The CyberWire Daily Podcast 3.6.19
Ep 794 | 3.6.19

5G worries. Whitefly vs. SingHealth. Speculative execution bug.


Dave Bittner: [00:00:03:16] Australia's former prime minister warns Britain about Chinese tech companies. Symantec says Whitefly was behind SingHealth's massive data breach. Iranian hackers show code overlap. Intel CPUs are vulnerable to another speculative execution flaw. The NSA hasn't been using its domestic phone surveillance program lately. Sharing code presents dangers. And Google will ban political ads in Canada.

Dave Bittner: [00:00:36:16] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero day vulnerabilities. With 24/7 365 security operation center support around the globe and over 300 security experts in house, Akamai surrounds and protects your users wherever they are: at the core, in the cloud or at the edge. If you're going to RSA this year, visit Akamai in the North Hall, booth 6153, to take part in their Crack the Code challenge for an opportunity to win a new 3D printer. Akamai: intelligent security starts at the edge. Learn more at Akamai, that's a-k-a-m-a-i dot com slash security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:01:45:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 6th, 2019.

Dave Bittner: [00:01:53:03] The US isn't alone in its concerns over a prospective Chinese role in 5G networks. Former Prime Minister of Australia, Malcolm Turnbull, strongly warned Britain against using equipment produced by Huawei or ZTE in its upcoming 5G network, the Sydney Morning Herald reports. In a speech given to the Henry Jackson Society in London last night, Turnbull said Australia's decision to ban Huawei was based on advice from the country's own intelligence agencies and not because of external pressure from the US. He pointed to the fact that there are only four major 5G vendors in the world, two of which are Chinese. He added that it "beggars belief" that none of the Five Eyes countries has a leading 5G vendor. Turnbull said that, when assessing the potential danger posed by these companies, "it's important to remember that the threat is a combination of capability and intent. Capability can take years or decades to develop ... but intent can change in a heartbeat."

Dave Bittner: [00:02:56:08] Symantec published a report today on the group behind last year's SingHealth data breach. The group, which they've dubbed "Whitefly," primarily targets organizations based in Singapore, although links to attacks in other nations suggest that it may be part of a larger intelligence gathering operation. The researchers describe Whitefly as “a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks.” The group’s primary goal is “stealing large amounts of sensitive information,” and it uses a wide variety of custom-built and open-source malware tools to do so. Its targets include organizations in the healthcare, media, telecommunications, and engineering industries. A Symantec spokesperson told Reuters that they believe it's a state-sponsored espionage group, but they're not certain which state it's working for. The cyberattack against SingHealth occurred in June 2018 and resulted in the theft of personal data belonging to 1.5 million patients. Singaporean officials stated at the time that they believed a state-sponsored actor was responsible, although they didn't share further details.

Dave Bittner: [00:04:12:03] Palo Alto Networks' Unit 42 has identified potential code sharing between two threat groups linked to Iran. Unit 42 found that the Chafer threat group targeted Turkish government entities late last year using a Python-based payload they've named "MechaFlounder." The initial download URL of this payload contains a parameter that's been spotted in many campaigns carried out by Chafer and the OilRig threat group. The researchers also note that malware code used by both groups shares a number of common variable names, and the tools exhibit similar functionality. Based on these links, however, they aren't confident enough to combine the two groups. Researchers at LogMeIn, makers of the LastPass password management tool, have used anonymized data gathered from their users to get a better picture of where things stand when it comes to how folks are creating, reusing, and managing their passwords. Gerald Beuchelt is Chief Information Security Officer at LogMeIn.

Gerald Beuchelt: [00:05:14:09] Overall, if you really look at the big picture, it's a moderately good environment, where people that are using LastPass are starting to have overall a security score that ranges, depending on where you are and what you do, in the 50s. So the average score across all our reports that we looked at was 52 out of 100, which is an internal score that takes into consideration length of password and uniqueness across different sites, which means that people are already taking password security quite seriously, but there's also still some room for improvement. We've also seen some regional differences, so the scores in the US, Europe and other parts of the world are higher or lower, sometimes even across industries. There's not a huge variability though, so, for example, it's not like the US is in the 90s and the rest of the world is in their 30s. There is a certain level of general awareness about password security, but at the same time there is also, generally speaking, a lot of room for improvement.

Dave Bittner: [00:06:22:05] One of the things that caught my eye was that you've been tracking a real increase in the use of multi-factor authentication.

