The CyberWire Daily Podcast 4.16.21
Ep 1313 | 4.16.21

International reactions to US sanctions against Russia (positively reviewed in Europe and the UK, but panned by Russia). Continuing threats to the cold chain. Natanz back in business? Data breach notes.

Transcript

Dave Bittner: Are you a hiring manager or recruiter? Could you benefit from a cost-efficient and easy way to train your new staff in cyber? We know that it can be expensive and time consuming to ramp up new hires. That's why CyberWire Pro is available at a discount to large groups, so that you and your team can get up to speed and stay there. CyberWire Pro brings the most important information in a concise and easily retainable way, all while saving you time. Contact us to get your special group pricing at thecyberwire.com/contactus. That's thecyberwire.com/contactus.

Dave Bittner: The European Union expresses solidarity with the US over the SolarWinds incident. The U.K. joins the U.S. in attributing the incident to Russia. Russia objects to U.S. sanctions and hints strongly that it intends to retaliate. IBM discloses new cyberthreats to the COVID-19 vaccine cold chain. Iran says Natanz is back in business. Kevin Magee from Microsoft looks at the security of startups. Our guest is Brad Ree from the ioXt Alliance with results from their Mobile IoT Benchmark report. And data breaches hit people who park and people who read. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 16, 2021. 

Dave Bittner: The European Council has expressed soft solidarity with the U.S. on the impact of malicious cyber activities, notably the SolarWinds cyber operation, which the United States assesses has been conducted by the Russian Federation. The EC's principal interest, as expressed in its statement, is to call for the development of international norms to inhibit attacks on the ICT supply chain in particular. That call is consistent with the aspirations expressed by the White House in yesterday's statement. 

Dave Bittner: ZDNet says that the U.K. has joined the U.S. in attributing the SolarWinds compromise to the Russian organs. Russia dismisses the British stance as idle me-too-ism; Whitehall is just going along with its Yankee cousins. The Guardian quotes Sergei Naryshkin, head of Russia's SVR - that's Cozy Bear, if you're keeping track of the malign menagerie on your score card - saying that U.S. sanctions introduced yesterday were an unfriendly step, which in his opinion is also poorly considered, that would contribute to the destruction of international stability. 

Dave Bittner: The Hill reports that Russian authorities denounced the sanctions as illegal and rumble about retaliation in kind. Reuters quotes Kremlin spokesman Dmitry Peskov as saying, quote, "We condemn any intentions to impose sanctions, consider them illegal, and in any case, the principle of reciprocity operates in this area, reciprocity so that our own interests are ensured in the best possible way," end quote. That is, what's sauce for the Moscow goose is equally sauce for the U.S. gander - sanction us, and we'll sanction you back. 

Dave Bittner: Reciprocity isn't necessarily symmetrical. Indeed, in this case it can't be. The U.S. isn't vulnerable to Russian economic restrictions, for example, in the way interruption of trade with the U.S. and its allies is a pain point for Moscow. But expect such measures as expulsion of a comparable number of U.S. diplomats from their Russian stations. This happened during the last round of reprisal for Russian hacking, when the previous U.S. administration expelled 60 Russian diplomats, and Russia responded by giving 60 American diplomats the boot. 

Dave Bittner: Immediately after imposing the sanctions, U.S. President Biden waved the carrot of high-level talks to ameliorate tensions between Washington and Moscow, NBC News reports. The U.S. sanctions against Russia have received general bipartisan approval from Congress. If anything, congressional barking suggests that Capitol Hill is ready for an even harder line than the one the administration has actually taken. 

Dave Bittner: Among the Russian organizations affected by U.S. sanctions were six companies. The U.S. Treasury Department names them as Positive Technologies, ERA Technopolis, Nobelists, Neobit, Advanced System Technology - AST - Pasit and SVA. The biggest fish in Treasury's net is Positive Technologies. Quote, "Positive Technologies is a Russian IT security firm that supports Russian government clients, including the FSB. Positive Technologies provides computer network security solutions to Russian businesses, foreign governments and international companies and hosts large-scale conventions that are used as recruiting events for the FSB and GRU," end quote. 

Dave Bittner: MIT Technology Review devotes a long article this week to Positive Technologies. It's a billion-dollar operation, a tech unicorn whose research into vulnerabilities is widely respected and often quoted. That's fine, of course, but U.S. intelligence services have also concluded that Positive Technologies provides offensive cyber tools, consulting on such operations and even direct operational support to Russian espionage agencies. Positive Technologies works with a range of Russian agencies, but it's thought to be especially close to the FSB, whom it provides exploit discovery, malware development and even reverse engineering of cyber capabilities. 

