The CyberWire Daily Podcast 1.7.20
Ep 998 | 1.7.20

No more Iranian cyberattacks since the minor weekend vandalism, but the US Government advises all to look to their defenses. Fancy Bear is the usual suspect in Austria. A guilty plea by an insider threat.

Transcript

Dave Bittner: [00:00:02] The kittens haven't scratched much so far, but the US government and others are warning organizations to be alert to the likelihood of Iranian cyberattacks in retaliation for the combat death by US missile of Quds Force Commander Soleimani. Fancy Bear is the usual suspect in the case of the Austrian Foreign Ministry hack. Patch your Pulse Secure VPN servers if you've got them. ToTok is back in the Play Store. And there's an executive who turned out to be an insider threat.

Dave Bittner: [00:00:38] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:32] Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.

Dave Bittner: [00:02:05] From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Tuesday, January 7, 2020.

Dave Bittner: [00:02:05] So far, no Iranian cyber operations more serious than the defacement of the Federal Depository Library Program have come to public knowledge. As The New York Times points out, that action amounted to picking some pretty low-hanging fruit, more target of opportunity than high-value target, more nuisance fire than fire for serious effect. The group that claimed responsibility calls itself the Iran Cyber Security Group Hackers, but even people disposed to look for the hand of Tehran aren't concluding that this crew is actually working for Iran. They're at least as likely to amount to nothing more than sympathetic hacktivists.

Dave Bittner: [00:02:43] It's certainly possible for an organization to play well below its usual game, either deliberately as a way of preserving deniability or inadvertently just because they came out flat. But the US government continues to warn that Iran's cyber capabilities are far from negligible and to assess the risk of Iranian cyberattack as high.

Dave Bittner: [00:03:03] The Chertoff Group outlines the likeliest forms Iranian cyberattacks might take. These include destructive wiperware, ransomware, distributed denial-of-service, supply chain attacks and actions against operational technology.

Dave Bittner: [00:03:17] CISA, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, has released a terse warning not to underestimate Tehran's capabilities. In a follow-up to its director's tweeted advice to take a look at what Iran's cyber operators have attempted and accomplished in cyberspace during recent years, CISA singles out four incidents as particularly worthy of study as sources of lessons learned. They are, in chronological order, first, distributed denial-of-service actions against the US financial sector from late 2011 through mid-2013; second, unauthorized access to control systems at the Bowman Street Dam in Rye, N.Y., in August and September of 2013 - a curious incident we've had occasion to mention before.

Dave Bittner: [00:04:05] Third, a whack at the Sands Las Vegas Corporation in February 2014, during which customer data were stolen, and other information was wiped. Why the Sands? Well, owner Sheldon Adelson had made some bellicose public remarks about what might be done to restrain Iran's nuclear ambitions. And as casino.org reminds us this week, Tehran took exception; and fourth, a long-running operation by the Mabna Institute, Tehran's favorite cyber contractor, from 2013 through 2017, during which academic data, intellectual property and credentials were stolen for the benefit of the Islamic Revolutionary Guard Corps. According to the US Department of Justice, this effort affected 144 US universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the US Department of Labor, the Federal Energy Regulatory Commission, the state of Hawaii, the state of Indiana, the United Nations and the United Nations Children's Fund.

Dave Bittner: [00:05:12] All of these represent capabilities Iran demonstrably has. CISA recommends five steps every enterprise should take to harden its cyber defense posture. Disable all unnecessary ports and protocols. Step up monitoring of network and email traffic. Review network signatures and indicators for focused operations activities. Monitor for new phishing themes and adjust email rules accordingly. And follow best practices of restricting attachments via email or other mechanisms. Patch externally facing equipment, focusing attention first on critical and high vulnerabilities that allow for remote code execution or denial-of-service on externally facing equipment. Keep track of PowerShell usage and limit it to those users who actually need it. And finally, ensure the backups are current and stored in an accessible location that's air-gapped from the enterprise network. 

Dave Bittner: [00:06:01]  CyberScoop reports that the Multi-State Information Sharing and Analysis Center - that's the MS-ISAC - has also quietly warned its members to beware of Iranian cyberattacks. And New York State's Department of Financial Services has also advised the banks and other institutions it regulates that they may well receive the attentions of Iranian hackers. So the warnings are out. 

Dave Bittner: [00:06:24]  Whether you're a mobile API provider or an app developer, you know that cyber criminals are increasingly targeting mobile APIs. Tom Tovar is CEO at mobile integration as a service company AppDome, and he offers helpful insights on mobile app API security. 

Tom Tovar: [00:06:42]  As we evolve, and as our expectations grow with the technologies around us, there's more and more appetite and more and more demand for mobile APIs to provide the data and the services that mobile apps need to consume to give us all that great stuff. 

Dave Bittner: [00:07:00]  Can you give us an example or two of how in our day-to-day we'd be interacting with these things? 

