CyberWire Daily - Huawei legal and security updates. A shift to personalized spam in attacks on retailers. "Hollywood hacks" in Eastern European banks.
Episode Date: December 7, 2018
In today's podcast we hear that Huawei's CFO remains in Canadian custody, perhaps facing extradition to the US. All Five Eyes have now expressed strong reservations about Huawei on security grounds. They've been joined in this by Japan and the European Union. Proofpoint sees a shift in cybercrime toward more carefully targeted and thoughtful social engineering. Kaspersky describes "DarkVishnya," a criminal campaign using surreptitiously planted hardware to loot Eastern European banks. Justin Harvey from Accenture discusses what should be in your incident response "go bag." Guest is New York Times national security correspondent David E. Sanger, discussing his latest book The Perfect Weapon. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Huawei's CFO remains in Canadian custody, perhaps to be extradited to the U.S.
All Five Eyes have now expressed strong reservations about Huawei on security grounds.
They've been joined in this by Japan and the European Union.
Proofpoint sees a shift in cybercrime toward more carefully targeted and thoughtful social engineering.
Kaspersky describes DarkVishnya, a criminal campaign using surreptitiously planted hardware to loot Eastern European banks.
And New York Times national security correspondent David E. Sanger joins us to discuss his latest book, The Perfect Weapon.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 7th, 2018.
China has demanded that Canada release Huawei CFO Meng from custody, but in custody she seems likely to remain.
Canadian police arrested Ms. Meng in Vancouver as she was transiting through the city's airport.
The decision to arrest her was a Canadian decision.
Prime Minister Trudeau says it was a judicial matter
and properly conducted by an independent judiciary.
The arrest appears to have been opportunistic rather than well-planned in advance.
It's not known if an Interpol red notice was out for Ms. Meng.
The U.S. is generally expected to seek Ms. Meng's extradition, hearings for which could occupy weeks or even months. Canada and the U.S. have an extradition treaty of long standing, one of whose provisions is that the crime charged must be a crime under the laws of both countries. In any case, Huawei has politely expressed its confidence in Canadian and American justice. The U.S. is investigating not only violation of sanctions imposed on Iran, but financial crimes as well, specifically involving money laundering. Huawei is thought to have used HSBC as a conduit for illicit transactions with Tehran. HSBC was fined and entered into a deferred prosecution agreement with the U.S. Justice Department back in 2012 in connection with violations of U.S. sanctions and money laundering laws.
The arrest is taken as a strong signal of U.S. determination to enforce sanctions. It's also believed likely to sharpen the ongoing Sino-American trade war, with IT market leadership at stake. Observers wonder whether China will retaliate for U.S. measures against Huawei and ZTE, and Russia for Kaspersky's exclusion from U.S. government systems, with their own legal or extra-legal action against U.S. companies. Such a response from China would be more troubling than one from Russia. Trade ties and technology interconnection are much more pronounced with China.
And, of course, Huawei remains under suspicion in all Five Eyes of posing a security risk.
The U.S. intelligence community has regarded the company as a deniable cat's paw for Chinese intelligence services since at least 2010.
Australia has been close behind the U.S. in voicing extreme skepticism about the company.
This was seen in Australian efforts to prevent Huawei from participating in a telecommunications cable service being established in Papua New Guinea,
and in recent moves to exclude Huawei from Australia's 5G network build-out.
Mike Burgess, head of the Australian Signals Directorate, warned just this week that Huawei's devices could pose a threat to water and power infrastructure were they to be used in those networks.
New Zealand put similar restrictions in place over the past week. BT, the British telecommunications giant, has announced it's dumping Huawei equipment, to the chagrin of some British business partners of Huawei. And MI6 director Alex Younger warned in a speech Monday that cell towers and other communications infrastructure could be vulnerable to compromise. He told an audience at St. Andrews University, quote, "We need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position," end quote. Canada may be the last of the Five Eyes to reach this conclusion, but it seems to be moving swiftly in that direction.
