The CyberWire Daily Podcast 8.8.17
Ep 408 | 8.8.17

Power grid risks. Update on the Mandiant employee hack. "Mr. Smith" holds HBO for ransom. Shipping industry looks for GPS backup. DHL sees a NotPetya windfall. Google patches ten Android remote-code execution vulnerabilities. NIST issues a Cybersecurity Workforce Framework.

Transcript

Dave Bittner: [00:00:00:18] The CyberWire podcast is made possible by listeners like you who support us through our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:04] A security incident at EirGrid, a misconfigured server in Texas and a demonstration of photovoltaic system hacking prompt power grid security concerns. Updates on the Mandiant employee hack. "Mr Smith" holds HBO for ransom but says, "No, he's really a good guy." The shipping industry looks for GPS backup capability and shippers not hit by NotPetya enjoy an increase in business. Google patches ten Android remote code execution vulnerabilities and NIST issues a Cybersecurity Workforce Framework.

Dave Bittner: [00:00:49:22] We've got a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free White Paper that explains these new but proven technologies at e8security.com/ai-ml. We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analyst scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the human something unexpected? Cut through the glare of information overload and move from data to understanding. Check out e8security.com/ai-ml and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:57:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 8th, 2017.

Dave Bittner: [00:02:08:03] It's come to light that Irish power utility EirGrid sustained a security breach earlier this year, apparently a man-in-the-middle attack through Vodafone's Direct Internet Access Service. It was a data collection operation, not an attack on power distribution itself, but the incident is attributed to an unspecified "state sponsored hacker" and it's worth noting that attacks on Ukraine's power grid were preceded by collection. So whether this is battlespace preparation or a more ordinary intelligence service sweeping in what's there to be swept up remains to be seen.

Dave Bittner: [00:02:41:22] And, of course, infrastructure is vulnerable to more obvious, less exotic risks as well, including the now familiar issue of inadvertently exposed databases. UpGuard's Chris Vickery found a misconfigured Rsync server that exposed customer data, involving critical infrastructure for the City of Austin, Texas, and such private companies as Dell, Oracle and Texas Instruments. The server is maintained by Power Quality Engineering. The data exposed, Vickery said, includes schematics, plans and of course credentials.

Dave Bittner: [00:03:14:24] We've seen reports on the vulnerability of solar power systems to hacking. Recent reports that solar power systems were vulnerable to attack are on one obvious level unsurprising. Why should solar be immune to attacks when coal, diesel, nuclear, wind and hydropower generation systems aren't?

Dave Bittner: [00:03:31:20] The answer of course is that solar systems are themselves connected to the grid and unless you're truly living off the grid, in that fishing camp you've retired to in the Aleutians, say, well, you may not be interested in solar systems but a hacked solar system might be interested in you. Research into vulnerabilities in SMA solar systems shows that a successful attack could well cascade across the grid as a whole.

Dave Bittner: [00:03:56:16] The research, conducted by Willem Westerhof, a security engineer at ITsec Security Services in Amsterdam, took as its starting point the increasing number of photovoltaic installations on the grid, their high degree of Internet connectivity and the interconnection of the power distribution system itself.

Dave Bittner: [00:04:14:15] The European grid has over 90 gigawatts of photovoltaic capacity in it. Causing that capacity to fluctuate suddenly could induce load balancing issues that could severely disrupt the grid as a whole.

Dave Bittner: [00:04:27:12] Westerhof also says the vulnerabilities he disclosed still haven't been patched.

Dave Bittner: [00:04:33:00] It can be a challenge to keep your business critical applications patched and up to date. The folks at Onapsis Research Labs provide intelligence on Oracle and SAP security threats. We spoke with their Chief Technology Officer, Juan Pablo Perez-Etchegoyen, about vulnerabilities affecting Oracle business critical applications.

Juan Pablo Perez-Etchegoyen: [00:04:52:18] This is not an SAP program, it's a program of the business critical applications. Because all these applications are very complex with prototype protocols, heavily integrated, heavily customized, very critical. We started researching on Oracle E-Business Suite and a new research project that we started early this year, we went deeper into Oracle E-Business Suite and identified a lot of different vulnerabilities. One of the most critical vulnerabilities was patched by Oracle in the latest CPU was an arbitrary reports download or arbitrary download of files from the Business Suite. We were able to go deeper into the web interface and understanding how it works, which are the components, and because of that we were able to identify multiple vulnerabilities and overall we've reported over 250 already to Oracle.

Dave Bittner: [00:05:48:09] And what has Oracle's response been to your reporting? Have there been patches issued?

