CyberWire Daily - Satellite communications suffer from Thrip(s). Zacinlo rootkit poses as a VPN. Insecure Firebase apps. EU copyright legislation. Kardon Loader. Bithumb robbed. #Opicarus2018. Bitcoin Baron jailed.

Episode Date: June 20, 2018

In today's podcast, we hear that the Chinese espionage group Thrip is targeting satellite communications operators and others in the US and Southeast Asia. Zacinlo rootkit hides inside a bogus VPN. Developers are leaving Firebase apps insecure. The EU's controversial copyright regulation advances from committee. Kardon Loader malware is in beta. South Korean cryptocurrency exchange Bithumb is looted of more than $30 million. Anonymous is back with Opicarus2018. And the Bitcoin Baron goes to jail. Awais Rashid from Bristol University on why real-world experimentation is vital to cyber security. Guest is Dr. Chris Pierson from Binary Sun Cyber Risk Advisors, weighing in on the claims of sabotage at Tesla.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Chinese espionage group Thrip targets satellite communications operators and others in the U.S. and Southeast Asia. Zacinlo rootkit hides inside a bogus VPN. Developers are leaving Firebase apps insecure.
Starting point is 00:02:11 The EU's controversial copyright regulation advances from committee. Kardon Loader malware is in beta. Anonymous is back with OpIcarus 2018. And the Bitcoin Baron goes to jail. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 20, 2018. Symantec reported late yesterday its discovery of an extensive Chinese cyber espionage campaign targeting U.S. and Southeast Asian satellite operators, telecommunications companies, and defense contractors. The researchers attribute the activity to Thrip, a Chinese threat group Symantec has tracked for the past five years.
Starting point is 00:03:00 The infection of satellite communication systems was particularly noteworthy and troubling. Much of the world's communications passes through communication satellites. The campaign's goal is interception of military and civilian communications. Symantec has notified the appropriate U.S. authorities. According to Bitdefender, the Zacinlo rootkit is out in renewed form, this time concealed within a malicious VPN product, S5Mark. It affects Windows 10 machines, capturing screenshots and other data and reporting them back to its criminal controllers. Developers' failure to secure Google Firebase apps has resulted in more than 3,000 leaky apps. Appthority says more than 100 million records have been exposed by inattentive development.
Starting point is 00:03:53 In fairness to the developers, Firebase is among the most popular and widely used back-end database technologies for mobile applications. Unfortunately, Firebase doesn't secure user data by default. Instead, developers must themselves secure their tables and rows of data. This is the sort of thing that gets overlooked, and so Firebase is an attractive place for attackers to come in search of unsecured data. In another instance of black markets behaving like legitimate markets, the proprietor of the Kardon Loader, whose nom de hack is Yataz, is soliciting beta testing for their malware. Researchers at Arbor's Security Engineering and Response Team, that's ASERT,
Starting point is 00:04:38 say Kardon Loader allows users to build their own bot shop with potential for resale on the criminal-to-criminal market. Kardon remains a work in progress, but it will bear watching. The European Parliament passed a new copyright regulation out of committee. To call it controversial is an understatement. Critics, and the critics include coders, users, big tech firms, and internet pioneers, well, they say it will turn the internet into a surveillance and control tool. Particularly objectionable to critics are Articles
Starting point is 00:05:11 11 and 13. Article 11 established a neighboring right for press companies that would require companies like Google and Microsoft to pay those publishers for displaying news snippets. Laws similar to Article 11 in Spain led Google News to exit the Spanish market. Article 13 established mandatory upload filtering that would require platforms to install filters that would block users from uploading copyrighted material without a license to display content. There's no sign of any mitigating fair use reservation. If there's rent-seeking going on here, as there may well be, it would appear to be on behalf of big publishing houses.
