Hacking the Czech Foreign Ministry. Microsoft patches new wormable bugs. More controversial human review of AI. Insecure links, exposed databases, and a California vanity plate.

Dave Bittner: [00:00:03] The Czech Senate wants action on what it describes as a foreign state's cyberattack on the country's Foreign Ministry. Microsoft warns against the wormable DejaBlue set of vulnerabilities. More humans found training AI. Insecure airline check-in links. Exposed databases involve BioStar 2 and Choice Hotels. The latter was held at a third-party vendor. And the LAPD doesn't find a vanity license plate with the letters N-U-L-L particularly funny. 

Dave Bittner: [00:00:37]  And now a message from our sponsors, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:01:25]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:01:52]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 14, 2019. 

Dave Bittner: [00:02:00]  Citing intelligence from the Republic's National Cyber and Information Security Agency, the Czech Senate has concluded that a foreign state power was responsible for recent attacks on the Foreign Ministry. The Senate doesn't name the foreign state, but Reuters says that Czech news outlets are calling the attacks a Russian operation. Denik N reported that the incident took place in June. There's been no comment from Czech officials so far. The Czech counterintelligence service BIS in its last annual report did assert that Russian intelligence operators had conducted cyber-espionage campaigns against the Foreign Ministry. 

Dave Bittner: [00:02:38]  We have no wish to keep calling wolf, wolf, or more precisely, worm, worm, because the large-scale worm infestation expected from BlueKeep has yet to appear. On the other hand, that risk is hardly over. And yesterday, Microsoft released patches for a similar family of vulnerabilities being called DejaBlue affecting the remote desktop protocol. BlueKeep was a risk to unpatched Windows 7 instances and to any earlier versions of Windows out there, but DejaBlue affects Windows 7 and more recent versions up through the most current ones. Redmond warns that there are seven new vulnerabilities in that new family. Two of those are regarded as particularly serious in that they could be wormable, exploited to deploy a worm that could propagate from one infected system to others. Microsoft advises patching immediately. Simon Pope, director of incident response at the Microsoft Security Response Center, blogged yesterday, quote, "it is important that affected systems are patched as quickly as possible because of the elevated risks associated with wormable vulnerabilities like these, and downloads for these can be found in the Microsoft Security Update Guide," end quote. 

Dave Bittner: [00:03:49]  Facebook has been paying contractors to review user interactions with its products, Bloomberg reports. The social network is the latest to receive scrutiny over the practice. Google, Apple, Amazon and Microsoft have all been found doing this, most commonly in human-AI interactions with such digital assistants as Siri, Alexa and Cortana. Facebook had offered users of its Messenger the option of having their voice chats transcribed. It hadn't made it clear, however, that human operators would check the quality of the automated transcription. The social network says it stopped this practice about two weeks ago after seeing the reputational hot water in which similar reviews landed Amazon and Apple. 

Dave Bittner: [00:04:29]  In fairness to Facebook and the other companies who have had humans review user interactions with AI, none of them appear to have done so with any nefarious intent. They do seem to have been working to improve the user experience. If anything, the incidents serve as a reminder that artificial intelligence, for all its power and commercial promise, remains an immature technology deeply dependent upon human trainers. 

Dave Bittner: [00:04:53]  Wandera reported yesterday that British Airways has been sending insecure, unencrypted check-in links to passengers. The links include passenger details - last name and confirmation number - to make it easier for passengers to log in to the British Airways site. Unfortunately, that information also makes it possible for hackers to do the same, and to move on to acquire other personal information connected with booking a flight, including email addresses, telephone numbers, British Airways loyalty program membership numbers, flight times and seat numbers. Neither paycard data nor passport numbers appear to be exposed. British Airways, which the U.K.'s Information Commissioner's Office last month hit with a proposed $221 million fine, says it's working to fix the problem. 

Dave Bittner: [00:05:40]  These days, the buildings in which we live and work likely contain a variety of security and automation systems to control everything from who gets in to the temperature inside the building. As you might expect, those systems come with their own security concerns. Elisa Costante is head of OT innovation technology at Forescout. 

Elisa Costante: [00:05:59]  Most of the buildings we live in or we work in are actually controlled by legacy building automation system. And with legacy, we mean systems that have been there for quite a while because they represent a lot of investment for facilities' owners or facility managers. So we are speaking of quite old-fashioned technology, I would say. The new usage that we do with this system was not in the mind of the designers. So for instance, we rely on systems that use protocols that are unauthenticated and unencrypted, which means that if you basically manage to get a handle on this basic operation method, because those systems need to communicate with each other, you actually can get access to a lot of information. And plus, it's not only information, but, actually, if you manage to enter this net and send the right command, you can ask the basic automation system to behave the way you want in a very easy way. 

