CyberWire Daily - May hands Putin an ultimatum (and cyber conflict is expected). HenBox spies on Uyghurs. Vixen Panda creeps in UK targets by backdoors. Changes at US State Department, CIA. SINET ITSEF notes.
Episode Date: March 13, 2018. In today's podcast we hear that Britain has given Russia an ultimatum: explain by midnight how your nerve agent got to Salisbury or face the consequences. Russia calls it nonsense. Cyber conflict between the two countries is widely expected. Palo Alto's Unit 42 finds HenBox Android spyware. NCC Labs describes Chinese backdoors used against UK Government and industry targets. President Trump replaces Secretary of State Tillerson with DCI Pompeo. Gina Haspel is tapped as next DCI. Awais Rashid from University of Bristol on cyber physical systems. Guest is Tom Badders from Telos on obfuscation as applied to threat intelligence. And a wrap-up of SINET ITSEF.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Britain gives Russia an ultimatum.
Cyber conflict between the two countries is widely expected.
Palo Alto's Unit 42 finds HenBox Android spyware.
NCC Labs describes Chinese backdoors used against UK government and industry targets.
President Trump replaces Secretary of State Tillerson with DCI Pompeo.
Gina Haspel is tapped as the next DCI.
And a wrap-up of SINET ITSEF.
I'm Dave Bittner with your CyberWire summary for Tuesday, March 13, 2018.
UK Prime Minister May has demanded an explanation from Russia, by midnight tonight, of the March 4 attempted assassination by nerve agent of former GRU officer Sergei Skripal and his daughter Yulia.
Russia will not comply.
Foreign Minister Lavrov dismissed any notion of Russia complicity as nonsense.
Essentially, no one believes this.
The poison was an unusual nerve agent, Novichok, developed by the Soviet Union during the Cold War's endgame.
No other country is known to have stocks of Novichok.
The British view, which Prime Minister May expressed directly
when she had the Russian ambassador summoned to the Foreign Office for an explanation,
poses Russia with a dilemma.
Either Russia lost control of the nerve agent,
or Russia committed a direct action in Salisbury, England.
Neither horn of the dilemma is a palatable one for Russia to grasp,
and it seems unlikely that there's any face-saving way of slipping between the dilemma's horns.
The Prime Minister said,
quote,
This attempted murder using a weapons-grade nerve agent in a British town
was not just a crime against the Skripals.
It was an indiscriminate and reckless act against the United Kingdom, putting the lives of innocent civilians at risk.
End quote.
A police officer who came to the aid of the Skripals also required medical treatment after the attack.
Hundreds of others were offered chemical decontamination, so this assassination attempt was more indiscriminate than most.
Russia is not in a repentant mood.
Speaking for the Russian Foreign Ministry,
Maria Zakharova dismissed the Prime Minister's talk as so much theater.
As reported by CNN, Zakharova said,
quote,
This is a circus show in the British Parliament.
The conclusion is obvious.
This is another information and political campaign based on provocation. Before composing new fairy tales, let someone in the kingdom tell you about how the previous ones about Litvinenko, Berezovsky, Perepilichny, and many others ended.
End quote.
The last three named are other Russians who were murdered in the UK.
They are generally thought to have been assassinated by Russian security services
for spying on behalf of Western governments.
Skripal himself had been convicted in Russia of spying for MI6.
He was released to live in the UK as the result of a US-brokered spy swap.
Prime Minister May's language has been unusually direct.
Quote,
Should there be no credible response,
we will conclude that this action amounts to an unlawful use of force
by the Russian state against the United Kingdom.
End quote.
The UK has darkly promised some form of retaliation.
Sanctions, expulsions and so forth would be the norm,
but they may have more in mind.
Home Secretary Rudd said the retaliation may be covert or clandestine,
which taken with last week's Cabinet statement on cyber defense is being read as hinting at
retaliation with some form of cyber attack. That, in turn, is expected to summon further
Russian retaliation. The U.S. has deplored the attack and says it stands firmly with its ally.
Have you considered that testing your network for vulnerabilities may draw undue attention
to it?
