The CyberWire Daily Podcast 7.13.16
Ep 140 | 7.13.16

Patch Tuesday notes. Pokémon Go (of course), ICS security, energy recon, fansmitters.

Transcript

Dave Bittner: [00:00:03:10] Patch Tuesday overviews: Industrial Internet-of-things issues. Air gaps and fansmitters. Paycard breaches. Bay Dynamics gets $27 million in Series-B funding. Markets process Imperva's disappointing results. SWIFT turns to BAE for cyber security. Pokémon Go gets some fixes, but trainers choose well.

Dave Bittner: [00:00:28:03] Time to take a moment to tell you about our sponsor, Netsparker. You know when you want automated security, you want it to be, well, automatic. Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites, and other solutions need a lot of human intervention. To take one example, with other scanners, you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner that can help identify the setup and configure its own URL rewrite rules. Visit Netsparker.com to see how Netsparker's no-false-positive scanner frees your security team to do what only humans can. Don't just take our word for it. If you want a free trial, go to Netsparker.com/CyberWire for a 30-day fully functional version of Netsparker Desktop. Scan your websites with no strings attached, with Netsparker. That's Netsparker.com/CyberWire. We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:29:08] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 13th, 2016.

Dave Bittner: [00:01:35:08] Yesterday was Patch Tuesday, and the customary set of fixes emerged from the big fish in Redmond and some of its smaller yet still significant pilot fish. Sysadmins should be busy this week and next. As we all know, but still need to be reminded, patch management is one of the best security best practices.

Dave Bittner: [00:01:53:02] Microsoft issues fixes for 11 bugs, six of them critical, that address more than 40 flaws. Connoisseurs of Patch Tuesdays consider this a relatively light load. 15 of the bugs fixed were in Internet Explorer, 13 in its successor browser, Edge. One set of patches closed a printer vulnerability Vectra Threat Labs discovered. If left unpatched, these flaws could exploit networked printers to install malicious drivers. Other patches address ways in which attackers could have bypassed some Office security features, and close off ways in which malicious documents could be created to serve as vectors for malware infection.

Dave Bittner: [00:02:29:00] Adobe patched as well, plugging some 50 holes in its widely used and oft-exploited Flash Player browser plugin and in the popular Adobe Reader.

Dave Bittner: [00:02:37:19] Open-source content management system Drupal was a little late to the party, but was a most welcome arrival this morning with fixes to "critical" remote control execution vulnerabilities in some contributed modules. The SANS Internet Storm Center reports that Drupal core is not affected.

Dave Bittner: [00:02:54:08] Google and Niantic continue to grapple with some of the security issues raised by their wildly popular Pokémon Go. Niantic has now limited the permissions the game asks for to "Know who you are on Google" and "View your email address." Formerly, the game had automatically scooped up permissions to access essentially all things Google about its player: Gmail, Google docs, etc. Other issues, including the possibility of the game's locking iOS users out of their Google accounts, remain to be addressed.

Dave Bittner: [00:03:22:07] The augmented reality game has drawn other attention. For one thing, as Motherboard puts it, Pokémon Go's endgame is, "To get you to walk into Chipotle." This seems a reasonable enough business model, and no more nefarious than many other forms of advertising, but the geocaching in the augmented reality system has its dangerous and unseemly aspects too. Reports persist of inattentive players being led into risky neighborhoods, and even ambush muggings. It's sad to report, in greater Washington DC, both the Holocaust Memorial and Arlington National Cemetery have had to ask players not to pursue virtual Pokémon in what ought to be recognized as sacred spaces.

Dave Bittner: [00:04:01:02] So, players, update your games and enjoy them, but remember that while Charmander might be a virtual being, you remain an embodied one.

Dave Bittner: [00:04:09:06] Turning to the Internet-of-things, especially its industrial control system precincts, the energy sector cyber recon tool SentinelOne found associated on the dark web with the “Furtim” campaign continues to look like the work of a state security service. The malware seems tailored to specific European energy companies, but utilities worldwide are taking note of their vulnerability to cyber threats.

