Malware in nuclear plant business system, but not in control systems. Facebook versus inauthenticity and spyware. Twitter refuses political ads. NIST wants comments. Cyber risk a factor in credit ratings.
Dave Bittner: [00:00:03] The Kudankulam Nuclear Power Plant confirms it had malware in a business system but that control systems were unaffected. Franchising coordinated inauthenticity. Facebook deletes NSO Group employees. Twitter says it will no longer accept political ads. NIST wants your comments. And Moody's appears ready to consider cyber risk in its credit ratings.
Dave Bittner: [00:00:30] And now a word from our sponsor, Coalfire. When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated with business units and partners. The common question inevitably arises, is security the cloud platform provider's responsibility, or is it the customer's responsibility? To optimize data security, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the introduction of the high-trust shared responsibility program, there's now a solid path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of high-trust CSF certifications since 2011, and they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the high-trust cloud assessor, at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud. Intelligence that enables you to respond to your environment, and insights that empower you to change it - McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:09] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 31, 2019. Reports of a cyber incident at India's Kudankulam Nuclear Power Plant have been confirmed. Reuters quotes a statement from the Nuclear Power Corporation of India Limited, acknowledging that it had found malware on a computer connected to administrative systems but that control systems were unaffected. Various sources say the malware was DTrack, an information stealer associated with North Korea's Lazarus Group. DTrack has recently affected Indian financial and research institutions.
Dave Bittner: [00:02:48] It's worth noting that malware in a business system doesn't necessarily mean that a control network has been compromised. Sometimes attackers have been able to pivot from business to control systems, as they did in Ukraine. But in other cases, like that of the Wolf Creek plant in Kansas, they haven't. The descriptions of what happened at Kudankulam sound, so far, more like Wolf Creek than they do Kyiv. But it's still a matter of concern.
Dave Bittner: [00:03:13] Yesterday, Facebook announced that it had taken down 35 accounts, 53 pages, seven groups and five Instagram accounts for coordinated inauthenticity. All originated in Russia and have been connected to Russian oligarch Yevgeniy Prigozhin, commonly called Putin's chef, as The Washington Post reminds everyone. Their messaging focused on Africa, specifically, on Madagascar, the Central African Republic, Mozambique, the Democratic Republic of the Congo, the Ivory Coast, and Cameroon. The campaign's objective was election influence, generally aligned with Russian regional objectives. But there's also some informed speculation in circulation that the campaigns may represent in some fashion the emergence of a kind of franchise model into this form of information operations. The troll shops may also be working on behalf of local political factions.
Dave Bittner: [00:04:07] Ars Technica reports that Facebook has cancelled accounts belonging to NSO Group personnel. The cancellations seem fairly extensive. By some reports circulating on Twitter, most NSO Group employees have been affected. The NSO people banned received a message from Facebook's Instagram platform that said, quote, "your account has been deleted for not following our terms. You won't be able to log into this account, and no one else will be able to see it. We are unable to restore accounts that are deleted for these types of violations," quote.
Dave Bittner: [00:04:38] The action follows Facebook's subsidiary WhatsApp filing of a lawsuit against NSO Group. WhatsApp's beef comes down to this - they claim NSO Group used WhatsApp to serve Pegasus, which is correctly described as both spyware and as a lawful intercept product, on about 1,400 devices. WhatsApp complains that the targets included attorneys, journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials. NSO Group has said it's done nothing wrong and that it intends to contest the lawsuit vigorously. As far as the Facebook deletions are concerned, NSO Group hasn't commented. Facebook says they're welcome to appeal if they think the deletion is unfair.
Dave Bittner: [00:05:22] Yesterday, I spoke with Tanya Janca about her decision to leave Microsoft to co-found Security Sidekick. Our conversation continues with insights on the security challenges her new company is looking to face head on.
Tanya Janca: [00:05:36] We're trying to make sure that you know all of the apps and APIs that you have. So our tool goes out and finds all of them, which I know is not sexy. Inventory's not sexy. But you can't protect stuff if you don't own the stuff, if you don't know you have it. And I did so much incident response, David, for things where, I didn't know I owned it. And that is the worst day of your job as an application security engineer. That's the worst incident ever. You have no idea what it is, and your data's for sale on the dark web or, like, it's being attacked and you don't even know where it is so you can't even block the attack.
