CyberWire Daily - Hacking Old Man River. Nation-state cyber conflict: objectives and norms of behavior. Australia's new cyber laws. ATM campaign. Lawsuits, and the Dread Pirate Robert asks for pardon.
Episode Date: August 16, 2018
In today's podcast we hear that cyber threats to river traffic have intermodal implications. Nation state hacking, Presidential Policy Directive 20, and international norms of cyber conflict. The tragic consequences of overconfidence concerning communications security. Australia's new cyber laws are more legal hammer than required backdoor. A campaign of ATM robbery nets millions worldwide. A cryptocurrency speculator sues the phone company, a spyware firm sues a former employee, and the Dread Pirate Roberts would like a pardon. Johannes Ullrich from SANS and the ISC Stormcast Podcast, on lingering legacy passwords in Office documents. Guest is Phil Neray from CyberX on the National Risk Management Center being spun up by DHS. For links to all today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_16.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Cyber threats to river traffic have intermodal implications.
Nation-state hacking by the familiar four,
Presidential Policy Directive 20,
and international norms of cyber conflict, the tragic consequences of overconfidence concerning
communications security, Australia's new cyber laws are more legal hammer than required backdoor,
a campaign of ATM robbery nets millions worldwide, a cryptocurrency speculator sues the phone company, a spyware
firm sues a former employee, and the Dread Pirate Roberts would like a pardon.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, August 16th, 2018.
The FBI is warning of cyber threats to a sometimes overlooked sector of transportation infrastructure, inland waterways.
Those include the rivers, canals, dams, locks, and intermodal facilities that serve water traffic in the U.S.
There's a great deal of ship and barge traffic in U.S. rivers, especially in the Mississippi Basin, and the disruption to that traffic would have an intermodal ripple effect
on road, rail, and air transportation. NSA alumnus Rob Joyce gave an account of
nation-state hacking at DEFCON last week. The rogues' gallery was populated by a familiar four, Russia, China, North Korea, and Iran.
Espionage is pervasive, to be sure, but the four countries have distinct interests.
Russia is heavily invested in traditional espionage, in developing the potential for cyber sabotage,
and in pursuing disruptive information operations against its targets.
China, whose activities have subsided somewhat but which can be expected to return to or exceed their former vigor should a full-blown
trade war with the U.S. erupt, has typically been interested in industrial espionage,
in the theft of trade secrets for the benefit of Chinese industry and the country's larger
economic place in the world. Iran has recently been preoccupied with working against regional rivals,
particularly Sunni Muslim powers like Saudi Arabia,
but they have shown an interest in U.S. targets in the recent past.
Joyce doesn't call this out specifically, at least as his remarks are being reported,
but many think Iran likely to return to direct theft and financial fraud
as renewed sanctions bite deeper into the country's economy.
In this, Tehran would be following the unfortunate example of Pyongyang,
whose North Korean hacking teams operating as the Lazarus Group and other threat actors
have long been involved in fraudulent wire transfers and other forms of bank account looting.
A recent example of what appears to be a North Korean campaign of theft
has been seen in the looting of ATMs associated with India's Cosmos Bank.
$13.5 million is said to have been drained from machines in some 28 countries.
This particular raid, as computing and other sections of the international press are pointing out,
came shortly after an FBI warning that something like this was afoot.
The investigation is still young, but the early signs point toward the DPRK's Lazarus Group.
President Trump is reported to have loosened, in various unspecified ways,
the constraints on U.S. retaliatory cyber operations that have been in place since
President Obama's promulgation of Presidential Policy Directive 20.
PPD 20 is secret but in outline generally familiar, thanks to illicit leaking and more
or less licit hinting.
Too much of both, probably.
PPD 20 is said to have established some guidelines under which the U.S. might undertake to hack foreign targets.
It's thought that the current revision to the policy PPD-20 embodied
probably take the form of greater delegation of authority to conduct offensive operations in cyberspace.
Relaxation of certain restrictions seems consistent with public comments from U.S. Cyber Command,
particularly General Nakasone's remarks about just what it means for the military
to be sworn to support and defend the Constitution of the United States.
The problem of nation-state hacking has prompted renewed calls
for a better, clearer set of international norms for cyberspace.
These might be modeled on the existing laws of armed conflict.
We heard from the Cloud Security Alliance, the CSA, on the matter via email.
