The CyberWire Daily Podcast 8.8.19
Ep 902 | 8.8.19

Hacking in the Gulf region. Vulnerability research into airliner avionics. Phishing and ransomware move to the cloud. EU data responsibilities. US bans five Chinese companies.

Transcript

Dave Bittner: [00:00:03] Tensions in the Gulf are accompanied by an increase in cyber optempo. A warning about vulnerable airliner avionics. Phishing is moving to the cloud, and so is ransomware. Android's August patches address important Wi-Fi issues. An EU court decision clarifies data responsibilities. The U.S. bans contractors from dealing with five Chinese companies. And be on the lookout for bogus Equifax settlement sites. 

Dave Bittner: [00:00:34]  Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligence security starts at the edge. Learn more at Akamai. That's akamai.com/security. And we thank Akamai for sponsoring our show. 

Dave Bittner: [00:01:38]  Funding for this CyberWire podcast is made possible, in part, by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(X) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 8, 2019. According to the Wall Street Journal, Bahrain has sustained incursions into the networks of its National Security Agency - whose mission is criminal investigation - the Ministry of Interior, the first deputy prime minister's office, the Electric and Water Authority and manufacturer Aluminum Bahrain. Bahrain believes the activity was the work of regional rival Iran and that the activity directed against the electricity and water authority amounted to staging and rehearsal for an attack on critical infrastructure. The U.S. Maritime Administration has issued a formal warning of Iranian cyber operations against shipping in the region. It singles out GPS interference in particular as a likely form of attack. 

Dave Bittner: [00:02:43]  As Boeing continues to debug the troubled 737 MAX avionics, code for the company's 787 appears to have been exposed on an unprotected server, WIRED reports. Ruben Santamarta, the security researcher with IOActive who found the exposed code, says that the software is vulnerable to attackers who could pivot from the aircraft's in-flight entertainment system to safety-critical avionics, including flight controls and sensors. Attackers could, Santamarta maintains, exploit memory corruption vulnerabilities in the noncritical systems to establish themselves in the aircraft and then move from there to critical avionics. 

Dave Bittner: [00:03:22]  Boeing denies that this is a possibility and rejects Santamarta's claim that he's found a path that could make it so. The company maintains that security barriers effectively segment the 787's onboard networks in ways that make such an attack impossible. Santamarta and others who reviewed the vulnerabilities he says he's found agree that they don't represent an immediate material threat to flight safety. But they argue that their presence suggests a troubling laxity in software security engineering. Santamarta is presenting his work at Black Hat this week. 

Dave Bittner: [00:03:57]  One of the challenges of attending a major industry trade show is optimizing the limited amount of time available for meetings, keynotes, presentations and social events. Experienced attendees have their own strategies for making the most of their time at events like Black Hat. Robert Huber is chief security officer at Tenable, and he took a few minutes away from the show floor to share his insights. 

Robert Huber: [00:04:19]  Of course you're going to expect to see the normal parade of solution providers on the floor and, you know, sponsorship and discussions. But there's a lot of conversations that take place outside of the venue itself, which are usually related to either nascent problems or up-and-coming solution providers that are addressing problems that either, for one reason or another, just haven't matured yet or gotten traction. And those are the areas of my own particular interest 'cause they're probably addressing issues that I have at the fore, whether that was driven by, you know, Wall Street Journal effect, if you will, or, you know, just moving into newer technology areas and issues that don't have defined solutions readily available. And you know, I'll say - you know, interestingly enough, some of the areas that are getting attention are those things that kind of sit on the periphery that have been out there for a while, which is just overall risk management, right? And what I mean by that is there's a lot of solutions out there that will portend to try and measure and assess your program. Nobody's done it really well at the risk level. And when I say risk, I'm usually talking about cyber risk, but also the risk management level, enterprise risk management.

Robert Huber: [00:05:24]  So you're starting to see a lot of solution providers who are new to the market - new entrants to the marketplace and - not wide adoption yet. So there - a lot of them are in, you know, beta releases or, you know, have a few GA customers where they're trying to take what I would generally say are a lot of those subjective components of a security program where you may answer questions - so whether that's, you know, some type of, you know, framework questionnaire or something related to maybe the insurance industry - and try to give an assessment of your program, which, in and of itself - that's fairly simplistic. I mean, you can do that with a spreadsheet, right? But to do - to be able to do that and then track that over time and tie it to, you know, your resources you apply against the problem and track progress and learn and gain insight from that and tie that to business context and a risk - those are the conversations I'm interested in. And those are some of the solution providers I'm speaking with that are, like - again, like I said, new entrants to the market. Most folks wouldn't recognize the names. 

