CyberWire Daily - Operation Sharpshooter. Meng makes bail. Sino-American cyber tensions. Leadership crises in the UK and France. Congress doesn’t lay a glove on Google. 2018’s bad password practices.
Episode Date: December 12, 2018
In today's podcast, we hear some of McAfee's description of Operation Sharpshooter, an ambitious cyber reconnaissance campaign. Huawei's CFO Meng makes bail in Vancouver, and China reacts sharply to the arrest. The US is said to be preparing sanctions and indictments in response to various Chinese hacking activities. A no-confidence vote is called in the UK. In France, President Macron makes concessions to the Yellow Vests. Google skates through its interrogation by Congress. And bad passwords get rated. Johannes Ullrich from SANS and the ISC Stormcast Podcast with holiday tips on securing new devices. Guest is Ali Golshan from StackRox on the shift toward DevOps. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
McAfee describes Operation Sharpshooter, an ambitious cyber reconnaissance campaign.
Huawei's CFO Meng makes bail in Vancouver, and China reacts sharply to the arrest.
The U.S. is said to be preparing sanctions and indictments in response to various Chinese hacking activities.
A no-confidence vote is called in the U.K.
In France, President Macron makes concessions to the Yellow Vests.
Google skates through its interrogation by Congress.
And bad passwords get rated.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Wednesday, December 12, 2018.
McAfee Labs Malware Operations Group reports its discovery of Operation Sharpshooter,
a critical infrastructure cyber reconnaissance campaign. They conclude it's a nation-state
operation, but they commendably are reticent about offering any specific attribution.
They do note the campaign shows some code overlap with earlier operations by the Lazarus Group,
which of course has long been associated with North Korea. Operation Sharpshooter's targets
are global in scope, but they're concentrated in several sectors, nuclear, defense, energy,
and financial services companies. McAfee says Sharpshooter uses an in-memory implant to download and retrieve a second stage implant.
They call that implant Rising Sun, and Rising Sun, which sets the target up for further exploitation,
uses source code from the backdoor Trojan Duuzer, which the Lazarus Group deployed back in 2015.
For now, at least, Operation Sharpshooter must be regarded as a reconnaissance effort.
It would be prudent to regard reconnaissance of this kind as the first stage of a larger program,
and also as possible battle space preparation for subsequent attacks.
How does Operation Sharpshooter draw an initial bead on the target?
Through social engineering.
We're almost tempted to say, through social engineering. How else?
A Sharpshooter infestation starts with a malicious macro in a document,
usually delivered via Dropbox,
and representing itself as legitimate corporate recruiting activity.
Huawei's CFO Meng Wanzhou has been granted bail.
It's a hefty sum, $10 million Canadian, or about $7.5 million US.
The Vancouver judge, who overcame his initial skepticism about bail,
also directed Ms. Meng to wear a tracker on her ankle,
observe a curfew, and pay the cost of her own surveillance.
The complaint on which she was arrested had its origins in US charges
that she was involved in Huawei's use of a cut-out company, Skycom,
in the service of evading sanctions against Iran.
So this is a sanctions-related fraud beef and not an espionage case,
although there's been considerable suspicion in many countries
over Huawei's connections to Chinese intelligence operations
and their interest in industrial espionage.
China's reaction has been sharp.
The U.S. ambassador was called in for an explanation, that is, a dressing down.
More seriously, Chinese authorities have, according to the Times of London,
taken a former Canadian diplomat into custody.
Michael Kovrig, now a senior advisor for the International Crisis Group,
an organization that studies conflict prevention, is being detained for reasons that aren't entirely
clear, but that are generally regarded as retaliation for Ms. Meng's arrest.
Chinese public opinion on the matter is running in a strongly patriotic direction.
Sino-American tensions over cybersecurity are running high
right now for other reasons. U.S. investigators are moving toward the conclusion that Chinese
intelligence services were behind the epic Marriott data breach when the Starwood reservation system
coughed up half a billion people's personal information during a quiet four-year campaign.
The Washington Post said yesterday that the U.S. was preparing to take a tough line with China
over cyber espionage and IP theft in particular,
with a mix of sanctions, public denunciation, and indictments.
The indictments aren't out yet, but the Wall Street Journal says
they're going to deal with alleged Chinese attempts to compromise large managed service providers.
