The CyberWire Daily Podcast 8.24.17
Ep 420 | 8.24.17

Cyberattacks that may not have been. Ropemaker corrupts email after delivery. Concerns about companies working for intelligence services.

Transcript

Dave Bittner: [00:00:04:03] Two potential state cyberattacks look more like, respectively, an accident and a conventional crime. US Government officials double-down on warnings of Kaspersky connections to the Kremlin. And Australia's government isn't buying Huawei's protest that it's not working for the PLA either. Ropemaker attacks could inject malicious code into email after it's been delivered. And some teasers on the Chertoff Group's Security Series.

Dave Bittner: [00:00:35:04] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than Artificial Intelligence. Unless maybe it's Machine Learning. But it's not always easy to know what these could mean for you. So go to e8security.com/ai-ml and see what AI and Machine Learning can do for your organization's security. In brief, they offer not a panacea, not a cure all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and Machine Learning are the technologies that can help you do it. So visit e8security.com/ai-ml and see how they can help address your security challenges today. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:33:03] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, August 24th, 2017.

Dave Bittner: [00:01:43:06] We begin with two cautionary tales of commendable caution. First, the US Navy hasn't ruled out the possibility that a cyberattack may have contributed to the collision between the destroyer USS John S. McCain and a merchant tanker in the Straits of Malacca off Singapore this week. That possibility, however, now seems increasingly unlikely. The commander of the US 7th Fleet has been relieved; his seniors have "lost confidence" in his leadership of the Fleet.

Dave Bittner: [00:02:11:23] Suspicion that there could have been a cyberattack at the root of the tragedy was based on the a priori possibility that navigation technology could be affected by a threat actor. Indeed, there were reports in June of GPS spoofing conducted by Russian operators against shipping in the Black Sea. That spoofing appears to have been a trial or proof-of-concept.

Dave Bittner: [00:02:32:08] There were other reasons to find the collision suspicious. It was the fourth collision involving a 7th Fleet ship in less than a year, which struck many observers as far too high for coincidence. The investigation continues and is likely to be thorough. We'll follow the story as it develops, but for now at least, it seems the incident was one of seamanship, not cybersecurity.

Dave Bittner: [00:02:54:17] The other story is out of Ukraine, which today celebrates the anniversary of its independence. Authorities in Kyiv have been concerned that the anniversary would see some renewal of state-sponsored cyberattack, which by consensus means Russian-directed. The sorts of attacks the country sustained include the BlackEnergy grid hacking incidents and, of course, NotPetya, the pseudo ransomware attack that moved quickly from its initial Ukrainian infestations to become a pandemic. Many of the concerns expressed centered on a pseudo ransomware rerun, and it appeared briefly that such a campaign was in progress.

Dave Bittner: [00:03:30:04] The web server of Crystal Finance Millennium, an accounting software firm based in Kyiv, has been found compromised with Purgen ransomware. But this attack seems simply criminal, not state-directed as was the case with NotPetya. Purgen has been on the servers since August 18th, according to Kaspersky Labs, and security firm ISSP's analysis of the malware indicates that it's in all likelihood conventional ransomware being distributed with the aim of extorting money from its victims.

Dave Bittner: [00:03:59:23] The two stories are worth considering. They indicate the high degree of readiness people now have to see cyberattacks, especially state-directed espionage and sabotage, behind incidents that may in fact be simply criminal or accidental. It's good that general awareness of cyber risk is high, and that people also understand the degree to which cyberspace has become a domain of international conflict. But it's also important to bring some healthy skepticism to the discussion. Attribution and even understanding can be notoriously difficult, and, for all the warnings we've seen over the past two weeks of an impending cyber Pearl Harbor, or cyber 9/11, it's worth reflecting that we're at least as likely to experience a cyber Tonkin Gulf incident, where what we perceive as an attack turns out in the end to have been nothing at all.

Dave Bittner: [00:04:48:07] Christopher Pierson is Chief Security Officer and General Counsel for Viewpost, a secure payment network provider, and he's a regular guest here on the CyberWire. I caught up with him after Black Hat and DEFCON for his take on the trends he sees coming from those shows.

