Pensacola under cyberattack. Notes on ransomware. The US Justice Department IG report on Crossfire Hurricane. Who let the bots out?
The city of Pensacola is hit hard by an unspecified cyberattack. Ryuk ransomware decryptors may cause data loss. A new variant of Snatch ransomware evades antivirus protection. The US Justice Department's Inspector General has reported on the FBI's Crossfire Hurricane investigation. Another unsecured database exposes PII. Keep an eye out for Patch Tuesday updates. And it's prediction season, so CyberScoop lets the bots out.

And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankara will host this event on Wednesday, March twenty-fifth, in Baltimore, Maryland, on the Johns Hopkins Homewood campus. You can find out more at isi.jhu.edu and click on Sixth Annual Cybersecurity Conference. It's for executives. Learn about the do's and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu; click on the Sixth Annual Cybersecurity Conference for Executives. And we thank Johns Hopkins University Information Security Institute for sponsoring our show.

Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment, and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December eleventh, two thousand nineteen.

The city of Pensacola, Florida, has disconnected most of its networks in response to a cyberattack that hit over the weekend. The attack began early Saturday, the Pensacola News Journal says, hours after a Saudi military pilot undergoing training at Pensacola Naval Air Station murdered three
US sailors and was subsequently shot by local police. The timing of the cyberattack raised speculation that it might be connected to the shooting, which, according to the New York Times, authorities are investigating as a possible terrorist incident, but so far no such links have been found. The motivation behind the cyberattack remains unclear. The city hasn't said, for example, whether it's received ransom demands. The city has said that no personal information appears to have been compromised, but the investigation is still young and still ongoing. Pensacola is working with the FBI on the case.

The decryption specialists at Emsisoft warned that the criminal-provided Ryuk ransomware decryptors may damage larger files. The decryptor truncates big files, and Emsisoft finds that this can result in unrecoverable data loss. Decrypt if you must, but better to restore from secure backups, and better yet to avoid infection in the first place.

While we're on the subject of ransomware, researchers at security firm SophosLabs report finding an evolved version of Snatch ransomware that avoids some antivirus protections by causing Windows to reboot in safe mode.

The US Justice Department late yesterday released its Inspector General's report on the FBI's 2016 Crossfire Hurricane investigation. Crossfire Hurricane was opened to look into allegations of Russian influence in President Trump's campaign. As the Washington Post summarizes the report, the IG found that the FBI had grounds to open an investigation, but that the investigation itself was marred by serious failures. Those failures are particularly evident, NBC News says, in the way the FBI obtained and used FISA warrants and in its handling and assessment of confidential human sources. Reading through the report, we see that the most prominent confidential human source mentioned, or CHS, as the IG teaches us to call all such persons, is Christopher Steele, the British national
who provided the kompromat of the Steele dossier to various parties, including opposition research shop Fusion GPS. The FBI cited information from Steele in its application for a FISA warrant to surveil Carter Page, then a foreign policy adviser to the Trump campaign. The process of obtaining a FISA warrant requires that the request be based on verified information. That verification, according to the IG, was less than fully successful. In one instance, for example, the Bureau submitted a Yahoo News article in verification of some of Steele's claims without noting that the article was based on information from Steele. With apologies to Ludwig Wittgenstein, this is a little like buying a second copy of a newspaper to confirm the stories you read in your first copy. The IG found that the process of securing the warrant was marred by serious performance failures by the supervisory and non-supervisory agents with responsibility over the FISA applications. Page, the IG report says, did indeed have contact with Russian intelligence officers, but he did so with the knowledge of an unnamed US agency he was providing information. That agency, Page has said, was the CIA.

In general, the report suggests that the inquiry was handled carelessly and under the spell of the sort of target fixation to which investigative agencies are frequently tempted. There's no finding of political bias in the Bureau, but those disposed to look for it will find, indeed have already found, plenty of circumstantial evidence of it, mostly surrounding eagerness to swallow the Steele dossier hook, line, and sinker. Those disposed to dismiss political bias are focusing on the IG's finding that the FBI had grounds to start an investigation. The FBI immediately accepted the report's recommendations and says it's moving to strengthen applicable procedures and oversight mechanisms.