Dave Bittner: [00:04:32:19] Both the US House and the Senate are looking into critical infrastructure protection this week. We heard from Ray Rothrock, CEO of RedSeal, about the regulatory issues involved. He thinks the payment card industry might provide a cautionary example. "Critical infrastructure organizations need to act immediately," he says, warning that compliance with sound standards is central to protecting the people from attacks. He calls for upgraded network models, automated analysis and auditing, and alignment with industry best practices. He also counsels against delay. "Delays rarely result in what the various parties hope, as demonstrated by previous delays in the Payment Card Industrial Data Security Standard. However, I hope the extra time means compliance and resilience are on the horizon."

Dave Bittner: [00:05:18:02] Booz Allen recently published an industrial cyber security threat briefing. We spoke with Scott Stables, the chief technologist for industrial cyber security at Booz Allen about the report.

Scott Stables: [00:05:28:10] The type of attack and perhaps the motivation behind the attack is changing. So, we've seen less interest in oil and gas utilities, and a change towards whatever coal manufacturing or high tech manufacturing: critical manufacturing. That could potentially be due to interest in alternative motivations for attack. So, perhaps less of the nation state and more of the organized criminal elements are looking towards making money out of conducting attacks against manufacturers of equipment, product and so on.

Dave Bittner: [00:06:08:02] Scott Stables says, the report reveals a troubling combination of vulnerability and high stakes.

Scott Stables: [00:06:14:04] Right now, there's a general unpreparedness I think from the operational technology support organizations to secure and lock these things down. They may not understand the vulnerabilities or the threat associated with the equipment. The other part I think is that the consequence of failure of some of these components of our critical infrastructure is measured in a different way. If you bring down an IT system you may cause some financial loss, but if you bring down an OT system you could cause some issue that results in a cataclysm at an event: at a refinery; an outage on one of the hottest days of the year, for example, that could cause some significant impacts to large amounts of people.

Dave Bittner: [00:07:00:18] In Booz Allen's report, one third of operators reported some kind of breach in 2015. Stables says, "The motivations of these attackers varies".

Scott Stables: [00:07:09:10] If you look at the nation-states, for example, we characterize them in two buckets. Ones that are getting in, establishing some kind of persistent presence there, access and doing reconnaissance, and essentially doing nothing else: just waiting potentially for who knows what, but just waiting. There are others who are going in there very directly, and causing some kind of disruption or impact. If you look at the Ukraine example, that's exactly what happened there. So, depending on who you are, you have a different motivation. It's all driven geo-politically. Some of it may be driven by espionage or potentially looking at getting inside a network for theft of IP, for example. The report talks about the motivations for three or four different nation-states in that respect.

Dave Bittner: [00:08:02:05] I asked Scott Stables what in the report he found most surprising.

Scott Stables: [00:08:06:07] In a fairly simple environment, there's an awful lot that you can do in terms of basic things like cyber hygiene: network segmentation, understanding what you have on the network, for example. What devices do you have there? When was the last time you did an inventory? I believe that many of the root causes, and 88 percent, I think, of the incidents initiated on the enterprise network, could have been avoided if you implemented some basic approaches to cybersecurity. I think, what's driving that? Maybe it is some of this operational technology versus IT; lack of integration discussion; cooperation in the firms. Maybe it's not. I think, as an organization, you need to implement better interaction between these types of the organizations to get on the same page and do the basics. I think that's probably the biggest takeaway.

Dave Bittner: [00:09:12:11] You can download a copy of Booz Allen's Industrial Cyber Security Threat briefing, on their website.

Dave Bittner: [00:09:19:10] Returning to payment card standards and the related issues of point-of-sale security, Tripwire's Tim Erlin, director of IT security and risk strategy, commented on the recently reported breach at Omni Hotels. “The bright spot in this breach appears to be that Omni Hotels detected the activity themselves. Many breaches in the past have been detected, not by the compromised business, but by third parties noticing fraudulent activity. Security professionals at retailers should use this incident to drive a review of the controls on their own point of sale systems.”