Juan Pablo Perez-Etchegoyen: [00:05:53:06] Well, these specific issues I was mentioning was patched. Other of the issues that we reported were patched. They are still working on other issues as well but, yeah, they have been-- actually they have been very responsive in these specific vulnerabilities. We reported them in April and in July there was already a patch for this one and some others as well. I assume they take this very seriously because of the, the nature of the application, how critical it is and also how critical these vulnerabilities are.

Dave Bittner: [00:06:26:24] And so you've discovered these vulnerabilities through your research. Was there any sense that any of these vulnerabilities were being exploited in the wild?

Juan Pablo Perez-Etchegoyen: [00:06:35:16] Well, that's the hardest part of all this, right? It's very challenging to identify if someone is actually abusing of those vulnerabilities in the wild. We have not seen any evidence but that doesn't mean that they are not being exploited.

Dave Bittner: [00:06:51:01] And so for those people out there who are using some of these Oracle applications, what's your advice to them?

Juan Pablo Perez-Etchegoyen: [00:06:56:14] We understand that the patching process in business critical applications is really complex. Most of the times they do not even get the, the change matching windows or, or they get a very small time frame to do changes. But despite that, the recommendation is to apply the patches. Go back to your DBA teams and make sure they understand how critical these vulnerabilities are and how important it is to be up to date in the NIST applications in terms of patching.

Dave Bittner: [00:07:26:17] That's Juan Pablo Perez-Etchegoyen, you can see why most of his friends just call him JP, he's from Onapsis.

Dave Bittner: [00:07:35:11] To follow up on the story of the 31337 Group's hack of a Mandiant employee, corporate parent FireEye's investigation appears to confirm its initial take on the incident. It appears to have affected one employee's online accounts and any damage seems to have been limited and now contained. A tip of the hat by the way to Jason DeFillippo at the Grumpy Old Geeks podcast for pointing out that 31337 translates to "Elite" in hacker-speak. Of course it does.

Dave Bittner: [00:08:05:10] "HBO is falling," or so "Mr Smith" would have everyone believe. More Game of Thrones material has been released and the attackers' motive has come into clearer focus. They're asking for millions in extortion payment from HBO. A letter from the hackers, they sign as "Mr Smith" says, quote, "Our demand is clear and non-negotiable, we want, and the amount has been redacted, dollars to stop leaking your data. HBO spends 12,000,000 for market research and 5,000,000 for GOT7 advertisement. So consider us another budget for your advertisements," end quote. Well, that's one way of thinking about it, we suppose. "Mr Smith" also says implausibly that it's not about the money, that they wish HBO all the best and just want to become the cable giant's partner. Their claim of white hat status is of course not being taken seriously. The incident remains under FBI investigation and most observers think the most damaging leak has been that of the script to an as-yet-unreleased episode of Game of Thrones.

Dave Bittner: [00:09:10:09] The shipping industry continues to experience material effects from the NotPetya infestation that spread outward from Ukraine beginning this past June. Not all those effects however have been bad ones. At least one shipper, German package delivery outfit DHL, was not hit by the malware epidemic and has seen an increase in its business, as frustrated customers shift their trade from infected shippers to DHL.

Dave Bittner: [00:09:35:17] The maritime shipping industry is concerned about the vulnerabilities of GPS and is looking to reestablish manual navigation as a backup should GPS suddenly turn unreliable. GPS represents an attractive target for cyberattack by criminals, hacktivists or nation-states, and even as efforts to harden it proceed, the logistics sector seems to be preparing for the worst, in the form of regaining various old-fashioned kinds of navigational expertise.

Dave Bittner: [00:10:04:10] Google issued its August Android update yesterday. The fixes patched ten critical remote code execution bugs.

Dave Bittner: [00:10:11:18] In the US, NIST has released its new Cybersecurity Workforce Framework. Special Publication 800-181 was circulated yesterday. The goal of the framework, developed by NIST-led National Initiative for Cybersecurity Education, or NICE, is to promote cyber workforce development.

Dave Bittner: [00:10:31:01] The NICE framework establishes a "common, consistent lexicon to describe cybersecurity work by category, specialty area and work role." It also provides a list of knowledge, skills, abilities and tasks for each such work role. It's hoped that the framework will help foster the emergence of clear training, education and career paths for cybersecurity.

