CyberWire Daily - Bear hunt in the Bundestag. Kaiji botnet described. Cryptojacking. Joint US-UK warning against attacks on COVID-19 response. Contact tracing. Puppy scams.
Episode Date: May 5, 2020
A pretty Fancy Bear hunt in Germany. A new IoT botnet surfaces. Cryptojackers exploit a Salt bug. Bribing an insider as a way to get personal data. The UK's NCSC and the US CISA issue a joint warning about campaigns directed against institutions working on a response to COVID-19. Britain's contact tracing app starts its trial on the Isle of Wight. Ben Yelin from UMD CHHS on AI inventions and their pending patents, our guest is Matt Glenn from Illumio on why companies should break up with their firewalls. And don't get puppy scammed--you're looking for wags in all the wrong places. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_05.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
A pretty fancy bear hunt in Germany.
A new IoT botnet surfaces.
Cryptojackers exploit a Salt bug.
Bribing an insider as a way to get personal data.
The UK's NCSC and the US CISA issue a joint warning about campaigns
directed against institutions working on a response to COVID-19.
Britain's contact tracing app starts its trial.
Ben Yelin on AI inventions and their pending patents.
Matt Glenn from Illumio is our guest, and he wonders if companies should break up with their firewalls.
And don't get puppy scammed. You're looking for wags in all the wrong places.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 5th, 2020.
Reuters reports that German authorities have issued a warrant for the arrest of Dmitry Badin,
a GRU operator wanted in connection with a 2015 hack of the Bundestag.
The Süddeutsche Zeitung calls the warrant a bear hunt,
because of course the authorities think Mr. Badin is working for
Fancy Bear. He's a person of interest elsewhere, too. There are a number of people in the U.S.
Justice Department who'd like to hear from him about the 2016 hack of the Democratic National
Committee. Researchers at Intezer have identified a new Linux-based botnet they're calling Kaiji.
It's apparently the work of a developer in China,
and it's designed to infect IoT devices in order to herd them into a botnet adapted to
distributed denial-of-service attacks. ZDNet reports that Kaiji gains access to targeted
devices via SSH brute force attacks. Pen Test Partners say they've demonstrated a disturbing proof of concept,
a crying wolf attack against commercial aviation's Traffic Alert and Collision Avoidance System, TCAS.
It's possible to induce ghost contacts in the system,
and some aircraft might automatically respond to such false reports by altering course.
The potential risk to flight safety is obvious.
ThreatPost points out that the ghosts
won't show up on radar and that pilots may well trust, probably will trust, radar more than TCAS,
but the proof of concept remains troubling nonetheless. Crypto miners continue to exploit
vulnerabilities in the Salt remote task and configuration framework. Computer Weekly writes
that Xen Orchestra users have been affected,
as have users of the Ghost blogging platform.
The Register reports that DigiCert has also been affected.
The UK's National Cyber Security Centre, NCSC,
and the US Cybersecurity and Infrastructure Security Agency, CISA,
this morning released a joint advisory warning that APT groups are
targeting both health care and essential services. While such attacks could either be state-sponsored
or the work of criminal gangs, and while both kinds of threat actors have been active during
the pandemic emergency, APT, Advanced Persistent Threat, has come to be functionally equivalent to
state-sponsored threat actor. The advisory summarizes the goals of the campaigns as follows,
quote, APT actors are actively targeting organizations involved in both national
and international COVID-19 responses. These organizations include healthcare bodies,
pharmaceutical companies, academia, medical research organizations, and local governments.
APT actors frequently target organizations in order to collect bulk personal information,
intellectual property, and intelligence that aligns with national priorities.
The pandemic has likely raised additional interest for APT actors
to gather information related to COVID-19.
For example, actors may seek to obtain intelligence on national and international health care policy or acquire sensitive data on COVID-19-related research.
The threat actors are actively scanning for specific vulnerabilities in their target systems,
specifically Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network products from Pulse Secure,
Fortinet, and Palo Alto Networks. They're also engaged in large-scale password spraying attacks.
The UK has been particularly concerned to block these threats, which have been particularly
active against the country's biomedical research sector. The Wall Street Journal calls NCSC's
response a pivot and reports that measures
are being taken to protect institutions engaged in vaccine research. The venerable firewall is a
tried-and-true component of cybersecurity, tirelessly keeping watch over your network,
keeping the bad stuff out. But some say there's a tendency toward over-reliance on firewalls,
and a closer look is in order.
