
Cyber Threat Analysis Report Volume 1, Edition 4

NIST’s Ron Ross on the state of cyber: ’We literally are hemorrhaging critical information’

After Chinese hackers infiltrated a Navy subcontractor’s computer network and stole a trove of highly sensitive data on submarine warfare, it spurred the government to revise the standards that contractors must follow to ensure government data is properly protected. What the hackers took was “the equivalent of the stealth technology for the Air Force,” said Ron Ross, a fellow at the National Institute of Standards and Technology who focuses on computer security. “We literally are hemorrhaging critical information about key programs.”

Better security for thee… For an industry that prides itself on the contributions it makes to national security and defense, the companies that make up the DIB have always been fairly resistant to improving their own security postures, the people they employ at corporate, as well as the products they make. Yes, when your margins are in the single digits the idea of spending money on anything is hard to swallow, but if you don’t spend it on better security – in this line of business – what’s the point? Are you in it to see us win it, or are you a war profiteer?

 

UK cyber security officials report Huawei’s security practices are a mess

As Huawei makes its bid to roll out 5G, a UK government oversight board is not exactly thrilled with the company’s security practices—or how it makes software. In November of 2010, Huawei entered into an agreement with the government of the UK to allow extensive security reviews of Huawei’s hardware and software. In a report the HCSEC Oversight Board warned that Huawei had failed to make long-promised changes to its software development and engineering practices needed to improve security. In addition, audits and reviews by the HCSEC had found “further significant technical issues in Huawei’s engineering practices.”

You can’t trust anyone these days. The US is right to view Huawei technology with a jaundiced eye, but by the same token we can’t fault other countries for wanting a good deal (see Germany). Yet in this age of concern over supply chains, it’s important to note that just about no one makes networking gear in the US of A, and the demand for the ability to quickly scan even ‘safe’ gear for mods and implants at scale is at an all-time high.

 

Norsk Hydro cyber attack: What’s new?

Norwegian aluminum producer Norsk Hydro ASA was hit by ransomware-wielding attackers. The company lost no time in reacting and responding to the attack – they notified the authorities, called in experts to help, and (very laudably) committed to keeping the public informed.

$40M. That’s the current total bill for cleaning up this particular mess. That’s probably close to several orders of magnitude more expensive than a sound back-up scheme would have been. Your regular reminder that ransoms are expensive lessons, but they’re cheaper than self-righteousness.

 

Jared Kushner’s use of WhatsApp raises concerns among cybersecurity experts

Jared Kushner’s unusual decision to use WhatsApp to communicate with foreign leaders and conduct government business has raised concerns among cybersecurity experts that highly sensitive government communications could be at risk of exploitation by foreign governments and hackers.

Or just the company itself. Or maybe a side deal the company did with someone else you don’t even know about. Echelons-above have always been allowed to operate under different rules and while abhorrent to our ilk, this is no different. Think about the last time you tried to argue for a more secure posture that was overruled by a ‘business decision’ or someone ‘accepting the risk.’ That, only by people who have no intention of taking the fall for something going sideways. If we can’t stop DCIs from playing fast and loose with IT, I’m not sure why we’re fretting about the Dauphin-in-law.

 

Facebook Succeeded In Killing Cybersecurity Like It Did Privacy

One of Facebook’s most notable successes over the past decade and a half is the way in which it has so completely upended how we see privacy. Today a quarter of the earth’s population hands their most intimate details over in real time to a private company to commercialize. Most importantly, those two billion users no longer care when that company shares their data with myriad companies all over the world to misuse or when it loses their data through breach after breach after breach after breach. It seems that like privacy, Facebook has taught the world to no longer care about cybersecurity.