Gerald Beuchelt: [00:06:29:06] Absolutely. That's definitely something that we were very pleased to see. We have about 45 per cent of business users using MFA for access to their LastPass accounts, and given the amount of password breaches and the concerns that we've seen in the past, it's a really good sign in terms of people making sure that they are starting to take password security seriously, especially at the enterprise level. And it really amounts to a total increase of about 24 and a half per cent from 2017.

Dave Bittner: [00:07:08:02] So what were some of the areas where people could still use some improvement? What are some of the places where people are still coming up short?

Gerald Beuchelt: [00:07:15:22] I think it really depends a little bit on what sector you're in. So for MFA, for example, since we're just talking about that, the tech sector is currently at 31 per cent across the board, which is leading the pack to some extent. I think improving multi-factor is something that's important. Making sure that there are stronger passwords that are automatically generated instead of just leveraging passwords that have been used from prior accounts and just using LastPass to store them. And then really emphasizing the uniqueness of the passwords across different accounts. We look at the recommendations from NIST and from other experts in this field, and the basic idea is really that we want to make sure that passwords are very long and are unique across different sites and are not being reused, especially if they have been breached in the past. So, focusing on that I think is gonna drive the security score up and at the same time make sure that the overall password hygiene and posture is gonna be better.

Dave Bittner: [00:08:25:04] It was interesting to me, one of the statistics here from the report was that 50 per cent of users didn't create different passwords for work and for personal accounts.

Gerald Beuchelt: [00:08:35:10] That is really concerning, because if you think about a system administrator or somebody with access to sensitive information as part of their work environment, if they're using the same password that they've been using for LinkedIn or any of the other sites that have been breached over the last five to ten years, then those kinds of accounts are obviously at risk through credential stuffing and similar tactics, which we see really on an ongoing basis across the industry. What we see is, with the right education about how to share or not share passwords, or how not to reuse them, how to enable multi-factor authentication, etc., we do see a significant increase in the adoption of LastPass. And ultimately what is really helpful is really getting away from the standard ceremony of signing in by punching in your user name, punching in your password, and going off to the paradigm that LastPass offers, which is simply clicking on a tile in your vault in order to log in. So once you really transition users to that kind of general behavior, through the appropriate engagement, through awareness training, through other forms of education, it becomes second nature both in their private lives as well as in their work lives. And that really leads to significant adoption, and then ultimately a much better security posture.

Dave Bittner: [00:09:56:09] That's Gerald Beuchelt from LogMeIn.

Dave Bittner: [00:10:00:10] Intel CPUs are vulnerable to a new flaw stemming from speculative execution, the Register reported yesterday. Researchers from the Worcester Polytechnic Institute and the University of Lübeck released a paper on Friday outlining the vulnerability, which they call "Spoiler." The flaw “reveals critical information about physical page mappings to user space processes." In other words, it can allow a non-privileged user to discover the physical layout of virtual memory by measuring the timing of speculative operations. Spoiler increases the speed and efficiency of existing side-channel attacks to an extraordinary degree, some of which can be run by JavaScript in a web browser. The vulnerability affects all Intel core processors and will require hardware mitigations, so a patch will likely take years. One of the researchers told the Register that he doesn't expect the issue to be fully mitigated within the next five years, since microcode patches would cause a significant loss of performance.

Dave Bittner: [00:11:05:08] The National Security Agency hasn't been using its domestic phone surveillance program to track links to foreign threats for the past six months, according to Luke Murry, the National Security Advisor to House Minority Leader Kevin McCarthy. Murry said that he's not certain if the program will start back up. He noted that the system had been running into technical issues last year related to working with telecommunications companies. A spokesman for Mr McCarthy told the New York Times that Murry "was not speaking on behalf of administration policy or what Congress intends to do on the issue."

Dave Bittner: [00:11:42:08] Finally, Google will ban political advertising in Canada before the country holds its upcoming federal election. Google's Canada head of public policy and government relations told the Globe and Mail that Canada's new Elections Act was too difficult to comply with. The bill is meant to promote transparency and hinder foreign influence in elections by requiring internet companies to keep a record of all the political ads published on their platforms. Google told the Canadian Senate in November that its advertising system is a highly automated bidding process that chooses which ads to display in less than a second, so building a registry beforehand would require a fundamental reworking of its system. The company said the only feasible way to follow this regulation was by banning political ads altogether. Other online platforms, such as newspapers, are also struggling to find ways to comply with the law.

