CyberWire Daily - Iran grows more capable and assertive in cyberspace. Bots have nothing on humans when it comes to peddling disinformation. Chinese influence ops. Fancy Bear, Slingshot updates.
Episode Date: March 12, 2018

In today's podcast, we hear that security firms are warning of Iran's growing cyber capabilities, and Tehran's disposition to use them. Gossips and activists far outdo bots in spreading disinformation. The memcached kill switch should be approached with legal caution. Slingshot espionage tools have been active quietly in the Middle East and Africa for six years. Fancy Bear sniffs at Asia. Australia is concerned about Chinese espionage and influence operations. Jonathan Katz from UMD with his thoughts on Spectre and Meltdown. Guest is Christopher Pierson from Binary Sun Cyber Risk Advisors, with an update on SEC cyber security guidance.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Security firms warn of Iran's growing cyber capabilities and Tehran's disposition to use them.
Gossips and activists far outdo bots in spreading disinformation.
The Memcache kill switch should be approached with legal caution.
Slingshot espionage tools have been active quietly in the Middle East and Africa for six years.
Fancy Bear sniffs at Asia.
And Australia is concerned about Chinese espionage and influence operations.
I'm Dave Bittner with your CyberWire summary for Monday, March 12, 2018.
Iran may be showing greater cyber capabilities and a correspondingly larger disposition to use them for espionage and surveillance, The Hill reports.
Researchers at security firm Symantec have seen an expansion of activity into Israel,
Jordan, Turkey, Saudi Arabia and the United Arab Emirates.
Security company FireEye is tracking two Iranian threat groups, APT-33 and APT-34.
APT-33 has been linked to destructive wiper attacks,
while APT-34 has so far been busy with reconnaissance of critical infrastructure targets.
The University of Toronto's Citizen Lab says that Egypt, Syria and Turkey are adapting Sandvine products to install spyware and cryptojackers.
Sandvine says it's got nothing to do with it.
Bots have their uses in spreading disinformation over social media, but an MIT study suggests human gossips are overwhelmingly more active in doing so.
Demonstrably false claims are jumped on, retweeted with delight by the enthusiastic and the committed.
Exploitation of memcache for DDoS attacks continues to worry security experts.
There's also some concern over a kill switch Corero found last week.
As reported in several news outlets, Corero thinks the kill switch, a flush_all command,
could provide a counter to the very high-volume attacks the exploit can generate.
But the Register asks, is flush_all the cavalry or questionably legal interference in someone else's computer?
Cloudflare and Arbor Networks told eWeek that issuing flush_all would amount to changing the contents of a non-cooperating computer.
And of course, that's illegal in many places.
The U.S. Securities and Exchange Commission recently released revised cybersecurity guidance for publicly traded companies.
The last time the SEC weighed in with guidance on cybersecurity was in 2011, and of course a lot has changed since then, with larger and more frequent high-profile breaches of public companies.
Dr. Christopher Pierson is CEO of Binary Sun Cyber Risk Advisors and a frequent contributor to the Cyber Wire, and he weighs in on what the new guidance means.
Really what this is, is it's supplemental guidance. It's meant to provide further interpretation on the original
is it's supplemental guidance. It's meant to provide further interpretation on the original
guidance. And what it really does is it kind of, if you wanted to, you could break it down to three
different areas. It talks about cybersecurity risks in terms of you, publicly traded company, must dimension the risks, understand them, have policies and procedures around it, and update the public, the investor community, those people that you have a duty to.
You must go ahead and update that continually as those things change.
Second, this whole area of insider trading.
Insider trading programs, they're fairly common within publicly traded companies.
What this guidance said and makes abundantly clear is any type of trading that happens around, surrounding, just before the announcement, just after the announcement of a data breach, of a cybersecurity incident, needs to be looked over with a special scrutiny.
And there needs to be policies and procedures around this, and new companies must own this.
And then third, the area of governance.
The SEC, I mean, really, they pretty much ask two questions here.