Cybersecurity is not the issue we (as practitioners) think it is. When there is no clear and obvious risk to the user, who in their right mind would take action as radical as leaving a social media platform (or shopping at Target, or Home Depot, etc.)? When the measure of corporate success (financials) isn’t impacted for more than a quarter (often less), who in their right mind allocates more resources to a cost center? When neither ‘the greatest transfer of wealth in history’ nor the next ‘biggest breach ever’ can spur congressional or presidential action, who in their right mind is concerned about government overreach? There is an argument to be made: we might be secure enough. Society is OK with the status quo, and the associated costs, and we work against that tide at the cost of our mental and emotional health.

 

Stop Ignoring Those ‘Update Your Device’ Messages

This week, internet security researchers woke up to disturbing news. An attacker had installed malware on as many as half a million Asus-brand computers running the Windows operating system. What made this story notable was how it was accomplished: the attacker compromised the Asus servers used to send periodic operating system and security updates to customers. In other words, as far as the customer could tell, the malicious software came directly from the manufacturer, complete with its digital stamp of approval.

Now is the time to panic. At least that’s what a lot of ‘experts’ effectively said to varying degrees. Lord save us all from the tyranny of edge cases. Updating your OS or installed software when you get an update/patch notice is one of the easiest and most effective defenses you have against known problems. The 10 minutes of inconvenience could literally save you millions. Yes, most everything is crap, but it’s crap that works the vast majority of the time.

 

The US Military Is Creating the Future of Employee Monitoring

The U.S. military has the hardest job in human resources: evaluating hundreds of thousands of people for their ability to protect the nation’s secrets. Central to that task is a question at the heart of all labor relations: how do you know when to extend trust or take it away? The DSS believes artificial intelligence and machine learning can help. The goal is not just to detect employees who have betrayed their trust, but to predict which ones might — allowing problems to be resolved with calm conversation rather than punishment.

There is an old Army adage: if they’re not b****ing, something is wrong. The problem is not being able to detect discord or dissatisfaction – you don’t need AI for that – but effectively managing the people who feel that way. One need only look at the events leading up to actions like those taken by PFC Manning to realize that the subsequent breach was entirely preventable; the failing was in the chain of command. Training for supervisors on how to deal with this particular human factor is arguably a more powerful weapon against this particular threat, but it doesn’t have a correspondingly sexy buzzword.

 

Major U.S. Chemical Firms Hit by Cyberattack

Operations at two major US-based chemical companies, Hexion and Momentive, were disrupted recently by a cyberattack reportedly involving LockerGoga, the ransomware that recently hit Norwegian aluminum giant Norsk Hydro. Hexion and Momentive said they had been working on restoring networks and resuming normal operations after suffering “network security incidents” that prevented access to certain IT systems and data. They both claimed that their manufacturing systems are on different networks and continued to operate normally with limited interruptions — the attack appears to have mainly impacted “corporate functions.”

Movie plot threat? This sort of thing gets particularly scary when you realize how horribly things can go at a chemical plant. The separation of OT and IT networks in these cases – fairly standard practice – seems to have worked, but you don’t have to have much exposure to industrial environments to realize how loosey-goosey the demarcation between admin and ops networks can be, and that the ‘air gap’ industrial security people tout isn’t (not if you want that vendor SLA to hold up). Industrial environments are the last great bastion of ‘security by obscurity’ and we allow them to get away with it, literally at our peril.

 

The Anatomy of a Hack: Perception vs. Reality

The number of data breaches has skyrocketed in recent years. Contrary to popular belief and Hollywood story lines, cyber-attacks are rarely carried out by legions of highly sophisticated coders gone rogue, deploying the most advanced techniques to penetrate organizations’ perimeter defenses. Reality paints a very different picture: cyber adversaries are no longer hacking to carry out data breaches ― they’re simply logging in by exploiting weak, stolen, or otherwise compromised credentials.

If cybersecurity were that sexy, we’d all be better looking. Cybercrime is a business, and like any business, you spend as little money and energy as you can to get the biggest return you can. No one uses a powerful tool or exploit if they can get in an open door. It does not help that victims use words like ‘sophisticated’ (completely meaningless) and ‘nation-state’ (says who?) as a CYA tactic: can’t blame someone who gets beat by the MSS, SVR, or NSA, right?

