The CyberWire Daily Podcast 11.16.22
Ep 1705 | 11.16.22

Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19.
Dave Bittner: Blockchains, cryptocurrency exchanges and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from the Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the G-19. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 16, 2022.

Blockchains and cryptocurrency exchanges, and the risks they present.

Dave Bittner: A report from Moody's says that the cryptocurrency ecosystem's vulnerability to cyberattacks is restricting the sector's growth. Moody's says this trend was most recently highlighted by the hack sustained by FTX shortly after the exchange filed for Chapter 11 bankruptcy last week. Moody's explains that applications built on the blockchain rely on a tangle of technologies that opens them up to attacks. The report explains the ecosystem relies on a series of technological layers, such as the user interface, smart contracts, the blockchain program and the hardware infrastructure. Each segment can be susceptible to vulnerabilities. In particular, smart contracts, programs running automatically when predetermined conditions are met, present novel challenges. 

Dave Bittner: Whereas bugs can remain hidden for a long time in conventional applications, hackers can easily identify flaws in a smart contract because their code is often open-source. Their automated nature and ability to hold crypto assets also enable thieves to exploit logical errors to steal funds. Moody's researchers note that more attacks are now targeting decentralized finance companies compared to centralized finance. Not only do they hold large sums of cryptocurrency, but they're also susceptible to many of the same issues that affect crypto exchanges. The recent collapse, bankruptcy and compromise of the FTX crypto exchange bring many of these vulnerabilities into relief. CoinDesk describes a hack sustained by FTX several hours after the exchange filed for bankruptcy. Unknown hackers stole more than $600 million from FTX crypto wallets. WIRED outlines the efforts industry and law enforcement are taking to track the stolen funds. 

Vulnerabilities in Amazon RDS may expose PII.

Dave Bittner: Mitiga released research today discussing the exposure of PII in Amazon Relational Database Service snapshots. Amazon RDS is a platform-as-a-service that provides a database platform based on optional engines such as MySQL and PostgreSQL. And RDS snapshots are used to help back up databases. Researchers discovered RDS snapshots that were shared publicly for hours, days and weeks, both intentionally and by mistake, and created a way to exploit the issue to mimic attackers. The team created an AWS-native technique to extract information from RDS snapshots. Researchers found that the total number of snapshots seen in the month analyzed was 2,783, and of those, 810 were exposed during the time frame being analyzed. Eighteen hundred fifty-nine of the snapshots were exposed for only a day or two. This was also discovered to be occurring worldwide. 

Dave Bittner: The Mitiga team says that an email should be sent from Amazon notifying you of a public snapshot in your account after sharing a snapshot publicly. There is also a tool called AWS Trusted Advisor that recommends steps to improve your environment in different ways - costs, performance and security. Public snapshots will cause the Trusted Advisor widget to warn of an action recommended. Provided in the research as well are ways to check for public snapshots. 

A study of the language of fraud.

Dave Bittner: So, let's talk fraud for a couple minutes. The crooks do, and they speak it fluently. A report from Visa and Wakefield Research describes the effectiveness of the language used in social engineering attacks. The researchers found that 48% of respondents believe they can recognize a scam, but 73% are susceptible to common phrases used by scammers. As you might expect, the language that appears in the most successful scams usually suggests urgency. These attempts at fraud contain phrases such as - win online free gift card, free, giveaway, exclusive deal, act now, limited time offer, urgent, click here and action needed. They're calculated to induce the sort of haste and suspension of the mark's critical faculties that's likely to induce them to click here right now. 

Dave Bittner: One interesting side finding that emerged in the study is that self-confidence seems inversely correlated with a user's actual ability to withstand swallowing the phish bait hook, line and sinker. The researchers found that respondents who are confident in their ability to recognize scams are actually more likely to fall victim to them, and people tended to think that others - not themselves - would be more susceptible to scams. The study found, while consumers feel confident in their own vigilance, the vast majority - 90% - are concerned that friends or family members may fall for potential scams that include emails or text messages asking people to verify their account information, asking about overdrawn banking accounts and notifying them about winning a gift card or product from an online shopping site. It's nice that people are concerned for their loved ones, but they might benefit from some realistic self-examination. 

Dave Bittner: Our culture desk has long argued that Americans in particular overvalue self-confidence. Maybe because of too many viewings of "The Wizard of Oz" during childhood. Anywho (ph), if you think you're too smart to fall for the snake oil salesman's ballyhoo, guess what? You've probably already ordered a case or two. Come to think of it, didn't Oz the Great and Terrible start out selling snake oil at a fair in Omaha? 

President Zelenskyy offers the "G19" the benefit of Ukraine's experience with cyber warfare.

