CyberWire Daily - DPRK RAT in the wild. Vulnerable WPA2 4-way handshake implementations. Black Hat notes. Sanctions and retaliation. RoK to reorganize Cyber Command. PGA and ransomware.

Episode Date: August 10, 2018

In today's podcast we hear that US-CERT is warning of a North Korean RAT. Researchers find vulnerable WPA2 handshake implementations. A sales call results in inadvertent data exposure. Notes on Black Hat: circumspection, hype, barkers, and artificial intelligence. Russia braces for US sanctions and promises retaliation. South Korea will reorganize its Cyber Command. The PGA is hit with ransomware. Guests are Andrei Soldatov and Irina Borogan, authors of the book The Red Web.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. US-CERT warns of a North Korean RAT. Researchers find vulnerable WPA2 handshake implementations. A sales call results in inadvertent data exposure. Notes on Black Hat:
Starting point is 00:02:09 circumspection, hype, barkers, and artificial intelligence. Russia braces for U.S. sanctions and promises retaliation. South Korea will reorganize its Cyber Command. And the PGA is hit with ransomware. From the Black Hat Conference in Las Vegas, it's a nice place to visit, but I wouldn't want to live here, I'm Dave Bittner with your CyberWire summary for Friday, August 10th, 2018. US-CERT has warned of a new remote-access Trojan released by North Korea. McAfee and Intezer have conducted joint research into Pyongyang's attack tools,
Starting point is 00:02:53 and they've found considerable code reuse. Some of the code that continues in use goes back to 2009's Brambul, one of the earlier malware strains to come from the DPRK. Code reuse is an obvious labor saver. Intezer is particularly confident that DPRK code reuse offers strong evidence for attribution. They call it the malware's DNA. More evidence of the importance of secure implementation comes from the Netherlands.
Starting point is 00:03:27 Researchers at KU Leuven report finding vulnerabilities in implementations of the widely used WPA2's four-way handshake. And Engadget reports that Amazon Web Services accidentally exposed GoDaddy information in the course of a sales call with a domain host. Sales staffs, take note. This isn't how you become a closer. Black Hat has wrapped. The event was an occasion of expected hype
Starting point is 00:03:52 but also some introspection by the security sector. The initial keynote by Google's Parisa Tabriz urged those in attendance to commit to the long work of enhancing security by working through fundamental causes, picking well-thought-out, achievable objectives, and working toward increased collaboration with those outside the security industry. Tabriz, who leads both Chrome Security and Project Zero at Google, offered what amounted to a plea for well-structured, modestly hyped, and disciplined engineering. And there did seem to be some introspection going on,
Starting point is 00:04:27 albeit mediated by more noise than a state fair's midway. Curiously, the barkers' pitches in the booths that packed the exhibit floor seemed more modest and introspective than did many of the briefings, which tended toward spectacle and alarmism. The Martians have landed, and the man is out to get you. If there was one theme that emerged from listening to the barkers, who, it must be said, were often quite interesting, it was that the industry recognizes one of the first principles
Starting point is 00:04:56 of North American economic reality. Capital is cheap, and labor is expensive. The solutions they pitched offered to save the users time. That's not simply time to detection or time to response, but the time employees would need to commit to using the solution, defending an enterprise, or remediating an attack. The solutions on offer also promised that they would de-skill some of the more advanced forms of technical expertise, thereby enabling junior analysts and other personnel to function at higher levels. Artificial intelligence was,
Starting point is 00:05:31 as expected, very much a presence on the floor at Black Hat. The vendors offering artificial intelligence and machine learning were too numerous to count. There was some healthy skepticism about the larger and more extreme claims for AI. We stopped by one of the leading AI security firms, Cylance, well known for its commitment to using artificial intelligence in security solutions, and asked if they would claim complete detection of unknown threats with mathematical certainty. Their quick, direct, reassuring, and justifiably irritated answer was, of course not, no one can do that, it's impossible. But that AI has considerable utility in security seems beyond question.
Starting point is 00:06:11 Perfect insight and omniscient detection aren't preconditions of usefulness. One vendor that wants very much for people to understand why algorithmic certainty is impossible with respect to detection is Comodo. They were keen to explain that detection of unknown threats is a formally undecidable problem, a fact they think is insufficiently appreciated. Their alternative to what they would describe as naive and dangerous reliance on machines is default-deny protection coupled with default-allow usability. This morning, Comodo issued what it calls a zero-day challenge, inviting AV users, endpoint security vendors, and others
Starting point is 00:06:52 to submit any malware sample of their choice. The company will run it through its Valkyrie verdicting engine to see if the samples pass through. Comodo promises to publish Valkyrie's failures as well as its successes. The company's CEO, Steve Subar, views the challenge as a contribution to cutting through what he sees as industry hype. He also sees it as a contribution to better, more transparent testing of tools and services. The Russian government is bracing for U.S. sanctions and has promised retaliation in kind.
