CyberWire Daily - Escalation in the Gulf as a US air strike kills Iran’s Quds commander. Travelex and RavnAir continue their recovery from cyberattacks. Taiwan’s memes against misinformation.

Episode Date: January 3, 2020

The US and Iran trade fire in Iraq, and a leading Iranian general is killed in a US airstrike. A corresponding escalation of cyber operations can be expected. Currency exchange Travelex continues to operate manually as it works to recover from what it calls “a software virus.” There’s speculation that the RavnAir incident may have been a ransomware attack. And Taiwan adopts an active policy against Chinese attempts to influence its elections. Johannes Ullrich from the SANS Technology Institute on vulnerabilities in Citrix NetScaler installations. Guest is Derek Manky from Fortinet on what to expect in AI for 2020. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_03.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 The U.S. and Iran trade fire in Iraq, and a leading Iranian general is killed in a U.S. airstrike. A corresponding escalation of cyber operations can be expected. Currency exchange Travelex continues to operate manually as it works to
Starting point is 00:02:11 recover from what it calls a software virus. There's speculation that the RavnAir incident may have been a ransomware attack, and Taiwan adopts an active policy against Chinese attempts to influence its elections. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 3rd, 2020. In a case where the kinetic operations of a hot war can be expected to be accompanied by cyber operations, Iran has promised retaliation for the U.S. airstrike in the outskirts of Baghdad earlier today that killed Iranian Major General Qasem Soleimani, commander of the Islamic Revolutionary Guard's Quds Force. One of Soleimani's principal collaborators, Iraqi militia commander Abu Mahdi al-Muhandis, was also killed. The Quds Force is
Starting point is 00:03:06 responsible for unconventional warfare and intelligence. Its commander reports directly to Iran's supreme leader, the Ayatollah Khamenei. Reuters cites U.S. sources as saying the strike was intended to disrupt further plans by militia aligned with Iran to attack U.S. targets, including the U.S. embassy in Iraq. Iranian operations against U.S. assets and interests have long been asymmetric and, despite recent rocket and mob attacks, are likely to remain so. The Defense Department's statement quoted at length by The Atlantic said, quote,
Starting point is 00:03:41 General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region, end quote. The U.S. holds General Soleimani responsible for recent attacks on U.S.-led coalition bases, including one in late December that killed an American contractor. General Mark Milley, chairman of the U.S. Joint Chiefs of Staff, said yesterday, quote, General Soleimani was widely regarded as an effective leader who traveled widely and worked intelligently to build Iranian influence in the Arab world. He had overtly supported Iraqi Shiite militia, which accounts for his presence in the vicinity of Baghdad.
Starting point is 00:04:29 Observers expect an increase in cyber conflict, and The Telegraph took a look at the current state of Tehran's capabilities. Tehran claims to have some 100,000 cyber warriors, and while this total is almost certainly considerably exaggerated, Iran's capabilities in cyberspace aren't negligible. Most of their attacks in recent years have been directed against regional rivals, especially the threat group OilRig's campaigns against Saudi targets, but Iranian outfits have hit U.S. targets in the past. The U.S. Justice Department, for example, in February 2018, secured federal indictments against nine Iranian nationals associated with the Mabna Institute,
Starting point is 00:05:09 an organization that serves as a cyber operations contractor for the Revolutionary Guard Corps. Charges included conspiracy to commit computer intrusions, conspiracy to commit wire fraud, computer fraud, unauthorized access for private financial gain, wire fraud, and aggravated identity theft. The indictment alleges that their victims included approximately 144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies,
Starting point is 00:05:45 and two international non-governmental organizations. This, of course, represents a small sample of what Tehran's cyber operators might be capable of. Travelex, a major London-based international currency exchange, is still working to restore online services after finding what it called a software virus in its systems on New Year's Eve. The exchange is still able to conduct in-person transactions manually, and it has reassured customers that no personal data were compromised. Little information has been forthcoming about the attack on RavnAir, but it is known that maintenance software peculiar to the airline group's Dash 8 twin-turboprop aircraft was affected.
Starting point is 00:06:27 How or why the attack occurred remains unknown, but The Register quotes speculation that this may have been a ransomware incident. We stress this is speculation. The story is developing. The investigations are still in progress. Taiwan's government has adopted a rumor control program that appears to be enjoying some success, the Wall Street Journal reports, against Chinese disinformation campaigns mounted against the island republic's elections. Taipei's policy has combined a close relationship with social
Starting point is 00:06:57 networks to ensure swift takedown of coordinated inauthenticity with very active outreach to push back against fake news. When they find disinformation, they quickly debunk it in social media and try to have the debunking take the form of an easily understood and transmitted meme. This Tuesday, Taiwan's legislature passed a law President Tsai Ing-wen fast-tracked with a view to counteracting Beijing's influence operations. The new law makes political activities that serve external hostile forces crimes, and the proscribed activities include not only spreading disinformation,
Starting point is 00:07:33 but also making certain political donations and holding certain campaign events. The external hostile forces are, of course, to be found along the straits on the mainland. The program may hold some lessons for other governments concerned about hostile information operations during election seasons. It's only fair to note that Taipei's program hasn't been free of domestic controversy. The opposing nationalists, the Kuomintang, have charged that the whole effort is simply motivated to benefit the ruling Democratic Progressive Party.