Matt Glenn is vice president of product management at data center and cloud computing security company Illumio.
If you think about the original firewall, it was basically the perimeter of an enterprise versus the internet.
It was sort of the thing that was making sure that the internet couldn't get inside of your enterprise.
So you were either on the good side of the firewall or the adversarial side of the firewall.
And it is a great perimeter device.
The challenge has been, and I think that most of your listeners will sort of see this, is that the threats are no longer popping through from the outside in.
There's a lot of internal things that happen,
right? So the first thing that a bad actor will try to do is infiltrate. How do they try to
infiltrate? Malware. So instead of it coming in, you know, someone trying to, you know,
pierce the firewall, what they're doing is they're relying on somebody clicking on a bad link,
downloading something bad onto their devices. And then, you know, suddenly that threat is now behind the
firewall. And so what did organizations begin to do? They began to put more and more firewalls
inside of their enterprises. And that is just, you know, that creates a lot of complexity to
manage all those different firewall rules. And now you're creating more and more perimeters inside
of our enterprise, which, you know, from a security strategy perspective is a good idea, right? And I think,
you know, when Wi-Fi came in, you know, the access of the network was, you know, literally piercing outside of the four walls of a building. So, you know, we see people putting more and more
firewalls like in front of their data centers, right? And now, I think the new sort of threat landscape is,
you know, we have our perimeter firewall.
Our users, you know, are going to get impacted at some point.
I have some customers where they actually have people working for organized crime
that come into an organization as a developer.
So the assumption is that you've already been breached.
That's sort of the new mindset of CISOs. So how do you basically ensure that the breach that has already taken place,
and you have to assume breach, that it can't spread? And the answer to doing that is segmentation.
So the first thing that a CISO will do is to say, oh, let's buy more firewalls to do that. Well,
the problem is that driving more and more firewalls into your data center is costly and disruptive in that, you know, you may have to
re-architect your data center to insert them. And I think that's why things are starting to break
down in the report that we put out. The state of security segmentation sort of speaks to that point.
What is the transition like? If someone wants to adopt what you're proposing here,
how is that turnover period? What is that like for them?
Here is the good news about it. There is no change to the underlying infrastructure to do it. There's
no sort of modification of the network. In fact, at a lot of customers, the question is, who owns this? Most frequently, we do see
that network teams own the segmentation problem because, you know, segmentation is
classically a networking problem, okay? The good news is you don't have to
modify the network in any way, shape, or form. What organizations do and what I
always tell customers to do is start by concentrating on the people and process.
And what do I mean by that?
Work out the process for how you're going to do the brownfield segmentation.
Target like, you know, nine, ten applications and build that up.
It's not very hard to do once you sort of target those people and process to go into your brownfield and, you know, take care of segmentation, but without breaking any applications.
That's Matt Glenn from Illumio.
The UK today began to pilot its contact tracing app on the Isle of Wight.
Matt Hancock, Secretary of State for Health and Social Care,
gave the islanders a bucking up.
The Telegraph quotes him as saying,
we'll learn a lot, we'll use it to make things better, and we want to hear from you.
Where the Isle of Wight goes, Britain goes.
The British system is something of an outlier among the more recent approaches to contact tracing,
in that it represents a centralized approach to collection and analysis of data.
The Telegraph has a description of how the app is intended to work.
It's an opt-in system
that uses Bluetooth for sensing proximity and that depends upon self-reporting of positive diagnoses.
A skeptical piece in the Register outlines some of the challenges confronting the NHSX-developed
app, and a second Register article reports that NHS has informed Parliament that it intends to
retain the data it collects even after the pandemic passes.
The centralized collection and analysis, and the plans to continue to use data for research,
has led to calls for close legislative oversight of the system, Computer Weekly says.
The inadvertent exposure of a contact tracing database in India has aroused suspicion of such efforts' security and privacy,
SC Magazine observes. The Washington Post has an overview of how such suspicions are currently
being manifested around the world. In the U.S., while there are other projects under development,
the joint Apple-Google exposure notification app has attracted the most interest.
It's decentralized, opt-in, and will not use location tracking, Reuters reports.
And finally, not all human-animal interaction during the pandemic has come in wet markets.
There's been a striking rise in the rate of animal adoptions as people look for companions
during a time of isolation, with Wired having gone so far as to say that animal shelters are empty.
That's clearly an exaggeration, at least if taken generally and literally,
but it does seem that pet adoption is up significantly.