Christopher Pierson: [00:05:03:07] DEFCON this year was interesting. Three real kind of high level takeaways from the event. The first was that, when you take a look at application security, we still are not addressing this correctly. The services, the devices, the things that are being built, we're not building security in from an engineering perspective. So, I think that's the first and foremost thing that we have to tackle. We have to make sure that we're building new products, new services, new devices securely and safely. And that starts with good engineering, good QA, good testing and good service security awareness in the applications, first and foremost.

Christopher Pierson: [00:05:44:06] Second, the cloud controls. Cloud controls are definitely, definitely gaining in wisdom, gaining in expertise. At this point in time, I think there's kind of a full shift from both Black Hat and DEFCON, in terms of acceptance within the server security community, that there are a sufficient number of, and type of, and diversity of cloud controls that are there to protect and safeguard data that we are storing in those instances. And then third, this kind of focusing on the user, the end user, and how are we actually enabling them for security. Are we actually providing them the security controls that they need, in a transparent manner? So that we're moving security away from their task, their goal, their to-dos, because whether it be patching or anti-virus or VPN or our firewalls, certainly we're seeing the same patterns exist in users, year after year, with little change.

Christopher Pierson: [00:06:42:18] We need to do something differently there, almost like the card based world of chip and PIN and moving into a tokenized basis for electronic transactions, as opposed to mandating that PCI be this requirement of the mom and pop shop. So really pushing that further up the food chain. So those are kind of three high level takeaways from DEFCON in terms of overall observations.

Dave Bittner: [00:07:06:03] What about incentivizing? You know, we talk about, particularly with IOT devices, if the manufacturer has no incentive to do anything other than build a cheap device that people will buy on Amazon and the user has no incentive to change the password or even update the firmware on the device if a vulnerability is discovered. How do we put in proper incentives to make these things safer?

Christopher Pierson: [00:07:29:08] Yeah, I think that this is an area that we have to get better at. I mean, I can see this in really two different areas. So first, incentivizing companies to build safer, more secure products. Also, make sure that they're adequately updated, that the firmware's being updated, that they're staying on top of things once these products are pushed out into the market. It isn't simply good enough to produce the device, you have to maintain the device in a safe and secure fashion, especially with IOT, as these devices make their way into the homes. And I think that we can do a lot there through tax incentives and other types of economic incentives for companies.

Christopher Pierson: [00:08:08:02] The other thing that I think is interesting is that on the build process, I think that there's a role for tax incentives to play in hiring. So for example, maybe one out of every 30 individuals at the company, if they have a job that is, you know, security development life cycle engineer, where they're actually taught cybersecurity practices, best practices in engineering, you know, maybe OWASP Top 10 or SANS Top 20 threats. If they're actually taught about those and can more safely code with those in mind, there'd be some type of economic incentive that's paid back to the company. Maybe it's half their salary as a tax rebate, maybe there's something in terms of education dollars, so that you can actually take your current engineers and existing engineers and go ahead and provide for education that's free and clear and sponsored in some form or fashion. Maybe even by the government. And get education and training on secure development practices into the hands of the engineers.

Christopher Pierson: [00:09:08:04] That's probably one of the biggest things. We need to stop, we can't necessarily stop everything on the back end in terms of firmware updates and patching and all the rest, we have to tackle this problem on the front end, which is better end codes, safer end code, cybersecurity being a part of each product and service and really built in on the front end. I think if we have some large scale IOT, especially IOT, outages in this area or impacts in this area, that impact to the personal safety and privacy of the home, I think you may see some movement in the right direction. But without that, the consumer is still fairly ill-informed. And our products, I mean, especially from DEFCON, the number of hacks of IOT devices and the ease of penetration in the IOT, like Capture the Flag exercise. Oh, it's just mind-boggling. Very, very easy hacks, very easy compromises, very easy vulnerabilities, that should never have been in the products, should never have rolled out to market with some of those easy hacks.

Dave Bittner: [00:10:08:06] That's Christopher Pierson from Viewpost.

Dave Bittner: [00:10:12:02] The United States Government, in the form of both the FBI and the White House cybersecurity lead, continues to express concerns that Kaspersky products could be, in effect, virtual moles, working for Russia's FSB and reporting back to Moscow.

Dave Bittner: [00:10:26:13] Australia's Government is similarly cautious about Huawei, which it wishes to block from installing a communications cable for the Solomon Islands that would transit Australian territory and networks. In this case the concern is that Huawei products are a cat's paw for Chinese intelligence services. Both Kaspersky and Huawei say the suspicions are groundless, and point out that the business they do with Moscow and Beijing is legitimate, no different from what a Silicon Valley company might do for Langley or Fort Meade.