Dave Bittner: A note from our linguistics desk - Positive Technologies has an English name. A number of media outlets have spelled the company's name in a way that makes it look Russian, but it's not. It's simply pronounced Positive Technologies, transliterated into Cyrillic and then transliterated back into the Roman alphabet. 

Dave Bittner: IBM warns that the COVID-19 vaccine cold chain, the refrigerated logistics necessary to ship and store vaccines, remains an attractive target for active cyberattack. The company's Security X-Force says that it's recently discovered an additional 50 files tied to spear-phishing emails that targeted 44 companies in 14 countries in Europe, North America, South America, Africa and Asia. The campaign impersonates an executive from Haier Biomedical, IBM says, going on to explain that this is a major Chinese biomedical company that is purported to be the world's only complete cold chain provider. 

Dave Bittner: So why would someone be interested in these particular targets? The vaccine cold chain is an international one, with participation by companies from many nations active in several sectors and by governments, international organizations like UNICEF and various non-governmental organizations. So there's a great deal to find. IBM recommends that everyone involved with the cold chain stay vigilant and that they check TruStar Station for updates. 

Dave Bittner: Whatever somebody - probably Israel - did at Natanz - probably a bomb - the enrichment facility seems back in business and now producing 60% Uranium-235, or so Iranian authorities tell Reuters. 

Dave Bittner: And finally, are yinz thinking of parking in Pittsburgh? Yinz out of luck. The Pittsburgh Parking Authority's app has been breached by some jagoff, the Pittsburgh Tribune says, although not exactly in those words. About 20 million drivers, or at least parkers, are affected. And since the Steel City has just north of 300,000 residents, the arithmetic-savvy listener will soon conclude that this must be wider than the Monongahela Valley, deeper than the Allegheny River, and it is. Yinz don't even need to be a Carnegie Mellon grad to figure that out. It's a third-party problem deriving from a breach at the ParkMobile service detected at the end of March. Why do we mention Pittsburgh in particular? We just like talking about yinz, and besides, we saw the article in the Trib. 

Dave Bittner: It is becoming more and more the norm that if you buy any type of electronic device, there's a companion app that goes along with it. In my own life, I've got apps for my bathroom scale, lights and appliances and even my son's fancy new electric scooter. The folks at the ioXt Alliance recently partnered with the team at NowSecure on a report titled "Mobile IoT Benchmark: The State of Mobile App Security." Brad Ree is CTO at the ioXt Alliance. 

Brad Ree: So the ioXt Alliance is an organization of leading IoT and device manufacturers who are really working to basically address the cybersecurity concerns for smart home, smart building and cellular IoT spaces, all of which have nothing to do with this mobile application. However, in the last six months, what we did was we realized that in all of these connected devices, there's the device, but there's also the companion application. 

Brad Ree: So from that, we've launched a mobile application certification program. And we've worked with NowSecure, who's one of our authorized labs, to help set up the certification program. And more importantly, they went and did a market survey of what the landscape of connected apps look like. And so that was the genesis of where the report came from, with many of these findings ultimately being rolled into our certification program. 

Dave Bittner: Are there any trends here in terms of, you know, certain types of devices tend to be more attentive when it comes to security? 

Brad Ree: So the biggest trend that I actually see out of this is that many of the developers, or at least the managers over the development teams, were surprised at the results. So for the most part, many people, you know, think that they're following, you know, best practices and everything, but it's only when you sort of get that third-party assessment that libraries may have been included that had some issues, or, you know, developer code that was left in and not fully thought through was left and exposed. So like I say, unfortunately, the biggest trend is a little bit of a surprise on many at the developer side. 

Dave Bittner: Interesting. Now, tell me about the process of certification. What do folks have to do to go down that pathway, and what are the benefits? 

Brad Ree: Sure. Well, we have a couple of different ways that we're certifying devices and everything. So we went in first to find a standard that is testable and scalable. And what we really mean by that is it has to be able to address the hundreds of thousands of devices or the millions of apps out there and everything. So we have a self-cert program, where developers can come in and basically run through the questionnaire and everything themselves. Or, working with labs like NowSecure and some of our other authorized labs, we can also have third-party assessments. And then a bunch of our labs have also been working on - like NowSecure has some tools that they offer that manufacturers can use to do some automated scans to look for the low-hanging fruit of the security issues. 

Dave Bittner: Are there any things that folks can do who are the consumers of these devices in terms of, you know, having any assurances that the combos that they're using are as secure as they think they should be? 

Brad Ree: Yeah, there's a couple of things. There is a little bit of a challenge, which is where ioXt Alliance is really trying to step in with having a certification that is public and visible and everything else. But, you know, I would caution consumers when they're installing apps and permissions are being requested, they should think twice about what that permission is. Don't just blanket accept everything. I'll throw a great example. We had a - took a look at a - it was a manufacturer of air conditioners. And their mobile app for controlling an air conditioner was actually asking for both access to the microphone and recorded sessions. And I contend there's very few air conditioners that need to have access to any kind of recording material. 