Dave Bittner: [00:06:58]  Now, are these systems generally segregated from each other? Or is there a sort of a central control system for multiple systems? 

Elisa Costante: [00:07:06]  In most of the cases that we have seen, there is no segregation. What that means is that, basically, your surveillance system is on the same network where your heating system is and on the same network where your access come from in. And this is actually one of the things that we exploited in our research when we actually showed through the proof-of-concept malware how you can exploit the vulnerabilities in the weakest of your systems in order to get access to all of your most critical systems. 

Dave Bittner: [00:07:36]  Well, walk us through what was the proof-of-concept malware that you developed? 

Elisa Costante: [00:07:40]  So what we did is with a basic automation approach that is composed of three subsystems, we had a surveillance network, and we had a management network - surveillance system and management system and an access control system. And we put them on the same network. So we apply no segmentation, which is something that we have seen to be quite realistic. And what we did is, OK, let's look at how vulnerable these systems that are in our lab are. So we spent some time into identifying and finding vulnerabilities. We found some database, but also for some of the devices we have in our lab, during the time that we were doing our experiments, another company came out with some database for one of the IP cameras that we had in our lab. So we decided to recycle and treat those database to create exploits for those databases. 

Elisa Costante: [00:08:32]  We eventually managed to do was that completely automated malware that was managing to enter into the network from an IP camera. And from the IP camera, it was moving to a Windows machine that was vulnerable to some different connections, and from that Windows machine eventually arrived to the most critical device that we have in our lab, which is a controller that was controlling the access control system. So it was the controller in charge that define and decide who would get access to critical areas. Now, this critical area in our case was our lab that is managed (unintelligible) at the center. And what the malware managed to do once it had arrived at this controller - it basically was having access through the vulnerability, find the critical vulnerabilities on the device to get the access to, basically, the fourth device and delete the link of the users (ph) so no one has access to that area. Imagine if you block access to people in an emergency room or in an operation surgery in a hospital. 

Dave Bittner: [00:09:38]  So what are your recommendations for organizations to better protect themselves? 

Elisa Costante: [00:09:42]  First of all is awareness - awareness about the fact that when we speak about cybercrimes and cyberattacks nowadays, we are not speaking only about data, but we are more and more often speaking about cyber physical attacks. So that just can actually have an effect in a lot of life now that they do life (ph) and on the things that are surrounding us. 

Elisa Costante: [00:10:03]  And after, we need to have this device visibility first because there is nothing you can do unless you know how your network is composed of, how it looks like with other devices, how they are vulnerable. Do I have devices that are on the same network and they shouldn't be in the same network because one of them is extremely vulnerable and the other one is extremely critical? 

Elisa Costante: [00:10:27]  And so once you have this visibility, what you can do is actually create a strategy that, if you have risks, reduces your highest risk. And this strategy might include continuous monitoring, so for instance, being alerted every time that something strange, anomalous or suspicious happens on your network, and eventually move to a full ideally segmentation of your network where you are sure that only the devices that are supposed to speak with each other for a clear reason - they are. 

Dave Bittner: [00:10:59]  That's Elisa Costante from Forescout. 

Dave Bittner: [00:11:03]  VpnMentor has found the biometric data of some 1 million people exposed online in an unprotected database. The data were held by BioStar 2, a web-based smart-lock platform that controls access using fingerprints and facial recognition. The information exposed includes employee personal information and unencrypted usernames and passwords. The exposure was discovered on August 5, disclosed on August 7 and resolved on August 13. 

Dave Bittner: [00:11:32]  That's not the only exposed database disclosed this week. Comparitech says it collaborated with researcher Bob Diachenko to find an exposed MongoDB instance belonging to Choice Hotels. They disclosed their finding to the hospitality chain, but, unfortunately, criminals got there first and left Choice Hotels a ransom note for 0.4 bitcoin, which at current exchange rates comes to about $3,800. The database held guest information, including names, email addresses and phone numbers. Most of the data amounted to test data and didn't refer to actual customers, but some 700,000 of the records did. 

Dave Bittner: [00:12:11]  Choice Hotels says the data were hosted on a vendor's server and that Choice Hotels' own system had not been exposed. The data were exposed for four days. Choice Hotels told Comparitech, quote, "we have discussed this matter with the vendor and will not be working with them in the future. We are evaluating other vendor relationships and working to put additional controls in place to prevent any future occurrences of this nature. We are also establishing a responsible disclosure program, and we welcome Mr. Diachenko's assistance in helping us identify any gaps." 

