CyberWire Daily - Quantum computing and security standards. Cyber war, and the persistence of cybercrime. DPRK ransomware versus healthcare. Cyber incidents and credit, in Shanghai and elsewhere.
Episode Date: July 6, 2022
Quantum computing and security standards. Notes on the cyber phases of a hybrid war, and how depressingly conventional cybercrime persists in wartime. Pyongyang operators are using Maui ransomware against healthcare targets. Malek Ben Salem from Accenture looks at the security risks of GPS. Our guest is Brian Kenyon of Island to discuss enterprise browser security. Shanghai's big data exposure. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/128
Selected reading.
- NIST Announces First Four Quantum-Resistant Cryptographic Algorithms (NIST)
- Winners of NIST's post-quantum cryptography competition announced (Computing)
- NIST unveils four algorithms that will underpin new 'quantum-proof' cryptography standards (SC magazine)
- NIST Identifies 4 Quantum-Resistant Encryption Algorithms (Nextgov.com)
- Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats (CISA)
- Quantum-resistant encryption recommended for standardization (Register)
- Keeping Phones Running in Wartime Pushes Kyivstar to the Limit (Bloomberg)
- The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan (CyberScoop)
- Ukrainian police takes down phishing gang behind payments scam (ZDNet)
- Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict (Security Affairs)
- North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (CISA)
- Reports (Moody's)
- Clarion Housing 'cyber incident' affects thousands of tenants (Cambs Times)
- In a big potential breach, a hacker offers to sell a Chinese police database. (New York Times)
- Nearly one billion people in China had their personal data leaked, and it's been online for more than a year (CNN)
- China data breach likely to fuel identity fraud, smishing attacks (ZDNet)
- China Tries to Censor What Could Be Biggest Data Hack in History (Gizmodo)
- Here are four big questions about the massive Shanghai police leak (Washington Post)
- Shanghai Data Breach Exposes Dangers of China's Trove (Bloomberg)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Quantum computing and security standards, notes on the cyber phases of a hybrid war and how depressingly conventional cybercrime persists in wartime, Pyongyang operators are using Maui ransomware against healthcare targets, Malek Ben Salem from Accenture looks at the security risks of GPS, our guest is Brian Kenyon of Island to discuss enterprise browser security, and Shanghai's big data exposure.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 6, 2022.
The U.S. National Institute of Standards and Technology, that's NIST, at the end of a six-year competitive search, has announced the four winners in its program to develop quantum-resistant encryption algorithms. This represents a milestone en route to NIST's publication of standards for post-quantum cryptography, expected in 2024. According to NIST, for general encryption, used when we access secure websites, NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected three algorithms: CRYSTALS-Dilithium, Falcon, and SPHINCS+. Reviewers note the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with Falcon for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason: it's based on a different math approach than all three of NIST's other selections.

Taking note of NIST's announcement, CISA outlines some steps organizations can take now as they prepare for developments over the next two years. CISA says, "Although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the post-quantum cryptography roadmap." That roadmap includes steps like inventorying your systems for the use of public key cryptography, creating a plan for transitioning to the new standards as they emerge, and preparing to inventory your vendors as compliance becomes an issue. Naturally, education and training of your workforce will be an issue and worth preparing for in advance. Sure, you may object: here we are worrying about the risks of quantum computing when it's not really even a thing yet. And to be sure, the field is in its lab bench phase, with physicists tuning lasers like they're a hot rod Lincoln, but the sector is maturing fast, and it will be here before you know it.

