CyberWire Daily - Espionage, influence, summits, and elections. What counts as a luxury? An iCloud warrant raises cryptowars speculation. Microsoft's GitHub acquisition. Facebook's coziness with Shanghai?
Episode Date: June 6, 2018
In today's podcast, we hear that TEMP.Tick and Turla are interested in the US-North Korean summit. That summit might not take up many cybersecurity issues. Where did North Korea get all that digital rope they want to hang the West with? It seems we competed to sell it to them, more or less unwittingly. Russian influence ops continue to give lies their bodyguard of truth. The FBI gets a warrant for a high-profile iCloud account. Microsoft outbid Google for GitHub—what will Redmond do with all that code? Facebook may have a complicated relationship with Shanghai. Johannes Ullrich from the ISC StormCast podcast on deserialization. Guest is Ameesh Divatia from Baffle on GDPR and cloud data privacy. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
TEMP.Tick and Turla are interested in the U.S.-North Korean summit. That summit might not take up many cybersecurity issues. Where did North Korea get all that digital rope they want to hang the West with? Russian influence ops continue to give lies their bodyguard of truth. The FBI gets a warrant for a high-profile iCloud account. Microsoft outbid Google for GitHub. What will Redmond do with all that code? And Facebook may have a complicated relationship with Shanghai.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, June 6, 2018.
The U.S.-North Korean summit, still on for June 12, approaches. According to security firm FireEye, interest in the meetings by other powers, notably Russia and China, is said to have prompted an increase in cyber espionage targeting South Korea. The two threat groups FireEye calls out specifically are TEMP.Tick, a Chinese outfit hitherto best known for its collection against domestic dissident or otherwise suspect groups, and Turla, best known for its Trojan of the same name. Turla is a Russian government group that's been active at least since 2008. It's generally believed to be associated with Russia's FSB.
North Korean operators have been relatively quiet with respect to U.S. targets, on relatively good behavior as leader Kim prepares to meet President Trump in Singapore next week. But North Korean hacking remains a matter of considerable international concern to the U.S. and others. That said, however, the summit may not address cybersecurity to any significant extent, at least if various advisors and members of the U.S. foreign policy establishment are listened to. Advisors and various policy mavens are recommending that President Trump concentrate on nuclear affairs, leaving cybersecurity for another time. Nuclear arms reduction will be a tough enough challenge, they say, without adding equally difficult cybersecurity tensions to the agenda.
But here's a question. The DPRK is more or less cut off from the larger global economy, yet its ruling elite seem to have little difficulty getting online, and its cyber operators continue to infest networks worldwide. So where does North Korea get the hardware and software it needs to operate online, particularly the tools its elite needs to use the Internet? Cyber intelligence firm Recorded Future concludes that they get it mostly from the U.S., but in roundabout ways, using spoofed identities or third-party cutouts. This part of its sanctions regime may be more porous than the U.S. government would like. The stuff Pyongyang has been able to get its hands on tends to be older but still quite serviceable. Items Recorded Future has been able to identify include iPhones, Windows XP and Windows 10 devices, Samsung Galaxies up to the S8 Plus, and MacBooks.
One of the more curious loopholes the DPRK has used to move goods involves differential interpretation of what counts as a luxury good. These are generally prohibited by international sanctions, and consumer electronics are commonly classed as prohibited luxuries, but varying national and UN criteria have contributed to a murky picture of this trade. As far as third-party enablers are concerned, some of these have been North Korean shell operators, Glocom and its network of front companies being a leading example, and of course some large international companies. ZTE is in American hot water, for example, over evasion of sanctions against Iran, but also over evasion of sanctions directed against the DPRK.
Concerns about Russian election meddling persist in the U.S. and elsewhere. These concerns generally come down to fear of influence operations and of amplified, divisive, hyper-partisan narratives, as opposed to direct disinformation. The goal fundamentally remains erosion of public trust and confidence in the institutions of civil society. Here again, lies receive a bodyguard of truth. There's usually some truth somewhere in even the most hyper-partisan narratives. In the U.S., Russian influence operations have made heavy use of trolling. In Europe, notably in Germany and Italy, they've tended to rely upon various mouthpieces and political parties whose platforms and interests tend to align with Moscow's goals opportunistically, and not as systematically as they did in the bad old Soviet days.
An international group is being formed to counter the effects of Russian influence operations. It will be called the Transatlantic Commission on Election Integrity. Its two co-chairs suggest a seriousness of purpose: former NATO Secretary General Anders Fogh Rasmussen and former U.S. Secretary of Homeland Security Michael Chertoff. We'll watch their activities with interest.
There are, of course, still secondary concerns about voting integrity in U.S. midterm elections. Security company Synack is offering U.S. state election officials free penetration testing to help them shore up the security of their systems.
The GDPR implementation deadline has come and gone, and as we wait to see how enforcement will take shape, security providers are still working overtime to get the word out on proper GDPR compliance. Ameesh Divatia is co-founder and CEO at security firm Baffle, and he joins us to share advice on taking a data-centric approach to cloud security.
It is no longer adequate to just comply with certain ways of protecting data. GDPR is different in the sense that if you lose the data, no matter how you protected it, you are liable. It doesn't just stop there. It goes a step further where it actually talks about the fact that security has to be always on, so always secure by default. And it has to be done by design. Security has to be implemented by design. The last thing that it actually says, which is relevant to what we do, is that any sensitive data actually be protected while it is being processed. This is Article 25. So during processing, not only do they say that it has to be protected, they actually talk about the fact that it has to be what they call pseudonymized, which means that it's either tokenized, it's masked, or the best form of protection is actually encryption. As it turns out, any of these privacy regulations, and actually every state in the U.S. has privacy regulations as well when it comes to data breaches and how those are revealed. When a breach happens, and if data is leaked and it happens to be encrypted, there is no requirement for it to be actually announced. You don't actually have to reveal the fact that you were breached if all you lost was encrypted data. So encryption is really the only safe harbor that's available for an enterprise when they get into a situation where the data is breached.
That's an interesting insight. So if an organization takes the effort to encrypt their data, that could save them a lot of headaches along the way when it comes to GDPR compliance.
Exactly. And again, it's very specific in the sense that if you lose encrypted data and the keys, you still have to reveal that. So there is a disclosure requirement for that. But if you just lose encrypted data and not the keys, there is no disclosure requirement.
So I suppose the rationale there is that if someone gets their hands on encrypted data without the keys, it doesn't really have a lot of use for them.
By definition, by mathematical proof, it is proven that if the data is encrypted, in a million years with all the compute products available in the world, you cannot break encryption. AES encryption, which is what we use, has that guarantee today.
One of the points that you make is that GDPR is going to have specific effects on folks using cloud services. What can you share about that?
Yes. So again, GDPR is actually the first regulation that is very broad-based in the sense that it doesn't really even apply to specific companies or specific geographies or where the data is stored. All they say is, if you are a resident of the EU, you have a right to your data being protected. So the data may be stored anywhere in the world, but as long as you are an EU resident and that particular data is stolen, that entity, the data processor that collected your data, is now liable. So that completely changes the whole story, because it really doesn't matter where the data is located. There are other data location requirements that are also specified, where certain countries require data locality. Data has to be in Germany or in Belgium. GDPR itself is not necessarily focused on that. It's only focused on the record itself, the individual data. By definition, when you talk about data locality, it completely goes out the window because you really don't know where your data ends up. And that's where we believe that this is going to really drive the need for what we would like to refer to as data-centric protection, or ways of protecting the individual record itself, and not just the environment, not just a file, or not just a specific repository. It's really about protecting data at the record level.
That's Ameesh Divatia. He's from Baffle.
Security researchers at cyber company Lastline have found at least three sophisticated keylogger variants in the wild. They're actively targeting financial institutions.
Cryptocurrency exchange Bitfinex is back online after sustaining a denial-of-service attack that took it down for several hours earlier this week.
Former Trump campaign manager Paul Manafort faces additional charges based on evidence the FBI collected under a warrant for his iCloud account. The FBI had enough evidence to obtain the warrant, and Manafort, who had encrypted his message traffic, found that this was insufficient to keep the Bureau out once they had access to iCloud. A number of observers think this investigative success undermines the Bureau's rather lonely campaign for what it calls responsible encryption, and what most other people call either backdoors or key escrow.
Microsoft had to outbid Google to buy GitHub. Mountain View is said to have competed for the open source code repository with Redmond. Redmond offered more. In fact, its $7.5 billion bid amounted to 25 times GitHub's annual revenue, which is a nice premium. To put this amount in the context of an acquisition in another industry, the aerospace sector, Northrop Grumman is buying Orbital ATK for $7.8 billion, a little more to be sure, but still in the same ballpark.
GitHub hosts open-source code. Orbital ATK provides, among other things, space launch services.
As Wired points out, GitHub hosts a surprising array of stuff, from Bitcoin code to the Federal Republic of Germany's laws and regulations. The code in GitHub's 85 million repositories includes software that enables the creation of things like deepfakes, non-consensual adult content, and even roll-your-own Xbox emulators, the last of which, for example, would hardly be welcome at Redmond on grounds of pure and probably legitimate commercial self-interest.
If Facebook and Twitter have trouble moderating content, what's Microsoft going to do about software whose purpose is to produce the content Facebook and Twitter are so tangled up about?
Speaking of Facebook, it appears the platform allowed at least four Chinese firms, including usual suspects Huawei and ZTE, to access its users' data, often without those users' consent.
This has raised senatorial eyebrows.
Facebook, after a little initial vagueness, acknowledged its partnership with Huawei to Senator Warner of Virginia.
And Facebook says it intends to wind up its surprising partnerships by Friday.
So get those friends while they're hot, People's Liberation Army Unit 61398.
Your relationship status may soon be changed to "it's complicated."
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents winning with purpose
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Johannes Ullrich. He runs the Internet Storm Center daily podcast, the StormCast, from the SANS Institute.
Johannes, welcome back.
Today, you had some things you wanted to share about deserialization.
What do we need to know about this?
So last year, OWASP added deserialization as one of their top 10 vulnerabilities. And people were a little bit confused by that, because it's not sort of one of those vulnerabilities you're often confronted by, like SQL injection or cross-site scripting. But I think they actually really hit the nail on the head here with that addition, because we had a number of high-profile deserialization vulnerabilities recently. For example, WebLogic, Apache Struts, and a lot of these frameworks. And that's where we have a little bit of a problem with this vulnerability. It often shows up in these frameworks, these libraries that you use. So it may not necessarily be code that you write. What this is all about is that, well, in languages like Java and .NET, you're dealing with objects. Deserialization takes essentially text and converts that into an object. Now, simply speaking, that's sort of data being converted into a variable. A variable you wouldn't really associate with anything bad. But with objects, your variable, so to speak, your object, contains data and code. So what can happen if you're not careful is that some of the data you're reading and that you're turning into this object actually triggers code. So deserialization is really, really dangerous, because it's actually code execution. And we have seen this, for example, with WebLogic being exploited many, many times, with Apache Struts, where all the attacker has to do is send you some XML. That's the text. And as the server parses that XML and converts it to an object, code is executed.
And so what are the protections against this?
What you really have to do as a developer is look at the function that's being used to read the data. You have to write sort of your own custom function here, not necessarily relying on some of the default functions. The default functions, they're doing, well, what they're supposed to do, but sort of without restrictions. So whatever comes, they're turning into an object. But what you have to make sure is that all the objects that you receive, well, are safe to actually deserialize. And one way to do that is to just write your own read function to do that. In some cases, if you authenticate and verify the data before you actually deserialize it, so you make sure you actually receive it from an authenticated source, you definitely, in web applications in particular, always should first authenticate before you accept and parse any data. So that's another sort of additional protection that you can perform. Or, you know, digitally sign data so it can't be altered by an attacker in transit. And that also helps to minimize the risk of deserialization somewhat.
All right. That's interesting stuff as always.
Johannes Ullrich, thanks for joining us.
Thanks.
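The two protections described in the interview above, a custom read function that only constructs the object types the application expects, and authenticating or signature-checking the data before it is parsed, shown as an added example that is not part of the podcast or of any project it mentions. The interview talks about Java and .NET; this uses Python's pickle, an analogous native object format in which deserialization likewise resolves class references named inside the bytes, because the same pattern applies and it runs stand-alone. The allowlist, the HMAC key, the record layout and both sample payloads are constructed for the example, and the payload that gets refused is deliberately harmless: the point is that the reader rejects any class it was not told to expect, not that it recognises a known-bad one.

```python
"""Added example: defensive deserialization with Python's pickle.

Demonstrates two controls: a custom read function that only constructs
the object types the application expects, and verifying a signature over
the bytes before any of them are parsed."""
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict
from datetime import date
from decimal import Decimal

# Allowlist of (module, class) pairs the custom reader may resolve (constructed
# for this example). Plain containers and scalars (dict, list, str, int, ...)
# are rebuilt from pickle opcodes and never reach find_class, so they need no entry.
ALLOWED_CLASSES = {("decimal", "Decimal"), ("datetime", "date")}


class AllowlistUnpickler(pickle.Unpickler):
    """The 'own read function': refuse to resolve any class reference that is
    not on the allowlist, so the incoming bytes cannot choose which code runs."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_CLASSES:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")
        return super().find_class(module, name)


def safe_loads(payload: bytes):
    """Deserialize with the allowlisted reader; raises UnpicklingError on refusal."""
    return AllowlistUnpickler(io.BytesIO(payload)).load()


def is_accepted(payload: bytes) -> bool:
    """True if the allowlisted reader accepts the payload, False if it refuses."""
    try:
        safe_loads(payload)
        return True
    except pickle.UnpicklingError:
        return False


# Sign-before-parse: authenticate the data before the reader sees it.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(payload: bytes, key: bytes) -> bytes:
    """Prefix the serialized bytes with an HMAC-SHA256 tag computed over them."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def verify_and_load(blob: bytes, key: bytes):
    """Check the tag first; the unpickler never sees unauthenticated bytes."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: data rejected before deserialization")
    return safe_loads(payload)


def is_verified(blob: bytes, key: bytes) -> bool:
    """True if the signature checks out and the payload deserializes."""
    try:
        verify_and_load(blob, key)
        return True
    except ValueError:
        return False


# Constructed sample inputs.
def expected_payload() -> bytes:
    """A record built only from allowlisted and opcode-level types."""
    record = {"account": "alice", "amount": Decimal("19.99"), "posted": date(2018, 6, 6)}
    return pickle.dumps(record, protocol=4)


def unexpected_payload() -> bytes:
    """Harmless, but it references a class (collections.OrderedDict) that is
    not on the allowlist, so the reader must refuse it."""
    return pickle.dumps(OrderedDict(account="alice"), protocol=4)


def tampered(blob: bytes) -> bytes:
    """Flip one byte of the signed body to simulate alteration in transit."""
    i = TAG_LEN
    return blob[:i] + bytes([blob[i] ^ 0xFF]) + blob[i + 1:]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; a real key comes from a secret store
    print(is_accepted(expected_payload()))                            # True
    print(is_accepted(unexpected_payload()))                          # False
    print(is_verified(sign(expected_payload(), key), key))            # True
    print(is_verified(tampered(sign(expected_payload(), key)), key))  # False
```

The order of the two checks matters: `verify_and_load` compares the tag before constructing a single object, so a forged or altered blob is dropped without the reader running at all, and the allowlist then bounds what an authenticated but buggy sender can make the process instantiate. The same structure applies to Java's `ObjectInputFilter` or a custom `resolveClass` override, where the allowlist is expressed as class names rather than (module, name) pairs.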
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.