Since demand equals opportunity for criminals,
there's also been a spike in what Naked Security calls puppy scams.
These are like romance scams, only using cute pictures of dogs as the catfish.
You send your money in for an adoption, and that money's gone with nary a puppy in sight. So, animal adoption has become
popular fish bait during the pandemic, maybe even overtaking colloidal silver as a cure for what
ails you. If you're looking for an animal to adopt, there are reputable local shelters who
can put you in touch with a pet needing a home.
There are still dogs and cats out there who could use a home.
And animal, vegetable, or mineral, don't be fooled by cute pictures that turn up in your email.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health
and Homeland Security, and he is also my co-host over on the Caveat podcast. Ben, great to have you back.
Good to be with you, Dave.
You have an interesting story to share this week. This comes from Motherboard on the Vice website,
and it has to do with artificial intelligence and some stuff from the patent office. What's
going on here? So last year, there were two patents pending
in front of the United States Patent and Trademark Office.
One for a shape-shifting food container
and another for an emergency flashlight.
The interesting thing about these inventions
is that they were not invented by a human being.
They were invented by DABUS,
an artificial intelligence system.
Now, the system was created by a researcher, a guy named Stephen Thaler.
But the issue in front of the patent court was whether you could grant a copyright or patent interest in something created by a non-human, created by artificial intelligence. And the Patent and Trademark Office said that inventions,
that only human beings can be inventors.
Artificial intelligences cannot be inventors.
Only natural persons have the right to obtain a patent.
So until this decision came out, the law around this was pretty vague.
Patent law referred to individuals as entities that could be inventors.
Of course, the question was whether individuals just meant natural persons or artificial intelligence.
I mean, DABUS, the artificial intelligence system, according to some definitions, might be considered an individual.
And so finally, the Patent and Trademark Office
has provided some clarity here.
What other researchers have said is
they really should allow artificial intelligence
to be able to be granted patents and trademarks
because it's sort of analogous to a senior advisor
who has mentored a PhD
student into coming up with an invention. That patent should belong to the student, the person
who's learned from the inventor, and not to the inventor him or herself. And I think what the
court is saying here is you can't make that analogy. The PhD student is a living, breathing human being, unlike the robot artificial
intelligence in this case. So sadly, our robot friends and if you actually...
We put off our robot overlords for a little while longer. They're not able to get patents.
Yes, we've bided just a little bit of time. It's so funny that on the front page of this article,
there's a picture of various robot toys
and that they just look so sad
that their patents have not been granted.
But alas, only human beings can be granted
these patent and trademark interests.
You know, a couple of things this reminds me of.
One of them they bring up in the article here.
And the first is there was the case with the monkey taking a selfie of itself
and some folks trying to say that the monkey had copyright to the selfie.
And ultimately, the Copyright Office said that no, only humans can be copyrighted.
What I love about that is PETA went to bat for the monkey,
which I guess is very on brand for PETA.
It's not just trying to get us to stop eating meat.
It's let's grant intellectual property rights to monkeys.
But, you know, good for them.
But the other thing that this makes me think of, which is not quite so lighthearted, I suppose,
is that I remember when the laws about gay marriage were
making the rounds, and there was lots of discussion about that. You know, some folks on the right
would say, well, if two men can get married, two women can get married, why can't I marry a goat?
Right? Why can't we just, why can't it, and of course the response to that is, well, a goat is not a human being.
A goat is not, you know, can't have, there's no contract law that applies.
Marriage is a contract and you can't have a contract between a human and a goat.
And, you know, obviously a half serious argument to illustrate something.
But this reminds me of that also in that, you know,
humans have rights and machines and animals do not. I don't want to get too deeply into
existentialism here. I can't claim to be an expert, but there are some things that are
unique about human beings. We are aware of our own existence. We have emotions, we have feelings, we have dreams and aspirations. And machines, by and large, do not have those things. Although the more advanced the machines get,
you know, as you say, they will eventually be our overlords. Maybe they'll start to develop
some of those qualities. But yeah, I mean, there is a serious point in there that
only humans can be human.
And, you know, I sort of think that might be underlying the rationale for this decision.
Yeah.
Well, it's all a simulation anyway, Ben.
We are living in a simulation.
This is just one of many universes.
And we happen to be in one of the worst ones right now, unfortunately.
Oh, there you go.
Keep your chin up, Ben.
Keep your chin up.
I will try.
All right.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.