CyberWire Daily - German police have a suspect in #hackerangriff. Cyber espionage awareness campaign. Cyber cold war in the offing? US political operators learn from Russian trolls. WikiLeaks on the record.

Episode Date: January 8, 2019

In today’s podcast, an arrest has been made in #hackerangriff: a student in the German state of Hessen. The US begins a campaign to heighten businesses’ awareness of cyber espionage. Observers see a coming “cyber cold war,” with China on one side and a large number of other countries on the other. Facebook is following a widening investigation into the use of inauthentic accounts, ads, and sites in recent US elections. WikiLeaks’ lawyers tell news media to stop defaming the organization and its founder. Emily Wilson from Terbium Labs on the nine lives of a credit card. Guest is Robb Reck from Ping Identity on NIST password guidance. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2019_01_08.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An arrest has been made in the German doxing case. The U.S. begins a campaign to heighten businesses' awareness of cyber espionage. Observers see a coming cyber cold war with China on one side and a large number of other countries on the other.
Starting point is 00:02:18 Facebook is following a widening investigation into the use of inauthentic accounts, ads, and sites in recent U.S. elections. And WikiLeaks' lawyers tell news media to stop defaming the organization and its founder. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 8th, 2019. The BKA, the German Federal Criminal Police, have made an arrest in the doxing case. They pulled in a 20-year-old man, a student in Hessen. The suspect has not been named publicly, presumably because of his relatively tender years and German privacy laws. He had no previous criminal record and was living with his parents. He told police that his motivation was anger and disaffection with politics generally. The Frankfurter Allgemeine says that one of the
Starting point is 00:03:12 suspect's acquaintances, a 19-year-old from Heilbronn who works in IT, is being questioned as a witness but is not himself a suspect. The student who's been arrested says he worked alone and the authorities appear to think that's correct. A more extensive report will be out from the Justice Ministry later this week, but it's worth reviewing some of what's known about the case. First, a great deal of material was collected and leaked, for the most part through a now-suspended Twitter account, belonging to someone who went by the nickname God, with the middle character a coy zero as opposed to an honest O. Second, the material wasn't particularly discreditable or scabrous. It was anodyne, things like rental car agreements. Third, it affected all political
Starting point is 00:03:58 parties except one far-right group, the AfD, or the Alternative for Germany. And fourth, speculation about attribution centered on two theories. It was generally believed that the long-running doxing was the work of either the Alternative for Germany or, naturally, the Russians. The AfD's apparent immunity to doxing struck people as fishy, and a bet on Russian mischief is usually a safe one. Unlike, say, our Baltimore Ravens, Moscow almost always covers the point spread. But in this case, no, it was an apparently solitary and alienated student. The lesson, again, is that attribution is a dicey business. The BKA says the student made a full confession, said he acted alone because he
Starting point is 00:04:46 was annoyed by his victims' public statements and wished to expose them. The police also say there was no apparent political motive, except of course insofar as annoyance with public figures counts as a political motive. Concerns about Chinese cyber espionage persist and even spread, with some observers thinking that Beijing may be badly overplaying its hand, particularly with respect to its detention of Canadian citizens in apparent and obvious retaliation for the arrest in Vancouver of Huawei's CFO. The U.S. government, with the NCSC in the lead, yesterday warned companies of all sizes about the threat of cyber espionage. NCSC is undertaking a public education and awareness campaign to recommend best practices for self-protection. Chinese espionage is the principal concern, but such best practices would be broadly applicable to a range of threats.
Starting point is 00:05:44 NIST recently finalized their updated password recommendations, NIST 800-63B Password Guidance, and there are several notable changes in their recommendations from previous versions. Robb Reck is Chief Information Security Officer at Ping Identity. He joins us to review what's new. In June of 2017, NIST released new password guidance. And this password guidance took the place of the old guidance that we're all familiar with, which is the, you know, eight characters, upper and lowercase with a number and a special character as a part of it. And really has a more holistic or programmatic way of looking at password requirements. So there's a lot of different details, including different levels of assurance that you need to look at.
Starting point is 00:06:33 But I think it really boils down to a few key changes that I can summarize. Number one, they do have a minimum password length of eight characters, which is not a change. Although they say they do now enforce that you need to have a longer maximum. So that's one of the challenges you'll see in a lot of implementation of passwords is that they'll have a maximum password length, sometimes as low as eight as well, or maybe 20 characters. And they're saying your maximum has to be at least 64 characters. And of course, it's better if you can have a higher maximum than that. They specifically say all printable characters should be allowed, including spaces.
