CyberWire Daily - Pyongyang’s social engineering campaign to compromise vulnerability researchers. Anonymous is back? Workforce development. Cyber Force? Why not?

Episode Date: January 26, 2021

Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia’s government it’s not happy with them. Notes on false credentialism and... workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian Cybersecurity Startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/16

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia's government it's not happy with them. Notes on false credentialism and workforce development from the National Governors Association Cyber Summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian cybersecurity startups.
Starting point is 00:02:26 Our guest is James Stanger from CompTIA on their Ultimate DDoS Guide. And does America need a cyber force? Some think so. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 26, 2021. Yesterday evening, Google's Threat Analysis Group reported that a North Korean threat actor had been quietly and plausibly engaged in social engineering of vulnerability researchers working for security companies. The campaign seems to represent a significant advance in subtlety and craft on Pyongyang's part. The threat actors created research blogs and multiple Twitter personas, which they used to discuss various publicly known vulnerabilities, often claiming successful development of proof-of-concept exploits. The blogs even attracted and published guest posts from legitimate researchers. It was, as the Register writes, a long con. The evident goal was espionage. The apparent method was to cultivate trust and
Starting point is 00:03:47 then induce researchers to unwittingly install malicious code and an in-memory backdoor that beaconed to DPRK-controlled servers. The compromise was accomplished through unidentified mechanisms when the victims visited one of the threat actors' sites. One known way in which victims were compromised involved their being induced to collaborate on a research project. According to Bleeping Computer, the threat actors would share a Visual Studio project that included the proof-of-concept exploit
Starting point is 00:04:16 they represented themselves as working on. It also included a malicious hidden DLL. Google says, At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. The Register points out that the campaign wasn't perfect, and there's a funny meme in circulation
Starting point is 00:04:36 showing dear successor Kim Jong-un's face superimposed over Steve Buscemi's face above the legend, how do you do, fellow zero-day researchers. But give them credit. As social engineering goes, this one is better than the call threatening arrest for abuse of your social security number, or the email from the barrister asking if you'd be willing to serve as the heir
Starting point is 00:04:57 to an intestate gazillionaire. So, fellow zero-day researchers, engage with caution. Anonymous has apparently resurfaced and it's interested in Malaysia, if, that is, the people who posted a video excoriating Kuala Lumpur for allegedly poor government cybersecurity practices really do represent the anarchist collective. Anarchist collectives are by their nature inherently difficult to identify or authenticate or indeed even individuate. Their name is Legion, as it were. Anywho, the video includes an implicit threat of data theft and doxing.
Starting point is 00:05:37 Yahoo Finance says the government is taking the threat seriously. In fairness to Anonymous, insofar as it's possible to be fair to an anarchist collective, this sort of doxing under a finicking pretextual fig leaf of stuffy devotion to best security practices hasn't really been the Anonymous style, but who knows. Full-scale cyber war isn't likely because Anonymous isn't that big a playa in cyberspace, but there's a real possibility of nuisance attacks. Their tweet, for what it's worth, is Shadowbroker-esque in diction. Quote, This is a wake-up call for the government of Malaysia, they say, adding,
Starting point is 00:06:16 It's have been a long time that we are silent. Be prepared. We are Legion. We do not forgive. We do not forget. Expect us. That's expect us, not expect US, as the capital letters they use might suggest. Still, again, who knows?
Starting point is 00:06:33 Any Dr. Seuss scholar knows that the Lorax speaks for the trees, but who really can be said to reliably speak for Anonymous? We attended last week's virtual cybersecurity summit organized by the National Governors Association. Much of the issues the participants talked through were familiar enough, touching as they did on the importance of cooperation, not only among the states, but between state and local government, with the federal government, and finally, with the private sector. There was also considerable attention devoted to workforce development. Our stringer on the virtual spot thought one of the issues
Starting point is 00:07:10 they addressed was particularly interesting, the way in which a kind of false credentialism can stand in the way of filling jobs with people who are well able to handle the work. CompTIA CEO Todd Thibodeau mentioned that university preparation is often either misaligned or incomplete with respect to what the industry says it needs, and that universities might do well to listen to the private sector and take advantage of all the work the private sector's done on the issue. But there's another bottleneck in the talent pipeline, too, and this one is on the side largely of industry. Thibodeau called it a confidence gap, the widespread assumption or sense that all cybersecurity jobs require deep STEM expertise and training. He encouraged employers to give applicants who don't have those a look. Alternative credential programs, many of which have appeared over the last few years,
Starting point is 00:08:03 can deliver solid candidates. And in Thibodeau's view, it doesn't take a four-year degree to switch fields into cybersecurity. We might add some historical perspective. When the battleship USS California was sunk at Pearl Harbor, until she could be raised and repaired, it was found that the musicians in her band showed a surprising aptitude as codebreakers. They were temporarily assigned to Fleet Radio Unit Pacific, where they served with distinction. Look for the equivalent in cybersecurity. And finally, once you do get the right people, how do you organize them?
