ArchiveBusinessCyberOODA Original

Cyber Threat Analysis Report Vol 1, Edition 7

Cybersecurity Concerns Becoming a Bigger Part of M&A Due Diligence

Unreported data breaches have disrupted several major M&A deals in recent years, including Marriott International’s merger with the Starwood hotel chain, TripAdvisor Inc.’s acquisition of Viator Inc., and the Verizon-Yahoo Inc. deal. “I don’t think only 50% of the companies that do M&A need to worry about this. I think 100% of the companies that do M&A need to worry about this,” said one source.

Caveat Emptor. Buyers unleash accountants to ensure they’re not buying someone else’s financial disaster; they make essentially no effort to see if they’re buying someone else’s data breach or other security nightmare (and odds are they are). Its 2019: if you’re not taking into account the IT aspects of an organization, whether it is an acquisition, teaming agreement, or joint venture, I would argue that you’re negligent.

 

Riviera Beach pays massive ransom to hackers following cyber attack, official says

A spokesperson confirms the City of Riviera Beach has paid a massive ransom to computer hackers following a costly cyber attack in May. LEVICK Public Relations released a statement to WPTV on Tuesday that read: “City Council determined, by unanimous vote, that instructing the City’s insurance carrier to pay the ransom was in the best interest of Riviera Beach residents.” The ransom payment came just weeks after Riviera Beach agreed to spend almost $1 million to fix and replace compromised computer equipment.

“Florida man” story: ransomware edition. Riviera Beach is just the latest in a growing list of cities (in and out of the sunshine state) to fall victim to ransomware. Only Lake City seems to have held anyone accountable (though let’s not tar and feather a guy who probably didn’t have what he needed to do a proper job just yet). If governments want to remain open they have to take this threat seriously, and allocate resources accordingly. This is hard, especially in smaller towns where the money and talent simply isn’t there, but this is rapidly becoming a problem that is just as important as election integrity and foreign interference. If government can’t operate, then is there a government? What fills the void? If you’re not familiar with post-invasion Iraq, you don’t want to know.

 

US wants to isolate power grids with ‘retro’ technology to limit cyber-attacks

The US is very close to improving power grid security by mandating the use of “retro” (analog, manual) technologies on US power grids as a defensive measure against foreign cyber-attacks that could bring down power distribution as a result. “This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult,” they said in a press release last week, after the bill, named the Securing Energy Infrastructure Act (SEIA), passed the Senate floor.

Old School or Old Fools? Some technologists and security experts decry this effort as not just a literal but a figurative step backwards. ‘If we just used the right technology, secure technology, all would be well.’ Because that’s been working so well everywhere else. Even if perfectly secure replacement technology were available today (its not), no element of critical infrastructure is going to swap out old for new in a meaningful time-frame (do you have any idea how much that would cost?). ICS/OT security measures and laws implemented today will have an impact on our grandchildren, not before.

 

The national security risk no one is talking about

A little-known government data collection initiative at the U.S. Securities and Exchange Commission (SEC) threatens to create a target-rich environment for cyber criminals and state actors, such as China, to steal the personally identifiable information (PII) of every American who has money in the stock market. After the 2010 stock market “Flash Crash,” the SEC required broker-dealers, trading venues and stock exchanges to report all stock trades and customer information to a single database, known as the Consolidated Audit Trail (CAT). While the SEC argues this expansive new database would allow it to analyze market events quicker, it never considered the national security risks of storing the PII of every American investor in a central location.

Another day that ends in “Y.” If you’re like most of the audience, your PII – and much more expansive and intimate details of your life – have been stolen a dozen times over. I’ve forgotten more about my life than the MSS knows, and that sucks, but it is what it is. The CAT is a bad idea, because the SEC isn’t hack-proof (to be fair no one is), but of all the things to worry about, this isn’t particularly high up on my list.

 

Cybersecurity Experts Worry About Satellite & Space Systems

As nation-states and rogue actors increasingly probe critical infrastructure, policy and technology experts worry that satellite and space systems are on the front lines. Information from satellites fuel a great deal of today’s technology, from the intelligence gathering conducted by nation-states, to the global positioning system used for vehicle navigation, to the targeting used by “smart” weapons. Little surprise, then, that cybersecurity and policy experts worry that the relative insecurity of satellite systems open them to attack.

The final frontier is closer than you think. You’d be surprised at how easy it can be to put your own personal sputnik into orbit, and that you can communicate with and control it from the ground with gear from Radio Shack. We tend to think that because highly capable satellites require millions in investment and maintenance (technical and human resources) that security is commensurate with the scientific level of effort exerted (its not). Not a new issue to be sure, but one that gets increasingly more significant the greater our dependence on flying blinky boxes.

Austrian Banks Defend Themselves in First Cyber Attack War Games

Austrian banks were found to be “by and large” well prepared to defend themselves from hacker attacks after the country’s financial regulator staged its first cyber war game. The one-day exercise consisted of 170 fake attacks launched by 100 experts, testing the defense of banks, technology providers and public authorities, financial regulator FMA and the central bank said in a statement. The scenarios included blackmail attempts helped by malicious software, attacks that targeted system software and online banking apps as well as the shutdown of ATMs and websites.

Bless their hearts. Its 2019 and we’re congratulating ourselves on something that should have a 20 year history. Not quite the fawning coverage of hack the pentagon from a year or two ago, but the same problem: bad guys don’t care about your rules of engagement. There is nothing too sensitive to pwn. Offensive testing on easy things, or just getting into offensive testing now, isn’t realistic, which means you’re not learning serious lessons. Testing is not a guarantee that you’ll be able to withstand the efforts of a real adversary, but a lack of frequent and serious testing ensures you will definitely fail.

