CyberWire Daily - Olympic hacking—false flags and attack infrastructure. Cryptojacking. Smartphone security bans. Heraldic animals of hacking.
Episode Date: February 26, 2018
In today's podcast, we hear that anonymous US Intelligence sources call the Olympic hacks a Russian false flag operation. More cyberattacks are expected from the infrastructure set up to hit the Games. Calls for international norms for cyber conflict rise. CrowdStrike's Global Threat Report sees proliferation and commodification of attack tools. Ad network serves cryptojacker. Malicious smartphones or just a trade war? Joe Carrigan from JHU on securing AWS buckets. Guest is Randall Murch from VA Tech on cyber biosecurity. And a scorecard for hacking heraldry.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Anonymous U.S. intelligence sources call the Olympic hacks a Russian false flag operation. More cyber attacks are expected from the infrastructure set up to
hit the games. Calls for international norms for cyber conflict rise. CrowdStrike's global
threat report sees proliferation and commodification of attack tools. An ad network serves a crypto
jacker. Are they malicious smartphones or just a trade war? And a scorecard for hacking heraldry.
I'm Dave Bittner with your CyberWire summary for Monday, February 26, 2018.
Anonymous sources in the U.S. intelligence community are telling the Washington Post and others that Russia's GRU was responsible for the hack that marred the PyeongChang Winter Olympics opening ceremonies.
The U.S. sources also assert that it was a false flag operation intended to look like a North Korean hack.
The GRU accomplished this through some code reuse, use of North Korean IP addresses,
and some scattered Korean language cues.
If this is indeed a false flag operation, two things are noteworthy. First,
the imposture was pretty thin because suspicion fell almost immediately on Russia as private
sector security firms commenting on the incident noted that it had the hallmarks of a Russian
operation. Second, the GRU, Russia's military intelligence service, is well known as the lair of Fancy Bear.
Fancy Bear, in apparent retaliation for anti-doping sanctions against the Russian team,
had begun doxing the International Olympic Committee and individual non-Russian athletes late last year.
For those interested in the probable organization charts,
the GRU operators are believed to work in the agency's main
center for special technology.
They are the same outfit generally denounced last week as responsible for last year's
NotPetya pseudo-ransomware campaign.
Observers think that those who hacked the Olympic Games sites also succeeded in establishing
persistence in the victims' networks.
They had gained access to a number of routers,
and they are expected by many to use the infrastructure established for the Games
in future attacks against other targets.
The International Olympic Committee is reviewing Russia's behavior this week
with a view to possibly reinstating the country's national team
as an official participant in the Olympics.
The main issue is doping,
but it's reasonable to expect the hacking may also figure in their
deliberations.
Olympic hacking, it's good to recall, goes back to Rio 2016, or even, if you count the
bogus Ku Klux Klan leaflets the Soviet security organs printed and distributed to scare people
away from Los Angeles in the pre-internet days of 1984.
Pyeongchang, with its hacks and doping scandals, is now in the books, but tomorrow is another day.
Russian athletes were permitted to compete as individuals under the non-flagged, non-anthemed
collective called Olympic Athletes from Russia, or OAR.
The OAR designation and restrictions didn't prevent the athletes formerly known as the Russian
hockey team from belting out the Russian national anthem on the podium. So there, IOC. Nor, alas,
did it completely inhibit doping. One of those popped for doping during the games, tempted fate
by sporting a sweatshirt emblazoned in English with, I don't do doping, I am ze sport. We note that the shirt was
in the Russian red, white, and blue, which colors the IOC wished the athletes formerly known as the
Russian team to avoid. Those colors were okay for other teams, of course, France, Slovakia,
the Czech Republic, Slovenia, the U.S., the Netherlands, and even the UK, albeit expressed with the crosses of St. George and St. Andrew, and so on.
So, in our view, the IOC should expect more doxing.
Sport hacking is vexing, particularly to fans, participants, and other interested parties,
but of course many more serious varieties of state-sponsored cyber attack have become common.
Sentiment in favor of some sort of international peaceful agreement in cyberspace grows, especially in the tech industry. There are calls for a truce to
limit cyber conflict. Unfortunately, such treaties are unlikely to do much more than afford a
background against which it might be possible to blame and shame. Given the notorious difficulties
of attribution, even when state agents are as noisy and heedless of detection as Fancy Bear, even this hope may be a forlorn one.