They say, you board, what is your role in cybersecurity and cybersecurity risks, incidents, issues, and how are you engaging with senior management, with leadership on cybersecurity? That's what the new interpretive
guidance really focuses on, those three areas. This is a wake-up call for all public companies,
the senior management, and the boards, specifically the chairperson of the board,
the chairperson of the audit committee, if they have it, the chairperson of the risk committee,
to actually ask themselves the fundamental questions, what role is the board playing in
cybersecurity, and how is it engaging with senior management? That is something that I don't think
that they're going to be able to escape, and they're actually going to have to work with
in-house counsel, with outside experts, with CISOs, both CISOs that are at the company and
outside experts, to go ahead
and formulate a plan and a strategy around this. What we have seen as a result of, I mean, if you
think about Yahoo, they disclosed their breaches in late 2016, in September, and then later on in
late October, early November 2016, but then upped the numbers to essentially in 2017, midway through,
saying everyone had been breached. That's one example of a publicly traded company that's
involved in a merger and acquisition transaction, making a dramatic change and dramatic announcement.
And the SEC does say, hey, look, if things change, we understand that. We know that things are not
going to be perfect. We know they're going to change. You have a duty to update it if there's a material change, and I would argue many there.
And then separately with Equifax, we all know about the potential allegations around insider trading or inappropriate trades or trades that are circumspect.
But I think the most recent items are serving as a great impetus for the SEC in this regard.
So the SEC comes out with this guidance.
I'm a member of a board.
What kinds of questions should I be asking at my next board meeting?
Yeah, Dave, that's a great question.
So, I mean, realistically, they should be immediately determining who has governance over the cybersecurity risk programs.
Where is that coming in from? It's coming in from audits? Is it coming in through an enterprise risk
management committee? Where's the CISO reporting? Where's the CIO reporting?
How is that reporting relationship going? What times have cybersecurity incidents and
risks been addressed by the board? How long have those people been in the board meetings?
I mean, there's definitely some more statistical analysis that can be done here in terms of,
is the board receiving and seeing the right people regarding cybersecurity risks? Secondarily,
are they actually, when they do see those people, when they do have that information come forward at a strategic level, are they receiving the right type of information? Are they taking action in the right manner? Do they have the right types of auditing and reporting and procedures
there? And how exactly is the board then interfacing back with management? It's not
enough that this be a one-way street. It has to be a bi-directional street. They have to be
communicating with senior management about cybersecurity risks, about strategic things
that it should be looking at, and also what things are coming over the horizon in terms of cybersecurity risks to the
business, to the enterprise. So really, it's the analyze what is currently going on in terms of
structure, meetings, people that are reporting in on this topic and subject. Second, try to figure
out from a governance reporting standpoint, is that working? Is it efficient? Also, from an
education standpoint, is the board well educated on cybersecurity and how to actually govern it?
And finally, probably one of the biggest things, and I think we're going to see this change,
and just very much so in the way that Sarbanes-Oxley did, is who on the board, when they
look to the left, when they look to the right, or look around that big circular table, who on the board
is actually the cybersecurity expert? I think that we know who the financial experts are,
because we have to understand Sarbanes-Oxley, but who is actually the member of the board
that is leading the charge strategically and governance-wise on cybersecurity? Those would
be some of the basic questions to start out with.
That's Dr. Christopher Pierson from Binary Sun Cyber Risk Advisors.
Kaspersky Lab has described Slingshot cyber espionage malware
that for six years has quietly infested systems in the Middle East and Africa.
The researchers call it sophisticated and stealthy,
an elegant product they think of
a nation-state.
They don't say which nation-state, but they do note that the debug code is written in
pretty good English.
A Kaspersky study also sees a shift toward Asia in Sofacy's interest.
Sofacy is also known as APT28, Tsar Team, and Fancy Bear.
Kaspersky describes the group as pragmatic, measured,
and agile. Also, it's Russian-speaking. Those who think the bears have gone into hibernation
as far as Western targets are concerned, however, shouldn't get too cocky.
The UK is considering sanctioning Russia for the attempted assassination in England of former GRU officer and MI6 spy Sergei Skripal.
Many think sanctions would prompt Russian retaliation by cyber attack.
A number of British officials, including some senior military leaders,
have been warning about the country's vulnerability to cyber attack,
with particular concerns for critical infrastructure,
and so considerations of how
to handle possible retaliation aren't idle.
Russia has denied involvement in the attempted poisoning by nerve agent of Skripal and his
daughter, while simultaneously suggesting that Skripal had it coming, and that other
potential turncoats should take heed and take warning.