Robert Huber: [00:06:20]  But when I have a conversation at the board level, those - I mean, that's what I'm trying to relate to the board. And quite honestly, most folks are - you know, on my side are using spreadsheets and PowerPoints to relate that information. And I think these - there's an opportunity there for solutions in that space in particular to try to start not only correlating the answers to all those, you know - a lot of subjective questions to represent the risk to the enterprise. But then there's those conversations of, OK, how do we tie that back to real, quantifiable metrics and telemetry? So - and then that's my interest - right? - because most security practitioners operate in the realm of, you know, day-to-day operational metrics, and we have an understanding what that means. But at the higher level, the conversation - the executive level or to the board - it's really hard to relate those two. So I think there's still a gap between what I'll call is the, you know, end point solution - things are providing real protection, detection, telemetry types of information - that conversation and the board-level conversation. 

Dave Bittner: [00:07:20]  I imagine for you, when you're walking around a show like Black Hat and people glance at your name badge and they see the position and that you're with a company as well-known as Tenable - probably, their eyes widen, and they smell blood in the water. And they think, oh, here's someone I want to talk to sell my wares or hit up for a job or something like that. From your perspective, what's the best way to communicate a message to someone like you? What's the best way for someone to respect your time in a trade show situation like this? 

Robert Huber: [00:07:52]  You know, that's a great question, and I get that internal - you know, Tenable's a solution provider, and, you know, we're always trying to figure out ways to approach the market space. You know, for myself in particular, I will say, regarding resources, looking for talent - I'm always open to that conversation. So if somebody wants to have that conversation, I'm all ears. You know, it's - whether it's for just Tenable or, you know, to help other folks out - right? - we're all in this together. When I'm walking the floor, though, if - I will engage directly with the providers I'm interested in to solve a problem I'm trying to address, right? So it's very apparent when I walk in. Very rarely do I walk in and just say, tell me what you do. I'm there for a specific reason. I really only have limited time when I'm on the showroom floor, so I'll go down there - in fact, I have a list of probably seven or eight vendors. And I'm going to make a specific point to go visit with them, see the tech in person, understand the problems they're trying to solve. And of course, I'll have follow-up conversations, you know, after that, but when I'm down there, you know - I hate to say this - I'm all business. I mean, I head to the areas I know I want to be, and then everything else, I just shut out.

Dave Bittner: [00:08:50]  Yeah. You've done your homework. 

Robert Huber: [00:08:51]  I have, absolutely. I mean, that's part of my job. Certainly, you know, as I have team members that are here, they do the same thing, but I will put the message out to my larger team to say, who should I be talking to? What questions do I need to be asking? And that's to help us solve problems we're trying to address within Tenable, so that's - I make that my business to do that. 

Dave Bittner: [00:09:09]  Bob Huber is chief security officer at Tenable. 

Dave Bittner: [00:09:13]  Researchers at Proofpoint this morning released a report on a phishing campaign that hosts its landing pages in the cloud. They observed the campaign late last month, and they say it's continuing. It spoofs the branding and email transaction format of DocuSign, and the landing pages it directs its victims to are hosted in the Amazon public cloud. As Proofpoint notes, this remains a relatively uncommon practice. Using enterprise-grade services like AWS is snazzier than the more familiar tactic of employing consumer services like Dropbox or Google Drive. Proofpoint thinks Amazon has been commendably vigilant in trying to take down such abuses of its services, but the security firm warns that you should be alert to the possibility that the DocuSign transactions you're seeing may not be what they appear. 

Dave Bittner: [00:10:02]  A report on ransomware by security firm Vectra also concludes that extortionists are devoting more attention to files stored in the cloud. As Vectra puts it, encrypting files that are widely available on the network is faster and more efficient than encrypting files on every single host device. Their research also suggests that ransomware gangs are increasingly looking for organizations with deep pockets and valuable data on the familiar grounds that that's where the money is. Of course, smaller, unprotected enterprises will continue to receive their share of opportunistic attention from petty skids. Franklin Parish in Louisiana is working to defend itself from just such a crime this week. This represents a continuation of the criminal activity that led the governor of Louisiana to declare a state of emergency last week. 

Dave Bittner: [00:10:50]  Android's August patches are out. Among the fixes are patches for two vulnerabilities Tencent's Blade Team called QualPwn, CVE-2019-10539 and CVE-2019-10540. Both are Wi-Fi issues that are potentially serious because they might be exploited without user action. 

Dave Bittner: [00:11:12]  The European Union's Court of Justice has rendered a decision on joint controllership of data. The case, Fashion ID, involved responsibility for collection, storage and analysis of data collected by websites that might embed, say, a Facebook Like button on a page. In brief, the law firm Cooley says in a summary of the judgment, websites containing embedded third-party content can be joint controllers of data collected and transmitted by such code, but they're not responsible for any subsequent processing of that data by the third party. The decision was rendered under the EU's older Data Protection Directive, but it will also apply to the concept of joint controller under the General Data Protection Regulation. Cooley notes that joint controllership is a broad concept that arguably applies to such things as the use of cookies, and the law firm expects the decision to have significant implications for the ad tech industry. And as the GDPR has taught the world, Europe isn't like Vegas. What happens in Europe doesn't stay in Europe.

