Dave Bittner: The Natanz blast looks like traditional sabotage. CISA releases its strategy for securing industrial control systems. Authorities in Germany seize DDoSecrets' server pursuant to a U.S. request. Microsoft takes down COVID-19-themed BEC and phishing infrastructure. The FBI director denounces China's cyber-espionage. Joe Carrigan helps review personal privacy measures for iOS and Android. Our guest is Steve Moore from Exabeam with insights from a year spent interviewing CISOs. And a look at some DDoS and ransomware attempts.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 8, 2020.
Dave Bittner: It appears increasingly likely that the explosion at Iran's Natanz nuclear facility was sabotage and not a cyberattack. EurAsian Times has a summary of the emerging consensus. The connections, if any, between the Natanz incident and damage recently worked elsewhere in Iran remain unclear, Haaretz notes, but it does seem that Iran's nuclear program figures on some adversary's target list. As usual, international tensions can be expected to bring cyberconflict in their train, but the explosion at Natanz seems to have been produced by an old-school infernal machine physically introduced into the facility's premises. So case almost closed on claims of a cyberattack.
Dave Bittner: The US Cybersecurity and Infrastructure Security Agency yesterday released its strategy document, "Securing Industrial Control Systems: A Unified Initiative." The agency describes its strategy as a multiyear, focused approach to improve CISA's ability to anticipate, prioritize and manage national-level ICS risk. The goals enunciated in the document are, first, empower the ICS community to defend itself. Second, coordinate whole community response and mitigation capabilities to respond to the most significant ICS threats and incidents. Third, vastly improve the community's capability to ingest, synthesize and provide actionable intelligence to ICS asset owners. Fourth, inform ICS investments and proactive risk management of NCFs - that is, national critical functions. Fifth, unify capabilities and resources of the federal government. Sixth, move to proactive ICS security. And, finally, drive positive, sustainable and measurable changes to the ICS risk environment.
Dave Bittner: Vice reports that police in Germany have seized the server used by DDoSecrets, the aspiring successor to WikiLeaks. DDoSecrets doesn't yet know why the server was taken, but the group's leader reasonably assumes it has to do with the BlueLeaks program of doxxing of some 200 US police departments. German news outlets report that the public prosecutor said the server was seized provisionally in response to a request for preliminary security in the context of international legal assistance in criminal matters. It was taken on Friday, pursuant to a US request. It will be up to the Federal Office of Justice to determine whether the server and its contents will eventually be turned over to US authorities.
Dave Bittner: And good hunting, Microsoft. The company's Digital Crimes Unit has taken down infrastructure criminals were using to run COVID-19 phishing scams against consumers. The takedown was authorized by the US District Court for the Eastern District of Virginia, and it affected key domains used for business email compromise attacks against targets in more than 60 countries.
Dave Bittner: At a speech before the Hudson Institute yesterday, US FBI Director Wray denounced Chinese intelligence operations as serving Beijing's ambitions to become the world's dominant power, according to Axios. The Communist Party of China, Director Wray said, believes it's in a generational fight to become the world's sole superpower and that Beijing's assertiveness in cyberspace is a consequence of the strategy that flows from that belief.
Dave Bittner: Industrial espionage and attendant theft of intellectual property figures prominently in that strategy. Wray called the losses to IP theft in particular one of the largest transfers of wealth in history, but there are other dimensions to the conflict in cyberspace than this. A pervasive threat to privacy is one of these - quote, "if you are an American adult, it is more likely than not that China has stolen your personal data. Our data isn't the only thing at stake here. So are our health, our livelihoods and our security," end quote. And the bureau is being kept busy, too - quote, "we've now reached the point where the FBI is opening a new China-related counterintelligence case approximately every 10 hours," end quote.
Dave Bittner: Chinese cyber operations have drawn increasingly strong responses elsewhere. France had, like the UK, decided to give Huawei a limited place in its 5G infrastructure build-out. But again, like the UK, that place is turning out to be more limited than Huawei would've hoped. Chinese participation in France's infrastructure is now expected to top out at 13%, Bloomberg reports.
Dave Bittner: Stephen Moore is vice president and chief security strategist at Exabeam and host of a podcast titled "The New CISO," which is celebrating completion of its first year of publishing. Our CyberWire chief analyst Rick Howard spoke with Steve Moore about insights gathered in a year of speaking with CISOs.
Steve Moore: Organizations have to pay attention to the observations of their defensive teams. They have to utilize those observations to make changes in their environment on an ongoing basis. If they don't, if it doesn't drive audit, if it doesn't drive budget and if that's not a feedback loop, you will fail. You will fail, and it's going to be ugly.
Rick Howard: Well, I think a lot of us are struggling with that whole idea because, you know, the security community gets it, but we've struggled conveying those problems to business people. I wonder if you have any insights about how we could change our tune to make that better.
