CyberWire Daily - Reverse engineering Equation Group attack tools (and putting them to bad use). Hacking, jamming, and airstrikes. Taking down coordinated inauthenticity. How big is the dark web?
Episode Date: May 7, 2019
Buckeye seems to have reengineered some of Uncle Sam's cyber tools, and they did it without, apparently, help from the ShadowBrokers. More on airstrikes as retaliation for hacking, with a brief excursus on electronic warfare. Notes on malicious commitment as one of the hazards of open source software development. How big is the dark web? Big enough, but maybe not as big as everyone thinks. And beware of bogus Avengers Endgame sites. David Dufour from Webroot with thoughts on HTTPS security concerns. Guest is Michael Figueroa from the Advanced Cyber Security Center on their recent report identifying a need for a board-level cyber risk management standard. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Buckeye seems to have re-engineered some of Uncle Sam's cyber tools,
and apparently they did it without help from the Shadow Brokers.
More on airstrikes as retaliation for hacking with some thoughts on electronic warfare.
Notes on malicious commitment as one of the hazards of open source software development.
How big is the dark web?
Big enough, but maybe not as big as everyone thinks.
And beware of bogus Avengers Endgame sites.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 7th, 2019.
Researchers at security firm Symantec have concluded that the Buckeye Group has obtained Equation Group cyber attack tools and used them against a variety of targets, including several U.S. allies.
The Equation Group, of course, is generally alleged to be the U.S. NSA.
Symantec doesn't call Buckeye Chinese intelligence services,
but it comes as close as everybody else does, so as to make no difference.
The tools' use apparently antedates the Shadow Brokers' leaks by about a
year, and Symantec thinks, the New York Times reports, that the code was captured and reverse
engineered when it was employed against Chinese networks. The Times compares it to a gunslinger's
grabbing the other gunslinger's peacemaker during a showdown and then blasting back with it. The
other possibilities that the attack code was found inadvertently exposed on a poorly secured server, that it was obtained by hacking, or that it was delivered by a rogue insider, are thought to be significantly less likely.
Specifically, what Buckeye got was the DoublePulsar backdoor and the Bemstour installation tool.
It did not use them against U.S. targets, either because Buckeye assumes the Americans would be wise to their own exploits or because they wish to avoid tipping their hand to Fort Meade.
Instead, the threat actor targeted, as far as known, scientific research organizations and
educational institutions in Belgium, Luxembourg, Vietnam, the Philippines, and Hong Kong. In at least one case, government networks were also
attacked. Buckeye is also known as APT3, or our personal favorite, Gothic Panda, and it's generally
held to be a contractor in Guangzhou, working for China's Ministry of State Security. The company
is the Guangzhou Boyu Information Technology Company Limited, but it's also known as Boyusec.
You may have heard of them.
They're the employers of the three gentlemen
the U.S. Justice Department indicted in November 2017
on charges of computer hacking, theft of trade secrets,
conspiracy and identity theft directed at U.S. and foreign employees,
and computers on three corporate victims
in the financial, engineering, and technology industries
between 2011 and May 2017.
They're out of the reach of U.S. law for now,
unless and until they decide to vacation in some extradition-friendly vacation destination.
We hear Vancouver is lovely this time of year,
but the indictment seems to have made Boyusec pull in its contractors' horns a bit.
In any case, as several have observed,
Boyusec went quiet after the Justice Department went noisy.
And therein lies, maybe, another tale.
As Symantec pointed out, if Boyusec is maybe out of the business,
then who's using the tools?
Because they've been used since Boyusec dropped off the radar.
Have they come quietly back, or have they given the tools to someone else?
As a Symantec researcher put it, people come and go, the tools live on.
Observers are drawing several lessons from the incident.
First, it seems that cyber attack tools are less easy to contain,
more susceptible to proliferation, than are other tools of statecraft.
Second, many would really like intelligence services
to do a better job of securing their tools.
Third, cyber attack code seems inherently backward-striking,
and capable reverse engineering makes this even more likely to be a risk.
And finally, some are calling for another review
of the U.S. vulnerability equities process,
which decides which zero days to report for patching
and which to hold onto for use against the opposition.
The Advanced Cyber Security Center, or ACSC, is a member-driven nonprofit
whose mission is to strengthen cyber defenses, develop security talent,
and advocate for well-informed public policy.
They recently published a report
outlining how boards should be active governance partners in collaborative cyber defense.
Michael Figueroa is executive director of ACSC. The report itself has a number of sort of findings,
but as a security executive, I really kind of honed in on two primary key points. And the first point is really
from the board perspective. Rather than try to become security experts or bring in one director
to serve as the security expert, I think what we found is boards should really support their CISOs
by holding the whole leadership team responsible for assessing cyber risks against business risks.
