CyberWire Daily - Lazarus Group updates. Cybercrime's GDP. New Zealand a Chinese espionage target? ZTE and Huawei criticized. BND will continue to monitor Frankfurt hub. Google's knowledge panels.
Episode Date: June 1, 2018In today's podcast we hear that the Lazarus Group may be on (relative, selective) good behavior. A study suggests that if cybercrime were a country, it would have a GDP comparable to Russia's. The Ca...nadian Security Intelligence Service warns, in the nicest way possible, that Chinese spies are out to get New Zealand. ZTE and Huawei come in for more criticism. The BND gets a court victory in Leipzig. Google's ground-truth algorithms are looking a little truthy. Joe Carrigan from JHU ISI with follow-up on listener comments from last week’s iOS vs Android discussion. Guest is Todd Inskeep from BAH with highlights from a talk he gave at RSA on NotPetya. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Lazarus Group may be on good behavior, relatively speaking.
A study suggests that if cybercrime were a country, it would have a GDP comparable to Russia's.
The Canadian Security Intelligence Service warns,
in the nicest way possible,
that Chinese spies are out to get New Zealand.
ZTE and Huawei come in for more criticism,
the BND gets a court victory in Leipzig,
and Google's ground truth algorithms are looking a little truthy.
The ground truth algorithms are looking a little truthy.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 1st, 2018.
North Korea's Lazarus Group has continued to target financial institutions for cyber theft,
but it appears to be on its good behavior, for now at least, with respect to U.S. institutions.
The restraint is generally thought to be part of the DPRK's charm offensive during the run-up to the June 12th Kim-Trump summit.
A subunit of the Lazarus Group, which researchers at OnLab track as the Andarial Group,
has been active against South Korean targets.
It's been using an ActiveX ZeroDay in its campaign. Bleeping Computer's been told by an anonymous source
close to the investigation that the ZeroDay is being used to exploit Samsung SDS A-Cube
installations. A great deal of North Korean hacking has been designed to obtain money to
redress Pyongyang's sanctions-induced and command-economy-induced financial shortfalls.
But states, of course, are not the only perpetrators of financial and other forms of cybercrime.
As cyberspace grows in importance to commerce and indeed daily life,
criminals flock there for the Willie Sutton-esque reasons that that's where the money is.
Bromium commissioned a study by criminologist Michael McGuire at Surrey University.
Dr. McGuire concluded, as Dark Reading reports,
that if cybercrime were a country, it would have the world's 13th largest gross domestic product.
By his estimation, crooks now pull in $1.5 trillion annually.
He breaks their takedown as follows.
$860 billion from illicit or illegal online markets.
Those are markets like the old Silk Road.
$500 billion from intellectual property theft.
$160 billion from data trading.
$1.6 billion from crimeware as a service.
And $1 billion from ransomware.
billion from crimeware as a service, and one billion from ransomware.
McGuire notes that in some precincts of the internet, including those regions collectively called the dark web, the line between legitimate and criminal enterprise is a blurry gray area.
He thinks there's now what he calls the web of profit. As he puts it, quote,
companies and nation-states now make money from this web of profit. They also acquire data and competitive advantages from it
and use it as a tool for strategy, global advancement, and social control, end quote.
This is tied to the emergence of what he calls platform criminality
and the increasing commodification of attack tools and exploits
that are traded in online criminal-to-criminal markets.
That black market operates very much like the legitimate markets we're all accustomed to,
complete with customer ratings, fax, help sites, and so on.
If you've used Amazon or Uber, you'd probably feel at home in a criminal market fairly quickly.
Given the vast scale on which cybercriminals operate,
and even if Maguire's conclusions are exaggerated by any reckoning, it's still pretty vast,
it would seem to be a matter of some urgency to increase the criminals' cost of doing business.
To put this into perspective, $1.5 trillion is roughly Russia's GDP.
Whether President Putin counts the significant financial cyber intake of the Russian mob in the country's GDP is unknown.
Seems doubtful.