Starting point is 00:07:06 This, of course, enables people to do things like have passphrases instead of having just a normal password. And then a big change is they get rid of the complexity requirements. They're no longer saying you have to have a number, you have to have a special character as a part of it. And they're also getting rid of the requirement around having a schedule-based password expiration. So we're all familiar with this expectation that your password expires every 90 days or so. So how do they do this, right? It sounds awfully dangerous. Well, the way they do it is they now are requiring that every password that you consider using gets compared against a database of known bad passwords. So you may be familiar with Troy Hunt's Have I Been Pwned database. Sure. A good example of one of those. So every password as it's being set or used
Starting point is 00:07:51 should be compared against that database to see is it known to be bad out in the wild. So that helps mitigate some of that risk. You know, as you start thinking about all those easy passwords someone could use if there's no complexity, well, all those passwords are already going to be as a known breach password, right? They also require that MFA is a requirement for any sensitive password, at least, and they have removed SMS as an acceptable two-factor to use as your MFA. So between the known breached list of passwords and MFA, they believe they're getting pretty good security. For the folks who fall under this, the folks who are actually out there on the ground who have to use this, what are the practical implications? Yeah, you know, I'd say number one, it is a lot better usability for your users. They, you know,
Starting point is 00:08:33 they don't have to go change and learn a brand new password every eight months, as long as they haven't been breached. But it isn't super easy to implement. You know, we don't have yet, like Active Directory doesn't have a really easy way for you to do this on-premise. Microsoft has been working on it in their Azure AD, and companies like Ping have found ways to implement this with our solutions. But if you're just trying to do it on your normal on-premise system, it's not a plug-and-play setting to turn on in your AD. So you have to think about things like, where do you put this? If you can do it in the directory itself, that's good. But if you don't have a directory that supports it,
Starting point is 00:09:10 you need to do it inline, maybe through a password-changing website. Or maybe if you have single sign-on through the place where you're signing in, you can implement that password check. So you're seeing, is this a breached password? Is this a known good password? So while it's not too bad to check passwords, you know, while they're sitting in the directory itself, it might be easier for you to check it as they're signing in. So you're getting that password in clear text and you're not having to compare a hash.
Starting point is 00:09:35 You actually get the real password itself that you can hash on your own. Because one of the elements you have trouble with is if you're salting your passwords and you definitely should be salting your passwords, you can't necessarily tell from the hash what password it is you're looking at. Now, these are guidelines from NIST. So what is the authority behind these? Is it up to individual agencies to say, yes, we're going to adopt these, and so these are the rules here from now on? Yeah. So the expectation is over time, this is going to become the de facto
Starting point is 00:10:05 password standard for the industry. NIST is the one who created the original standard. And if you look at the vast majority of our corporate security policies and standards out there have adopted NIST's guidance to do it. And as a vendor, myself running security at a vendor, I have a lot of customers who are expecting me to stay up to date with what is the industry best practice for passwords. And we expect over the next two to five years to start seeing a lot more companies moving toward this. I think in the federal government that it's going to start to be an expectation as enforcement happens, as the agencies start to update their policies and standards. That's Robb Reck from Ping Identity.
Starting point is 00:10:53 The Czech Republic has ordered an investigation of security risks it thinks Huawei and ZTE devices might pose and is considering a ban. Australia's government has taken a line as stiff as its Five Eyes sisters, especially the American ones, on further incursions of Huawei into the country's infrastructure. The Australian Broadcasting Corporation reports that there's growing grassroots concern about the Huawei-built pre-5G cell boxes people see around Sydney. Japan has effectively banned government purchases of Chinese telecom equipment from this year going forward. The concerns, of course, involve security, and Huawei is currently holding talks with Japanese authorities to negotiate some relaxation of that ban. The company is said to be offering to buy more Japanese-made components
Starting point is 00:11:37 in the hope that this will help allay security concerns. Most of the talk about the espionage concerns surrounding Chinese equipment manufacturers has been about Huawei, with ZTE a respectable second. It's unlikely that these worries will be confined to just those two companies. A Bloomberg op-ed thinks more manufacturers are likely to receive hostile international scrutiny, with Lenovo mentioned as the company most likely to be next in the barrel. A cyber cold war, complete with spheres of influence, is widely predicted. Facebook's investigation into Democratic inauthentic election influence operations
Starting point is 00:12:18 widens. Operation Birmingham, said to have been funded by wealthy party donor and LinkedIn billionaire Reed Hoffman, appears to have worked to influence the Alabama 2016 special senatorial election in favor of the eventual narrow winner, Senator Doug Jones. There were also apparently unsuccessful operations against the 2018 campaigns of Senators Blackburn of Tennessee and Cruz of Texas. Facebook is looking into what may be systematic use of inauthentic news feeds, ads, and sites. Senator Jones has called for an investigation. Mr. Hoffman has said he's embarrassed and should have paid closer attention to what was going on.