Starting point is 00:07:26 The U.S. sanctions are directed first against Russian breaches of chemical weapons treaties in the Novichok incident, which Russia denies, and second against election meddling. The second class of sanctions, which Russian sources suggest the Kremlin thinks are soon to be tightened by the U.S. Congress, appears to be the more threatening. Russia also continues to deny election-related influence operations, but few believe that either. A full-blown series of tit-for-tat sanctions would seem to play into U.S. strengths. It's difficult to see the economic bite Russian measures against the U.S. might have,
Starting point is 00:08:02 so there may well be an upsurge in cyber operations against U.S. targets, whatever Moscow might be saying now. South Korea's troubled cyber command is about to undergo reorganization. Seoul's Defense Reform 2.0 plans will rename the organization as the Cyber Operations Command and strip it of its former responsibilities for psychological operations. The Republic of Korea knows it lives in a very rough neighborhood of cyberspace and it wants a dominant capability there,
Starting point is 00:08:34 but it also doesn't want a repetition of the domestic election meddling scandals Cyber Command had become enmeshed in. Finally, the PGA was hit with a ransomware attack just before its current golf championship tournament got underway. Investigation and remediation are in progress, but there's widespread speculation that the ransomware used was a strain of BitPaymer. The hoods want their ransom in cryptocurrency. The Register's headline and deck are worth quoting. Oh, for putt's sake. Golf org PGA bunkered up by ransomware attack just days before tournament. That's rough. Bet they were well teed off. If you've been looking for a pun, forget about it. The Register's headline writers
Starting point is 00:09:20 have used up the world's supply. Well done, Register. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:09:43 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:10:08 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
Starting point is 00:10:40 done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:53 Last night, as the Black Hat conference was winding down, our partners at Terbium Labs hosted a special event featuring a discussion with Russian authors Andrei Soldatov and Irina Borogan. Their latest book is titled The Red Web, the struggle between Russia's digital dictators and the new online revolutionaries. Our first book, which was published in 2010, was about Russian security services. But a few years later, by 2011, when we got the so-called Moscow protests prompted by the Arab Spring to some degree, we realized that new technologies, specifically social media, became a very important thing for the Russian political life. And we decided to look into what's going on with the Russian Internet.
Starting point is 00:12:38 And as it happens, it was the moment the Kremlin started paying attention to the Internet and actually started a huge offensive on internet freedoms. And right since 2012, we got all kinds of things from internet filtering, censorship, and advanced surveillance. So actually, the book is a combination of these things. It's an investigation of how we got to 2015-2016 in terms of internet freedoms and connectivity and activities of activists and journalists and so on and so forth. So for our listeners here in the United States, how is it different in Russia than it is here
Starting point is 00:13:18 in terms of how the surveillance state is run and operated? You know that here in the United States, your security services have big possibilities to intercept electronic information and surveil on people because you have the best communications in the world and the best surveillance facilities and also data storage. Russia is a country not so advanced in technical direction. They mentioned, but this is an authoritative state, so the authorities are very interested on gathering information on people, especially on citizens, especially if they are some kind of dissidents or some
Starting point is 00:14:07 kind of opposing the Kremlin or just have another point of view than the Kremlin. So if here in the United States mass surveillance is in place, in Russia they are talking about targeted surveillance, and the targets are activists, opposition politicians, dissidents and people with different opinions than the Kremlin. Part of what your book covers is the rise of President Putin. Can you describe for us how did his rise to power parallel how they're doing things when it comes to surveillance and how he chooses to go about that? Yeah, it's actually quite interesting that when Vladimir Putin became the chief of the Russian Security Service in 1998, that was exactly the moment that the FSB got interested in the 1990s a system of surveillance we inherited from the Soviet Union,
Starting point is 00:15:06 which mostly dealt with phone lines and regular phones. And it was very totalitarian because it was mostly actually developed by the KGB. It was updated, but nevertheless it was still a KGB creature. So what the FSB decided to do in 1998, they decided to apply the same scheme to the Internet. And back then it was mostly about emails. And Putin as director of the FSB promoted this idea, despite the resistance, and lots of ISPs, Internet Service Providers, were against it, because they were forced to pay for this new equipment. We got lots of protests.