Steve Moore: Yeah, a lot of thoughts on that as well, but what I will say is that, tactically, we have to remove the snark. And I can - I know this firsthand.
Rick Howard: Oh, that's a good one, yeah.
Steve Moore: We have to - when we create artifacts, let's say around an incident, it has to be very fact-based. And maybe the one thing I did that changed the direction, even related to the breach, is as we had these observations, it's what did you observe? What was the trend of what you observed, so is it in concert with other things? What was the immediate response? And then I want you to put your consulting hat on. This is controversial, but put that hat on and say, OK, be strong enough to say you've extinguished all your available resources. So as a leader, you say, look; either I need additional budget and cooperation, if, in fact, that's what you need, or, I need outside experts brought in to get you a final answer to this. So, for example, you've had an incident and you don't have the ability due to some gap to give a final answer to say are we compromised or are we not, related to this, and so...
Rick Howard: I really like that idea. I've used that in my career, also, when you've stretched your team as far as they can go, right? And I've gone to the boss and said, yes, boss, I can do this new thing that you want me to do, but that means I need to drop one of these five things that you already had me doing. Just so you know, that's what we're doing. And it may not cause him to change his mind or cause her to change her mind, but at least they know that that's what's - they're impacting those other things you've got going.
Steve Moore: Absolutely. You have to roll up - then what I mentioned earlier is to say, OK, how am I articulating this? Can somebody who's nontechnical - so, for example, the observations from the SOC or the equivalent of the SOC, that has to be tracked and managed and worked outside of technology.
Rick Howard: Sure.
Steve Moore: If it's not part of the risk register - and you can't submit every incident, but if you know that 63 of your last 100 incidents or cases, let's say, involve a weakness or a lack of a control or have a gap in visibility and now you can't do your job as a defender and as a responder, if that's not getting tracked in a nontechnical way, that organization is vastly flawed. So when I give advice to companies to say, how do you prevent a breach, how do you recover from one, it's these kinds of things I spend most of my time on.
Dave Bittner: That's our own Rick Howard speaking with Steve Moore from Exabeam.
Dave Bittner: India is standing by its intention to block TikTok as a collection threat, a policy that WIRED sees as an example of the market working against invasive, unregulated technology. The social platform is also facing headwinds in the US, where Reuters reports that both the Federal Trade Commission and the Justice Department are investigating allegations that TikTok is in violation of a consent decree reached last year that was designed to protect children's privacy. The Center for Digital Democracy, the Campaign for a Commercial-Free Childhood and other groups asked in May that the FTC look into their claims that TikTok failed to delete videos and personal information about users age 13 and under, as the consent decree had specified. U.S. Secretary of State Pompeo had said earlier this week that the U.S. government was considering a ban on TikTok for what he characterized as its collection of information on behalf of the Chinese government.
Dave Bittner: Bloomberg Law reports that Mexico's central bank sustained but successfully parried a cyberattack yesterday. Banco de Mexico said that the denial-of-service attempt lasted about half an hour and caused brief, intermittent outages before it was finally stopped and service returned to normal.
Dave Bittner: EDP Renewables North America, a renewable energy subsidiary of Energias de Portugal, has disclosed a data breach. The company characterizes it as unauthorized intrusion into its networks but says it believes no customer data was compromised. SecurityWeek calls the incident a Ragnar Locker ransomware infection.
Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting story came from WIRED. This is written by David Nield, and it's titled "How to Passcode-Lock Any App on Your Phone." Now, Joe, I have to ask you - let me just set up a little scenario here. You're...
Joe Carrigan: OK.
Dave Bittner: You're with a group of friends, and you say to your friend, oh, I have to show you this photo. This is a funny photo. Let me - just look at this photo, or just look at this cute picture of my dog or my child or whatever.
Joe Carrigan: With me, it's more likely to be memes.
Dave Bittner: OK, all right. Here's a funny meme - very good. So you bring it up on your phone and you hand your phone over to your friend, and your friend looks at the phone and they laugh - ha, ha, ha - and then they start scrolling. They start flipping through your photos. Now, I don't know about you, but this creates a certain amount of anxiety in me (laughter).
Joe Carrigan: Yes.
Dave Bittner: So it's like, what are you doing? 'Cause my - I think most of us, we consider our mobile device to be a very intimate device.
Joe Carrigan: Yes.
Dave Bittner: And we have so many things about our life on this. And so what do you do then? So when someone starts flipping, how do you respond?
Joe Carrigan: I snatch my phone back.
Joe Carrigan: That's what I do.
Dave Bittner: Right, OK. Very good, very good. Well, this article is basically about how you can prevent folks from looking beyond what you intend them to look at.
Joe Carrigan: Right.
