CyberWire Daily - Polish espionage case. Ryuk tactics, and some thoughts on its attribution. Access-control system zero-days. Lawsuit may bring clarity to cyber insurance war exclusion clauses.
Episode Date: January 14, 2019

In today's podcast, we hear that Huawei has fired the sales manager arrested for espionage in Poland, and says that if he was spying, he was freelancing. Ryuk ransomware now looks more like a criminal than a state-sponsored operation, and its "big-game hunting" has pulled in almost four million dollars since August. Access control system zero-days found. And a lawsuit is likely to set some precedents concerning what counts as cyberwar. Joe Carrigan from JHU ISI on updated NIST password guidelines. Guest is Vijaya Kaza from Lookout on the shifting role of privacy in infosec. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_14.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Huawei fires the sales manager arrested for espionage in Poland
and says that if he was spying, he was freelancing.
Ryuk ransomware now looks more like a criminal than a state-sponsored operation, and its
big-game hunting has pulled in almost $4 million since August.
Access control systems zero days have been found, and a lawsuit is likely to set some
precedents concerning what counts as cyberwar.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 14th, 2019. Suspicion that Huawei serves as a reliable
partner of China's intelligence services seems likely to grow, the Washington Post notes.
In addition to all five eyes, Japan, Poland, Norway, and the Czech Republic have all recently
expressed varying degrees of official skepticism about the hardware manufacturer's reliability as
a partner. Other Chinese manufacturers, notably ZTE, are also coming in for their share of
suspicion, but Huawei is first among equals
when it comes to security worries. The recent arrests in Poland are the latest events to provoke
concerns about Huawei in particular. Huawei has fired Wang Weijing, the manager who was arrested
on espionage charges. The company denied involvement in the alleged espionage and said
that the arrest and Wang's alleged actions served only to bring the company into disrepute.
This is a very different response from the one on display concerning the arrest last month of the company's CFO, Meng Wanzhou, in Vancouver.
Huawei had been supportive of Ms. Meng, but they were quick to toss Wang overboard.
In fairness to Huawei, the company's claims of not being involved were lent some credence by official Polish sources, who spoke over the weekend about the espionage appearing to have
represented individual effort and initiative, as opposed to corporate policy. The AP says the
Polish national arrested alongside a Huawei executive had formerly held senior cybersecurity posts in three Polish agencies: the Interior Ministry, the Office of Electronic Communications, which is a telecommunications regulatory body, and the Internal Security Agency, a counterintelligence organization. The suspect, identified only as Piotr D., was at the time of his arrest working
for the telecommunications company Orange, an outfit that had been partnering with Huawei in
the 5G rollout. Both Mr. Wang and Piotr D. have asserted their innocence and declined to provide
testimony. Similarities between code used by Ryuk ransomware and the Lazarus Group's Hermes tool
led to tentative suspicion that North Korean state-directed actors, like the Lazarus Group,
might have been behind Ryuk as well.
But states and hoods sell and buy in the same black market,
so code sharing is not particularly surprising,
nor does it usually amount to more than modest circumstantial evidence. ZDNet says the
growing consensus among cybersecurity firms is now that Ryuk is run by Russian organized criminal
gangs. Ryuk, recently famous for having disrupted newspaper printing in the U.S., has been an
interesting case. The criminals behind it are believed to have pulled in some $3.7 million in Bitcoin payments since August.
FireEye and CrowdStrike have tracked some 52 payments over that period.
The ransomware has been distributed to a significant extent by TrickBot,
but unlike the indiscriminate and opportunistic pattern common in other ransomware attacks,
Ryuk engages in what CrowdStrike calls big game hunting.
It will lie dormant until it finds a target it can hurt badly enough to prompt a big payoff.
There's a growing call in the U.S. for meaningful privacy regulation and reform,
as frustration builds over data breaches and misuse of personal information.
Vijaya Kaza is chief development officer at Lookout, and she maintains
that companies who take privacy seriously could find themselves with a competitive advantage.