Starting point is 00:05:52 Critics note that the law would have a stifling effect on much internet discourse. This is easy to see in the case of memes, but it would have more widespread effects as well. Passing from committee is a first step, so this isn't EU law yet. It will have to be negotiated through the EU members' national authorities, and the law's opponents are unlikely to make that an easy process. News broke yesterday of reported sabotage by an insider at Tesla, with an email to employees from CEO Elon Musk stating that the employee had made changes to the code in manufacturing systems and had sent highly
Starting point is 00:06:32 sensitive data to unknown third parties. Musk wrote, quote, his motivation is that he wanted a promotion that he did not receive. In light of these actions, not promoting him was definitely the right move, end quote. So how do these revelations affect Tesla from a risk perspective? We checked in with Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, for his take on the matter. The risks here are actually quite interesting. I mean, first of all, they're dealing with an intellectual property risk. The theft of potentially intellectual property from them could not only serve to fuel other competitors globally, or like I said, other governments in terms of a race for self-driving autonomous vehicles. So that's quite important there. From a product side,
Starting point is 00:07:18 if there are vulnerabilities or flaws, you now have some type of potential cybersecurity risk, which could be seen into these vehicles. You also have massive legal risk. I mean, you know, once again, a material cyber risk is something that they would have to report if this is an occurrence that met that threshold of being something that investors should know about, shareholders should know about. I also think there's an enormous reputational risk, even on top of the cybersecurity risks. And this is, how do you trust the underlying operating system that's within the vehicles? How do you trust the operating systems, the manufacturing
Starting point is 00:07:57 plant? How do you actually look at those? So I think there are a few different risks there. It's definitely one of those things that is perhaps around ones and zeros, but just goes home to prove the point that, look, at the end of the day, Tesla is an IT company. Obviously, an IT company in terms of the autonomous machines that they're potentially creating and looking towards creating, but they are an IT company first and foremost, and the vehicle company and energy company second and third and fourth. Yeah, I'm curious what your thoughts are on the regulatory side of things. I mean, you think about in the past we've had manufacturers have had trouble with, well, any number of things that auto manufacturers have had to do recalls for. But it seems like when the ratio of software to steel in a car continues to shift towards software, it's kind of a new world. Yeah, it definitely is. You know, I think that Tesla's lucky in that regard in terms of the automated updates and the pushing of updates that they have. They've shown quite consistently over the years that they're able to go ahead and fix items, patch items, do massive updates to their vehicles. So if there was something in there, let's just say there are
Starting point is 00:09:09 100 lines of code that have been replaced or something, or there's something that's vulnerable, I think they have a pattern and history of showing that they can and will push massive updates to their vehicle fleets. And so I think that really mitigates things there. One other risk here, quite honestly, I mean, when we look at Elon Musk, when we look at the books and the articles and the speeches, a lot of what he does and a lot of what he talks about is culture. It is possible, and this is the thing I'd be a little worried about, it is possible that this amount of theft could cause some type of shift in terms of trusting employees, trusting insiders. That may be more damaging long-term in terms of the types of controls
Starting point is 00:09:54 that are implemented, if there's as much free sharing with employees, if there's as much trust with employees as a result of this. And once again, one bad apple shouldn't make a massive change for the whole environment. But I can bet you their security teams are actually looking at how do we think about insiders and employees as on the team, but maybe with a few tighter controls and few tighter barriers there. That's Chris Pierson from Binary Sun Cyber Risk Advisors. Cryptocurrencies fell today on news that another South Korean exchange, Bithumb, was looted of about $31 million. Coming less than two weeks after the theft at Coinrail,
Starting point is 00:10:35 which lost a reported $37 million, the loss has shaken confidence in cryptocurrency markets. While speculators will continue to pursue alternative currencies, and while they've established a place for themselves in financial markets, investors might apply the same risk-reward calculus they would use, for example, when investing in a highly speculative growth stock. As High-Tech Bridge CEO Ilia Kolochenko put it in an email, users who entrust their digital coins to third parties should be prepared to never see them again. This is the reality of the modern Bitcoin Klondike. Bithumb is not an inconsiderable exchange, although it's not the largest. Webroot senior threat research analyst
Starting point is 00:11:17 Tyler Moffitt said, quote, to be hacked is a huge deal in the crypto world and will definitely have an impact on this speculative market, end quote. He sees Bithumb's offer to cover lost funds from its own reserves as a kind of silver lining, at least the customers won't take a bath, and he notes that Bithumb has moved its remaining coins to an offline cold wallet. Moffitt notes that it's important to understand that this was loss of access to the private keys of online wallets, not the hacking or manipulation of the blockchain itself. So it's analogous to the sort of credential loss that has become the norm for all manner of cybercrime.