Dave Bittner: They talk about locking stuff. We're talking about iOS and Android.
Joe Carrigan: Yep.
Dave Bittner: Some apps allow you to do this on their own, for example, like the Signal app, Dropbox. You can lock the app separate from locking the phone.
Joe Carrigan: Correct.
Dave Bittner: And this is a good thing.
Joe Carrigan: I would agree.
Dave Bittner: But it's a little trickier on iOS because iOS doesn't give you the amount of sort of granular control over the system that you get over on Android. So what I like about this is that they have some clever workarounds for how you could lock up apps. One of them is you could use Screen Time, which is an app - sort of not an app. It's a functionality of iOS that allows you to limit the amount of screen time you get on various apps.
Joe Carrigan: You set the Screen Time to zero and then you have to override it?
Dave Bittner: Correct, correct. So if someone tries to change apps, then they have to put in the passcode, which presumably they wouldn't have, or Face ID - wouldn't unlock with Face ID 'cause it's not you who's looking at it.
Joe Carrigan: Right.
Dave Bittner: And then the second one was Guided Access, which is an accessibility function. And with that, if you have that enabled, you can triple-tap one of the buttons on the phone, and that keeps you from switching apps without entering the phone's passcode.
Joe Carrigan: Really?
Dave Bittner: And this is great - yeah. So this is great, like, if you want to let your kid play a game on the phone or, again, if you want someone to be able to not switch away from photos. Doesn't really solve the problem of them flipping through photos, right?
Joe Carrigan: Right, right.
Dave Bittner: But - so it's a little different on Android. Now, I know you're an Android user. So you...
Joe Carrigan: Yep.
Dave Bittner: ...Have a little more control over there.
Joe Carrigan: Yeah. Yeah, of course we do because it's better over here, Dave.
Dave Bittner: (Laughter) I see. Go on.
Joe Carrigan: Android does let third-party apps do their thing, and I have a couple apps on here on my phone that require their own authentication. This article on WIRED is talking about an app called Norton App Lock, which allows you to just go ahead and lock specific apps on your device. So if you want to lock, say, Facebook so that if you're handing somebody a picture - look at my cute, little puppy - then they can't go scrolling through your Facebook feed and, you know, post things on your Facebook feed to say, you know, I think I'm going to go public with this, but I am a furry. So...
Dave Bittner: (Laughter) You're hitting kind of close to home there, Joe.
Joe Carrigan: I know, Dave.
Dave Bittner: (Laughter).
Joe Carrigan: That joke is never going to die, I don't think.
Dave Bittner: Oh, OK.
Joe Carrigan: I'm kind of touchy about my technology, Dave.
Dave Bittner: Yeah?
Joe Carrigan: Like, my computer at home, no one is allowed to even touch it. (Laughter) It's...
Dave Bittner: Really?
Joe Carrigan: That is my computer, right? If you want a computer, you have a computer. Use your computer. Everybody has their own computer. It's kind of like your own personal space, and I feel the same way about my phone. So I don't just hand my phone. I've never - you know, my kids have never said, I want to play a game; hand me your phone. No, you can't play a game on my phone. And the absolute case in point for that is my mom, who has let my nephews play on her Chromebook. And in order for me to get the stuff off the Chromebook that those kids somehow manage to install, I had to...
Dave Bittner: Right.
Joe Carrigan: ...Powerwash the Chromebook, which is a function of the Chromebook. So, no, I don't let other people, particularly kids, handle my computers because you never know what they're going to do. So...
Dave Bittner: Yeah.
Joe Carrigan: But that's me. You know, that's me. I'm kind of a meticulous person with my PC. My office is in disarray, but my computer is well maintained, right? It's...
Dave Bittner: (Laughter) Right, right.
Joe Carrigan: All the files are in the right places. All the software that I want installed is installed. None of the software I don't want installed is not installed. It's just the way I like it, and I don't want you clicking on some link while you're on my computer or on my phone.
Dave Bittner: Now, one of the things they point out here in the article is that the Android store, being the Android store - and I have to nudge you back a little bit there, Joe.
Joe Carrigan: Yes, of course.
Dave Bittner: There are plenty of bad apps there that claim this functionality but are full of ads and...
Joe Carrigan: Yep.
Dave Bittner: ...Who knows what else?
Joe Carrigan: Yeah.
Dave Bittner: So you have to be careful as you do. And again, seems like they had good luck with the Norton App Lock app, so that's WIRED's recommendation.
Joe Carrigan: I would stick with that. That's a good recommendation. Norton's a trusted company.
Dave Bittner: Yeah, yeah. All right, well, fun stuff. Be careful out there, and don't hand your phone over to anybody you don't trust. Or if you're Joe, don't hand your phone over to anybody (laughter).
Joe Carrigan: That's right.
Dave Bittner: All right, Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.