So maybe Russia's doing better than the rest of us tend to think.
A report by the Canadian Security Intelligence Service concludes that Chinese espionage and influence in New Zealand has reached a critical point.
The report was delivered at an academic conference and so doesn't necessarily reflect CSIS official views,
and CSIS has hastened to express its solidarity
with fellow Five Eyes services in New Zealand.
The report reflects ongoing Five Eyes suspicion
of Chinese companies and organizations.
The U.S. Congress is considering holding ZTEs
and Huawei's feet to its own fires
of scrutiny, and a court case in Australia describes ZTE as a company built to spy and bribe.
Germany's BND intelligence service wins a surveillance case in a Leipzig court.
It can continue to monitor traffic in a Frankfurt-based hub operated by Daces.
Daces.
Daces had complained to the Federal Administrative Court that BND was in violation of German privacy law
because so much of the traffic the BND monitored crossing the hub was domestic
and therefore off-limits to surveillance.
But the court tossed their case out,
concluding that legitimate security interests justified the monitoring.
The hub in question is one legitimate security interests justified the monitoring. The hub in
question is one of the largest in the world. Frankfurt, it's worth noting, is the center of
the German financial markets, roughly analogous to the American Wall Street or the city in the UK.
Google's efforts at content moderation, or at least flagging, have produced some preposterously
tendentious results.
The search giant's reliance on Wikipedia for moderation may be damaging Wikipedia.
The problem, as reported in Wired, Motherboard, and elsewhere,
apparently arose from Google's prim attempt to provide a ground truth in the form of its Featured Snippets tool that produces knowledge panels
designed to let the naive researcher in need of epistemic protection know what's a fact, Jack.
Anyway, they rely on Wikipedia for their info, apparently in a pretty automated way.
Because Wikipedia is crowdsourced and dynamically edited,
it's possible for a contributor to ride a hobby horse very hard indeed, if only briefly.
That's why Google this week soberly informed researchers
that the ideology of California's Republican Party was Nazism, which of course, as far as we know,
it's not. Such shenanigans are fairly well distributed across the political spectrum.
Motherboard has a useful rundown of past factoids Google has served up.
Quote, it's worth mentioning that in the past,
these same knowledge panels have falsely shown
that various presidents were KKK members,
that MSG causes brain damage,
and that Barack Obama is king of the United States
and was planning a coup.
End quote.
We're pretty sure none of this is actually true either,
even that stuff about MSG.
In fairness to Wikipedia,
fact-checkers have found that it compares favorably with conventional encyclopedias,
and sensible users don't find it difficult to exercise appropriate good judgment.
And besides, Wikipedia does tend to correct itself when a contributor goes rogue.
Google's knowledge panels, however, seem to do at least four things. First, they provide quick information. So far, so good. Second, however, they also divert traffic that would have
otherwise gone to Wikipedia. That's less good. Third, they come with all the solemn authority
of Google, as if they were carved on tablets of virtual stone, delivered from the digital smoke and fire of Mountain View itself.
And fourth, they provide almost no context for reflective, skeptical judgment.
And that, unless you're looking up something easy like Manny Mercado's batting average,
is no bueno at all.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Thank you. $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
and joining me once again is joe kerrigan he's from the johns hopkins university information security institute joe welcome back hi dave we got some follow-up from our conversation last
week where you and i were having a friendly respectful conversation about uh ios and android
we need more friendly disagreements that's's right. That's right. It was very civil.
And a listener wrote in
and he said,
Hello, gentlemen. I know this is a minority opinion,
but I don't trust the Play Store apps.
In fact, I do think
sideloading is better, but if
and only if you have a really trusted
source. For me, as
for a lot of people, that source is
FDroid. The amount of time and
detail these folks put into the entry for each app is impressive, apart from the fact that it
must be open source. They also redline entries that promote for non-free services or add-ons
that aren't updating or have changed their source code license since this version and probably other
non-open source friendly things. And he goes on to say that basically if it doesn't come included with the box, which
is the phone, he only uses stuff from F-Droid.