Many organizations are embracing DevOps or DevSecOps to better integrate security throughout a product's lifecycle. Ali Golshan
is co-founder and CTO for StackRox, a container security company, and he joins us with his
perspective on DevOps. The major changes that we've been seeing in infrastructure,
you know, from virtualization to public cloud, the major trends that we've been seeing is more
and more businesses are obviously trying to focus on as much of their workforce and their resources
on delivering value and kind of delight for their customers. Naturally, a lot of movement towards
kind of online services
created this model where developers and ops folks had to move faster, create faster,
and build at more granular levels so you don't build these traditional monolithic applications.
These trends combined with the notion of, you know, wanting to move towards a continuous
integration and deployment so you can build faster, test faster, build more resilient solutions,
created this movement that then brought on, I think, what we now really classify as DevOps,
which is this full lifecycle of product management from build, deploy through runtime,
and the various toolings and workflow consistencies that you bring along that process.
Now, when it comes to integrating security into
DevOps, how does that happen? This is where, for one of the first times in infrastructure platform
or just general design history, we've had this well-aligned model where security can be integrated
in a much earlier stage. Traditionally, we had security as more of a linear function where you
went through your building, you went through the deployment and security took over and bolted on security and
helped lock everything down. Now, because everything is more continuous, higher velocity,
more granular pieces, security is becoming, it hasn't quite gotten there yet. This is obviously
one of the things we're trying to focus on and help drive. But it's an integration, not just
on product, it's actually
trying to leverage as much of the infrastructure as possible. It's part of the workflow. So it's
not just that you can hand off things, it's you have to be integrated with DevOps teams and their
workflows. This is where you see more of the security shifting left, working at the build
deployment to remove a lot of the risks and harden a lot of the system before it even gets to a point
of deployment and production.
And the last part of it where we're seeing security really try to focus on integrating and working with this particular workflow
is around common languages or frameworks.
This is where we're seeing, for example, Kubernetes becoming a really good platform or language for security folks and DevOps folks to work together on.
Now, how do you keep security from being, I guess, a speed bump in the
process? I think a speed bump is typically when security in the past has taken this notion of
what we call either point solutions or form factor specific, meaning I'm going to secure the network,
I'm going to secure the perimeter, I'm going to create a WAF, I'm going to do segmentation here,
or it's been focused on a very particular form factor. I'm going to secure the VM, the hypervisor.
More and more of this stack is looking a little hyper-converged, and more and more it's a full lifecycle from build, deploy, and runtime.
It's a very philosophical, very much a philosophical change for security, which is more taking the approach of being guardrails at a more granular, earlier kind of continuous process stage versus trying to have these batch process checkpoints where I analyze all this and I either have to say yes or no or fix things. So it's the continuous aspects of it.
Continuous aspects of it is security going from being pointed and point solutioned and batched to a continuous model that is allowing security to become more integrated versus a speed bump.
Yeah, it seems to me like along with this goes some sort of culture change within the organization itself.
Absolutely.
And I think this is where in a larger market and a larger customers, we see it under digital transformation.
But more practically, we're seeing it as the mindset is the company is trying to move fast, offer value.
There is an enormous amount of competition in every sector being built.
Companies moving away from models of trying to manage as little of their infrastructure and platforms as possible, focus more of their time and management on the application side.
And I think these naturally have led into this DevOps, DevSecOps.
But the higher aspect of what we see is,
obviously, you have to do more with less people
and you have to automate
because you are dealing with massive scale.
So I think these are the core principles
that we've seen create this philosophy
around this current market.
That's Ali Golshan from StackRox.
Two European political crises are nearing a kind of conclusion.
British Prime Minister Theresa May survived a no-confidence vote today, largely over the handling of Brexit.
The Prime Minister needed a simple majority of the governing party to continue in office.
The final tally was 200 against 117.
The other crisis involves the Yellow Vest unrest in France.
President Emmanuel Macron has publicly offered concessions on taxes to the Gilets Jaunes,
but he's emerging from the essentially populist furor in a somewhat weakened political position.
Investigation of influence operations affecting the crisis is in progress, but in this case
any foreign, and by foreign we mean Russian, influence operations, while likely enough
on a priori grounds, would be an act of supererogation.
The unrest seems to be overdetermined by various existing grievances.
The U.S. House Judiciary Committee's quizzing of Google CEO Sundar Pichai yesterday is being lamented as a lost opportunity by op-eds in Bloomberg and Wired, to cite just two of several.