Dave Bittner: [00:12:43]  And, finally, the Los Angeles Police Department is in its full, humorless, Joe Friday mode. A gentleman who presented at DEF CON last week who goes by the hacker name Droogie decided he would get himself a vanity license plate for his ride, but nothing so obvious as BOO BOO or 3RDEMMY or PWR HAUS or LITIG8, all of which have been seen on the 405 out and about in the City of Angels. Droogie liked and purchased NULL, both as a good joke and a gesture of invisibility in the direction of the Golden State's famously big-brotherish Department of Motor Vehicles. 

Dave Bittner: [00:13:19]  Anyhoo, it turns out that the software used to administer parking tickets sent him all the tickets for which it didn't have the actual license plate - that is, for which the value was null. It came to more than $12,000. The LAPD fixed about half of the tickets so far, but, just the facts, sir, tickets continue to show up. The DMV and the LAPD both advise him to change his license plate, but Droogie is hanging tough, and the software vendor behind the systems isn't budging, either. We're sure there's a serious lesson here about the automation of police operations and so forth, but, hey, Officer Bill Gannon, where are you? From the basin to the valley, from the desert to the sea, they need your good humor. But somewhere, Jack Webb is smiling. 

Dave Bittner: [00:14:09]  Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:15:26]  And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. I wanted to touch base with you today on cybersecurity insurance and get some of your insights on that. 

David Dufour: [00:15:39]  Great to be back, David. And this is a topic that I'm super interested in. It's kind of interesting because, you know, I'm an engineer in cybersecurity, but I do see this coming up a lot, and it's a good discussion point and something people really need to think about. 

Dave Bittner: [00:15:51]  All right. Well, let's dig in. What are your thoughts here? 

David Dufour: [00:15:53]  Honestly, I think there's a lot of value in looking at cybersecurity insurance for some organizations. And, in fact, there could reasonably be more value than maybe buying that next hundred-thousand-dollar tool that's going to protect your network. And you need to take the time to understand the risk and the benefit. For example, insurance might protect you from a breach that occurred, and you aren't that exposed to a breach, so you don't need to buy that new network monitoring tool. You don't need to buy that solution that is expensive and you have to bring on cybersecurity resources where, because you're not so exposed or not in an industry that has a lot of interest to attackers, an insurance policy could be the better solution for you. 

Dave Bittner: [00:16:37]  Is this a matter of sort of taking a risk-based approach of taking a look at your vulnerabilities and your strengths and deciding where the best place is to spend your money? 

David Dufour: [00:16:47]  That is exactly what it is, David. And there's a couple of things you've got to watch out for, honestly. And I'm not a lawyer. I'm not giving, you know, specific advice. I want people to think about this. A lot of organizations are starting to offer cybersecurity insurance. They're underwriting policies for folks. If you're a medical provider or some organization that needs compliance, it's arguable that cybersecurity insurance is something that's very important for you because for compliance metrics, there can be litigation, things of that nature. But if you're that welder I sometimes talk about in Oklahoma who all he wants to do is send out his invoices at the end of the month, it might not be that big a deal for you to have that cybersecurity insurance to protect your shop if you've got good backup. 

David Dufour: [00:17:29]  The key, though, is, David, there are a lot of organizations that are now trying to offer cybersecurity insurance. And you need to look for insurance people that have underwritten policies that maybe have gone through paying out, that have gone through litigation to really understand that they have that track record that the policy will be used and you're able to enforce it and get some money back because there's a lot of folks that are saying, well, we'll provide you insurance, except if you're hacked, we're not going to help you recover - you know, things like that. 

Dave Bittner: [00:17:58]  Right. 

David Dufour: [00:17:59]  You've really got to spend the time to understand what the policy covers. 

Dave Bittner: [00:18:02]  Yeah, and things like deductibles and, you know, all that. None of us - you or me or probably most of the people listening to this show - are insurance experts. So you need to work with somebody you trust to make sure that you're going to be well taken care of. And ask those questions. 

David Dufour: [00:18:20]  Well, that's exactly right. It goes down to looking for someone that maybe isn't new in this industry, that's been doing it for a while. But in addition, you, as the person looking for a policy, have a responsibility for understanding the requirements of that policy. Do you have compliance requirements if you get it? Do you have, you know, things that that policy requires you to implement in your organization? What is that policy going to cover? Is it going to cover your brand protection if you do get attacked and data is taken out? Will they help you, you know, with the media coverage, or are they just going to help you get data back? And things like how do you prove that the hard drive didn't go bad in the server, that it was a hacker? You've really got to understand how you're going to be able to get money or recourse out of that policy. Don't just sign up for something and think you're covered. 

Dave Bittner: [00:19:08]  All right. Well, it's good advice. David Dufour, thanks for joining us. 

David Dufour: [00:19:12]  Yeah. Great being here, David. 

Dave Bittner: [00:19:18]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:31]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.