CyberWire Daily - Following K3chang. Bulgaria’s tax agency breach. An alternative currency gets some incipient regulatory scrutiny. Why towns are hit with ransomware. A hair-care hack.
Episode Date: July 19, 2019
K3chang is out, about, and more evasive than ever. Data breached at Bulgaria's National Revenue Agency has turned up online in at least one hacker forum. Facebook's planned Libra cryptocurrency received close scrutiny and a tepid reception on Capitol Hill this week. Emsisoft offers some common-sense reflections on why local governments are attractive ransomware targets. Please patch BlueKeep. And a hair care product is vulnerable to hacking. Johannes Ullrich from the SANS Technology Institute with tips on ensuring your vulnerability scans are secure. Guest is Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States, and coauthor of the book The Fifth Domain. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
K3chang is out, about, and more evasive than ever.
Data breached at Bulgaria's National Revenue Agency has turned up online in at least one hacker forum.
Facebook's planned Libra cryptocurrency received close scrutiny on Capitol Hill this week.
Emsisoft reflects on why local governments are attractive ransomware targets.
Please patch BlueKeep, and my interview with Richard Clarke, co-author of the new book The Fifth Domain.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, July 19th, 2019.
ESET reports on recent activity of K3chang, an elusive threat group engaged in cyber espionage.
Most of K3chang's recent targets have been in Slovakia, Belgium, Chile, Guatemala and Brazil.
ESET studiously avoids attributing K3chang, but they do observe that since its discovery by FireEye in 2013, K3chang has been associated with China.
The recent campaigns show improved backdoors and greater evasiveness.
In MITRE's threat group taxonomy, K3chang is also known as APT15 and sometimes as Vixen Panda or Playful Dragon.
Hacked Bulgarian tax information has begun turning up in various discreditable hacker online neighborhoods.
ZDNet says that the person who posted it, a gentleman going by the name Instakilla,
obtained it from a download link carelessly displayed by a Bulgarian television news report.
Instakilla crowdsourced a solution to the password and has now made the data available.
He's not worried about doing so.
He's a Bulgarian citizen, but since he's not the original hacker,
Mr. Killa doesn't feel accountable for anything.
So he's got that going for him.
Maybe.
But the alleged original hacker has now been identified.
Computing magazine, citing Bulgarian sources, identifies the suspect as Kristian Boykov, age 20.
Mr. Boykov had been employed by TAD Security, apparently in a cybersecurity training role.
This is consistent with early reports that said the perpetrator was a white-hat pen tester gone bad.
Bulgarian social media are a-twitter with talk that some of his students were members of the police cyber squad that collared him.
So good job, Teach, although it's always better to get an apple on your desk than a set of steel bracelets.
In 2017, Mr. Boykov had exposed and disclosed security issues affecting the country's Ministry of Education, which publicly praised him for his efforts.
The present episode is therefore a sad comedown.
The police say that the tax agency hack wasn't even particularly artful.
This seems to be figuring in Mr. Boykov's defense.
His attorney suggests that Mr. Boykov was too skillful and resourceful to have pulled off what looks like the work of a skid, a script kiddie.
Skid or not, the data were compromised.
The way the case has proceeded is interesting.
Mr. Boykov would originally have faced up to five years in prison upon conviction, but a letter from Bulgaria's National Revenue Agency explained to the justice system that the data they lost wasn't really critical infrastructure, and so now a conviction seems likely to bring just a fine.
The National Revenue Agency isn't really making what the lawyers call an admission against interest here.
The agency is itself liable to fines over a data breach, perhaps as high as $22 million.
Facebook's plans for Libra received close congressional scrutiny this week.
The concerns are familiar, but the regulatory way forward is, as Wired points out, unclear.
Should Libra be regulated like a bank, an investment, a contract?
And how might necessary regulation preserve the decentralization that makes altcoins so interesting in the first place?
The Group of Seven's central bankers are also cool to the notion, at least in its pure buccaneering and unregulated libertarian form.
Emsisoft reflects on the recent wave of ransomware hitting U.S. local governments.
The firm suggests that counties and towns are vulnerable because of outdated systems and big attack surfaces.
Over a third of local governments rely on technology that's at least a generation behind the current state of the art, and the towns and counties offer so many different public web services that they're inevitably exposed to attack.
SC Magazine and others continue to report that hundreds of thousands of devices remain unpatched against BlueKeep.
Do give some thought to patching. If not for yourself, think of what you're doing to herd immunity.
And finally, as we all learned in elementary school,
fire is a good servant but a bad master.
So here's another thing to worry about that wouldn't have occurred to us before.
Hair straighteners can be hacked.
Now, for those of you in the security community
who aren't necessarily fashion-forward or especially grooming-conscious,
we'll explain what a hair straightener is.
