CyberWire Daily - NATO and UK to Russia: hands off elections and infrastructure. More trouble for Huawei, and maybe for others. Notes from the Cyber Investing Summit. Equifax downgraded over 2017 breach. Is it art?
Episode Date: May 23, 2019. The UK and NATO send Moscow a pointed message about the consequences of meddling with either infrastructure or elections. More companies, including ARM, decide they won't be working with Huawei. Other Chinese companies seem headed for US blacklisting. Moody's cuts Equifax's rating over its 2017 breach. Notes from last week's Cyber Investing Summit. And we may not know much about art, but we know what we like. Justin Harvey from Accenture on the ongoing threat of USB devices. Tamika Smith speaks with Sydney Freedberg Jr. from Breaking Defense about his article, "Can NSA Stop China Copying Its Cyber Weapons?" For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_23.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
The UK and NATO send Moscow a pointed message about the consequences of meddling with either infrastructure or elections.
More companies, including Arm, decide they won't be working with Huawei. Other Chinese companies seem headed for U.S. blacklisting. Moody's cuts Equifax's rating over its 2017 breach. Notes from last week's Cyber Investing Summit. And we may not know much about art, but we know what we like.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 23, 2019.
The UK's National Cyber Security Centre has warned 16 NATO allies of Russian activity directed against infrastructure and government networks.
Today's disclosure came from Secretary of State for Foreign Affairs Jeremy Hunt,
speaking before a gathering at the NCSC.
Mr. Hunt said that, quote,
Russia's intelligence services are targeting the critical national infrastructure of many countries in order to look for vulnerabilities.
He called it a global campaign that also seeks to compromise central government networks.
NATO Secretary General Jens Stoltenberg, who appeared with Mr. Hunt, warned Russia that NATO has a full range of responses to cyberattacks available, and that Moscow shouldn't count
on the Atlantic Alliance being reluctant to use them.
The tough line comes shortly after the European Union decided to enact a system for sanctioning
people and states that engaged in cyber attacks.
It also comes as voting begins for European Parliament.
More companies are severing business ties and plans with Huawei.
In this round, they're not American companies.
British chip giant Arm will join Intel and Qualcomm in stopping business with Huawei.
According to an internal memorandum obtained by the BBC, Arm has told its employees to stop contact with Huawei personnel.
The Washington Post says that Vodafone and BT Group have decided to suspend plans to include Huawei phones in their 5G networks. The Arm decision is regarded as particularly damaging. Huawei denies posing a security threat and says it considers the blacklisting politically motivated. The Telegraph lists other Chinese companies thought likely to wind up in Huawei's boat:
Surveillance equipment vendors Hikvision and Dahua,
facial recognition providers Cloudwalk and SenseTime,
drone maker DJI, and of course, Huawei's smaller rival, ZTE.
Hikvision's and Dahua's billionaire founders are said in particular to have taken a big financial bath that got deeper and soapier at midweek as the U.S. seemed to turn its attention to them. In their case, concerns about security are joined by international distaste for the companies' role in enabling Beijing's domestic surveillance policies.
Sydney Freedberg is deputy editor at BreakingDefense.com.
He and his colleague, Teresa Hitchens, recently published a story titled,
Can NSA Stop China Copying Its Cyber Weapons?
The CyberWire's Tamika Smith spoke with Sydney Freedberg.
There was a release from Symantec, which, like all the big antivirus companies, very carefully tracks threats around the world, which was then picked up by the New York Times. Symantec doesn't want to offend anybody who actually has nuclear missiles, so they say Buckeye and Equation Group, but those are in fact their code names for China and the National Security Agency. It said that basically we already knew that some cyber weapons programs used to get into other people's networks from NSA had been leaked previously. There were some in WikiLeaks that had gotten loose and been picked up by other players, including the Chinese. But recently, they found evidence the Chinese were using some of these NSA tools before that leak happened.
So how did they get them? And what Symantec deduced, you know, using their technical means, so I'm not qualified to say, you know, independently whether this was right or not, probably happened is this: when the software was copied, when the malware was copied onto the target network in China to spy on the Chinese, it didn't erase itself, or didn't erase enough of itself, so that they actually were able to copy the software used against them and shoot it back, not at us, but at other targets, including some of our allies. So the blueprint didn't self-destruct.
This is the tricky part about cyber warfare. I mean, if I drop a bomb on a country, it blows up, right? I mean, there are bits and pieces. If it duds, yeah, they can take it apart and see how it works, but it's not like it's carrying its own blueprint around with it, right? You know, somebody can steal a plane from you. I mean, that happened with defectors in the Cold War. People would fly Russian planes to us. But even though you had the physical thing, you didn't have the blueprint. Well, a cyber weapon is a computer program. It is line after line after line of code. It is its blueprint. There is no distinction between the blueprint, the thing that tells you how it works and how to build it, and the thing itself. So just by using it and putting it into action, it has to go on the target's machine. It has to copy itself. And the stuff that is copying on their machine has to be the stuff that tells you how to build it, because that's what the code is.
So staying on that point, if we know that at this point the cyber weaponry is highly dangerous, is there any way that they're thinking about creating a tamper-resistant method and stopping the development of what they're doing now?
This is a big debate I tapped into, me and my colleague, Teresa Hitchens, who helped me with the story, asking experts in this field, you know, can we actually make this stuff tamper-resistant? You know, this tape will self-destruct in three seconds, right, from the old Mission Impossible series. Can you do that with cyber weapons? And yes, you can, to an extent. You don't have to have this stuff leaving itself around or copying itself willy-nilly across the internet, which kind of happened with Stuxnet, for example. It was probably the thing we and the Israelis built to damage the Iranian nuclear program, but it also got into the wild. It didn't destroy anything that it wasn't targeted at, but it had copies all over the place that people could find and reverse engineer. It's possible to create something that doesn't copy itself like that and erases what copies it made. But at some point, as it's executing the code during the attack, that code has to be on the system. It has to be in the target's computer. And that means if they are actually able to watch what's happening in their own computer in real time, which is a perfectly reasonable security system to have for other purposes anyway, they can record the code before it erases itself. So this is possibly an inherent weakness of cyber weapons, a way they're a double-edged sword that physical weapons are not.
So what's next?
That is tricky. I mean, the NSA, I've heard people say, you know, the NSA had gotten a little cocky about its ability to penetrate other people's networks and not get penetrated in return. And that, you know, disclosures like Snowden and so forth were a humbling experience. So I would hope, you know, obviously no one is giving me secret briefings, I'm a reporter, but I would hope that NSA, United States Cyber Command, and other U.S. agencies that use cyber weapons are being much more careful about, you know, who has access to the code, and much more careful about what part of the code actually has to go on the target machine as opposed to what you would be operating remotely, and what part and how that code erases itself after it's done its mission. And technically those are all things you can do, but there may be, you know, a limit, as I said, to that, or a point where, you know, there is always going to be some vulnerability to this kind of weapon, because it's a weapon made up of information.
Thank you so much, Sydney, for joining the program.
My pleasure.
Sydney Freedberg is a deputy editor of the online publication Breaking Defense. He wrote the article "Can NSA Stop China Copying Its Cyber Weapons?" You'll be able to read more about this article at BreakingDefense.com.
Equifax continues to suffer from its 2017 breach.
Moody's downgraded the credit bureau's outlook from stable to negative,
citing long-term effects of Equifax's security and infrastructure costs.
CNBC quotes Moody's as saying this is the first time a cyber incident has driven such a downgrade.
We have a few quick notes on last week's Cyber Investing Summit in New York City. First, one of the consequences of the move to 5G appears to be greater dependence on satellites to carry internet traffic. This will, in all likelihood, require that new generations of communication satellites be reprogrammable, and with such flexibility comes vulnerability. What can be reprogrammed can also be hacked. So look to the skies, security people.
And in a keynote,
Roger Thornton, AT&T Cybersecurity's Vice President of Products and Technology,
asked how we wound up with 3,000 or so cybersecurity companies.
Do we need that many?
He noted that consolidation of cybersecurity companies is already underway.
Of those 3,000-some firms, Thornton said,
the revenue of the top five companies accounts for some 10% of the sector's total revenue.
That's far from an oligopoly,
but it does suggest the industry is
ready for some consolidation.
And finally, we don't know much about art, but we know what we like. And we're liking this a lot, although maybe not to the tune of 10,000 Benjamins. What's this we're talking about? We're talking about art, friends. The work in question is The Persistence of Chaos, a piece by Guo O Dong that consists of a laptop running WannaCry and other malware that's up for auction with bids starting north of $1 million.
Don't worry, the installation is air-gapped.
The Persistence of Chaos is 10.3 by 1.2 by 7.3 inches.
At 2.8 pounds, it's clunky for a tablet alternative, but quite svelte as a piece of cyber sculpture.
The malware includes ILOVEYOU, MyDoom, SoBig, critics' favorite WannaCry, DarkTequila, and BlackEnergy.
This haunting Borgesian work, concerned with the interplay of cyber and
financial space, assembles a list of the losses each strain of malware imposed,
challenging and deconstructing our preconceptions about the very ground of its reference,
which might be taken as the problematic of money and state power. Also, if you get close enough to
the screen, it's probably pretty immersive too, although you wouldn't want to leave nose prints on the display, especially if you ponied up more than a million bucks for it.
Did we mention that Persistence of Chaos is air-gapped? The concern for safety seems right.
The Persistence of Chaos was commissioned by and supported by Deep Instinct, the AI and deep
learning firm that's headquartered in New York City, which is also the headquarters of the art world.
So good for them for keeping it safe.
It's worth noting that they also lawyered up.
As the catalog puts it, quote,
the sale of malware for operational purposes is illegal in the United States.
As a buyer, you recognize that this work represents a potential security hazard.
By submitting a bid, you agree and acknowledge that you're purchasing this work as a piece of art or for academic reasons, End quote.
So, you see, it's sanitized for your protection.
We'll see if that hold harmless clause holds up in court.
So, before you chuck out that Amiga you let get infected with Byte Bandit and have stuck somewhere in your parents' garage, think again. You could be sitting on artwork gold, friend.
So, okay, but for all the fun we're having with The Persistence of Chaos, let's send a discreet bit of applause, or at least a beatnik finger snap, to Deep Instinct for thinking about cyber art.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back. You know, it seems in the news recently, not long ago, we had a story about someone infecting some Secret Service computers, perhaps with some thumb drives, with some USB sticks. This seems like the problem that just won't go away.
It is definitely a growing concern among cyber defense organizations globally.
As we are seeing more virtualization on the desktop and more and more systems that are being cleaned and not reused after you log out,
adversaries need a means to penetrate the enterprise. And one of the easiest ways is
through USB sticks. And we have all heard of the, I guess I was going to say urban legend,
but it's not an urban legend of people finding USB sticks in the parking lot and plugging them in. I think that the best
way to really work around that growing threat is to have strong endpoint controls. First is,
we are seeing more and more organizations put in policies on the endpoint where you can't plug in
a USB stick if it's not encrypted. That serves a couple purposes. First is it would lessen the likelihood that an adversary would just have their malware sitting there on an unencrypted USB drive. So if they try to plug it in, oh, it's not encrypted, so I can't plug it in.
Now, when you say can't plug it in, do you mean that when you insert it in the machine, the machine won't mount it?
Correct. It does a soft mount. It determines what sort of file system it is. And if it's not an encrypted file system that's approved or an encrypted file algorithm, it can sit there,
plug in the system, but it won't actually mount it. Another way to combat this, or at least to
shorten the detection time, is to also have really good
endpoint monitoring with that telemetry going into your SIEM and creating use cases on it. So if there is an unencrypted USB mounting attempt by an endpoint, that should be flagged in the SIEM. And in fact, you can actually start to track the vendors and/or the serial numbers of these USB drives. So if you see certain types of them going through the enterprise, you can actually create some interesting SIEM monitoring use cases around that.
You know, it seems to me like this is an area where you
have to be careful to not slow people down. If they need to sling these files around, you know, you could run into
a shadow IT situation. Yes, I guess that's always the counterbalance to putting in security,
which is affecting productivity. But I have to say the lesser of two evils here is definitely
putting a lockdown on your USB drives and at minimum, at least only require encrypted drives.
It's always Murphy's law that the worst thing is going to happen. You have another team in,
you have a consultancy, you have another organization that's within your company,
they ask for certain files, you can't send them because they're too big. We all do it. We all resort to USB. But I got to tell you,
the alternative of not having the USB encryption control is probably more damaging
to an enterprise cyber defense posture than forcing people to go down a possible route of
shadow IT. Yeah. And I guess just having them available, having them plentiful,
ones that have been approved, that have whatever encryption you're requiring there so that people don't have to go hunting around for them, that probably goes a long way towards helping as well.
Exactly.
And, in fact, one of the ways that we have been working through this within our team is we carry little USB drives that have keypads on them.
So it doesn't really rely upon software encryption.
It's actually hardware-based encryption.
So you plug it in, you enter a six or nine-digit code, and boom, now it's encrypted and presents it to the operating system.
Unplug it, and it's immediately encrypted.
You could throw it across the room, leave it in the airport, which is no problem for this type of hardware. I highly recommend it.
All right. Well, good advice. Justin Harvey, thanks for joining us.
Thank you.
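One way to turn the two SIEM use cases Harvey describes (flagging unencrypted USB mount attempts, and tracking drives by vendor and serial number as they move between hosts) into detection logic. This is an added example, not code from the podcast or from Accenture; the event schema, the approved file-system labels and the sample telemetry are all constructed for it.

```python
"""Toy SIEM-style detection for the USB policy discussed above: flag mount
attempts by removable drives whose file system is not an approved encrypted
one, and track the same drive (vendor + serial) turning up on several hosts.
The event fields and sample telemetry are constructed for this example."""
import json
from collections import defaultdict

# Approved encrypted file-system labels. Assumed policy values, not from the page.
APPROVED_ENCRYPTED = {"bitlocker-to-go", "hw-keypad-aes"}

# Constructed sample telemetry: one JSON event per line, as an endpoint agent
# might forward to a SIEM. The field names are invented for this example.
SAMPLE_EVENTS = """\
{"ts": "2019-05-23T09:01:12Z", "host": "ws-101", "user": "alice", "vendor": "0951", "serial": "A1B2C3", "fs": "bitlocker-to-go"}
{"ts": "2019-05-23T09:04:40Z", "host": "ws-102", "user": "bob", "vendor": "0781", "serial": "ZZ9999", "fs": "fat32"}
{"ts": "2019-05-23T10:15:03Z", "host": "ws-117", "user": "carol", "vendor": "0781", "serial": "ZZ9999", "fs": "fat32"}
{"ts": "2019-05-23T11:30:55Z", "host": "ws-120", "user": "dave", "vendor": "04e8", "serial": "K7K7K7", "fs": "hw-keypad-aes"}
{"ts": "2019-05-23T12:02:17Z", "host": "ws-101", "user": "alice", "vendor": "0781", "serial": "ZZ9999", "fs": "exfat"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count parse failures; skip here
    return events


def unencrypted_mount_attempts(events):
    """Use case 1: every mount attempt whose file system is not approved encrypted."""
    return [e for e in events if e.get("fs", "").lower() not in APPROVED_ENCRYPTED]


def drives_seen_on_multiple_hosts(events, min_hosts=2):
    """Use case 2: the same physical drive (vendor + serial) on several endpoints,
    i.e. a stick 'going through the enterprise'. Returns {"vendor:serial": hosts}."""
    hosts = defaultdict(set)
    for e in events:
        hosts[f"{e.get('vendor')}:{e.get('serial')}"].add(e.get("host"))
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def summarize(text):
    """Run both use cases over raw log text and return a compact alert report."""
    events = parse_events(text)
    return {
        "unencrypted": [(e["host"], e["user"], e["serial"])
                        for e in unencrypted_mount_attempts(events)],
        "roaming_drives": drives_seen_on_multiple_hosts(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

On the sample data the report lists three unencrypted mount attempts and one drive (vendor 0781, serial ZZ9999) seen on three different workstations, which is the pattern Harvey suggests building a use case around.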
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is
proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol
Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.