 

Alleged Cyber Attack on Russia’s Yandex Used Malware Tied to Western Intelligence

Hackers believed to be working for Western intelligence agencies “broke into Russian internet search company Yandex from October to November 2018,” deploying a malware variant called Regin that is “known to be used by the ‘Five Eyes’ intelligence-sharing alliance of the United States, Britain, Australia, New Zealand and Canada.” Yandex, which has long since expanded beyond a search engine and now has footholds in industries from ridesharing to e-commerce, is Russia’s largest tech company. It is unclear where the attack originated. 

Cats, once out of bags, are hard to put back in. The loss (or in this case revelation) of USG CNA/E tools isn’t just a security failure and technical loss, it is a political boon to our adversaries, who can blame us for being their own ‘APT’ even if we didn’t pull the trigger. Having said that, it is also a convenient cover for actual intelligence work because the use of the excuse of ‘it wasn’t me’ works both ways. Not having first-hand knowledge of operations, who is to say, but in the wild, wild west of cyberspace, nearly anything is possible.

 

NASA hackers used cheap Raspberry Pi computer in lab cyber attack, auditors say

NASA’s Jet Propulsion Laboratory was the victim of a cyber attack last year — with hackers managing to steal about 500 megabytes of data. In April 2018, someone using a Raspberry Pi gained unauthorized access to the JPL network. The attacker gained access to a user’s account and took advantage of weaknesses in the lab’s shared IT environment to expand their access and move across the network. The attacker remained undetected in the JPL network for 10 months and made off with about 23 files. Two of the files obtained in the attack contained International Traffic in Arms Regulations information related to the Mars Science Laboratory Mission.

The only thing more reliable than the sun coming up in the east is NASA getting pwnd. I think we get at least a story a year since the late 90s. As a scientific entity its predisposed to be open with information, but given the practical role it plays, one would think that some effort to adhere to basic infosec principles would have taken hold by now. Knowing what you have – or what’s using your bandwidth – is a core tenet of security, but one apparently lost on JPL administrators. Lesson learned? Probably not. 

 

Broadcom in Talks to Acquire Symantec in $15 Billion Deal: Reports

Chipmaker Broadcom is in advanced talks to acquire cybersecurity giant Symantec in a deal that could exceed $15 billion, according to several news outlets. If the Broadcom acquisition of Symantec is confirmed, it would be the second time a chip giant acquires a major cybersecurity firm. Intel acquired McAfee in 2010 for $7.68 billion and later renamed it Intel Security. In 2016, however, McAfee once again became an independent company after a sale to TPG that valued it at $4.2 billion.

Security on a chip coming soon? If you cannot innovate in your own wheelhouse (traditional AV getting its lunch taken by EDR vendors for the last several years), it’s unlikely that you’ll be able to make the necessary changes and progress going down the hardware stack. Stranger things have happened though, but the red-headed step-child that is McAfee is probably a good indicator of what is to come. 

 

FDA Warns of Potentially Fatal Flaws in Medtronic Insulin Pumps

The FDA sent out an urgent advisory warning of serious flaws in Medtronic’s insulin pumps, which are used by thousands across the U.S. Specifically impacted are Medtronic’s MiniMed insulin pumps, the MiniMed 508 insulin pump and MiniMed Paradigm series insulin pumps. Up to 4,000 patients in the U.S. have been identified using vulnerable insulin pumps – Medtronic, which has issued a recall for the products, is still working to identify more users. According to the FDA’s  Thursday warning, the security flaw could enable a bad actor to connect wirelessly to a MiniMed insulin pump and change the pump’s settings, allowing them to either deliver too much insulin, or not enough – with potentially fatal results for patients. No fix or update for the impacted products exists.

The cure worse than the disease? Implantables are the ultimate in functional devices demanded by consumers, but no one has ever asked for a functional and secure device. In large part because they probably had other things on their mind, movie plot threats aren’t on their agenda, and no one ever told them such a device was possible. ‘Why have we not seen more medical device hacks if its so easy,’ you ask? My theory is that its one thing to make off with someone’s virtual identity; it’s another to take their life. As our population ages this is going to be a much larger problem than it is today, but the risk of widespread exploitation is unlikely change.

Amazon Admits Alexa Voice Recordings Saved Indefinitely

Amazon’s acknowledgment that it saves Alexa voice recordings – even sometimes after consumers manually delete their interaction history – has thrust voice assistant privacy policies into the spotlight once again. Amazon has acknowledged that it retains the voice recordings and transcripts of customers’ interactions with its Alexa voice assistant indefinitely. The admission raises questions about how long companies should be able to save highly-personal data collected from voice assistant devices.

Your regular reminder that, more often than not, you’re the product.

 

Americans Want to Protect Their Information, but Don’t Know How: Survey

Americans are keen on security, but do not necessarily understand it. This is the conclusion of a new survey of 1,300 Americans undertaken by YouGov, which basically suggests that attitudes towards cybersecurity exceed actions taken to ensure cybersecurity. The survey shows that 66% of Americans believe they are doing everything possible to remain secure — yet only 27% attempt to verify the identity of an unknown sender when receiving an email. Sixty-two percent of Americans believe they should be responsible for the security of their data, while only 24% run a computer scan after interacting with a link they subsequently believe to be malicious.

What we have here is…failure to communicate. Cybersecurity experts don’t make this an easy topic to understand. It is a field that is both a mile wide and in each sub-discipline, a mile deep. No one knows it all, but everyone has very strong opinions, which the uninitiated are unable to parse and evaluate. When thinking about how to address a security problem, I challenge you to contemplate if it is more of a people problem than a technical one. 

 

Michael Tanji

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.