Influence operations in Brazil and the US. Vulnerabilities disclosed in commonly used software. Healthcare.gov breach. Industrial control system cybersecurity.
Peter Kilpe: [00:00:04] WhatsApp with Brazil's runoff election? Hacktivism hits Davos in the Desert. Kraken Cryptor ransomware gets an upgrade. Remote code execution vulnerabilities disclosed in two classes of systems. Healthcare.gov breach under investigation. More calls for retraction of the spy chip story. Cozy Bear calls for proper internet governance. U.S. on effects of influence ops. Notes on industrial control system cybersecurity, with an emphasis on attending to the obvious.
Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course, but nowadays it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report, "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show.
Peter Kilpe: [00:01:36] Major funding for the CyberWire is provided by Cylance.
Peter Kilpe: [00:01:39] From the CyberWire studios at DataTribe, I'm Peter Kilpe, executive editor, sitting in for the vacationing Dave Bittner with your CyberWire summary for Tuesday, October 23, 2018. As Brazil's elections enter their final phase, WhatsApp messaging in that country is seeing a surge in politically oriented questionable stories. What effect they'll have on the outcome remains to be seen. Runoff voting will conclude on October 28.
Peter Kilpe: [00:02:03] The murder of Jamal Khashoggi in Saudi Arabia's Istanbul consulate continues to arouse international outrage. Turkey's President Erdogan addressed the death earlier today in an address to his Development and Justice Party, calling for Saudi Arabia to be more forthcoming about its role in the death and suggesting that any trial be held in Turkey. Hackers have defaced the Davos in the Desert site with a picture showing both Khashoggi and, behind him, a sword-wielding Saudi Crown Prince Mohammed bin Salman. The site has been taken down. The attack looks like hacktivists' work.
Peter Kilpe: [00:02:36] BleepingComputer says it's receiving attention from the masters of the Kraken Cryptor ransomware, who released version 2.0.6 of their tool over the weekend.
Peter Kilpe: [00:02:46] There are two new recent reports of remote code execution bugs. Zimperium reports finding such vulnerabilities in FreeRTOS, the open-source OS widely used in embedded systems. The bugs' effects are seen across the IoT spectrum, from smart homes to critical infrastructure. And Cisco's Talos says it's found remote code execution flaws in Live Networks LIVE555 Streaming Media RTSPServer. Exploitation could trigger a stack-based buffer overflow.
Peter Kilpe: [00:03:16] U.S. authorities continue to investigate a breach in healthcare.gov that affects about 75,000 people. Hackers got in through the federally facilitated exchanges. These exchanges are designed to help brokers and others make it easy for citizens to sign up for benefits. The government is restoring the system, and it'll be warning those whose data were lost.
Peter Kilpe: [00:03:36] Amazon and Super Micro joined Apple in demanding that Bloomberg retract its story about Chinese supply-chain poisoning of motherboards with spy chips. There's still neither confirmation nor retraction of the story. But at this point, Bloomberg is standing effectively alone.
Peter Kilpe: [00:03:51] We've mentioned Brazil's elections, but of course the U.S. midterm elections are also upon us. U.S. national security adviser Bolton is in Moscow for talks with Russian leaders. The principal topic is the future of the INF arms control treaty, which the U.S. is considering leaving over what it characterizes as long-running Russian cheating. But he also addressed Russian election meddling yesterday. He spoke on a Russian radio program where he was asked to comment on the recent U.S. indictment of a Russian national on charges related to election influence operations.
Peter Kilpe: [00:04:22] Mr. Bolton said he told Russian officials that their attempts to affect the 2016 elections had no effect on the elections' outcome. But those efforts did, he advised them, quote, "sow enormous distrust," unquote, of Russia among Americans. That distrust has become a major obstacle to achieving agreement on issues, even when Russian and American interests converge. Bolton said, quote, "just from a very cold-blooded cost-benefit ratio, you shouldn't meddle in our elections because you're not advancing Russian interest," unquote. He hopes he was persuasive, but these talks have been tense ones.
Peter Kilpe: [00:04:57] Russia's FSB intelligence service recommends that the internet be brought under, quote, "proper governance," unquote. Few will receive this as unproblematic, good government advice, but there you have it. Cozy Bear has your interests at heart, or that's what Cozy would have you think. After the break, we'll hear a recent conversation Dave had with Awais Rashid from Bristol University. They'll be discussing supply chain security.