Tanya Janca: [00:06:15] I was a developer for a really long time, 17 years, before I switched full time to security. And just so many security people getting in my way - don't you know I have deadlines? I've got a feature. I need to do this. And they'd be like, well, if you just send it to us, when this guy gets around to it, he's going to scan it with this thing. There's going to be, you know, all this crap wrong. No one's going to explain to you what it is. So we put our tool not in the pipeline, which, I realize people are like, that's sacrilege. But you don't run it manually. It runs itself. So it just lives on your network as an invisible proxy after your DNS.
Tanya Janca: [00:06:54] And so every time you visit anything, it just - it catalogs it. It's like, did you know you own this? 'Cause this isn't on the list you gave us. You should check it out 'cause it belongs to you. It lives on your network, or it's living in your club. Or did you know that, you know, the business bought this SAS tool and that's living on your network now? FYI. This is phase one of our road map, and we have more that we're planning once we perfect the tool with this stuff. I'm so excited.
Dave Bittner: [00:07:23] I have to say, one of the things that I always enjoy when I have the opportunity to chat with you is that you are so unapologetically you.
Tanya Janca: [00:07:33] (Laughter).
Dave Bittner: [00:07:35] And I mean that as a compliment. I mean, I think in this world, the sort of buttoned-down world in which we live, and particularly in information security, when it can be so serious and there are big things at stake, the energy and the enthusiasm that you bring, I find refreshing. And I wonder, have you found that sometimes people try to push back on that? Has it been a challenge for you to maintain your sense of self in a world that might not always react positively to it?
Tanya Janca: [00:08:10] A little bit of pushback, but mostly those people just go sit in a different talk or don't read my blog. I have had some feedback from conference talks, like, she's, you know, like, so bubbly and effervescent, it's hard to take her seriously when she's not being serious. I am serious. It doesn't mean I can't be in a good mood about it or be really excited that I made this giant pipeline or whatever the thing is that I did. Like, sometimes people do react badly. But those people are in the wrong talk. 'Cause you can't please everyone.
Tanya Janca: [00:08:44] You know, one other area of pushback that I've gotten is from old-school security people that do not want a change. And they don't talk to developers, and they feel that all the security problems in software are all the developers' faults. I actually read a talk about it because I had so many bad experiences as a developer with security people. It took me a long time. And...
Dave Bittner: [00:09:08] Yeah.
Tanya Janca: [00:09:09] ...You know, the first time I had someone run a VA scanner on my app, he found a bunch of things wrong with it. And I'm like, you know, what's this? I've never seen this before. And he was like, if you were a good developer, you would know. You should know. And then, you know, it took me three times to pass the scanning tool. And then I finally did. I was like, wow, that was really hard. And he was like, if you were a good developer, there never would have been any problems with your app.
Dave Bittner: [00:09:35] (Laughter).
Tanya Janca: [00:09:36] And it's like, what type of punishment - like, why would you - why would you speak to another person that way? But then when I learned about, you know, scanning tools, and I learned about hacking and pen testing, and app sec and solving problems, I was like, that guy has no idea what he's talking about. He...
Dave Bittner: [00:09:55] Right.
Tanya Janca: [00:09:55] He refused to give me hope 'cause he had no clue. And he just doesn't know the answers and doesn't - and is too afraid to be vulnerable and admit he doesn't know. Especially some workplaces, where you can't admit you're wrong - and I'll just admit I'm wrong.
Dave Bittner: [00:10:13] Yeah.
Tanya Janca: [00:10:13] Like, even in an interview that's being recorded, sometimes I get asked a question. I'm like, you know what? I don't know the answer to that. And I'm like, but I can find out, or...
Dave Bittner: [00:10:22] Yeah.
Tanya Janca: [00:10:22] ...You know, maybe this or that. And we've set up, like, places in our industry where people feel like you're not allowed to ask for help and you're not allowed to admit you're wrong. And then that is when bad things happen. That is when developers are like, no problem, I'll write my own encryption algorithm (laughter) or something else, right? And, oh, no.