Application security firm Veracode recently published the latest update to their State of Software
Security Report. Chris Wysopal is CTO and co-founder at Veracode, and he takes us through their findings.

Customers that scan their software for vulnerabilities on a more frequent basis end up fixing vulnerabilities faster, so it shows that just a process change can lead to more secure software.

So based on what you gathered here in this report, what are your recommendations?

So the recommendation is to make a cultural change of not having a separate security team be the people that test software, decide what to fix, and then essentially harangue the development team to fix issues not on the development team's schedule or when it's best for them. The recommendation is to get management in the development organization to take ownership for this and use as evidence things like the state of security report, which says you're going to have much more secure software, actually with less effort. It's going to be easier for you to produce more secure software. And get that buy-in from the executive team and then push it all the way down to the individual development teams, where they will take ownership for securing the software, and the security team then becomes a consultant. They become someone that helps this process work, but they're not there in the daily meetings saying, you know, "Should we fix this bug?" anymore. The security team takes ownership of that and gets trained to have some expertise so they actually know what they're doing. Then they build it into their process and they think about getting better and better over time.

Was there anything in the report that was surprising to you, any unexpected results that came through?

Well, we did something which was a little different this time, which was we didn't just look at how often scanning was done. We looked at the pattern of the scanning. So was it steady? Was it on a daily basis, a weekly basis? Was it irregular?
Was it something where it would seem too haphazard, like, why are they scanning now and why is there a lot of intense scanning over this period? Or what we call bursty, which was long periods of time where no scanning activity happens, then a month or two of intense scanning activity, and then a long period of time with none. And that kind of showed us that they were scanning only as they got close to the release cycle. And we didn't know what to expect from breaking development teams into those three categories: steady, irregular, and bursty. So the recommendation is scan on a steady basis, or even an irregular basis, but don't go long periods of time without scanning. That almost guarantees your product is going to be less secure.

Kind of reminds me of, you know, the frantic cleaning of the house that takes place before Thanksgiving or when family's coming over, and when you haven't done it in a while you start throwing things into closets and you pay for it later.

Absolutely. I think that's a great analogy. At the high level, when we say, like, is software, you know, getting more secure or less secure, we saw over the ten-year period that we've been doing it, a lot of vulnerabilities that are well known, like SQL injection, are sort of at the same percentage rate that they were ten years ago. We had twenty-three percent of apps ten years ago had one or more SQL injection vulnerabilities, and here in two thousand nineteen, twenty-four percent of apps have one or more SQL injection vulnerability. So it's crazy. I think that if you zoom out and look at the big picture, not much has changed as far as, you know, are people fixing these problems or not, or introducing these problems. So we still have a lot of work to do as an industry, and we hope that these recommendations that come out of the report, where we see what, you know, particular development teams are doing really
well, we can percolate that through the industry so that becomes the average way of doing things and, you know, everyone gets better, not just these teams that have a great process.

That's Chris Wysopal from Veracode.

The day now seems somehow incomplete without news that a misconfigured cloud database has exposed a great deal of personal information, and today, unfortunately, is complete. TechCrunch reports that the British penetration testing company Fidus has found another one. It's an AWS bucket belonging to a company that TechCrunch and Fidus declined to name. The company's business is the processing of applications for copies of US birth certificates. The exposed database holds more than seven hundred fifty thousand applications. Such applications contain a considerable amount of personally identifiable information, including, according to TechCrunch's look at the material, the applicant's name, date of birth, current home address, email address, phone number, and historical personal information, including past addresses, names of family members, and the reason for the application, such as applying for a passport or researching family history. That's a lot. Amazon said it would notify the unnamed company whose bucket it is that it needs to, well, do something about it.

Today, of course, is Patch Tuesday, so be on the lookout for updates from Microsoft and Adobe, expected sometime this afternoon. We'll have notes on the fixes tomorrow.

