In today’s podcast, we hear warnings of Russian recon “degradation” of the North American power grid. Information operations in Russia’s hybrid war against Ukraine. Factions in Yemen’s civil war contest cyberspace (and fiber optic cables). Eternal Silence exploits systems not patched against EternalBlue and EternalRed. Dell tells its customers to reset their passwords. And the US indicts two Iranians for deploying the SamSam ransomware. Emily Wilson from Terbium labs with unintended consequences of GDPR. Guest is Francis Dinha, founder and CEO of OpenVPN, discussing the VPN landscape.
Dave Bittner: [00:00:03] Warnings of Russian recon degradation of the North American power grid, information operations in Russia's hybrid war against Ukraine, factions in Yemen's civil war contest cyberspace and fiber optic cables. EternalSilence exploits systems not patched against EternalBlue and EternalRed. Dell tells its customers to reset their passwords. And the U.S. indicts two Iranians for deploying the SamSam ransomware.
Dave Bittner: [00:00:38] And now, a word from our sponsor ObserveIT. (Singing) It's the most wonderful time of the year. Well, sort of. We're talking about budgeting season. Most cybersecurity professionals agree that they need more budget. Unfortunately, many organizations wait until a costly incident occurs to provide the budget their security teams need. A case in point - insider threats cost organizations, on average, $8.76 million per year, according to a Ponemon Institute survey. But 34 percent of cybersecurity professionals named lack of budget as a major barrier to establishing an effective insider threat management program. So how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives an in-depth look at insider threat budgeting, including determining top cost centers, evaluating your organization's risks and, especially, making the case to management for a dedicated insider threat management line item. Visit observeit.com/cyberwire and check out ObserveIT's Guide to Budgeting for Insider Threat Management today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 29, 2018.
Dave Bittner: [00:02:18] Security firm FireEye warns that Russian threat actors are conducting opportunistic and worrisome reconnaissance of the North American power grid. FireEye calls the group they've been monitoring TEMP.Isotope, but it's better known as either Dragonfly 2.0 or, of course, Energetic Bear. TEMP.Isotope seems interested, for now, in collection and not disruption. Some of that collection is thought to be designed with a view to improving Russian power distribution, but it's difficult to read much of the rest as anything other than battlespace preparation.
Dave Bittner: [00:02:53] It's worth noting that Energetic Bear has concentrated on intelligence collection and that it's operated to a great extent through phishing and watering hole attacks. Even reconnaissance takes a toll. It certainly doesn't amount to a grid takedown or to a disruption of service, but it does amount to what FireEye calls degradation in the counterintelligence sense. It consumes security resources. It wearies security teams. It forces certain defensive responses, and, of course, it can lay the groundwork for some future disruptive attack. This is part of battlespace preparation.
Dave Bittner: [00:03:30] Russia's Ukrainian battlespace is already well-prepped. It's also newly kinetic in the Sea of Azov as Russian naval units have fired on and seized some Ukrainian vessels. Ukraine has declared martial law in parts of the country. Information operations have also begun. Ukrainian objections to attacks on shipping are nothing more, in Moscow's telling, than an electoral ploy to prop up Ukrainian President Poroshenko in preparation for the March elections.
Dave Bittner: [00:03:59] Besides, they were in Russian territorial waters and got what they had coming to them. And anyway, the incident has been blown out of proportion. Expect more of this, and don't look for consistency. It's what sticks that counts. Information operations are nothing if not opportunistic. And expect kinetic attacks in this hybrid war to be accompanied by offensive cyber operations.
Dave Bittner: [00:04:23] Another kinetic war, the one in Yemen, is spilling over into cyberspace. The Saudi-backed government and the Iran-backed Houthi rebels are contending for control of the internet, blocking opponents, collecting intelligence and conducting some online banditry. The Houthis have been particularly active in cyberspace, as noted by foreign policy. The leverage control of cyberspace brings to the combatants has helped set some of the faction's physical objectives. The fiber optic cables that run through the Sana'a region are especially prized and are thought to be the source of a good deal of the Houthis' operational intelligence.
Dave Bittner: [00:05:01] On the consumer side of cybersecurity, VPNs, virtual private networks, are a popular solution for privacy - obscuring who you are, security - obscuring the data you're exchanging, and geography - obscuring where you're located. But what about the business and enterprise case for VPNs? Francis Dinha is founder and CEO at OpenVPN. And he joins us to explain.
Francis Dinha: [00:05:26] The first use case is mostly remote access, basically giving mobile workers, say, if you're working from home - or even in a lot of cases right now, where a lot of resources and data is being deployed on a cloud and now you want to give access to your employee - a remote access, but mostly secure access to all your resources, to all your services. That is deployed, say, on Amazon cloud, AWS, on your, you know, virtual private cloud or on your private network for remote workers. So VPN is used for remote access to your, basically, network resources that are deployed in a private cloud or a private network.
Francis Dinha: [00:06:10] There is also another case for managing devices. So for instance, when you have companies who are deploying "internet of things" - we have, for instance, a company - air conditioning company where they deploy all these air conditioning units, and they use VPN to basically monitor and control - remotely control all these different devices. So that's more of an internet of things.
