The CyberWire Daily Podcast 12.14.17
Ep 495 | 12.14.17

Hacktivism threatened over embassy move. Significant probe of an industrial plant. That was no BGP error. TV blues.


Dave Bittner: [00:00:00:16] Thanks again to all of our supporters on Patreon. You can find out more at:

Dave Bittner: [00:00:09:13] Anonymous calls for action against US and Israeli government sites. FireEye reports a significant attack against an industrial plant, possibly involving nation-state reconnaissance. A lot of Internet traffic was briefly rerouted through Russia yesterday, possibly deliberately, for unclear reasons. There's some TV troubles. And if toys are getting too connected, consider a puppy; it's interactive.

Dave Bittner: [00:00:38:22] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire Web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to, and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytic talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive, and your intelligence more comprehensive and timely, because that's what you want: actionable intelligence. Sign up for the Cyber Daily email, and every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay a step or two ahead of the threat. Go to: to subscribe for free threat intelligence updates. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:47:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, December 14th, 2017.

Dave Bittner: [00:01:59:04] Anonymous is unhappy with the US decision to move its embassy in Israel from Tel Aviv to Jerusalem. The hacktivist collective has called for worldwide unremitting attacks on Israeli and US government sites. Nothing so far. Anonymous has had indifferent success in the past with its OpIsrael, but of course such threats bear watching.

Dave Bittner: [00:02:19:11] Security company FireEye reports a significant attack on an unnamed industrial plant. Reuters, quoting ICS security experts at Dragos, calls it a "watershed" event. The attacker hit Triconex industrial safety technology supplied by Schneider. Triconex is widely used in the energy sector, including oil and gas, and nuclear power generation. Dragos says the affected plant was in the Middle East. Industrial security firm CyberX is more specific, saying the plant is in Saudi Arabia.

Dave Bittner: [00:02:50:23] FireEye suggests there's evidence the attackers were working on behalf of a nation-state, which one is not specified. Its researchers think the attack may have been reconnaissance gone awry. The hackers appear to have inadvertently tripped safety systems into fail-safe mode, thereby shutting down plant operations. It's good the systems failed safely, as intended, but the possible implications of the reconnaissance are disturbing, since it seems to have been aimed at learning how to disable safety systems during an attack. Graceful degradation under attack is of course far better than catastrophe, and a catastrophic attack against such industrial control systems has catastrophic potential indeed.

Dave Bittner: [00:03:33:18] The Bitfinex cryptocurrency exchange is back and in operation, having recovered from this week's distributed denial-of-service attack. Speculative interest in Bitcoin and other cryptocurrencies is rising. The principal German stock exchange is considering opening trading in Bitcoin futures, for example, so Frankfurt could join Chicago in serving this market. And with such trading interest, criminal interest rises proportionately.

Dave Bittner: [00:03:59:22] Yesterday traffic to and from some very large companies was briefly routed through what Ars Technica calls a hitherto unknown ISP in Russia. The companies whose traffic was affected include: Microsoft, Google, Facebook, Apple, Twitch, NTT Communications, and Riot Games. This doesn't appear to have been an ordinary Border Gateway Protocol (BGP) error. Monitoring services including BGPMon think it may have been intentional. The "cherry-picking" of targeted companies strikes observers as odd, and so does the fact that, as Ars Technica puts it, the hijacked IP addresses were broken up into smaller, more specific blocks than those announced by affected companies, an indication the rerouting was intentional.

Dave Bittner: [00:04:45:23] The Russian "autonomous system" AS 39523 was the apparent cause of the redirections. It added BGP table entries saying in effect it was the proper origin of the 80 or so prefixes affected. Why the redirection was done is unclear, but observers note it as another instance in which a system designed for parties who trust one another falls short in the Internet as it exists today.

Dave Bittner: [00:05:10:15] With the holidays approaching here in the US, financial institutions and non-profits alike are working overtime to prevent fraud, abuse, and even money laundering. These days they're turning to artificial intelligence to help root out anomalous transactions and cut down on false positives, all while staying compliant.

Dave Bittner: [00:05:28:13] FICO is one of a host of companies who provide these sorts of services, in their case with their TONBELLER Suite of tools. We spoke with Torsten Meyer, Vice President of Risk and Compliance Solutions for FICO.

Torsten Meyer: [00:05:41:09] Artificial Intelligence is a very proper tool, in order to enlighten the dark spaces in your customer base. So, for instance, in the past banks used to use rules; rules which described known behavior. Now, and even more in the future, artificial intelligence will help to detect, by using self-learning algorithms, unknown, unexpected behavior. So artificial intelligence will help a lot to uncover so far unknown criminal behavior and methodologies, and that's what banks like to have, not to only rely on rules, but use artificial intelligence, self-learning algorithms to detect the unknown. That's one part. For the larger institutes it's even more important to reduce the number of false positives.

Dave Bittner: [00:06:47:24] The financial industry is certainly heavily regulated. Are there specific challenges with integrating artificial intelligence into an environment that has so many rules of its own?

Torsten Meyer: [00:06:59:08] So far we use analytics in addition to rules. The simple reason why we do that is that typically regulators are not ready to accept artificial intelligence based systems only. Technology and sophisticated applications, maybe it's 50 to 60% of what a financial institution needs to do in order to be compliant. They need to have internal procedures in place. The top management needs to see the importance of being compliant, in order to protect at least reputation. The most valuable good they have to protect is their reputation.

Dave Bittner: [00:07:48:18] That's Torsten Meyer from FICO.

