The CyberWire Daily Podcast 7.27.21
Ep 1383 | 7.27.21

South African ports invoke force majeure over cyberattack. Documents indicate Iranian interest in control systems attacks. Dark web wanted ads. Cyber diplomacy. Lousy cafeteria food?

Transcript

Dave Bittner: Transnet declares force majeure over cyberattack on South African port management. The IRGC apparently is Googling a bunch of stuff about gas stations and merchant ships. Kaseya's denial of paying ransom has legs. Criminal coders like obscure languages. The AvosLocker gang is looking for pentesters, access brokers and affiliates. The U.S. and China hold frank and open conversations about cyber tensions. Ben Yelin explains the tech implications of President Biden's recent executive order. Our guest is Eve Maler from ForgeRock on their third annual breach report. And hey, NSA, what did you have for lunch today?

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 27, 2021. 

Dave Bittner: Moneyweb reports that South Africa's Transnet has declared force majeure, and thus claimed relief from liability, in a letter to its customers, acknowledging that what was initially described as disruption on an IT network amounted to an act of cyberattack, security intrusion and sabotage. The letter explains, quote, "investigators are currently determining the exact source of the cause of compromise and extent of the ICT data security breach sabotage. Transnet is implementing all available and reasonable mitigation measures to limit the impact of this compromise", end quote. Declaration of force majeure is unusual and indicates some major interference with Transnet's ability to deliver services. According to Bloomberg, operations at South Africa's six major container ports have been disrupted, and Transnet's recovery remains a work in progress. 

Dave Bittner: Sky News has obtained and published documents it believes represent planning by the Shahid Kaveh unit of Iran's Revolutionary Guard Corps for cyberattacks against ships and oil facilities. The documents also indicate an interest in satellite communication systems, especially as they're used in maritime operations, and in building control systems. Western firms, particularly companies in the U.K., the U.S. and France, figure among the intelligence targets. What Sky News describes as a security source with knowledge of the 57-page bundle of five research reports anonymously told the news outlet that they - that is, the IRGC - are creating a target bank to be used whenever they see fit. 

Dave Bittner: The Shahid Kaveh documents included observations on shipboard ballast systems and the pumps that control them. There were also discussions of retail-level vulnerabilities in automatic fuel gauges and tank management systems at filling stations. Disruptions to those systems, the document said, could result in disruption of the fuel supply and explosion of fuel station tanks through access to the control equipment. The observations on satellite communications concentrated on two systems - the Seagull 5000i, which provides phone, fax and other data services via a satellite link, and the Sealink CIR. As Sky News notes, the documents don't contain any particularly sophisticated insights or evidence of deep research into the systems the authors discuss. Indeed, much of the material seems to be the result of Google dorking, simply pulling research results and compiling them into a report. 

Dave Bittner: So alarmism about imminent Iranian cyberattacks on ships and filling stations would be premature at best; the documents are not a sign that Iran has developed and deployed significant capability to exploit control system vulnerabilities. That Iran, like most other countries, is interested in cyberattack capabilities is well-known. So the Sky News documents are interesting but don't really present cause for alarm. In fairness, we would be remiss if we didn't point out that some interest in vulnerabilities at this level is equally consistent with defensive as offensive planning, but potential targets would be wise to look to their defenses. 

Dave Bittner: As we've seen, Kaseya yesterday responded to speculation that it had paid off the REvil gang to obtain a decryptor with a categorical denial that it had either paid ransom or negotiated with the extortionists. There's no word on reasons for the non-disclosure agreement Kaseya asked customers to sign and which prompted much of the speculation that the ransom had been paid. But as experts interviewed by ZDNet note, there's nothing inherently nefarious about an NDA. 

Dave Bittner: BlackBerry reports a trend. Cybercriminals are using uncommon programming languages to help evade detection. This isn't entirely new, either, as BlackBerry says. But the languages Go, D, Nim and Rust currently seem to be in favor with criminal coders. 