Francis Dinha: [00:06:40] Another use case would be points of sales. For instance, there is a company that uses our OpenVPN for basically points of sales in different restaurants, where they utilize internet. But then what they do is they use the VPN to tunnel all that information and send and exchange all that information for point of sales going to the data centers.
Francis Dinha: [00:07:04] And believe it or not - and even in some certain cases - even car, like Tesla. Tesla uses VPN - an open VPN - to tunnel all their traffic, all things related to software updates or when it comes to whether they have the Google Map for their navigation for updating that. That, again, goes all the way to their private data centers and basically being able to exchange information remotely and securely. So it's all - for businesses, it's all about remote access.
Francis Dinha: [00:07:37] There is another use case for businesses. It is also that I want to make sure, as an IT person, I have a full control for all the information that's basically exchanged between the employee device and even the internet. So in a way, this is a use case for security. So I would be able to tunnel all the traffic from that device and making sure that I can block certain content. I can scan. I can block spam. So it's mostly for threat management and intrusion preventions.
Francis Dinha: [00:08:11] So all that stuff - it's VPN is used as a tool, also, for the IT organization to control that level of information and to provide that level of service, you know, mostly for security. So it's very close to the cloud security for the consumer. But this is where the businesses basically have that use case of remote access but also the security - the cloud security, as well.
Dave Bittner: [00:08:38] And so when an organization is shopping around for a VPN provider, what are the types of questions they should be asking?
Francis Dinha: [00:08:45] It depends what is their use case. The type of the question that they need to ask is what kind of protocols they are supporting. Are they supporting OpenVPN protocols? Are they supporting IPsec? OK, what kind of authentications mechanism do they have? Do they have dual factor? Do they support second-factor authentication? Is it a certificate base? So all these security questions that they have to ask - the other thing they have to ask is on the server side.
Francis Dinha: [00:09:15] Do you have a self-hosted solution? Can I host this on my network or on my own cloud without having to go through your cloud because I don't want my traffic to go you through your cloud? If it's OK, maybe in some cases, I don't mind my traffic to go through a third-party provider. Is it a self-hosted? Can I deploy this on my cloud private network? What kind of authentication, also, mechanism is support? Does it support the active directory? Does it support RADIUS, LDAP? Does it support SAML?
Francis Dinha: [00:09:46] What kind of access control do you provide on your VPN solutions? Do you provide me tools where I can basically have different access for different groups, different organization or different groups within my own organization? For instance, I have a sales organization. I have engineering organization. I have different access, you know, privileges there that I can set, right?
Francis Dinha: [00:10:08] So there are all these kind of questions a business have to ask. I mean, it's really unlike consumers. The consumer use case is very simple. I'm connecting to a third-party VPN provider. All my traffic is flowing there. And I'm getting pretty much just the service to access internet. But in this use case for business, we're talking about basically remote access to a private network, a private resources or private cloud and also to tunnel all the traffic for securing that traffic through their network as well.
Dave Bittner: [00:10:44] That's Francis Dinha from OpenVPN.
Dave Bittner: [00:10:49] Security researchers at Akamai report that the UPnProxy vulnerability that enables exploitation of the Universal Plug and Play protocol is now being used to hit unpatched devices behind router firewalls. Attacks use EternalBlue and EternalRed, which the Shadow Brokers released and said were NSA exploits against targeted computers.
Dave Bittner: [00:11:11] Akamai calls the campaign EternalSilence. As Akamai points out, this was bound to happen eventually. More than 45,000 routers are believed to be compromised so far. It's worth noting that the vulnerabilities these exploits use have been patched for some time, but there's clearly no shortage of unpatched systems out there.
Dave Bittner: [00:11:32] Dell has warned of an attempted breach of its networks and has taken the precaution of resetting customer passwords. The computer company told dell.com customers that it detected unauthorized activity in its network on November 9. Dell believes that some unknown parties tried to access names, email addresses and hashed passwords.
Dave Bittner: [00:11:53] The company says there's no conclusive evidence that whoever was in its network was able to get any data, but it wants its customers to reset their passwords and make them strong ones. And should those customers have followed the bad but common practice of reusing passwords on other accounts, they should reset those too.
Dave Bittner: [00:12:12] A U.S. federal grand jury has indicted two Iranian nationals on charges related to distribution of SamSam ransomware. The U.S. attorney for the District of New Jersey has charged Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer, and two substantive counts of transmitting a demand in relation to damaging a protected computer.
Dave Bittner: [00:12:46] The most well-known and consequential SamSam infestation was the one that took so much of the city of Atlanta offline. And other high-profile cases were also named in the indictment, including the extortion attempts at the MedStar Medical Center in Baltimore, the Port of San Diego, the University of Calgary and the Colorado Department of Transportation. The FBI calls the effects of SamSam staggering. Some 230 entities were infected with SamSam.
