Dave Bittner: [00:00:03:23] Finland’s data protection authority is investigating reports that Nokia 7 Plus smartphones are sending data to a Chinese telecom server. Thousands of API tokens and cryptographic keys are exposed in public GitHub repositories. The US government warns that certain cardiac devices can be hacked from close range. A North Carolina county government is dealing with its third ransomware attack. The Chertoff Group's Adam Isles joins us with insights on supply chain risks and transportation and Magecart groups go after bedding companies. That'll keep you up at night.
Dave Bittner: [00:00:44:02] It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infoseg analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:45:06] From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Friday, March 22nd, 2019.
Dave Bittner: [00:01:53:02] Finland's data protection authority is investigating a potential data breach violation following a report that some Nokia 7 Plus smartphones developed by HMD Global were transmitting sensitive data to a Chinese server. NRK reported yesterday that every time one of the phones was switched on or the screen was unlocked, it sent an unencrypted data packet containing the phone's geographical position, SIM card number and serial number to a server belonging to China's state-owned telecommunications company. HMD Global, a Finnish company that develops Nokia-branded phones, said the issue was due to a glitch in the phone activation software which was patched last month. The company says its phones erroneously included software meant for the Chinese market. This explanation would make sense, because the Nokia 7 was a China-exclusive product before a newer version was released for the global market. Collecting data when a phone is first activated is a standard industry practice, as it allows telecom companies to activate the phone’s warranty. It’s also possible that the activity was required for Chinese phones in order to comply with local data collection laws.
Dave Bittner: [00:03:06:07] The report caused additional concern, however, since it came at a time of heightened apprehension about potentially backdoored Chinese technology. HMD’s phones are manufactured by Foxconn in China, so some researchers believe the issue is worth looking into further. Finland’s data protection ombudsman agrees, so he’s ordered an investigation. He believes that this at least looks like a violation of GDPR. HMD holds that no personal information was transmitted but that’s going to be a hard sell if the phones sent location data without users’ consent. It’s worth noting that Nokia itself doesn't appear to be involved in this situation, although the phones still bear its name. The company sold its mobile phone business to Microsoft in 2014 and the business was taken over in 2016 by former Nokia executives at HMD.
Dave Bittner: [00:04:00:10] More than 100,000 GitHub repositories have exposed API tokens and cryptographic keys, due to poor coding practices. Researchers from North Carolina State University scanned millions of public GitHub repositories looking for text strings that resembled tokens or keys, and discovered more than 200,000 exposed keys spread across more than 100,000 projects. They see thousands of new keys appearing every day, 81% of which aren't removed within two weeks.
Dave Bittner: [00:04:33:11] Yesterday, the US Department of Homeland Security and the FDA warned that the Conexus wireless telemetry protocol used in certain Medtronic cardiac devices can be hacked from up to 20 feet away. Two teams of security researchers discovered the vulnerability in sixteen different models of Medtronic implantable defibrillators. The Conexus protocol, which uses radio frequency to communicate between devices, doesn't implement encryption, authentication or authorization. An attacker in close proximity could modify or inject data between the devices and their control units. The devices have some mitigations built in and Medtronic is working to develop further safeguards. The company says the risk of physical harm to patients is low, since an attacker would have to be so close. The devices are also only vulnerable when they're in “listen mode,” which is deactivated throughout most of the day. The FDA urges patients to keep their monitors plugged in, saying that, quote, “the benefits of remote wireless monitoring of an implantable device outweigh the practical risk of an unauthorized user exploiting these devices’ vulnerabilities,” end quote. The vulnerability does not extend to any pacemakers.
Dave Bittner: [00:05:51:18] Orange County, North Carolina is dealing with its third ransomware attack in six years. Orange County spokesman Todd McGee told a local CBS affiliate that the malware shut down systems in the sheriff’s office, the register of deeds and the local library, among others. Some systems have been restored but the county doesn't know how long the full recovery will take. McGee said the attack was likely due to someone clicking on a malicious link, adding that it could have spread from the public computers at the library. Terence Jackson, the CISO of Thycotic, told the Information Security Media Group that he wonders if the county paid the previous ransoms, encouraging additional attacks, or if the problem is simply poor cyber hygiene. Chris Morales from the threat detection firm Vectra believes the county was targeted because attackers know that local governments struggle to fund adequate security measures.
Dave Bittner: [00:06:47:11] And finally, RiskIQ revealed two Magecart attacks which compromised the websites of the pillow manufacturer MyPillow and the mattress company AmeriSleep. In the case of MyPillow, attackers placed a skimmer by registering a domain and injecting it into the LiveChat script in MyPillow's website. The skimmer was placed in late October but hasn't been active since November 19th. AmeriSleep was compromised by a long-running campaign from December 2016 to October 2017. Two months ago, however, the attackers returned and injected skimmers into payment pages on AmeriSleep's website. The domain used by these skimmers has since been taken offline but AmeriSleep's website is still compromised and the company hasn't answered RiskIQ's attempts to inform them.