Ukrainian mobile provider Kyivstar has continued to provide service during the war as it struggles to work through disruption. In Bloomberg's account, that disruption has been largely kinetic and sadly sometimes lethal. Physical destruction of infrastructure has been more of a problem than cyber attacks. The relatively small role Russian offensive cyber operations have played in the war so far has not prevented others from drawing lessons from Russia's conduct of its hybrid war. China is said by CyberScoop to be watching the action in cyberspace especially closely, with a view to sorting out its options in the event of a war to conquer Taiwan. The consensus lessons are strike quickly, pick targets that would cripple the enemy early on, and rely on attack methods that have never been observed in public.
Criminals continue to shape their social engineering to events, especially tragic events. ZDNet reports that Ukrainian police have arrested nine alleged members of a gang the authorities say are using the promise of European aid checks to beleaguered Ukrainians as fish bait in a tiresome version of familiar fraud. Victims are directed to a bogus website that presents them with an equally bogus application for assistance. Ukrainian police say, "Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union." The victims are invited to provide their banking information so they can receive aid, and then the criminals simply rifle whatever they've been given access to. If convicted, the nine alleged thieves face up to 15 years in prison.
CISA, the FBI, and the U.S. Department of the Treasury have issued a joint alert titled "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector." It warns of a North Korean ransomware campaign that's been in progress since at least May of 2021. The alert says, "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including electronic health record services, diagnostic services, imaging services, and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH sector organizations for prolonged periods." How the threat actor obtained initial access is unclear, but the warning recommends that organizations pay particular attention to the dangers of phishing and that they train their personnel to recognize it, which suggests that social engineering has played a significant role in the Maui campaign.

How do rating agencies look at cyber incidents and cyber risk? Moody's has sent us a pair of reports on current events, and they're interesting. The firm's Investors Service released a report detailing the credit implications of Conti's early April ransomware attack on the government of Costa Rica. The attack impacted the government's two largest revenue streams, income taxes and customs duties, and impacted the international trade and healthcare sectors most heavily. The report notes that this attack provides insights on the government's strength, saying that while the attacks weren't prevented, they were handled with effective solutions. Moody's anticipates the fiscal deficit to remain close to 4.8% of GDP and expects to see GDP growth of 4% in 2022. In another report, Moody's discusses the recent cyber attack on Clarion Housing Group in the United Kingdom and its implications for housing associations as a whole. On June 23, Clarion reported a cyber attack on their IT systems that impacted IT operations, such as scheduling repairs and maintenance. This attack comes on the heels of a number of other cyber attacks on housing associations in the past few years and highlights the need for cyber risk mitigation. According to a recent cyber survey conducted by Moody's, cyber risk remains small in the housing sector but is growing strongly, with 25% spending growth from 2018 to 2020.

And finally, several questions remain about the big data exposure incident
that appears to have affected information held by the Shanghai National Police. Some of the data that's been posted online as a teaser by the person or persons trying to sell them, who goes by the name ChinaDan, have been confirmed to be genuine, but it's unclear whether all of them are. If they are the real goods, then the incident affects about a billion people, making it the biggest data exposure in history. The New York Times, like the Wall Street Journal, has been able to determine that some of the posted information is authentic. China has made no official statement on the matter, but the New York Times reports, "On Chinese social media platforms like Weibo and the communication app WeChat, posts, articles, and hashtags about the data leak have been removed. On Weibo, accounts of users who posted or shared related information have been suspended, and others who talked about it have said online that they had been asked to visit the police station for a chat." And all of this suggests some official sensitivity about the matter. Why else would they want to chat? Chat in real life, we mean. Some of the hashtags that are putting a burr under official saddles way out west, Shanghai way, include "data leak" or "database breach," things like that. If the data ChinaDan is offering is indeed legit, and at least some of it is, and the man and woman in the Shanghai street appear to be assuming that they are, then the risks are foreseeable: identity theft, fraud, more plausible social engineering, and so forth. "We're running around naked here" is a commonly quoted remark.

One risk citizens of China face that people in most other countries don't is damage to their social credit. That's not like someone in, say, Baltimore or Birmingham being worried about the effect bogus purchases with their credit card could have on their credit score. Social credit is a general assessment of a Chinese citizen's reliability, trustworthiness, and good citizenship. And it's a hard, quantifiable score, with more consequences than the mere reputational damage you might sustain if you were falsely outed as, say, a Red Sox fan or a Wolverhampton supporter. Shameful enough to be sure, but trivial compared to a bad social credit score in Shanghai, where it could affect access to employment, housing, and so on.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.