Dave Bittner: [00:10:56:22] The security firm Mimecast warns of "Ropemaker," a method of altering the content of emails after they've been received. A threat actor could inject malicious content via remote CSS files. Mimecast hasn't seen Ropemaker used in the wild, yet.

Dave Bittner: [00:11:13:15] We were at the Chertoff Group's Security Series in Palo Alto, California yesterday, and we'll have accounts of the proceedings tomorrow. As a teaser, however, we'll ask two questions that the Chertoff Group posed to the audience. First, what does a medieval scholastic and Catalan poet have to do with Artificial Intelligence? And second, since when did being disruptive become a good thing and not something that earned you a trip to the vice principal's office? Write your answer 500 times on the blackboard, Silicon Valley. Look for answers to these and other questions raised at the conference in tomorrow's CyberWire Daily News Briefing.

Dave Bittner: [00:11:53:04] Time to tell you about some research from our sponsor Delta Risk. Every year Delta Risk conducts hundreds of cybersecurity assessments, including penetration testing for a wide range of commercial and public sector clients. Their pen testers identify the attack vectors bad actors most commonly use to get initial access to a network. Download Delta Risk's eGuide, Hackers' Secrets Revealed: Five Lessons Learned from Security Assessments, to get the full technical findings from external pen tests, otherwise known as ethical hacking. You'll find this guide at deltarisk.com/lessons-eguide. Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:12:52:19] Joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back. You sent over an article about some legislation that was introduced by Senator Richard Blumenthal, he's a Democrat from Connecticut, about medical device security and privacy and things like that. Fill us in here.

Joe Carrigan: [00:13:12:04] Right, well there's a large problem with the security of medical devices and, being that our institute is a Johns Hopkins affiliate, we've actually spent a lot of time looking at these things. And there are vulnerabilities out there in all these devices. I think in the article I sent you there's a horror story about one device that had like 70 some vulnerabilities in it. And in talking with people like Kevin Fu from the University of Michigan, and some folks up at Dartmouth, we work on a project called the Trustworthy Health and Wellness Project, where we talk about exactly this issue.

Joe Carrigan: [00:13:45:08] One of Kevin's points is that a standard statement from these device manufacturers is, just put it on a secure network. Because, you know, we're not really worried about working on security right now. And to an extent there's a real needs based issue here, and the story that was first enlightening to me is that when a doctor is working on somebody, on a patient, that if the security of the device gets in the way of the doctor providing the care, that security is going to go away. Because, your security is impacting the provision of potentially lifesaving care. The doctor in the emergency room never hears from the patient, "make sure that my data stays secure." It's always, "make sure my heart is beating." "Make sure I can breathe." "Get these bullets out of me."

Dave Bittner: [00:14:31:24] Right.

Joe Carrigan: [00:14:32:08] Those kind of things. So it's not really a very high priority. But it is a real problem. So what Senator Blumenthal's legislation does, one of the things it does, is it tries to provide a report card for these devices, I don't know exactly what he means by report card. But apparently it's a security assessment of some kind of these devices, the devices have to go through this assessment before they're available for sale.

Dave Bittner: [00:14:58:03] And on the surface that sounds reasonable. But you have some concerns.

Joe Carrigan: [00:15:02:01] I do. My concern is who's going to be doing the testing? How is that going to be provided? Are these medical device manufacturers going to go out to third-party testing organizations, whose product will essentially be a wink and a nod? You know, "hey, your product's good to go."

Dave Bittner: [00:15:17:10] For the low, low price of--

Joe Carrigan: [00:15:19:04] Low, low price of, yeah. For $1,000 I'll give you a really good report card. There definitely needs to be some supervision of this process, I think.

Dave Bittner: [00:15:27:03] Yeah. Well, I mean, it's good to see, I suppose, that it's risen to the level of getting attention from folks like Senator Blumenthal.

Joe Carrigan: [00:15:35:02] I'm happy to see it being talked about at this level.

Dave Bittner: [00:15:37:08] Yeah. Alright, well, we'll keep an eye on it. Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:15:40:21] My pleasure Dave.

Dave Bittner: [00:15:44:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. Especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com.

Dave Bittner: [00:15:56:04] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.