Starting point is 00:08:40 One of our favorite sailors, retired Admiral James Stavridis, a friend of the show, has an op-ed in Bloomberg in which he argues that the SolarWinds supply chain compromise, and presumably the other related campaigns by probably Russia's Cozy Bear, show that the U.S. isn't properly organized for cyber conflict. He thinks that Space Force, whose creation he approves, suggests a model for cyberspace. A new military service, call it Cyber Force, should do for operations in cyberspace what Space Force promises to do in outer space. As the Admiral puts it, quote, The administration should also create a full-fledged cyber force. The Donald Trump administration correctly created a space force,
Starting point is 00:09:25 recognizing how much of national security relies on the ability to operate in space, and that securing it requires specific skills concentrated in a single organization. Likewise, we are overdue for an elite, independent branch of the armed forces in which all the personnel wake up every morning thinking about defending the nation in cyberspace. End quote. Maybe he's right, although we're agnostic on the issue.
Starting point is 00:09:52 But if there ever is a cyber force, we look forward to watching its culture develop. That's the fun part, and roles and missions be damned. Space Force calls its troopers guardians. The inevitable choice for cyber force would seem to be hacker, as in hacker recruit, hacker, hacker first class, and so on. In fairness, Cyber Force probably ought to go into the Department of the Army, since the Departments of the Navy and the Air Force already have two services, respectively, the Marine Corps and the Space Force.
Starting point is 00:10:23 And bonus, it could there make its contribution to the Army's rich tradition of demotic terms of disapprobation, where the Army Airborne has its LEGS, a derisive reference to non-airborne foot mobile troops who don't arrive by parachute. Cyberforce could have, what, no hats, maybe? And the equivalent of the combat troops REMF, which acronym we won't unpack because we're a family show,
Starting point is 00:10:50 but which is used to refer to judge advocates general, headquarter clerks, and comparable miscreants. Well, that one could be non-hacker. And an incompetent hacker, the equivalent of the army's BOLO? Well, obviously, it's Skid. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:11:48 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:12:26 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Thank you. executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. DDoS attacks continue to be an ongoing issue for cybersecurity professionals, a bit of a cat and mouse game as adversaries grow their botnets and defenders strengthen their mitigation capabilities. Dr. James Stanger is Chief Technology Evangelist with nonprofit trade association CompTIA, and he joins us now.
Starting point is 00:13:54 James, welcome to the Cyber Wire. Hey, thanks, man. It's great to be here. Appreciate your time. Well, let's start off with a little level setting here. I mean, where do we find ourselves when it comes to the state of things in regard to DDoS attacks? You know, in some ways, I swear when it comes to DDoS attacks, we seem to kind of reinvent
Starting point is 00:14:11 our susceptibility to them. In other words, just as I remember years ago, there was the Robert Morris internet worm. Now we're talking about primordial times back in the 80s when, you know, he accidentally or accidentally on purpose, who knows what happened, released this thing and it went along and crashed about a quarter to a third or more of the known internet at the time. Well, then in the 90s, late 90s,
Starting point is 00:14:35 DDoS attacks became big and now we have the botnets, we have the volumetric attacks, we have the ability of some of these pretty sophisticated outfits to send even small amounts of traffic that are designed to crash servers. So it's interesting to see how these things are cyclical. It comes and it goes, but it's cyclical. But the patterns are kind of the same, but the actual volume and the severity of the attack seems to be getting worse. Yeah, I mean, and then I think that's really striking as the techniques on both sides,
Starting point is 00:15:09 as they grow their capabilities, I think we're seeing numbers that we would have had a hard time imagining just a few years ago. You know, it used to be, oh, hey, look at that, we're seeing a lot of SYN packets, a SYN flood. There's the TCP three-way handshake, and you can take advantage of that by overwhelming a server there. Or lots of ping packets. It's gotten so much more sophisticated
Starting point is 00:15:36 on the attack side to see how you can put together hundreds of thousands of millions of unwitting participants in your little scheme, that they're just doing things as they normally would do. And then all of a sudden, just a few packets come from each of those, and then it adds up to a huge attack.