Dave Bittner: Malwarebytes reports that the relatively young ransomware gang that operates AvosLocker is advertising on the dark web both for employees, especially access brokers and pentesters with experience in Active Directory networks, and for affiliates. In their marketing emails to their victims, the AvosLocker runners lapse into the current clichés, warning the affected organizations that their files have been locked with military-grade encryption. 

Dave Bittner: The U.S. and China yesterday concluded two days of high-level talks about a range of issues that include, from the U.S. side, human rights concerns, the security of Taiwan and what the U.S. sees as Chinese misbehavior in cyberspace. A State Department communique described discussions as frank and open, which is customary Foggy Bottom-speak for salty and contentious. The U.S. was represented by Deputy Secretary of State Wendy Sherman, who traveled to China for discussions with State Councilor and Foreign Minister Wang Yi and other PRC officials. The U.S. said it welcomed competition, and while it didn't seek conflict with the People's Republic, wouldn't hesitate to defend and advance its own interests. 

Dave Bittner: And finally, how's your cafeteria treating you nowadays? Nice food? Stable prices? Good value? Apparently, the NSA cafeterias at Fort Meade are disappointing, serving less-than-toothsome food at prices that seem both high and unstable. Motherboard is covering this story, and it took them a Freedom of Information Act request to get the inside skinny on the diners' complaints. 

Dave Bittner: A lot of them are concerned with the eggs, sodas and salads, which are not perceived as being necessarily a good value, and also about the disparity between the prices of chicken at two different locations. The FOIA researcher who got copies of the complaints - and hats off to you, Ms. Emily Crose - quotes one of the disgruntled NSA types as summing up, quote, "With all the problems going on with the [redacted] cafeteria, an increase in pricing should be the last thing they are worried about," end quote. 

Dave Bittner: Some of the dissatisfied customers seem more concerned about fluctuations in price. Since the changes cited amount to between 6 and 12 cents, the objections seem more matters of an outraged sense of order than they do a financially based complaint. Our government service desk speculates that this probably means linguists are heavily overrepresented in the complaint box since this kind of thing seems more up their alley than it does, say, the alleys of computer engineers or intelligence analysts. But of course, that's just speculation. It could also be U.S. Army personnel offering suggestions since it's a long-standing tradition in the senior service to regard an invitation to complain about food as an occasion for joie de combat, which would place a much happier construction on the whole incident. One experienced and anonymous source told us those critters, meaning GIs, would [expletive] plutonium and hydrazine if it gave them a chance to complain. 

Dave Bittner: Maybe that's just the way things are at the redacted cafeteria, which is what we now intend to call any restaurant we might open in the future. But are things bad in the other Four Eyes? Maybe, an anonymous source close to the intelligence community told Motherboard. "Maybe not the worst cafeteria I've ever eaten in, but worse than the time I ate at a U.S.-run military base mess hall," the anonymous source said, adding, "for comparison, the equivalent cafeteria in Australia was much better, but not exciting. And the Canadian one was somehow worse, though that might just be because I ate there so many more times," end quote. If you're eating at one of these facilities, from Cheltenham to Canberra, feel free to vent to us in an email. 

Dave Bittner: The team at identity and access-management platform provider ForgeRock recently released their 2021 Consumer Identity Breach Report, tracking the trending targets and financial impact of breaches over the last year. Eve Maler is chief technology officer at ForgeRock. 

Eve Maler: Attacks using usernames and passwords increased 450% in 2020. So that was the cause of 1.48 billion breached records. So that's one thing - not a good thing. 

Dave Bittner: Wow. What else? 

Eve Maler: So for the third consecutive year, unauthorized access - so partly caused by usernames and passwords being used - was the most common type of breach. And that accounted for 43% of breaches. Another thing was that health care, again, was the most commonly targeted sector. So that accounted for about a third of all breaches, 34% of those breaches. And it also, again, had the highest average cost to enterprises per compromised record at $474 per record. 

Dave Bittner: When you look at the overall financial impact here, what stands out to you? I mean, who got hit the worst? 

