The CyberWire Daily Podcast 7.10.20
Ep 1127 | 7.10.20

The importance of staying up-to-date. Conti ransomware gains as Ryuk fades. Germany warns of Chinese companies’ data collection. Huawei’s fortunes in Canada and UK. Hushpuppi update.

Transcript

Dave Bittner: Unpatched and beyond-end-of-life systems are, again, at risk. Conti ransomware appears to be steadily displacing its ancestor Ryuk in criminal markets. Are privacy laws as consumer friendly as they are often taken to be? There may be some grounds for doubt. German security services warn of the espionage potential of Chinese companies' data collection. Huawei skepticism grows in Germany, Canada and the U.K. Zully Ramzan from RSA on zero trust. Our guest is Conan Ward from QOMPLX on the unfortunate reality of cyber insurance in light of the third anniversary of NotPetya. And Ray Hushpuppi says the feds didn't extradite him; they kidnapped him. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 10, 2020. 

Dave Bittner: At the week's end, there's more news of attacks against unpatched or outdated systems. The first one affects Citrix systems. Attackers are actively scanning for recently patched vulnerabilities in Citrix Application Delivery Controller, Citrix Gateway and the Citrix-SD-WAN WANOP appliance, the SANS Institute reports. Users are urged to apply the patches as soon as possible. When Citrix issued the patches at the beginning of this week, there were no signs that exploits existed for the vulnerabilities, but that's changed. SANS says its honeypots have found attempts at exploitation. So, again, patch as soon as possible. 

Dave Bittner: The second issue affects systems that are out of date and no longer supported. A Zoom zero-day has been found that affects older Windows systems - Windows 7 and earlier - that are beyond their end of life. Too many of these remain in use, according to a report on the 0Patch blog. Exploitation could enable an attacker to execute arbitrary code on the victim's device. ZDNet says Zoom is working on a fix. The company said, "Zoom takes all reports of potential security vulnerabilities seriously. This morning, we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it," end quote. The zero-day is another reminder of the degree to which the continued use of systems beyond end of life represent a threat to security and privacy. Acros Security, proprietors of 0Patch, has put out a mini-patch to hold affected users over until Zoom has finished addressing the issue. 

Dave Bittner: Security researchers Pierre Kim and Alexandre Torres report finding vulnerabilities in widely used Fiber-To-The-Home and Optical Line Termination devices sold by Shenzhen-based C-Data. ZDNet observes that, of the seven vulnerabilities found, the most serious is the hardcoding of Telnet accounts in the firmware. These grant intruders full administrative access to the devices. Twenty-nine C-Data models are affected. The devices are used by ISPs at the point where fiber optics connect to the end users' ethernet connections. Kim and Torres published their warning without notifying C-Data, and they did say they did so because they believe that some of the vulnerabilities were intentionally placed in the devices. 

Dave Bittner: BleepingComputer reports that Ryuk ransomware is fading while its malware sibling Conti, which with Ryuk shares code, is rising. Carbon Black researchers share some details of Conti's workings. This represents a shift in the criminal markets and not really either an increase or decrease in the overall threat of ransomware. The same precautions you should take to protect yourself against this kind of extortion remain as important as ever. 

Dave Bittner: But Conti does represent an evolutionary upgrade over Ryuk. It is, for example, manually controllable by its operators. That might seem a step back since we're accustomed to thinking of automation as, well, newer, better and shinier in every respect. But that's not true in this case. It enables subtler operation. Carbon Black said, quote, "the notable effect of this capability is that it can cause targeted damage in an environment in a method that could frustrate incident response activities. A successful attack may have destruction that's limited to the shares of a server that has no internet capability but where there is no evidence of similar destruction elsewhere in the environment" - end quote. 

Dave Bittner: Data brokers continue to collect information for the benefit of advertisers, and TechCrunch concludes that existing laws seeking to inhibit them are unlikely to do so, at least as those laws and their attendant regulations now stand. Duo Security ran its own test of the California Consumer Privacy Act and decided that even finding out what data were collected is just about prohibitively difficult. Preventing their sharing with third parties seems even harder. Chinese companies and their products have continued to attract fresh skepticism from governments that formally welcomed or at least tolerated them in their national markets. The AP says that yesterday's annual report of Germany's BfV, the domestic security agency, warned that consumers providing information to Chinese companies may also be providing it to the Chinese government. Thomas Haldenwang, the agency's director, told reporters that "any customer here in Germany who uses such a system shouldn't be surprised if this data is abused in Beijing. We can only warn against this" - end quote. By such a system, Herr Haldenwang meant not only obvious big Chinese companies whose business deals in large quantities of information, companies like Tencent and Alibaba, but even smaller, easily overlooked outfits like bike sharing apps. The grounds for the BfV's suspicions are the legal obligations Chinese companies have to provide data to the Chinese government. 

