The CyberWire Daily Podcast 6.22.17
Ep 376 | 6.22.17

WannaCry's back and the industrial IoT's got it. Business email scams hit the unwary (and most of us would count as unwary). Testimony on Russian election influence operations. Grid security.

Transcript

Dave Bittner: [00:00:01:00] If you have not yet done so, we hope you'll take the time to check out our Patreon page on patreon.com/thecyberwire. There are lots of great options there for you to help support our show. Thanks.

Dave Bittner: [00:00:13:24] WannaCry is still here, just ask Honda and the Australian state of Victoria. North America and Europe work to secure their grids against CrashOverride. The US Congress hears testimony about Russian election influence ops. Business email compromise scams hook sophisticated victims. The Queen's Speech says that, whatever else Brexit may mean, it won't mean a GDPR exit. And what's all this about CISOs and root canals? We didn't know that was an alternative to bearing bad news to the Board.

Dave Bittner: [00:00:50:00] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning. But it's not always easy to know what these could mean for you. So go to e8security.com/cyberwire and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure all but rather an indispensable approach to getting the most of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit e8security.com/cyberwire and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:48:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 22nd, 2017.

Dave Bittner: [00:01:58:12] WannaCry is today's news as well as yesterday's. An infestation of control systems on Monday forced Honda to shut down a production facility in Japan. Traffic cameras in the Australian state of Victoria were also infected; this infestation was traced to a third-party contractor's mistake. The industrial Internet-of-things may be inherently more susceptible to disruption by this strain of ransomware than are conventional IT enterprises. While many enterprises proofed their IT systems against WannaCry by closing a port and updating their software, things are not so simple in the industrial IoT. Many quite respectable, industry-standard industrial control systems are built on older versions of Windows, and patching them is not as simple as patching Windows out-of-the-box. The operating systems are, say, Windows XP, as modified by SCADA vendor so-and-so, and they also touch and interact with a wide variety of process control systems.

Dave Bittner: [00:02:55:24] A Kaspersky study reports that industrial control systems are being infected at disturbingly high rates. Kaspersky also says that IoT devices manufactured in Taiwan and Vietnam are often accompanied by malware. The two countries' position as leading producers of low-cost IoT devices, particularly cameras and DVRs, makes their manufacturers attractive targets of compromise.

Dave Bittner: [00:03:20:17] CrashOverride and its threat to the power grid is receiving attention at the highest levels of the US Government. President Trump has been meeting with senior advisors, both official and unofficial, to develop a defensive response to the threat. The Federal Energy Regulatory Commission is meeting today with representatives of the European Union, Canada and Mexico on risks to the electrical grid. The US Department of Energy intends to release a study of grid hacking next week.

Dave Bittner: [00:03:48:05] Europe's power industry is also at work on grid defense. In the case of the EU, the most recent developments involve an agreement this week between the European Network for Cyber Security (ENCS) and the European Network of Transmission System Operators for Electricity (ENTSO-E). The two bodies undertake to develop regulations, standards, practices, and protective measures against cyberattack. ENCS will provide the cyber expertise; ENTSO-E will contribute the operational knowledge and experience.

Dave Bittner: [00:04:20:07] We are quickly approaching the mid-year point for 2017 and one of the issues most experts agreed would be a big one this year is ransomware, and be a big one, it has, thanks to high profile attacks like WannaCry. Asaf Cidon is Vice President of Content Security Services at Barracuda Networks. And he shares his outlook on ransomware.

Asaf Cidon: [00:04:40:16] In a sense, we are gaining a lot of ground, you know, it's becoming more and more standard in a variety of security solutions. You know, obviously email security but also other email security solutions like web filters, firewalls that, you know, various technologies to block ransomware like sandboxing are really becoming a standard. And more and more customers and businesses and even consumers are aware of the problem and are taking steps to prevent it.

Asaf Cidon: [00:05:10:00] But of course the attackers are also increasing the attack and the reach of the attacks. So for example, WannaCry was really interesting. The actual ransomware itself was not that exotic; it exploited a vulnerability in the Windows SMB protocol, especially in older versions of the Windows operating system. But what was actually more interesting about it was the fact that it was a worm where, once it did infect the network, it would go within the private network of the organization and try to find other computers that it can attack.