Privacy is becoming increasingly important for consumers. Obviously, from organizations' perspective, where we are today is it is a program-driven approach relegated to compliance teams and in response to typically new laws or regulations, right? As a result of that, product teams are reluctantly basically doing the minimum they need to do to check the box and avoid any fines or penalties. So that basically changes privacy to just a loss-avoidance type of approach, as opposed to really thinking about what privacy can do for us, and how do we turn this into a strength and really take care of customer concerns and use it as a differentiator.
So let's dig into that, Sam. How can privacy be a competitive advantage? Yeah, as I was saying, if we are trying to be in this mode of loss avoidance,
obviously the fines and penalties and damage to brand reputation are the only ones that you're
thinking about, right? Vendors often really compete on features and capabilities,
but they don't pay as much attention to privacy
because, again, it is a compliance checkbox.
But if you flip it on its head
and really lead with privacy first,
it can help build a moat for your product
and differentiate your product
because it now becomes a mainstream capability
or functionality that your product can offer
and therefore differentiate yourself from competition.
In fact, by doing this, it goes beyond loss avoidance
and really getting to what can it do for business
for bringing additional revenues
and additional top line and bottom line benefits.
And there are many studies that have been done on this.
Recently, Cisco did a study, a privacy benchmark study.
And that study and others have shown that
addressing privacy the right way
reduces the length of sales cycle
by eliminating any kind of customer objections that you get
and also helps you win deals, right?
Especially in privacy-sensitive industries
like healthcare and financial services and government,
that can be huge.
We often see that customers have many objections
as they're going through the sales cycle.
You know, how do you store data?
What do you do with our data, right?
So by addressing that head-on
and really making that a product functionality, you can take care of that and reduce those sales cycles. And obviously,
leading with privacy also shows to your customers that you care about their concerns,
and that increases customer loyalty and satisfaction. And therefore, if you're looking at activations, retention rates, and renewals,
all of those will be automatically better. And
it also improves brand reputation at the same time.
So all in all, addressing privacy the right way with
privacy first approach will definitely bring
a lot of benefits to the business and really
take that problem and burden and convert that into opportunity.
Starting with people is the right way to think about privacy because unlike security, privacy
is not solved by technology.
It is a complex people, culture, and organizational issue and really requires a cultural shift across the organization.
Every employee in the organization needs to understand how important privacy is to their customers.
And also think about, OK, privacy is not just a burden, but I really can turn this into differentiation as we talked about before.
That's Vijaya Kaza from Lookout.

Researchers at security firm Tenable disclosed today that they've found several zero-days in IDenticard's PremiSys access control system. These include
hard-coded credentials allowing admin access to the system, weak hashing, a hard-coded password,
and use of default database credentials. Tenable says IDenticard hasn't responded to its private
disclosures, and that as of last week no patches were available. Tenable advises that users should
make sure their PremiSys instances aren't connected to the internet.
NotPetya hit candy and cookie company Mondelez hard, but their insurer, Zurich, declined to pay their claim on the grounds that NotPetya, which Western governments publicly blamed
on Russia, amounted to an act of war.
Mondelez, a big confectioner that owns the well-known Oreo and Cadbury brands, is now
suing Zurich for $100 million.
Bloomberg says this shows the downside of official attribution.
Insurance policies of all kinds routinely exclude coverage for acts of war.
Wars represent the prospect of the sort of catastrophic damage
that would swiftly exceed the insurer's market capacity.
Thus, war exclusion clauses are routine in the insurance industry.
It is possible to obtain some forms of war risk insurance,
but it's a lot more expensive and harder to get than other forms of coverage.
Thus, war exclusion clauses are standard because of the likelihood
that losses in wartime would exceed the insurer's ability to pay,
not because a particular actor, a state let's say,
was the agent that caused the damage. Cyberattacks present an interesting case.
They certainly can represent a form of warfare and have a clear space on the spectrum of conflict
where they've already appeared in hybrid campaigns like the one Russia has been waging for some years
against Ukraine. On the other hand,
it seems instructive that NotPetya, to return to this particular case, initially represented
itself as, and was briefly taken to be, a ransomware campaign undertaken by criminal
gangs for common criminal financial motives. While the losses companies sustained were substantial,
they still seem closer to a big pile-up on Interstate 5 than they do to Sherman's march to the sea.