Dave Bittner: There are, however, other concerns being voiced in Berlin. Horst Seehofer, Germany's interior minister, said that the government had yet to reach its political decision on whether to permit Huawei to supply equipment to the country's cell service providers. But he sounded a distinctly cautious note. He told reporters, quote, "when it comes to critical infrastructure in the energy supply or now with 5G lines, we have to consider how we can protect ourselves" - end quote. Huawei also received a grilling in the U.K. where Parliament's Science and Technology Committee heard from a company senior British executive, vice president Jeremy Thompson, who testified to the company's willingness to permit its employees to freely express themselves and that the company represented no extraordinary threat to civil liberties. His evasive answer, however, to a question by committee chair Greg Clark about his views of the new Hong Kong national security law undid much of the intended effect of his testimony and probably did Huawei's case little good in Westminster. The Telegraph bluntly says that chairman Clark tied Mr. Thompson in knots. And in one of the other Five Eyes, Canada, which had remained on better terms with Huawei than its four Anglophone sisters, global news reports that experts see official opinion moving toward a more restrictive approach to the companies. 

Dave Bittner: And finally, the first outline of the defense of Ramon Olorunwa Abbas is now growing clearer. The Nigerian national is well known as an Instagram influencer under the name of Ray Hushpuppi, who is currently facing U.S. federal charges alleging his involvement in internet scams. Mr. Hushpuppi's attorney says his extradition to the U.S. from Dubai was illegal and amounted to kidnapping - seems like a bit of a reach, but we shall see. 

Dave Bittner: My guest today is Conan Ward. He's CEO at QOMPLX:UNDERWRITING, a New York-based insurance company. Our conversation centers on the complex reality of cyber insurance in light of the third anniversary of not NotPetya. Here's Conan Ward. 

Conan Ward: At that point in the market place when NotPetya hit, you had a - some disagreements over what we call in the industry affirmative or non-affirmative or silent cyber coverage. And so, you know, in traditional property and casualty products, there are exclusions that have existed for a very, very long time. And so, you know, two of those kinds of exclusions that are almost universal are war and fidelity, this idea of an employee behaving dishonestly or in a criminal way. Well, those are two of the more important sources of loss and mayhem with respect to an owned network of a potential customer. And so just saying something like, oh, well, we'll cover cyber inside of a property policy, you know, in many ways, isn't really the right approach. And I think customers liked it because they felt like they were getting a coverage grant for free or for not a lot of money. But the reality is that product isn't designed to do - to cover a cyber network. 

Dave Bittner: What are your recommendations for folks who are concerned that they don't want to be just, you know, checking off compliance check boxes. You know, cyber insurance, check, we've got it. You know, how do they go out there and know that they're properly covered? 

Conan Ward: Yeah, I think they should look at a variety of the coverage. I think most of the dedicated cyber policies do some of that. You know, they almost all have a crisis management element. They have third-party coverage, first-party coverage. You know, most of the exclusions that clients would worry about are gone. I think that the bigger challenge for some customers is, can they buy enough cyber - dedicated cyber-coverage to fulfill their needs. And defining those needs in terms of financial quantification, I think we, as an industry and working with the clients, have to help clients quantify better what their security profile would dictate in terms of more of a stochastic financial view of risk because that informs a lot of different things. You know, it informs how much you spend for resilience, how much you spend on prevention and how much insurance you should buy and what you should spend for it. 

Dave Bittner: Is there any talk in the industry or any fear in the industry that cyber insurance could end up similar to the way we - the situation we have with, say, flood insurance, where it has to be underwritten at a federal level because the potential losses are so significant? 

Conan Ward: You know, I think that's a reasonable question. There is certainly a huge role for private enterprise in this whole thing. And, you know, I think we as an industry and the client base have to do more work to quantify the kinds of losses that we think of as truly catastrophic. You know, if we think about $3 billion in loss from not - you know, that's a big number, but in the context of 9/11, or, you know, a Category 5 hurricane hitting Miami, or half of California falling into the ocean, you know, $3 billion is not a big number. Are there possible numbers a lot bigger than $3 billion? To be sure. Cyber is unique in as much as there's a lot more - it's a lot more like terrorism. It's got a game theory quality to it where you've got adversaries on both sides trying trying to outwit each other. 

Conan Ward: And so if the adversaries get the upper hand and have some artisan-level malware that impacts everybody at the same time and brings down a bunch of the web service providers, you could well be looking at the kind of catastrophic event where it would make sense for some federal involvement. But that would be at a very, very high level, and that kind of risk is worrisome. It's a systemic, non-banking kind of risk that, you know, I would argue with nuclear, biological, radiological terrorism, EMP weapons, other acts of war, you know, there is definitely a place for the federal government in those things, but not to crowd out industry. And I think, you know, I think industry can handle most of what goes on. But again, you know, there is always that smaller probability of an artisan-level attack that can take down multiple web service providers and really put the economy on its heels. 

Dave Bittner: That's Conan Ward from QOMPLX:UNDERWRITING. If you want to hear an extended version of this interview, head on over to thecyberwire.com. You can find it there in the CyberWire Pro section. 

Dave Bittner: And I'm pleased to be joined once again by Dr. Zulfikar Ramzan from RSA. Zulie, it's great to have you back. I want to touch today on Zero Trust. It's a hot topic, and I'm curious what your take is on it. How do you come at this? 