And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
For many of us, the web browser serves as the primary gateway to the internet,
a universal app for accessing everything from search to email
to online dashboards and databases. That versatility of the browser can be a mixed
blessing, of course, because it can provide an avenue for infiltration for a whole host of bad
actors. Brian Kenyon is one of the founders and chief strategy officer of a company called Island,
who are looking to enhance enterprise security through the use of a custom secure web browser.
You know, third-party risk, and whether that's in the form of, you know, suppliers or true contractors who are accessing, you know, organizational resources, that entire aspect of our IT landscape has become a big concern for us, and it's been highlighted by any number of breaches or entity that might be accessing their resources, and then apply appropriate controls. And so if you look at the evolution of how folks and organizations have dealt with this third-party risk, it started off with organizations would, they want to ensure it was their device connecting to their resources. So they'd go through the practice or methodology of shipping a device to the contractor, to the organization. Now, as you multiply that out, it gets really expensive. And as you start looking at, you know, the current supply chain woes and constraint we have, organizations are having a hard time finding devices and actual physical hardware to actually ship in a timely way. as a service to try to abstract the third party's device from the equation and just present them with an access capability that just presented a corporate desktop to them. But at the end of the day, that became extremely expensive. It's costly to both license as well as run and manage, whether it's in the cloud or even in a traditional on-prem hardware type of virtualization. So organizations that have gone through this journey are looking for a new, better way to bring these folks on board.

And so where does it seem things are headed? What are some of the options on the horizon here?

Yeah, you know, there's been a lot of technologies that have tried to simplify this problem. And, you know, what we see actually is it's actually a pretty common recurring pattern in security where we looked at the symptoms of things. You know, what is the problem? Well, we can't get hardware, so let's try to find something that's easier to deploy, like VDI or desktop as a service. Or let's try to find something that's lightweight that they can install, like an extension in a browser or maybe an agent. And all of those are met with different friction points. But at the end of the day, they don't really truly provide the solution we're looking for, which is I want to attest to the type of environment my contractor is using to connect to my resources. I want to ensure that no data is lost or no data spills onto that contractor device. And I want to make sure that ultimately I can govern and have an accurate audit log of everything that contractor is doing when they're accessing my resources. Those are the real capabilities we're looking to try to solve when we think about third-party risk. And so we've seen a number of solutions, but all of them fail in one form or another, either in the user experience, in the cost, or in the complexity of deployment. So we're seeing a big shift now where folks are looking for lightweight options that give the contractor, that third-party user, a very native experience. And many people are going back to a controlled web browser as a vehicle to engage this type of behavior.

So when you say controlled web browser, what specifically is involved with that?

Yeah, so we've seen, and obviously from Island's perspective, we've innovated around the ability to have a browser that is familiar to the end user, but that the organization has ultimate control over. So what it can do, the actions it can perform, both the user as well as the browser itself, and the types of activities you want to permit. And so what organizations have seen is, A, from a deployment perspective, all you're doing is you're asking your third-party contractor to download and install a web browser, something that they do multiple times throughout their career and probably multiple times across multiple devices. And then ultimately, they authenticate to the browser, and then the browser has all the security controls built into it. So if the organization decides, I don't want anything from that contractor system making it into my application, then you prevent uploads and downloads. You could prevent copy and paste. You could prevent all these types of activities that we've long feared and have used technologies like VDI to try to control.

You know, I'm probably revealing myself as a bit of an old timer here. But in a way, it kind of reminds me of the old days when browsers would have a kiosk mode, you know, and you'd often see it used at the, you know, at the mall or the shopping center or some place like that where they wanted to limit access. But it seems like this is in some way an evolution of that.

