CyberWire Daily - Looking for that threat actor “likely based in Russia.” SolarLeaks and a probably bogus offer of stolen files. Notes on Patch Tuesday.
Episode Date: January 13, 2021. Speculation grows that the Solorigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Speculation grows that the Solorigate threat actors
were also behind the Mimecast compromise.
SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor.
Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum.
Our guest is Andrew Cheung of 01 Communique with an update on quantum computing.
And farewell to an InfoSec good guy.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, January 13th, 2021.
According to the Wall Street Journal, well-informed observers are moving toward the view that the threat actors responsible for the SolarWinds compromise
are also likely to have been behind the Mimecast certificate incident.
As the Journal puts it, quote, The Mimecast hackers used tools and techniques that link them to the hackers
who broke into Austin, Texas-based SolarWinds Corporation,
according to people familiar with the investigation, end quote.
Mimecast had been a SolarWinds customer, but not recently,
and apparently not within the period in which its own certificate became compromised.
How Mimecast was hit remains unknown,
and the Journal's anonymous sources appear to have reached their tentative conclusion
on the basis of TTP similarities alone.
Acting CISA Director Wales thinks more U.S. federal agencies
will find themselves affected by the
SolarWinds supply chain compromise, CyberScoop reports, so other shoes may remain to drop.
Some, let us presume, loser, or more probably crew of losers, presenting their own self or selves as
the threat actor responsible for the SolarWinds compromise, is out there online under the hacker name SolarLeaks.
SolarLeaks is offering SolarWinds product source code,
all including Orion plus customer portal dump for just a quarter of a million dollars.
And FireEye private red team tools, source code, binaries, and documentation for another 50 grand.
Or you can get both, plus an unspecified whole shebang of stuff they're still sorting through for the low, low price of a cool million Yankee dollars.
Come on, Huggy Bear is on vacation and we've all gone crazy.
Serious buyers only, says they.
So hop to it, wealthy elite.
Or not.
Do we really need to say that there's a greater
chance your Aunt Matilda has the winning Powerball ticket than that SolarLeaks really has these or
any other goods? But seriously, forget Powerball and Aunt Matilda for now. Bleeping Computer says
it tried to contact SolarLeaks through the contact email address the offer provided, but
there was no joy there.
Whether the SolarLeaks site is what it purports to be remains unconfirmed,
as does whether it actually has any of the stolen files it mentioned in its offer.
The SolarLeaks domain is registered through Njalla,
a registrar favored by Russian intelligence services.
There's a certain similarity also between the diction in the SolarLeaks come-on
and what we're familiar with from the Shadow Brokers.
To be sure, SolarLeaks lingo isn't the full-on scriptwriter Hekawi favored by the Shadow Brokers,
but it does have a mannered uncertainty about tenses and articles that is vaguely reminiscent of the Brokers.
What's missing from the SolarLeaks
offer, of course, is a promise of delivering files from U.S. government agencies known to
have been compromised. And to be sure, there's nothing out there offered as a sample. Sure,
SolarLeaks did say that nothing in this life is free, but that's what you'd say if you were
bluffing too. Anywho, here are some of the likelier possibilities. First, SolarLeaks could be a
poseur, and this has two sub-possibilities. SolarLeaks is either a grifter trying a long-shot con
in order to make a few bucks from the curious, the gullible, or the self-important, or they're
just some collection of skids rattling the internet's cage for the lulz. Either one of
these is possible. Second, SolarLeaks could be for real,
and they could represent a cyber gang
who prepped and executed the supply chain campaign
with the intention of monetizing it.
This is possible, but seems unlikely.
For one thing, it shows more patience
than crooks normally display.
For another, it's not clear how the stuff
known to have been stolen could be readily monetized.
If they really were aiming at theft of something, they could easily cash out.
This seems like a lot of trouble to go to just to pick up a lot of fools you could hawk in a carding forum.
So, not too likely.
Third, SolarLeaks could be for real and represent a misdirection effort by a member of Huggy Bear's brood.
Recall that Russian influence operations historically tend to aim at increasing the adversary's friction.
They're disruptive, not constructive, entropic, not ordered, and this kind of thing is just more
friction. It's like sending Kevin Mandia a postcard to dunk on FireEye. This seems a real possibility.
Fourth, SolarLeaks could be for real, but its purpose is just to crow, as if that postcard to FireEye's Mandia the FBI is looking at was really
done to count coup. Maybe, but whooping it up seems more cowboy than Cossack, so probably not.
Finally, SolarLeaks could represent misdirection
by some other hitherto implicated nation-state.
Again, maybe, but that really is a priori speculation.
If we had to bet, we'd go for door number one or door number three,
but that's our own a priori speculation.
Yesterday's Patch Tuesday saw software updates from several companies,
including SAP, who released 10 security notes,
seven of which represented updates to earlier fixes,
Adobe, whose security bulletins addressed
Adobe Photoshop, Illustrator, Animate, Campaign Classic,
InCopy, Captivate, Bridge,
and Microsoft, which according to Security Week,
dealt with 83 issues, 10 of
them critical, one of which is undergoing active exploitation.
One of Microsoft's patches addresses a Windows Defender flaw, and the Zero Day Initiative
speculates in its Patch Tuesday summary that this particular issue was exploited in the
Solorigate cyber espionage campaign.
We end today on a sad note.
The information security world lost one of its own this month.
Yonathan Klijnsma, most recently head of threat research at RiskIQ,
and a friend of this show, lost his life to cancer last Wednesday.
He was just shy of his 30th birthday, taken far too soon.
We wish him peace and his family consolation.
He'll be missed.
Our guest today is Andrew Cheung, CEO of 01 Communique,
a company that's developing a number of post-quantum cryptographic systems for security.