Dave Bittner: [00:12:43:05] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust. The ones who already have the keys: your employees, contractors and privileged users. In fact, a whopping 60 per cent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. Most security tools only analyze computer, network or system data. But to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Wanna see it in action for yourself? Try ObserveIT for free, no installation required. Go to And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:51:11] And joining me once again is Justin Harvey, he's the global incident response leader at Accenture. Justin, it's great to have you back. You are out at RSA, so I wanna get your take on how the conference is going so far, but also Accenture just recently released its cost of cybercrime report. Why don't we start with that? What does the report cover?

Justin Harvey: [00:14:14:14] Well, the cost of cybercrime report, Dave, is based upon interviews with more than 2,600 security and IT professionals at over 355 organizations worldwide, and we put together a comprehensive listing of questions, asking for data which we then merged into this final report. And the 2019 cost of cybercrime study really focuses on what our organizations are missing through cybercrime. And there are actually quite a few observations and some data points that I'd like to share with you and the listeners. The first is that two types of cyber-attacks accounted for one third of the total $13 million cost to companies on average. So that means that one third of the cost of cybercrime comes from malware and malicious insiders. And the average incident cost is over $13 million. Now keep in mind, last year was $11.7 million on average, and actually the cost of responding to these incidents has gone up. Another data point that I find very interesting here is not the cost - the direct cost - of a cyberattack, but we've actually been able to articulate what companies are missing out on. And what they're missing out on is revenue.

Justin Harvey: [00:15:41:16] So in some cases over three per cent of annual revenue can be lost through a cyberattack by way of brand damage or perhaps the revenue opportunities are not there because they're not able to collect revenue from customers. Or perhaps they have to delay new services to generate that revenue. Like I said, it's three per cent for the organizations, but it's up and over $580 million worldwide when it is combined, and that number is only gonna rise as cybercrime increases.

Dave Bittner: [00:16:18:21] So in terms of recommendations based on what you gathered from the report, what can you share there?

Justin Harvey: [00:16:24:08] Well, the recommendations really come back to the same talking points that our industry has been talking about for quite some time. It's about building a cyber-resilient enterprise, one that can bounce back from a cyber attack to get back to business. A few of the highlights: automation, orchestration and machine learning technologies can be deployed and integrated over the next few years that will actually help the two key metrics that we always talk about. One, the mean time to detect. How can we get better and faster at finding the bad guys? And then finally the mean time to respond. So not only can we find the bad guys, but we can actually get them out of the enterprise faster and in a more timely manner.

Dave Bittner: [00:17:14:22] So I wanna switch gears with you. You are there on location at RSA Conference, what is your overall sense of the show this year? As you walk around, what's the overall tone?

Justin Harvey: [00:17:25:14] The theme this year is products, products, products. There is an immense amount of products and solutions and platforms and technology that is fueling this industry. And I keep saying it every year, I'm waiting for the other shoe to drop. There is a ton of investment in security technologies and products, and that is showing at the RSA Conference here. This is the first year where they've actually had one contiguous show floor. In years previous it was north and south; many of your listeners know that they have Moscone Center here in San Francisco that's been renovated, and now it's one huge floor. It is a sea of vendors and technology, and I'm really waiting for this market consolidation to happen. We've seen the economy kind of plateau, I guess you could say, over the last year. There have been some really high highs, really low lows. It's evening out. But there's a lot of capital investment being poured into the technology here, and I can't help but think that coming to this conference I could walk away being, let's say, a new person saying "oh, do I need all these technologies? Could I do a best of breed solution-based approach for every little niche problem I have? Do I need to buy a tool?"

Justin Harvey: [00:18:46:14] And I think many of us are saying, where are the people? Where's the process? Where is the emphasis on the individual in things like security awareness and training and understanding the threat landscape, and really understanding the mechanics behind what the adversaries are doing and how to respond to those? And I do see some training booths, I do see some security awareness booths, but I think the industry needs to take a little bit of a course correction here in getting back to what's most important, and that is the people.

Dave Bittner: [00:19:20:09] Alright, Justin Harvey, thanks for taking the time for us. Thanks for joining us.

Dave Bittner: [00:19:29:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at The Cyberwire podcast is proudly produced in Maryland, out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.