Dave Bittner: [00:09:50:09] On the ransomware front, Heimdal warns us here in Midgard that there's a new cheap-and-nasty out there to be on the guard against. It's called "Stampado", and this strain of ransomware is noteworthy because it doesn't need administrator access to operate. ThreatTrack published a detailed report on Cerber (recently active against Office 365 users), and Kaspersky reiterates warnings against Satana. Trend Micro has opened up a ransomware hotline for victims, and it's offering a set of recovery tools as well. In the US, the Office of Civil Rights at the Department of Health and Human Services releases new HIPAA guidance, suggesting that health care providers hit by ransomware may face penalties.

Dave Bittner: [00:10:30:07] In industry news, Bay Dynamics picks up $27 million in Series-B funding. The stock market is processing Imperva's disappointing results, and the international funds transfer organization SWIFT engages BAE to help it with cyber security.

Dave Bittner: [00:10:46:11] Finally, Pokémon Go has reached Germany, and G-Data has seven security tips for players everywhere: install the game only from a trusted source, use security software on your device, watch the permissions you give the game, be aware of your surroundings when you play, think before you chase, remember to guard your privacy, and avoid in-game cost traps. So, trainers, if you're in, say, Hessen, and you chase your Pokemanner through the streets of Hanau, past Schloss Philippsruhe, and around the statue of the Brothers Grimm, we say, viel Spass... aber seid doch vorsichtig, Jungs.

Dave Bittner: [00:11:25:00] I want to take a moment to thank our sponsor E8 Security. You know, once an attacker's in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's Analytics can. Here's what malicious C2 traffic might look like: newly visited sites, a visit to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name, or a distinct IP address, or the association of a website with a limited number of user agents. That's tough for a busy security team, but it's easy for E8's Behavioral Intelligence Platform. For more on this and other use cases, visit E8Security.com/DHR and download their free white paper. E8 Security: detect, hunt, respond. We thank E8 for sponsoring the CyberWire...

Dave Bittner: [00:12:16:12] ...and, joining me once again is Jonathan Katz. He's a professor of Computer Science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, it's commonly believed that one of the best ways to protect a computer is to air gap it: to have it not be connected to anything else, but some researchers have come up with a clever way to get around that. What are we talking about here?

Jonathan Katz: [00:12:38:14] Yes, there's some really interesting work out of Ben-Gurion University in Israel, where the researchers show that even an air gapped computer can still be used to transmit information to an attacker. So this will be providing an attacker with a way to extract potential information from a computer, even if it's not connected to the Internet.

Dave Bittner: [00:12:56:12] What were they doing?

Jonathan Katz: [00:13:00:10] Well, what they did was they used a physical channel for the communication between the computer and the attacker. So, think about if you have malware sitting on the machine: what they had the malware do was actually affect the CPU load on the computer, which would in turn affect the speed of the fan that's used to cool the CPU, and that change in the rotational speed of the fan could then be picked up by an attacker who, say, had a microphone planted nearby.

Dave Bittner: [00:13:29:20] So, by changing the speed, the device can pick it up, and then they can vary the speed, and basically have some sort of binary communications with the external device?

Jonathan Katz: [00:13:39:11] Yes, exactly. So, really what this shows is just that there's all kinds of ways to communicate, and anything can be used as a potential communication channel. It's another example of what we might call a side-channel attack. So, rather than just relying on the network, they've here shown how to use the sound being emitted by the fan as it changes speed as a communication channel. I think there's been earlier work by the same team that's shown how to use the temperature changes that are induced by the rate of CPU consumption as another communication channel. So, it just really shows that the hacker, or the attackers, are always thinking, and coming up with new ways to get around existing security protection.

Dave Bittner: [00:14:18:01] Alright, Jonathan Katz, thanks for joining us...

Dave Bittner: [00:14:22:04] ...and that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more visit thecyberwire.com. If you enjoy our daily look at cyber security news, we hope you'll help spread the word by telling your friends and co-workers about our show, or leaving a review on iTunes. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben. Our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.