Smert shpionam, death to spies, whence comes the acronym SMERSH of Stalin's secret police and James Bond villain fame, apparently continues to animate Russian counterintelligence policy.
It would seem difficult to have it both ways.
There is at least some cognitive dissonance between
it's provocation, we didn't do nothing, and see, that's what spies get.
Australia's Ministry of Defence has banned use of the Chinese-manufactured app WeChat
on its personnel's office phones.
There are two concerns here.
First, what the MOD sees as careless data exposure through the app,
and second, the strong suspicion that WeChat is firmly in the pocket of the
Chinese government, and so in the pocket of Chinese intelligence services.
Australian concerns over Chinese influence operations are at least as strong as American
worry about Russian opinion sharing.
Foreign affairs characterizes the influence as including inducements, threats, and plausible
deniability.
The problematic behavior includes buying access and influence through political donations,
such donations being routed through third-party cutouts,
co-option of Australian universities as propaganda vehicles,
and diversion of Australian scientific research to the benefit of People's Liberation Army modernization.
There's even been a full-blown political scandal in the Senate,
as one-time up-and-coming Labor star Senator Dastyari resigned in January
after getting support from a donor linked to the Chinese Communist Party
and publicly retailing Beijing's South China Sea talking points.
China's President Xi, by the way, has just been installed as effectively leader for life with the repeal of presidential term limits.
But this grant of tenure came after a parliamentary vote of approval.
So it's all good.
Right?
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
You know, in the time since the Spectre and Meltdown vulnerabilities came to pass,
we've discussed them, but I thought it might be interesting to dig into some of the technical details with you
and get your perspective on it.
What do you have to share?
Yeah, these are really fascinating vulnerabilities, actually, or bugs that have been discovered.
And what's really interesting about them is, number one, how deep they go, because they're basically, they basically arise from ways that the processors on a lot of our computers have been
made to work. And so from that point of view, they're really just about
everywhere. And it's also very difficult to get rid of them or to patch them. Another thing that's
really interesting about it is just the way that the vulnerabilities arose and the causes for those
vulnerabilities. Let's dig into some of the details there. What do you mean by that specifically?
So one of the ways that modern processors work, and they do this in order to
optimize their performance, is they do something called branch prediction. So this at a high level
here basically means that if you have like an if statement, you know, if x equals one, do one thing,
and if x equals zero, do another. What your processor might do is actually execute both of
those instructions until it can figure out which one of those was the correct path that it should have taken. So it'll execute both of those in parallel, and that way,
immediately when you figure out what the value of x is, you can go ahead and take the right result.
And then the processor is supposed to throw away the result taken on the other branch,
which is no longer needed. And the flaw, basically, was that even though the processor
would do that correctly and would erase the data that it computed on the branch that wasn't taken, there would be a residue in memory based on that branch, based on the non-taken branch.
And that residue in memory could, for example, involve cryptographic keys or other cryptographic material.
And then researchers were able to show that they were in fact able to get access to that data through another complicated mechanism, that kind of a side point here almost. But they were able to
show that they were able to get access to that data, and thereby even though the data was computed
on a branch that was never actually taken, the researchers were still able to get access to that.
So it's pretty incredible, actually. Yeah, it's fascinating to me that it was such a sort of a
fundamental part of computer science. I mean, people are saying that textbooks are being rewritten based on these discoveries.
Yeah, that's right.
So this idea of branch prediction is a relatively old idea, I guess around 20 or even maybe 30 years old.
And it's fundamental in the way computer architectures are designed nowadays.
And people just never thought about the security implications of that.
So certainly people weren't thinking in that direction 30 years ago.
And even until six months ago, people just didn't think of the security implications of that.
And so now people are going to have to go back to the drawing board and think about how they can square the processor optimizations with the need for security.
And do you think this is going to trigger a whole new line of research of people going and going back and looking at the fundamentals to see if there are security issues
lurking within? Yeah, exactly. I think it's on both sides, actually. It'll involve researchers
looking at the existing architectures and seeing whether or not they're vulnerable.
And then it'll also involve architecture experts looking at the current designs and seeing how they can fix them to make sure that they're not actually vulnerable.
All right. That's interesting stuff.
Jonathan Katz, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.