Dave Bittner: [00:07:52:08] Some TVs are found vulnerable. First, Tripwire researchers have determined that many Android set-top boxes run old and insecure versions of the operating system, opening them to exploitation by attackers. The company's VERT researchers say they were able to use an approach similar to the "Weeping Angel" exploit WikiLeaks dumped from its Vault 7 earlier this year. They were able to take control of the device's integrated camera and microphone. Unlike Weeping Angel, introduced via a USB drive, Tripwire's proof-of-concept didn't require physical access to the device: cracking a Wi-Fi password would do the trick.

Dave Bittner: [00:08:28:21] Second, Trend Micro has disclosed that the Linksys WVBR0-25, the wireless video bridge DirecTV's parent AT&T provides customers, is susceptible to remote code execution. Trend Micro disclosed the issue to Linksys six months ago. They're going public with it because, they say, Linksys has both failed to fix the problem, and ceased talking with the researchers who found it. Belkin, which manufactures the Linksys devices, says it furnished a firmware patch to DirecTV.

Dave Bittner: [00:09:02:02] The holiday season inevitably brings with it worries about oversharing, over-connected toys. French authorities have already said "non" to Bluetooth connected doll Cayla: it's too chatty, too open to interaction with people you'd rather not have the children hearing from, or being heard by. So there's much advice out there about how to keep the holidays more private. It's easy to find, but could we offer a suggestion? How about a puppy? They're very interactive and ours have never tried to collect any credentials. Just snacks.

Dave Bittner: [00:09:37:04] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cyber security leaders, when your CEO asks department heads for a status update, do you envy your colleagues, like the VP of Sales or CFO, who only have to pull a report from a single system? Instead of deploying a team of people to check multiple systems and then waiting for them to report back, do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cyber security leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly, and in business terms your CEO can understand. Nehemiah Security gives cyber security leaders the ability to report cyber risk in terms of dollars and cents. Visit: to learn more and get a free customized demo, just for CyberWire listeners. Visit: today. We thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:10:47:15] Joining me once again is Dale Drew. He's the Chief Security Strategist at CenturyLink. Dale, welcome back. I think a lot of us look towards stability, and we want to be able to measure ourselves against standards, and so forth. And there are plenty of standards in this industry. But you want to make the point today that maybe standards aren't the thing that we need to look to for security.

Dale Drew: [00:11:10:24] I think the tag-line for certifications is "the good, the bad, and the ugly". I mean, the nice thing about certifications is it provides a toolkit for people to set standard expectations for how an ecosystem, or datasets are going to be protected. So it's supposed to provide some degree of comfort for people who are familiar with that standard, when they're evaluating doing business with a partner, or a vendor, something like that. So that's the good about standards. The bad about standards is that everyone largely agrees on two things: one, we have too many standards. Every industry has got its own representation of standards whether it's the financial community, the manufacturing community – everyone has their own set of security standards, and each one of those has their own obligations associated with it.

Dale Drew: [00:12:05:08] The other thing is that having an infrastructure that is certified doesn't necessarily make that infrastructure secure. The biggest concern is that we're seeing people play games with the scoping statement of a standard, so that they can say a certain thing has been certified as being standard, and people take a look at that overall statement, but they're not digging into the details about what actually is in scope. What systems are in scope? What controls are in scope? Because a lot of standards basically allow you to say, I'm going to say how I'm protecting something, and I'm going to prove I'm protecting it. They don't typically say, this is what you should be protecting. There's an example that we have of a single server, within our network, that serves a number of products. And so, we have different customers in different industries, who are interested in the security of that server.

Dale Drew: [00:12:56:24] So we have no less than four certifications on that single server. That server is audited about five times a year: independent third party auditors, audited by us, and our internal auditor organization. We have 600 pages of documentation around how we are protecting that poor server. That information has to be updated every year. We have a very Herculean effort associated with managing the audit resources, working on findings, updating the documentation, and providing those accreditation packages to all the auditors, every year.

Dale Drew: [00:13:40:09] We spend more time maintaining the certification of that server than we do protecting it. If we look at the amount of investment we have, from a security perspective, protecting that server, and you equate that to a dollar; I'm spending 75¢ certifying the server, and I'm spending 25¢ protecting that server. That, to me, is upside down. So we're advocating something along the lines of a single international security standard. The one that is prominent is ISO 27001, and I know I'm going to get skewered for mentioning a standard, because everyone has an opinion on what standard that they believe is the best, but we have to start somewhere. I really like the idea of an open source standard. So imagine an open source concept, policy standard, where the industry can concentrate policy and risk assessments to keep that policy up to date.

Dale Drew: [00:14:41:16] Imagine that it could allow for different certification levels: your bronze, silver, gold standard, by implementing tested and mature rating. Imagine that you could have security tools built specifically to audit the measures in that standard, that could work across each of the industries. And then, imagine things like devices could be programmed to log information that's formatted specifically for those policy events. And so, instead of just free formatted log data, I could now start directing my vendors to generate log information and audit information that denotes the policy violation that that log message represents. And then we'd have a common language across the industry on training, education, certification, security vendors, all focused on the open source standard around a single policy. I think that's really what we need. We need the ability of consolidating the ability for the industry to focus on one way of protecting our infrastructure, so we can all get around that common methodology.

Dave Bittner: [00:15:53:12] Dale Drew, thanks for joining us.

Dave Bittner: [00:15:56:22] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out:

Dave Bittner: [00:16:10:04] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:16:20:17] Our show is produced by Pratt Street Media with Editor, John Petrik; Social Media Editor, Jennifer Eiben; Technical Editor, Chris Russell; Executive Editor, Peter Kilpe; and I'm Dave Bittner. I've got a movie to catch; may the Force be with you.