Dave Bittner: [00:13:15] The extortionists took in about $6 million in ransom payments. But that was the least of the damage. The SamSam infestation caused around $30 billion - that's billion with a B - in damage to the public and private institutions it affected. Both Mr. Savandi and Mr. Mansouri are presently outside the reach of U.S. law enforcement. But they'd be well-advised not to vacation in places where an extradition treaty with the U.S. is in force.
Dave Bittner: [00:13:43] They also face sanctions from the U.S. Treasury Department. And those will have some effect, whether the gentlemen are in custody or not. Treasury has added, for the first time, digital currency identifiers to the targets on its sanctions list. And it's helpfully provided guidance on how people involved with those currencies can help block transactions. This is expected to be precedent-setting.
Dave Bittner: [00:14:07] It's worth noting that this law enforcement operation was an international one. The cooperating agencies included, the FBI says, the U.K.'s National Crime Agency and West Yorkshire Police, as well as Canada's Calgary Police Service and the Royal Canadian Mounted Police.
Dave Bittner: [00:14:29] And now a word from our sponsor Edgewise. If you've been following cybersecurity news in the past year, you've probably heard the phrase, zero trust security more than once. The tl;dr of zero trust is to never trust and always verify every connection in your environment. That all may sound well and good, but the next questions are how, why and where to begin. If you're in search of a guide to help you get from zero to zero trust, Edgewise networks has you covered. They recently published "Zero Trust Security for Dummies" to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. "Zero Trust Security for Dummies" has the answers to all your zero trust questions. And the book is available for free. You can download it at edgewise.net/cyberwire. That's edgewise.net/cyberwire. And we thank Edgewise for sponsoring our show.
Dave Bittner: [00:15:39] And I'm pleased to be joined once again by Emily Wilson. She's the fraud intelligence manager at Terbium Labs. Emily, welcome back. You know, certainly GDPR has been top of mind. And one of the things you've been tracking is this possibility that there might be some unintended consequences as the result of GDPR kicking into place. So what's going on here?
Emily Wilson: [00:16:01] One of the news stories that caught my eye recently is this, you know, feedback from the ICO - this is the Information Commissioner's Office out of the U.K., where they're talking about an issue of too many breach reports coming in. The commissioner there, you know, mentioned this issue in a talk they gave at a cybersecurity conference recently, saying that they're getting something like 500 calls a week since GDPR kind of came into play back in May. And, you know, something like a third of these are actually not something that you would need to report.
Emily Wilson: [00:16:34] And beyond that, they're getting people who don't have enough information or can't provide information - you know, aren't in a position to talk more in-depth about, you know, what the issues are in a given situation. I think it's interesting because I don't think any of us would have thought we'd get to a point where there are too many breaches being reported. You know, if we're getting 500 calls a week, I think that speaks to at least some of the volume that we weren't hearing about until now that people didn't have a reason to report until now.
Emily Wilson: [00:17:02] And I think it puts the community in an interesting situation because, you know, we're facing kind of two things here. One, we have the opportunity to get real insight into the frequency of how many data breaches are actually occurring or how many data breaches people think are occurring. And then also, we're seeing some confusion over the process, right? In the meantime, we have companies that seem overly willing to comply, whether because they're concerned about consequences or because, frankly, they need help.
Emily Wilson: [00:17:28] And then in the meantime, who's not reporting? Who are we not hearing from? Who does have a good grasp on the situation and is thinking, you know what - I'm going to just let this one slide and see if they find out?
Emily Wilson: [00:17:38] Something that got my attention from this, some coverage about this comment from the commissioner was, you know, concerns about too many notifications coming in and the problems that can have with breach fatigue and notification fatigue for consumers. And it is a difficult line because, you know, we want that information to come in. I think as a community, we need it to come in.
Emily Wilson: [00:17:59] We need to know what the baseline looks like. We need to know how bad it is and in which ways it's bad so that we can make some progress here and see what we have in common and work on this together. But also, what do we do for consumers? Consumers can't process something like, you know, 500 notifications a week.
Dave Bittner: [00:18:15] Right.
Emily Wilson: [00:18:16] And so how do we work with this data? Because I think we should be collecting it. I think we should be getting as much information about this as we can, if for no other reason than it would be good to know if 250 of the calls each week are coming from companies who haven't had a data breach but have sent email to the wrong - you know, the wrong outside contractor, right? Maybe we wouldn't call that a breach. But if that's a consistent, you know, security concern or a consistent issue of data compromise, then we should be recording that. We should use this to our advantage. But it seems like that's, you know - that's not really how the ICO is set up right now. And so what can we use to fill that space?
Dave Bittner: [00:18:54] Yeah, yeah, it continues to evolve as we face this new reality. Emily Wilson, thanks for joining us.
Emily Wilson: [00:19:00] Thank you.
Dave Bittner: [00:19:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:19:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Edgewise is the industry’s first zero trust platform that stops breaches in the data center and cloud by allowing only verified software to communicate. Using machine learning, Edgewise recommends adaptive policies that eliminate 98% of the network attack surface and protects the rest. Learn more at edgewise.net/cyberwire.