CyberWire Daily - RSAC 2020. Naming and shaming. Kitty espionage update. Wi-Fi crypto flaw. Impersonating the DNC. Ransomware gets more aggressive. When is removing a GPS tracker theft?
Episode Date: February 27, 2020

Naming and shaming seems to work, at least against China's Ministry of State Security. Iranian cyberespionage continues its regional focus. Wi-Fi chip flaws could expose encrypted traffic to snoopers. Someone, maybe from abroad, is pretending to be the US Democratic National Committee. Tips on backing up files. Ransomware gangs up their game. And that unmarked small box on your car? Go ahead: you can take it off. David Dufour from Webroot with trends and predictions from the floor at RSA; guest is Liesyl Franz from the Dept. of State on nation state cyber activities and deterrence in cyberspace. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_27.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Naming and shaming seems to work, at least against China's Ministry of State Security. Iranian cyber espionage continues its regional focus. Wi-Fi chip flaws could expose encrypted traffic to snoopers. Someone, maybe from abroad, is pretending to be the U.S. Democratic National Committee. Tips on backing up files, ransomware gangs up their game, and that unmarked small box on your car? Yeah, you can totally take that off.

From the 2020 RSA conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Thursday, February 27th, 2020.
Those wondering if the U.S. policy of naming and shaming threat actors can disrupt those adversaries may find some evidence that it does by considering how the Chinese organizations named in the Equifax breach indictment seem to have vanished from cyberspace. It appears that Chinese services, at least, are sensitive to this kind of treatment. CrowdStrike founder Dmitri Alperovitch said yesterday at RSAC 2020 that it appeared China's Ministry of State Security has had to reset and retool. Comment Panda, Stone Panda, and Gothic Panda have all gone quiet. Whether this amounts to more than a restructuring or reorganization remains to be seen, but as anyone who's been through a government agency reorganization can attest, even that's disruptive enough. Alperovitch said that the Chinese seem unusual in this respect. The Russians, the Iranians, and the North Koreans, to consider the three other familiar adversaries, tend to shrug off American indictments and move on.

CyberScoop and SC Magazine report that Dell SecureWorks has concluded that Iranian cyber operations have maintained their customary steady tempo since Quds Force Commander Major General Soleimani died in a U.S. drone strike. There may have been some retaliatory surge, but for the most part, the activity looks like business as usual. Researchers attribute the ongoing regional cyber espionage to the Iranian threat group Cobalt Ulster, also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten. The governments most affected have been those of Turkey, Jordan, and Iraq, with organizations in Georgia and Azerbaijan also appearing on the target list.
The typical attack method has been spear phishing.

Liesyl Franz serves in the Office of the Secretary, in the Office of the Coordinator for Cyber Issues, at the U.S. Department of State. She stopped by our booth here at RSAC to share her inside perspectives on the global world of cyber diplomacy.

Our office was created about nine years ago to reflect the international nature of cyberspace,
the need for dealing with cyber policy as a foreign policy issue,
be able to build relationships and coalitions with other countries
to deal with the global issues and the global problems that we've seen.
So what is the day-to-day like?
What sorts of things, the interactions that you and your team are taking part in?
Well, we cover sort of what the cyber policy can cover a lot.
One that we focus on is international security.
That's sort of the bread and butter for the State Department to deal in multilateral venues. We also work within the interagency with other departments and agencies on bolstering what we call cyber due diligence,
which is more along the lines of cybersecurity as we see it here at RSA.
We work with others on the messaging and promoting efforts to combat cybercrime.
We talk about sort of global governance of the Internet.
We talk about Internet freedom, those kinds of issues that sort of run the gamut. And we work a lot within the department with the
other offices that deal appropriately with those issues and the interagency. And we take that
abroad. So what does that mean? We work sort of in what I would call three concentric circles of
venues. One is our bilateral relationships with country to country or our work in regional
organizations or regional sub-regions around the world. But that would include things like
the regional security organizations like the Organization of Security and Cooperation in
Europe or the Organization of American States,
or the ASEAN Regional Forum, things like that, and then take it even further out into the big multilateral organizations like the United Nations.

