Cyber concerns about naval and maritime shipping operations. AWS S3 data exposure. Game of Thrones hack. NHS breach? Killer robots. Scareware.
Dave Bittner: [00:00:01:04] If you are a fan of the CyberWire, the best way you can show your support is by going to patreon.com/thecyberwire and signing up to become a regular supporter. Thanks.
Dave Bittner: [00:00:14:07] Maritime hacking worries, with potential risks to navigation, cargo handling, and manifest data. ISIS increases online terror inspiration even as the Caliphate's physical territory shrinks to insignificance. Another misconfigured AWS S3 bucket exposes business data. "Mr. Smith" says he's going to release the Game of Thrones season finale. The UK's NHS may have been breached. Google pulls 500 backdoored apps from the Play store. Fear of robots. Fileless cryptocurrency miner is installed through EternalBlue. And Scareware scares web surfers.
Dave Bittner: [00:00:52:19] We've got a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at e8security.com/ai-ml. We all know that human talent is as necessary to good security, as it is scarce and expensive, but machine learning and artificial intelligence can help your human analyst scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that, while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach, in fact unsupervised machine learning can show the humans something unexpected, cut through the glare of information overload and move from data to understanding. Check out e8security.com/ai-ml and find out more. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:59:24] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bitter, in Baltimore with your CyberWire summary for Tuesday, August 22nd, 2017.
Dave Bittner: [00:02:10:19] Worries about maritime hacking continue. Monday's collision between the destroyer USS John S. McCain and the merchant tanker Alnic MC in the Straits of Malacca has aroused speculation that shipboard navigational and safety systems might have been deliberately interfered with. This is, we note, speculation. Such suspicions are based, it's important to say, on a priori possibility overlaid with what observers are calling an unusually high rate of collisions involving the US Navy: there have been four such collisions, all of them in the Western Pacific, over the past year. The US Navy is investigating, and undertaking an immediate review of seamanship throughout the fleet, surely sensible steps. The results of the inquiry will be of considerable interest. In the meantime, spare a thought for the sailors missing or injured in the collision.
Dave Bittner: [00:03:01:06] There is one ship-system hacking threat that's more than speculative. People are now recalling the incident on June 22nd in which Russian operators engaged in GPS spoofing that affected navigation in the Black Sea. That's being cited as a proof-of-concept, and not as attribution. If there were some form of cyberattack in the Western Pacific, both China and North Korea would be the usual suspects.
Dave Bittner: [00:03:26:17] Pseudo Ransomware similar to NotPetya may have been implicated in the reported incident at China's Shengli oilfield. Information on whatever happened at Shengli remains as sparse as it is suggestive: there have been no updates since Reuters broke the story Monday.
Dave Bittner: [00:03:44:04] Another misconfigured Amazon S3 bucket has exposed its data. This time the affected business is hospitality booker Groupize. The exposure was found by researchers at Kromtech, the security company that counts MacKeeper among its brands. Kromtech reported their findings to Groupize on August 9th, Groupize had rendered the data inaccessible by August 15th. The information exposed included business and personal data in the form of contracts, paycard credentials, names, and so on.
Dave Bittner: [00:04:17:06] "Mr. Smith" is threatening to release the season finale of Game of Thrones. The hacker's ransom demands are still unmet by HBO, and this is probably HBO's best course of action, and so "Mr. Smith" has posted material that indicates he may have indeed obtained the material he claims to hold. "Mr. Smith's" second release of stolen HBO material last week was less impressive than the first round.
Dave Bittner: [00:04:41:16] How prepared is your organization in the event of a new zero-day and how do you know if your incident response plan, assuming you have one, will be effective in protecting you and minimizing risk. We checked in with Dan Larson, from CrowdStrike for some strategies organizations can adopt to help them get ahead of the problem.
Dan Larson: [00:04:59:21] Well they need to think about it in three phases. You know, what can you do ahead of time, you know, hardening the environment and that sort of thing can be helpful, but what really moves the needles is doing exercises, like penetration testing, red teaming, tabletop exercises, doing an overall risk assessment, even basic stuff, like getting an IR retainer in place. Those things will help you immensely understand your exposure and help you minimize both the likelihood and the impact of an event. But then if we move forward and we think about, you know, at the point of an attack, you know, what can you do if there is software in your environment that has a zero-day vulnerability, obviously, endpoint security products have anti exploit capabilities and it's important that you have those, that you turn them on, that you keep them up to date and you do that work. In fact, new products include new technologies, machine learning, artificial intelligence, behavioral analytics, that significantly move the needle in your ability to stop zero-days.
