Pulitzer-winning journalist and web producer Byron V. Acohido is the founder and executive editor of Last Watchdog, a pioneering security webzine. LW delivers analysis, news videos and guest essays of and for the global cybersecurity community. The content you will find here is uniformly comprehensive, balanced, accurate and fair.
On Friday, Oct. 12, the Pentagon disclosed that intruders breached Defense Department travel records and compromised the personal information and credit card data of U.S. military and civilian personnel.
The Associated Press, quoting a U.S. official familiar with the matter, reported that the breach could have happened months ago, but was only recently discovered. At this juncture, as many as 30,000 federal employees are known to have been victimized, but that number may grow as the investigation continues.
The Pentagon has since issued a statement conceding that a department cyber team informed leaders about the breach on Oct. 4. Pentagon spokesman Lt. Col. Joseph Buccino now says that DoD continues to gather information on the size and scope of the hack, and is attempting to identify the culprits.
It does appear that this is another example of attacks successfully penetrating a weak supply chain link, underscoring the importance of addressing third-party risks.
Buccino disclosed that authorities are examining a “breach of a single commercial vendor that provided service to a very small percentage of the total population” of Defense Department personnel.
The sad truth is that many of the affected individuals in the DoD breach had been victimized in other large and small-scale breaches over the past few years, including 2015’s Office of Personnel Management catastrophe.
You’ll recall that in the OPM breach, the cyber intruders stole a staggering amount of highly sensitive information – deep personnel records for 21.5 million federal employees and contractors. In that caper, criminals got away with Social Security numbers, passwords, and in some cases, fingerprints. The OPM breach put most federal workers since the year 2000 at risk.
Then in August 2017, the FBI arrested a Chinese national suspected of helping to create the malware used in the OPM breach. It will be interesting to see if there is a nation-state tie-in to this latest attack.
It’s not as if big government agencies and most enterprises aren’t making an effort to stop breaches. After all, Gartner forecasts worldwide information security spending will top $124 billion in 2019.
Yet, despite this expenditure of resources and good intentions, the treasure trove of personally identifiable data on the Dark Web just continues to grow, enabling fraudsters to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information.
For example, the personal and credit card information obtained in the DoD breach could be cross-referenced with data obtained from the OPM breach and other widely publicized private sector breaches.
Cyberattacks will continue, and it is imperative that public and private sector organizations not only deploy the latest authentication and risk-based fraud detection technologies in their own environments, but also make sure that all third-party partners have equivalent cybersecurity measures in place.
About the essayist: Michael Magrath is Director, Global Regulations & Standards, OneSpan, Inc.
(Editor’s note: LW has supplied consulting services to OneSpan.)
In today’s geopolitical terrain, nation-state backed cyber criminals are widening their targets and starting to zero in on their adversaries’ business and industrial sectors, using more and more sophisticated weaponry to do so.
With the bulls-eye on a country’s financial Achilles heel, state-sponsored attackers are sowing chaos, disruption and fear. And the risks are multiplying as more digital devices become connected in insufficiently secured environments.
The technology used to monitor and manage many existing industrial control systems’ (ICS) embedded devices, like pumps, valves and turbines, is ancient by today’s standards. And until recently, security surrounding operational technology (OT) – the networks that run production operations – has been siloed, or air-gapped, from information technology (IT) operations, which work in the corporate space. Isolating OT operations from public networks like the internet had once been considered best practice.
Dismantling the silos
But Gartner and others now recommend merging OT and IT security. Convergence of the two in the industrial internet of things (IIoT) makes for better communication and access to online data and processes, but it also flings the door wide open for nefarious activity by cyber criminals. Espionage scenarios that once were the basis of movies and novels now have become real-life exploits.
I talked to Phil Neray, vice president of industrial security at CyberX, a company founded in 2013 that operates a platform for real-time security of the industrial internet.
Read on to learn what Neray has to say about industrial security, then hear a more in-depth discussion on the subject on the accompanying podcast:
As organizations digitize their operations and add more sensors and other devices to the production environment, they increase their real-time intelligence and efficiency. With more connectivity between OT and IT the attack surface is broadened.
And by compromising activities on the IT side, stealing credentials, deploying phishing emails, and infecting websites with drive-by malware, criminals can infiltrate the OT network.
At the operational level, critical industrial sectors depend on technology developed 10 to 15 years ago that isn’t regularly patched. “It’s time to upgrade security to a modern, multi-layered approach and realize that firewalls are no longer sufficient,” Neray says.
Expensive collateral damage
Cyber warfare is a piercing, straight-shooting arrow in an attacker’s quiver. Countries with limited military might and financial resources can create a more level battleground for themselves by engaging in cyber battles.
Russia, North Korea and Iran have employed sophisticated, well-trained soldiers on these frontlines in recent times.
Damage to a nation’s critical infrastructure networks, including pharmaceutical companies, logistics firms, food production, energy or petrochemical plants, can impose massive environmental, financial and psychological damage. The attackers’ intent is to disrupt society and establish power.
Fancy Bear, a Russian cyber espionage group serving political interests, has used spear phishing, malware and zero-day attacks to advance its agenda, including election manipulation.
NotPetya, considered one of the most destructive cyber attacks, completely destroyed global shipping company Maersk’s computer network in 2017. The company’s IT team got the network back online in a record 10 days, but the attack cost Maersk between $250 million and $300 million. These sorts of strikes impose collateral damage as the effects of one attack trickle down to third-party businesses and operations.
What’s to be done? In the face of these widening threats, cyber targets must not stand pat. Neray lays out the complex challenge:
“At a policy level, the United States must be much more vocal and let Russia know it’s not okay to attack civilian infrastructure. Diplomacy and other tools like sanctions must be used, but policies are in disarray right now.
“On the one hand, we have extreme and warranted concerns about state-sponsored threats to our elections and critical infrastructures. On the other hand, the only actions we can take are sanctions against firms and individuals such as those announced last month by the Treasury Department against alleged Russian actors.
“The fundamental economy is ‘you can’t make a state responsible for the actions of its citizens, but at the same time it’s so easy for a state to hide its own actions against individuals and firms.’ How do you set effective policies under those conditions?”
Being vigilant and proactive
Organizations and industries don’t have to remain sitting ducks. Instead of jumping into recovery mode following an attack, they can be vigilant and set up safeguards ahead of time, including:
• Good security audits. “Most organizations don’t know what security they have because devices have been added in an ad hoc way over time,” Neray says. Often they’ve been “tracked manually, in a spreadsheet, or the authors are unknown.” Knowing what’s in place is the first step.
• Managing vulnerabilities. Devices are hardly ever patched, plus they often have other vulnerabilities, like only being protected by plain text passwords. Recognizing security shortcomings and prioritizing remediation is critical.
• Continuous monitoring. Putting in place continuous monitoring with behavior and anomaly detection allows an organization to know if an attacker is in the network, even in the earliest phases. Security operations teams are alerted about any unusual activity and can track down and mitigate the threat.
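The three safeguards above, reduced to working code: an added example, not CyberX’s product or code. It learns an asset inventory and a communication baseline from a constructed set of known-good OT flow records (the host addresses, ports and device names are invented), then reports unknown assets, never-before-seen communication pairs, and use of cleartext management protocols on new traffic.

```python
"""Baseline-and-deviate monitoring for an OT network segment.

Constructed, illustrative example: the flow records, addresses and device
names below are made up and do not describe any real plant.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Known-good traffic captured during a learning period: an HMI polling two
# PLCs over Modbus/TCP and an engineering workstation writing to a historian.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.21", 502, "tcp"),   # HMI -> PLC-1 (Modbus)
    Flow("10.10.1.10", "10.10.1.22", 502, "tcp"),   # HMI -> PLC-2 (Modbus)
    Flow("10.10.1.50", "10.10.1.60", 1433, "tcp"),  # ENG-WS -> historian DB
]

# The inventory a security audit produced; any other host is "unknown" and
# is exactly the ad hoc, spreadsheet-tracked device the text warns about.
KNOWN_ASSETS = {
    "10.10.1.10": "HMI",
    "10.10.1.21": "PLC-1",
    "10.10.1.22": "PLC-2",
    "10.10.1.50": "ENG-WS",
    "10.10.1.60": "HISTORIAN",
}

# Management protocols that carry passwords in plain text. Seeing one is a
# vulnerability-management finding to prioritize, not proof of an intrusion.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def build_baseline(flows):
    """Return the set of (src, dst, dport) triples seen during learning."""
    return {(f.src, f.dst, f.dport) for f in flows}


def analyze(flow, baseline, assets):
    """Return a list of (severity, message) findings for one observed flow."""
    findings = []
    # 1. Audit: is every endpoint a device we know about?
    for host in (flow.src, flow.dst):
        if host not in assets:
            findings.append(("high", f"unknown asset {host} (not in inventory)"))
    # 2. Vulnerability management: cleartext credentials on the wire?
    if flow.dport in CLEARTEXT_PORTS:
        proto = CLEARTEXT_PORTS[flow.dport]
        findings.append(("medium", f"{proto} to {flow.dst} carries credentials in cleartext"))
    # 3. Anomaly detection: a conversation the baseline never contained?
    if (flow.src, flow.dst, flow.dport) not in baseline:
        findings.append(("medium", f"new communication {flow.src} -> {flow.dst}:{flow.dport} not in baseline"))
    return findings


def monitor(flows, baseline, assets):
    """Analyze a batch of flows; return {flow: findings} for flows with any finding."""
    report = {}
    for f in flows:
        found = analyze(f, baseline, assets)
        if found:
            report[f] = found
    return report


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    # Constructed "live" traffic: one normal poll, one rogue host, one telnet session.
    live = [
        Flow("10.10.1.10", "10.10.1.21", 502, "tcp"),
        Flow("10.10.1.99", "10.10.1.21", 502, "tcp"),
        Flow("10.10.1.50", "10.10.1.22", 23, "tcp"),
    ]
    for flow, findings in monitor(live, baseline, KNOWN_ASSETS).items():
        for severity, message in findings:
            print(f"[{severity}] {flow.src} -> {flow.dst}:{flow.dport}: {message}")
```

The baseline must be learned from a period the plant trusts; a device that was already compromised when learning ran will be baselined as normal, which is why the audit step comes first.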
As attackers become emboldened, U.S. companies and infrastructure are more at peril. It’s unknown how far nation-states will gamble on digital intimidation in the face of military retaliation.
But despite the grim circumstances, there are bright spots emerging. There is more regulatory movement afoot. The EU passed the network and information systems (NIS) directive, which specifically applies to critical infrastructure systems. It includes American companies with global operations in Europe. Noncompliance carries hefty penalties, with fines of as much as $20 million.
Management and boards of directors also are becoming more knowledgeable of cyber risks and are assigning resources to the problem.
So while the political impetus to step up U.S. industrial control security currently may be lacking, industries must continue to increase self-regulation to protect their bottom line and the nation as a whole.
Last Watchdog’s Denise Szott contributed to this report.
(Editor’s note: LW has supplied consulting services to CyberX.)
Remember how we communicated and formed our world views before Facebook, Twitter, Instagram, Reddit, CNN and Fox News?
We met for lunch, spoke on the phone and wrote letters. We got informed, factually, by trusted, honorable sources. Remember Walter Cronkite?
Today we’re bombarded by cable news and social media. And Uncle Walt has been replaced by our ‘friend circles.’
This is well-understood by those with malicious intent and hacking capabilities. And this is why they’ve adopted social media as the go-to platform for spreading malware and propaganda.
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, has been studying this development closely. I spoke with Hahad at Black Hat USA 2018. Give a listen to our full conversation on the accompanying podcast. Here are a few takeaways:
Faked social media
It’s human nature to trust people a little more who are in your circle of friends. We’re wired to relax our judgment and click more quickly on items sent by someone we’re familiar with, be it an image, a document, a video clip or a webpage link.
It goes further than that, Hahad argues. He contends that a lot of us tend to more quickly believe the information shared by our circle of friends, and that we often fail to verify and think critically. And this is exactly what Hahad and his team of security analysts observed during the 2016 elections.
“The most publicly visible aspect is swaying voter opinion on certain questions,” he explains. “That has been happening through the fake accounts we know of, through a lot of the fake websites that have been specifically put up to promote certain views, and some of that was to mostly sway discourse.”
The second aspect was less publicized, but it is a technique regularly used in the past to compromise users and businesses. The bad actors went phishing to gain access to candidates’ inner circles, as in the DNC hack. It’s all about gaining insider intelligence and control of devices and networks, and then using that against the candidate – now or later.
The evidence is deep and clear that the 2018 elections are under attack, as hackers have attempted to break into voter databases and compromise voting software and machines.
“What has been real captivating recently is the attacks coming from random people that you may not know within your circle of friends,” he told me. “It has become a ‘let me compromise a first layer of friends and then use their account to send you the true malware and links that I want you to click on.’”
Big distinctions are emerging when comparing 2018 election tampering to 2016. This time around Facebook, Twitter, Google, Reddit, Instagram and other media sites profess to be prepared to deal with threat actors spreading disinformation.
Indeed, the social media companies are in good position to monitor for activity distributed by the Russian botnets that were so prevalent in spreading false and divisive memes in the 2016 election. And they have the technical chops to keep the Russian propaganda botnets in check.
However, a new variable is in play this time around. This is a midterm election, with no national presidential race. Disinformation campaigns – and any election tampering — will be carried out state by state and county by county.
Dishonorable actors by necessity must localize their attacks. Accordingly, Hahad expects smaller-scale attacks targeting specific locations and candidates. Collectively, these attacks could turn out to be just as effective at this local scale as the nationwide attacks were in swaying the 2016 presidential elections.
Smaller, localized attacks will be much more difficult for the social media giants to detect and deter.
“The signal is getting lost in the noise,” says Hahad. “It is important for the platforms deploying the analytics to try and focus on some of the areas, some of the demographics that really matter, and apply techniques on a smaller scale.”
This is stacking up to be an enormous challenge for Twitter, Facebook, Google et al. Hahad argues that the burden lies squarely with the social media platform providers to step up and do all that they can to remove the shroud of an overtly manipulated election.
Yet there is nothing, really, to compel them to act honorably and for the greater good of the country. Our one hope is that the powers that be at Twitter, Facebook, Google et al. will recognize the value of preserving the democratic principles and institutions that made their existence possible – and can assure their futures.
Last Watchdog’s Sue Poremba contributed to this report.
(Editor’s note: LW has provided consulting services to Juniper Networks)
The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better — are failing to adequately lock down their privileged accounts.
An excerpt from Reddit’s mea culpa says it all: “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.
But here’s the rub: Reddit overlooked the fact that SMS 2FA systems are useful only up to a point. It turns out they can be subverted with just a modicum of effort. SIM card hijacking, for instance, is a scam in which a threat actor persuades the phone company to divert data to a new address. And then there’s SS7 hacking, which leverages known flaws in the global SMS infrastructure to intercept data in transit — including passcodes.
In fact, SMS attacks are being refined and improved daily. This is because they are useful in targeting big companies. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed huge data compromises of similar scale and methodology. And just last week, online retailer Newegg was hit by the same gang that nicked British Airways.
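What the move from SMS codes to token-based 2FA that Reddit recommends looks like in code, as an added example that is neither Reddit’s nor Bomgar’s: a minimal HOTP/TOTP implementation (RFC 4226 / RFC 6238) plus the server-side check. The shared secret lives only on the server and in the user’s authenticator, so no code travels over the phone network where SIM hijacking or SS7 interception can reach it. The secret used below is the published RFC reference value, chosen so the results can be checked against the RFC test vectors; a real deployment generates a random per-user secret.

```python
"""Token-based one-time passwords: HOTP (RFC 4226) and TOTP (RFC 6238).

Added illustration. The 20-byte secret is the RFC reference secret, used
only because its test vectors are public; never reuse it in production.
"""
import hashlib
import hmac
import struct

TEST_SECRET = b"12345678901234567890"  # RFC 4226/6238 reference secret (SHA-1 variant)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server-side verifier with a +/-1 step drift window and replay rejection.

    A code is accepted at most once: once a time step has been consumed, that
    step and every earlier one are refused, so an intercepted or shoulder-surfed
    code cannot be submitted a second time.
    """

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, submitted, unix_time):
        """Return True (and consume the step) if `submitted` matches an allowed step."""
        current = int(unix_time) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than one already used: treat as replay
            expected = f"{hotp(self.secret, candidate, self.digits):0{self.digits}d}"
            # Constant-time comparison so response timing does not reveal matching digits.
            if hmac.compare_digest(expected, str(submitted)):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: at T=59 the 8-digit SHA-1 TOTP is 94287082.
    print(f"{totp(TEST_SECRET, 59, digits=8):08d}")
    v = TotpVerifier(TEST_SECRET)
    print(v.verify("287082", 59))   # first use of the step-1 code: accepted
    print(v.verify("287082", 59))   # same code again: rejected as a replay
```

The window of one step on either side tolerates a phone clock that is up to 30 seconds off; widening it trades convenience against the number of codes an attacker could guess per attempt, so pair it with rate limiting.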
To get some wider context, I interviewed Tal Guest, Principal Product Manager at Bomgar, an Atlanta-based supplier of identity and access management systems. We spoke at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length:
LW: Can reliance on SMS two-factor authentication give companies a false sense of security?
Guest: There still are risks. Studies have come out showing that SMS is not the best method for two factor, from a security standpoint. There are different attacks, specific to SMS, that make it easy to get the pass code.
That’s what happened here. The attackers were able to use one of those methods of getting access to their text messages. They were able to authenticate themselves and get into Reddit’s environment.
LW: Why have privileged accounts become so heavily targeted?
Guest: Privileged credentials are the way to get access to sensitive data. These attackers are using automated ways of going in and trying to infiltrate your network using a brute force attack, or a rainbow table attack, or just buying credentials off of the Dark Web.
And then once they get that foothold, the next step is to be able to move laterally. And the way you do that is with privileged credentials; you need some additional authentication in order to maneuver around the network.
LW: So threat actors are looking for that access path?
Guest: Absolutely. Everything today has a privileged account. It’s critical for companies to have visibility into these accounts, know what they are and how to find them. And it is important to then come up with a strategy to remediate breaches when they happen, and minimize your losses.
LW: Are companies paying enough attention to this?
Guest: They’ve come to the realization that they don’t really have a good grasp of where all these privileged credentials are, who has access to them and what kind of policy may be governing them.
We see organizations that are struggling to figure out how to gain that visibility; and for the organizations that do have that visibility, they’re struggling with how to manage all of this.
LW: So is it a matter of imposing the correct policies?
Guest: Well, first of all, it is actually knowing what it is that you’re trying to put a policy around. And then how do you execute on that policy. Is it just a business rule that you put in place? Or do you actually have technical controls and software that helps you accomplish the task of enforcing your policies?
LW: How do you avoid slowing down productivity?
Guest: There’s always a constant struggle to balance productivity with security. You’ve got a business to run. You’ve got customers to support, and products to get out. Automation can be a key to balancing that. A manual process is not going to keep up with the speed of business needs.
(Editor’s note: Last Watchdog has supplied consulting services to Bomgar.)
In March 2018, the city of Atlanta fell victim to a ransomware attack that shut down its computer network. City agencies were unable to collect payment. Police departments had to handwrite reports. Years of data disappeared.
The attack also brought cybersecurity to the local level. It’s easy to think of it as a problem the federal government must address or something that enterprises deal with, but cybersecurity has to be addressed closer to home, as well.
I spoke to A.N. Ananth, CEO of EventTracker, a Netsurion company, about this at Black Hat USA 2018. His company supplies a co-managed SIEM service to mid-sized and large enterprises, including local government agencies.
EventTracker has a bird’s eye view; its unified security information and event management (SIEM) platform includes behavior analytics, threat detection and response, honeynet deception, intrusion detection and vulnerability assessment, all of which are coupled with its SOC for a co-managed solution. For a drill down on our discussion, give the accompanying podcast a listen. Here are key takeaways:
Security of local and state government agencies takes on a higher level of urgency as we get closer to the midterm elections.
“State and local governments are not immune to the digital transformation so their dependence on IT is as high as it’s ever been,” says Ananth. “Consequently, the security of these kinds of systems has become paramount.”
If all politics are local, elections are even more so. According to the National Conference of State Legislatures, security for elections is in the hands of local election administrators, overseen by the state’s chief election official, but protection has been lacking.
During 2016, 39 states were hacked. At least one state saw an attempt to delete voter rolls; other states discovered their election websites were hacked. How well are state and local governments equipped to handle the huge security responsibilities, not only with elections but throughout their agency infrastructure?
Let’s look at what happened in Atlanta again. As Ananth explained, the city did two things right: they had cyber insurance and they didn’t pay the ransom. However, he adds, the attack “has cost upwards of $19-20 million and untold amounts of misery in restoring the digital systems and services for the citizens, and frankly, this was a very small attack in the grand scheme of things.”
State and local governments are easy targets for cybercriminals because, while their operations have been computerized, their security has not kept pace. This makes government networks even more vulnerable, and hackers see them as a gold mine.
“Attackers are profit minded,” says Ananth. “They are going to attack wherever they can because they can make a buck off it. If they can do that by stealing personally identifiable information or any of the other valuable things from a government institution, whether it’s a library or a court system, they’ll do just that.”
Every type of attack on a government entity will have an impact, of course, but with the midterm election looming, there is a lot of concern about whether or not local and state governments will be able to prevent election tampering. Officials know this is an issue, Ananth says, but directives are vague. While there are some clear security steps to follow, there are also a lot of generic platitudes – be safe, be right – that are very hard to follow. “There’s a degree of bewilderment on the part of those tasked with this,” he says.
But there is also a sense of determination to not let hackers mess with our elections. No one wants to see the elections hacked, so they are determined to make sure it doesn’t happen. Except, asks Ananth, what specifically can be done to prevent a possible hack? There doesn’t seem to be a solid answer for that.
And then there is the issue of money. Who will cover the cost of securing an election? Will there be federal funding, will states pick up the bill or will costs trickle down to individual communities?
Finally, state and local governments don’t have the resources the federal government does. The FBI and intelligence agencies have capabilities to determine who the bad actors are, what they are doing and how to retaliate. It’s an authority that states don’t have.
For security vendors, Ananth says, securing election systems isn’t overly complicated. Election systems are composed of the same components as any other system, and there is nothing specific that needs to be added to protect them. What’s lacking, he says, is the connection between the people who are tasked to secure the system and the people who actually know how to do it. Government procurement rules make it difficult for those who know to get involved.
“Vendors are citizens just like anyone else,” he says, “and they’d be very interested to participate if they are given the chance.”
Last Watchdog’s Sue Poremba contributed to this article.
(Editor’s note: LW has supplied consulting services to EventTracker.)
Makes sense, though. Digital media and entertainment giants like Netflix, Amazon, Hulu, HBO, ESPN, Sony, and Disney are obsessive about protecting their turf. These Tinsel Town powerhouses retain armies of investigators and lawyers engaged in a never-ending war to keep piracy and subscription fraud in check.
And over the years they’ve also financed security breakthroughs – at the source-code level. These breakthroughs have not received much mainstream attention, but they have proven wickedly effective at tracking digital assets and preserving digital rights.
I recently had the chance to meet with Mark Hearn and John O’Connor, of Irdeto, a 50-year-old software security and media technology company based in Amsterdam that has been a leading supplier of source code tracking and fingerprinting systems for big media companies.
We met at Black Hat USA 2018, where Hearn and O’Connor came bearing a message about how these technologies, so heavily relied on by Hollywood, could play a starring role in shoring up the foundational layers of digital transformation — at the source code level.
Irdeto’s suite of products helps set-top box manufacturers protect high-value content; its technology also is used by live sports broadcasters to deter hackers from siphoning off pay-for-view sporting events.
Irdeto’s Cloakware technology is a key component of these products. Cloakware does its work at the source-code level, through mechanisms only a hardcore programmer would comprehend.
Here’s how Hearn described it for me: “Cloakware is a collection of techniques that make reverse engineering and tampering very, very difficult. The source code that contains critical algorithms is mathematically transformed at the compile stage . . . ultimately, what we do is make it very expensive for a hacker to be able to get in and figure out the source code.”
Of course pirating still happens. But Hollywood has shelled out many millions to support the advance of source-code security. The result: pirating, overall, has been driven down to a level that’s an acceptable cost of doing business.
“The beauty of Cloakware technology is that it is security that is built directly into the original source code,” Hearn told me. “So it is intertwined and incredibly difficult for anyone to try to pull it apart without actually breaking it.”
So how does this translate to other business verticals? Hearn pointed to the scenario of a small startup striving to build a business around a patentable software asset.
“Maybe he’s gotten some VC funding, but his whole livelihood depends on that patented algorithm remaining secure,” Hearn said. “We would actually integrate Cloakware into his source code and keep his idea safe from anyone else who might want to steal it.”
Another example Hearn cited was a company that deploys a unique version of an expensive industrial control system to several different factories. “That core software that runs in the factory would be something that we would keep someone from being able to steal,” he said.
In a business environment where DevOps, cloud computing and IoT services are proliferating, the notion of scrambling source code for every system, even every computing device tied into a network, is intriguing.
I asked O’Connor about this. He told me Irdeto is anticipating this shift and taking steps to capitalize; for instance, it recently upgraded Cloakware to work in several additional computing languages.
Here’s O’Connor’s take: “What we’ve really got here is an advanced way to protect critical business assets against reverse engineering . . . If you boil everything down, developers are building software applications and they need protections to stop people from tampering with their software, from inserting malware into the software, and from stealing intellectual property from that software.”
Baking in security
Hearn sees it this way: “Think about where some of the different IoT technologies are taking us. We are connecting a lot of our ecosystems that previously were protected because they were air-gapped from each other. But now we have IoT devices connecting into these ecosystems. And we have microservices that are being offered in an IoT platform. All of these different source codes are now reaching in and out of networks and ecosystems that were never meant to be connected.”
Irdeto and other suppliers of source code centric security systems are doing their part to improve delivery of source-code security technologies and tune them for wide, general use.
Hearn gave me a couple more scenarios: “It’s possible to cloak the source code you use to manage the cryptographic keys that connect up to the IoT cloud. Or you could cloak the source code of the computing device that a maintenance person uses to enter a smart building. This would help you make sure that the source code doesn’t become an attack point that lets someone get inside and provision a factory.”
It will be fascinating to see how quickly and pervasively source code security catches on, beyond Hollywood. This appears to be a promising approach. It holds potential for baking in security at a foundational level.
(Editor’s note: Last Watchdog has supplied consulting services to Irdeto)