Starting point is 00:15:57 We've seen it bring down Amazon S3. We've seen it bring down Netflix. We've seen it bring down quite a few things, certainly with IoT packets. On the mitigation side, it's also interesting to see the more sophisticated approaches. There's big data approaches to crunch all of the data to find out what the patterns seem to be so you can proactively protect yourself. We're also seeing a lot of really good third parties out there that can kind of insert themselves in between you and the bad guys to scrub out a lot of those packets. So it's interesting to see how both sides have become more sophisticated. Where do you suppose we're headed with this? Is this something that we're going to get control over or is this something
Starting point is 00:16:42 that is here to stay? It's here to stay. I see it as a chronic issue that has to be managed rather than something like, because I remember for a while, it was like there was a certain mission accomplished attitude. Well, there's no more, you know, we figured out the ping of death.
Starting point is 00:16:57 I'm using old examples. Or we figured out Slowloris. We don't have to worry about that so much. We've kind of figured out systems have become much more able of handling floods of traffic than they ever were. I mean, nowadays, you can simulate using Kali Linux or Metasploit or whatever, hping, simulate floods of traffic that back in the day would have crashed a Linux or a Windows server of its day. They're much more resilient now. But again, the attackers are able to step up their game each time. So I see it as a slow and steady evolution
Starting point is 00:17:33 against the slow and steady evolution of the bad guys. Dr. James Stanger is Chief Technology Evangelist with the nonprofit trade association CompTIA. Thanks so much for joining us. It's fantastic to be here. Thanks again. I appreciate it. Cyber threats are evolving every second
Starting point is 00:18:01 and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default And joining me once again is Kevin Magee. He's the Chief Security and Compliance Officer at Microsoft Canada. Kevin, always great to have you back.
Starting point is 00:18:54 I want to chat today about the launch of the Rogers Cybersecurity Catalyst at Ryerson University. And this is something you're involved with. Can you give us some of the details? What's going on here? And why is it something that's important to you? Personally, and also professionally, I'm very interested in the next generation of leaders for our industry and how we develop them.
Starting point is 00:19:15 And that doesn't mean just within the corporate sense. That's also looking to the startup community and building that startup community. And in Canada, we have a much smaller startup community than you do in the U.S. So we're looking at how best to grow and really accelerate those efforts. And what we're seeing is that partnerships between corporations like ourselves, like Rogers, and universities and the startup community are really producing the best results, where we come together to provide not only access to talent, access to mentorship, access to applied research
Starting point is 00:19:52 and whatnot, and build out that community is greatly accelerating those startups and developing that talent we need for the next generation of our leadership in our industry. So it's a fascinating time to be involved in this community. And Ryerson partnered with Rogers to launch this cybersecurity catalyst. At the beginning of the COVID pandemic, it was meant to be a physical space. So we had to work together to sort of pivot to an online space and evolve as well in real time. Can you give us some insights? I mean, what's the general framework that you're using here to set up the partnership between private and the educational folks?
Starting point is 00:20:36 So Ryerson really approached a number of large corporations that had either expertise or whatnot that could bring to bear and said, you know, how can you help us? And so they run a program that they've established sort of based on a generic entrepreneurship program, and they've adapted it to the cybersecurity startups as well. So they have entrepreneurs in residence that are industry folks that come in and assist the companies to develop in sort of the generic aspects of business. But then they've created a role called a corporate in residence, where people like myself or other folks within Microsoft really come in and advise the companies, much like the entrepreneur in residence, on specific topics that are of interest.
Starting point is 00:21:15 And then it also gives an opportunity for those organizations or those startups to tap into the vast resources. Microsoft is a $2 trillion company or something like that. We have a vast array of resources that we can make available to the startups and really help them accelerate. And if I look back, my first company that I founded in the 90s was based on a Microsoft program that assisted startups by providing free licenses to software and whatnot.
Starting point is 00:21:44 And without that help at that early stage, I'm not sure I could have got my company off the ground. So that's what we're looking to achieve with the partnership. And what's in it for you personally? Why is this something that you want to invest your time in? So I find it's really something that brings energy to my day. So when I spend some time with some of the founders, I really come out of the call energized and excited.
Starting point is 00:22:07 And when you spend time with entrepreneurs who are really tackling some interesting challenges or something that no one's ever done before, and they're young and they're invested and they're really excited about their work, it's a fascinating thing to do. And sometimes little things that you can advise them on or assist them with make an incredible difference because I've made that mistake hundreds of times over my career. They have not yet, so they can benefit from that wisdom as well. But again, it really is something that I find a great deal of personal satisfaction out of. And nothing makes me happier than to see these folks either go on to succeed with their organization or maybe move around the industry and become leaders in other parts of the organization as well. All right. Well, Kevin Magee, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:23:17 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. One tough customer. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:23:40 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
