CyberWire Daily - Seeding-attack skepticism. MSS officer arrested, will face industrial espionage charges in the US. Russia says again that it didn't hack the OPCW.

Episode Date: October 11, 2018

In today's podcast, we hear that the report of Chinese supply chain seeding attacks comes in for more skepticism: NSA never heard of it, and Congress would like some answers. The US has an officer of ...China's MSS in front of a Cincinnati court on charges of industrial espionage: he was extradited this week from Belgium. Notes on officers and agents. Russia repeats denials of hacking the Organisation for the Prevention of Chemical Warfare. Ben Yelin from UMD CHHS with a court case on cell site location data. Guest is Brian Vecci from Varonis with results from their data breach survey. For links to today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_11.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The report of Chinese supply chain seeding attacks comes in for more skepticism. NSA never heard of it,
Starting point is 00:02:04 then Congress would like some answers. The U.S. has an officer of Chinese MSS in front of a Cincinnati court on charges of industrial espionage. He was extradited this week from Belgium. We've got notes on officers and agents. And Russia repeats denials of hacking the Organization for the Prevention of Chemical Warfare.
Starting point is 00:02:30 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 11, 2018. Bloomberg's report of a large-scale Chinese seeding attack on the hardware supply chain has yet to find much corroboration. As we noted yesterday, Bloomberg itself cited a Maryland security firm, Sepio Systems, willing to say that it had found the Chinese spy chips in some Supermicro motherboards used in one of its clients' servers, but it can't say where it found them because of non-disclosure agreements with that company. It can only say that it was a telecommunications company.
Starting point is 00:03:05 To review, Apple, Amazon, and Supermicro, the three companies named in the original story, have all categorically denied that the hardware they used, or in the case of Supermicro produced, was compromised by an illicitly installed chip. Both Britain's GCHQ and the U.S. Department of Homeland Security say they have no reason to doubt those denials, and DHS has also said it's not conducting any investigation into the alleged seeding attack on the supply chain. NSA's Rob Joyce, the agency's senior advisor for cybersecurity strategy, is the latest official to cast doubt on the report. At an event in Washington yesterday organized by the U.S. Chamber of Commerce and Real Clear Politics, Joyce said, quote, there's no there there, end quote.
Starting point is 00:03:53 That is, he hasn't seen any evidence that the supply chain attack took place. He pointed out the denials by Apple, Amazon, and others should count for something, since their directness and specificity would expose the companies to considerable legal risk if the denials were untrue. As he said in response to a question from the Wall Street Journal, quote, What I can't find are any ties to the claims in the article. We're befuddled. If someone has first-degree knowledge, can hand us a board,
Starting point is 00:04:22 and point to somebody in a company that was involved in this as claimed, we want to talk to them, end quote. So it appears NSA doesn't see the malicious chip either. Congress is pushing its own investigation. Apple has already sent the Senate a letter, and Senators Marco Rubio, a Republican from Florida, and Richard Blumenthal, a Democrat from Connecticut, have asked Supermicro to reply to a series of questions about the alleged incident. Senator John Thune, a Republican of South Dakota, requested staff briefings from Apple, Amazon, and Supermicro by Friday. In the House, Oversight Committee Chair Representative Trey Gowdy, Republican of South Carolina, and Intelligence Committee Chair Devin Nunez,
Starting point is 00:05:05 Republican of California, have asked for classified briefings on the matter from the FBI, DHS, and the Director of National Intelligence. They want those briefings by October 22nd. More will, therefore, probably come to light over the next two weeks, but for now at least, the best most other parties can say about the Bloomberg story is that it's not proven. Others are harsher. Security firm Malwarebytes calls it the Bloomberg blunder. Google security researcher Tavis Ormandy tweeted his skepticism
Starting point is 00:05:37 by saying that this is starting to feel like chemtrail territory. And two experts quoted in the story, Joe Grand of Grand Idea Studio and Joe FitzPatrick of Hardware Security Resources, both say their statements were taken out of context and don't in fact support the reporter's conclusions. So at best, not proven, and increasingly looking as if the story won't be. Bloomberg continues to stand by its reporting. Security firm Varonis recently surveyed both IT and C-suite professionals to gauge their perceptions on data breach prevention.