Dave Bittner: [00:10:48] That is the one and only Tanya Janca. She is the CEO and co-founder of Security Sidekick.
Dave Bittner: [00:10:56] Twitter has decided that it won't try to fact-check or police paid political content. They'll simply no longer accept political ads. The exclusion affects ads for candidates and issues but not voter registration drives. The move is getting mixed reviews. Some think it's a sensible and evenhanded way of handling inauthenticity and influence operations. This is, basically, Twitter CEO Jack Dorsey's view, who's tweeted that influence and reach should be earned and not something one should be able to purchase. Others think the decision to decline political ads is a way of getting Twitter out of the censorship business altogether.
Dave Bittner: [00:11:31] But there are skeptics on this matter. At best, Twitter seems to have kicked the problem down the road. The platform is surely right when it says that fact checking social media at scale is practically impossible. But it's not clear that deciding what's a campaign or issue ad will be much easier. And of course, many people read Twitter's announcement as a shot at Facebook's recent refusal to fact-check political ads, a way of saying, hey, everybody, we're better than the House of Zuckerberg.
Dave Bittner: [00:12:00] In the U.S., the National Institute of Standards and Technology, better known by its acronym, NIST, has asked for comments on proposed cryptographic standards. The two draft standards in question deal with digital signature standards and recommendations for discrete-logarithm based cryptography, elliptic-curve domain parameters. NIST's goal is to develop sound standards that will help ensure these technologies are implemented securely. If you have thoughts on either of these, NIST would like to hear from you within the next 90 days.
Dave Bittner: [00:12:31] And finally, credit rating company Moody's made a presentation at EnergyTech 2019 on the credit and financial implications of cyber risk. Control Global welcomed Moody's perspective as providing those responsible for control system security a key to the boardroom. The highest risk sectors are the ones, as Control Global puts it, that, quote, "rely on technology, are highly interconnected and have limited ability to revert to manual operation," end quote. Cyberattacks that have an operational impact can be expected to have an effect on credit ratings. We've seen insurance affect security practices and risk calculations that can now be expected to affect credit. Even if you're self-insured, as some power utilities are, everybody needs credit.
Dave Bittner: [00:13:21] And now a word from our sponsor, KnowBe4. Having spent over a decade as part of the CIA's Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leading cyber operations against terrorists and nation-state adversaries. She's seen firsthand how the bad guys operate. She knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yourself a hard target. Get the inside spy scoop and find out why Rosa, now KnowBe4's SVP of cyber operations, encourages organizations like yours to maintain a healthy sense of paranoia. Go to knowbe4.com/cia to learn more about this exclusive webinar. That's knowbe4.com/cia. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:22] And joining me once again is Ben Yelin. He's the program director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security. Ben, always great to have you back. We had an article come by. This is from a website called Hackaday that primarily is for hardware hackers. And it's written by Jenny List. And the title is "Europeans Now Have the Right to Repair, and that Means the Rest of Us Probably Will, Too." What's going on here?
Ben Yelin: [00:14:48] So any time we get a refrigerator, dishwasher, et cetera, there's sort of an expectation that if one of the parts doesn't work, we can just return it to the manufacturer and, you know, they'll give us one in working condition, or they'll fix whatever issue is affecting that device.
Dave Bittner: [00:15:07] Sure. Warranties.
Ben Yelin: [00:15:08] Exactly. The truth is that in the United States, at least, there aren't rigorous legal protections for warranties for those devices. And that leaves the consumer behind. You know, obviously, this is to the delight of manufacturers, who don't want to have to pay to produce a new item.
Dave Bittner: [00:15:29] Well, also I can imagine if my dishwasher breaks down and I look for a replacement part, I'm handy. I'm capable of doing something on my own. But those replacement parts have been discontinued. That means instead of fixing it, I'm going to have to go out and buy a new dishwasher.
Ben Yelin: [00:15:45] Exactly.
Dave Bittner: [00:15:45] Yeah.
