Patching: the good, the bad, and the ugly. Script kiddies and disinhibition (with a caution about attribution). Industry notes, RSA, and Valentine's Day.
David Bittner: [00:00:03:17] When it comes to patching, we've got the good, the bad and the ugly. But mostly the good. Dridex is back. Brussels airport hacker turns out to be a literal script kiddie, with the emphasis on the kiddie. Moscow treason trials shut down Russian cooperation with Western law enforcement. And Robert Lord from Protenus returns to tell us about their breach barometer report for the healthcare industry. A look ahead to RSA, and some Valentine's Day advice.
David Bittner: [00:00:35:15] Time for a moment to tell you about our sponsors, CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out CyberSecJobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruiting packages designed to meet your needs. Here's one of the current hot jobs, Wakemed is looking for an information system security officer to help safeguard sensitive information. You'll find this and other great opportunities at CyberSecJobs.com. That's CyberSecJobs.com. And we thank CyberSecJobs for sponsoring our show.
David Bittner: [00:01:37:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 10th, 2017.
David Bittner: [00:01:48:05] We often hear about the importance of patching and two stories today offer cautionary tales on why it's important and why it's important to do it right. First, why it's important. Unpatched WordPress instances have been clobbered with defacements at an increasing rate this week. Sucuri, the firm that discovered and disclosed the now swatted bug to WordPress, has been tracking attacks and finds that as of yesterday more than 1.5 million pages had been hit. WordPress quietly fixed the problem in its API back on the 26th January with release 4.7.2. The patch was rolled out quietly in the hope that hackers would overlook the vulnerability WordPress was closing, but that hope was apparently in vain. A number of industry observers would strengthen that observation, saying that the hope was foreseeably, inevitably in vain, since patching a vulnerability unavoidably discloses that vulnerability to the ill-intentioned. So WordPress users are advised to patch. It's the old versions that are being hit hard.
David Bittner: [00:02:49:16] Second, why it's important to do it right. NASA's Inspector General has released a report on industrial control system security within the space agency. NASA sensibly commissioned the study because of the extent to which operational technology has evolved away from manual systems, toward increasingly comprehensive automation. Among the findings was this, application of a security patch to software used to control a large engineering oven, caused a reboot that stopped the oven's monitoring equipment from running. This effectively disabled both temperature control systems and impeded alarm activation, causing a fire that burned undetected for three and a half hours. So, check patches for unintended consequences before applying them. And managers, when IT says they're verifying that the patch is okay to apply, remember, that they have good reason to do so.
David Bittner: [00:03:42:15] According to authorities in Belgium and the United States, the post-massacre cyberattack on Brussels International Airport last March proves, surprisingly, and troublingly, to be the non-ideological work of a Pittsburgh minor, described in news reports as a child. There's no sign of ISIS inspiration or commitment, just another awful example of online dis-inhibition, and another lesson in the importance of remaining circumspect in attribution.
David Bittner: [00:04:11:23] Treason arrests of current and former FSB officers in Moscow are said to have effectively muzzled Russian cooperation with Western law enforcement operations. They've clammed up, as Fidelis's John Bambenek described it. Since the FSB officers are accused of giving information to the Americans, you might think twice before doing something that could be misconstrued as espionage.
David Bittner: [00:04:36:00] In industry news, Accenture buys VeriSign's iDefense Security Intelligence Service to augment its cyber threat intelligence offerings. Evidence.io and its remediation platform pick up 22 million dollars in a Series C investment and threat intelligence exchange TruSTAR attracts five million dollars led by Storm Ventures.
David Bittner: [00:04:57:15] Next Tuesday is St. Valentine's Day and since we know a thing or two about our listener demographic, we're pretty sure that many of your thoughts are turning to a romantic dinner for two at Arby's. As you offer your significant other the Horsey Sauce, however, you may be troubled by Arby's disclosure yesterday to Krebs On Security that the restaurant chain has been the victim of a data breach. Jeff Hill, Director of Product Management at Prevalent Inc. reminds us that this is part of a pattern. "When the retail industry is attacked, it very often manifests as a point-of-sale infection. And point-of-sale device infections nearly always originate at a third party." He cites the famous Target breach, traced to an HVAC contractor, as one of the more famous examples. He goes on to say, "Studies vary, but it is generally recognized that at least 40% of all enterprise breaches originate at a third party vendor. In the retail space, that figure is likely much higher."
David Bittner: [00:05:55:09] So, a reminder of the significance of third-party risk. But to return to the silver lining in this story, the good news is that Arby's reports they've remediated the point of sale system problems. And so you may squire your betrothed to the local food court without unusual risk of losing your pay card information. Any other romantic risks and you don't need us to tell you, February 14th is a positive minefield of such risks, are solely your responsibility. Brothers and sisters, you know who you are. Mes semblables, mes freres.