Dave Bittner: And finally, in an address to the G-20 delivered by video link, President Zelenskyy offered friendly nations the benefit of Ukraine's experience of resisting Russian cyberattacks during Russia's hybrid war. He addressed the gathering as the G-19, since, in his view, Russia's assumption of the role of what he describes as a terrorist state disqualifies it from the respect and consideration due to a G-20 member. His comments to the G-20's Digital Transformation Summit commended the creation of cyber auxiliary forces and migration to more resilient cloud services as centerpieces of Ukraine's cyberdefense program. Such measures have, he said, enabled Ukraine to continue to deliver essential services, even under continuous attack, and he offered Ukraine's assistance to friendly nations interested in similarly organizing their online services. He closed with a plea for and an offer of close cooperation for cybersecurity. 

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani from Cenovus Energy with insights from the world of OT cyber. Stay with us. 

Dave Bittner: Ashif Samnani is Industrial Control System Cybersecurity Leader at Cenovus Energy. I recently spoke with him on our "Control Loop" podcast about some of the changes he's witnessed in nearly two decades in the OT and ICS world. 

Ashif Samnani: Within the OT side, I've seen the automation of discovery of new vulnerabilities and threats within the environment. The technology has been evolving. So what we've been doing in the IT space is similar to what we're now doing in the OT space, right? So there has been an evolvement in the types of technologies we've seen. Even the evolution of threats within the space have become far more apparent, right? I remember back in 2012 I was doing some research around Stuxnet. That was one of the first significant cybersecurity threats within the OT space, and now we see quite a bit relative to the OT area. Nothing as prominent as Stuxnet, but we've seen quite a bit, right? So it's just an evolving space within the OT and ICS area of cybersecurity. 

Dave Bittner: I'm curious. You know, it's practically a cliche that there's, you know, tension between the IT and the OT sides of the house. I'm wondering, in your experience, how accurate that is. I mean, there were - have we gotten to the point where teams are getting past that? 

Ashif Samnani: We're evolving now because the IT and OT space is slowly starting to converge. I'd say, let's flip back - 2012, when I first did OT cybersecurity. There was a large disconnect between the organizations - right? - between the IT and OT space when I worked at Spectra Energy, right? The business was not adopting best practices that IT dictates. Plus, you also have the mindset of an IT person going into an OT space. Typically, OT personnel are engineers. They understand the technologies a little bit better. But nowadays - right? - you're seeing the IT and OT teams working very closely because they understand that IT - OT threats are - primarily stem from IT-specific incidents, right? 

Ashif Samnani: So we're seeing tremendous adoption, especially the fact that new - like I said, new regulatory requirements are coming into place. So we need to ensure that the OT space is secured, and they're working very closely with IT. So regulatory requirements really drive a lot of the spaces. Plus also, the known incidents, for instance, like Colonial, that resonated with the OT groups, and they were concerned about their security posture. So they're working closely with the IT teams and stuff, right? I know at the current company, we work very closely with the various teams within the OT space, so we don't see much of an issue these days. But if we flashback, like, five to six years ago or even 10 years, yes, there was a significant issue in terms of working with the IT group. 

Dave Bittner: Where do you suppose we're headed here? As you look towards the next few years, any notions for how things are going to evolve? 

Ashif Samnani: Yeah. I mean, I could speak a few, right? For instance, in the OT space, the - and this has already happened - is adoption of cloud - right? - within the OT space. That's one of the things that we're facing, especially with companies such as AWS that are building, like, specific data lakes related to data historians - right? - which is not commonly found. So now what's happening is we're - the boundaries of the OT, they're changing, right? We're not only going into the IT network, but we're going to the cloud, right? So that's adoption - right? - that I see. In addition, the new technologies which are coming out that leverages AI and machine learning to detect for threats and vulnerabilities, we've seen a lot of those coming up. But I think that's growing, right? The threat and vulnerability platforms are evolving also, right? So maybe next generation, like, threat management systems are coming into play which fare better in the OT space. Typically, technologies right now based off of the architecture, they don't fare well. Sometimes we don't have that complete visibility. But I think we'll see - find better technologies within the space. 

Dave Bittner: Are you optimistic that we're going to get there, that we'll get a good handle on these things? 

Ashif Samnani: I'm very optimistic, right? I've seen this industry grow over the last 10 years, specifically the OT area. I think we'll get there, right? And as regulatory requirements come into play - another one I forgot to mention was Bill C-26, which is in Canada, right? That takes cybersecurity requirements for critical - companies that employ critical infrastructure, right? So I feel heavily confident that we will get there, right? It'll take a little bit of time, but I'm sure with the executives understanding the new requirements from a compliance standpoint and the evolving threat landscape, they'll take this a lot more seriously and consider the investment. 

Dave Bittner: That's Ashif Samnani from Cenovus Energy. You can hear the rest of our interview on the "Control Loop" podcast. Search for it on your favorite podcast app. 

Dave Bittner: And it's my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, always great to welcome you back. You had an interesting report in The Cybersecurity 202 today about a plan for continuity when it comes to cybersecurity in the government and perhaps some areas where it's coming up short. Can you unpack it for us here? What's going on? 