Another challenge to the limitation of cyber warfare is noted by CrowdStrike's 2018 Global Threat Report issued this morning.
Attack tools have become commoditized and less capable states are gaining access to code that would have been beyond their ability to develop and deploy as recently as a few years ago.
And the report notes commodity criminal tools are also being repurposed by states and redeployed
as cyber weapons.
There are strong economic and industrial policy forces working to exacerbate cyber tensions,
if Chinese smartphone manufacturers are to be believed.
Australia's Defense Department has joined its U.S. counterparts
in banning Huawei and ZTE phones as security risks.
Huawei sees the bans as moves in a larger trade war,
prompted by industry fears of the Chinese company's potential to dominate the market.
Biology is more and more intersecting with
the digital domain, with genomes being decoded, automation and drug development,
disease surveillance, and food production and safety. But with these new capabilities come
new risks. Randall Murch is research lead and professor of practice at Virginia Tech,
and he's heading up an effort to understand the complex issues of cyber biosecurity. Cyber biosecurity is an emerging new discipline that really tries to
bring together sort of the world of cyber and the world of bio, and that's broadly based,
and then also with the security components. So we've actually crafted a definition, which is, it's morphing as we talk,
but very quickly, it's developing understanding of the vulnerabilities to unwanted surveillance,
intrusions, malicious and harmful activities, which can occur within or at the interfaces of commingled life sciences, that includes medicine, cyber-physical and infrastructure systems. And what we're seeking to do is developing measures to prevent, protect,
mitigate, investigate, and attribute those threats. So that's the explanation. Can you give us some
real-world examples of where these things intersect and how it might affect us?
First of all, the life sciences are heavily dependent on collection of large amounts of data that's basically IT-enabled.
And that data is then exploited by advanced computational methods, increasingly AI.
And some of that data is particularly sensitive when it relates to somebody's personal health all the way down to their personal genomics.
And so that data is moving around in the cloud and that data is not secured. Two might be if a company is building a new therapeutic or vaccine to something,
an infectious disease or a chronic disease, and wants to maintain their competitive advantage
because they've invested lots of money into this. They want to protect their investment. So the protection against theft of intellectual property would be another example.
Another might be over in agriculture and food systems where drones are used for field disease
surveillance and monitoring crops and so forth. Those drones obviously have communication links
that are not secure. And if they are
corrupted, the drone may not be as effective as it intended to be. Another is an area of process
control. So in biomanufacturing, on small scale, there are more humans in the loop with some IT
enabled support, such as the cyber-physical interfaces in fermentation when you're growing
up a microbe that's producing a product of interest. And as you scale up, and including
in big biomanufacturing, there's less human intervention and more automation.
You know, we hear these stories related to privacy with people getting their DNA tested and then, you know, the DNA testing companies claiming rights to your DNA, you know, things like that. Is there a sense that,
you know, people are giving up this data without really knowing what the long-term consequences
might be? I think that is true. And also, it's one thing for a company to have a legal arrangement with you that you're
going to provide the DNA and they're going to analyze the DNA and provide you some set of
results that you're interested in. But also, then what happens to the DNA when they hold on to it
is kind of where you were going with that. But if, for example, you have a situation which is actually occurring now
where a company and, let's say, some kind of organization or entity in the U.S.
outsources the analysis of DNA,
whether it's from an electronic health records perspective
or a personal genomics perspective,
they can actually use that and they may be playing by different rules than we have
with respect to what can be done with the DNA or the information
and also how it's protected for privacy purposes.
So imagine, for example, the personal genomics, let's say, of a military unit, something like that on one of our military units was stolen, if you will.
And it was then fully analyzed and an adversary really understood what the attributes and limitations for performance, let's say, or vulnerability to a disease or something like that,
you can imagine that that would be a significant advantage to an adversary
as they look at us as if we're a threat and what they might do with that.
And obviously another one would be if an entity, let's say it's the department, our Department of Defense or some other country's military enterprise is investing in biotherapeutic or a vaccine for an infectious disease or something.
And the adversary understands what the strengths and weaknesses are and builds capabilities around that to avoid that antimicrobial vaccine, whatever it is.
That's Randall Murch from Virginia Tech.
You can learn more about their efforts in cyber biosecurity on the Virginia Tech website.