The CSA's CEO, Jim Reavis, said,
The CSA perspective is that we would like to see an international dialogue on the use of cyber weapons in warfare.
Computer technology was long ago weaponized,
but there would be tremendous value in having a global understanding in how this can be used and clarifying that attacks targeting cyber infrastructure for civilian uses,
such as hospitals, should be forbidden. We will eventually see treaties in this area as we gain
a more mature understanding of the space. It's worth noting that prohibitions, really inhibitions,
of attacks against targets that people use simply as ordinary human beings,
and not as combatants, like medical facilities, water sources, and so on,
have evolved into formal rules of kinetic conflict over the past century.
Many would hope to see these extended to cyber conflict as well.
The Secretary of the U.S. Department of Homeland Security recently announced the launch of the National Risk Management Center,
with the mission of guarding the nation's banks, energy companies, and other industries from major cyberattacks that could cripple critical infrastructure.
Phil Neray is from security company CyberX.
I think that the launch of the center is important.
It is an acknowledgment that cyber threats to our critical infrastructure are serious and that we need to handle them in a centralized and coordinated way.
And we've seen, you know, over the last few months,
acknowledgments from the administration and from various intelligence agencies that we know the
Russians have been in our critical infrastructure. We know they're targeting not just our energy
sector, but also other sectors like pharmaceuticals and oil and gas and chemicals. And we know that
we have other adversaries like Iran and North Korea that are trying to do the same thing.
So I think the idea of centralizing our response
and centralizing the way we deal with these threats is a good thing. I think information
sharing is a good thing. And coming up with some common ways of defending against these threats
is important. What is missing so far, though, because we've had ISACs before, we've had groups that share information across sectors
about threat actors and campaigns. What we're missing, though, are minimum standards of due
care, minimum standards of security monitoring across all these sectors. NERCSIP was a good
first step, but it's just for the energy sector. And it was designed a couple of years ago before these more sophisticated threats came into play.
So it's missing some key things like being able to monitor a network continuously to detect a breach or an intrusion. information systems directive that the EU put into place in April. That would be more, I think,
what we need in terms of giving the industry guidance on a comprehensive set of minimal
requirements for security. Now, you had some points you wanted to make about Fancy Bear,
specifically. You think there's some things that folks may be overlooking?
Well, the thing about Fancy Bear that's interesting is, you know,
different industry groups have been tracking them for years.
If you look at the group, they have a long history of doing nefarious cyber things across the world, right? In July 2008, they hacked Georgian ministries in advance of a Russian military invasion.
It was probably the first time we saw a coordinated cyber and kinetic attack.
In 2011 to 2014, they infected U.S. energy firms with BlackEnergy malware.
In 2015, they destroyed equipment belonging to a French broadcaster, TV5.
They tried to make it seem like it was an Islamic terrorist group, but later we found that it was them.
They compromised German Bundestag members in 2015.
They compromised U.S. defense contractors in 2015 and 2016.
They're more famously known for two destructive grid attacks in the Ukraine,
one in December 2015, one in 2016. And with the recent indictments by the DOJ related to interference in our 2016 presidential election, officers that were named in that are all GRU officers, GRU being the Russian
Military Intelligence Agency. You know, in one of your recent podcasts, you said, you know,
the goal is disruption and chaos. And if you think about, you know, disruption and chaos
that was caused in Ukraine by shutting down portions of the grid in the middle of winter,
I mean, I don't think anybody really died, and it wasn't a catastrophe from a safety point of view or environmental point of view,
but it certainly goes a long way to creating disruption and chaos in the society.
We also believe that Fancy Bear, or at least the GRU, was responsible for NotPetya. You know,
the cost of NotPetya, the economic impact of NotPetya
is in the billions of dollars, including, you know, critical infrastructure and industrial
ICS systems that were down for days or weeks or months at a time, causing the companies
to report huge losses.
So, you know, that's a different type of impact.
That's an economic impact as opposed to a kinetic impact or an electrical grid impact or an attempt to influence our political process.
That's Phil Neray from CyberX.
Foreign Policy is reporting on the immediate human consequences of inadequate communication security.
According to the Journal, a CIA communication system that had worked well enough in the relatively benign Middle Eastern environments, where the agency had used it earlier, failed
when it was deployed for running agents in China.