Starting point is 00:08:06 The Kuomintang favors closer relations with China, which the Democratic Progressives do not. In any case, observers say they've seen some abatement in Chinese influence operations. But correlation isn't, of course, necessarily causation, and there is a school of thought that sees this as just a case of Beijing having concluded that the Kuomintang candidate doesn't have a realistic shot at winning, and so are just cutting their losses. One lesson other governments might study with profit is the apparent effectiveness of humor in developing memes against misinformation. One odd rumor that required debunking held that the government intended to fine hairstylists
Starting point is 00:08:46 who gave a customer both a dye job and a perm within one week and that the fines would amount to the equivalent of $33,000. The country's head of government, Premier Su Tseng-chang, took to Facebook with a picture of himself as a young man complete with a full head of hair and an accompanying picture of himself in his current state as an egg-bald 72-year-old. He captioned the post by saying, although I have no hair now, I wouldn't punish people like this. And he added a winking caution to the effect that dyeing and perming within seven days really damages your hair, and in severe cases you'll end up like me.
Starting point is 00:09:29 His post got about 56,000 likes and more than 6,500 shares. The young Mr. Su looks very serious, but the current Mr. Su has a big grin.
Starting point is 00:11:29 And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute. He's also the host of the ISC Stormcast podcast. Johannes, it's always great to have you back.
Starting point is 00:12:13 I know you have been tracking some issues with NetScaler, some Citrix things here. Can you bring us up to date? What are you looking at? Yes. So these devices are usually, well, your perimeter. So it's not that you could say, hey, just hide these devices deep inside your network. In particular, in configurations, we use the device, for example, as an SSL VPN endpoint to expose internal applications. There isn't really much you usually have in front of it. And that's exactly sort of the configuration that's sort of vulnerable here.
Starting point is 00:13:15 Citrix only published a workaround, meaning rules to block access to the vulnerable URLs. They have not actually published a patch yet. And with all the holidays affecting sort of 70% of the globe, I think this hasn't really gotten the attention it really should have gotten. Of course, you should apply the workaround really quickly. There is luckily no proof of concept exploit at this point. But I looked at the code on these devices. It's pretty messy. It's sort of what you would expect from a vendor that doesn't really worry too much about security, like any security vendor putting applications out there. It took me a day, maybe less, to sort of come up with a partial exploit for it. So I wouldn't be surprised if there is already some exploit
Starting point is 00:14:05 in the underground that's targeting specific devices. And that's really the game here, right? That's the race against time. When the vulnerability gets publicized, it's not just the good guys who are racing to develop a patch.
Starting point is 00:14:21 The bad guys are often running as well. Correct. And I think one reason actually that and I'm just speculating here, but one reason that Citrix did not publish an actual patch is that it would be very obvious what the vulnerability is. By actually publishing the workaround, they sort of gave you what you need to protect yourself for now without releasing too much details about your vulnerability. Like part of the vulnerability here is literally where they commented out part of the input validation. So some developer at some point decided, hey, that input validation is maybe too strict, maybe for debugging purposes.
Starting point is 00:15:00 They commented out. I guess QA got cut down along the way. So they didn't catch that when they made that code live about five years ago. And since then, this particular parameter, for example, has not been validated. Wow. Yeah. Isn't that interesting how things can just hang around
Starting point is 00:15:19 in the code for years and years? And I think it's a little bit of a trend these days where researchers and the bad guys are really looking at these perimeter devices closely. Users ask for more and more features in these perimeter devices, meaning more and more code that's now exposed at your perimeter. We have seen, for example, that FortiGate directory traversal vulnerability last year and a couple others. Basically, you know what you ask for: when you want more features, you'll also get more bugs. Right, right, right. They giveth and they taketh away.
Starting point is 00:15:51 All right. Well, Johannes Ullrich, as always, thanks for joining us. My guest today is Derek Manky. He's Chief of Security Insights and Global Threat Alliances at Fortinet. Our conversation focuses on artificial intelligence in cybersecurity. It's a topic that's been beat up quite a bit thanks to overzealous marketing in the sector, as Derek Manky addresses. If we look at AI as a whole, using machine learning models and actionable artificial intelligence on things like voice recognition and other applications
Starting point is 00:16:26 has been much more mature. Looking at cybersecurity specifically, there has been a lot of overreach, I think, with it. When you look at marketing of AI as this universal solution that's going to be introducing self-healing networks and all of these things. Well, I think that's certainly part of the future. The reality where we sit today, I believe we're entering into a second generation. So backing up around two to five years ago in cybersecurity, most applications of AI have been antivirus-driven. Machine learning models that have been put in place specifically to recognize malicious code patterns to be able to, you know, recognize that, push out signatures to block those,
Starting point is 00:17:10 right? That's been a traditional approach to AI. It's been a monolithic model, meaning that it's cloud-based. So it's basically one learning node where, you know, all the viruses will feed in and you can do through that model, do the processing and then push out some sort of decisive pattern to other organizations where those security appliances sit to be able to act on that. So in reality, what we need is an actionable AI system, right? Artificial intelligence that can actually take decisive action with a very low risk of false positive. And again, right now, the current state of the industry is this first generation of AI, which is mostly driven towards code blocking and antivirus. And so where do we stand in terms of that next generation being within our reach?