Dave Bittner: [00:07:42:03] And now a word from our sponsor, LookingGlass Cyber Solutions. When it comes to digital business risk, you don't want a general admission perspective. Get a backstage pass for the LookingGlass digital business risk roadshow this spring to learn the industry latest on effective third party risk management tactics to protect your employees, customers and brand. Taking a proactive security posture to combat today's sophisticated threat actors and a cybercriminal mastermind's insights on manipulating your organization's cyber strengths and weaknesses. Come see LookingGlass in a city near you. The tour includes Atlanta, Charlotte, Chicago, San Francisco, New York City, DC and Houston. They hope to see you at the show. To learn more about the roadshow and register, visit their website lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass for sponsoring our show.
Dave Bittner: [00:08:45:22] And joining me once again is Malek Ben Salem. She's the senior R&D Manager for Security at Accenture Labs. Malek, it's great to have you back. We wanted to touch today on a presentation from Accenture about securing the digital economy. What do we need to know here?
Malek Ben Salem: [00:09:04:00] Hi, Dave. Thanks for having me. Yeah, so this is a paper that we have recently published. It's based on a survey that we've conducted with a number of our clients and we wanted to look at the fundamentals of the Internet. We know, right, and businesses know that they're dependent on the digital economy and the Internet for growth. But what we've been realizing and what a lot of CEOs have been realizing recently is that that growth is dependent on trust. We need to build trust with clients. So creating an online account today, purchasing from a website, downloading an app, is more than an exchange of data and an exchange of goods or services but really it's an exchange or a transaction that is based on trust. The building of that trust with the current state of the Internet seems to be complex and we're not sure whether that is feasible. So this is a study to see what can be done today by CEOs to improve-- not only improve their security posture but also improve our digital economy as a whole for everybody.
Dave Bittner: [00:10:26:16] Okay. So what are some of the details?
Malek Ben Salem: [00:10:29:02] We know that without trust the future of our digital economy is potentially at risk. The Internet is unable to sustain the digital economy due to several reasons. Number one is its evolution. We know the Internet started or evolved from a military asset where security considerations were based on preventing physical failures to an open infrastructure where security issues are more sophisticated. The existing Internet protocols are not secure, so that's one factor. The other factor is this IOT effect. We expect, you know, probably 50 billion IOT devices on the Internet. We do have an identity crisis. If you go back to 2006, an average person had to maintain six passwords, where today that average has gone up to 27 passwords. Regulations are changing so, you know, the flow of data is changing based on that change of regulations. And the cost of insecurity, according to a study that Accenture has conducted, the cost actually over the next five years within the private sector may amount to a lost opportunity of $5.2 trillion in revenue opportunities that are lost because of this loss in trust in the digital economy. So something has to be done and this is beyond just securing infrastructures but rather something that businesses have to do across ecosystems.
Dave Bittner: [00:12:12:03] So what are the recommendations? What do you all propose?
Malek Ben Salem: [00:12:15:20] So we do propose continuing the technology investments, what we call, you know, continuing to do the work underground. So that's the technology investment securing the infrastructure, the plumbing underneath our digital economy. But also, and more importantly, what we recommend to CEOs is focusing on governance so joining forces with other companies to govern globally, creating an Internet security code of ethical conduct for each industry, being proactive with standards, particularly with principle-based standards, you know, like trusted AI, explainable AI, ethically aligned design, promoting consumer control of digital identities, you know, taking privacy as a digital human right and then committing to sharing information about cyberattacks across industries, across an ecosystem. That's from the governance side.
Malek Ben Salem: [00:13:18:17] But we also have recommendations about the business architecture. So, obviously, CEOs need to prioritize security by design. They need to make sure that their line business leaders are accountable for security and that they protect the entire value chain. So we have recommendations related to technology investments. We've been, you know, doing that, we continue to make those recommendations but we also have strong recommendations on adopting best practices and ethical conduct for each industry and around governance across business ecosystems.
Dave Bittner: [00:14:02:02] Alright. Well, it's an interesting paper. Certainly a lot of ground covered there. Again, what's the title if folks want to hunt it down?
Malek Ben Salem: [00:14:10:07] Securing The Digital Economy: Reinventing The Internet For Trust.
Dave Bittner: [00:14:15:19] Alright. Malek Ben Salem, thanks for joining us.
Malek Ben Salem: [00:14:18:07] Thank you, Dave.
Dave Bittner: [00:14:23:13] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own end points here at the CyberWire and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but you know what, the bad guys know all about it too. It will stop the skids but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer, not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:15:29:20] My guest today is Adam Isles. He's a Principal at The Chertoff Group where he helps clients evaluate their security risk management programs. Adam Isles previously served as Deputy Chief of Staff at the US Department of Homeland Security. He joined us from The Chertoff Group's Washington DC offices to discuss management of supply chain risk.
