Podcast Episode 90: WannaCry zombie haunts Boeing, UL tests for cyber security and Harvard war games election hacking

In this week’s podcast, Episode #90: has the WannaCry ransomware returned from the dead? We talk with an expert from Juniper Networks about what might be behind the outbreak at Boeing. Also: Underwriters Lab and Johnson Controls join us on the podcast to talk about a recent milestone: UL’s award of the first ever Level 3 certificate for cyber security. And we speak with one of the organizers of one of an election security table top exercise last week at Harvard’s Kennedy School. 

WannaCry: It’s alive…IT’S ALIVE!!!!

A Boeing factory worker. The company revealed disruptions linked to the WannaCry malware last week. Image courtesy of Boeing.

In something reminiscent of a zombie movie, news broke last week that the WannaCry encrypting malware was back from the dead and – reportedly – spreading within the network of aircraft maker Boeing Corp. But how? Wasn’t WannaCry stopped cold back in May of last year, when a UK-based researcher unwittingly tripped the malware’s “kill switch” by registering an obscure domain he found buried in its code? Was the Boeing infection evidence of a new WannaCry variant making the rounds?

[Read some of Security Ledger’s WannaCry coverage here.]

Our first guest, Mounir Hahad, the head of threat research at Juniper Networks, says “probably not.” More likely, Hahad says, is that the malware on Boeing’s network was awakened – zombie like – from a long slumber and began spreading within the company’s network. In our first segment, we talk with Mounir about how something like that could happen at a sophisticated firm like Boeing and what companies can do to protect themselves from ransomware and other threats.

[You might also like to listen to: Podcast: WannaCry: It’s The Exploits, Stupid and Parsing The Cyber Executive Order]

UL tested and approved…for cyber security

For years, experts have been saying that we need “an Underwriter’s Lab for cyber security.” Well, now we have one. And its Underwriters Lab.  In our second segment, we go behind the news from last week that Underwriter’s Lab officially certified the first product that meets its highest level of third-party cybersecurity standards: UL2900-2-3 for Life Safety and Security. The product that earned that distinction is a VideoEdge network video recorder manufactured by Johnson Controls.

[You might also want to read: Black Box Device Research reveals Pitiful State of Internet of Things Security]

 

We invited two people into the SL studios to speak about that: William Brown, a Senior Engineering Manager in the Cyber Protection Program at Johnson Controls and Neil Lakomiak, the Business Development Director at UL.  We talk about what goes into the Level 3 certification, what this means for the future of connected products, and whether UL-certified cyber secure products will get a nifty cyber secure UL sticker (spoiler alert: they won’t).

Voters on line
An event at Harvard University taught election workers what to expect in a cyber attack. (Image courtesy of Missouri Secretary of State.)

Election workers: to your battle stations!

With the 2018 midterm elections just months away, secretaries of state across the US are scrambling to get their election systems hardened against expected intrusions and other mischief by hackers linked to the government of Russia or other threat actors.

One of the big challenges is cultivating cyber security known how within state and local elections offices. In our final segment, we speak with Caitlin Conley, one of the organizers of Defending Digital Democracy, a program at Harvard’s Kennedy School’s Belfer Center.

Conley was part of a large scale, multi day election security table top exercise last week featuring more than one hundred election officials from across the country, including more than one Secretary of State. We invited Conley into our studios to talk about the event, what kinds of threats and attacks the exercise modeled and where recently passed election security funding may be best put to use.