Ben Yelin: [00:15:46] Which means you, you know, can't go to your local home supply store and do it yourself, even if you are a handy person. Right. So the upshot of this article is that the European Union is introducing new rules governing what's called repairability. The law in the EU will mandate that certain household appliances and other devices - so they're talking about washing machines, dishwashers, refrigerators, TVs, anything you can think of. Any of those items for sale within the EU have to have a guaranteed period of replacement part availability. And those replacement parts must be designed so that they can be worked upon with standard tools, whatever that means. So probably things one would one would have in their toolbox.
Dave Bittner: [00:16:32] Right.
Ben Yelin: [00:16:33] So how does this affect us in the United States? So as we saw with the GDPR, when you have a rigorous regulatory standard that comes out basically on anything that applies to the European Union, multinational corporations are going to be forced to change their policies writ large to apply. So you and I got a million different emails when GDPR was going into effect saying...
Dave Bittner: [00:16:57] (Laughter) Yes, we did.
Ben Yelin: [00:16:57] ...We've updated the Verizon terms of service.
Dave Bittner: [00:16:59] Right.
Ben Yelin: [00:17:00] The reason they did that is, you know, the European Union is such a huge marketplace. They're going to have to make these changes for all of those customers, anyway. They might as well do it for all of their customers across the globe. And I think that applies to what's happening here with this repairability law. Because it's being introduced in the European Union, device manufacturers are going to have to adjust their business practices to comply with this law. And while they're doing that to comply with the European law, it's necessarily going to filter down to the United States. And this could potentially be very, very good news for consumers.
Dave Bittner: [00:17:39] Yeah. I think the part that caught my eye was the part about the requirement to have standard tools because I think, particularly with electronic devices, it seems like they'll have some bizarrely shaped screwdriver necessary. You know, here's our new dodecahedron-shaped screwdriver that you must have in order to unscrew this, and you can't go buy that at the local hardware store.
Ben Yelin: [00:18:06] Yeah. I'm very curious as to how they - yeah, how they define standard tools. As someone who's put together a lot of IKEA furniture recently...
Dave Bittner: [00:18:13] (Laughter) Yes.
Ben Yelin: [00:18:13] ...Nothing is ever completely standardized.
Dave Bittner: [00:18:15] Right. Right.
Ben Yelin: [00:18:16] You know, there's going to be one screw that works, yeah, as you said, with this particular device.
Dave Bittner: [00:18:21] At least IKEA has the - you know, at least they're kind enough to include the tools with the...
Ben Yelin: [00:18:28] Exactly.
Dave Bittner: [00:18:29] They have to. You're putting it together yourself.
Ben Yelin: [00:18:30] The manufacturers - now, you know, maybe that's something we'll see as a result of this law in the European Union, is...
Dave Bittner: [00:18:36] Interesting. Right.
Ben Yelin: [00:18:36] They'll prepackage the tools with the device.
Dave Bittner: [00:18:39] Right. Is it cheaper to throw in a customized screwdriver than to change all the screws in the device?
Ben Yelin: [00:18:46] Almost certainly, I would say yes. Now, I wonder if I...
Dave Bittner: [00:18:48] (Laughter).
Ben Yelin: [00:18:48] I wonder if that would satisfy the terms of the repairability. My guess is that it probably would. Of course, there's the problem of, you get this device. You put the package in some corner of your basement. It has the tools in it.
Dave Bittner: [00:19:04] Right.
Ben Yelin: [00:19:04] Five years later, you clear out your basement. Ten years later, the device breaks. And so is there still sort of a repairability element? The other sort of downside to consumers that they mention in this article is that the repairs don't have to be directly available to the consumer. They can just be available to the manufacturer. So the spare parts, in other words, aren't going to be made directly available to the consumer. They're going to be released to the appliance repair trade.
Dave Bittner: [00:19:35] I see.
Ben Yelin: [00:19:36] So that means the consumer is going to have to go seek those spare parts from the repair trade. So that could be - that's another, you know, hurdle that the consumer is going to have to go through to get access to something that would fix these devices.
Dave Bittner: [00:19:51] Yeah. That's interesting. All right. Well, it'll be fun to see how this trickles down to us here in the States, but interesting development. Ben Yelin, thanks for joining us.
Ben Yelin: [00:20:01] Thank you.
Dave Bittner: [00:20:07] And that's the CyberWire.
Dave Bittner: [00:20:08] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:19] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.