Yeah. It's almost an evolution back in history, right? Because as we look at it, the cycles in IT tend to go from thin to thick client back to thin. And we find ourselves moving back to this thin client as we've really raced to the cloud, we've raced to SaaS, and now we're racing to remote employees and remote work and work from anywhere. And so more and more of our daily activities have actually moved into the browser. But when you think about that, it's the one enterprise application that doesn't actually have control and governance for the enterprise. And so when you think about what we do with contractors and third parties, we're really provisioning a VDI or these remote desktops, or even shipping them laptops and hardware just so they can open a web browser that we don't control and access the applications that we're worried about. It's time we gave control of this application back to the enterprise. And in this case, it's a great use case to quickly, very inexpensively, and very securely onboard those contractors.
That's Brian Kenyon from Island.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Malek Ben Salem. She is the Technology Research Director for Security at Accenture. Malek, it's always great to welcome you back. You know, I was over the weekend visiting some friends, and I had their address dialed in with my GPS. And I was thinking to myself, oh, these kids today, they're never going to know a world without GPS. But of course, there are some cyber risks that go with GPS. I want to touch base with you on that today. What can you share with us?

Yeah, we don't think of GPS as a risk, you know, whether we're businesses or individuals. But it turns out that this system, this global positioning system, is very vulnerable to either signal spoofing or signal jamming. So signal jamming is when threat actors can jam the signal so that you don't have access to the signal that you need to access the GPS system. And spoofing is when they feed you the wrong information. And because of this risk, the U.S. government actually has paid attention to this problem and has drawn attention of the businesses to this problem and has issued a number of guidelines that businesses should follow.

What sort of things have they suggested?

So, you know, they developed a framework for the risk that is aligned with the NIST framework, which I can share the links for. And there's a number of libraries now that device developers can use in order to authenticate and to validate the information that they're receiving by the GPS systems. And some of the recommendations is to also not rely on GPS systems only, but rather validate that information with other systems like radar systems or, you know, more new tools like satellite information to identify whether the GPS information is actually correct or not.

Now, there's more than one GPS system up there, right? I mean, there's the U.S. system, but don't the Russians have their own system as well?

Exactly, yeah. So one of the defense mechanisms, I guess, that some businesses and organizations have been using is not just to rely on the U.S. system, but also use the Russian system as an alternative in case the U.S. system goes down. But obviously that comes with its own risks, right? Especially in the context that we are in, in this, you know, war against Ukraine. That system is not reliable, intentionally, in some cases, not reliable. You know, the Russians may be spoofing, deliberately, you know, sending wrong information. So it's not recommended to rely on that system as an alternative. It's better to use other means like, you know, radar information or, you know, visual aids to identify where your location is, whether you're in a transportation, whether you're on a ship or, you know, as an aircraft pilot. It's better to use these combined, let's say, at least these other sources of information together with the GPS information.

Yeah, I've seen reports, I suppose, particularly affecting ships at sea where there have been some spoofing incidents where, you know, and you can imagine the problems with that. If a ship gets too close to land because it thinks it's not where it actually is, well, that's trouble.

Oh, yeah, absolutely. And not just, you know, commercial ships, but if you are, you know, if you own a boat, right, and you go to an area where, you know, the waters are being, you know, disputed between two different countries, or there is a military exercise in the area, then the signal may be jammed or spoofed deliberately, right? Or if there is a VIP in the area, right, who don't want to get their location revealed, then it's likely that that signal will be jammed. So you don't want to rely on it in that case, and you want to have some alternative mechanism.

So what are your recommendations here? I mean, is this the kind of thing where, you know, folks who would be likely to have issues with GPS problems, they probably already know it?

So for organizations, I think that the recommendation is to rely on the U.S. government recommendations and resources that have been provided. Again, for device manufacturers or device developers, there's libraries that are available that have to be checked and used in the software. But for average users like you and I, there is an app that can be used to detect if there is GPS jamming in the area. And at least when you detect that, then you know you cannot rely on the GPS information that you have.

Oh, interesting. All right.
Well, Malek Ben Salem, thanks for joining us.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.

ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.