Dan Larson: [00:05:59:19] But I also think it's really important to note that this notion of stopping the threat at the point of the attack is a guaranteed way to solve the problem. What we have learned, over the last couple of years, you know, I can just use WannaCry with Eternal Blue and Double Pulsar as an example. As much as everybody wants to block those at the point of attack, we have learned that security products, as a whole, have not been very effective in zero-days. So, for example, the testing company, MRG Effitas, at the time of that attack, rounded up all the security products and found that only three of them, and keep in mind, there's more than 100 of these available, and only three of them could stop the exploit at the time of the attack. If we accept that as the new reality, we then have to start asking the question, okay, if we have this general problem of stopping things at the point of attack, especially when there are zero-days, you know, how can I still end up in a secure state? And that's why now there's a lot of conversation around understanding, sort of post exploitation activity.
[00:07:03:12] If I work from the assumption that, you know, a breach is inevitable, that it's going to happen to me, what can I do to reduce the impact of that event, or to basically stop the malicious activity before it becomes a full blown breach? Or before the real damage is done? And that's where new solutions, especially EDR products, with their behavioral logic, you know, they're looking for telltale signs of attacker behavior. So it could be credential theft, it could be privilege escalation, it could be lateral movement. It could even be trying to encrypt files or destroy files or leak files. These are all criminal or adversary behavior that we can now understand as the attack is happening on the end point, and not only detect that malicious activity, but block it. So there's kind of, you know, cascading reduction of risk as you go through the process, you know. Be as prepared as you can. Implement the best prevention tech you can at the time, or at the point of attack, but you have to accept the reality that that'll never be 100% effective. So you need to think about, you know, what happens in the case where the attacker is successful and gets on the network? And do you have the tools, process and technology to mitigate the event before the real damage is done.
Dave Bittner: [00:08:21:20] That's Dan Larson from CrowdStrike.
Dave Bittner: [00:08:26:00] Britain's National Health Service has sustained a breach in its SwiftQueue appointment service. The hacker, or hackers, claiming responsibility represents himself, or herself, or themselves as performing a public service, exposing security flaws. The incident is under investigation, but SwiftQueue says that it simply doesn’t hold the quantity of data the hackers claim to have accessed.
Dave Bittner: [00:08:50:03] Google has pulled about 500 apps from its Play store. They contained compromised versions of development kit Igexin that effectively installed a backdoor for spyware.
Dave Bittner: [00:09:02:07] There are many worries about the robot menace being expressed this week. Elon Musk is the most prominent celebrity robophobe, he's warning of the dangers of combat-capable robots armed to kill, and calling for some sort of convention to restrict their deployment. It's perhaps worth noting in this regard that similar worries have been around for well over a hundred years, the first inhumane robot on record, which appeared before the word "robot" was coined, is probably the Whitehead automotive torpedo, widely condemned at the turn of the Twentieth Century as the "devil's device." Still, there have been advancements in lethality since Whitehead's day, and the automotive torpedo was limited in range and not susceptible to hacking, so Musk's concerns aren't frivolous. A more proximate threat, however, may be the exposure of industrial robots to cyber threats. Observers are especially spooked by recent demonstrations by IOActive of the hacking of "cobots"—robots that collaborate with one another in various industrial processes.
Dave Bittner: [00:10:03:22] Researchers at Trend Micro notice the convergence of three tech trends in a single threat. They've found, trend one, a cryptocurrency miner that's surreptitiously installed using, trend two, EternalBlue for distribution. And the miner is, trend three, fileless. Trend Micro detects the winner of this trifecta as "TROJ64_COINMINER.QC".
Dave Bittner: [00:10:29:13] In industry news, eSentire announces that it's received a significant growth equity investment round from Warburg Pincus. The amount is not yet publicly available, but it's believed to be unusually large.