Democratic and Republican members of the committee are seen as having swapped partisan shots at the expense of examining big tech's manifold issues,
privacy, monopolistic practices, data collection and monetization,
charges of bias, particularly viewpoint bias, and so on.
The committee chair, Representative Robert Goodlatte, Republican of Virginia,
did draw sharp attention to Google's data collection practices.
They have, he said, an appetite for user data whose voracity would make the NSA blush.
Not, we hasten to note, that we necessarily agree that NSA has anything to blush about.
Mr. Pichai did tell reporters that Mountain View was still trying to work through a lot of difficult issues involving content moderation.
One of those issues involves Project Dragonfly,
which has been the internally and externally controversial search engine Google has under development.
It's widely regarded as a censorship tool Google's building at the behest of the Chinese government.
Dragonfly is thought to represent the company's attempt to re-enter the Chinese market
in a big way. The Washington Post says Mr. Pichai and his company emerged unscathed from the hearing
room. They certainly escaped the kind of wire-brushing Mr. Zuckerberg's Facebook lieutenants
received on Capitol Hill, and especially in Westminster. Finally, Dashlane has offered up its 2018 list of the world's worst password offenders.
It's an eclectic crew, from worst to less worse.
It includes Kanye West, the Pentagon, people who buy and trade cryptocurrencies,
the manufacturers of Nutella, the sweetened palm oil spread with the distinctive blended flavors of cocoa and hazelnut,
British barristers and solicitors, the Lone Star State of Texas,
the White House staff, the United Nations, and, sad to say, the University of Cambridge.
You can read their commentary on Dashlane's site,
but we'll close by mentioning that Kanye West earned pride of place when he unlocked his phone with a string of uninterrupted zeros.
In front of cameras.
Okay, but it seems unfair to hold an entertainer
to higher standards than Queen's Counsel
or the Department of Defense or Oxbridge.
Be kind and be secure.
Treat yourself to a serving of Nutella comfort food
and think up some strong passwords.
And I'm pleased to be
joined once again by Johannes Ullrich.
He's the Dean of Research for the SANS
Institute. He's also the host of the
ISC Stormcast podcast.
Johannes, it's great to have you back.
Here we are, the holidays are coming
up quickly, and you had some
tips and advice for folks when it comes to those devices you might find under the Christmas tree.
Yes, one issue that always seems to be coming up is that devices that people buy come with malware already preinstalled. And sometimes that has happened in the factory in the past where, for example, test systems were infected and then copied their malware over to these devices.
We have seen this a lot with USB picture frames and the like.
The other reason we have seen this is if you saved some money and you sort of got the open box special in the store, well, that device may have been used by someone else.
And they often don't properly delete all the software.
And malware, of course, that they may have either intentionally or accidentally copied
to the device.
So how do you know if a device has been properly restored to factory condition?
You don't really know.
And that's sort of a little bit of a problem. So you should assume it has not been restored to factory condition. So before
you connect the device to anything like your computer to sort of initialize it or copy over
pictures or whatever, see if you can sort of do a factory reset yourself.
Quite often they have some reset button or so that you can use to do a factory reset.
That would be a first step.
And then, of course, before you connect the device to your computer,
make sure that computer is running some up-to-date anti-malware and such. So if something is still sitting on that device,
well, hopefully it will get caught by your anti-malware.
Yeah, and also I suspect it would be good to segment your home network if you can.
Yeah, segmenting your home network is always great if there's like a Wi-Fi device or such.
If you are a geek like many of us, set up a packet sniffer,
see what's happening on the Wi-Fi.
And I actually have seen a couple of things there.
I remember like a couple of years back, a weather station.
And of course, I set up a packet sniffer whenever I bring up a new device on my network.
Of course you do.
And promptly, I saw that it actually sent my Wi-Fi password back to the manufacturer in the clear.
Wow.
So that's definitely a nice exercise to do.
Always fun with the kids to look at packet captures under the tree.
Right in front of a nice warm fire.
Nice warm fire, yes.
And of course, also, if you then don't like the device
and you return it to the store,
make sure you first erase all information, at least as good as you can.
Sometimes that's not always that easy.
Yeah.
No, it's a tough thing to navigate, trying to make sure.
I guess sometimes those open box deals aren't such a good deal.
Yeah.
And like I said, it's not always the open box deals.
Sometimes it's actually from the factory.
They come, as we call it, certified pre-pwned.
There's a special sticker that comes on the box.
Yes.
All right.
Well, as always, Johannes Ullrich, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow.