The federal market is ripe with opportunity for SaaS, IaaS, and PaaS providers. More federal agencies are tapping into the cloud, and it’s getting faster and cheaper to achieve FedRAMP authorization. Download Coalfire’s 2019 FedRAMP Securealities report to learn how to take advantage of the rapidly expanding federal market.
The Week that Was.
August 10, 2019.
By the CyberWire staff
What do you buy with ill-gotten cyber gains? If you're Mr. Kim, a few implosion weapons and some launch vehicles.
Reuters on Monday saw a report on North Korean cyber operations the United Nations Security Council received last week. Pyongyang's extensive, state-operated cybercrime program has raised some $2 billion since its inception. The starting date of the cybercrime operations isn't stated in the fragments of the report so far released, but Computing observes that the UN significantly tightened sanctions on North Korea in 2006. Pyongyang is thought to use the money to pay for its weapons of mass destruction, essentially its nuclear and ballistic missile programs. Foreign banks and cryptocurrencies are the principal targets.
Cyber operations accompany regional tension in the Middle East
According to the Wall Street Journal, Bahrain has sustained incursions into the networks of its National Security Agency (whose mission is criminal investigation), the Ministry of Interior, the first deputy prime minister’s office, the Electricity and Water Authority, and manufacturer Aluminum Bahrain. Bahrain believes the activity was the work of regional rival Iran, and that the activity directed against the Electricity and Water Authority amounted to staging and rehearsal for an attack on critical infrastructure.
The US Maritime Administration has issued a formal warning of Iranian cyber interference with shipping in the region. The principal concern is GPS spoofing.
How can industrial organizations stay ahead of ICS adversaries and proliferating threats?
Dragos has identified that XENOTIME (the activity group behind TRISIS), the most dangerous threat to ICS, has expanded its targeting beyond oil and gas--illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about how taking an intelligence-driven approach to ICS cybersecurity can help organizations stay ahead of the latest threats to ICS environments.
Fancy Bear sniffs the IoT.
Microsoft reports that Strontium (also known as Fancy Bear or APT28, that is, Russia’s GRU military intelligence service) has undertaken a campaign to breach enterprise networks by exploiting poorly secured IoT devices: printers, video decoders, and voice-over-IP phones. Redmond says that in April its researchers discovered “infrastructure of a known adversary communicating to several external devices.” Once in, the attackers would seek to pivot to more interesting targets. At least two of the corporate victims had left default passwords in place. A third had outdated software. The campaign’s goal is unknown.
Wicked Panda seems to be moonlighting.
FireEye released a report at Black Hat on APT41, a Chinese group that’s been observed executing espionage operations as well as financially motivated criminal campaigns. APT41 (also called "Wicked Panda") is known for targeting the video game industry. FireEye observed a significant shift in the group’s activities in late 2015, when it moved from intellectual property theft towards strategic intelligence, collecting from industries including healthcare, telecoms, and technology. But APT41 has continued to hit the video game industry for apparent personal financial gain. The operators appear to be moonlighting with Chinese authorities turning a blind eye.
65% of SOC analysts say they have considered quitting or a career change
Research conducted by Ponemon Institute and Devo discovered that a number of issues are driving frustration in the SOC:
Visibility: 65% say they lack visibility into IT security infrastructure
Interoperability: SOCs do not have high interoperability with existing security intelligence tools
Alignment: 81% are not aligned or only partially aligned with business objectives
The result? Analyst burnout and SOC ineffectiveness. Download the full report to learn how to address the key sources of SOC challenges.
More destructive modes of extortion.
Comparitech reports that a bookseller and publisher in Mexico, Librería Porrúa, left a MongoDB instance publicly accessible. The bookseller was warned by researchers July 15th that its database was accessible, but apparently was unable to secure it in time. Criminals claim to have copied the data, then wiped them. They've demanded 500 Bitcoin, almost $6 million, to restore the data. The affected database contained 2.1 million customer records, according to Information Security.
Another destructive attack, GermanWiper, is destroying files in victim systems and then demanding ransom for their presumably impossible restoration. BleepingComputer says the infection vector is a phishing email; the phishbait is a polite inquiry about a job opening from "Lena Kretschmer."
Is your company passionate about empowering women to succeed in the cyber security industry?
The CyberWire’s 6th Annual Women in Cyber Security reception is a networking event that highlights and celebrates the value and successes of women in the cyber security industry. Leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum can connect with each other to strengthen relationships while building new ones. Consider sponsoring the event. Limited sponsorships are available. Visit our website to learn more.
Human review of digital assistants raises privacy issues.
Apple and Amazon are changing how their digital assistants handle users' commands and ambient conversations. Apple told TechCrunch it would suspend human "grading" of Siri's responses. Users will be given the choice of opting into or out of such grading. Bloomberg reports that Amazon has also given users the option of declining human review of interactions with Alexa. Microsoft's Skype service and Cortana digital assistant also came in for suspicion, but SecurityWeek quotes Microsoft as saying that its contractors listen to Skype calls and interactions with Cortana only after receiving user permission.