My sense is that many nations have been
reticent to draw sharp lines in the sand when it comes to behavior in cyberspace.
First of all, do you think that perception is accurate?
And do you have any insights on that?
I think it's accurate to say that it's hard to draw right lines a lot of the time.
And so maybe that's what the reticence is. You know, as I mentioned, we've been working on these things for decades,
but it's really only a couple, three decades, right?
It's not 50 years or 100 years.
And so things are fairly new
and it's kind of hard even to draw a bright line
around things like definitions.
So one person's application
is another person's cyber weapon, quote unquote.
I don't like to use that term, but that's what I mean.
We can't even sort of draw clear lines around that.
Or what is one person's security
is another person's content control.
So how to even draw a line is sometimes hard.
So maybe that's what you're sensing.
The sense that I've had is that it could be
that nation states are reticent to draw lines in the sand because their own intelligence organizations may be taking advantage of some of that ambiguity themselves.
So it's in their best interest to not be too specific about certain things because if we let this ambiguity stay out there for a certain amount of time,
that may be in our own interest. I think there's a point to that, which is why we as diplomats
spend a lot of time negotiating text. And the kinds of things that we out, like the outlines
of this framework for responsible state behavior that I mentioned is a way to put what I think are clear expectations of state behavior, but allow for the innovation and communication and technologies,
which frankly are not only held by states, right?
To develop, to move.
And if there's some ambiguity for countries,
maybe that's reflected in some of that.
But the bottom line is to be able to articulate what is acceptable and what isn't.
Yeah.
What would you like people to know?
I'm thinking specifically folks who are cybersecurity professionals about the work that your department does, the Department of State.
Are there any things you feel aren't getting the attention they deserve?
It's notable to me, just as anecdotally,
that I've been coming to the RSA conference since 2006,
and I've been in and out in government,
so I've represented both industry and government here,
but always in the policy space.
And it used to be that the policy track at the RSA conference would have a few
smattering of people in the room. The panel I just came from, we were full. And so I think that
there is a greater understanding of what exactly governments do in this space and how we work
together. And that there is, I mean, I think probably some people might've been surprised
that our office is only nine years
old.
That doesn't mean cyber diplomacy wasn't happening before that, but that was when it was sort
of coalesced into more regularized processes.
Yeah, a recognition of its status and necessity, I suppose.
And since in the last nine years, other countries have developed roles or offices similar to ours in their foreign ministries. Many manner of countries have done that.
Russia, China, Estonia, Germany, you name it, and Netherlands.
And some of them are here.
What I would like people to come away with maybe is the idea that we need to keep talking about the nexus between network security and international security.
That there is a nexus there and we're working it.

That's Liesyl Franz from the U.S. Department of State.
ESET researchers report finding encryption flaws in Cypress Semiconductor and Broadcom Wi-Fi chips. While the risk is relatively limited, it remains possible that attackers could intercept data transmitted wirelessly. They call the bug Kr00k and it's been assigned the identifier CVE-2019-15126. ESET says Kr00k can cause vulnerable devices to use an all-zero encryption key to encrypt part of the user's communication. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device.
According to the Washington Post, persons, possibly foreigners, impersonating the Democratic National Committee have sought to establish contact with presidential campaigns.
The impersonation was initially reported to the DNC by Senator Sanders' campaign, and the national party would like all campaigns to regard contacts purporting to be from the DNC with appropriate skepticism.
The UK's National Cyber Security Centre wishes to remind everyone, and everyone includes you and me, my friends, that ransomware can also affect online backups. Too many enterprises have thought they were good to go, only to find out that, well, their backup files, conveniently connected to their network, were also encrypted.

