
Cyber Threat Analysis Report Volume 1 Edition 5

Why is it so hard for us to pay attention to cybersecurity?

With a daily deluge of cyberattacks, hacking incidents, data breaches and malware campaigns, it appears that – finally – many organisations now understand that cyber security is an important issue that needs to be taken seriously from the board down. But if three quarters of organisations view cybersecurity as a high priority, then around a quarter don’t rate it as important. Indeed, 20 percent of businesses say that cybersecurity is seen as a fairly low or very low priority, with 22 percent of charities saying the same.

No one is in the cybersecurity business, they’re just in business. This doesn’t make them bad people, it makes them good business-people. No one is rewarded for being the most secure retailer in the X space, they’re rewarded by making their numbers. As long as risks can be mitigated to an acceptable degree, and the cost of failure is still less than how much money can be made, this is not a situation that is going to change. The cost of the most epic breaches – spread out across millions of customers, pennies at a time – is painless to everyone, so no one is incentivized to do more.

Utilities are under cyber threat, so what can they do about it?

Critical infrastructure networks are increasingly being targeted by cyber criminals. Utility providers, in particular, are more frequently having to deal with data breaches as hackers look to disrupt or even destroy supply of vital services. So serious is the threat that the U.S. Department of Homeland Security set up a new centre devoted to helping protect critical assets — from banks to electric companies to manufacturing plants.

If you’re forward-thinking you should be talking about cyber threats in the context of legitimacy, not down-time, lost productivity, and stock prices. The city of Atlanta, the California DMV, the city of Del Rio Texas, Garfield county Utah, Albany New York, West Haven Connecticut, Muscatine Ohio, Valdez Alaska, voting machines and tally systems, power and water… Is this a trend, or just a whole lot of data points that point in one direction? If you remember Iraq post-invasion, he who provides order and services receives the support of the people. When the city, the county, the state, the power co-op is no longer functional, whatever steps in is what rules. Movie plot scenario? It is one that’s playing out all around the world right now.

Bayer contains cyber attack it says bore Chinese hallmarks

German pharmaceutical company Bayer has contained a cyber attack it believes was hatched in China. Bayer found the infectious software on its computer networks early last year, covertly monitored and analysed it until the end of last month and then cleared the threat from its systems. “There is no evidence of data theft,” Bayer said in a statement, though a spokesman added that the overall damage was still being assessed and that German state prosecutors had launched an investigation. “This type of attack points toward the ‘Wicked Panda’ group in China, according to security experts,” the spokesman added, citing DCSO, a cyber security group set up by Bayer in 2015 with German partners Allianz, BASF and Volkswagen.

Take two units of security and call me in the morning. Industrial espionage is the obvious leading candidate; all those Chinese people you see at your favorite warehouse store buying carts full of vitamins aren’t opening GNC stores. The social credit system notwithstanding, there are just some things no population is going to stand for, and sub-standard pharma is one of them. And as we’ve seen countless times before, stealing makes more sense than starting from scratch. I mean, it worked for the west.

UK govt selects STIX 2, TAXII 2 standards for cyber threat intelligence

The UK government has revealed the new standards to be used by its various departments for exchanging cyber threat intelligence. Entrusted with the responsibility to select the new standards for cyber threat intelligence exchange, the Open Standards Board has picked the Structured Threat Information Expression (STIX 2) and the Trusted Automated eXchange of Indicator Information (TAXII 2) standards.

Hurrah! It’s 2019 and the UK has agreed upon standards! Information sharing: that thing that has been recommended by every panel, working group, commission, and study since the PCCIP (if not before). To be fair, this is good news in the sense that players can reduce costs and waste, and increase the speed at which they operate, but the thought of 20-odd years of ad hoc-ing it is a reminder that the only people taking this seriously are us.
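To make the two standards above concrete: STIX 2 is the JSON object model for threat intelligence (indicators, malware, relationships and so on, shipped in a bundle), and TAXII 2 is the HTTP API that serves those bundles from collections. The following is an added example, not code from the page, the UK Open Standards Board or OASIS. It assembles a minimal STIX 2.1 Indicator bundle, runs a lightweight structural check over it (the kind of sanity check a receiving feed consumer would want before ingesting), and matches a flat pattern against observed values. The helper names, the subset of the pattern language handled, and the sample values (documentation-range addresses, not real indicators) are assumptions for illustration; the TAXII transport is not shown.

```python
"""Build and sanity-check a STIX 2.1 indicator bundle, then match a simple pattern.

Added example, not from the page or any standards body. Object layout follows the
STIX 2.1 specification; helper names and sample values are constructed assumptions.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

# STIX identifiers have the form "<type>--<uuid>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Required properties of a STIX 2.1 Indicator object.
REQUIRED_INDICATOR = (
    "type", "spec_version", "id", "created", "modified",
    "pattern", "pattern_type", "valid_from",
)
# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.5'
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.]+)\s*=\s*'([^']*)'")


def stix_timestamp() -> str:
    """Current UTC time in the millisecond-precision form STIX uses."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(name: str, pattern: str, stix_id: Optional[str] = None) -> dict:
    """Assemble a minimal STIX 2.1 Indicator (helper name is an assumption)."""
    ts = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id or f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> dict:
    """Wrap objects in a STIX Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems found; an empty list means the checks passed.

    Lightweight structural check only, not a full STIX validator.
    """
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level type must be 'bundle'")
    if not STIX_ID_RE.match(bundle.get("id", "")):
        problems.append("bundle id is not '<type>--<uuid>'")
    for n, obj in enumerate(bundle.get("objects", [])):
        where = f"objects[{n}]"
        obj_id = obj.get("id", "")
        if not STIX_ID_RE.match(obj_id):
            problems.append(f"{where}: malformed id {obj_id!r}")
        elif not obj_id.startswith(obj.get("type", "") + "--"):
            problems.append(f"{where}: id prefix does not match type")
        if obj.get("type") == "indicator":
            for field in REQUIRED_INDICATOR:
                if field not in obj:
                    problems.append(f"{where}: missing required property {field!r}")
            pat = obj.get("pattern", "")
            if obj.get("pattern_type") == "stix" and not (pat.startswith("[") and pat.endswith("]")):
                problems.append(f"{where}: stix pattern must be enclosed in [ ]")
    return problems


def pattern_matches(pattern: str, observed: dict) -> bool:
    """Match a flat STIX pattern (equality comparisons joined by OR) against
    observed values given as {"<type>:<property>": {value, ...}}.

    Only this small subset of the STIX pattern language is handled.
    """
    comparisons = COMPARISON_RE.findall(pattern)
    return any(value in observed.get(f"{otype}:{prop}", set())
               for otype, prop, value in comparisons)


if __name__ == "__main__":
    # Constructed sample values from documentation ranges, not real indicators.
    ind = make_indicator(
        "Constructed example C2 address",
        "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'c2.example.net']",
    )
    bundle = make_bundle([ind])
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
    seen = {"ipv4-addr:value": {"198.51.100.7", "203.0.113.5"}}
    print("match:", pattern_matches(ind["pattern"], seen))
```

The structural check is deliberately strict about identifiers and the `[ ]` pattern framing because those are the errors that most often break a downstream consumer; a production feed would hand the bundle to a full schema validator before it touches detection tooling.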

Deepfake Malware Can Trick Radiologists Into Believing You Have Cancer

One of the problems with convincing people to take computer security seriously is that it’s, in a word, boring. Every now and then, however, someone demonstrates a flaw with the potential to break through the walls of ennui surrounding the topic and register with the public consciousness. Israeli researchers have likely done just that, by demonstrating that malware running on CT and MRI machines can either inject realistic images of cancerous growths — fooling trained diagnosticians — or remove said tumors from the screen entirely, leaving technicians convinced no disease was present when it very much was.

The next evolution of evil. When ransomware was ascendant I opined that variations would emerge. Expose-ware was an example: I’ve copied your files, pay me or I’ll publish it all online for the world to see. Particularly dangerous in communities where what you do behind closed doors might get you killed if made public. “Misdiagnose-ware” is a little more complicated of an idea, but when you look at how big medical and insurance fraud is, not having cancer but having the film that says you do could be a windfall to the unscrupulous (the reverse is almost too dark a scenario to articulate).

Why the Navy is giving agencies, industry a much-needed wake-up call on supply chain risks

On page 6 of the Navy’s recent report about its cyber readiness, there is a jaw-dropping confession: “The systems the U.S. relies upon to mobilize, deploy and sustain forces have been extensively targeted by potential adversaries, and compromised to such an extent that their reliability is questionable.”

Forward…from the sea, right after we wipe and rebuild. Hard to project power when the fleet is dealing with the blue screen of death. To the uninitiated it is hard to communicate just how complicated building and operating a modern weapons platform is, and it is just as baffling to try and comprehend how all that effort could amount to naught because procurement is all and security is an afterthought. We learn the hard way, and this is certainly a hard and catastrophically expensive lesson that should be promulgated immediately and regularly to drive the point home: you can’t trust it to work if you don’t build it right.

Leadership turnover at DHS and Secret Service could hurt US cybersecurity plans

Departures of top officials at Secret Service and DHS will add to an already difficult public-private disconnect on cybersecurity. Kirstjen Nielsen in particular has a rare set of cybersecurity and enterprise risk skills that helped DHS in its initiatives to protect companies in critical industries, such as finance, energy and water.

Make way for a crony placeholder. There was a time when an administration of this sort could have served as a platform for smart, skilled, and knowledgeable experts that weren’t part of the old boy’s network or political machines to assume positions of responsibility and authority and inject new thinking. It’s pretty clear at this point however that while that might still be technically true, there is no motivation at the top to do anything meaningful, merely sensational, and who wants to waste their time in that kind of environment?

Craigslist Founder Funds Security Toolkit for Journalists, Elections

A gift from Craigslist’s founder Craig Newmark is funding the development of cybersecurity toolkits for journalists and elections offices ahead of the 2020 US elections. The toolkits, which will be developed by the Global Cyber Alliance (GCA), are intended to “protect journalists and media outlets from cyber-attacks that are designed to either manipulate public opinion or expose sources, enable election boards or other bodies to leverage the latest in cybersecurity protections to preserve election integrity and help ensure that all votes are accurately recorded and counted, and secure nonprofit community organizations that work to uphold the right to vote.”

A hand up or a hand out? There are numerous groups that need such help, but it is unclear to me why we’re so generous with our efforts. If this is a priority, it should be treated – and funded – as such. Non-profit doesn’t mean no-money, as the marble foyers and mahogany paneled walls of a lot of non-profits will attest. For those who operate independently, or who are truly on skeleton budgets, noblesse oblige, but for everyone else the conundrum of pricing applies: people don’t value and use things they don’t pay for.

New Mirai Variant Targets More Processor Architectures

A recently discovered variant of the Mirai malware is targeting more processor architectures than before, which allows it to attack a wider range of Internet of Things (IoT) devices. Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.

We have not seen the full negative impact IoT will have on our lives. The net benefits we’ve reaped to date are fairly one sided; we get convenience, providers get a metric ton of data on us that they can exploit for profit (we foot the bill). When IoT goes rogue at scale, the only people who will really suffer are customers/users, as we can’t stomach pushing liability onto those who make trivially exploitable products. How resilient are you and your family? If the answer is ‘not very much’ then look at your Alexa, Nest, and ‘smart’ fridge with a jaundiced eye.

Samsung Galaxy S10 Fingerprint Sensor Duped With 3D Print

The Samsung Galaxy S10 fingerprint sensor can be fooled in a hack that takes a mere 13 minutes and involves a 3D printed fingerprint. The researcher first took a picture of his own fingerprint, then transferred that picture to Adobe Photoshop and created a 3D print. From there, he used the 3D print to physically sign on to his phone.

First, buy a 3D printer… Saints preserve us from the tyranny of edge-cases.

Outside-the-box malware is getting more common, security researchers warn

Malware authors have been experimenting with unusual malware formats, presenting new challenges for the security industry. Most malware authors have become lazy in the past few years, copying code and techniques from each other. A few, however, “have invested in really fresh ideas,” building tools that are often difficult to detect by antivirus software and pose challenges to human researchers, Aleksandra Doniec, malware intelligence analyst at Malwarebytes, tells CSO.

Your regular reminder that cybercrime is a business. An illicit one, but a business nevertheless. Innovation helps drive ROI in their world just like it does ours. If you don’t think you’re dealing with professionals, you’re doing it wrong.

Google Boosts Security of Google Cloud

Google this week announced a series of tools meant to increase the overall security of Google Cloud and improve customer trust in the service. The new functionality will allow users to gain better visibility into their environments, detect threats and accelerate response and remediation, mitigate data exfiltration risks, ensure a secure software supply chain, and strengthen policy compliance.

Scale: it’s really the only thing that matters. Some have started to question the wisdom of moving your computing resources to the cloud. It exposes your systems and data to more people, not less, which in their eyes increases the threat. Exposing your precious to more random strangers is one thing; exposing it to world-class talent that is subjected to background checks and who have to follow rigid security protocols is another. No offense, but can your in-house IT team have this kind of impact?

79% Indian firms lack hacking response plan

Nearly 79 per cent of Indian firms do not have a computer security incident response plan (CSIRP) in place that is applied consistently across operations, a new IBM-Ponemon Institute study said on Thursday. In the past two years, 51 per cent of Indian organisations surveyed experienced a data breach and 56 per cent experienced a cyber security incident, revealed the study conducted by US-based Ponemon Institute on behalf of IBM Security. Of the organisations that do have a CSIRP in place, 57 per cent do not test plans regularly or at all.

Why should you care about what goes on in India? Well, if you use Wipro you might want to pay attention (more below). How much of what you do touches an Indian system or developers? How reliant are you on them for support? What’s YOUR response plan when your service provider’s lack of a plan shuts their doors? If your operations depend on someone else’s resilience, better make sure they agree and can hold up their end of the bargain.

Breach at IT Outsourcing Giant Wipro

Indian IT outsourcing and consulting giant Wipro Ltd. is investigating reports that its own IT systems have been hacked and are being used to launch attacks against some of the company’s customers, multiple sources tell KrebsOnSecurity. Wipro has refused to respond to questions about the alleged incident. Earlier this month, KrebsOnSecurity heard independently from two trusted sources that Wipro — India’s third-largest IT outsourcing company — was dealing with a multi-month intrusion from an assumed state-sponsored attacker. Both sources, who spoke on condition of anonymity, said Wipro’s systems were seen being used as jumping-off points for digital fishing expeditions targeting at least a dozen Wipro customer systems.

You can’t trust anyone anymore. You trust your outsourcer with the crown jewels, and then they go and leave them lying around for anyone to pick up and walk off. As the Navy story pointed out earlier, it’s not just your network, it’s every network you connect to, every device in the network and everyone who had a hand in making all of it. That’s your attack surface now, and no one is really capable of dealing with it all. Zero-trust is the right idea, but it doesn’t mean the solution is easy (or cheap).

Why conducting a cybersecurity due diligence is vital in M&A deals

As security increasingly becomes a boardroom issue, cyber risks should be a focal point in M&A talks. There have been numerous high-profile examples of cyber breaches that came to light only after an acquisition. Such unfortunate cases illustrate the cyber risks associated with mergers and acquisitions, and bring to the fore the importance of cybersecurity due diligence, which involves carrying out a comprehensive audit of the cybersecurity status of a target company.

You’re buying someone else’s assets, not their problems. Like cyber insurance, the more rigorous your efforts at the start, the more likely you’re going to be able to accurately calculate risk (and justify premiums). Unfortunately, like cybersecurity in every other domain, it’s simply not given the attention it should be, to the detriment of those writing the check. You ‘trust but verify’ financials; there is no reason why you shouldn’t do the same thing with their network and devices. The tools and talent are available, what’s usually lacking is the awareness and the will.

North Dakota Adopts Statewide Cybersecurity Approach

The North Dakota legislation authorizing a new unified approach to cybersecurity was signed into law Thursday by Gov. Doug Burgum. The governor, a former Microsoft executive, said Senate Bill 2110 would go far toward protecting the state’s digital infrastructure. The bill gives authority to the state’s Information Technology Department (ITD) to define cybersecurity for all of the state’s public entities — including cities and counties, state agencies, school districts and institutions for higher education.

A model approach that should be adopted nation-wide (and at the national level). The fact of the matter is that as long as such authority is dispersed, discrete agencies will always have some excuse as to why they’re not adhering to policy. To the extent that some have a legitimate point here and there, it is all too often a crutch to be used to avoid making hard decisions. To the point about legitimacy made above, the longer government at any level delays the prioritization of security, the worse their failure is going to impact the population they serve.

About the Author

Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.