Part of the issue, as Fifth Domain points out, is who gets to say what counts as an act of war.
Formal declarations of war have been more or less out of fashion
since the United Nations authorized that police action in Korea back in 1950,
and several states, the U.S. included,
have publicly discussed their ability to conduct cyber operations that don't amount to acts of war.
There's a good chance that the Mondelez suit against Zurich
will establish some precedents in this regard.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365
with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
and he's also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
We wanted to touch today on passwords and some of the new recommendations from NIST.
They recently finalized their new guidelines, and there's some interesting changes here.
What's your take on this?
So I like this guidance a lot.
Number one, they have said that you should allow a maximum password length of at least 64 characters.
I was changing my passwords on one of my financial websites the other day and was shocked to
find I can only have a 24 character password on that site.
It's a good idea to allow them as much
space as they want. Right.
One of the other things is they talk about
restricting passwords from previous breaches.
Amazon has actually already been
doing this. We had a story a couple months ago, I
think, about people having Amazon contact
them and saying your password's weak
and the way we speculated that
that was happening was they were just using a known password list
and cracking passwords and contacting people whose passwords they could crack with that list.
So in other words, if I try to use a new password at a site,
and if it's a password that's on one of the compromised password lists,
it'll say, try again.
Right, exactly.
And that's great because if that password hash is leaked,
that's going to be one of the passwords
that gets cracked pretty quickly
because it's on a list.
Another thing is,
I really appreciate in this,
is they say,
let users enter any characters on this.
If they can hit the keyboard
and enter that character,
they should be able to use that character
in their password.
I always am wary of sites that don't let me use special characters.
I'm concerned that the reason they're not letting me use special characters
is because they're afraid of a SQL injection attack,
which means that at some point in time, or maybe even now,
they're not hashing my password.
Because regardless of what I enter,
a hashed password will come out with a known set of characters
that will not be useful in creating
a SQL injection attack. And that's the information you put into the database, not my actual password.
I see. Allowing users to enter any characters is great because it increases the key space,
as we like to say. But the other thing I want to touch on here that's kind of an important
distinction and something that's a little nuanced that may not be
apparent is they say that you should no longer force users to change their passwords. Right.
Okay. Sounds good to me. It does sound good. And the rationale for that is? The research has shown
that if you force users to change their passwords, that they will pick weak passwords and just
slightly modify the passwords over time. Right.
Okay, but if you let them pick strong passwords and don't force them to change it unless there's been a breach or something or some other motivating factor.
Actually, the NIST standard cites two motivating factors in the articles I'm reading.
I can't actually access the NIST standard right now because of the shutdown.
The government shutdown.
Yeah.
But it says if you have a known breach or if the user requests a password change.
I see.
That's an important distinction right there.
Because I recommend that people still change their passwords on sites that they care about regularly.
For example, any financial institution that you do business with, you should change the password on that with some regularity that you're comfortable with the risk level on.
And that is different from being forced to have your password changed. In my workflow,
I'm thinking of a person who's using a password manager, so they're always producing a random 20-character password.
They're not really remembering the password, right? And they're just going to go ahead and change the password every six months or maybe every year.
Mm-hmm.
Forcing users to change their password after you know that there's a breach protects the users against the known breach. But changing your password with some regularity protects you against the unknown
breach. So the site may have been breached or the password may have been leaked out and attackers
are immediately going to start cracking those passwords. You have some amount of time if you
have a good complex password, but you don't have forever. And you can change that password,
and then when they do crack your password in a year or so,
or maybe in 10 years,
your password will no longer be valid because you will have changed it. I see. That's an interesting nuance.
Yeah, it is.
So put yourself on a regular schedule, set a reminder in your calendar,
hey, it's new password day.
Right. Or if you use a password manager,
like the one I use, PasswordSafe, that's free and open source,
then you can actually set those passwords to expire, and your password manager will remind you to change them.
Huh.
All right.
That's an interesting insight.
That is a subtle nuance, but it does make a difference there.
Mm-hmm.
Yeah.
All right, Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.