We've had occasion to observe that a ransomware attack should now be regarded as also a data breach. The hoods are threatening to release their victims' sensitive files to give them additional leverage in extracting ransom. Bleeping Computer says the gang behind Sodinokibi, which you'll recall operates as an affiliate marketing scheme, is telling its criminal clients not only to exfiltrate data before they encrypt it, but also to threaten the victims that they'll tell the stock markets the victims have lousy security. It hasn't occurred to the hoods that they could equally well just short the stock and then work their reputational damage. It's a good thing that only nice people listen to this podcast, right?
And here's some news you can use from the state of Indiana.
We've sometimes been moved to ask, suppose you found a GPS tracker on your car.
Could you just unplug it and take it away?
We're asking for a friend, you understand.
Well, anywho, this case came up in the Hoosier state
where some guy the police were tracking.
Legally, we hasten to add,
the guy, one Derek Heuring,
was suspected of dealing methamphetamine.
Well, he suddenly drops off the grid.
One minute, you're tracking his Ford Expedition.
The next, blammo, he's gone, baby, gone.
So anyway, they figure out that he'd found the GPS tracker,
probably wondered what it was,
unplugged that bugger, tossed it into the backseat,
and went about his business.
So John Law, being pretty sore at this guy,
decides to ask for a search warrant for Mr. Heuring's house and his dad's barn, because the loss of signal counts as probable cause for concluding that Mr. Heuring stole the GPS tracker, right? And so they got their warrant.
But on Mr. Heuring's appeal, the Supreme Court of Indiana says no, that's unreasonable,
and so all the drug contraband
and the handgun they found during the search is out as fruit of the poisoned tree.
I mean, come on.
It's an unmarked box stuck to the guy's SUV without so much as a logo or a serial number,
so how could taking it off count as stealing?
The tracker didn't even have a sticker on it that said something like
property of Warrick County Sheriff, do not remove under penalty of law.
You know, like those tags on my mattress that I've always been afraid to mess with.
And joining me once again is David Dufour.
He's the VP of Engineering for Cybersecurity at Webroot.
David, here we are, RSA 2020, you and I together.
What do you think?
You've been walking around the showroom, the floor a little bit, taking things in.
What's your take so far?
Where do we stand this year?
Well, last year we had solved cybersecurity.
I don't think you may not remember that.
That's right. That was right.
So why even have the show this year?
Well, I had questioned why we would have the show this year, but I've realized I think this year it's to help the employment problem we have with cybersecurity professionals.
We have so many of them out there trained who can't seem to find jobs.
That is true. That this year, it seems like we've come up with a bunch of product ideas that are going to require companies
to hire dozens and dozens of more people
because the products don't do anything
but detect, analyze, and alert you.
Apparently, we've decided to stop protecting
as an industry.
Yeah, it's very interesting.
Huh.
So what someone needs is a product
that takes all of those other products and then feeds
their output into that product.
And does something.
And does something.
Exactly.
What would you propose that it does?
Well, maybe it would block a threat or, you know, if it's identified a threat and it can
remove it, maybe we could remove that threat.
But honestly, in all seriousness, there is a lot of analyzing going on, a lot of detecting.
And I know from an enterprise perspective, and a lot of folks here really are looking at enterprise and government, that's what they want because they want to be able to chase that trail.
Right.
But it seems like everybody's forgotten that there are smaller organizations who can't afford to have an army of people sitting there monitoring, looking, seeing what's going on.
I'm going to call us all out because I'm an engineer in this industry. It's a little bit
easier to detect something than it is to remediate it or block it because you have to, you know,
look for false positives and things like that. So are we getting a little bit lazy because we're
just detecting and analyzing? Lots of analyzing going on, David, lots of alerting. And then we're dumping it off to humans to figure it out.
Do you think that it might just be that that is this year's shiny object? You know,
every year at RSA, some things bubble to the top. And a couple of years ago,
it was artificial intelligence and machine learning. And, you know, is that just the-
It could be.
The where we are as things come around in cycles?
But it's funny because, I mean, what was it, five, six, seven years ago,
everything was SIM, the analyzing, and maybe we're back to the analyzing
because there's nothing really new and exciting.
And AI got us away from that for a while.
And, I mean, like I said, last year AI fixed everything, so we were done.
But I think you could be right.
You could be on onto something there.
But I feel like we're really focusing on governments and large businesses.
And everything you read in the news anymore is about, you know, small local governments,
small businesses, medium-sized businesses, medical centers.
We're not really addressing those markets.
And I know it's harder.
You know, you want your big 30X multiplier,
you got to be locked into a government or enterprise.
But as an industry,
it seems like we should be able to do some things
that help those smaller institutions
and go that extra step to actually help them,
not just alert them.
Is it a missed opportunity?
Is there a market opportunity there
for somebody to go after those people
who aren't being served? You know, I think there is, but again, it depends on what your goal is. If
your goal is revenue, recurring revenue and making a profit, I'm not trying to be silly here, but if
that's your goal, there's a lot of market opportunity. But I think a lot of companies,
you know, I've been coming here seven, eight years now, they're really looking to get bought.
And if you're looking to get bought, you need that new sexy thing that somebody's going to pay a large multiplier for.
So it depends on what you're really looking for. What do you hope to take away from a conference
like this? As you walk around and you take things in, I mean, obviously you're here
representing your company. And so there's a sales and promotional component, but you want to learn
things too. Yes.
As you walk around,
what are the things you're hoping to pick up?
What are the take-homes for you from a show of this scale?
That's great.
Like the big thing usually is what's the vibe?
What's the feel?
Is there anything underlying tone?
And to kind of on a positive note,
David, we talked about this last year.
There was a huge, I believe in the last year or two, understanding the users aren't as dumb
as the cybersecurity people
want to make them out to be.
That if we can show them the right thing to do,
if we can ask them to follow these procedures,
most of them are going to do it.
Now, is there Bob down the road
that every time somebody sends him a link,
he clicks on it?
Yes.
No, we got to deal with the Bobs that are right. Yeah. But in general, people want to do the right thing, and if we're very clear with, hey, we're trying to do this not to be difficult, but it really helps protect us as an organization, people are really signing up for that. And where am I going this year? The conference is about the human element, right? And I'm making fun of the product.
I'm a vendor, so I like to make fun of us as well.
I'm making fun that the human element is they want you to hire a bunch more cybersecurity people.
But to look at it the other way, I think there's really getting to be a more and more understanding
that if we can work with the people using computers who are inside the organizations we're trying to protect,
they actually are able to really help more.
And we're seeing that come through, which is kind of nice.
Yeah. All right. Well, David Dufour, thanks for joining us.
Great being here, David.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, ... Thanks for listening. We'll see you back here tomorrow.