In this week’s Security Ledger Podcast (#87) we speak with Priscilla Moriuchi of the firm Recorded Future about China’s efforts to cover up delays in publishing information on serious and exploitable software security holes. Joe Slowick of the firm Dragos Security joins us to talk about the hacking groups targeting industrial control systems and Ken Munro of the firm Pen Test Partners tells us why the UK’s new report on securing the Internet of Things isn’t worth the paper it’s written on.
China manipulates vulnerability reports, and history
If the utopian vision of the Internet that emerged in the 1990s was of a platform that connected and gave voice to billions of voiceless and powerless people in the world, what’s emerged in the last ten years looks a lot more dystopian, as governments in Russia, China, Syria and Egypt have bent the Internet and technology to serve decidedly undemocratic and repressive agendas.
Rather than being a record of human thought and expression, the Internet is starting to look a lot more Orwellian. It is the wires connecting Big Brother’s ever watching eye, the Ministry of Truth that pumps out lies and the Memory Hole that allows incontrovertible facts to disappear into the ether.
At least those were my thoughts after speaking this week with Priscilla Moriuchi, the Director of Strategic Threat Development at the firm Recorded Future. Moriuchi is behind a bunch of research RF has released in the last six months on China’s National Vulnerability Database (CNNVD) that shows it is managed by that country’s Ministry of State Security (akin to the CIA) and that CNNVD was delaying publication of notices on serious, exploitable software holes.
In research released last week, Recorded Future warned that Chinese authorities are apparently altering the publication dates of CNNVD reports on serious and exploitable vulnerabilities to match those of the US NVD and to cover up the already noted delays in releasing information on those holes domestically.
In this podcast, Priscilla and I talk about that research and why China’s governing Communist Party might feel the need to delay publication of already public data. The behavior, Moriuchi said, fits with a much larger pattern of behavior in which China uses its control over the Internet in that country to rewrite truth and shape reality for its billions of citizens.
Then there were 5: the hacking groups targeting ICS
It has been almost a decade since the Stuxnet worm woke the world up to the threat of malware attacks on industrial control systems. But it is only in the last couple of years that ‘in the wild’ attacks on critical infrastructure have become common. Hacks on Ukraine’s electric grid and, most recently, on an industrial refining facility in the Middle East show that malicious actors and nation states are interested in poking around ICS environments – if not destroying them outright.
What is the state of hacking for industrial control systems? In this second part of the Security Ledger podcast, we sat down with Joe Slowick, an adversary hunter at Dragos Security, which specializes in industrial control systems. Dragos has recently come out with a report identifying no fewer than five groups active in the ICS space. To start off our conversation, I asked Joe to talk about how Dragos identifies ICS hacking groups and how it distinguishes them from other malicious actors.
All Bark and no Bite: UK’s IoT Security Report
The UK government is just the latest to issue a report raising alarms about insecure devices connected to the Internet of Things. A new report out from the UK Department for Digital, Culture, Media & Sport on Wednesday (PDF) calls for joint government and industry action “as a matter of urgency.” It argues for a “fundamental shift” in the burden of securing connected devices from consumers to the manufacturers of those devices.
Those are stirring words. But our final guest, Ken Munro of the firm Pen Test Partners, thinks they’re empty ones. In our final segment this week, Ken and I talk about the new report, what it gets right and where it falls short. We also talk about what’s really needed to secure the Internet of Things. (Hint: it’s not more standards!)
Correction: an earlier version of this blog post misstated Priscilla Moriuchi’s first name. The article has been corrected. PFR March 12, 2018