Have Your Users Made You an Easy Target for Spear Phishing?
Many of your organization’s email addresses and identities are exposed on the internet, and are easy for cybercriminals to find. With email’s enormous attack surface, cybercriminals are able to launch potentially devastating social engineering, spear phishing and ransomware attacks on your organization. Try KnowBe4’s Email Exposure Check Pro for free today, and see how you can identify the at-risk users in your organization by crawling business social media information and hundreds of breach databases.
Android's August patches are out, including fixes for CVE-2019-10539 and CVE-2019-10540, WiFi issues that could potentially be exploited without user action.
Crime and punishment.
Investigators are working through the digital exhaust of the El Paso and Dayton shooters, and are finding the sadly familiar disinhibition and self-absorbed nihilism so often seen among those who've made the ascent into a life lived online. The El Paso shooter admired the Christchurch killer who murdered worshippers in a New Zealand mosque, expressed hatred for Hispanics, and appears to have been active on 8Chan, Bellingcat reports. Heavy has a profile of the Dayton shooter: a progressive socialist and devotee of "pornogrind" metal music; he was active in social media.
A Pennsylvania man, Blair Strouse, has been sentenced to two-and-a-half years in Federal Prison for threatening his estranged wife and her family. US Attorney William McSwain is quoted in Patch explaining that "It's not an excuse to say that you were just mouthing off. If you threaten serious bodily injury or even death over the internet, that is a federal crime with consequences."
The US Justice Department announced Tuesday the indictment of Pakistani national Muhammad Fahd for "conspiracy to commit wire fraud, conspiracy to violate the Travel Act and the Computer Fraud and Abuse Act, four counts of wire fraud, two counts of accessing a protected computer in furtherance of fraud, two counts of intentional damage to a protected computer, and four counts of violating the Travel Act." Fahd allegedly bribed workers at AT&T's facility in Bothell, Washington, to disable AT&T proprietary locking software on customers' phones, which would enable the unlocked phones to be used in any compatible network.
Investigation into the possibility that the alleged Capital One hacker hit other enterprises continues. According to Computing, however, Amazon says it's found no evidence that the organizations mentioned by Paige Thompson, nom-de-hack "erratic," were actually compromised. The FBI is investigating, the Wall Street Journal reports. Not all the possible victims are in the US. Cyberint has a useful rundown of the evidence that's aroused suspicions that "erratic" may have had more targets than just Capital One, but some observers think Ms Thompson may have been engaged in clumsily handled vulnerability research, with the aggressive chatter the kind of gasconade those living the researcher lifestyle are known to indulge. The Verge points out the difficulty of distinguishing legitimate research from criminal hacking.
Samantha Davis, a former aide to Senator Maggie Hassan (Democrat of New Hampshire) pleaded guilty on July 30th to two misdemeanor counts of aiding convicted hacker Jackson Cosko in his crimes. Politico reports that Ms Davis had given Mr. Cosko keys to Senator Hassan's office knowing that he intended to tamper with computers there, and that she also lied about the matter to investigators. Mr. Cosko has been sentenced to four years in prison for doxing Republican Senators who supported the nomination of Justice Brett Kavanaugh to the Supreme Court.
Courts and torts.
Cisco has agreed to an $8.1 million settlement with the Justice Department prompted by a whistleblower's report that the company had sold video surveillance equipment that was vulnerable to hacking. Cisco's Chief Legal Officer wrote on the company's blog that the security issues arose in equipment produced by Broadware, a company Cisco acquired in 2007. Broadware's gear was intentionally designed with an open architecture for greater customer flexibility, but that flexibility came at the price of a "theoretical" possibility of hacking. Cisco says there's no evidence that any systems were in fact accessed by unauthorized persons. Reuters says whistleblower James Glenn received a bit more than $1 million under the False Claims Act.
On July 30th Capital One was sued in the US District Court for the District of Columbia in a class action initiated by a Connecticut man who identifies himself as a Capital One customer, Reuters reports. This was the first of several other expected lawsuits. By the end of the week a second class action lawsuit, this one a state case filed in California, alleged negligence on the part of both Capital One and GitHub. ZDNet notes that naming GitHub in the action is surprising. The plaintiffs allege that GitHub negligently permitted Social Security numbers to be posted to its site, and that the service actively encourages hacking. That latter claim derives from the existence of legal GitHub repositories devoted to hacking, penetration testing, cybersecurity, reverse engineering and the like.
While it may in principle be relatively easy to recognize Social Security numbers, GitHub says the accused hacker, "erratic," didn't post any Social Security numbers to its service. Last Saturday, a GitHub spokesman emailed, "GitHub promptly investigates content, once it's reported to us, and removes anything that violates our Terms of Service. The file posted on GitHub in this incident did not contain any Social Security numbers, bank account information, or any other reportedly stolen personal information. We received a request from Capital One to remove content containing information about the methods used to steal the data, which we took down promptly after receiving their request."