Starting point is 00:12:59 The tactics employed, as described by The Washington Post, show close attention to lessons learned from the Internet Research Agency, the notorious St. Petersburg troll farm. Finally, WikiLeaks circulated a confidential legal memo to several news outlets, outlining 140 false and defamatory things they should stop saying about WikiLeaks and Julian Assange. The communique was probably prompted by reporting in The Guardian, where stories about Mr. Assange's alleged meetings with then-candidate Donald Trump's campaign operatives are being strongly denied by WikiLeaks. The confidential legal memo, foreseeably leaked as soon as received,
Starting point is 00:13:42 may be read full and unredacted at Ars Technica and elsewhere. The Times of London is among those papers sniffing at the irony of WikiLeaks pleading privacy and confidentiality, but in fairness to the House of Leaks, we must say that having read their memo, it really is protesting inaccuracy, not intrusiveness. Among the misapprehensions WikiLeaks' lawyers are particularly concerned to correct are the following, that Mr. Assange is a paid Russian agent, that WikiLeaks has members like Al-Qaeda as opposed to employees like the ones any legitimate media outlet would have,
Starting point is 00:14:20 and that Mr. Assange not only hates the United States, but also bleaches his hair and neglects his cat. So, nota bene, Mr. and Mrs. United States. Mr. Assange loves you, wears his own unredacted hair, and is good to his cat. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:14:52 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
Starting point is 00:16:01 vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:17:10 And joining me once again is Emily Wilson. She's the Fraud Intelligence Manager at Terbium Labs. Emily, it's good to have you back. You all recently posted some information about credit card fraud, sort of centering around what you describe as the nine lives of a credit card. That's interesting to me. Take us through what we're talking about here. You know, I've talked before with you and with the listeners about fullz. These are, you know, it's F-U-L-L-Z. These are full identity kits or full identity packs. And those usually include something like payment card information. So a card number, expiration date, you know, CVV code, the security code on the back. It might also include helpful account information. So in addition to the card information and cardholder details, you might get mother's maiden name or answers to security questions. And as I'm sure you can imagine, these are very
Starting point is 00:17:54 appealing to fraudsters who like to exploit all that data. Right, it's sort of a premium package for sale. A fullz, it's everything you need to get the job done. Okay. And so what's interesting is at the core of that, right, is that credit card information, because it's the thing that you can cash out most easily. Well, getting back to the spooky dark web times, we've recently seen some listings across markets for what are called dead fullz. And these are not what you might expect at first glance, which is a fullz for a deceased person. We're not going to get quite that macabre this early in the season. But instead, they are fullz where the vendor is actively saying, hey, this credit card doesn't work anymore, but if you still want these identities, have at it. So it's like the day-old bread of fullz.
Starting point is 00:18:45 So what is the appeal? If the credit card doesn't work anymore, what's in there that they still find valuable? A lot of things. And I think that speaks to, you know, we think about when a payment card is compromised, you know, there's a sense that if you turn that card off, then everything is taken care of. But depending on what other data is compromised, there's a lot more at play. And when we're talking about, you know, identity data, you can't really turn that off the way you turn off a payment card. So, yes, it's unfortunate you can no longer exploit this particular payment card account. But guess what? You still have names and contact information and mother's maiden name and security question answers, which, you know, it's easy to remember where you went to high school. So I'm sure you use that on every site. And you can do a lot with that. And you can
Starting point is 00:19:30 do a lot with that for a very long time. So from a consumer's point of view, what's the situation here? I mean, if my credit card's been compromised or somehow I get a report that, you know, my credit card's been up for sale on the dark web, and I get that card changed. It might not necessarily be out of the woods. That's right, and that gets to the idea of this nine lives of a credit card, right? Because one compromise, even if that compromise is centered around a credit card, that may not be the end of it, right? Just because the card is dead doesn't mean the fraud's over. And this gets to the broader conversation that we're having in the industry at this point.
Starting point is 00:20:08 And I'm glad we're getting there, which is what do we do? What do we as vendors, what do we as consumers do in an industry or in a world where everything is compromised or will be very soon? You know, how do you fight the battle against identity theft when your information is out there 10 times over? And I think this is a problem we're going to see more of. And, you know, I think this is an example where the first thing the fraudsters want to go after is the payment card because it's easy. You cash it out and you go away. But they're willing to put some effort in and it's going to be very difficult for consumers to match that. There's a whole other range of folks who are out there willing to play a longer game.
Starting point is 00:20:49 Yeah. All right. Well, Emily Wilson, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:21:46 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:22:10 of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:22:31 We'll see you back here tomorrow.