Nor is such suspicion confined to the Five Eyes. Japan has decided to exclude both Huawei and its smaller competitor ZTE from government contracts. And this morning, the European Union's Technology Commission warned that Huawei constituted a threat, specifically citing the risk of mandatory backdoors installed in its equipment at the behest of Chinese intelligence services.
Huawei, of course, denies that it does any of this, but sentiment is running strongly against Chinese hardware manufacturers.
A large Chinese information operations campaign seems already to form part of a response.
The Guardian has a long account of an image-building campaign Beijing is conducting to shift the center of world civilization in the direction of the Middle Kingdom.
This involves purchasing and operating media outlets.
Such simple stuff as putting paid content into newspapers.
Those inserts you see, like Shanghai is open for business,
or young entrepreneurs of Guangdong welcome you, cultural centers, and so on.
This presents a contrast with the shadowy trolling and false fronts characteristic of Russian information operations.
It will be worth watching to see what success the Chinese campaign has.
Turning to more ordinary stories of cybercrime, Proofpoint warns of an emerging threat to U.S. retailers. TA505, as Proofpoint calls the criminal group behind Locky and Dridex ransomware campaigns, uses highly personalized attachments in a phishing campaign that spreads Remote Manipulator System and FlawedAmmyy malware, RATs and backdoors. The attachment is typically a malicious Word document that represents itself as a scan. The personalization consists of making the document look as if it came from the company being targeted, which of course makes it more likely that an employee might open it. One aspect of the personalization is including the company's logo in the document lure.
Proofpoint sees this as an instance of a shift in the criminal market.
TA505 had, through 2017, been a black market leader with massive phishing campaigns.
And shouldn't there be some related metaphor for that kind of phishing?
Something related to bottom trawling, perhaps?
Those massive indiscriminate efforts,
Proofpoint mentions smash-and-grab ransomware campaigns,
are less common because they're less profitable.
Some of that is due to increased general awareness of commonplace phishing tactics.
Some of it may be due to the way altcoin values have cratered in 2018.
In any case, more effort, better targeting, smaller scale,
and more thoughtful engineering seem to be the trend.
Kaspersky Lab describes a crime wave it's investigating
that's cost Eastern European banks millions.
ZDNet calls it Hollywood hacking because it uses the kind of techniques
one usually sees in a heist or caper movie,
but far less often in real life.
In this case, the criminals physically enter a bank,
attach small, cheap hardware to the bank's networks,
leave the devices in place, and then retire to remotely drain funds.
The hardware normally used is either a cheap laptop, a Raspberry Pi board, or a Bash Bunny malicious thumb drive. Kaspersky won't name the affected banks because of security and non-disclosure concerns, but they say the losses have been high. Of the three kinds of hardware the criminals are using, the laptops are obviously the easiest to spot, but even those go unnoticed. A Raspberry Pi or a Bash Bunny is much easier to deploy unobtrusively. Kaspersky says the criminal operations, which it calls collectively DarkVishnya, have been going on since last year.
It's worth reminding people that physical security often intersects cyber security. DarkVishnya is a good example of how.
I need to get out of town in a hurry. But when it comes to incident response, you're making the case that a go bag is something that perhaps you need to have in your arsenal.
That's exactly right.
A go bag is not just for your consulting incident response team, which I run, but it could also be for your incident responders in commercial and government clients or companies as well. In our go bag, we could be called at any point to get on a plane and travel halfway around the world in order to respond to an incident. So it's important that we have everything lined up, ready to go, just like you see in the movies with, let's say, the FBI hostage rescue team. They've got their go bags. Well, on a cyber level, we've got the same thing.
