CyberWire Daily - Patchable vulnerabilities in Apache Struts and Exim. CombJack malware. DPRK vs. UN Panel of Experts. Cyberwar and legal limits. Espionage Act prosecution. Infowars turn grimly kinetic.
Episode Date: March 7, 2018
In today's podcast, we hear that spies like Apache Struts exploits. Server vulnerabilities described. A new cryptojacker steals at least four varieties of cryptocurrency. North Korea may have hacked UN sanctions enforcers. Dutch Intelligence (and Microsoft) warn of cyberwar, but it's not a declared war, which makes response harder. Update to the pack rat defense, with considerations of mens rea. ISIS terror inspiration. And a possible assassination attempt. Chris Poulin from BAH on next generation IoT devices, like security robots. Guest is Sylvain Gil from Exabeam on business by design, and the importance of the design process in security solutions.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In today's podcast, we hear that spies like Apache Struts exploits. Server vulnerabilities described. A new cryptojacker steals at least four varieties of cryptocurrency.
North Korea may have hacked UN sanctions enforcers. Dutch intelligence and Microsoft
warn of cyber war, but it's not a declared war which makes response harder. We've got an update
to the pack rat defense with considerations of mens rea, ISIS terror inspiration and a possible assassination attempt.
I'm Dave Bittner with your CyberWire summary for Wednesday, March 7, 2018.
Security firm Quick Heal reports Chinese and Russian operators are showing a continued interest in Apache Struts exploits.
Patching is strongly advised, and patches are available.
Another vulnerability affects servers.
The Exim message transfer agent is susceptible to buffer overflow bugs.
Security consultants at DevCore, who described the issue, recommend that Exim users upgrade to version 4.90.1.
Palo Alto Networks reports finding a new multifunctional crypto-jacker in the wild.
ComboJack steals Bitcoin, Litecoin, Monero, and Ethereum by replacing a wallet's legitimate address with the attacker's.
North Korea's online operations are famous for having proceeded from vandalism to lucrative cybercrime,
but their role in espionage shouldn't be discounted.
Pyongyang cyber operators are said to have hacked the UN panel
responsible for administering economic sanctions leveled against the DPRK.
The UN Panel of Experts,
which routinely reviews attempts to bypass international sanctions
through smuggling and other means,
says it was subjected to a state-sponsored attack from an unspecified state.
That unspecified state, widely and obviously suspected on a priori grounds to be North Korea,
was apparently interested in measures being undertaken to facilitate clandestine trade with the DPRK.
Much more than that, the heavily redacted report doesn't say,
but it does indicate that the attack vector was spear phishing by email.
When looking for cybersecurity tools, it's natural to consider the technology under the hood,
but it's also important to take into account how the people using that technology interact with it.
A well-designed user interface can be the difference between an efficient tool and a frustrating one.
Sylvain Gil is co-founder at Exabeam, a provider of security intelligence and management tools, and I recently spoke with him about the relationship between design and security.
We're constantly trying to understand what our users are dealing with on a daily basis, kind of the problems they're facing.
And before we think of a technology we put out on the market, we really just, you know, go through a fairly rigorous design process to try to, you know, empathize with these users and their problems.
And when we come up with solutions, I think often these solutions decide what features
we're going to be adding to the product and also even sometimes what products we're going to be releasing or not releasing
based on the outcomes of the design process.
You make the point that there could be a generational thing at play here,
that millennials, they're looking to interact with the machines
perhaps in a different way than some of us old-timers are.
I don't think it's a generational thing necessarily, but I think it's very important to,
I think, recognize the fact that everybody has technology in their hands nowadays.
And, you know, I've been in the information security industry now for a couple decades,
and I feel like we have a big, you know, talent problem where there's just not enough trained
practitioners out there.
And if we're trying to be inclusive, kind of bring people in our world,
we have to make the learning curve a little bit easier for these folks that are coming from the outside.
And in general, even if you're a security expert ninja, it shouldn't be too complicated to use your security tools.
So what we're trying to do, I think, often is just to attach to a pattern
in terms of interactions, user experience that people are familiar with.
Probably the best example of that in one of Exabeam's products
is how we show user activities in a timeline that's very similar
to the timeline you would see in Facebook, for example.