Asaf Cidon: [00:05:44:21] So generally speaking, you know, the attacks are becoming much more rampant, it's become a very provable and repeatable economic model for the attackers that it's also becoming worse in a sense. So the threat has gone up but also the defenses have gone up lock step with it.

Dave Bittner: [00:06:02:23] And as the ransomware threat continues to evolve and change along the way, are we seeing evolution of recommended defenses against it?

Asaf Cidon: [00:06:10:24] Yes, so early on I think the most common way to defend from ransomware was, you know, end point. So your classic anti-virus was trying to employ more sophisticated anti-viruses that actually look at the behavior of the files, not just the signatures of the files. And after that, you know, people started going after the actual attack vectors or in other words, how did this malicious file even get to the end point in the first place? And so that's why, you know, protection against ransomware became more and more popular. And finally we've seen you know, an extra layer which is, let's assume that one of these ransomwares could get through, not every security system is completely perfect, and people end up clicking on various files and then that's why I kind of really focus on the back up side of it, to make sure that if your files do get hijacked then you can easily restore.

Asaf Cidon: [00:07:09:04] So I think we've just seen this evolution of a multi-layer approach where there's technologies now inserted at different layers of the stack to really mitigate the problem. So generally speaking I'd say companies that have really gone with this kind of multi-layer approach are pretty immune to ransomware at this point in time. Most of the hacks we see now around ransomware in the news are in cases where they didn't have all the layers or a certain part of the company or organization wasn't fully protected. So there are ways today to effectively deal with this problem.

Dave Bittner: [00:07:47:14] That's Asaf Cidon from Barracuda Networks.

Dave Bittner: [00:07:52:08] The Queen's Speech is out in the UK. This annual document, outlining Her Majesty's Government's policies, is unusual this year for its commitment to data security. Specifically, it removes any doubt, or at least most doubts, that the United Kingdom's exit from the European Union will also entail an exit from the EU's General Data Protection Regulation and its attendant privacy safeguards. Whatever else Brexit means, it apparently won't mean saying farewell to GDPR.

Dave Bittner: [00:08:22:11] US Congressional hearings on Russian election meddling conclude that many states were prospected, twenty-one to be exact, but also that vote counts were not manipulated. The meddler, as represented in testimony, is by consensus Russia, and its activity, while not unprecedented in motivation or intent, was unprecedented in its use of the Internet.

Dave Bittner: [00:08:44:02] Senator Rubio pointed out in the course of the hearings that voter fraud was unnecessary, at least from the Russian point of view. If the Russian objective was to undermine trust in the American electoral system, mission accomplished.

Dave Bittner: [00:08:57:10] In addition to undermining confidence in election processes, Russian services seemed interested in gathering personally identifying information that they made some use of in spearphishing attempts. That use of compromised data suggests the potential seriousness of Republican National Committee contractor Deep Root Analytics' inadvertent exposure of voter information on an unsecured Amazon S3 account.

Dave Bittner: [00:09:22:08] Kaspersky Labs has brought an antitrust complaint against Microsoft before the European Commission. The basis of the complaint is Kaspersky's allegation that Microsoft is using its dominant market position to unfair advantage, by disabling, in Windows 10, security software other than Windows Defender. This week Microsoft said that, well yes, Windows 10 does block some security products, but that's due entirely to compatibility issues, not to any attempt to favor Windows Defender. Most of the industry press views this as a left-handed confirmation of one of Kaspersky's allegations.

Dave Bittner: [00:09:59:02] Business email scams continue to bite. A New York State judge lost more than a million dollars when an email spoofing her attorney instructed her to transfer just over a million dollars to a certain bank account. She did so and the controllers of that bank account promptly shifted the money to a different account in a Chinese bank, where, of course, it's gone baby gone.

Dave Bittner: [00:10:20:19] It would be easy to regard this as astonishing carelessness, but not so fast. The scam was carefully crafted and its victim not notably clueless. The criminals knew she was negotiating the purchase of an apartment and baited the hook accordingly. So all who've never fallen for a con, feel free to cast the first stone, but we won't.