So, you know, that's really looking at it from that board responsibility-oriented perspective. But of course, I wouldn't say that the security executives are without responsibility either.
In order for the board to really be effective at that, I think security executives
that are most effective at building constructive board relationships are the ones who are able to
get out of the technical weeds and seek to build leadership coalitions across the organization on
mitigating cyber risks, comparing cyber risks to business risks. So it's really a sort of two-pronged
approach that then the report digs into some of the key findings, experiences, and techniques for how the organizations can improve those
communications. So as you see it, I mean, to what degree is it a board member's responsibility
to educate themselves on cyber issues? You know, it's been a really, really long sort of
conversation lately. I think that the security community will generally say
that board members need to be more educated in security. But I would say that's, based on our
findings, that's really not the right direction because it's not the board's responsibility
to dictate how the security program should be executed. It's really the
board's responsibility to be able to help the organization and the leadership make strategic
decisions based on their governance function. So to do that, I think it's a much easier path to go
for the board to be able to leverage its understanding of business governance and
require the leadership team to really partner with the security executives to understand
how cyber risks affect their areas of business so that the board can then make better strategic
decisions without some idealistic overlay of what a security-informed board
member should be. What we're finding CISOs are getting locked up in is they're reporting on
metrics as they understand security and then are forced to spend much of their limited time in
front of the board trying to explain what those metrics mean. I think it would be much more effective,
and what the report is sort of showing us is more effective, for the CISOs to align their
measurements against the performance of the business and then engage in that board-level
conversation so that then they can seek the resources that they need to really mitigate
the business risks versus try and hone in on specific
cyber risks. We're in a transition stage, what I've been seeing right now, where the older generation
of CISOs, or let's say the more seasoned generation of CISOs, are CISOs who inherited their position
at large enterprises, for example, because they've been at the enterprise for a long time and they're starting to retire out. That's opening up a new pool of CISOs to really start standing up into those larger
enterprise-oriented positions. And what's happening there is that the first generation of CISOs were
very, very business-oriented and sort of learned security through the process of the evolution of
the organization versus newer CISOs
that tend to be much more technically sound and technically oriented,
but are much more comfortable in the technical side of security versus the business side of security.
So those that are being most successful are the ones who are able to effectively translate their technical knowledge to a business-oriented audience versus those that
want to dive into the weeds and support their teams but aren't able to really engage in building
those partnerships at the business leadership levels. That's Michael Figueroa. He's the
executive director of the Advanced Cybersecurity Center. The report is titled Leveraging Board Governance for Cyber Security.
You can find it on their website.
Israel's airstrike against a Hamas cyber operations center
continues to be seen by many
as a radical shift in the nature of combat.
The future is here,
and it features hackers getting bombed,
as Foreign Policy puts it.
Wired's more nuanced discussion
sees the novelty in the near-real-time retaliation
and its public avowal by the Israeli government. What the hackers were engaged in doing is unknown,
not having been part of that public discussion. But consider that as cyber operations and
electronic warfare converge, whether the Gaza strike might be more like hitting an enemy jammer
than something altogether new under the sun.
Not all retaliation, of course, is kinetic.
Sometimes you jam the enemy emitter, and sometimes even a private company can do it.
Facebook just did so this week, taking down 97 groups, pages, and accounts
in an action against Russian-coordinated inauthenticity deployed against Ukraine.
Finding and stopping inauthenticity continues to seem like a better and easier bet than direct content moderation.
And sometimes you'll even leave the emitter alone
because it's doing the opposition more harm than good.
Perhaps it's telling its people what you would prefer they heard.
Sometimes it broadcasts nonsense,
unintentionally darkening counsel with waylored folly. Sometimes it's a self-jamming platform, some colonel or master sergeant who
just loves, loves, loves to send their voice and the thoughts that voice carries out across the
ether to the exclusion of all other communication. And sometimes what you're collecting from a given
emitter might just be more valuable than what the opposition's doing with it.
We continue the CyberWire's coverage of the inaugural Global Cyber Innovation Summit in Baltimore last week.
Among the discussions came a warning about the supply chain.
It may be wise to assume hardware's compromised, and as for software,
the industry as a whole hasn't come to grips with the implications
of the very widespread use of open source code. What of the problem of the malicious committer?
Security industry leaders and venture capitalists closely engaged with them shared some thoughts.