Dave Bittner: [00:10:58:00] Now a word from our sponsor, the upcoming Cyber Security Conference for Executives. The Johns Hopkins University Information Security Institute and COMPASS Cyber Security will host the event on Tuesday, September 19th in Baltimore, Maryland, on the Johns Hopkins Homewood Campus. You can find out more and register at thecyberwire.com/jhucompass. This year's topics will include threats and innovation responses to them, cybersecurity regulations, cloud security and third party vendors, high profile digital forensics, your rights in a digital age and building your enterprise's cybersecurity road map. Learn about the current and emerging cybersecurity threats to organizations and how executives can better protect their enterprise's data. Check out the details online at thecyberwire.com/jhucompass. And we thank the Cyber Security Conference for Executives for sponsoring our show.

Dave Bittner: [00:11:57:22] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:12:03:17] Hi, Dave.

Dave Bittner: [00:12:04:03] Alright, so we are going to wade in to a conspiracy theory.

Joe Carrigan: [00:12:07:12] I love conspiracy theories. Are we talking about chemtrails, because that's my favorite?

Dave Bittner: [00:12:10:00] No, no. No, no, no, it's not chemtrails, it's not, it's not Bigfoot, it's not nothing. But, but, okay, so here's, here's the scenario. You're having a conversation with a friend, you are not logged into your-- any computer or anything like that and you're just talking about something, you're talking about some product that you might be interested in and immediately after that you start seeing ads for that product.

Joe Carrigan: [00:12:33:16] Uh huh, odd because-- it, it's interesting because yesterday I had this conversation with another person as well.

Dave Bittner: [00:12:41:05] Yep. Me too actually.

Joe Carrigan: [00:12:42:07] She was saying that she has noticed a, a trend in her advertising that has to do with conversations, things she's not necessarily searched for. Everybody knows when you search for something on Google or when you use Gmail, or Facebook, you start getting targeted ads. But what she has said she's noticed, and I've noticed this too and apparently you've noticed, is that things that you've discussed in conversation are now coming up in ad engines. And you're pointing to a conspiracy theory mindset but it's certainly not outside the realm of possibility, right?

Dave Bittner: [00:13:14:10] It's not and so Google and Facebook deny that they're doing this. Of course, we know that our devices are capable of listening to us, that's how, you know, things like when your summoning things like Siri and Alexa and so forth, they always have to be monitoring sound for that to work.

Joe Carrigan: [00:13:31:02] They have to be listening, right.

Dave Bittner: [00:13:31:21] So it's within the realm of possibility. There was actually a story in the BBC about this where they contacted some researchers who-- they sort of spun up an app in a couple of days that was a proof of concept that this sort of thing could happen. You could set-- they were using an Android phone and it could listen and not use a lot of battery power and send the things that it heard to a nearby PC that could then be used to target ads and so forth.

Joe Carrigan: [00:13:55:09] Right, but all you need to do is just upload it to some cloud service and you've got it.

Dave Bittner: [00:13:59:19] What I'm skeptical about is this seems like the kind of thing that if it were so, researchers researchers would be all over this, security researchers would be all over this and it wouldn't be that hard to figure out if it were actually happening.

Joe Carrigan: [00:14:11:06] It is a good research topic, I think. I think maybe there is somebody out there working on a PhD that would like to take this on as their-- one of their research papers.

Dave Bittner: [00:14:19:22] Well, and I haven't found any-- anything other than anecdotal evidence, which we agree anecdotal evidence is not evidence.

Joe Carrigan: [00:14:29:08] Right, it's anecdotal or it's evidence.

Dave Bittner: [00:14:30:09] That's right. So-- but there's tons of anecdotal evidence about this. People are convinced that it's happening.

Joe Carrigan: [00:14:34:24] Right, everybody has stories.

Dave Bittner: [00:14:36:18] On the other hand, the sophistication with which these tracking systems work, I think could fool you into thinking that perhaps it was listening to a conversation when it actually wasn't.

Joe Carrigan: [00:14:48:16] Correct. It would be simple enough to find out if it's happening from our phones listening to what we're talking about.

Dave Bittner: [00:14:53:21] I would think so. So here's what I propose. If we have any listeners who have actual data about this, I'm not looking for anecdotes, I'm looking for a scenario where someone has actually studied this and looked into it to try to conclude whether it's actually happening or not, please let us know. You can contact us on Twitter, it's @thecyberwire, or you can send us an email, it's questions@thecyberwire.com. We'll talk about it here, we'll probably talk about it on Grumpy Old Geeks coming up this week and see if we can get to the bottom of it.

Joe Carrigan: [00:15:25:12] All right, I like that idea.

Dave Bittner: [00:15:26:20] All right, thanks, Joe.

Joe Carrigan: [00:15:27:23] My pleasure, Dave.

Dave Bittner: [00:15:31:02] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.