Dave Bittner: [00:10:42:12] Finally, a survey Lastline conducted at the 2017 Infosecurity Europe conference found that half of all information security professionals would prefer a root canal to reporting a data breach to their board of directors. Lastline looked for a silver lining: "On a more positive note, it does show that cyber security has risen up the board's agenda." To this we say to security professionals, come on, it's not that bad. We saw CISO communication with the board modeled Tuesday at SINET's Innovation Summit, and it didn't look bad at all. Of course a little Novocaine couldn't hurt, or laughing gas.

Dave Bittner: [00:11:26:18] I'd like to take a moment to tell you about our sponsor, ThreatConnect. They're offering a valuable opportunity for individual researchers to get started with threat intelligence at no cost. That's right, it's free, and it's called TC Open. TC Open allows you to see and share open source threat data with community support and validation. Once you sign up, you'll have immediate access to more than 100 open source intelligence feeds, access to threat, incident and adversary data, and the ability to collaborate on or consume active and historic indicators, incident and threat data. More importantly, you'll be able to validate your findings with peers in the growing ThreatConnect common community. Get the details and sign up today for TC Open at threatconnect.com/free; that's threatconnect.com/free. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:12:23:08] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:12:29:08] Hey thanks Dave.

Dave Bittner: [00:12:30:17] You and I were chatting about the RF radio spectrum and this notion that, you know, in the old days you sort of have this image in your mind of ham radio operators sitting in their basement with a big stack of equipment and a big antenna farm and a headset and a microphone in front of them, but RF monitoring is a lot more accessible than it used to be.

Joe Carrigan: [00:12:51:11] That's right, in fact, Hackaday on June 5th had an article talking about using a device called HackRF One to listen in on old cordless phone conversations. So these cordless phones operate in various spectrums, 900 MHz all the way up to, I think, 5.8 GHz.

Dave Bittner: [00:13:12:02] I remember the first generation you could actually tune them in. If you had an AM radio that could go to the high AM radio scale, you could listen in on your neighbor's conversations, or so I'm told.

Joe Carrigan: [00:13:23:18] Or so you're told. Well, here's the interesting part: HackRF One, we actually have one of these devices at the institute. We use it for analyzing the traffic that goes on between different devices we're trying to investigate or trying to break. That device is now less than $300 and it has a very broad spectrum. I think it goes up to 6 GHz, you know, remarkably effective. You connect it to a Linux box, which is free, you download some free software, and it can interpret the signals. And bam, you're listening in on whatever is on the airwaves.

Joe Carrigan: [00:13:57:15] Even cheaper than that, you can get on Amazon and order a USB software-defined radio, these are called software-defined radios, for about 20 bucks that will listen to the broadcast spectrum for TV and radio. And that's a device that's 20 bucks, and there's a lot of stuff that happens in there. For example, all the commercial airliners have these navigation transponders on them. And you can download software that dumps those signals so you can see planes that are flying over your house, know which airliner it is, where it's going and where it's coming from.

Dave Bittner: [00:14:31:01] So I guess part of the notion in terms of the security aspect of this is that there's no longer really a barrier to anyone who wants to listen into RF spectrum to do so.

Joe Carrigan: [00:14:40:24] Exactly, exactly. There's no barrier to that in the United States, I don't think there's a legislative barrier to it because the concept is that the airwaves are owned by the public. So you can't assume that just because you're broadcasting over a spectrum that doesn't come out of some off the shelf device, well, now it does come out of an off the shelf device because you can buy a relatively inexpensive off the shelf device that can listen to any part of the spectrum.

Dave Bittner: [00:15:07:05] Right, so if you're transmitting, assume that someone out there may be listening or certainly has the capability of doing so.

Joe Carrigan: [00:15:13:22] Correct.

Dave Bittner: [00:15:14:08] All right, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:15:16:07] My pleasure Dave.

Dave Bittner: [00:15:19:14] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:15:31:15] Thanks to all of our supporters on Patreon. You can find out more at patreon.com/thecyberwire. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik; social media editor is Jennifer Eiben. Technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.