Dave Bittner: [00:12:15]  The U.S. General Services Administration, Department of Defense and NASA have issued an interim rule that restricts contractors from purchasing from five Chinese firms - Huawei, ZTE, Hikvision, Hytera and Dahua. It's entitled Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. The ban goes into effect on August 13. The comment period is open for 60 days from the time the rule is posted to the Federal Register. The prohibition addresses concerns that Chinese equipment represents a security risk. Huawei has a court challenge pending to the National Defense Authorization Act that provides authority for the ban. The company argues that the NDAA represents an unconstitutional bill of attainder. Separately, three Republican senators have asked Google to explain why it had cooperated with Huawei to develop smart speakers for home use.

Dave Bittner: [00:13:11]  And finally, don't be gulled by a bogus Equifax settlement site. The U.S. Federal Trade Commission does maintain a legitimate site where you can submit your claim, but the FTC also warns that there are some crooked fake sites out there. How can you recognize a phony Equifax settlement come-on? Well, for one thing, the FTC won't charge you to submit a claim. So if you must get something from Equifax to make you whole again, insist on the genuine FTC-approved article. A hundred and twenty-five bucks aren't worth getting pwned over. 

Dave Bittner: [00:13:47]  And now a message from our sponsor ObserveIT. 

Unidentified Person: [00:13:52]  Great party, huh? 

Dave Bittner: [00:13:54]  Yeah. Yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? Oh, no, looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person: [00:14:13]  Did someone say trouble? I bet I can help. 

Dave Bittner: [00:14:16]  Who are you? 

Unidentified Person: [00:14:17]  To catch insider threats, you need complete visibility into risky user activity. Here. I'll show you how ObserveIT works. 

Dave Bittner: [00:14:25]  Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person: [00:14:34]  Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:14:40]  But wait. What's your name? Oh, well. Thanks, ObserveIT, and whoever she is. 

Dave Bittner: [00:14:48]  ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. 

Dave Bittner: [00:15:07]  And continuing our coverage of the Black Hat conference, joining us from the show floor is Matt Aldridge. He is a senior solutions architect at Webroot. Matt, what are you seeing there? What is the overall mood there down on the floor? 

Matt Aldridge: [00:15:20]  So it's been a relatively positive mood. I wouldn't say it's significantly different to previous years. You know, every year, you kind of sense increasing maturity in the industry as a whole. Particularly, you know, as people are harnessing technologies in more sophisticated ways, they're getting to grips with the realities of some of the threats and things like that. There's definitely an increasing evolution, shall we say, in how people are dealing with threats, pushing towards more automation and things like that. 

Dave Bittner: [00:15:53]  In terms of the messages that you're seeing out there from the vendors on the floor, is there an overarching theme this year? 

Matt Aldridge: [00:16:01]  I wouldn't say there's one overarching theme. There's so many different solution providers doing - you know, telling so many different stories. But like I said, automation and taking more work away from analysts because there's just not enough people to go around is a big theme. Getting more sophisticated with the use of tools and technologies such as machine learning, getting cleaner inputs into machine learning models, so - you know, putting more steps in the chain to clean the noise out and getting more value out of those systems, you know, to make the whole process more efficient. Getting back to basics is a big thing. It's easy to look at all the latest toys and the new techniques and forget to keep on top of the traditional things. You know, password security, backups - all the traditional stuff is still very important. And then remembering the human factor - you know, there's a lot of people talking about the human factor; about, you know, looking after and training staff, sending out phishing campaigns to, you know, help people learn from their mistakes in a controlled way rather than waiting until they're actually hit by real attacks. You know, from our own threat report, we've seen that there's a 70% drop in people clicking on malicious phishing links after just 12 months of an awareness training program. So these things do make a real difference, and people are the first link in the chain for protecting against any kind of new attacks.

Dave Bittner: [00:17:45]  What is your own personal strategy when you're faced with a trade show like this and you want to - you've got information that you want to gather for yourself? How do you go about doing that? 

Matt Aldridge: [00:17:55]  So for me, it's difficult. Time management is difficult at something like this. You know, I have a lot of responsibilities with the company I represent, so I have to spend time on our booth and, you know, demonstrating solutions, explaining the services that we have. When I get time out, I'm often in meetings, so it's - just having everyone here in one place is fantastic to actually physically get together, spend time, talk through things. That's really, for me, the key value - is actually getting that face time with people in the flesh and, you know, getting the real kind of honest story of the challenges people are facing and start working on how we can help with that. 

Dave Bittner: [00:18:40]  Well, Matt Aldridge, I hope the rest of the show goes well for you, and safe travels as you head back home. 

Matt Aldridge: [00:18:46]  Awesome. Thanks, Dave. Great to speak to you again, and keep well. 

Dave Bittner: [00:18:54]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:07]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.