Dave Bittner: (Laughter) I concur. I concur. 

Brad Ree: Absolutely. So some of those - you know, those kind of things really definitely jump out. And you should just take a deep breath and not accept everything that's required, or use at least temporary permissions. 

Dave Bittner: That's Brad Ree from the ioXt Alliance. The report is titled "Mobile IoT Benchmark: The State of Mobile App Security." 

Dave Bittner: And joining me once again is Kevin Magee. He's the chief security and compliance officer at Microsoft Canada. Kevin, it's great to have you back. I know you do a lot of work with startups, and in particular, you do work with startups who are not necessarily in the cybersecurity realm. I was curious, you know, what sort of insights can you share from the work you do with those sorts of organizations? 

Kevin Magee: Yeah. Thanks for having me again, Dave. Previous, obviously, to my role at Microsoft, I was involved in a number of startups, some successful, some for not. I definitely have a preference for which ones I enjoyed being a part of. But, you know, a lot of the cybersecurity startups really think about cybersecurity up front and build it into their internal processes or not. Other startups that are not based on security or don't have a product based on security really have to keep focused on a lot of different things. And security might be pushed down and down in the priority list, which can be for what is perceived, like, the right reason. 

Kevin Magee: I'll give you the example. If you've got a product where you want user adoption to happen really quickly, so you can demonstrate to funders that you need more money, adding multifactor authentication or other sort of friction for security will actually decrease your user adoption. So making those decisions based on growth alone can leave you exposed to a lot of security problems. Working with the startups to have that discussion up front, to really look at, you know, how do we manage that risk is something I really enjoy and feel adds a lot of value to these startup founders. 

Dave Bittner: What do - what are some of the advantages that startups have these days when it comes to their security posture versus organizations that have been around for a while? 

Kevin Magee: Well, they can take a lot of advantage of decades of best practices of cybersecurity. So we've got cloud computing that comes with a lot of defaults turned on. Most of the users and startups are, you know, familiar with things like multifactor authentication or DevSecOps or whatnot. But they also don't have this sort of legacy of policies, procedures or infrastructure that was built during a different time where different legislation or it needs to be retrofitted. So they get to start from scratch. So taking advantage of getting those norms and leaning in on what's already available, but also then balancing that with making sure that you're not creating additional technical debt by avoiding security for, like I mentioned before, user adoption or other things that are relevant to the business. It can still be a challenge. 

Dave Bittner: Does having so many things that we rely on, so many of the technical aspects of running a business, having them be cloud based these days, is that overall an advantage in your estimation? 

Kevin Magee: It is, because, again, it provides a lot of security by default. It allows a lot of scale. You can very quickly and cheaply scale a startup. My first one was in the '90s. We had to buy physical servers or build them. It was really difficult to provide that level of scale if you needed compute power, which is now really cheaply available and securely available. But it also accumulates a lot of data and a lot of assets in one place that are of - really valuable for hackers to go after. So again, it's a - one of those balancing acts. How do you take full advantage of all the opportunities that cloud and new technologies offer, but making sure that you're also not becoming a very attractive target for hackers as well? 

Dave Bittner: Do you suppose that there's sort of a cultural evolution here? I'm thinking of, you know, when you start up a business, people will advise you that there are certain professionals you need to engage with. You know, you need someone to help you with your insurance. You need a good lawyer, you know, those sorts of things. Are we approaching a point where cybersecurity professionals are part of that list? 

Kevin Magee: I would like to think so. You know, having a great accountant can make sure you don't get an audit. Having a good lawyer set you up for success if you are ever sued or whatnot. So having a great cybersecurity professional at the beginning would be a great addition to your team, but often that's seen as an expense or maybe an expense that could be pushed off or reprioritized to the future, generally to the detriment of the company should an event happen. But it's certainly something that startups could take full advantage of. 

Kevin Magee: Startups also have much more to lose than the average business. If there's a compromise of a credit card, you might lose up to the credit card limit. If there's a business email compromise, an invoice may be improperly paid. But if a startup really gets hacked, maybe their IP gets stolen, and they have no reason to exist anymore. Or if there's reputational damage because of a hack, they can't get funding and whatnot as well. So there's a lot more at risk for an early stage startup to get it wrong. And so it becomes super important to really get it right. 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cyber security leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed - fights bad breath, doesn't give you medicine breath. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Be sure to check out "Research Saturday" and my conversation with Deepen Desai from Zscaler. We're discussing a new Trojan malware that's using social engineering techniques and fake cybersecurity resume cover letters. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.