CyberWire Daily - Romania, UK, warn of Russian cyber ops. International norms of cyber conflict. Bronze Butler's USB drives. Too-smart batteries not smart enough. Industry notes. Game cheater gets jail time.
Episode Date: June 26, 2018
In today's podcast, we hear warnings of Russian cyber operations from Romania and the UK. Recent attempts at developing international rules of conduct (and conflict) in cyberspace. Bronze Butler's naughty USB drives: not as scary as they sound, but a useful reminder of some sound precautions. FireEye says it never hacked back. Smart batteries may be too smart for their users' good. A new venture fund lends credibility to cryptocurrency and blockchain startups. Overwatch hacker gets jail time in Incheon. Daniel Prince from Lancaster University on cascading failures in complex systems. Guest is Vikram Thakur from Symantec on the VPNFilter router infestation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Warnings of Russian cyber operations from Romania and the UK. Recent attempts at developing international rules of conduct and conflict in cyberspace, Bronze Butler's naughty USB drives, FireEye says it never hacked back, smart batteries may be too smart for their users' good, a new venture fund lends credibility to cryptocurrency and blockchain startups, and the Overwatch hacker gets jail time.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 26, 2018.
Romanian Defense Minister Mihai Fifor says the NATO member is under more or less continuous Russian cyber attack. In the UK, GCHQ's National Cyber Security Centre director Ciaran Martin offered a similar warning to Parliament yesterday, noting, quote, a consistent rise in the appetite for attack from Russia on critical sectors, end quote.

The comments will surprise few. Romania is geographically close to Russia, even closer now that Russia has seized Crimea from Ukraine, and shares the Black Sea with Russia. It also represents a NATO partner whose proximity to the Russian border would tend to arouse the bear's ire. And London has long experienced tension with Moscow, heightened by Russian intelligence services' attempted assassination of a former GRU officer and his daughter in a nerve agent attack conducted in Salisbury. Note that GCHQ emphasized the risk of attacks on critical infrastructure, the sort of operation both UK and US intelligence agencies have said they've seen in preparation.
With the United Nations' recent attempts at developing norms of cyber conflict having so far amounted to little more than non-binding statements of principle, good as far as they go but falling short of the bar set by the Geneva Conventions or the Hague Rules, Lawfare has an interesting roundup of private sector contributions to emerging international norms of behavior in cyberspace. Lawfare finds these particularly worth attention: Microsoft's Digital Geneva Convention and Cybersecurity Tech Accord, the recommendations of the Global Commission on the Stability of Cyberspace, Siemens' Charter of Trust, and the Carnegie Endowment's norm against manipulating financial data. International rules of cyber conflict remain very much a work in progress, and these four private sector efforts are worth a look.
There's a bit of mildly alarmist reporting on Palo Alto Networks' discovery that a Chinese cyber espionage group, Tick, also known as Bronze Butler, has been working to infect secure USB drives produced in South Korea with SymonLoader malware. The activity has been widely reported as an attack on air-gapped systems, which in a sense it is, but not by any particularly exotic new method. Mounting a malicious payload on a USB drive is an old technique that's been used by many organizations for some time. The malware Palo Alto describes affects only systems running Microsoft Windows XP or Windows Server 2003, and the researchers don't believe the infections form part of any active campaign. The discovery, while apparently not of any urgent concern, does serve as a useful warning of supply chain risk, and of course a useful reminder not to plug just any old thing into your devices.
Speaking of supply chains, here's a rule of thumb: if something is smart, then it's risky. A team of researchers from Technion, the University of Texas, and the Hebrew University have found a potential problem with smart batteries for mobile devices, the kind of battery that's designed to improve responsiveness and battery life. They call the problem inference attacks by malicious batteries on mobile devices, which somehow sounds like the kind of caper Felix the Cat would foil when he went up against the Master Cylinder. The researchers have demonstrated that sampling the phone's power trace from the battery can reveal a surprising amount of information. They've also demonstrated the possibility of establishing a covert channel from the battery to a command and control server. It's all proof of concept, of course, but this kind of risk is best handled earlier rather than later. The researchers, by the way, give their paper the title "Power to Peep-All."

David Sanger's new book, The Perfect Weapon, reports that Mandiant, now a unit of FireEye, hacked back into APT1's computers, gained access to the cameras on the attackers' laptops, and so observed them hacking in real time. FireEye says the account is based on a misunderstanding. Mandiant never hacked back at anyone, and everything it learned about APT1, a watershed private sector investigation of Chinese espionage, was obtained by, quote, consensual security monitoring on behalf of victim companies, end quote.
The VPNFilter malware continues to attract attention as more devices are found vulnerable to infection. Conservative estimates have put the number of infected devices at over half a million worldwide. Vikram Thakur is technical director at Symantec, where they've been tracking the issue.

So what's really helped over the last few weeks is the message about the malware itself reaching out to many people, and the instructions from the FBI as well as the private sector telling users to just go ahead and restart their routers. So that's really resonated. We can see the effects already. The restarting is taking the malware out of control from the attacker's perspective. Then comes the much longer term solution of making sure that these routers are no longer susceptible to such kinds of attacks. And that's the process which is likely to take one year, maybe even a couple of years. And that is a little bit more involved, both from the user perspective as well as the manufacturers' and the messaging perspective, because it requires a little bit more technical assistance to make sure that the router is safe from such attacks in the future. So that process is ongoing, and it will take time.
I think there was a little bit of confusion when the FBI made the announcement for folks to restart their routers, that that would take care of things completely. But there is the possibility of some components of the malware surviving that reboot.

So that's actually true. Think of it as the attacker was able to plant a piece of code on the router. And that piece of code periodically reached out to the attacker and said, hey, do you want me to do something? What the FBI did was the FBI went and intercepted that communication legally. And now the routers are only configured to reach out to the FBI server and say, hey, do you have any instructions for me? Naturally, the FBI is not going to be sending any instructions to the router. They're just using the information to understand how many people in which geography are compromised with this malware. But by restarting the device, by restarting your router, users' routers were confirmed to move away from the attacker's control of the router to now communicating with the FBI. So the malware still resides on the router, except it's not going to receive any instructions to perform anything, whether good, bad, or ugly, because the FBI is on the other end of the communication channel with that router.
Are we dealing with a situation where we have hardware that could perhaps be obsolete? You know, there are no updates for it, and folks should be thinking about cycling that hardware through, getting newer hardware in there?

That's always a problem in our industry, whether it comes to even laptops, computers, and especially home routers. Home routers are such an out-of-sight device, where the first time you move into a house you speak with your internet provider in the locality, you get that little box, they've told you to plug it in, and it just starts working and just goes out of sight, and people never ever look at it. So that is a huge challenge in this situation. And that's exactly what the attackers took advantage of. They look at a device which is connected to the internet and the fact that nobody's ever going to be updating it or nobody's ever going to be restarting it, and that's what they leverage to their advantage out here. Yes, our advice is go out and upgrade some of these devices, or call someone who's technically capable of logging into these devices and updating the firmware on them. But we understand that there's a cost associated for end users with this. And end users are not going to be naturally shelling out more money to upgrade a device which, from their perspective, continues to operate. So it's a tough situation for consumers. We understand that. But our recommendation is to spend the effort, and spend the money if required, to either upgrade the device or switch it to something a little bit more secure that you can easily purchase at your local IT store.
That's Vikram Thakur from Symantec.
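The beaconing Thakur describes is also what a defender can look for: a router opening outbound connections to one destination at a steady cadence, whether to the attacker's server or to the sinkhole that replaced it. This added example, which is not from the podcast, Symantec or the FBI, scores flows in a constructed egress log by inter-arrival regularity; the log format and all addresses are placeholders.

```python
"""Score (source, destination) flows in a router egress log for clockwork beaconing.

Added example, not from the podcast or Symantec. The persistent component described
in the interview periodically reaches out to one server; after the sinkhole it still
does, it just gets no instructions. On the network edge both look the same: regular
outbound connections to a single destination. Sample log and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log, "timestamp src dst:port" per line (not real VPNFilter traffic).
# 192.168.1.1 plays the router; 192.168.1.20 plays an ordinary laptop.
SAMPLE_LOG = """\
2018-06-25T00:00:02 192.168.1.1 203.0.113.10:443
2018-06-25T00:05:01 192.168.1.1 203.0.113.10:443
2018-06-25T00:09:59 192.168.1.1 203.0.113.10:443
2018-06-25T00:15:03 192.168.1.1 203.0.113.10:443
2018-06-25T00:20:00 192.168.1.1 203.0.113.10:443
2018-06-25T00:01:17 192.168.1.20 198.51.100.7:443
2018-06-25T00:01:19 192.168.1.20 198.51.100.8:443
2018-06-25T00:14:40 192.168.1.20 198.51.100.7:443
2018-06-25T00:31:05 192.168.1.20 198.51.100.9:80
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A coefficient of variation near 0 means the connections are evenly spaced,
    the signature of a timer-driven check-in. Fewer than three connections give
    no usable gap statistics, so None is returned.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def find_beacons(text, max_cv=0.1):
    """Return flows whose gap regularity is at or below max_cv, most regular first."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "period_s": round(score[0]), "cv": round(score[1], 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

On the constructed log only the router's five-minute check-in is flagged; the laptop's browsing, with its irregular gaps and mixed destinations, is not. A flagged flow is a lead to verify against the device's firmware version and vendor advisories, not a verdict on its own.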
In industry news, Silicon Valley venture capital firm Andreessen Horowitz has opened a new fund. This one is dedicated to supporting startups working on cryptocurrencies and the blockchain, which should instantly provide some capitalist street cred to the somewhat battered sector. And a new company has emerged from stealth and announced not only a quantum network, but $10 million in Series A funding. Bethesda, Maryland-based Quantum Xchange announced this morning that it had launched, quote, the first quantum fiber-optic network in the United States and commercial quantum key distribution service for quantum-safe data protection, end quote. New Technology Ventures led the funding round.
Finally, if you're playing Overwatch, don't cheat, and especially don't sell the cheats you come up with. This is news you can particularly use if you're within reach of the long arm of the Republic of Korea's law. The Incheon District Court has sentenced a 28-year-old man to a year in prison and two years of probation. The Republic of Korea has been interested in cracking down on gaming problems for some time. The country has earned a reputation as home to Overwatch cheaters. According to an article in Kotaku last February, it's not unusual for 20,000 or more South Korean players to be banned from Overwatch on a typical day. Those banned are usually able to hack their way back in short order. As Kotaku put it, quote, cheating on the Asian Overwatch server is endemic and widespread. On the Battle.net forums and Reddit, complaints about hacking South Korean players' too-accurate headshots, immediate gun-downs, and even DDoS attacks against winners in competitive mode are widespread, end quote.

It's not only a national embarrassment, but it's also a practice that's fueled a burgeoning black market in game cheats. The cheater in this case, and he was selling his cheats for a pretty penny, was convicted under two Republic of Korea laws designed to curb misbehavior by online gamers, the Game Industry Promotion Law and the Information and Communication Technology Protection Law. His sentence might wind up being suspended, at least in part, but in any case the sentence is unusually stiff. Violators usually get off with fines; jail time is rare. It's thought that the hacker's profit, some 200 million won, that's about $180,000, disposed the court to go for justice as opposed to mercy. Take that, Hanzo. Boom.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, welcome back.
You wanted to touch today on this notion of cascading failures in complex systems.
What can you share with us?
So one of the things that I've been looking at is how digital systems effectively remove the friction within day-to-day activities. And we design them like that so that we can actually have that reduction in friction, because the argument is that it makes us much more productive. We can do more complicated things with less time. The problem is that within those large-scale distributed systems, we can start to combine different processes together in ways that we don't understand, creating complex systems. But because there is a lack of friction, the human interaction in many of these systems, the automation part, the orchestration part, means that when an incident happens, it cascades very quickly across the whole of the platform. And that can potentially create a significant risk within that system, which is an unintended consequence of the complexity.

The example I like to use is around distributed ledger smart contracts. For me, you can orchestrate a smart contract environment in which multiple contracts are cascaded together to create a series of financial transactions. If you were buying a house, which can be a very complex process, the chain of me selling a house to me buying a house, and then similar people either side of me, naturally becomes quite short. People don't like long chains because of the complexity of having to deal with multiple solicitors, multiple lawyers, and other legal agencies that sit around that. But if I can do that in a smart contract, then it actually becomes easier to create incredibly long chains for exchanging contracts. That's great because we can do a very quick transaction. But if there was something wrong within that transaction, it becomes very difficult to potentially reverse. Now, if we think about how that could happen on a very large scale with multiple micro transactions, you could potentially create a situation where you're launching effectively a financial denial of service attack against organizations, where multiple transactions, millions of cascading multiple transactions, target one particular financial institution, which causes that system to potentially fail.
Is it important that the people who are designing these systems, who are putting them together, build in some sort of fail-safe, some way to sense when something has perhaps spun out of control?

So yeah, there's lots of systems theory about looking at these types of anomalous behavior, thinking about these feedback mechanisms, being able to detect these failures. And I think it's something that we need to start thinking about, how large-scale systems can potentially cause these types of problems, because they're replacing systems which have traditional kind of inbuilt friction in the bricks and mortar and the people. And that's a positive thing, but it causes this potential risk to build up within the overall system. How we actually go about doing that, I don't know, but actually we need to start thinking about how we engage with the conversation to say, what is the larger problem here that could be caused by this entirely frictionless data exchange, financial exchange system that we're globally trying to build?

All right, Daniel Prince, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.