Yeah. And it goes beyond having packed several outfits and so on. We also travel with technology that helps us accelerate our work. So we've got the tools that we use. So we have our own USB drives that have all of our tools, our forensic collection kits, our endpoint detection and response software. We also are quite heavy users of Splunk. So we've got that in our arsenal as well on our laptop ready to go. And in fact, many of us travel with several laptops, up to two or three at a time. So we've got our normal corporate laptop, and then we've got our analysis, our beefy laptop that has an ungodly amount of CPU and disk and memory ready to do a forensic analysis.
You're the guys I don't want to get behind at the airport.
Yes, although a lot of times our go bags are in what we call the Pelican cases. These are hard-shell cases that look like something you'd ship a weapon or very expensive audio-visual equipment in. And that holds a lot of our encrypted USB drives that have little PIN codes on there so we don't have to remember, oh yeah, did our team member encrypt that drive? We take data privacy and the communication of data safely very seriously. So we don't leave it up to the user to encrypt the USBs. We do it ourselves with the PIN pads. We also travel many times with what we call minions. These are suitcase servers, probably about the size of a 20-inch monitor and a little bit thicker than that. It has a monitor built into it. Sometimes they make them with keyboards that flip down as well. And these have the power of about 10 laptops. If we need to run Splunk for all of our forensic investigations, if we need to load up to 100 forensic images to do analysis, we can do that on the minion, and they're very portable.
And if that is not enough, we also have a refrigerator-sized, actually a half-refrigerator-sized rack-mount server that we can actually ship out via FedEx or UPS to get to the client site if we need to do additional analysis. In addition to that, our go bags also have write blockers and technology designed to do quick forensic collection amongst systems in the enterprise, as well as things that you wouldn't really necessarily suspect to be in a go bag, things like projectors. You never know where in the world we're going to go or if we're going to be in a war room without the ability to project on the wall. So we travel with projectors as well, including several other types of mobile technologies. For instance, mobile phone collection kits we have in addition to your standard array of networking gear. So sometimes we've got little tap and SPAN port hubs that we can deploy in the field and start to collect network forensic data, in addition to our own ability to phone home. So clearly our own wireless access points to be above and outside of the network that we're working at at any given client.
I'm imagining you rappelling in from a helicopter.
That's the vision I have in my mind's eye.
It's not too far off from that, I suppose?
Not too much.
I think we have our helicopter on order, so we'll hopefully get delivery of that next year.
We'll see if you get budget approval on that one.
All right, Justin Harvey, thanks for joining us.
Thank you.
My guest today is David E. Sanger. He's national security correspondent and senior writer for the
New York Times. He's the author of several bestselling books on national security and foreign policy,
the most recent of which is The Perfect Weapon, War, Sabotage, and Fear in the Cyber Age.
Cyber has emerged over the past 10 years as the primary way that countries seek to undermine and compete with each other in a short of war way.
And by short of war, I mean attack each other, spy on each other, manipulate each other,
using techniques that are not likely to bring about a major military conflict.
And that's why the book is called The Perfect Weapon, because cyber is cheap, it's deniable, it's easily targeted, you can dial it up and you can dial it down. In other words, it's the opposite of a nuclear weapon. You can actually control its effects and target it very carefully, and it can sometimes be difficult to figure out where it is that an attack came from.
And so my fascination as somebody who has covered national security for many decades, been a foreign correspondent for The Times, covered national security and foreign policy in Washington for many years, has been the emergence of a technology that is as game-changing as the invention of the airplane was, in some ways as game-changing as the invention of the atom bomb was, but in very different ways, as a new power of influence and a leveler, because it's so cheap, that allows much weaker and smaller and broke countries to challenge far more powerful ones.
To what degree do nations respect the capabilities of each other when it comes to the cyber domain?
Again, I'm thinking about with nuclear weapons.
You test a nuclear weapon or even as they were used in World War II.
Well, that's a pretty big demonstration of the capabilities of these weapons.
And it strikes me that I don't know that we've seen a similar test or a demonstration of capabilities in the cyber domain.