Adam Isles: [00:15:51:13] You need to take a risk based approach. Right? Not, not every supplier represents the same degree of risk. Right? You know, if you're getting a training service, that's a different level of risk than, you know, someone that's managing your payment systems. So you apply a risk based approach and you apply resources to those areas of greatest criticality and/or risk.
Adam Isles: [00:16:14:06] I think we're, we're certainly in a situation right now where we have a very disaggregated approach and, frankly, a very inefficient approach where you've got lots of resources being applied as against supply chain risk but, but in a very decentralized onesie twosie way and that, that creates major issues both for efficiency and effectiveness. From an efficiency point of view, put yourself in the shoes of a vendor where, you know, you're selling essentially the same product, be it a service, you know, software, firmware or hardware to local buyers and it's like, "Oh, my gosh, I've got to go through how many vendor risk assessment processes?" you know, none of which asks entirely the same questions, none of which has the same audit process. There's a huge amount of inefficiency involved in going through onesie twosie, you know, vendor risk assessment processes. It cries out for simplification. It cries out for, you know, some level of global or industry sector basis consensus around what does a good risk based kind of assessment process look like. You know, were we to move over time to a more standardized approach, at least across industry verticals, then you've got a real incentive on the part of vendors to say, "Look, if I meet this bar, if I make this investment bar, you know, it's, it's not only going to kind of check the compliance box but it may actually help me differentiate my offering particularly vis-à-vis the competitors that can achieve whatever good looks like."
Adam Isles: [00:17:56:11] So I think there's both a challenge and an opportunity in trying to provide a kind of a more standardized process to understanding, addressing and monitoring, you know, supply chain risk across sectors.
Dave Bittner: [00:18:12:15] And are you seeing efforts in that direction?
Adam Isles: [00:18:16:09] Yes. And I think you kind of have to, you know, take it on a kind of a sector by sector approach. I mean, the defense industrial base has dealt with this issue for, really for decades. I mean, in other words if you can't hack the Pentagon, hack the Pentagon's suppliers and, you know, you'll achieve somewhat the same effect. I mean, I-- my crew began at the Justice Department and I started at the OJ in the Criminal Division 21 years ago and, you know, when I did in the late 1990s, a book called The Cuckoo's Egg was required reading and The Cuckoo's Egg tells the story, basically, of an East German intelligence plot to, you know, compromise computers at Lawrence Berkeley National Lab to steal, you know, strategic defense initiatives, you know, Star Wars type secrets. So, carry forward to today, if you look at US-CERT alerts, what we're seeing is, is that same basic approach proliferating across sectors. So now we're moving beyond the defense industrial base to the electric utility subsector and the energy subsector and you have to look no further than, you know, US-CERT alerts from spring of last year to talk about how Russia is essentially leveraging, I think what are referred to as stepping stone attacks to move from a vendor then into a, an actual utility.
Adam Isles: [00:19:46:17] And so I think the opportunity is at a sector to try to start to achieve some level of consensus on, you know, what does good look like. I mean, and so by way of example, in the financial services sector you've seen efforts to develop kind of model contracts, you know, that would speak to at least for the acquisition of, of software, you know, what are the core terms and conditions you'd want to see in contracts. And, you know, you're also seeing, I think, kind of additional class of third party risk management vendors that are coming onto the market, you know, that are offering kind of a specialized tool that will allow greater focus into things like actual effectiveness and continuous monitoring. Those tools are being adopted to kind of varying degrees from one sector to the other. So I think where this kind of comes together is in those places where sectors come together to address security risk, places like, you know, the FS-ISAC, the electric subsector coordinating council, EEI and other sector organizations.
Adam Isles: [00:21:02:09] I think at a general level, really it's kind of a three legs of the stool approach. Whatever we're dealing with, you start by assessing a risk. That's the first leg of the stool. You don't, you don't apply the same level of security to, you know, each part of the supply chain. You focus resources on where you have the greatest risk. The second leg of the stool is mitigation. That is, okay, having done a risk assessment, what is that balance of preventive detective response and recovery going to resources that most cost effectively actually buy down risk? The third leg of the stool, I think, is one where people often fall down and that's what I refer to as risk monitoring and by monitoring I don't mean, you know, do you have like a sock that's, that's constantly monitoring. I'm talking about monitoring security systems and technology systems to ensure that they're operating as intended. Which is to say, okay, I've put a defensive countermeasure in place, is it actually operating the way I think is? Because what we see over and over and over again, endpoint detection and response tool, intrusion detection system, DLP system that someone thought they had in place wasn't actually operating as intended, and Equifax is a great example of that. Equifax actually had, you know, kind of outbound DLP inspection in place. It just wasn't working. In fact, when they figured out it wasn't working and they updated the certificate that was required to make it work, that's when they discovered that they'd been victimized by a breach.
Dave Bittner: [00:22:38:13] That's Adam Isles from The Chertoff Group.
Dave Bittner: [00:22:46:07] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:22:58:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.