And that was really something we did on purpose.
Try to give them something that perhaps they're familiar with from a different context.
Yeah.
Every time we're able to mimic an interaction, the interaction of a consumer type of software,
and even better if it's kind of a mobile experience that people get to use every day,
that means that we do not need to train our end user on how to use that specific feature in our products.
Do you find you get any resistance to this sort of thing?
I'm thinking specifically that I think for some people in cybersecurity,
stepping up in front of a command line is almost a point of pride.
That's right. I think what we've had to deal with early on at Exabeam is the fact that even though we had a very,
you know, you could say clean UI, clean design, very simple usability of the product,
that simplicity actually at some point came to hurt us where people thought that the technology
was too simple, that, you know, there was just, you know, not enough under the hood in the machine
learning engine and the analytics capabilities because
the outside actually almost looked too good. So that's something we had to deal with,
more in terms of messaging, positioning, and we had to educate a little bit about
the advanced aspects of what we do because, well, in some way, the clean design that looks like a
consumer tool may not reveal all the sophistication that we've put on the back end.
So it sounds like you're really making the case that paying attention to these details, sweating the details when it comes to design, can lead to safer outcomes.
It does.
I think it's safer outcomes.
It's easier adoption.
You know, a lot of times when you deal with, at least, you know, a facet of what we do at Exabeam is around detection.
People have a lot of, I think, you know, concerns with machine learning.
And I think one of those is actually a trust concern.
It's something that's a very normal human feeling.
You know, you have a computer telling you, I think this is good or bad. And it's really through a design process that you can kind of break down that problem into little tidbits where you can sort of fight the feeling where if you're not trusting
what we are going to output, we're going to give you ways to get to that trust level. You're going
to be able to have checks and balances so you're not left with a black box that tells you your name.
That's Sylvain Gil from Exabeam.
Dutch intelligence services report that state-directed cyber espionage has risen significantly.
Microsoft's president says we're witnessing a level of activity in cyberspace consistent with active warfare.
But one problem, of course, for anyone concerned with legality and authority,
is that the U.S. and Russia, to take the two biggest antagonists, aren't at war.
President Trump and Director of National Intelligence Coats say the U.S. is fully determined to stop Russia or anyone else from interfering with midterm elections.
But DNI Coats points out that, absent a state of war and absent other new authority from Congress to act,
the intelligence community is constrained in its responses
in ways that Russian security and intelligence services are not.
The government's Espionage Act prosecution of former NSA contractor Hal Martin
continues to face difficulties, Politico reports.
The defense argues that Mr. Martin was unlikely to have known about the specific 20 documents
specified in the indictment.
After all, he is said to have been a pack rat,
and the charges under the Espionage Act would seem to require that he knew what he had.
Federal District Court Judge Marvin Garbis, who's hearing the case, is skeptical.
The prosecution argues that as long as Martin knew he was doing something wrong,
he had the necessary mens rea for a conviction.
Martin's defense attorney, Debbie Boardman, argued that the government theory would raise
mere petty theft to the level of espionage. She posed a hypothetical. Suppose she were at a
meeting at Fort Meade and pilfered a stack of notepads with the NSA's Eagle and Key logo on
them. Then suppose one of the pages on one of the pads in the stack had something classified
written on it, and she didn't know that.
I'd be guilty under the Espionage Act, she said.
Well, we don't know about you, but we'd be mighty careful at RSA about taking home any swag being offered at the NSA booth.
Who knows what might be in it.
The pack rat defense being mounted in a Baltimore courtroom has an almost operatic quality to it,
but other cases of espionage and terrorism are decidedly serious.
Two sad incidents serve as reminders that more than ever,
there's a lethal intersection of the informational and the kinetic.
In the first, ISIS is using a video that purports to show the deaths of U.S. special operations personnel during an ambush in Niger.
The caliphate has entered its terrorist diaspora phase.
No longer able to maintain pretenses to governing, ISIS returns to its familiar online playbook of depraved inspiration.
The U.S. Department of Defense, which continues its investigation of the ambush, is said to see any viewing or mention of the video as objectively providing support to ISIS.
But it would seem important for people to understand
what the terrorist organization sees as its core message.
It's an ugly one.