Eve Maler: Well, unfortunately, it was the tech sector, something we know a lot about. The tech sector, in aggregate, paid the highest cost of recovery at $288 billion. And they had 1.6 billion records stolen in total. That's the technology sector there. 

Dave Bittner: So what are the overall recommendations, then, for organizations and folks out there to better protect themselves? What are you suggesting? 

Eve Maler: Well, the biggest thing that organizations and people can do, really, is, if you can, stop using passwords (laughter) to protect accounts. And that's really kind of a zero-trust approach that people have been hearing about. And I suspect that everybody has really been hearing about this more and more, particularly with the recent White House cybersecurity executive order, which put such a big emphasis on zero-trust architecture, which is really just about trying to draw protection closest to all of your most sensitive resources to minimize the blast radius if something is really compromised. And, you know, passwords are just really the least secure and least pleasant way to protect an account or a resource. They're most deployable these days, and that's kind of unfortunate. But there's so many other ways to protect accounts with strong authentication, multifactor authentication. And these are ways that we can protect our most important things better, really. 

Dave Bittner: Was there anything that stood out to you as being particularly surprising in this year's report, anything that strayed from where you expected it to go? 

Eve Maler: I would have to say that maybe the cost of breaches for businesses - maybe the GDPR fines actually jumping so high - come to think of it - because we saw that GDPR fines jumped 40% globally. And when you think about GDPR having been under enforcement for a couple of years, that's really quite striking. So that's something that people really need to watch out for. 

Eve Maler: When it comes to things like ransomware attacks, the most important thing we need to worry about is sometimes when the attacks are coming from inside the house, so to speak. And that's where what we in the identity world call identity governance comes in. So when you're looking for perhaps somebody who might have been an insider, who maybe was fired, is no longer with a company, and you need to be sure that you haven't actually extended privileges longer than you should have. And identity governance practices are something that really need to be taken care of in the case where somebody could have inserted some kind of malware or ransomware or something like that after the point when they really shouldn't have been around. So identity governance and administration - sometimes called IGA - is something extremely important to be looking after. 

Dave Bittner: That's Eve Maler from ForgeRock. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: A story here from The Verge - It's titled "Biden Signs Executive Order Targeting Right to Repair, ISPs, Net Neutrality and More." There's a lot in this recently signed executive order. Can you take us through some of the things here that apply to our audience? 

Ben Yelin: Sure. So this is a very broad executive order signed on July 9. The general goal is to promote competition, and it mostly has to do with technology, which is why we're talking about it on this podcast. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: One thing we've talked about before are these so-called right to repair regulations. 

Dave Bittner: Yeah. 

Ben Yelin: Originally, the effort was going to be geared toward farming equipment. You know, you had this issue where people would buy John Deere tractors. In order to get the doohickeys and gadgets needed to fix the products when they were deficient, you had to go to the manufacturer. 

Dave Bittner: Right. 

Ben Yelin: You couldn't, you know, buy it on the market and do it yourself. 

Dave Bittner: Because tractors are now software. 

Ben Yelin: Right, which they are. Yeah, they are. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: So what this executive order does is starts an effort to be spearheaded by the Federal Trade Commission to limit powerful equipment manufacturers from restricting people's ability to use independent repair shops or DIY repairs. And this is going to cover all electronics, so it is no longer just farming equipment. I'm surprised that this effort hasn't happened sooner. I mean, it's something that you'd think would be supported on all sides of the political spectrum because it does foster competition. 

Dave Bittner: Right, right. 

Ben Yelin: You know, independent shops can come in and say, we can fix all different types of devices. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, we shouldn't confine the market just to the manufacturer of the device. As it relates to Big Tech, there are some anti-monopolization aspects to this executive order. There is now a mandate to require - and I quote - "greater scrutiny of mergers, especially by dominant internet platforms"... 

Dave Bittner: Who could they mean there? (Laughter). 

Ben Yelin: Yeah, exactly. We won't name names. But... 

Dave Bittner: Right. Right, the usual suspects. 

Ben Yelin: ...I think you can figure it out. Yeah. 

Dave Bittner: (Laughter). 