Starting point is 00:06:14 Brian Vecci is technical evangelist at Varonis, and he joins us with what they found. 91% of IT and cybersecurity pros believe that their organization is making progress when it comes to cybersecurity, while the C-suite was less positive. Only 69 percent agreed with the same thing. More than half of C-suite respondents and about half of IT and cyber pros identified data loss as their number one priority, number one concern, I should say, followed by data theft. But what they thought was the third priority differed a little bit. Cybersecurity pros and IT pros are really worried about ransomware, which has been one of the biggest scourges recently. And C-suite executives are more worried about data alteration, which I think is pretty interesting. What do you think is the source of that little disconnect there between the IT pros
Starting point is 00:07:04 thinking that they're making progress and the C-suite maybe not thinking they're as far along? I think that's probably the most interesting thing that's come out of this survey is that kind of discrepancy between IT and security pros thinking, hey, we're making big investments in technology and cybersecurity, and we're making some pretty big progress with regards to our security posture. C-suite executives don't seem to share that same view. And I think it comes from how we measure the ROI, the return on investment for security spending. And it also comes with how we measure or tend not to measure the risk associated with data lost and data theft. You know, for C-suite executives, one of the sense that we get from this survey is that security is kind of a binary situation.
Starting point is 00:07:57 You've either been breached or not. And what was interesting is that the C-suite executives believe that the biggest issue with cybersecurity is recovery costs. You know, if you get breached, how expensive is it going to be to clean things up? Whereas IT and cybersecurity pros are more concerned with reputational and brand damage. How is this going to affect our business? In some cases, is this going to mean the end of the business completely? And I found that really, really interesting. It's the IT pros that realize these security issues have really deep connections with how the business is run, while leaders the measurable risk and risk reduction of security investments and what security actually means for their business.
Starting point is 00:08:56 So how do you suppose the cyber pros go about bridging that gap? I think it's kind of a messaging issue. It's that cyber pros have to do a better job of explaining to business leaders and showing them not only the scale of the problem, but exactly how investments in cybersecurity can make a measurable difference in their business. I spent some time recently with a group of CIOs, and we had a really interesting conversation about this, that was based on investments related to the GDPR, which, as I'm sure you know, is the EU General Data Protection Regulation. And this group of CIOs is in the United States. And they were kind of split on whether they had a real mandate to make big changes to their organizations from a technology perspective because of a law that may or may not affect them. And one of the things that came out as part of that discussion was, you know, there are going to be real costs with putting the kinds of controls in place to keep data private that the GDPR mandates. And should we do this now,
Starting point is 00:10:10 even if maybe as an organization, we're not subject to these kinds of controls? Or should we wait until, for instance, the California Consumer Privacy Act goes into effect and we have a real mandate to do it? Some CIOs and some business leaders are thinking that way, but others are realizing that putting the kind of controls that the GDPR says you need to have when it comes to data, which is really just treating personal information as something that's kind of valuable and not something that you can just throw in a junk drawer and not worry about, which is how many organizations have treated data in the past, can give them a competitive advantage. Because who wants to do business as a consumer or as a business partner with an organization that doesn't take data privacy and security seriously? haven't been great at, and it shows up in the results of these surveys, where C-suite executives don't see the same kinds of results that IT and cybersecurity pros see when it comes to security investment. That's Brian Vecci from Varonis. You can find the results from their data breach prevention survey on their website. In the first incident of its kind, an officer of the Chinese intelligence service, the Ministry of State Security, MSS, is in U.S. custody facing hacking charges. Yanjun Xu, a deputy division director in MSS's Jiangsu State Security Department, 6th Bureau, was apprehended by Belgian authorities in April and extradited to the U.S. on Tuesday.
Starting point is 00:11:45 The Department of Justice says he'll be tried for conspiring and attempting to commit economic espionage and steal trade secrets from multiple U.S. aviation and aerospace companies. It's an industrial espionage beef, and it will be tried in Cincinnati, near where the alleged attempted theft of trade secrets from GE Aviation occurred. Xu used traditional espionage approaches as opposed to more 21st century cyber attacks. He would attempt to recruit U.S. agents by offering them, for example, invitations to academic conferences at Jiangsu and then work on them to deliver the information the MSS was after. He himself was apprehended using traditional counter-espionage approaches.