What's your take on this?
My take on this is that F-Droid is a secondary market where you can go and install these
apps.
And if all this is accurate, and I've looked at
F-Droid, but I can't find any policy on there, but I have no reason to doubt what the listener
is saying, then F-Droid is probably fine. The concern I have here with that is that can you
get by with all those apps that are on F-Droid and none of the apps that are then in the Android
marketplace? Yeah, a lot of those apps have advertising in them in the Android marketplace, and they probably don't go through as rigorous of a testing cycle at the Android marketplace. Yeah, a lot of those apps have advertising in them in the Android marketplace, and they probably don't go through as rigorous of a testing cycle at the Android
marketplace as they do at F-Droid. So you might say that F-Droid is more of a walled garden than
the Android marketplace. Because of that community aspect. Because of the community aspect. Everything
is open source, and that means the code has to be available for inspection. And that's not the case in the Android store.
So you have this pretty strict standards, I suppose,
of if you want something in here,
it has to have gone through these community-enforced checks.
Yes.
So I would go ahead and say that F-Droid's probably okay for sideloading,
but only if you know what you're doing.
Because once you enable on Android the ability to load from other sources other than the Android marketplace, you can unload them from anywhere, even just having them copied
over from your computer. And we have seen examples, it rarely happens, but it has happened,
where there's been some sort of, what do you call it, I guess an infection of some open source
software. Yes. Someone has gone in and changed some code for bad reasons.
Yeah, I remember Privilege Escalation Attack where they changed a Boolean operator to an assignment operator.
So instead of testing, it actually elevated the privileges automatically.
Yeah.
So something to look out for.
But it sounds like this community has their guard up for those sorts of things.
Right.
They're probably doing the best that they can to prevent it.
Yeah, F-Droid's probably the exception to the rule. And of course, there is nothing like this on the
iOS side. It just simply doesn't exist unless you
jailbreak your device. Which is getting harder and harder. Yeah.
Alright, well, thanks to this listener for writing in. Certainly interesting information.
And as always, Joe Kerrigan, thanks for joining us. My pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
deny approach can keep your company safe and compliant.
My guest today is Todd Inskeep. He's a principal with Booz Allen Hamilton in their commercial cybersecurity consulting group. When the NotPetya pseudo-ransomware attack hit last
summer, he found himself in the middle of it, working to protect his clients and his team
members in the midst of a rapidly evolving, somewhat chaotic situation. I was acting as the
CISO, the chief information security officer for one of our clients. Imagine you come into what
you think is going to be kind of the normal day
at the office, right? There's always a lot of activity going on between the information security
and IT as you're working at a fairly significant Fortune 1000 company. On this particular day,
things seemed to start okay. And then we started getting email from our employees embedded
at the supplier and at the client who were actually impacted by NotPetya. Hey, their computers are
down. These things are happening. And we're now trying to figure out, well, what do we need to do?
What is this thing? How is it spreading? And you start searching for information.
You go to all your resources, in this case, the NHISAC, to CNN, to Twitter. There's not a lot of
news, particularly starting out early in the morning. You're trying to figure out what is it,
what do I need to do? And almost immediately, we get kind of the first question.
Well, we've got network connections to these two companies. Maybe we should cut those off.
And because we had people with their computers embedded at these companies,
maybe we should cut them off too. We don't know what it is. We don't know how it's spreading.
And so we're trying to make those
first couple of decisions. What do we think it is? How do we make sure it doesn't impact us
any more than it already has? So describe what is that process like? What did you ultimately decide?
And what were the bits of information that made you take the choices that you did?
So certainly there was some bits of information.
There was information on Twitter
that people were seeing companies going down,
that computers were locked up.
There was a little bit of news,
and it seemed to be spreading very rapidly.
And so it was a process then of myself,
the head of the IT team,
really just talking for a couple of minutes, looking at the
email evidence we had from our own teams and saying, look, we're just going to stop everything.