And finally, it's also prediction season, and the cybersecurity industry has been busy making them. We do link to those in our daily news briefing, and we encourage those interested to look there for the sector's virtual crystal ball. But we'd be remiss if we didn't mention one outstanding and very funny aggregation of twenty twenty forecasts. It's in CyberScoop. By all means give it a look.
The publication decided to turn the AI loose on the predictions to glom them all together, and they didn't stop there either. They let the bots do the writing too. As the editor says in her disclaimer, the article is all generated through Markov chains and is only super lightly edited for clarity. Those Markov chains are rattling better than the cash boxes that encumbered Jacob Marley when he visited Ebenezer Scrooge. Their most insightful prediction, we thought, was prediction number eight: more security officers will get worse. Tell it, brothers and sisters. We particularly like the way the bots attributed a quotation to Carl von Clausewitz at the end of every section, a riff on his famous dictum that war is the continuation of politics by other means. A few of our favorites were "war is merely the continuation of the evolution in cloud security," or "war is merely the only way to monetizing IoT network attacks," and "war is merely the marketing deployed." So bravo, CyberScoop, and do go read the whole thing.

It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intel updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

And joining me once again is Ben Yelin.
He's the program director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security. Also my co-host on the Caveat podcast. Ben, great to have you back.

Good to be here with you, Dave.

Interesting article. This is from The Verge, something you and I have touched on over on the Caveat podcast, but there's some specifics here I wanted to dig into for our audience, and this has to do with whether or not you have a right to sue Facebook and other online platforms, and some legislation that's being cooked up to address this sort of thing. What's going on here?

So there was some promise in the past several months that there could be deep bipartisan agreement on federal data privacy legislation. This has been a long-running problem. We have this patchwork of state laws and some federal regulations that apply to data privacy, but we don't have uniform federal legislation. So a couple of key senators in the United States Senate, Democrat Maria Cantwell of Washington and Republican Roger Wicker of Mississippi, have been trying to work on a bipartisan solution to this problem. I think there is general bipartisan interest in the skeleton of such a bill, okay, in terms of, you know, some of the things we all agree on, like giving the FTC, the Federal Trade Commission, enforcement authority on data privacy violations. But a big source of disagreement is giving consumers, users, a private right of action against the big tech companies.

What does that mean?

So this would allow a legal cause of action for any user of any one of these sites or any one of these technological devices to directly sue that company for damages. So oftentimes you'll see legislation that bans a private right of action, where legislation will explicitly say an individual doesn't have standing to sue on the basis of a violation of the statute.
What Senator Cantwell's proposal would say is that users do have legal standing to sue if they are alleging that their data has been compromised by one of these companies. You know, so the positives would be having a private right of action gives these tech companies, the Twitters and Facebooks of the world, more of an incentive to protect user data. If they're fearful about getting sued, you know, they might hire more compliance officers to make sure that they're complying with this federal statute. And the downside, which is something that Senator Wicker and other Republicans have talked about, is that this could lead to a flood of lawsuits, and when a similar standard, similar private right of action, was applied to the telecommunications companies back in the nineties, it did lead to a lot of lawsuits, hundreds of thousands of them. A corollary to that argument, Senator Wicker's argument, which I think has a lot of merit to it, is Facebook and Twitter, you know, they have the resources to respond to lawsuits. They're wealthy companies. Mark Zuckerberg can hire the best lawyers in the country. Jack Dorsey probably could too. You know, the resources are just not going to be a problem for them. Even if they're sued by millions of users, there are a bunch of class action lawsuits. That's true for some of these. Smaller companies, lawsuits could drive them out of business. And, you know, so this might be a regulation, or a change in the law, that actually would benefit big tech companies at the expense of the smaller guys out there.

Could keep the smaller guys from establishing a foothold in the market.
Even.

Exactly, exactly, because compliance would just be far more expensive and there would constantly be this threat of litigation. So that might impact somebody developing a new technology or a new interface where they're not entirely clear if there are robust data protections. Maybe the company decides not to go through with that because it's too expensive to try to comply with these new federal regulations. So the upshot of this, you know, Senator Wicker claims as part of this article that he doesn't think this dispute on private right of action is going to derail the entire effort to have a federal data privacy bill. I think Senator Cantwell has also signaled an openness to having legislation that does not have this private right of action. This is just going to be part of ongoing negotiations. There are certainly legitimate positives and negatives for that particular provision, but it's something that's going to have to be worked out in the United States Senate.

All right, those gears turning, right? Absolutely, they always are, although we don't usually associate the United States Senate with gears turning. Grind very slow. Monkey wrenches and rust on the gears. Cooling saucer, as they say. All right. Well, Ben Yelin, as always, thanks for joining. Thank you.

And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.