Starting point is 00:15:45 Civil society was very against it. But nevertheless, he pushed. And we got this legislation already by 1999. And he had a very first meeting with internet entrepreneurs. Surprisingly, he was quite liberal at this meeting. And he said some good things about Internet liberties and freedoms because he saw that these people in the room
Starting point is 00:16:09 were mostly loyal for him. So it looks like for years he got this system of surveillance, but nevertheless he didn't see the Internet as a big threat. And it's all changed in 2011-2012,
Starting point is 00:16:26 when we got the Moscow protest. And Putin got scared, actually, because he believed that the internet, actually he said that, that the internet was created by CIA. And he still believes this, and he believes that the US State Department is always busy with developing a new scheme, ominous scheme
Starting point is 00:16:49 to undermine his regime. And that's why he introduced a lot of legislation, a lot of repressive things. Now, for the two of you being journalists in Russia, we hear stories of certainly about journalists being killed, often under mysterious circumstances. I mean, as investigative journalists in particular, is this a concern for you? Yes. There are a lot of concerns for every honest journalist in Russia,
Starting point is 00:17:17 because the situation is not very favorable for them. If you tell truth to the people, you're in some kind of danger. It's also, and maybe this is a bit more subtle, not only about intimidation and killings, but the problem is that you might be deprived of your access to your audience. For, we have our books published in the United States, not because we are so, well, obviously it's a fascinating opportunity, but of course Russian journalists want to have access to the audience of their own country. The only way to get to our audience is to get our book published in the United States and then patiently wait for a translation, which could happen and could not happen, because now it's up to the Russian publisher who would be brave enough to buy the license and to translate our book into Russian, written by Russian journalists. So it's a tricky scheme, but it sort of gives you a picture of what's going on.
Starting point is 00:18:29 What do you make of what I think we perceive as a puzzling relationship between our own president, President Trump, and President Putin? From your perspective, from the other side of things, how do you interpret that? It's difficult to interpret, because the last meeting was so surprising for us, because Trump showed himself as quite weak and Putin demonstrated that he is in power. So it was tricky, and for me it seems like Putin really has some compromising materials on Trump. And also, to be honest, we tracked these things back in 2016 when you got the election compromised by hackers. And it was absolutely clear from Moscow that Trump was a kind of favorite candidate for the Kremlin.
Starting point is 00:19:23 The Russian TV everywhere, Trump was promoted, and Hillary Clinton was attacked all the time. But to be honest, it looks like they slightly overdid it in a way, because nobody actually believed back in 2016 in Moscow that Trump could be the next president. What they tried to do, they tried to weaken Hillary Clinton.
Starting point is 00:19:45 And it looks like they overdid it. And to be honest, after that, I had some conversations with some officials from the Kremlin, and they told me that, quite frankly, they would prefer now Hillary Clinton because she's much more predictable, even for Moscow. That's a really interesting insight. For the average citizen in Russia, what is their perspective on privacy and their relationship with the Internet? Moscow and you might get in a room maybe 12 people, maybe 10, because people were not really interested. But then the Kremlin made a huge mistake.
Starting point is 00:20:30 They did two things. First, they banned one of the biggest websites when you can share videos for free and you got the number of Russian users of Tor network skyrocketing to the position number two in the world, actually. And then they tried to block Pornhub. That was a huge mistake. And we got the first position, actually. So now if you check the number of users of Tor in the world, well, it was for the United States to occupy the first position.
Starting point is 00:21:04 Now it's Russia. So finally, they got this message that they should care about privacy, they should care about circumventional tools, and they should care about secure messengers. So now it's getting more and more popular. Yeah, that's fascinating that the blockage of Pornhub
Starting point is 00:21:23 provided a powerful motivator for people to learn how to use privacy enhancing tools. privacy online, and it was impossible to explain to them that things don't matter. But after that, they need access to Pornhub and to other information, and they start using circumvention tools. That was great. Our thanks to Andrei Soldatov and Irina Borogan. Their book is The Red Web, the struggle between Russia's digital dictators and the new online revolutionaries. Special thanks to our friends at Terbium Labs for hosting the event and coordinating the interview. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:22:23 It's a necessity. That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:24 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:23:47 Thanks for listening. We'll see you back here tomorrow. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