Let's cut the ties. We'll cut the network connections. We'll push those people off the
network. We'll talk to them by phone until we have a better idea of what's going on.
And it was a five-minute conversation and five minutes
of searching, trying to find anything that would tell us what was happening. Now, it turns out
that that was too slow. When you actually go look at how rapidly NotPetch is spread in an
organization, it was spreading through some of these organizations that were impacted at rates of over 10,000 computers per minute.
Very rapid spread as it grabbed credentials and used those to expand itself across an enterprise.
From a leadership point of view, how are the various folks that you're working with managing the emotional components of this?
that you're working with managing the emotional components of this? How do you make sure that nobody panics, but that also that you have an appropriate amount of concern?
That's a really great question. And I can be honest, we didn't think about the emotions very
much at all. We really focused on the task at hand. How do we protect our enterprise in the midst of this unknown thing happening?
Especially when we have not just the general
chaos that CNN is starting to report things
and you're starting to see some things on Twitter, but we know
our employees have been affected at the supplier and
at the customer. We're still trying to figure
out what does it mean for the company, but we're very clear our first job is to protect the company.
And so we make those decisions and then start to work back to what's it going to take for us to
feel comfortable to bring those computers back on our network? What's it going to take for us to feel comfortable to bring those computers back on our network? What's it going to take for us to feel comfortable to reconnect our network to that supplier that has been impacted,
to that customer that's been impacted? Looking back, having had the experience that you had,
what are the take-homes for you? How does having been through this inform the work that you do
today? The first is that I think a lot more about
having people, particularly business executives, practice and think about what kind of events might
impact their business. One of the big realizations for me was that while our company wasn't the
target of this attack in any way or shape or form. We were really collateral damage
in a way that we haven't seen very often in previous cyber attacks. There were a lot more
companies more deeply affected, even though they weren't the target. And for us, there was a
business loss that we had to report to Wall Street that had no relationship to us actually losing capability
in our technology and our IT systems. And so trying to get the executives to think more about
how cyber attacks impacting our suppliers, impacting other parts of our business than just
the IT portion of our business could impact us makes you think
about risk differently. There were a number of takeaways in terms of thinking about how this
attack spread. Like many of the attacks over the past couple of years, this attack stole credentials.
And so the ability to reuse credentials has been critical for a lot
of adversaries and a lot of the attacks in the last couple of years, particularly moving to
two-factor, multi-factor authentication becomes a critical control as we go forward. So that when
an adversary steals credentials, they can't go on an extended spree across the entire enterprise or across
multiple enterprises. You really want to limit them to a couple of uses and create conditions
that let you detect their activity earlier. And then there are a lot of little things.
One of the companies that was impacted had no printed copies of their disaster recovery plan.
So when all of these Windows machines are affected by NotPetya,
that means the server that stored your disaster recovery plan
isn't available for you to get a copy of the disaster recovery plan.
If you don't have a printed copy, you're relying on phone networks and memory
to start recovering from this disaster.
Having some simple ideas and the practice of
running through drills gives you a lot more confidence in running through that. It made me
think more about the relationships that we have. A lot of times, the CISOs of companies have built
relationships with the CISOs of other similar companies. But when we started this effort on June 27th,
I had no idea who the CISO at the supplier was.
I had no idea who the CISO at this pharmaceutical client was.
And trying to make those connections
in the middle of everything else,
when they're very busy fighting their fires,
the last thing you want to do
is be trying to
establish those kinds of relationships. Having an IT lead that I knew well could trust,
having a CIO that I'd been working with for a while, having a number of people that I could
trust that trusted me and being able to just call them on the phone, text and quickly make decisions
is invaluable. We often talk about the soft skills of leadership and communication when we're hiring
people and as we're building our teams. I can tell you there's no time when those soft skills
are more important than in the middle of firefighting. It's important for everybody to
know their role and to communicate quickly when they need guidance, but also for them to be able
to go and to trust that you know they're going to be doing the right thing. That's Todd Inskeep
from Booz Allen Hamilton.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.