Andrew, welcome to the Cyber Wire.
Thank you. Pleasure to be here.
Before we dig into the details of some of the goings-on when it comes to post-quantum cryptographic systems,
can you give us a little of the backstory and sort of where we stand today?
What is the significance of,
when we're talking about quantum computing,
why is that important?
Yeah, well, that's a very good question.
So a quantum computer can be explained in layman's terms
as an extremely fast computer.
We're talking about millions of times faster than a conventional supercomputer.
You're not talking about 100 times faster.
You're talking millions of times faster. [...] useless, because they can compress the over-a-century time needed to
crack the encryption in use today to become just a few seconds.
So that's the problem a quantum computer is having on the bedrock of
cybersecurity today.
And we are providing the shield,
or you can call the quantum safe encryption
to withstand that excessive computing power.
Do you find that there's some skepticism from people
that this is going to happen so quickly?
It seems to me as though there's a sense
that it's always a little bit off in the future,
you know, no matter when you ask.
Exactly.
You know, this is just like any, I think we are rewriting one of those best examples,
like COVID, you know, people ignore it until it happens.
And this is, we are human beings, and human beings tend to be like that.
When they see a problem, they say, oh, I'll act when it is here.
But this is a very serious issue because when it comes, it's not like overnight you can convert your system to become quantum safe.
It takes time to do it.
And even more scary is that hackers today,
they can grab your data while your data today is encrypted. So even if they grab your data,
it's meaningless. That's okay. They can grab your data, but then they just simply
put it aside and wait until after Q Day to decrypt your stuff, right?
So the protection should already be protected today,
not on Q Day or even shortly before Q Day.
And it is very scary.
The only fact that people know is that many nations are also pouring billions and billions of dollars
in quantum computing research.
And they won't tell you what they have.
It's very, very scary.
Marching from here between now and Q Day.
Right.
All right.
Well, Andrew Cheung, thank you so much for joining us.
My pleasure. Thank you.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story from Ars Technica.
This is written by Dan Goodin,
and it's titled,
WhatsApp Gives Users an Ultimatum,
Share Data with Facebook or Stop Using the App.
Isn't that nice?
What do you think about this?
You know, I thought to myself,
I'll bet Joe has thoughts on this.
So, Joe, what are your
thoughts? Yeah, I have been on the verge of wanting to delete my Facebook account for so long. And
this kind of behavior is exactly why. Facebook bought WhatsApp, I think back in 2014,
for a large sum of money. WhatsApp was or is an end-to-end encryption communication app, right?
Yeah.
And once it got acquired by Facebook, of course, everybody was like,
well, that's the end of that.
And it turns out, well, yeah, that is the end of that.
It only took a few years.
It just took a little while.
But now they have these terms of service, TOS,
that if you don't agree to them by February,
it will not let you continue to
use the app. So the data that WhatsApp collects includes your phone number, other people's phone
numbers stored in your address books, profile names, pictures, status messages, including
when the user was last online, right? Diagnostic data collected from app logs. I
actually don't have a problem with that one. That one's actually kind of important from a development standpoint. But under the new terms,
Facebook reserves the right to share collected data with, quote, its family of companies.
That's a big family.
That is a big family. And you're not going to have the choice of that anymore. So until next month, that data
has always been separated from the vast pile of Facebook data. After next month, it will be
integrated into it. And if you don't agree to that, you can't use the service anymore.
Right. There is another article on The Verge that is interesting. It says,
Signal sees surge in new signups
after boost from Elon Musk
and WhatsApp controversy.
So users are evacuating WhatsApp
and heading over to Signal.
In fact, I signed up for Signal today
because I didn't use it before,
but I probably should have been.
I'd been using Telegram
as my end-to-end encryption messenger service. But Signal, I think,
is better, and it doesn't collect any data at all. It's run by a foundation. It's supported
by donations. I like that model a lot better for communicating securely. That's, I think,
the better way to go. This whole thing, though, Dave, there's been talk in Washington about breaking up some of
these large tech giants like Facebook and Google. I don't know about, or I guess Alphabet, it
wouldn't be Google. I don't know about Alphabet, but I think it might be time to break up Facebook.
And this is just my opinion, not the opinion of my employer or anybody else. This is solely Joe Carrigan's opinion. But I think that Facebook is a company that we need to actually
look at that from a consumer protection standpoint and make sure that, I mean, because the amount of
data that they're collecting about people is staggering. And the ways they're collecting it
is also staggering. Yeah. Yeah. You know, it's, I think the thing that gets my goat is that they,
there's no granularity here. It's all or nothing. You either share, share it all or just, okay,
fine. Go away. You know, if we, you're not going to let us do this, we don't want you.
Right. Well, guess what? I think, I think Mark that you're, uh, you're about to lose me.
Right. I'm sure he'll still lose sleep over it, just like he did when I shut down
my Facebook account. He'll cry himself to sleep on his pillow stuffed with billion-dollar bills.
Right, right. You know, even if you're not on Facebook anymore, they still track you.
They do. They still track you around the web. So, I mean, I think you're right. I think there's a
case to be made for breaking up some of these big tech companies,
but I also think there's a case to be made for giving users control of this information
in a much more meaningful way.
So hopefully we'll see some political will in the coming years,
or hopefully sooner than later, that we can get control of this for ourselves,
that all this information can't just be shared around without us.
Let us opt in.
In the very least, let us opt out.
Yes.
Without having to not use the...
Anyway, I'm rambling.
Everybody knows what I mean here.
Right.
Yeah.
It's frustrating, though.
Can you tell it's frustrating, Joe?
It is frustrating, and I can tell.
Yeah, I can tell.
All right. Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Share the wonder.
Listen for us on your Alexa smart speaker, too.
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.