Starting point is 00:18:01 Yeah, so we're starting to enter this now. I'm seeing it around the industry. We're also doing this at Fortinet as well. And what I'm seeing is that basically in the second generation is extended reach to those learning model nodes. So instead of just having this monolithic brain, if you will, in the cloud, that's doing all the processing
Starting point is 00:18:23 and that's relying on everything to input into it. We're seeing now extended reach in the second generation of AI, which is a regional learning system. So now you're basically extending the same success that you've had for machine learning models in the Cloud, and putting them onto on-premises, so regional sites, different verticals,
Starting point is 00:18:44 different environments, different nodes of inspection for traffic, different types of traffic. All of this now is entering into the second generation of AI, where those regional learning nodes extend into the cloud. So now they're also collecting data and feeding the cloud based off of its learned results, right? So then the cloud model can still take that extra input from these regional brains, do some additional processing and crunching, and then distribute that out to security appliances. You know, I think there's been so much messaging about AI, so much marketing, and even to the point of hype.
Starting point is 00:19:24 Do you have any insights on the organizations who are offering these services? How should they be formatting their messaging? How should they be getting the word out to the folks who might be buying these things to kind of cut through that hype, to spread the word about what it's really useful for? In the security industry, most people rely on data sheets, and those can be quite biased sometimes, right? I mean, it depends on your data sets, on your test environments, and all those things. I really believe in third-party testing, right? So, you know, we do this with NSS Labs as an example, ICSA, VB100, which does testing for proactive
Starting point is 00:20:01 detection. Again, these are the sorts of things I think, I believe you really have to put the rubber to the road and from a marketing campaign standpoint, show that this can be effective, show use cases, show examples, like real world examples that we're actually seeing out there, not just numbers on a data sheet, right? I think that's a really good approach. It's easy to walk through things like, you know, APT groups.
Starting point is 00:20:27 Quite recently, a big engineering project that we're taking at Fortinet is playbook development, so creating playbooks on attackers and adversaries, and then really showing how your technologies can relate to these real-world attacks that are quite well documented now. You know, MITRE documents a lot of other things too. So, I mean, it's an education standpoint for people to be more aware of these threats, but also show how AI can stack up to that. You know, especially it gets even more important and interesting, I think, as we enter into the third generation of AI.
Starting point is 00:20:59 I mean, it's 2020 now. We've just turned into 2020, but not really that far away, I don't think. And what can we expect to see when it comes to that third generation? In the future, I believe that we're going to get into this federated machine learning models where you have different devices doing their own machine learning, but peer to peer. So talking to each other and being able to pass data. So it's much quicker and then actually, you know, be able to act on that data. So it's like a regionalized response, completely on-premises. So more of a distributed AI as a system model. That's going to allow for a lot of fascinating cases, I think. Obviously,
Starting point is 00:21:37 you have a much quicker response, which is, by the way, incredibly important because I often talk about the weaponization of artificial intelligence, how attackers are going to be able to leverage AI to, you know, get in and out of networks much quicker. So yeah, the future of these, this federated machine learning model, where you have all these different parts of the attack surface that you're covering with different machine learning nodes, appliances and models that can all interconnect and talk to each other. You know, only then I think once we get into that model that we can start getting into these, I think what's been kind of promised before, talked about, this futuristic scene of, again,
Starting point is 00:22:15 autonomous security, self-healing networks, and so forth. A big journey that we're going into is threat intelligence. So I think artificial intelligence, applications of that for threat intelligence is also going to be a very important thing in the future. We're already starting to use it. What we're starting to see now, you know, with threat intelligence is using AI to build playbooks, right? And so playbooks are obviously a complete guided map, mostly using the MITRE ATT&CK framework, but a complete guided map to how an attack group is moving. You know, what regions are they operating in?
Starting point is 00:22:51 What verticals are they hitting? What's their infrastructure look like? What do their tools look like? How are they moving? A lot of that's pattern-based, right? And so by using machine learning and artificial intelligence for threat intelligence is really important because it starts exposing, you know, it's a lot quicker to see things that the human eyes can't
Starting point is 00:23:09 see, you know, exposing patterns, exposing, doing trending and forecasting to attacks and how they've been moving and where they may move in the future. So predictive analysis as well. That's also a really interesting scenario that we're already starting to unravel a bit. So, you know, interesting things, right? That's Derek Manky from Fortinet.
Starting point is 00:24:07 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
