know, a couple months ago, you told me about this notion of a cyber moonshot that your boss had floated to some folks. And I think that captured the imagination of some people. Other people are skeptical of it. But you've got an update. There's some new information about this.
Rick Howard: [00:09:24] Yeah. You're right. And, you know, the idea of a cyber moonshot has been around for years and years. But, you know, it's just been kind of a, you know, a thing, a marketing thing that vendors would glom onto. And the idea of it was inspired by President Kennedy's speech at Rice University back in the early '60s where he proclaimed that the United States would send a man to the moon and bring him back safely in 10 years, not because it was easy, but because it was hard. And that's what Americans do. We solve hard problems, right?
Rick Howard: [00:09:52] So my boss got up in front of this conference that goes on over the last few years, the Joint Service Academy Cyber Security Summit. We've been rotating this group around the academies for the various years. We did two years up at West Point. We did two years in Annapolis. And next year, we're going up to the Air Force Academy. Well, when we went to Annapolis, my boss got up and said, you know what? I'm tired of talking about the problem. Why don't we do something about it? All right? And why don't we all get together and figure out how to do a cyber moonshot?
Rick Howard: [00:10:22] So here's the mission statement. If we wanted to make the internet safe in 10 years - not safer, but safe - what would it take? And that got everybody excited. When I talked about this on your program the last time, I got lots of phone calls, lots of emails asking how they can help. And so that's been fantastic. All right? So - but when I talk to network defenders about the cyber moonshot, OK, they want to jump right to solving the problem, right? And that's not really what we're going for with this. We're not trying to incrementally solve - making the internet safe. We're trying to identify the problems that need to be solved, knowing full well that we probably don't have solutions in place that can solve those problems. And so we are trying to identify what those problems are.
Rick Howard: [00:11:04] Now, here's the news. OK? Here's what's changed. Two big things have happened. The first, the NSTAC, the National Security Telecommunications Advisory Committee, decided to study the cyber moonshot issue this year. They've been looking at it for the past few months. And they finished their research, I believe. And they're going to publish their results. What they did was they went out and interviewed a bunch of people, bunch of organizations that did moonshot-like things in the past. They went out and interviewed NASA and other, you know - medicine research and all those kinds of things. And they kind of got a feel of what it would take to do a cyber moonshot.
Rick Howard: [00:11:40] And then, OK, the Joint Service Academy Cyber Security Summit leaders - it's all the academies and some other commercial vendors that said, why don't we take that report and try to put some meat on the bones? So what we're going to do is we're going to hold two or three workshops up at the Air Force Academy this next year to try to add some flavor to what it is - from what the NSTAC publishes, and then we'll talk about those issues at the next conference in the spring up at the Air Force Academy. So what makes this all different, OK, is that it looks like two independent organizations think this is a valid thing to do, the NSTAC and the Joint Service Academy Cyber Security Summit. So I'm optimistic that maybe we can get something going.
Dave Bittner: [00:12:26] All right. Well, it's ambitious, to be sure. If folks want to get a hold of you, if they have suggestions or just want to volunteer their time, what's the best way to contact you?
Rick Howard: [00:12:35] Yeah. Tell them hit me up on LinkedIn. And I will make sure they get on the list. And if they want to volunteer for the working groups, we're already building that list now. And if they want to come out for the conference in the spring up at the Air Force Academy, we can make that happen, too.
Dave Bittner: [00:12:48] All right. Terrific. As always, Rick Howard, thanks for joining us.
Rick Howard: [00:12:51] Thank you, sir.
Dave Bittner: [00:12:57] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called "Security, Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.