David Bittner: [00:06:33:05] Finally, of course, we'll be in San Francisco next week. That's right, in the City by the other bay, covering RSA 2017, the annual Woodstock of the cybersecurity industry. We've been linking to some forward looking pieces on the conference and we'll be reporting on what we see and hear around the event. In the meantime, here are some of the stories we'll be watching. The Innovation Sandbox is always interesting and the start ups chosen to compete have over the years become some of the industry's more influential players. The Sandbox runs Monday, we'll be there for it. The conference provides many opportunities for a look at the interplay of technology, commerce, and policy. It will be interesting to see, for example, what technologies the Department of Homeland Security's Science and Technology Directorate has queued up for transition. And, of course, we'll be talking with interesting companies, large, small, and medium. If you see us around the Moscone Center, be sure to stop us and say hello.
David Bittner: [00:07:31:09] Time for a message from our sponsor, E8 Security. Once an attacker's in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like, newly visited websites, visit to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address. Or the association of a website with a limited number of user agents. It's tough for a busy security team but it's easy for E8's behavioral intelligence platform. For more on this and other use cases, visit e8security.com/dhr and download their white paper. That's e8security.com/dhr. E8 Security, Detect, Hunt, Respond. And we thank E8 for sponsoring our show.
David Bittner: [00:08:28:23] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, once again, we find ourselves back looking at the playpen child porn case. We've got some interesting developments here, bring us up to date.
Ben Yelin: [00:08:45:04] Back in 2015 and we talked about this before. Federal Investigators temporarily began operating this playpen child pornography site for 13 days before shutting it down as part of what they called a network investigative technique to try and find IP addresses of the users of this service. One of those users was a guy by the name of Jay Michaud who lives up in Vancouver, Washington. He allegedly logged on to this playpen site while it was being run by the Federal government. He was arrested and prosecuted. The judge as part of the prosecution, asked for the source code used to target this defendant and instead of providing that source code, the FBI decided to keep to classified. Without the source code, the case can't go forward, the prosecution can't go forward. The Federal government has dropped its appeal on the case and has allowed this individual, Michaud, to go free.
Ben Yelin: [00:09:44:17] We were just talking about it before, this is one the luckiest people in the country. He was caught using child pornography but because the Federal government has bigger fish to fry in the form of the source code, he's going to be able to evade prosecution.
David Bittner: [00:10:00:04] Take us through the big picture of this, we have someone who has serious charges against him, but instead of pursuing that case, the government decides to step back and live to fight another day?
Ben Yelin: [00:10:14:15] There are 135 cases like this nationwide and courts are bearing jurisdictions. So, it's possible there could be a friendly judge somewhere that could go through with the prosecution without asking for the source code. Generally a defendant in the criminal case has a right to what's called a Frank's Hearing, which is to determine the sufficiency of the interrogation methods used to get evidence to arrest a person. It's possible there could be a judge that could deem the investigatory process sufficient without looking at the source code. Since there are so many cases across so many jurisdictions, it's certainly possible. In that case, in order to protect the code, it would not be in the government's interest to continue to prosecute cases where they would have to reveal the code. Of course, the result of that is people have committed a federal crime, viewing child pornography are going to evade prosecution. I think the way the Federal Government sees it, that's a small price to pay in order to protect the integrity of the source code.
David Bittner: [00:11:20:23] Is there a way the Government can take that off the table?
Ben Yelin: [00:11:24:21] It's going to be really hard. Defendants have a constitutional right to confront the evidence against them and to know exactly which evidence produced the incriminating information that led to their charges. As I mentioned, they're entitled to this so-called Frank's Hearing and there could be judges who are going to be satisfied with the evidence without seeing the source code. But if a judge isn't, then there are very few options that the Federal government has.
David Bittner: [00:11:55:22] Ben Yelin, thanks for joining us.
David Bittner: [00:12:02:09] Time to take a moment to thank our sponsor Palo Alto Networks. Feel free to visit them at go.paloaltonetworks.com/secureclouds. Businesses and their data are flocking to the cloud. It's no longer just a convenient place somewhere out there to store things. It's become a viable, integral part of almost all enterprise level organizations. Palo Alto Networks understands this and the fact that your data and applications are distributed across the private cloud, the public cloud, software as a service environments and any number of configurations in-between. Make sure your data and apps are secured and protected, wherever they may be. Palo Alto Networks has the broadest, most comprehensive cybersecurity for private cloud, public cloud and software as a service environment because secure clouds are happy clouds. Find out how to secure yours, get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
David Bittner: [00:13:10:24] My guest today is Robert Lord. He's the CEO and co-founder of Protenus, a company that provides privacy protection for patients and providers in the healthcare industry. He returns to the CyberWire to tell us about their breach barometer report covering 2016.