Tom Badders is from Telos, and he joins us to make the case that obfuscation and the use of cloud infrastructure can make it harder for adversaries to make sense of what you're up to.
Cyber threat intelligence professionals are attempting to do their research and investigation and thwart attacks using standard or their own basic networks from the inside out. And many times what happens is cyber criminals are just sitting out there listening to see who's doing what to find vulnerabilities for attack. [...] from corporate or enterprise networks through the use of cloud-based obfuscated networks that are separate from the enterprise networks.
So basically, do your work to identify threats on a separate network than your own.
So take us through the details of that. How can you test your network using a separate network than your own?
So really, when you test your network, you want to do that from the outside in, right? You want to find out who's looking at your network and who can get into your network. So you use an obfuscated or managed attribution network that will hide your identity, hide your location, and encrypt all of your data so that no one can attribute your activities to you.
So it sounds to me like with this security comes a certain level of increased complexity.
How do you balance that complexity against the potential for the increased security?
So from the user's perspective, it's fairly simple. They get, say, for example, a VPN profile that, when they're connected to it, automatically connects them to this infrastructure.
So from a user's perspective, it's not complex at all.
From a network development perspective, it's just a matter of setting up nodes in a virtualized environment: go to AWS, go to Azure, go to any number of different cloud providers, buy a VPS for 30 to 50 to 60 bucks a month, buy a number of them, tie them together with the software, and create a network. There is quite a bit of complexity in setting up the network, knowing how to configure it, and ensuring that the end user's device that's being used is configured such that there is no unplanned digital exhaust coming from that device into the network.
I see.
A lot of the problem is, you know, once you set up your browser to access the internet, to do your threat intel or any kind of business communications using the internet, typically there are digital exhaust, digital breadcrumbs that are put out from your device.
And that's what causes many of the issues, of course, with cyber criminals accessing your network.
So ensuring that the attack surface is eliminated is key to the capabilities of these obfuscated networks.
That's Tom Badders from Telos.
Palo Alto Networks' Unit 42 this morning published a report on HenBox, a family of Android malware that represents itself as legitimate apps available on third-party app stores.
HenBox is spyware, an information stealer that seems designed to target China's Muslim minority.
Unit 42 doesn't offer attribution,
but the target set strongly suggests
a Chinese government domestic intelligence operation.
NCC Group reports that a Chinese threat actor, APT-15,
also known as Mirage, Vixen Panda, or Playful Dragon,
has been actively prospecting
British government agencies and defense contractors through a series of back doors.
The U.S. government has, for reasons of national security, stopped Broadcom's attempted hostile
takeover of Qualcomm.
The AP reports this morning that U.S. President Trump has dismissed Secretary of State Rex Tillerson.
Director of Central Intelligence Mike Pompeo is said to be his replacement.
President Trump tweeted a summary of the decision,
quote,
Mike Pompeo, Director of the CIA, will become our new Secretary of State.
He will do a fantastic job.
Thank you to Rex Tillerson for his service.
Gina Haspel will become the new Director of the CIA, the first woman so chosen. Congratulations to all. In other statements, President Trump thanked Secretary Tillerson for his service,
expressed appreciation for his work,
but also indicated that he and Tillerson hadn't really been thinking along the same lines for some time.
Gina Haspel, the new prospective director of Central Intelligence,
is a career intelligence officer who joined the agency in 1985.
She became the CIA's deputy director last February.
She had previously served under former DCI John Brennan
as active deputy director of the National Clandestine Service.
We wrap up our coverage of SINET's annual ITSEF conference today.
Among the many interesting takeaways from the conference were the importance of resilience,
clarity about one's own enterprise, the relative likelihood of falling victim to a
mundane threat, and the shifting regulatory landscape.
Speakers emphasized that most of the damage done by attackers was accomplished not through rare, exotic, and sophisticated attacks using never-before-seen zero-days, but through social engineering, credential stuffing, and attacks on unpatched systems using known exploits.
Cyber hygiene was therefore much recommended to all.