In cybercrime news, researchers at security firm Qihoo 360 Netlab say an unnamed ad network
installs cryptojackers via advertising it serves on its customers' sites.
It's using a domain generation algorithm to evade ad blockers.
T-Mobile patches a bug that could have enabled customer account hijacking through the company's
website.
Whether the vulnerability was actually exploited is unknown.
In industry news, PhishMe has been acquired by a consortium of private equity investors
for a reported $400 million.
The company will rebrand itself as Cofense,
the better, it says, to reflect the range of its offerings.
And finally, to return to CrowdStrike's 2018 Global Threat Report,
we note that the security firm has compiled a useful scorecard
that lets you know your hacking animals.
Bears are Russian.
Chollimas, mythical winged horses, kind of Sino-Korean Pegasus, are North Korean.
Jackals are hacktivists, which seems to say something about CrowdStrike's low view of this category of threat actor.
Kittens are Iranian. Persian cats, right?
Leopards are from Pakistan.
Pandas are, naturally, Chinese.
Spiders are cyber criminals.
Tigers come from India.
So there you go.
But we think no nation should be left behind.
People should think up animal names for threat actors belonging to other nations.
Consider starting with the Five Eyes, for example.
They deserve some love, too.
Australia seems obvious.
The kangaroo, especially since the wombat is already taken by some guys from Pittsburgh.
But you could also go with a kookaburra.
New Zealand is probably going to have to be a kiwi.
Canada offers a couple of good options, but we'd pick the lucky loon over the blue-nosed beaver.
The UK should be maybe a lion or a unicorn.
Or both.
The US is difficult.
The eagle is pretty obvious.
Too obvious, maybe.
Local pride suggests that maybe Maryland's state reptile,
the Diamondback Terrapin,
would be a good animal for America.
Equation Group is sort of bland, don't you think?
Shadowbrokers.
Why not Terrible Terrapin?
Topper turtle?
Dapper diamondback?
We'll leave this as an exercise for our listeners.
Let us know what you think.
AWS buckets and Amazon Web Service containers and either having them misconfigured or just not having the proper security settings on them.
Right.
The most recent one being the Red Disk virtual disk
that was up in Amazon.
Right.
Just completely unprotected.
Right.
From the Department of Defense.
Right.
I don't think people are intentionally leaving things out in the open, or do you think that they're just relying on security by obscurity?
I don't know.
It could be that somebody put it out there intentionally, but I think that the much more likely explanation is that somebody put it up there going, nobody's ever going to look here.
Somebody's going to look there.
Wherever there is on the Internet, somebody's looking.
It's just a fact of life.
And there is no such thing as security through obscurity because there are a lot of people
who spend time looking for these kind of things out there that are just available and open.
So if you have something out there that's available and open and you put something as
a matter of convenience up so you can get to it from another place without having to
authenticate, you're not the only one doing that. Somebody else is going to do that.
And they're doing it in an automated way, right?
Sure, absolutely. There are tools out there.
No one's manually poking around.
Yeah, they're not manually poking around. There are tools out there that you can script these
things that go out and look, and if they get a response from a web server or some Amazon site
out there that says, hey, there's some interesting things here,
then they'll go in and manually look around. Yeah. It also strikes me that how often this
seems to be third parties where it's a contractor or someone who is trusted with the data who sticks
it somewhere, again, for convenience. And it's hard to know how you control that.
You know, there are controls in place for how you're supposed to handle classified information.
Sure, sure.
Well, classified information, yes.
Right.
And I believe this Red Disk leak falls under those guidelines.
So this is clearly somebody mishandling this, in my opinion.
Are they being malicious?
I couldn't say.
In fact, if I had to guess, I'd say probably not.
What's that old saying of never assign malice to something that could be explained with
incompetence or laziness?
Exactly.
Yeah.
That's exactly what I'm saying.
So I guess the lesson here is, well, number one, don't assume that you can just stick
something somewhere online and that no one will find it.
Yep.
Because somebody will find it.
Those days are over.
Yep.
But also, you need to, when you're configuring these things,
you need to make sure, double-check, have someone maybe watching your back.
Right, lock them down.
Audit them.
That's a good way to say it.
Right, audit them.
Excellent.
Excellent advice, as always.
Joe Carrigan, thanks for joining us.
My pleasure.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Thanks for listening.
We'll see you back here tomorrow.