Robert Lord: [00:13:27:04] One thing that we see is a remarkable consistency from month to month on the proportion of types of breaches. We see around 40% of breaches that attributable to insiders. One issue is when we think about breaches and we think about hacking or cybersecurity incidents, we think about these external actors; individuals who are breaking into our systems and stealing data, criminal actors. But in fact, what our research reveals at least in health care, you've got hacking that makes up about 26.8% of all breaches when you look back at all of 2016. But insider threats are about 43% of all breaches. And so really what we're saying is we really need to take a closer and quantitative look to say, what do we really need to defend against and is it matching up with our broader intuition around our vulnerabilities.
David Bittner: [00:14:25:02] When you say insider threats, what's the spectrum of things that that encompasses?
Robert Lord: [00:14:29:16] Insider threats can be anything from your naively dangerous individuals. Individuals who might be taking information inappropriately home and then losing it. All the way to individuals who are systematically scraping and stealing medical records and diverting them to the black market for resale or for use against individuals. It's a pretty wide spectrum of maliciousness and sophistication. But overall, what we see is that Health care is unfortunately, not having these threats go down, not deploying any solutions to tackle them systematically across the industry. There's a real need to grow awareness of these challenges.
David Bittner: [00:15:11:05] In terms of reporting these breaches, health care is a highly regulated environment So how does the reporting, with what is made public and the delays in getting that information out, how does it all play out?
Robert Lord: [00:15:27:07] Reportable health care breaches fall into two broad categories. One is your smaller breaches that just need to be reported on an annual basis. Those can be things like faxes being mis-sent, small individual incidents that don't really need to have the scope of an immediate public notification. But any breach that involves greater than 500 patients, HHS needs to be notified immediately of that. You have a 90 day reporting window. And then those are added to what's called the Wall of Shame which is maintained by the Office of Civil Rights, responsible for administering HIPAA. That really allows you to get a sense of what are the breaches that are occurring, what are the characteristics of those breaches and how long is it taking people to respond to them.
Robert Lord: [00:16:17:14] One of the challenges that we see with that is while of course, OCR does its best and does a pretty good job on many fronts. When we went through all the breaches that were publicly reportable, we still saw that probably a third of breaches versus the OCR Wall of Shame were not being put on the OCR Wall of Shame. And so what this means is that there still is a need to have a bit more of a rigorous methodology, perhaps more of a proactive methodology to finding and reporting these breaches and making sure that there's a centralized place for people to look at all that information and understand what these trends are. We think that as hospitals and health systems, HIE's payers start to examine their security. We believe and hope that 2017 becomes the year of insider threat awareness.
Robert Lord: [00:17:06:08] It's not that anything has fundamentally changed, it's that what we believe is occurring is an awareness and a transformation in people's understanding of the fact that this is a threat that they can no longer avoid or believe is just the cost of doing business. All of this really gets to a core question and a core message that we always talk about at Protenus that we think about at the Institute for Critical Infrastructure and Technology. And that issue is how do we ensure trust in health care? How do we have the confidence to know all the way from the patient believing that their data will be protected and will be used appropriately, to the system administrator knowing that everyone who has access to that data appropriately has that access and is using it appropriately to everything i- between.
Robert Lord: [00:17:52:09] A hospital really needs to understand every single access to patient data that occurs. And the health system as a whole badly needs a set of systems and processes to feel that all of this interoperability, all this exchange of health , all of this data sharing that's been pushed and appropriately so, for improving patient care, is not done to the detriment of the privacy and security of all the patients whose data is being shared. At its core, trust in health care is a question of making sure that we understand what appropriate use of information is. And to do that, we really need a greater understanding of all the players. That means we need to understand all the users and how they normally and appropriately access data. We need to understand all of the patients and what those normal care flows should look like, what is an appropriate course of care look like. Then all the connections between those, whether it's health information exchanges, electronic health records, payers and claim management, financial systems.
Robert Lord: [00:18:49:04] Understanding both the content of the data as well as how that data flows through these health organizations is a real challenge that healthcare is facing now. But one that they're beginning to tackle, one that they understand really needs to come on to their horizon for 2017 and 2018. And one that Protenus is confident that they're going to be able to tackle successfully. Especially with new technologies coming out of the front from a variety of different areas.
David Bittner: [00:19:14:18] That's Robert Lord from Protenus. You can sign up to receive copies of their breach barometer reports on their website.
David Bittner: [00:19:25:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. For more information about how Cylance prevents cyber attacks, visit Cylance.com. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.