The threats are less exotic, more familiar, and in many ways more tractable, than hype would tend to make them out to be.
And CISOs urged companies to adopt a realistic view of the direction
in which regulation will push them.
Businesses should expect to be held liable
for much of what goes on in their customers' endpoints.
Indeed, data itself may be well on the way to becoming the new endpoint.
The EU's GDPR and the U.S. Federal Trade Commission are the two major engines driving this shift. Sallie Mae CISO Jerry Archer was particularly clear on this point. This represents a new reality, and there's little point in kicking against it. Instead, come to grips with how to handle it.
Finally, ITSEF speakers stressed that incident response planning and exercises that teach and
test those plans are essential to achieving resilience, which they defined as the ability to fight through an attack
and continue to do business. If that sounds military, it is. A number of industry experts
thought resilience was an area where the private sector could learn much to its profit from
soldiers. So find some old or even young soldiers, ask them about commander's intent, mission [...] Korean and Canadian forces, at least. You'll find details of the conference at thecyberwire.com.
And joining me once again is Professor Awais Rashid. He's a professor of cyber security at the University of Bristol. Welcome back. We wanted to touch today on cyber physical systems. You say this is a new frontier for security. Fill us in here, what are we talking about?
We use devices all the time. We have smart watches, smart thermostats.
We are using smart locks.
We are talking about the Internet of Things revolution.
And all these devices are effectively mini computers which control the environment.
And that's really what a cyber physical system is.
And ultimately, what we are looking at is that industry estimates are that in the next few years we may have up to 50 billion connected devices around the world.
How we actually secure this really highly connected set of mini computers all over the world is actually very, very complicated. We've already looked at the scenario of the Mirai botnet, where a number of these connected devices were actually repurposed to launch a very large-scale denial-of-service attack.
And ultimately, these devices interconnect with the other connected environment that we have.
For example, the workplaces, our homes, and so on, in intricate ways, and often implicitly.
And users often do not fully understand what kind of complex interconnections are going on.
And that really is the next challenge for security.
So how do you actually secure this highly connected set of lots and lots of small devices?
Do you think we're looking at a situation where there needs to be some sort of, for example,
international standards for a minimum standard of security for these sorts of things?
I think the problem is more complex in the sense that standards are a very good thing.
They provide a baseline, but they often lag behind technological developments,
and they also often have to cater for the lowest common denominator.
I think the key thing here is that when we are designing these devices, we need to think about what are the security implications of these devices.
At the moment, many times security is a very late consideration or not a consideration at all.
People are concerned about connectivity of these devices, ease of connectivity.
They're also concerned about battery life and hence energy consumption and things like that. So often security takes a backseat and we need to really
think about security being a core feature of the devices because only by doing that,
we can actually address these kinds of issues. Similarly, we also have to think about that these
devices are not used by security experts. They are used by citizens around the world who actually deploy them in their homes.
How easy or difficult are we making it for them to actually configure the security settings
on these devices?
What do they understand?
How are we informing them?
What kind of communication is the device undertaking?
For example, you buy your smart TV.
Do you know with what or with whom
the smart TV is communicating?
Can you easily change those settings?
And the answer at the moment is unfortunately not
because it's not very easy for users to understand
what happens and what are the security implications
of the various communications that these devices do.
But also it's not really very easy to update those settings
or even understand those settings. So perhaps even having security be a feature that they brag
about before you buy it in this world where people browse through Amazon and look for the
cheapest device, perhaps security is something that manufacturers should crow about as a differentiator.
Yes, and I think we need to change that mindset,
that security has to become a differentiator,
but it has to go hand in hand with cost.
There are studies that show that if you have a more secure device,
for instance, but there is a cheaper device,
then consumers may actually opt for a cheaper device.
And so there is always an economic factor to these things.
So unless and until we can bring the cost of more secure devices down, we will continue to face these kinds of problems. [...] have better means to encourage developers in integrating security more concretely into the software and the hardware that underpins these devices.
Professor Awais Rashid, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett [...]
Thanks for listening.
We'll see you back here tomorrow.