CyberWire Daily - Fancy Bear indictments. VPNFilter found in Ukrainian water-treatment chlorine plant. Comment spam. Speculative execution side-channel attacks. MDM exploits in India.
Episode Date: July 13, 2018
In today's podcast, we hear that Special Counsel Mueller has secured an indictment of twelve Russian intelligence officers for hacking during the 2016 US presidential elections. Ukraine finds VPNFilter in a water treatment facility. Comment spam returns. Speculative execution issues. Mobile-device-management tool used against smartphone users in India. The US Army directly commissions two cyber operators: congratulations, First Lieutenants. Ben Yelin from UMD CHHS on California's consumer privacy ballot measure. Guest is Martin Hellman, professor emeritus at Stanford University and known for his work on Diffie–Hellman key exchange. His new book is A New Map for Relationships: Creating True Love at Home and Peace on the Planet. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Special Counsel Mueller secures an indictment of 12 Russian intelligence officers
for hacking during the 2016 U.S. presidential elections.
Ukraine finds VPNFilter in a water treatment facility.
Comment spam returns.
Speculative execution issues.
Mobile device management tools have been used against smartphone users in India.
The U.S. Army directly commissions two cyber operators.
Congratulations, First Lieutenants.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for this lucky Friday, the 13th of July, 2018.
This afternoon it was announced that Special Counsel Robert Mueller,
who's been investigating matters related to hacking during the 2016 U.S. elections,
has secured 12 more indictments.
The accused are all Russian nationals,
all, in fact, officers of Russia's GRU Military Intelligence Service.
The indictment, unsealed a few hours ago,
outlines a conspiracy.
The GRU officers, the document says,
quote,
knowingly and intentionally conspired with each other and with persons known and unknown to the grand jury [...] presidential election, steal documents from these computers, and stage release of the stolen
documents to interfere with the 2016 U.S. presidential election. End quote. The charges
outline the now-familiar Fancy Bear story, which it traces to at least March 2016, when the
conspirators hacked email accounts of employees and volunteers working on Hillary Clinton's
presidential campaign,
including the emails of campaign chairman John Podesta. The indictment offers an interesting overview of Russian organization for a cyber campaign. Ground zero of the operation was 20
Komsomolskiy Prospekt in Moscow, where GRU Unit 26165 was located. Unit 26165 had, or has, a subunit whose mission includes, quote,
targeting military, political, governmental, and non-governmental organizations with spear phishing
emails and other computer intrusion activity, end quote. The typical phish bait used represented
itself as being from Google. Another subunit of 26165 was charged with malware
development, including the X-Agent implants used against the Clinton campaign and the Democratic
National Committee. There was another GRU outfit, Unit 74455, this one located at 22 Kirov Street,
Moscow, in a building the GRU calls The Tower.
This was where the sock puppeteers worked, and their part of the operation was to coordinate release of stolen documents through DCLeaks and Guccifer 2.0 personas, the promotion
of those releases, and the publication of anti-Clinton content on social media accounts
operated by the GRU.
Thus, DCLeaks and Guccifer 2.0 are explicitly called out as fake personas the GRU used to lend a veneer of hacktivism to their work.
DCLeaks represented itself as a group of concerned Americans,
at least three of whom, all catfish, had names.
Alice Donovan, Jason Scott, and Richard Gingrey.
This was a principal conduit for information operations.
So, Unit 26165 got the discreditable emails from the Clinton campaign and the DNC,
and Unit 74455 employed them in the GRU's information operations campaign.
The social engineering tactics are familiar ones,
spear phishing and impersonation of an individual's email address, off by just one character.
The malware implants included keylogging and screenshot functionality that enabled credential
theft. They began covering their tracks after the DNC, suspecting something was up, hired what the indictment calls Company One, almost certainly CrowdStrike,
to investigate and remediate the incident.
Part of the track covering involved the creation of Guccifer 2.0,
when the DNC said the Russians were behind the hack.
This persona asked to be taken at face value as a Romanian successor to the original Guccifer,
Marcel Lazar Lehel, a hacker of celebrities and politicians who's currently a guest of the U.S.
Bureau of Prisons. Guccifer 2.0 was not a particularly convincing imposter,
too obviously a camel that is a horse designed by committee, and not at all a hipster hacker.
The Russian officials are charged with various counts of conspiracy,
aggravated identity theft, money laundering,
and, of course, illicit access to computers.
It is, of course, unlikely in the extreme
that any of these GRU hoods will ever wind up in a Yankee courtroom,
but on the other hand, you never know.
Someone might go to the Maldives on a
honeymoon, or more likely a retirement vacation, there to be scooped up by local authorities and
handed over to U.S. Marshals for extradition. One more question. So much for Fancy Bear,
but is Cozy Bear feeling left out by all the attention her sister's getting?
It's worth noting that NATO's meetings this week
arrived at some resolutions committing to operations in cyberspace.
The discussions were particularly direct
in calling out hostile disinformation campaigns as a threat.
Reports this week offer new details on probable Russian information operations
directed against French and U.S. elections.
And President Trump has said he intends to ask President Putin about Russian hacking
during their upcoming summit.
The indictment should render that particular conversation livelier.
Ukrainian authorities say they've detected and stopped a VPNFilter attack against a
chemical plant engaged in chlorine distribution to water purification
plants. Details are still emerging, and the investigation is in its early stages.
VPNFilter is a modular attack platform that shares some features with dark energy,
well adapted to information stealing. It's not clear whether or how the attack might
have produced physical damage, but a cyber operation that touched water distribution would be alarming.
Cisco's Talos Group has found a carefully constructed, highly targeted campaign
against a small number of smartphone users in India.
The hack is interesting because it uses a mobile device management system
similar to those enterprises use for legitimate purposes
in order to gain control of its victims' phones.
Comment spam has resurfaced on WordPress blogs.
The malicious comments direct the unwary to World Cup betting sites.
Bloggers, click your comments with caution.
Following revelation of the spawn of Spectre chip issues,
Intel released notes on patches and mitigations
for newly discovered speculative execution side-channel vulnerabilities.
Chrome's site isolation feature is offered as a mitigation for Spectre-class bugs.
Russia resumes its path toward Internet autarky,
with its parallel Internet set to reach significant initial milestones at the beginning of August.
It may not make economic sense, but that's not the point.
Observers say it's technically possible,
but it wouldn't be the sort of thing you would attempt without a certain obsessiveness about controlling the flow of information.
Australia has succeeded in excluding Huawei from an undersea communications cable
that would serve the Solomon Islands and Papua New Guinea.
The cable transits Australian territory,
and authorities in that country have been concerned about the security threat
Huawei's participation might have posed.
And finally, the U.S. Army, as planned,
has issued its first two direct commissions into its new cyber branch.
The officers enter as first lieutenants. It's a sign of the times that the senior service is now looking for hacking chops the way it's traditionally looked for JDs, MDs, and RNs.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
As you may have heard, California recently passed some sweeping new privacy laws.
We spoke with legal expert Ben Yelin about the new standards as they were being voted on.
His early take on their importance holds up well.
So this is going to be one of several items on the California ballot this fall, as there always are. Being a native Californian, you have to read up, you know, on
100-page voter guides just to make it to the voting booth. And here we're going to, our
California voters are going to be voting on a very important issue, and that's the California
Consumer Privacy Act.
It's qualified for the ballot. It has a sufficient number of signatures.
And what the measure would do is it would give consumers the right to ask companies for certain information about them that is collected, sold, or disclosed to third parties.
And it would allow customers to ask to whom and where that information has been collected, sold, or disclosed.
Now, what's particularly unique about this measure is that it would give customers a potential cause of action, even if they cannot prove that their information was collected by a third party. So that's, you know, the main issue we see in a lot of litigations having to do with electronic privacy is that oftentimes a person does not know that
their information has been collected, whether it be by the government or some sort of third party
private organization. And under our constitution and under our legal system, you generally have
to have standing to make it in a court of law. You have to prove that you yourself have been injured. And that's often very difficult. What California is
attempting to do with this ballot initiative is establish standing by statute. So every customer
within the state would have a cause of action, even if they couldn't prove, even if they didn't
have any evidence that their information had been sold to a third party, they could bring litigation
against the entities that collected that information. And that would absolutely lead
to a lot of litigation, especially if word of mouth gets around that it's a successful way
for people to claim damages. Everybody wants their piece of the pie,
and it's something that could really tie up courts.
And I also think, you know, this is an instance where most of the major tech companies are located in California,
and I think they have to start thinking very carefully now,
five months in advance of the election, about compliance
and how they're going to adjust to a world in which this measure is adopted by the voters.
I also anticipate that there will be a lot of organized opposition to this.
Whether that proves successful, obviously most people in principle are going to want
to protect their personal information.
So it'll be interesting to see how the technological companies and their allies try to sway the public otherwise.
Now, given the size of California's economy, what would be the trickle down of this to how these companies deal with privacy for folks throughout the rest of the U.S. and the world?
Yeah, I mean, really, this is a scalability problem.
We saw it with what happened in Europe with GDPR,
where you had this new data privacy law,
and because such a large customer base was in Europe,
once the company has to change its policy for one jurisdiction,
all of us got a million notifications saying that Google's policies,
Facebook's privacy policies have been
updated. You know, it'll just become your standard business practice to adopt your
privacy standards. And, you know, I don't have the exact figures in front of me, but I think
California itself is the world's eighth largest economy. So, you know, if they're adopting these
stringent standards with such a broad customer base, I think it's going to be in the interest of the tech companies to adjust their privacy settings, their terms of service.
They generally don't want to have 50 separate terms of service arrangements with all 50 states in the United States.
So, you know, they're going to try to come up with procedures
and practices that comply with the most stringent standards. And if this measure were adopted,
the most stringent standards would be in California. All right. Well, we will keep an
eye on it as always. Ben Yelin, thanks for joining us. Thank you.
Thank you. My guest today is Martin Hellman.
He's Professor Emeritus of Electrical Engineering at Stanford University and perhaps best known for his invention of public key cryptography
in cooperation with Whitfield Diffie and Ralph Merkle.
In 2015, he won the prestigious Turing Award along with Whitfield Diffie. He's the author of a number of publications,
the most recent of which he co-authored with his wife Dorothy, titled A New Map for Relationships,
Creating True Love at Home and Peace on the Planet. In March 1975, the National Bureau of
Standards, as it was then called, promulgated or put forth a proposed data encryption standard for commercial, actually for governmental unclassified use, but for sensitive data.
And of course, it was going to become a commercial standard as well.
Whit Diffie, my partner in crime, and I realized that the 56-bit key size
was at best marginal. It's kind of like having a thousand combinations for a combination lock.
It's great for locking up your bike, but not so great for locking up $100 million worth of
information. And so we wrote some nice letters to NBS, which they pretty much ignored.
And after about six months, so now we're getting toward the later part of 1975, we started to get more pointed.
And we realized that this was, in fact, not a bug, but a feature.
NSA didn't want a publicly available standard that they could not break.
And so we started to contact Congress, the media, trying to create some interest in solving what was fundamentally a political problem.
And two high-level NSA employees flew out from Maryland to meet with us and told us, you're wrong, but please be quiet.
If you continue talking this way, you're going to cause grave harm to national security.
Of course, that makes no sense.
And so they were saying, yeah, right. Right. What they were saying is you're right. But if you keep talking this way, you're going to cause grave harm to national security. Their concern was
that in telling the American public, American industry, and even parts of the American
government how to protect their secrets better, we were also telling criminals, foreign governments,
and terrorists how to protect their secrets as well. It's an unavoidable trade-off.
And so I had to figure out what to do. Take me through that decision-making process, because as you describe it in the book, there's a good bit of nuance here.
Oh, it was quite amazing, yes. So I went home that night to figure out the right thing to do.
My intellect was telling me the right thing was to go public with this, that NSA should not make a decision all by itself in secret about what was best for the country because they were an interested party.
And on the other hand, the United States was, and is, the most computerized nation in the world,
whereas in those days, the Soviet Union, our main adversary, had almost no computers, especially in commercial use or personal use. So I went home
to figure out the right thing to do, because these NSA people were telling me just the opposite.
And while I'm trying to figure out the right thing to do, an idea pops into my head: forget about what's
right and wrong, you've got a tiger by
the tail. You'll never have a better chance to make an impact on the world, to be famous,
infamous, whatever. Run with it. Now, who would want to jeopardize national security
for those reasons? I mean, that would be egotistical. And so at the time, actually,
now I liken it to a movie. You know how the devil's on
an actor's shoulder and the angel's on the other side, whispering in his ear? Sure, that was the devil
whispering in my ear, and at the time I thought I was able to brush the devil off my
shoulder and make a rational decision to go public, that it was the right thing to do. But five years
later I realized that I had fooled myself. And while I did make
the right decision, and we do know that because Admiral Bobby Inman, who was director of NSA at
the time, has since said in an interview about four or five years ago that it was the right
decision, I realized that I had fooled myself about my motivation. Now, there's another part
of the book where you describe an interpersonal communication you had, interaction with Admiral Bobby Inman. He was the director of NSA in the late 70s. And you two got together, but you came into that meeting with some preconceived notions.
And this was 1978, so a couple years after that first meeting.
We had gone public.
We did have a fight.
There were congressional hearings.
And I get a call from Inman's office saying the director would like to meet with you if you're open to it when he's in California in a week or two.
I think it was.
And so I jumped at the opportunity because we had been fighting but never directly. It was all indirect, never talking to one another.
And Inman shows up in my office, let's say a week or two later. And the first words out of his mouth,
which I'll never forget are, it's nice to see you don't have horns. Because that's how I was being
described at NSA. That devil on my shoulder had been integrated into me in their eyes.
And I look back, I look back at him and I looked at his head and I said, same here, because I had been portraying NSA as the devil incarnate.
You know, and that's what people do in these fights.
And I have to give Inman the credit for opening that door.
There's one other thing he told me that was really important.
He said, I'm meeting with you against the advice
of all the other senior people at the agency,
but I don't see the harm in talking.
And that was an out-of-the-box way to think
and it's one that I've since adopted
both because of that and for other reasons,
primarily to save my marriage and to make my marriage better. Asking more
questions. My wife and I summarize it as get curious, not furious.
So our initial meeting, Inman's and mine, was very cautious,
but out of that we are now actually good friends,
and he signed a statement of support about eight or ten years ago that I'd
written up for work I was doing to encourage a risk assessment of nuclear deterrence. How risky
is it to depend on destroying the world in an effort to keep the peace? My own research leads
me to believe it's horribly risky, and I felt that the international scientific community should
look at this in more detail,
and Admiral Inman was one of the key signers of that statement.
Now he wouldn't have signed it if he didn't agree, but he also wouldn't have signed it if he didn't trust me.
Well, Marty, I have to say it was a real pleasure speaking with you.
Thank you so much for taking the time. I really appreciate it.
Like I said, it was a real honor and a real pleasure to get to spend this time with you.
Well, thank you, and thank you for reminding me of a wonderful period in my past life.
That's Martin Hellman.
His new book, co-authored with his wife Dorothy, is A New Map for Relationships, Creating True Love at Home and Peace on the planet.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and
cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up
for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.