Dave Bittner: [00:05:25] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on “A Comprehensive Approach to Security Across the Digital Workspace” will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:06:25] And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Welcome back. We wanted to talk today about cybersecurity issues in supply chains.
Awais Rashid: [00:06:38] The key thing that I wanted to raise was that we often think of cybersecurity in the context of an organization that we want to protect. But many threats actually arise from the supply chain itself. For instance, in any organization - for example, think of an organization with critical national infrastructure. It will have many complex supply chains with a number of other parties providing software and hardware components, third-party services. There will be distributors involved. There will be transporters involved, engineers and third-party staff coming on site. And all that creates a much more complex environment than we normally think of as cybersecurity within the confines of a single organization.
Awais Rashid: [00:07:25] The challenge is that we normally focus our efforts on protecting the network and the infrastructure and the information of the organization in question, which is, of course, very important. But not enough attention is often paid to the threats that arise from the supply chain. And we have seen various examples where, actually, threats arising in the supply chain then actually end up impacting the organization under consideration.
Awais Rashid: [00:07:49] How do we deal with this kind of issue? I think the key thing has to be to think of the supply chain as a socio-technical ecosystem that includes technologies but a multitude of organizations as well. And all the cybersecurity practices of the various actors within the supply chain actually then have an impact on the overall security and resilience of the whole supply chain itself.
Dave Bittner: [00:08:13] And in terms of an organization, you know, setting budgeting for these sorts of things, I guess it's really a matter of having to look outside of your own organization and make sure that you have the resources to be able to properly vet everyone in your supply chain, yes?
Awais Rashid: [00:08:29] Yes. I think it's a resourcing question. But also, it's a risk-taking question. So at a strategic level, when decisions are being made about particular organizations coming as part of the supply chain to Europe, you have to ask the question - and not only just what kind of security certification or compliances do they have - for example, things like ISO 27001 - but what are their actual security practices? And would those security practices have an impact onto your organization?
Awais Rashid: [00:08:59] If you look at Stuxnet as an example, the worm spread through potentially infected USBs or machines being carried into the nuclear power plant by third-party engineers. And that's the kind of threat that arises. And the kind of practices at an organization in the supply chain have an impact on what happens to you.
Dave Bittner: [00:09:19] Awais Rashid, thanks for joining us.
Peter Kilpe: [00:09:25] We're in Atlanta for the 2018 ICS Cyber Security Conference organized by SecurityWeek. We'll have updates on the proceedings throughout the week. Industrial Control Systems' security company CyberX is among the many vendors at the conference. And this morning, they've released their 2019 ICS and IIoT risk report. Their findings are based on traffic captured from 850 production networks across various industrial sectors in many countries around the world.
Peter Kilpe: [00:09:52] Their major conclusions are not surprising. They found that passwords in plaintext, direct connection of industrial systems to the internet and weak implementation of antivirus tools continue to be common across the sector. All of these vulnerabilities, of course, have led to industrial security problems in the past. NotPetya, last year's big shocker, has apparently shocked some operations into positive changes. Among those positive changes has been the decrease in industrial use of Windows XP and other legacy operating systems. But a lot of exploitable weaknesses are still out there. CyberX says it's found unpatchable Windows instances in just over half the industrial sites studied.
Peter Kilpe: [00:10:28] Here are some high-level details from their observations of traffic from industrial sites. Sixty-nine percent of those sites permit plaintext, unencrypted passwords to cross their network. The air gap that long protected legacy systems is now officially a myth. CyberX found that 40 percent of the sites they observed have at least one operational technology connection to the public internet. Those OT systems are also increasingly connected with business IT networks, which isn't much better. Many operations don't run even minimally acceptable antivirus protection. Automatic updating of signatures would set a minimally acceptable bar. But more than half of those sites CyberX looked at didn't even go that far.
Peter Kilpe: [00:11:08] Despite some top-down reform in the wake of last year's NotPetya pseudo-ransomware attacks, 53 percent of the sites were still running outdated, beyond-end-of-life Windows systems. And finally, 16 percent of the sites had at least one wireless access point. Many of these are misconfigured. Many of the issues of hygiene the report raised were echoed by presentations by other companies at the conference this morning. Senior representatives of Schneider Electric, Siemens and Rockwell Automation pointed out that they still see, when they visit industrial facilities, poor awareness of risk profiles. They see, for example, that organizations continue to scramble with asset management during incident response. It's bad practice to wait until you're under attack before you ask questions like, how many of these devices do I have? And where are they? And what are they connected to? They're also struck by the way sound configuration management practices are disregarded. They have seen some encouraging developments, however. Boards, for one thing, are showing a significantly increased level of awareness about the seriousness of industrial cybersecurity.