Zulfikar Ramzan: Zero Trust - as you noted, Dave, it's been an incredibly hot topic. It's predicated on this very nice notion of, you know, never trust, always verify. And this is meant to replace this age-old adage of trust, but verify. And the goal with zero trust is that in a security context, trust is kind of a negative notion, right? The idea is that if I am trusting something, that usually means I am implicitly required to trust it without really having any assurance that it's trustworthy. And so what you want in security is not to trust something. You want systems that are trustworthy. You want to avoid what you have to trust because that's usually a bad assumption to make in many cases. And so I think the goal with zero trust is fundamentally, how do I reduce my trust service? How do I minimize what I need to trust? And so in that way, I think it's become very attractive but I think also has many pitfalls associated with how you implement it correctly. 

Dave Bittner: Well, let's go through that. What are your concerns? 

Zulfikar Ramzan: So first of all, I think it's important to realize that the idea of zero trust - even though the nomenclature is relatively recent, produced about 10 years ago by John Kindervag, an analyst at Forrester - the notion itself - the concepts underlying zero trust have been around for a lot longer. So if you look back in the '70s, you know, Saltzer was talking about least privilege. You know, in the late '70s, the early papers on cryptography, the Rivest, Shamir and Adleman paper and the Diffie and Hellman paper talked about certificate authorities in the context of them being trusted authorities. And it was noted that trust was a negative notion in that context. Ken Thompson gave a wonderful lecture in '84 when he won the Turing Award called "Reflections on Trusting Trust." 

Zulfikar Ramzan: And so many of these notions have been around for a long time. So first of all, people should not think that zero trust is something that's brand-new. Many of the technologies in the industry have already evolved to help organizations manage and reduce their trust surface. So I think that's the first thing to keep in mind. 

Zulfikar Ramzan: The second thing to keep in mind is that, at a fundamental level, zero trust is not a reachable goal, right? You're never going to get to the point where trust is zero because ultimately, it's just too complex. I mean, maybe I trust - maybe I've got a device, and I've been able to do some elements of being able to monitor that device, but that might not be enough. I mean, the reality is that, do I know about every line of code on that device? Do I know how that code was compiled? Do I know about every software component? And at some level, you kind of run out of the ability to really dig that deeply. And so I think we never get to zero trust, but it's more of a journey. I think it's healthy to have a zero trust mindset but never to expect fully to reach zero trust. 

Dave Bittner: What are your recommendations for people to dial that in, to put forth a reasonable effort, you know, balancing all their available resources, you know, funds, all those sorts of things? 

Zulfikar Ramzan: Yeah. So I think the main thing is to keep in mind that there's no sort of one technology that gives you zero trust. It's not like some vendor says - and a lot of vendors have done this in their marketing material. They say, zero trust everywhere. And they give this implication that they can help you solve your zero trust woes, that they're one piece of the puzzle. 

Zulfikar Ramzan: But the reality is that zero trust, to get it done correctly or to really approach zero trust in any organization, requires a variety of technical capabilities. You have to have strong authentication with a risk agent, so you can ensure that all resources are accessed in a secure manner regardless of location. You may want to have Identity Governance and Lifecycle and various types of access control mechanisms around knowing that access control is handled on a need-to-know basis and is strictly enforced. And finally, you also do need monitoring solutions. That includes network monitoring from logs and packets to endpoint to cloud and SAS and beyond, maybe PIoT paths and IoT and so on and so forth, so you can inspect and log all traffic, which is a critical component of being able to always verify, right? If you don't have visibility, how do you know the things are going in the right way? 

Zulfikar Ramzan: So I think that, really, those elements are key approaches to making sure you have a complete technology stack for being able to address these issues. But really, the more important point is that these issues help you get towards zero trust. But really, zero trust has to be not just a mindset. You've got to think about the right strategy you want to use to approach zero trust. In that vein, I tell people, look. Take a risk-oriented approach. There are many things you can do that would help reduce your trust surface, but only a handful may make sense for your organization. So for example, you know, if you look at something like client-side TLS, that would help organizations achieve zero trust because in a way, you're really enforcing that your clients are included as part of the authentication process and creating strong mutual authentication. But ultimately, client-side TLS would be a terrible idea if you're an e-commerce vendor because that would prevent your customers from getting to your assets. 

Zulfikar Ramzan: And so even though there's a technology that's helping you get to zero trust, it may not be the right technology for your environment. And there may be many paths towards reducing your trust surface. The real focus has to be, in my mind, a risk-driven approach that accounts for your overall business priorities. 

Dave Bittner: All right. Well, Zulfikar Ramzan is the chief technology officer at RSA. Thanks so much for joining us. 

Zulfikar Ramzan: Absolutely. Thank you so much, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, Proofpoint's ObserveIT, the leading people-centric insider threat management solution. Learn more at observeit.com. 

Dave Bittner: Don't miss Research Saturday. My guest is Maggie Jauregui. She's a security researcher at Intel. And we'll be discussing the firmware blind spots that impact security. That's Research Saturday. Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.