And in the UK, police and intelligence organizations are treating the poisoning
of a former Russian intelligence officer and his daughter as attempted assassinations.
Sergei Skripal, aged 66, and his daughter Yulia, aged 33,
collapsed at a shopping center in Salisbury after having been exposed to an unknown substance,
the Times of London reports.
Both are in critical condition, undergoing treatment in a hospital.
Ten other people, bystanders and first responders, were also affected,
and one of them remains hospitalized.
The agent involved in the apparent poisoning is unknown.
Skripal, who had been an officer in Russia's GRU,
was arrested and convicted of passing information to Britain's MI6.
He was released to the UK in a 2010 spy swap arrangement.
If Russian security services did indeed, as it seems, try to kill him and his daughter, this would appear to be the first time an exchanged spy had been so targeted.
We wish all involved comfort and recovery.
Russian officials, of course, deny any involvement.
And joining me once again is Chris Poulin.
He's the Director of Connected Product Security
at Booz Allen Hamilton.
Chris, welcome back.
Today, you wanted to touch on some issues
with things like physical security,
some of these next generation systems
that take on tasks that were typically human tasks,
things like security guards, things like that.
But what do you have to tell us today?
So it's interesting.
I've been talking to some customers who are asking questions about how...
Well, let me back up.
So you think about the IoT as being typical devices that we're used to using
and then connecting them to the internet.
And so people characterize that as being sort of a physical, digital combination.
And so if you flip it around on its head to a certain extent,
physical security is actually coming up more and more in conversations
that I have with clients about how to build out physical security systems.
So, for example, there was a client who is going to be building a parking
garage. They're building a new facility and they're adding a parking garage to it. And it's
going to be in the middle of a city where their employees have been used to being out on the
outskirts where they feel a little bit safer, you know, suburban versus urban settings.
Right.
And so what the employees want is to feel secure when they park their car and get out. So everything from the entry systems to try to prevent, you know, some sort of physical attacker from being able to get into the garage and then hide behind some of the cars and assault them as they're walking toward the entrance.
And so, you know, and that's their primary concern about the physical being.
I mean, there's also theft of the cars themselves or the contents of the cars and things like that.
So one of the interesting things is how can you outfit physical security with things that are IoT devices?
And so one example would be, and anybody who's been around smart cities knows that lighting is ubiquitous.
And so a lot of times sensors are placed, a multitude of sensors are placed within lighting systems. So the same thing can happen in
a garage where there are audio sensors that listen for gunshots, or even, for example, they can
listen for somebody who just sort of says help at voice level, normal speaking voice. And then the
different microphones can triangulate exactly where they are and automatically recognize that as a trigger word and contact security guards who can then respond quickly and directly to where that person is physically presumably being assaulted or at least feeling threatened.
So that might be one instance.
A little bit more on the nose, I suppose, is that there are security guards who wander around, right? And you can actually supplant that with more security guards
because the opportunity for an attacker is to profile the path
and the timing of the security guards.
And there's only a certain amount of people that you can put on the job.
But instead of having those security guards that you always read about in the news
who look like something out of RoboCop and have some sort of a laser weapon attached to their arm.
You can instead have small robots, you know, about two, three feet high that just roll around.
And they're affordable enough that you can have many of them and you reduce that opportunity between the time that they're actually wandering around.
So even though they might not be able to do anything like attack the attacker, the fact that there's something moving and presumably watching over has a twofold effect.
It can deter the attackers.
It can also make the employees feel safer in a place like a parking garage.
And I suppose part of it is that the bad guys don't necessarily know what the capabilities
of that device are.
They just see it moving around, and they don't know if it can chase them down or take a picture of them or what.
Exactly.
And plus, by the way, there's all kinds of interesting things you can do with it.
If it's short, it can see under cars, so it actually reduces the hiding spaces for attackers in the first place.
So, yeah, so to your point, they don't know whether or not that thing can actually detect heat, which you could probably outfit them, infrared sensors.
There's the unknown, and then there's, I think, just a little bit of the psychological aspect of it as well.
Yeah, it's interesting stuff.
All right, Chris Poulin, thanks for joining us.
Thank you.
And that's the Cyber Wire.
Listen for us on your Alexa smart speaker too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe.
Thanks for listening.
We'll see you back here tomorrow.