A hair straightener is a device that uses heat to texture hair.
Since there's at least a marketing, if not always a clearly functional reason to render all sorts of devices smart,
this has now been done to some models of hair straightener.
But assuming you wanted a hair straightener in the first place, why would you want a smart one?
Well, so it could communicate with stuff to maximize your attractiveness, obviously.
In this case, Naked Security has an article describing one high-end product,
the Glamorizer Bluetooth Smart Straightener, which communicates with an associated Android Glamorizer app.
The problem is that the smart system is easily hackable,
as a researcher at Pentest Partners has demonstrated.
You could, if you so wished, remotely override the Glamorizer's temperature setting from a toasty but arguably bearable 248 degrees Fahrenheit to a super-Bradbury Fahrenheit 455.
That's hot enough to melt iodine, selenium or tin, and plenty hot enough to set your house afire.
Sure, the hacker would have to be in Bluetooth range, but how hard is that?
Anyway, dumb smart is perhaps worse than old-fashioned dumb.
Think twice before styling your hair with what amounts to a soldering iron.
Besides, trust us, your hair looks fantastic as it is.
And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back. You know, scanning your network for vulnerabilities is an important part of your regular cyber hygiene, but you wanted to talk today about some issues that could come up when you do that.
Yes, when you're running these vulnerability scans, one thing a lot of people are sort of concerned about is unintentional denial of service attacks and such. But there's another problem that actually one of our Storm Center handlers, Xavier, ran into recently. And that's the use of credentials in these vulnerability scans.
Now, a very simple vulnerability scan would basically just scan your network, check what servers are exposed, and report on that. But that's usually not all that useful. So what you do is you actually provide your vulnerability scanning system with credentials. It can log into systems and then find out in more detail what the system may be vulnerable to. The tricky part here is that in order to do this, the credentials being used by the vulnerability scanning systems often have some elevated privileges, and an attacker can actually take advantage of these credentials and use them then to attack your system if they're able to intercept a connection that is established by the vulnerability scanning system.
So these credentials are typically being sent in the clear?
Well, it really depends. If they're being sent in the clear, of course, then it's really easy. But in one particular case, if you're connecting to SMB file shares, so you have a Windows network, you're using SMB to connect to remote systems. In this case, you can launch what's known as an NTLM relay attack, where the attacker essentially is getting in the middle between the vulnerability scanning system and the target system, and then sort of playing them off against each other in order to gain access to the system without actually having to break any hashes or actually know any credentials that are being involved.
And so what's the solution here? What's the best practice to avoid this?
Well, first of all, I would not use any protocols that send credentials in clear text. So clear text protocols should be avoided anyway; you probably don't even need to then log in using your vulnerability management system. Now, as far as SMB is concerned, it's a little bit more tricky, because it's almost sort of a feature of some SMB versions. So your real solution here is to prevent that NTLM relay attack. You should do that by using SMB version 3 and by enabling SMB signing. That, of course, is only possible if you're using the latest versions of Windows.
Johannes Ullrich, thanks for joining us.
Thank you.
My guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counterterrorism for the United States.
Under President George W. Bush, he was appointed Special Advisor to the President on Cybersecurity.
He's currently Chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. The book is co-authored with Robert Knake.
So the military talks about things as domains, land, sea, air. And over the years, they added space as the fourth domain.
Now, in the last few years, the military have talked about a fifth domain, cyberspace,
where they expect cyber war to take place. So we're calling this the fifth domain because,
not just because the book is about cyber war,
because it's also about other things that take place every day in cyberspace,
including what happens to you as an individual, what happens to corporations.
It's not just about cyber war.
One of the points you make in the book, you say that the next major war will be provoked by a cyber attack. What leads you to that conclusion?
Well, the director of national intelligence this year publicly testified that the Russian government has hacked into the controls of our power grid, and that the Chinese government, the Chinese military, the People's Liberation Army, is capable of controlling or affecting our controls for our natural gas pipeline.
That, we suggest in the book, creates a situation of crisis instability, where if there is tension among nations, people are going to look around for, well, how can we do signaling? Or how can
we do an initial attack that's not going to end up in killing people? And the answer is going to
be cyber. We actually had proof of that a few weeks ago, when the Iranians shot down a drone,
and the United States wanted to retaliate, the normal retaliation package was given to
the president and he initially approved it.
And it was the traditional way of retaliating with cruise missiles and bombers.
But after a while, when they thought about it in the White House, they said, no, we don't
want to go that far.
Let's just start with a cyber attack because it seems easier, less bloody, less lethal.
But the problem with cyber attacks is they do destroy things, and they provoke retaliation.
And when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in a kinetic
or conventional war. The Pentagon's policy, publicly articulated policy, is that if the
United States gets hit by a cyber attack from another nation state, and if that attack is
sufficiently destructive, that we reserve the right to respond with a kinetic attack.