 

Watchdog raises concerns over Duke’s request to recover $137M for cybersecurity upgrades

Consumer advocacy group Public Citizen filed a protest with the Federal Energy Regulatory Commission (FERC) on Tuesday over Duke Energy’s request to recover $137.4 million in capital investments from ratepayers for cybersecurity upgrades. The timing of Duke’s request has raised suspicions considering the North Carolina utility earlier this year received a $10 million fine from the North American Electric Reliability Corporation (NERC) for cybersecurity violations, the highest on record for a utility. The watchdog group also wants FERC to scrutinize these types of requests more skeptically, especially given Duke’s poor track record when it comes to the oversight of its cybersecurity initiatives, Slocum told Utility Dive.

Everyone wants better cybersecurity; nobody wants to pay for it. This is Duke’s responsibility, but customers are delusional if they think this was going to come out of hide. This is, in fact, the same model your bank, a retailer, or credit card company uses; you just don’t notice the $.0001 increase in prices and fees. Having said that, it sounds like at least some of those funds should go towards PMP classes, because if there is anything worse than no cybersecurity projects, it’s s****, poorly managed cybersecurity projects (also known as very expensive ways to introduce new and exciting vulnerabilities).

 

American Security Requires a Cyber-Savvy Congress

On March 13, Arkansas Sen. Tom Cotton and Oregon Sen. Ron Wyden submitted a bipartisan letter to the Senate sergeant-at-arms asking for an annual report tallying the number of times Senate computers have been hacked. Cotton and Wyden should be lauded for requesting greater clarity regarding government cybersecurity. Yet this important and reasonable petition reveals an unfortunate reality: We expect our lawmakers to enact policy protecting our nation from cyberattacks when they don’t even know whether their own computers have been hacked. For the sake of national security, this must change.

An admirable sentiment, but not one that is likely to lead to significant change in any meaningful time frame. The recent increase in elected officials who are veterans of our most recent wars is seen as a positive step for things-martial, but despite being in the third decade of the ‘information age’ we’re still looking at less than a literal handful of representatives or senators who have true expertise in things-cyber. A host of cyber-related bills over the past decade plus have gone nowhere. The fact that cyber hasn’t killed yet doesn’t help (in a twisted way); booms and blood are what rightfully get the priority when it comes to political action. History and human nature tell us that our elected representatives will bone up on these topics when the body count reaches unacceptable levels.

 

March Madness Scams Give Attackers Fast Break

Researchers have seen March Madness-related phishing scams, fake domains and adware spike as cybercriminals take a pass at tournament viewers. While security concerns regarding popular sporting events – from the World Cup to the Super Bowl – are nothing new, researchers say that cybercriminals are becoming ever trickier in avoiding detection. Making matters worse, because many March Madness games have tipped off during work hours, viewers have been streaming them during office hours – opening businesses to all kinds of risks should they click on the wrong link.

Deny espn.com at your company firewall. No? Well then consider this your regular reminder that the bad guys will use any and every trick to lure your people into complacency.

 

Half of All Attacks Aim at Supply Chain

Attackers these days want to ‘own’ your entire system, including partners and suppliers. Increasingly sophisticated attacks that target supply chains, counter-incident response and lateral movement within a network are quickly becoming the new normal in the corporate security threat landscape. “At this point, it’s become part and parcel of a cybercrime conspiracy. Using their victim’s brand against customers and partners of that company. They’re not just, say, invading your house — they’re setting up shop there, so they can invade your neighbors’ houses too.”

The answer is “zero trust.” The idea that the ‘castle’ metaphor for enterprise security is dead, and that in this borderless environment you should take no relationship for granted. Remember that Target was pwnd through a contractor. If I were targeting the JSF I’d go after all the third-tier, widget-making subs whose IT was set up by the owner’s nephew and whose trust relationships would take me all the way into Lockheed Martin. Such ‘vertical integration’ as it were is far more likely to produce dividends over the long haul.

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.