It seems to me that it's more possibilities so far.
Is my perception accurate there?
Close, but not entirely. So you're absolutely right that the nuclear age began with a far larger and more fearsome demonstration of power. And it actually affected how we thought about and dealt with nuclear weapons for the succeeding 70 years, because after Hiroshima and Nagasaki, there was no value in hiding what our capability was. Everybody knew what our capability was. We knew what our capability was, but we had demonstrated it to the world. And thus, we could sort of have an open debate about how we wanted to go use that capability. And that debate ended up in a completely different place than it started, right? I mean, you had MacArthur wanting to use nuclear weapons against North Korea and China. During Vietnam, as we now know, General Westmoreland wanted to bring nuclear weapons into South Vietnam in case he needed to use them in North Vietnam. But by the late 70s and 80s, we had basically decided we would only use nuclear weapons as a matter of national survival.
In cyber, we've never had our Hiroshima and Nagasaki moment. So what's happened is countries believe that if they talk much or demonstrate much of their cyber activities or even admit to them, that somehow it impedes their power by revealing too much. I actually think the opposite is the case. It's one of the reasons it's gotten in the way of our deterrence. Perhaps the biggest case where the issue of respecting another nation's powers has come along has been in the election hack, where President Obama thought about retaliating against the Russians when it became clear that they had been behind the hacks of the DNC, John Podesta's email, and so forth. But he hesitated, as I describe in the book, because of the fear that the Russians would come back on election day. And when they did, they might attack the actual voting machines.
Now, one of the things that you advocate in the book is this notion of creating sort of a Geneva Convention framework for cyber arms control. Where are we when it comes to establishing those sorts of norms?
Very early stages, and most of it hasn't been terribly successful. There was an early effort that I was impressed with that was done by the United Nations, a group of experts, but that floundered about a year ago with the Russians and the Chinese getting in the way of it. The United States itself is part of the problem here. And the thought of a Geneva Convention is initially somewhat appealing because treaties don't work in the cyber age. There are just too many players, and many of them are non-governmental actors who don't sign treaties, you know, criminal groups, teenagers, all sorts of patriotic actors. So having an agreement between the United States and Russia and China wouldn't get you very far. Convention tries to protect civilians in ordinary combat is another matter, because while it's unenforceable, it begins to set a norm of behavior. And that norm is important. It's the reason some people get dragged up in front of the criminal court, right, in The Hague. In the digital world, the idea of a digital Geneva Convention would be, again, to protect civilians, to sort of say, what targets should be off limits? And if we were making a list, we could come up with some: election systems, the electrical grid, hospitals, nursing homes, emergency communication systems. You can think of a pretty good list. The problem with that is I suspect that even the U.S. intelligence community would object to signing the U.S. up to those because they would say, do you want to limit the president if he thinks that he can avoid a war by messing with another country's elections?
Where do you see this going? How do you see it playing out when you look toward the horizon? Where do you see, what do you think we're going to find ourselves in the coming years?
It's a really good question. This is accelerating dramatically as a weapon for states, as a set of defensive measures, and the problem's growing more complex, of course, by the Internet of Things. If we think that we have 12 or 13 billion Internet of Things devices now, it'd probably be well over 20 billion by 2020, by most estimates. All of those increase the attack space that countries can attack. We have to think of ourselves right now as sort of at the end, where we were in air power at the end of World War I. We knew the airplane could fly. We knew that there had been some skirmishes in the air. The Red Baron, people up against the German early airplanes during World War I. But the weapon had not been decisive. It didn't become decisive until World War II. You have to think of cyber in sort of the same terms. We've seen the early skirmishes. We haven't seen the true capabilities of the weapon.
Our thanks to David E. Sanger for joining us.
The book is The Perfect Weapon, War, Sabotage, and Fear in the cyber age.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals
and cybersecurity leaders
who want to stay abreast
of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time
and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.