So we've said publicly, cyber attacks on us will not just be responded to with cyber attacks on you.
But it's different in cyber, and we hear that nation states are hesitant to demonstrate these resources for fear of burning those resources, that revealing them will make them less effective.
And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era.
Deterrence doctrine, MAD, Mutual Assured Destruction, depended upon people knowing that both sides had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage. And that's not the case in cyber. Also, in deterrence doctrine from the nuclear era, attribution was not an issue.
Attribution can be an issue with cyber attacks, because we now know that the Russians and the Chinese,
and apparently the Americans, use each other's cyber weapons to obscure who's doing the attacks.
And apparently we've all stolen each other's weapons.
But certainly nothing like that ever happened in the nuclear era.
We never had the Russians running around with the U.S. missile submarine, or vice versa.
So you're right.
We're reluctant to use a cyber weapon because once you've used it,
other people can figure out how it works and can build defenses against it.
And therefore we don't want to use a weapon unless we absolutely have to.
We can't demonstrate it.
And frankly, when we pull the trigger, we can't really be confident we know how well it will work
or what the defenses are that it'll have to overcome.
So cyber is a different kettle of fish than every other kind of combat,
every other kind of war.
Yeah, there's an interesting point you make in the book.
And you say that traditionally,
military strategists were looking for certainty
and that certainty was aligned with security.
But in the cyber domain,
uncertainty may be something that deters
military action. Can you explain that difference to us? Well, no military commander wants to attack
unless he knows there's a pretty good chance he's going to win. And in the case of cyber,
you really don't know when you launch an attack what defenses you're going to come up against.
Do they already know this attack technique? Will they allow you in and then shut you down?
And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, hey, boss, we don't know that this is going
to do the job.
That changes things.
And does that run counter to how military leaders are accustomed to thinking?
It's entirely counter to what they're used to thinking.
They have in the past always been able to exercise, simulate, have high probabilities of success,
know what the outcome will be. And with cyber war, they're not that sure.
When President Trump took office, there was some optimism that cybersecurity was going to be a
focus. One of his first executive orders was centered on cybersecurity. How has that played
out? Not well. He initially had a very good guy running cybersecurity policy from the White House,
the old job I had, and that was Rob Joyce from NSA, a very respected nonpartisan guy,
expert. And John Bolton, when he came in as national security advisor, got rid of
him and didn't replace him with anybody. So the old sort of cyber czar job doesn't exist. There's
no one really making policy or implementing policy across the board out of the White House.
The same thing happened in the State Department, where Rex Tillerson came in and wondered why there were people working on international cyber
norms and got rid of that office. They did, I will admit, the Trump
administration did write a really good national security policy, national
security strategy for cyber. I say it's really good because it looks a lot like the one I wrote
for Bush, but they haven't implemented it. Personally, I find it helpful in my own mind to
use public health as a metaphor for cybersecurity. If you look at the past hundred years of the
progress we've made where we've made tremendous strides in public health. And
it's not perfect. You can wash your hands and do the basics, and still every now and then you're
going to get a cold. Do you find that that's a useful comparison? No. I'm sorry.
Go on. Well, I know people are always struggling to explain cybersecurity in terms of something else that people already understand.
Right.
And one of the things that you hear a lot from people is, well, if you just have good cyber hygiene, then you wouldn't get hacked.
And I don't know what the hell that means.
I don't think anybody really knows what that means.
It's not a matter of good cyber hygiene.
It's a matter of spending money.
The companies that are spending 3% and 4% of their IT budget get hacked.
The companies that are spending 8% to 10% of their IT budget on cybersecurity do not get hacked.
That's nothing about hygiene.
It's about money.
So what's the take-home for the reader, the average person who's going about their life, their day-to-day, here in the U.S. and elsewhere? What's the message you want to send home with them?
Well, cybersecurity affects everybody and everything we do, from whether or not it's safe to go to a hospital and be strapped up to an IV drip machine or a heart-lung machine.
It affects who gets elected, how the election processes work. It could, if we had a bad day,
bring down an airline or bring down a power grid. And it can certainly mess your own personal life
up in terms of credit card theft and other records theft. So we have a
chapter in the book about what this means to the individual and what are the things an individual
can do to increase their own cybersecurity. So individuals should do those many things that can
improve their own security, but then they should be involved in the public debate
to urge corporations they deal with and governments they deal with
to remove the threats because we know how to do it.
Well, the book is The Fifth Domain, Defending Our Country, Our Companies,
and Ourselves in the Age of Cyber Threats.
Richard Clarke, thanks so much for joining us.
Great to be with you.
And we'll be publishing an extended version of my interview with Richard Clarke this Sunday.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.