Dave Bittner: [00:10:43:07] Do you have a guilty conscience over something? Find yourself looking over your shoulder while you're getting in some screen time? Well, the guilty flee when no one pursueth, or so they say. Scareware has reappeared in Japan, where people browsing over to adult sites find themselves greeted by a convincing warning that appears to be from the National Police Authority, telling the sites' users that the jig is up and the National Police want a cut. Be reassured, users, the National Police want you to know it's not them. You're fleeing when no man pursueth. And think about it, are the police actually likely to fine you online? The National Police do advise Internet users to be cautious about where they go and what they do online, but that's because of the risk of cybercrime, not because the police are watching.
Dave Bittner: [00:11:28:09] And there's an extortion scam being run against users of adult sites in Australia. This one is different in that it's openly criminal, with no pretense to being a law enforcement operation. The crooks demand payment, in Bitcoin, of course. If you don't pay up, they'll expose you, and that exposure will include "posting video," a threat the specifics of which we'll leave as an exercise for you, our listener. In any case, the guilty flee where no one pursueth, but the righteous are as bold as the lion. So be righteous to each other, friends. Be righteous.
Dave Bittner: [00:12:06:07] Now I'd like to tell you an upcoming Webinar from our sponsor Delta Risk. With threats to the healthcare industry at an all time high, IT and information security professionals in hospitals, healthcare provide firms and insurance firms have more concerns than ever about patient data and business continuity. In the 45 minute webinar, "Preparing for Cyber Risks to Healthcare Operations. Be Ready not Sorry" experts from Stanford Children's Health, Delta Risk and Huntzinger Management Group will discuss essential elements of how to respond to a cyberattack and properly prepare a business continuity plan. Save the date for August 23rd at one p.m. Eastern time, by visiting deltarisk.com/resources/webinars. Delta Risk LLC a Chertoff Group company is a global provider of cyber security services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com and reserve your seat for this interactive discussion. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:13:12:09] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cyber Security Center. Jonathan, welcome back. You know, you and I were talking about an article that came by, that was talking about some claims improvements in encryption and you were a bit skeptical of it, and it really brought us to the notion that, with a subject this complex, how do you sort through and make sure that someone isn't trying to sell some snake oil?
Jonathan Katz: [00:13:40:15] Yeah, that's a great question, and I can imagine, actually, that for people out there who are not experts in cryptography, when they're reading something on the Web, or they're reading about some new product, it can be very difficult for them to tell whether something is an actual advance in technology, or whether it's really a lot of marketing hype. And the one thing that I usually look for, in particular, is number one, that the algorithm, the new crypto system that's been touted, should be described very clearly and publicly. You want the system to be out there. You want it to be secure, even in the event that people know all the details of the system. Of course, not the secret key that's being used, but all the details of the algorithm. And you actually want people to go and study the algorithm and look for potential flaws, or to analyze it and show that it's secure. So one of the first things I look for is that they make the algorithm public and they clearly describe it, and also have it analyzed and peer reviewed by the scientific community.
Dave Bittner: [00:14:36:03] Now when you're looking over a press release from someone who's, you know, claiming some new breakthrough, are there certain things that stand out to you that maybe point to perhaps it not being everything that it claims to be?
Jonathan Katz: [00:14:47:20] Yeah, so besides what I just mentioned, the other things I look for are a lot of marketing buzzwords that actually don't have any technical meaning. So I'm looking at this particular article you forwarded me and they're talking about using what they call heuristic random wave envelopes. And I have no idea what that is. I've never heard that term before. Maybe it's a term from physics. It's not a term in cryptography, and so I can't really tell what that is. And the fact that they can't explain what it is in simple English, kind of is a warning sign to me that they're just trying to obfuscate things, rather than clarify things.
Dave Bittner: [00:15:21:04] So looking at it from the point of view of a company who's trying to develop new technology, doesn't that kind of box them in, if people are resistant to them having trade secrets, or is cryptography just an area where trade secrets might not be the best thing to have?
Jonathan Katz: [00:15:36:19] No, I think absolutely, you don't want trade secrets in this area. What you want is algorithms that are widely published and so, in fact, one of the first things I look for when I'm looking at a new company in China to evaluate their technology, and this actually goes beyond crypto, is a white paper, just explaining, number one, what the technology is doing, how it's different from prior work, and then also an explanation at some level, in some technical detail, of the protocol itself.
Dave Bittner: [00:16:01:20] That's a good cautionary tale. Jonathan Katz, as always, thanks for joining us.
Dave Bittner: [00:16:07:21] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Thanks to all of our supports on Patreon. We really do appreciate it. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.