CyberWire Daily - Operation Cloudhopper and industrial espionage. Anonymous social network Blind server left exposed. Reputation jacking. Alexa shares too much, by accident. Hitman scam is back.
Episode Date: December 21, 2018
In today's podcast, we hear that the Five Eyes have had quite enough of Stone Panda's Cloudhopping, thank you very much, and they want Beijing to put a stop to it. Beijing says it's all slander, and that the Yankees are probably just as bad. Blind turns out not to be as blind as its users thought. Reputation jacking comes to business email compromise. Alexa complies with GDPR, but goes a little overboard. And no, a hitman has not been hired to get you, no matter what that email says. Joe Carrigan from JHU ISI on hackers bypassing Gmail two-factor authentication. Guest is Brian McCullough, host of the TechMeme Ride Home podcast and author of the book How the Internet Happened. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_21.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Five Eyes have had quite enough of Stone Panda's cloud hopping,
thank you very much,
and they want Beijing to put a stop to it.
Beijing says it's all slander and that the Yankees are probably just as bad. Blind turns out not to be as blind
as users thought. Reputation jacking comes to business email compromise. Alexa complies with
GDPR but goes a little overboard. Author and podcaster Brian McCullough joins us to discuss
his book, How the Internet Happened.
And no, a hitman has not been hired to get you, no matter what that email says.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Friday, December 21, 2018. Authorities in the Five Eyes said yesterday,
in coordinated announcements, that China's Ministry of State Security had attacked managed
service providers with a view to using the MSPs as an avenue of approach into their customers'
enterprises. The centerpiece of the coordinated naming and shaming was the U.S. Justice Department's indictment of two contractors working for the Ministry of State Security,
but the words from London, Canberra, Ottawa, and Wellington were clear and left no doubt that China has, in the eyes of the five,
abrogated its obligations to restrain industrial espionage.
The announcements didn't say which MSPs and other targets were attacked in the long-running campaign,
known at least since last year as Operation Cloudhopper,
but Reuters reports that its sources say IBM and Hewlett-Packard Enterprise were two of them.
IBM told Reuters that it
had no evidence that sensitive corporate data had been compromised.
HPE says it could not comment on the CloudHopper campaign.
The company also pointed out that it had spun off its MSP business last year.
They told Reuters,
We are unable to comment on the specific details described in the indictment,
but HPE's managed service provider business moved to DXC Technology
in connection with HPE's divestiture of its enterprise services business in 2017. DXC also declined comment.
into an avenue of approach to its customers,
and that avenue of approach would usually not be regarded as a particularly dangerous one.
The indictment describes one instance in which the Cloudhopper operators compromised a New York MSP and through it reached targets not only in the United States,
but in Brazil, Germany, India, Japan, the United Arab Emirates, and the United Kingdom.
The sectors involved in that incident showed the breadth of economic targets,
financial services, biotechnology and medical equipment, electronics,
and automobile manufacturing, as well as the extraction industries
of mining and oil and gas exploration.
The group the Five Eyes are glaring at is APT10, Stone Panda,
which has now clearly entered the Premier League of Named and Shamed State Hacking, right up there with Fancy Bear, and probably seated higher than Cozy Bear or Charming Kitten.
For its part, China has dismissed the allegations as slander
and says it had filed stern representations with Washington,
demanding the charges against its two citizens be dropped.
Beijing said, quote,
We urge the U.S. side to immediately correct its erroneous actions
and cease its slanderous smears related to Internet security, end quote.
China also complains that the U.S. gets a pass for its own electronic collection
and that what's sauce for the panda should be
sauce for the eagle. A mighty unpleasant meal that would be, too, but the cases aren't really
parallel. The U.S. and its sisters in the Five Eyes are objecting specifically to industrial
espionage, theft of IP and trade secrets for the advancement of national economic goals.
Everyone does indeed know, as Beijing says, that it's an open secret
governments collect against each other all the time. But that's not the point. The point the U.S.
and others are making is that China is behaving differently and that in doing so, in hacking on
behalf of its companies' competitive advantage, it is violating agreements it entered into back in 2015 to stop doing that.
It seems increasingly likely that Beijing won't find many takers in the developed world
for its claims of innocence and ill-use.
Sterner measures against Chinese government hacking are expected in the coming weeks,
especially after the conclusion of Sino-American trade talks.
Blind, the anonymous social networking app
that had appealed to big tech whistleblowers,
malcontents, and others who wished to discuss
their employers without fear of retribution,
proves to be less blind than thought.
One of its servers was left exposed,
without so much as password protection.
Unencrypted, too, according to TechCrunch.
Blind says only one server was so
mishandled and that the matter has now been fixed. But if you want to air the boss's dirty laundry,
the wise troublemaker should probably seek elsewither for an outlet. Consider a local bar
and grill. Companies continue to suffer social engineering attacks from criminals working
through Google Cloud.
It's business email compromise, but it uses the Google service to lend credibility.
The attackers park their malicious payloads in Google Cloud Storage,
whose wide use and good reputation lull the unwary into the trap.
ZDNet calls the technique reputation jacking.
The tactic not only lends credibility, but it makes it easier for the hoods to cover their tracks.
The alert listener will have discerned
a certain resemblance between Reputation Jacking
and an attack that compromises an MSP
so an attacker can pivot into a customer's enterprise
with the agility of those Shen Yu dancers
we keep seeing on YouTube.
Alexa has done some oversharing, but with the best of intentions.
As Motherboard notes, following the German magazine Heise,
a user requested, as is his right under GDPR,
that Amazon send him all the data it held on him.
And Amazon did, but they got some of the data wrong
and inadvertently sent him 1,700 recordings from some other
guy's Alexa, including some apparently made while the other gentleman was showering.
Time out, Alexa.
Play Neunundneunzig Luftballons.
Let it go at that.
That tiresome hitman extortion scam is back, says HackRead.
You get an email out of the blue from some joker who says you don't know me,
but I've been hired as a hitman and paid to kill you.
But I'll agree not to kill you if you fork over four grand in, what else, Bitcoin.
It's no more plausible than it was the first time around.
Ignore the email.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security but when it comes to our GRC programs we rely on point-in-time checks
but get this more than 8,000 companies like Atlassian and Quora have
continuous visibility into their controls with Vanta here's the gist
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
So we've got an article from Motherboard.
This is called How Hackers Bypass Gmail Two-Factor Authentication at Scale.
And they're working off a report from Amnesty International.
Let's walk through here. What are they describing?
Okay, so they're talking about the two-factor authentication that uses some kind of code that you either receive or is generated for you. Okay.
And this is a user-entered code. Right.
So there are two ways that you can get these. One is with SMS messaging, just like a text message to your phone.
Yep.
I'm sure we've all seen this.
Yeah.
And another way is with some kind of time-based algorithm that generates a code based on a key that you've already shared between the two sites.
So like Google Authenticator would be an example of that.
Exactly.
Google Authenticator is a prime example of the time-based solution.
All right.
So walk me through this.
Let's say you're targeting me.
So I'm targeting you.
So I set up a fake site that looks almost exactly like Gmail or looks exactly like Gmail.
Right.
And I send you a phishing link that says, hey, Dave, log into your Gmail account.
All right.
I click the link.
You click the link.
And I take your password, your username and password, and I, on the back end of this,
this is actually a web application that goes to Gmail and logs in for Gmail.
So I'm logging into your fake version of Gmail.
Correct.
But behind the scenes, you're...
I'm logging into the real version of Gmail using the credentials you sent me.
Gotcha.
Okay.
So the next thing I see on the back end is, or my application sees on the back end,
is that the page that says we just sent you a code.
So I prompt you with the exact same page saying we just sent you a code.
On the fake site.
On the fake site.
Yep.
You look at your cell phone.
And code pops up.
Code pops up.
You enter it into my fake site.
And I enter it into Gmail.
And now I'm in your account.
So now you own my account.
I own your account.
This is how this works.
It's a phishing scam, essentially.
It's not really new technology.
It's the same thing as credential harvesting, except now I'm actually harvesting the two
factor as well.
Right.
And I guess one of the things they're pointing out here is that this is completely automated.
Right, and that's really the part that makes it terrifying is that they can do this at scale
and send it out to millions of people and it's automated and they can just compromise accounts
because, like we said before, it's a numbers game.
If I send it out to a million people and 1% of those people go through
with it, then that's 10,000 people I've
compromised. So what does this mean?
Should I still be using
two-factor? Yeah, you should still be
using two-factor. Number one,
there's a couple ways you can protect yourself against this.
First, never click on a link in an
email. Go directly to the site.
If you were using a password
manager that checks the site
before it enters a password,
that would protect you against
this as well.
So it would say, this isn't Gmail, I'm not
entering your Gmail account
password into a site that's not
Gmail. So that would stop that from
happening. And this article recommends
also using a hardware
token like a YubiKey.
I see. I'm not a cryptographer,
so I don't know what the cryptography is
that underlies these things. I have
a YubiKey. I use it for
things like my password safe.
But if somebody steals it, they're never going to get
into it because they can't actually enter the
hardware-based token.
I see. Because they don't physically have
what I have. Right. So they're saying that this
hardware key somehow
circumvents this, or prevents
this man-in-the-middle kind of thing that's going
on here. And I'm not sure, again, I'm not sure
what the cryptography is underneath, but...
According to the article, that's a good step.
And I think also this is one of those things
where if you're a person who
needs this, you probably know it.
Right. You know, if you're a person who is being targeted by a government organization, you
would know, exactly like you said, you would know that you're a person that's targeted
by a government organization, and you should probably already be taking extraordinary security
measures.
Yeah.
All right.
Well, the bad guys up their game, and they're doing it quickly, I guess.
Yes, they do.
It's one of the lessons here.
Joe Carrigan, thanks for joining us. My pleasure, Dave.
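The segment above describes the relay but leaves open why a hardware security key breaks it. The following is an added editorial illustration, not code from the podcast, from Amnesty International's report, from Google, or from the attackers. It models the flow Joe walks through: the victim types a password and then an SMS/app code into a lookalike page, and the attacker replays both to the real site in real time. It then runs the same relay against a WebAuthn/U2F-style assertion. The origins, user name, password and secrets are made up; the TOTP arithmetic is the real RFC 4226/6238 algorithm, but an HMAC stands in for the security key's ECDSA signature, which is enough to show the point that matters: the browser puts the origin it is actually on inside the signed data, and the real site rejects anything signed for the phishing origin.

```python
"""Toy model: real-time phishing relay vs. one-time codes vs. an origin-bound key.
Added illustration only. Origins, user, password and keys below are invented."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://accounts.example.com"   # assumed: the genuine login page
FAKE_ORIGIN = "https://accounts-examp1e.com"   # assumed: the attacker's lookalike


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter (what an authenticator app shows)."""
    return hotp(secret, now // step)


class RealSite:
    """The genuine service: knows the password, the TOTP secret and the key's credential."""

    def __init__(self, users: dict):
        self.users = users
        self.pending = {}  # user -> outstanding security-key challenge

    def login(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and hmac.compare_digest(rec["password"], password)

    def check_totp(self, user: str, code: str, now: int) -> bool:
        # Accept the current and the previous 30-second window, as servers commonly do.
        secret = self.users[user]["totp_secret"]
        return any(hmac.compare_digest(hotp(secret, now // 30 - d), code) for d in (0, 1))

    def issue_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def verify_assertion(self, user: str, client_data: bytes, sig: bytes) -> bool:
        """WebAuthn-style check: the signed client data must name OUR origin."""
        expected = self.pending.pop(user, None)
        data = json.loads(client_data)
        if expected is None or data["origin"] != REAL_ORIGIN:
            return False  # a relayed assertion carries the phishing origin: rejected
        if data["challenge"] != base64.b64encode(expected).decode():
            return False
        good = hmac.new(self.users[user]["device_key"], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, sig)


class SecurityKey:
    """Stand-in for a U2F/FIDO2 authenticator. HMAC replaces the real ECDSA signature;
    the point is that the origin the browser is on goes inside the signed data."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def sign(self, challenge: bytes, origin_seen_by_browser: str):
        client_data = json.dumps({"challenge": base64.b64encode(challenge).decode(),
                                  "origin": origin_seen_by_browser}, sort_keys=True).encode()
        return client_data, hmac.new(self.device_key, client_data, hashlib.sha256).digest()


class PhishingRelay:
    """The attacker's fake page: whatever the victim submits is replayed to the real site."""

    def __init__(self, real: RealSite):
        self.real = real

    def forward_password(self, user, pw):
        return self.real.login(user, pw)

    def forward_code(self, user, code, now):
        return self.real.check_totp(user, code, now)

    def forward_challenge(self, user):
        return self.real.issue_challenge(user)  # attacker fetches a genuine challenge

    def forward_assertion(self, user, client_data, sig):
        return self.real.verify_assertion(user, client_data, sig)


def run_scenario(use_security_key: bool, now: int = 1_545_350_400) -> bool:
    """Returns True if the attacker ends up authenticated to the real site."""
    totp_secret = b"12345678901234567890"   # RFC 6238 test-vector secret, used as sample data
    device_key = b"\x01" * 32               # invented credential key
    site = RealSite({"dave": {"password": "hunter2", "totp_secret": totp_secret,
                              "device_key": device_key}})
    relay = PhishingRelay(site)
    # Step 1: victim types the password into the fake page; relay logs in for real.
    if not relay.forward_password("dave", "hunter2"):
        return False
    if not use_security_key:
        # Step 2a: victim reads the SMS/app code and types it into the fake page.
        return relay.forward_code("dave", totp(totp_secret, now), now)  # accepted
    # Step 2b: the browser hands the challenge to the key along with the origin it is on.
    challenge = relay.forward_challenge("dave")
    client_data, sig = SecurityKey(device_key).sign(challenge, FAKE_ORIGIN)
    return relay.forward_assertion("dave", client_data, sig)  # rejected: wrong origin
```

`run_scenario(False)` succeeds for the attacker because a six-digit code says nothing about where it was typed; `run_scenario(True)` fails because the assertion is bound to `accounts-examp1e.com`, and the attacker cannot rewrite that field without invalidating the signature. The password-manager defence mentioned in the segment is the same idea applied client-side: the manager refuses to fill a credential for an origin that does not match the one it was saved for.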
Cyber threats are evolving every second
and staying ahead is more than just
a challenge. It's a necessity.
That's why we're thrilled to partner with
ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant. My guest today is Brian McCullough. He's the host of the
Internet History Podcast and the Tech Meme Ride Home podcast. He's also author of the book How the
Internet Happened, From Netscape to the iPhone. Our discussion today focuses on the book. Here's
my conversation with Brian McCullough. So I'm actually, I'm not a historian,
I'm not a journalist, I'm a three-time company founder. It always bothered me that there have
been books about the deep internet, you know, going back to the ARPANET and the Pentagon and all that stuff.
But there hadn't really been a history of the internet going mainstream and infiltrating all of our lives.
So like every other startup idea I've had, the impulse was, well, that's a good idea.
Somebody's going to do that someday.
Why not me?
I'm not used to writing a book, so I found it.
I was getting all these great interviews firsthand from initially, especially the Netscape people.
And I thought, well, five years from now, two sentences of this interview will make it into the book.
Why don't I just throw up all of the interviews unedited and see if people find that interesting?
And so that's how the podcast got started.
So the podcast and the book sort of fed on each other.
And now the book is out and
it's been a wild ride. As you were making your way through the history of the internet,
were there any things that jumped out at you as being surprising, things that were unexpected?
Yeah, totally. Because again, I sort of lived a lot of this. So there were so many things
that I was surprised. Just off the top of my head, I came up, most of my businesses
were in the 2000s when Microsoft was sort of in its lost decade. So it surprised me how much,
especially as late as the early 2000s, as late as Google IPO-ing and not wanting to tell anybody
how much money they were making. It surprised me how much Microsoft, everyone was thinking of
Microsoft, was making moves in relation to what Microsoft may or may not do.
There was a lot of times when I didn't realize what the theme of a section was until I was
writing it. So I knew I was going to have to do something on eBay. You know, eBay is not a tech
company that we think of as one of the big, big guys right now, one of the fang stocks or anything
like that. But when I, when I was reading and researching eBay, it occurred to me that eBay is actually
a way more influential company than anybody gives it credit for. We live in the tyranny of the five
star ratings now. Where would Uber or Airbnb or anything like that be, if eBay hadn't pioneered the reputation system that
allows us to do business with strangers on the internet, eBay trained a lot of people
for the first time that you could do business with strangers halfway across the world that
you would never meet and never even know their name.
And then also, eBay was the first company that, you know, we think of social media platforms now. We know that they're incredibly valuable because of the content that the users generate.
eBay was the first company that sort of didn't own anything.
All eBay was was a platform for the economic activities of its users.
Now, how much of the growth of the Internet was linear versus fits and starts?
Was it more of one than the other?
100% fits and starts. And I mean, that's always true for any new technology. You kind of have to
throw stuff against the wall and see what sticks. But conceptually, it was harder because at the
very, very beginning, people don't even know what was there. You know what I mean? If you develop an internal combustion engine, you have a good idea that you're going to use it to move people and things around.
But when the web takes off, people aren't really sure what it's for.
Is it for doing business?
Is it for commerce?
Is it for just talking to each other? So many things in the 90s especially, but even all the way up through today, has been
people trying to work out, even at a base conceptual level, what the business opportunity
here was, what the use case was.
And so I always found that fascinating because the whole book is just a bunch of stories
of entrepreneurs feeling their way around in the dark.
You know, I think it's interesting when you think about some of the unintended consequences.
I've heard people say that, you know, the original sin of the Internet was making everything free and having it being paid for by advertising.
And that's what led to all of these privacy and tracking issues.
Do you have thoughts on that?
One of the first interviews I did was with Lou Montulli, who invented the cookie,
the browser cookie, or at least was one of the guys at Netscape that helped invent that.
Over the course of 200 episodes of the Internet History Podcast, that's come up a lot. The idea that the original sin was because the internet came out of academia, it wasn't
commercialized.
I think it wasn't until even 1992 that you legally could do business on the internet.
And so there was this culture at the very beginning that there's no way we're going
to pay for anything.
It was almost like an article of faith.
So I don't blame the companies themselves or the entrepreneurs themselves for going towards an advertising model, because it was the users and it was the culture that was inherent in the internet that required them to go that way.
I actually have made the argument that it's only in the last five years or so that we have finally convinced people that
things on the internet are worth paying for. And we can credit the Netflix's and the Spotify's of
the world for that, I think. But it's not the company's fault. It was the culture of the
internet as it existed right before it went mainstream. And so then when all the mainstream
users come onto it, they just adopt the culture that was already there.
But then again, at the same time, can you imagine how it would have been different had Bill Gates gotten his way and the internet from day one was something that you had to pay Microsoft for
whatever fee they were going to charge you per month? I don't know that that would be a better
internet. We got what we got, and it's an accident of history. And that doesn't mean that we can't
change it. And I think we're evolving into an internet that's not just ad-based.
I'm curious, when it comes to security, what's been the evolution of that?
Was it baked in from the beginning or grafted on along the way?
It really feels like nobody on the early internet was thinking too much about security. Because, again, remember, if you're using the Internet in, say, 1978 or even as late as 1988, you're expecting that all of the other people that you'll be interacting with will be technically proficient.
You know, I think you want to talk about a real original sin of the Internet is that nobody ever assumed that normal people would be on it. And so there were a
lot of design decisions that were made early on, just sort of by default, because no one was
thinking about my mom using the internet, right? Right. And so I feel like it's been decades and
decades of sort of cleaning up that mess. Certainly, if you were designing the internet today, you would,
from the ground up, make it way more secure. So I think that what you've seen, essentially,
in terms of how it's designed, it was always baked in that it's not super secure.
From the user perspective, from the mainstream perspective, I feel like, and maybe you can speak more to this,
we go through these cycles where, you know, I was doing actual library research for this book,
like going back to finding articles from the late 90s and things like that. And it was surprising
to me the headlines that, you know, say DoubleClick would make, because they would do something
with the cookies and it would make the front page of the New York Times,
oh my God, privacy concerns.
And if I told you what those details were today, you'd laugh because everybody does way worse stuff today in terms of tracking people.
And so at the beginning, everyone was afraid.
No one wanted to put their credit card online.
People were convinced e-commerce would never take off because no one would share their credit cards.
And then somehow after the bubble burst around the turn of the century, everyone just forgets about it.
And so we went through this 10 or 15-year period where everyone was just blasé.
And Facebook comes in and Google comes in and we gave away everything.
And we gave away everything. And so now I feel like the mainstream user concern trolling about data and security is ebbing back to a fever pitch where probably it needs to be to correct some of these things.
How do you think this internet revolution compares to other huge shifts we've had in the history of humanity?
I'm thinking of things like the industrial
revolution. Is this on that sort of scale in your estimation? I think it's more profound in the
sense that it's an industrial revolution combined with a media revolution. So there are a lot of
things that are changing the way that we do our jobs, that we conduct commerce. Those are the obvious things
you can point to. But as we've been seeing, especially these last few years or so,
the internet is fundamentally changing the way we think and interact with each other and our
institutions. And there's a million different avenues we could go down talking about this,
about, you know, how, you know, content bubbles and things like that. But on a really fundamental
level, I think that the internet is atomizing all of us into these different tribes and into
these different worldviews. And so while there is a big industrial revolution happening, there's a
big commercial revolution happening, at the same time, I think the internet is fundamentally rewiring society and our relationship with
government. And the balance between the individual and the government and culture is kind of been
tossed up in the air right now. And it hasn't quite settled yet.
Yeah, that's interesting. I mean, I've heard people refer to particularly some of the online social media platforms as anxiety engines.
And that's a design decision too, because again, you know, I talk about this on the Daily Tech
Meme podcast a lot. The success playbook for the last 10 or 15 years was always scale.
Once people realized you can code up a chat app and have a billion users overnight,
the only thing that anybody ever designed for was more usage.
Facebook is more sharing, more likes, more all these things.
And because it was taken as a given that more usage was inherently good. But there's a
difference between designing for quantity and designing for quality. And I think that the next
10 years or so is going to be about the successful companies and the successful startups and the
successful products will be the ones that will design for quality of life,
for quality of experience with the product, as opposed to just more, more, more, more sharing,
all that stuff. That's Brian McCullough. The book is How the Internet Happened,
from Netscape to the iPhone.
Thanks for listening.
We'll see you back here tomorrow.