Tim Starks: Yeah. So I love - I really do love covering cybersecurity, but this is one of those topics that sometimes when people have used the word continuity of blank, it sounds almost too nerdy for me even. But it's very important. What had been recommended by the Cyberspace Solarium Commission, which has been really responsible for a lot of what Congress has been up to the last couple of years - two years ago, they put in there a requirement for the administration to put together a continuity of the economy plan. And the idea was to riff off of the continuity of government and continuity of operations kind of plans we've been talking about since the Cold War. You know, if a nuclear device went off and - how do we keep the government functioning? How do we keep - in this case, they're talking about - how do you keep the economy functioning if there's this kind of national-level cyberattack that takes everything down? 

Tim Starks: What came up yesterday at a House Homeland Security hearing is that this plan has been sitting on the shelf and not getting hardly anything done on it. And they won't even - DHS won't even answer what it is that they have or haven't done. So Alejandro Mayorkas got confronted about that at the hearing yesterday. I called DHS to see if they would tell me anything. I called CISA. I called the White House. They all referred me to each other. So it's kind of in a bind of nobody seems to be doing anything with it, and nobody seems interested in talking about what they are or aren't doing with it. 

Dave Bittner: You have this quote in your article today where it says the decision to send the job to CISA was, quote, "pretty much setting the agency up for failure," according to Garbarino. Can you provide some context to that? 

Tim Starks: Yes. So yeah, Congressman Garbarino, he had brought this up at the hearing. What had happened was, in the spring of this year, the White House decided to direct CISA to be the lead on this. And why that's setting them up for failure, according to the congressman, was, first off, giving him the job 15 months into after it was something they were told to do means they're probably not going to finish it by January of this year, which is the - sorry - January of next year, which is the deadline. 

Dave Bittner: Yeah. 

Tim Starks: That's putting them really behind on a deadline that was probably going to be hard for them to hit anyway, in part because, you know, if you've covered the government long enough, you know they don't always set these deadlines. In fact, they rarely do. 

Dave Bittner: Right. 

Tim Starks: So that's putting them in a tough spot. And even though CISA has an increasingly growing budget - it's really swollen by billions over the last couple years - it still doesn't have - and in the conversation I had with Mark Montgomery, who was the executive director of the Solarium commission - doesn't maybe have the number of people it needs. Congress had given them $200,000 for this. But maybe that's not going to be enough if you're having to do things like decide what happens if the economy is ruined. 

Dave Bittner: Yeah, that - just that little thing. 

Tim Starks: Just that little thing. 

Dave Bittner: Yeah. Yeah. So where do you suppose we stand, then? I mean, it sounds to me like that deadline will likely come and go, but does this shine a light on it to maybe elevate its status in terms of attention, at least? 

Tim Starks: Yeah. You know, actually, one of the things I was thinking about was - I'm not not being an activist, but, you know, this is something that seems like it's not getting anywhere. And, you know, when you're a reporter wanting to hold the government to account, you hope that shining light on it will at least prompt some discussion about it. Mark Montgomery, who I mentioned just a second ago, said he's hopeful that they'll at least have a plan for a plan. So that gives you a sense of where the optimism is about what's going to unfold here. 

Tim Starks: I think that that is a reasonable guess. They'll say, OK, gosh, we didn't get this done, but here's how we're going to do it. And I didn't mention this in a story, but, you know, one of the things Mark says he's doing is working on almost basically drafting it for them to say, hey, here's what we think you should be doing. So maybe that will help them a little bit, too. If they see a version of the plan, maybe it'll trigger their imaginations to figure out how to go about doing it. 

Dave Bittner: In the time we have left here, you also, in The Cybersecurity 202, speak about Christopher Wray, the FBI director, expressing some concerns about TikTok. What's going on there? 

Tim Starks: Yes, he did get asked at the hearing about concerns about TikTok and its Chinese ownership and whether that presents any national security concerns. He did, in fact, say he has those national security concerns, but he wouldn't elaborate on what those were because he said that would be the kind of thing they'd need to do in a classified setting. So behind closed doors is probably when anybody would hear the answer to that, and it would mainly be Congress. 

Tim Starks: One thing he did add, though, is that there is the Committee on Foreign Investment in the United States, which is a very special, secretive panel that looks at the subject matter that's in its name. And he said that he has input to that, and he has made that input known. We have reported at the Post that they have a - they've agreed to a couple things, TikTok has, you know, some additional oversight, some additional cybersecurity measures that they would be expected to do. There is - a deal is not imminent. And that was as of just a few weeks ago that we reported that. So it looks like this is going to be something we're going to be wrestling with for a little while longer, to say the least. 

Dave Bittner: Yeah. All right. Well, Tim Starks is the author of The Cybersecurity 202 at The Washington Post. Thanks so much for joining us, Tim. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.