Tom Tovar: [00:07:05]  Yeah. Every time we use a mobile app, the app has to do a number of things in order to give us that content. It has to access our location. It - and some of that it can get from the device itself, but then it has to provide recommendations based on our location or answers to the questions that we ask based on our location, and that those answers and those recommendations often come from external sources which are driven by APIs. 

Dave Bittner: [00:07:35]  So what are the security applications that we run into then because of these interactions? 

Tom Tovar: [00:07:41]  Yeah. Well, there are a lot of things, actually. So if you can imagine an application on your phone and a set of systems out in the cloud, as it were. And it could be dozens, it could be hundreds of systems within a single mobile application. And the one mobile app is accessing all of those. One can imagine that there is a lot of information going to and fro between the mobile app and the - and those systems about us, about our purchases, about our preferences, about our whereabouts. And that information is useful obviously to us as consumers, but it's also useful to the bad guys who want to use that for nefarious purposes. 

Dave Bittner: [00:08:29] You know, I can't help thinking of - from, you know, my own life in the past, you know, growing up that you had on the - on electronic devices, you had things like your UL listing - you know, that this device has been certified to meet a certain set of standards. It's been tested. Is there anything like that in the works where you can put a badge on something that says that there's been agreed-upon standards and there's a certain level of security in this interaction that everyone has agreed to and met?

Tom Tovar: [00:08:58]  Yeah. Well, I mean, the OWASP Top 10 are great benchmarks, you know. The OWASP 10 for mobile app security and the OWASP Top 10 for API security kind of go hand in hand. And any security professional will tell you that a proper security model is always a layered security model. You know, we always advocate defense in depth. You know, you'll hear security professionals talk all the time about how there's not a silver bullet, there's not one thing you can do, that you've got to do a lot of things right in order to create a proper security model. So I think the reality of it is there are best practices out in the world that, you know, API providers and mobile developers can follow. And if you'd like, I can kind of share with your listeners kind of what those things are. 

Dave Bittner: [00:09:47]  Yeah. Let's go through a few of them. What are some of the suggestions that you have? 

Tom Tovar: [00:09:50] Yeah. Yeah. So at a minimum, what you need to do is fundamentally four things. You need to secure the access mechanisms between the app and the API. So all of the keys, the secrets, the URLs, et cetera that the app uses to access the relevant API need to be encrypted, need to be protected within the application itself. You need to also protect the payload, i.e., the data that the app - that the API delivers to the app. Then, in a lot of cases, that data could be customer banking information. And it could be account balances. It could be all kinds of information that the API delivers.

Tom Tovar: [00:10:31]  So you need to protect that application data, that API data within the mobile app itself, again, either through encryption or other mechanisms. Encryption would be the preferred. The third thing that you need to do is you need to make sure that the mobile app itself cannot be unpacked or hacked using dynamic or static analysis. So, you know, usually what we recommend are things like anti-tampering, anti-reversing methodologies. Or code obfuscation would be the fourth mechanism to basically obfuscate the entire code base so that the hacker can't know, you know, where to attack and get that information. 

Tom Tovar: [00:11:12]  These are the four methods that really comprise the golden rules of API security within mobile apps. And as long as developers follow these rules, APIs should be protected within mobile apps. There's still a ton of work that needs to go on within the API back end itself - i.e., within the cloud. And for that, we would point all API providers to the OWASP Top 10 for API security. 

Dave Bittner: [00:11:39]  That's Tom Tovar from AppDome. 

Dave Bittner: [00:11:42]  More observers are willing to speculate that the recent cyber espionage incident at Austria's Foreign Ministry is the work of Russia. We should caution that the evidence for this is circumstantial, almost to the point of being a matter of a priori probability along the lines of, who else is likely to be stirring up trouble in Central European ministries? But the word on the street, as summarized by Infosecurity Magazine, is that it looks like the work of Fancy Bear. Researcher Kevin Beaumont warns that REvil ransomware, also known as Sodinokibi, is exploiting unpatched Pulse Secure VPN servers as it prospects larger enterprises. The lesson is a familiar one - for heaven's sake, patch. 

Dave Bittner: [00:12:25]  Vice reports that Google has restored the widely mistrusted ToTok, thought to be an Emirati surveillance tool, to the Play Store. ToTok has denied allegations that it amounts to spyware and denies any connection to DarkMatter, a company widely believed to work for UAE security services. 

Dave Bittner: [00:12:44]  Finally, executives can be insider threats, too. The US Department of Justice has announced that one Hicham Kabbaj, formerly a senior manager working in Manhattan for a global internet company, copped a guilty plea Friday in which he admitted to one count of wire fraud before a US magistrate judge, Stewart D. Aaron. The Justice Department primly refers to Mr. Kabbaj's former employer only as Company 1, but Bleeping Computer identifies it as Rakuten Marketing. Within four months of joining Rakuten, Mr. Kabbaj began sending himself bogus invoices on behalf of a shell company, Interactive Systems, requesting payment for firewalls and various other services, none of which were apparently delivered. He sent some 52 invoices between August 2015 and April 2019. 