Ben Yelin: So they're talking about the acquisition of what they call nascent competitors, serial mergers. You know, I think we know exactly what they're referring to here. It's cases that we've talked about on this podcast and on the "Caveat" podcast. 

Dave Bittner: Right. 

Ben Yelin: So, you know, I think that's part of a broader effort to try and cut down on consolidation in the industry, which is really hurting consumers. And they're also, as part of this executive order, under the purview of the FTC, going to place more rules on surveillance and data collection. And, you know, that's something that's going to have downstream impacts on technology companies around the world. There's even a provision on patent policy reform that they talk about in this article. So it's kind of an omnibus executive order designed to spur competition, and, you know, cut down on the consolidation of the tech industry. 

Dave Bittner: Yeah - some stuff here for the FCC as well, going for better broadband. 

Ben Yelin: Oh, yes. So there's this provision that tasks the FCC, the Federal Communications Commission, to require ISPs to report prices and subscription rates and to prevent ISPs from making deals with landlords that limit tenants' options. I'm quoting from the article here. I don't know if this is the case in many locations where our listeners live, but I used to live in Baltimore City. And there was a deal between Comcast, or shall we say a company that goes unmentioned. There was a deal between one cable company... 

Dave Bittner: Right. 

Ben Yelin: ...And the city that essentially made Baltimore City inaccessible to all of the competitors of that one company. And it was really nice to move out to Baltimore County, where that's not the case and you have more competition. 

Dave Bittner: Instead of a monopoly, you have a duopoly, right? 

Ben Yelin: Yeah, exactly - at the very least, maybe a triopoly. 

Dave Bittner: (Laughing) Yeah. 

Ben Yelin: You know, so you have very - in some parts of the country, there is only one internet service provider unless you want to go out and seek some of the less common alternatives. 

Dave Bittner: Yeah. 

Ben Yelin: It's something that's not - both not good for competition and very detrimental to the consumer because that one company has very little incentive to provide good customer service. So, you know, I think this is a promising step that's been taken here. 

Dave Bittner: Can you put this in perspective? I mean, what is the degree to which this executive order has actual power to make things change? 

Ben Yelin: I think it really does. I mean, a lot of it is tasking federal agencies with coming up with rules and regulations. That's a cumbersome process. It sometimes takes a long time. There has to be, you know - they have to draft a rule, come up with a notice of proposed rulemaking, go through the rulemaking process, solicit notice and comments. 

Ben Yelin: So we might be talking about a relatively extended time period here, but I think the executive order has teeth. It states what the administration's policies are vis-à-vis these anti-competitive practices. It gives instructions - specific instructions to agencies to help accomplish these goals. And I'll also add it doesn't seem that there's been much pushback on this executive order from either side of the political spectrum. I think reflecting - particularly the Republican Party that is more skeptical of consolidation in the tech industry, particularly as it relates to social media because they feel, I think quite reasonably, that there isn't enough competition in that market. So we really haven't seen the type of pushback that you'd normally get to a large, sweeping executive order from an opposing political party. 

Dave Bittner: Yeah. 

Ben Yelin: So I think, you know, what's in this executive order is going to have teeth, and it's going to be sustainable. 

Dave Bittner: Yeah. Also, I think of interest to folks in the tech industry, he's calling on the FTC to ban non-compete clauses, which are very common in this industry. 

Ben Yelin: Very common in this industry. I mean, it's more egregious in other industries where - like, you know, fast food restaurants have non-compete clauses, and that ruins people's job prospects and has them wedded to one company even if they're being treated poorly. 

Dave Bittner: Right. 

Ben Yelin: It happens to a much larger degree in the tech industry, where it's much more difficult to switch jobs even if you're unhappy somewhere just because you've signed one of these non-compete clauses. So I think a lot of our listeners who work in this industry would be very appreciative if they're not being tied down by these contracts. 

Dave Bittner: Yeah, absolutely. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. If your company would like to reach a quarter-million unique listeners every month, send us a note at thecyberwire.com/sponsor. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.