Peter Kilpe: [00:12:09] And of course, concerns about liability will always exert a powerful influence on business. Legal exposure will grow with the IoT in all its forms. As the number of internet-connected devices in our lives continues to increase, there are increasing concerns about legal liability from the manufacturers of those devices should connectivity lead to a breach of security, privacy or physical safety. IJay Palansky is litigation partner at Armstrong Teasdale LLP. Dave had a chance to talk with him about these issues.
IJay Palansky: [00:12:37] I come to this as the lead counsel in the class action that followed from Charlie Miller and Chris Valasek's hack of a Jeep Grand Cherokee back in 2015. And we just got class certification in that case, which means that it looks like we've got about 220,000 vehicles, and we're proceeding on behalf of the owners and the people who leased all of those. And really this, I think, as far as I know, is sort of a first-of-its-kind case.
IJay Palansky: [00:13:08] But I also believe that it's the tip of the iceberg. And so I think that where we're at right now is that things are about to change very significantly. I think that there hasn't been a lot of activity in this area in terms of civil lawsuits or enforcement lawsuits relating to IoT cybersecurity vulnerabilities. But I think that we're right on the precipice of that really changing.
Dave Bittner: [00:13:30] And can you give us some examples of how we might see that change play out?
IJay Palansky: [00:13:34] Well, I mean, that's really the big question here. So first of all, there are a couple of conditions that have to be met in order for lawsuits to be brought. And most of those conditions haven't really held up until now. But those things are changing. So for example, cybersecurity for IoT devices is not necessarily where it needs to be by and large. And when they start to get hacked, when people start to get injured, whether it's an economic injury or through some sort of cyber physical effect and where there's attribution, those are the cases that are really ripe for lawsuits.
IJay Palansky: [00:14:11] And with cases like the Jeep hack case that are working their way through the courts, you're going to have a playbook for plaintiffs to consult. And as that happens, there are going to be more and more cases brought. Now, how those are going to play out is a really interesting question. The legal principles that apply aren't going to be any different by and large than the legal principles that apply to other types of lawsuits. The question is, how are they going to be applied?
IJay Palansky: [00:14:38] And there are a whole bunch of questions all wrapped up into that. But I think probably, the most interesting one is that almost irrespective of what the particular legal theory is, ultimately, the plaintiff is going to need to show that the defendant, whether it's the manufacturer of the product or of a component or the person who designed the software or whatever it may be, didn't live up to their standard of care. And so the really big question is, how do we determine what the standard of care is for a particular IoT device?
IJay Palansky: [00:15:10] And from my perspective - I usually represent defendants, even though in the Jeep case, I represent the plaintiffs. But coming from a defense orientation, the question is, if you were facing the possibility of a lawsuit like this, what do you need to do to make sure that that determination and the health of your company isn't put in the hands of a judge or jury that probably doesn't know very much about cybersecurity and isn't going to be very well-equipped to make that determination about what the right level of care is for a product?
Dave Bittner: [00:15:42] And so where do you think that's going to lead? I mean, I think about, you know, for your average consumer, when we're met with some sort of device like this that's software-intensive and, of course, the first thing we do is we click through some sort of EULA where we, basically, sign away all of our rights and agree that if anything bad happens, it's completely our fault. Once we've headed down that path, where can it lead to?
IJay Palansky: [00:16:04] Well, I think that where it's going to lead to in the next few years as you get more of these hacks and more lawsuits is a situation where there are going to be a lot of organizations in the IoT space who are unprepared. And there is going to be a wave of lawsuits where the rules and the implementation of the rules are going to be unclear, which leads to significant risk. It's very difficult to predict how that, ultimately, is going to play out.
IJay Palansky: [00:16:31] What I can tell you is that I would be very surprised if there weren't a lot of lawsuits and if there weren't a lot of companies in the IoT space who were hit with very big verdicts or compelled to settle for very big numbers based on cybersecurity inadequacies or faulty design in their products.
Peter Kilpe: [00:16:53] That's IJay Palansky from Armstrong Teasdale. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Peter Kilpe: [00:17:06] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Peter Kilpe: [00:17:22] Thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Peter Kilpe: [00:17:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, and I'm Peter Kilpe sitting in for Dave Bittner. He'll be back next week. Thanks for listening.