Dave Bittner: [00:13:36]  The money Rakuten paid went quickly from Interactive Systems to Mr. Kabbaj's personal bank account. How did they catch him? At least some of the invoices were submitted as Word documents, and IRS investigators noticed that their metadata showed Mr. Kabbaj as the author. This raised some obvious red flags. So, hey, you can learn a thing or two from looking at the metadata. He'll be sentenced shortly by the US District Court for the Southern District of New York. And he could receive up to 20 years as special guest of Club Fed. Mr. Kabbaj's LinkedIn profile says that one of the things he does is transform business processes and streamline them with technology solutions that deliver rapid ROI. That's one way of looking at it. 

Dave Bittner: [00:14:29] And now a word from our sponsor, BlackCloak. You worry about your executives' personal computers being hacked? How about their home network and all those IoT goodies they got over the holiday, or credential stuffing attacks because of their password reuse? Executives and their families are targets. But unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executive's home network and devices, which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.

Dave Bittner: [00:15:49]  And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it is a new year here. And I thought it'd be a good opportunity for you and I to take a look back at 2019, some of the things that caught your attention, that were on your radar. How was 2019 from your point of view? 

Robert M. Lee: [00:16:09]  Yeah. I always love these, like, look at 2019 in review or whatever else. And they're always like, cyberattacks are bad, and people are good. It's always, like so eye-level. So I like to have a little bit more metrics with them. And we've been hard at work on the Dragos year in review as it relates to industrial control. These are things we just put out in the community that talks about, what were the actual, you know, vulnerabilities and everything else, right? And so, you know, as we were starting to compile these and actually have an answer here in the new year, I think one of the things that stands out to me with regards to the industrial control system community - then I'll talk about the enterprise and IT community. 

Robert M. Lee: [00:16:46] But the industrial control system community is - I think we've reached a critical turning point - or inflection point, I should say - in the industrial control system community where there is an executive-level awareness that this is going to require an actual strategy for industrial security that's different than the enterprise. And why I say that is, 2018, I did a lot of board presentations at these companies. It was very endearing. And it was exciting to see them having these conversations. But I probably did - I don't know - 15 to 20 of them. In this year, this past year, I have started to see all of the board members that - talked to board members who - network, and similar I'm seeing the CSOs have the same kind of talking points. I'm seeing an executive-level buy-in. We've always had kind of a practitioner-level awareness, but executive-level buy-in that this is something that needs to be done and can be done.

Robert M. Lee: [00:17:40]  I would like to think that 2019 is going to be that inflection point of the buy-in, not necessarily we've got everything figured out, but actually in the industrial control system community writ large, especially in electric, oil and gas and some subsectors of manufacturing. And actually, I'm starting to see it in rail now a little bit as well. But we're starting to really see a better community-wide understanding. And so I think we'll move past, you know, kind of my 2020 predictions, if you will - which I hate predictions - but move past the let's do the standard and framework and checklist and moving towards let's think about this critically. Now, is every company going to get it right? Of course not. But I think as a community, we're starting to see that awareness. 

Dave Bittner: [00:18:22]  Now, I mean, personally for you at Dragos, 2019 was certainly a year of a lot of growth for you. Which, I mean, can we look at that as being that there's a lot of demand out there for the types of work that you all are doing from Dragos and other companies in the space? 

Robert M. Lee: [00:18:38] Yeah. And so this is where in one - like, my day-to-day, I'm such a hyper-competitive person. And if you were in my staff meetings, you would hear me like, cool, what are we doing against them? And how do we do this? And like, I'm truly hyper-competitive. But if I step back for a second, I'm just so damn proud of the fact that there's multiple ICS security vendors. There's multiple vendors going through massive growth. Like, it's just good things - to your point, that the demand is there. The market is moving, which means the community is growing, which means work is getting done. And even though there's different views on what work needs to get done, those will relate to lessons learned to figure out whose views are more accurate for different environments. And I think we're going to get in a much better place for it.

Robert M. Lee: [00:19:19]  And yeah, for us, we still do like 300% growth every year. I mean, I have over 170 employees now. And this time last year, I think it was like 60 or something. It's just - every year is this massive growth. I'm excited. I don't know. I've always been kind of an optimist. There's plenty of things that scare me or make me upset. And, you know, I think some people have listened to me before go, you have all this optimism, but look at all these bad things. I'm like, no, no, no. The reason I say this, though, is I've always been intimately aware of the bad things. But I'm seeing the good things, and that's something to get excited about. It's not my underappreciation for how terrible some of these things are, including threats that could literally kill people. But it's my appreciation that our community is just amazing. And it's growing. And it's good for everybody. 

Dave Bittner: [00:20:09]  Yeah. All right. Well, good to look back. And Happy New Year to you. Robert M. Lee, thanks for joining us. 

Dave Bittner: [00:20:22] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at the cyberwire dot com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:38]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.