Starting point is 00:11:55 Moffitt pointed out, quote, Anyone who has these private keys is going to be able to withdraw funds as if they were the legitimate owner. Storing these keys on a computer or cloud backup, especially in plain text, is just asking for trouble. In his view, hardware wallets are a better option for holders of cryptocurrencies. Akamai notes the declarations of OpIcarus 2018 emerging from the hive mind of Anonymous, the anarcho-syndicalist collective's calls to action
Starting point is 00:12:26 threaten and inspire attacks on financial institutions between the 21st and 28th of June. The operation includes or subsumes several other ops, Op Payback, Op Icarus, Delete the Elite, and SOS Nicaragua. Anonymous ops have tended to fizzle badly over the last several years, and it's been a long time since Anonymous has counted any meaningful coup, but the declared targets would do well to be on heightened alert over the next week or so. And finally, speaking of altcoins and Anonymous,
Starting point is 00:12:59 there's a minor harmonic convergence of the twain in the world of crime and punishment. InfoSecurity magazine reports that the Bitcoin baron of Apache Junction, Arizona, has received a sentence of 20 months for charges related to his online activity. Randall Charles Tucker, 23, was convicted of organizing a distributed denial of service attack against the city of Madison, Wisconsin. His motives remain unclear, possibly because those motives themselves lack clarity, but the best bet is that he saw himself as an idealistic hacktivist in the anonymous mold. Mr. Tucker has a bit of a track record. The Madison DDoS might have been prompted by a police shooting, but on the other hand,
Starting point is 00:13:41 Mr. Tucker is also said to have hacked a children's hospital with inappropriate images of children. Why is he called the Bitcoin Baron? Don't know, but it's the title he gave himself, like a less effectual version of Star-Lord from the Guardians of the Galaxy. Probably poorer taste in movies and music, too. Mr. Tucker's claims of idealism have therefore prompted either skepticism or a so-much-the-worse-for-idealism reaction. It's sad, really, when you can't trust the discretion, the target selection, and the aim of an anarcho-syndicalist and altcoin speculator. Well, who can you trust in this vale of tears?
Starting point is 00:16:35 And joining me once again is Awais Rashid. He's a professor of cybersecurity at University of Bristol. Welcome back, Awais. We want to talk today about the importance of real-world experimentation, getting out of the lab with your research and practice. What do you have to share with us about that today? I think the challenge we are going to face is that within the next few years, the number of devices
Starting point is 00:17:10 connected to each other and the internet will outnumber humans by, depending on whose estimate you believe, something like five to one. And, you know, these systems of connected devices will underpin everything from healthcare to transport to energy and finance. And the way we communicate and share information with each other will change. So we are really talking about really large-scale hyper-connected systems. So as a result, we need to ensure that what we develop in the lab actually works in the real world. And as a result, the way to test any kind of security solutions and architectures has to be to deploy them in the wild and understand what are the implications of that. However, that is very, very challenging because, of course, you can't deploy prototypical solutions
Starting point is 00:18:01 on production environments because, of course, they may not necessarily be fit for purpose or scale very well. So we really do need large-scale experimental infrastructures that are close enough to the real world to be able to do that. And that's a big challenge. Yeah, well, there's that old saying from warfare that no battle plan survives contact with the enemy. It seems like that could apply here as well. Absolutely. And that's exactly the reason that normally what happens is we develop things, they are developed with rigor and with all good intentions by researchers and practitioners, but usually we test them on small scale things in the lab or in an experimental setting. And then
Starting point is 00:18:44 when they are deployed in real world infrastructures, they don't always scale. I'm not saying that they never scale, they don't always scale. And that's why we need to think about as to how we might be able to do this. There are a number of academic and industry organizations that run testbeds. And I think there is a good argument for us to try and link some of these testbed infrastructures together so that we do have economies of scale, but also that really large scale environment that would represent the realistic setting in which security takes place in the real world. I'm thinking of the rigorous testing that takes place when it comes to pharmaceuticals. Is that not a good example? Is it simply too expensive to do something at that scale? I think it's not a case of expense. It's how you may deploy and test something. And the pharmaceutical industry is an interesting example because
Starting point is 00:19:39 the trials only move on to large-scale clinical trials once they've gone through smaller-scale testing, and then an increasing level of confidence is built up. And I think we do need to be able to do something very, very similar. But the question is, how do we test in the wild? For example, would you be willing to deploy an experimental security solution on, say, a power grid or a nuclear power plant or a transportation system? And I think you would have to have a lot of confidence and then a lot of fail-safes built into it. And I think we need to develop those kind of protocols. Other disciplines have developed those protocols. And I think we are a little bit further from that at this point in time.
Starting point is 00:20:19 Awais Rashid, thanks for joining us. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:21:52 Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