Chinese security services were able to penetrate it between 2010 and 2012, roll up the CIA's
agents, and execute about 30 of them. Some estimates give
a higher toll. China's alleged recruitment of former CIA officer Jerry Chun Shing Lee
appears to have contributed to the intelligence failure. Lee was indicted earlier this year for
his alleged role in the matter. Australia's new cyber security laws seem to function more by penalizing non-cooperation
than by mandating back doors. So, no back doors, but the penalties for not working with police when
they ask for your help won't be chicken feed by any means. Companies that refuse to disclose
customer data upon proper request can be fined up to 10 million Australian dollars.
That's about 7.3 million in U.S. currency.
And individuals who won't open their devices to duly constituted authority could face up to 10 years in prison.
A U.S. cryptocurrency speculator says he lost 24 million dollars in altcoin
to a crook who got into his cell phone account
and that it's all AT&T's fault
for not being secure enough. In fact, it's so much AT&T's fault, says the California man,
that the phone company owes him damages an order of magnitude larger than his losses.
He's asking for $224 million to make him whole. And remember Ross Ulbricht, the Dread Pirate Roberts
who ran the Silk Road online contraband emporium?
He's currently serving two life sentences plus 40 years
without possibility of parole.
As anyone in his shoes would, he's angling for a pardon.
Now through a Twitter account his family set up for him.
He tells them what to tweet and they take it from there.
The Twitter feed describes
Silk Road as being not that different from eBay. Sure, there was some illegal stuff traded there,
but according to them, that was mostly just small amounts of cannabis. Mr. Ulbricht's line is that
his sentence is shocking and far too harsh for what he and his supporters characterize as non-violent offenses.
Mr. Ulbricht was, for example, originally suspected of selling murder as a service,
but that didn't make it into his final charge sheet.
There were also claims that people died of drugs bought on the Silk Road.
Unfortunately, the misconduct of some of the investigators in his case will lead some to agree that the Dread Pirate Roberts is being ill-used. A Secret Service agent, Shaun Bridges,
pleaded guilty to stealing Silk Road bitcoins, and a Drug Enforcement Administration man, Carl Force,
received six years for both bitcoin theft and for trying to extort Ulbricht.
Bridges and Force, may their names be remembered for infamy.
Still, it seems unlikely Mr. Ulbricht will receive his pardon.
cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges
faster with agents, winning with
purpose, and showing the world what
AI was meant to be.
Let's create the agent-first future
together. Head to salesforce.com
slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with
Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by
Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC Stormcast podcast.
Johannes, you had a story you wanted to share today. This involves an encrypted Office document using an old default password. What do you have to share?
Yeah, this was a really interesting case here. Now, Velvet Sweatshop is nothing necessarily
associated with Microsoft. But what happened was that old, old versions of Office used this
password as a default password to encrypt Office documents.
So in these, and I'm talking about ancient versions of Office here,
when you encrypted a document, you actually didn't enter a password.
You just basically clicked,
I want the document to be protected, as they call it.
And then Office encrypted the document using this password, Velvet Sweatshop.
Well, move forward a few years or a decade, and new versions of Office still support this old format.
So what they do is if they encounter an encrypted document with this default password,
they'll just decrypt it for you.
They won't prompt you for a password.
They'll just do it for you.
And apparently, malware writers have figured this out.
So what they will do is they'll send you a malicious document.
This document is encrypted using this default password.
Now, a lot of your security software doesn't know about this password.
So what they'll do is they'll just treat it as an encrypted document and forward it for you, and they won't inspect it.
But Office or Microsoft Word in this case, well, it knows about the password.
It will open the document for you like it's an unencrypted document, and will run the malicious content.
Now, is there any warning that any of this is going on?
Does Office warn you that you're dealing with a legacy encrypted document?
Nope, they really just treat it as an unencrypted document.
So really no warning here.
Of course, you may get some additional warnings later as the malicious content runs,
like for example, macro warnings and such.
But it's not like some of the other encrypted emails where they, you know, within the email,
they tell you, hey, this document is encrypted, then please use this particular password to
decrypt it. And is there any way to protect yourself? Can you disable something in Office
or is this a functionality you're kind of stuck with? You're really stuck with this.
I think the real protection here is to make sure that your security products know about this default password.
Now, I haven't really done a survey of this, so I'm not really sure how well they protect you from any of this.
All right.
It's an interesting one for sure.
It just shows you how sometimes these old things come back to haunt you.
Johannes Ullrich, as always, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.