Starting point is 00:12:25 U.S. officers lured him to Belgium, where Belgian authorities arrested him on the U.S. warrant. The Washington Post reports that Xu's case is linked to that of Ji Chaoqun, a Chinese citizen living in Chicago. China's reaction has been relatively moderate. The Post reports that the foreign ministry said the indictment was made of thin air, but that they expect the U.S. to deal with Xu fairly in accordance with law, respecting his legitimate rights and interests. Some observers suggest that the arrest, trial, and extradition of a Chinese intelligence officer will prompt strong Chinese retaliation in cyberspace.
Starting point is 00:13:05 And perhaps it already has. U.S. officials this week have been naming China as the principal cyber threat, worse than Russia, which itself is pretty bad. A quick note as we follow these stories on the difference between an officer and an agent. An officer is someone who works for an intelligence service as a regular employee. An agent is someone that an officer might recruit to spy for that service. Thus, Aldrich Ames, currently serving life for espionage in a U.S. federal prison, was an American officer. He was employed by the CIA, but a Russian agent. He spied for the KGB and its successor agencies.
Starting point is 00:13:47 Xu is an MSS officer. Threat intelligence firm Recorded Future contrasts the Russian and Chinese hacking communities, respectively, thieves and geeks. This is from its analysis of their online hacking communities. Part of the difference lies in China's relatively greater separation from the two countries' mostly Western targets. There's not only the barrier of the Great Firewall, but also the separation imposed by quite different language families. And of course, there are cultural issues as well. Russia makes use of traditional criminals to serve the state as they enrich themselves.
Starting point is 00:14:22 China uses its security services to help enrich the state. And finally, TASS is authorized to declare that Russia strongly denies having hacked the Organization for the Prevention of Chemical Warfare. They were framed, Moscow says, by Dutch security services, probably in cahoots with their Anglo-American masters. We await further clarity about the GRU hackers and Novichok specialists and their interests in Stonehenge, tulips, windmills, and canals. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:15:05 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:15:33 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:16:21 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:17:13 Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's good to have you back. We have been going through a couple of interesting cases that came through Florida recently, and there was one that had to do with cell site location information. Bring us up to date what's going on here. Sure. So this is another Court of Appeals decision from the state court in Florida. It was actually a cell site location information case dating back to 2001, the early days of cellular telephones, or maybe the middle ages
Starting point is 00:17:52 of cellular telephones. And what happened is the government was able to use cell site location information to locate a person charged with first-degree murder. That person was convicted largely based on the evidence gained through that cell site location information. Then this year we had a Supreme Court decision in Carpenter v. United States, which informed us that the government needs a warrant to obtain cell site location information. Now, usually this is not a problem for law enforcement. There's this thing in the legal world, in the Fourth Amendment world, called the good faith exception. And if the government is relying on clear rules that are in place at the time, the conviction will stand even if those rules are subsequently changed by the Supreme Court.
Starting point is 00:18:43 So if something was legal in 2001 and the Supreme Court suddenly decides it's illegal in 2018, traditionally that means a conviction can't be overturned. The law enforcement was working with the tools that they had been given. That is actually not the case here because in this case there was no legal doctrine at all in this area of the law. There was no decision saying that a warrant is not required for cell site location information. And in the absence of any sort of guidance, the good faith exception can't apply. So this person is going to be granted a new trial, and the state will have to use evidence that wasn't gleaned from the historical cell site location information. So a retroactive decision, what, a decade and a half or so back?
Starting point is 00:19:33 Yeah, it's probably very devastating for the prosecutors Court decides that we have a reasonable expectation of privacy and information gleaned from a certain type of technology. Then the end result is going to be that some undesirable people, people who have committed heinous crimes, are either going to be set free or going to get their day in court. And, you know, traditionally, the good faith exception allows us to avoid these types of situations. But since there was no prevailing law on the question of warrants for cell site location information, the state is really out of luck here. All right. Well, it's fascinating to track along with it. Ben Yelin, thanks for joining us. Thank you. Thank you. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:21:11 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:21:23 sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
Starting point is 00:21:57 We'll see you back here tomorrow. Thank you. AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