A great deal of this is open source, and increasingly producers of open source software
have little or no relation to the software's consumers. With 80 to 90 percent of any given software product being written by unknown people
with equally unknown skills, qualifications, and motivations,
one of the panels said, we now face the problem of the malicious committer.
Sonatype executive Wayne Jackson warned,
working your way into a project and introducing coding errors is pretty trivial.
Recorded Future takes a demystifying look at the dark web.
What is the dark web, you might ask?
Recorded Future's simple definition is as good as any.
It's any World Wide Web content that requires specific software, configurations, or authorization to access.
The Tor network is a part of the dark web that many will be familiar with.
What Recorded Future found is that there's a lot less to the dark web
than the familiar iceberg metaphor would suggest.
It's not that 90% of the internet is down there invisibly submerged in the dark web.
In fact, it's just the opposite.
About 90% of online stuff is up on top, visible to all.
Alas, we might say all too visible.
In Recorded Future's infographic, there's plenty of room for the happy whale in their illustration
to pass beneath the iceberg without so much as a loss of a barnacle.
So there's bad stuff out there in the dark web,
but only around 100 or so sites are doing bad things like hawking contraband.
And finally, we fear this is another dog bites
man story, but apparently it needs to be told again. Sites promising pirated downloads of movies,
television programs, songs, and so forth are bad mojo. In fact, don't tell Thanos, but there's a
sketchy Avengers Endgame site out there that promises downloads of the movie. It should be unnecessary to say this,
but apparently it's not. The site is not an official Marvel one, and unsurprisingly,
it's actually involved in credential harvesting. Giving up your credentials is like giving up the
time stone to someone other than Doctor Strange or the Ancient One. Don't go there. You don't want to get dusted.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, it's great to have you back.
We wanted to talk today about HTTPS and some safety information you wanted to share about that.
Yes. So always good to be here, David. Thank you for having me back.
Let's talk a little bit about HTTP and HTTPS. And I think most folks are familiar now that HTTP is basically an open connection and people can see network traffic and information going
back and forth. And they've learned to look for that HTTPS, which means it's secure,
and the little lock that says, hey, my connection is secure.
And you feel good about that, right?
Right. Sure.
Well, there's some concerns here.
One of them is that with HTTPS,
many of the common techniques for monitoring where you're going on the internet
to make sure you're not landing on malicious websites can't read that secure traffic,
which makes sense. The reason you want an HTTPS connection is you don't want anyone seeing your
traffic. But that same security is blocking a lot of the tools that exist today that would prevent you from going places you shouldn't go.
So there's a concern there.
Sort of a natural tension there.
Correct.
And obviously the question becomes, am I more concerned about my privacy or am I more concerned about where I'm browsing on the Internet?
Because, you know, some of your folks might be wondering, well, aren't all HTTPS
sites secure and safe? Well, they're not. HTTPS, what it is doing is basically making sure the
communication between your browser and the website on the other end is encrypted. It makes no
determination if the website on the other end is a malicious website or not. It's just as easy for
somebody setting up a malicious website to register and get a certificate to make that secure connection
as it is for a legitimate business to do it. Now, you all have been tracking some examples of this.
Wasn't there a recent phishing campaign involving some folks faking some Facebook logins?
Yeah. So we do see a lot of not just with Facebook, but you're
absolutely right with Facebook where people will set up these HTTPS sites. They look legitimate.
They look like Facebook. They look secure because you have the lock, but you're actually not on a
legitimate Facebook site or some other site. And it really makes it more difficult to make a determination,
because we've all been taught, look for the lock, make sure that the URL looks good,
and you're in fact on a malicious site.
Isn't some of that changing? Aren't some of the browser suppliers are going to be adjusting how
some of those look on the page, trying to get away from that lock being a symbol of security?
Well, they are starting to figure out how they can make that determination that that isn't the only sense of security, but it's not going to be holistic or exactly definitive on how that's going
to play out in the marketplace. So if you're using HTTPS, which you should be, we're not sitting
here on this podcast today, David, saying you shouldn't use it.
Just you've got to be aware of where you're going and just don't make the assumption that
the site you're on is good.
Yeah, don't let it give you a false sense of security.
That's exactly right.
And again, you should be looking at things that protect you at the network layer, not
just on the endpoint, but things that are monitoring
your DNS to make sure you're not being routed to malicious sites and make sure the certificates
have good reputation, which all your folks are wondering, how do I do that? Again, that's looking
at the lock and making sure it's green, but don't just trust it because your lock is green, you're
good. Yeah, because those security certificates aren't so hard to get. Correct. All right. Well,
David Dufour, thanks for joining us.
Hey, it's been great being here, David.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.