Policies, procurements, and agency equities.
The Wall Street Journal reports that President Trump has responded to the killings in Dayton and El Paso by directing the Justice Department to work with state and local authorities as well as major social media platforms to identify individuals likely to commit mass killings before those individuals actually open fire. In some ways this represents an attempt to address the known-wolf problem, the problem of the bad actor--killer, hacker, turncoat, spy--whose bad actions retrospectively look eminently foreseeable and therefore eminently preventable. This is an enduring problem. The killers in Texas and Ohio, like earlier killers in California, Pennsylvania, New Zealand, and Sri Lanka, all had a social media presence that contained more-or-less obvious flags betraying their intention.
The sheer volume of information, however, gives experts the Journal spoke with pause about how feasible this approach is likely to prove. No one has yet developed fully automated tools to reliably screen for violent intent, and content moderation will probably remain extremely labor intensive for the foreseeable future, and legal and civil libertarian concerns might also prove an obstacle. But law enforcement may be able to pick up at least some indications that someone represents a violent threat. In any case, the US Administration has invited representatives of tech companies to meet at the White House to discuss how radicalization and inducement to violent extremism might be controlled in social media. Which companies have been invited, the Washington Post reports, is so far unclear.
There have been longstanding concerns that content moderation has not only been ineffectual--too slow, for example, at shutting down the Christchurch murderer's livestreaming of his massacre, and too inattentively permissive, to take another example, with respect to the manifesto the El Paso killer is now generally thought to have posted to 8Chan (see WIRED for an account of 8Chan's place in the online ecosystem)--but also too susceptible to manipulation that aligns with the political bias of the moderators. The Daily Beast has an account on how such bias has been perceived to operate recently against conservative content. POLITICO reports that the White House is circulating a draft of an Executive Order that would address such bias. The contents of the drafts are a matter of conjecture, and it's unclear how one might redress corporate or indeed any other bias by Executive Order.
On Wednesday the US Government issued an interim rule ("Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment") that bars contractors from purchasing from five Chinese firms: Huawei, ZTE, Hikvision, Hytera, and Dahua. The ban goes into effect on August 13th; the comment period is open for sixty days from the rule's publication in the Federal Register. The prohibition addresses concerns that Chinese equipment represents a security risk, primarily an espionage risk.
Changes at the US Office of the Director of National Intelligence: Joseph Maguire will serve as acting DNI, and Principal Deputy DNI Sue Gordon has resigned, C4ISRNet reports.
An op-ed Raytheon published in TheHill advocates increased attention to corporate training programs like its Cyber Academy, designed to enable current and prospective workers to grow into security roles that are in short supply. The US Air Force's Education with Industry program (essentially an opportunity for officers to serve apprenticeships with corporations) is also commended, as are industry-academic partnerships like the National Collegiate Cyber Defense Competition.
Mergers and acquisitions.
Broadcom has agreed to acquire Symantec's enterprise security unit for $10.7 billion in cash. CRN says that the Symantec brand is part of the deal. Seeking Alpha sees it as Broadcom's next move in its play to become a major infrastructure technology provider. Symantec, which as Reuters reported in July turned down an earlier run from Broadcom over price, will be left with its consumer-facing Norton LifeLock business.
Australian cloud solutions shop Rhipe has acquired Network2Share for the company's SmartEncrypt product, which Rhipe calls "user-friendly." Rhipe spent $2 million on the acquisition, Business News Australia reports.
Deal Street Asia says that Singapore's Temasek Holdings is buying cryptographic shop D’Crypt. The company's owners, its founding shareholders and StarHub, will receive $72.3 million.
ManTech has bought Virginia-based H2M Group in a move to augment its geospatial and intelligence analysis capabilities. CRN says the terms of the acquisition haven't been disclosed.
Investments and exits.
Reuters reports that Boston-based Cybereason has secured a very large investment, $200 million, from Japan's SoftBank. Cybereason intends to use the investment to "expand its global footprint and focus on developing its core offering, [the] Endpoint Protection Platform."
SecurityWeek reports that Securiti.ai has emerged from stealth with a $31 million Series A round. The San Jose-based company, founded last year, offers a privacy platform, Privici.ai, designed to enable enterprises to understand the personal data they hold, their exposure to regulatory risk, and the measures they need to take to ensure compliance with data privacy laws. The company is staffed in significant part by Elastica, Symantec, and Cisco alumni. Securiti.ai's investors include the Mayfield Fund and General Catalyst.
Capsule8 has received a "multimillion dollar" investment from Intel Capital. The Brooklyn, New York-based company protects Linux production environments, offering both on-premises and cloud solutions. Capsule8 intends to apply the investment to its go-to-market efforts.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.