CyberWire Daily - Sequelae of the US Reaper strike against the Quds Force commander. Warnings of Iranian retaliation, with an emphasis on cyberspace. Espionage in Austria, and a second look at an LSE outage.

Episode Date: January 6, 2020

Iran vows retribution for the US drone strike that killed the commander of the Quds Force. The US prepares for Iranian action, and the Department of Homeland Security warns that cyberattacks are particularly likely. Some low-grade Iranian cyber operations may have already taken place. Austria’s Foreign Ministry sustains an apparent state-directed cyber espionage attack, and in the UK authorities are taking a second look at the August outages at the London Stock Exchange. Joe Carrigan from JHU ISI, describing a clever defense against laptop theft. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_06.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Iran vows retribution for the U.S. drone strike that killed the commander of the Quds Force. The U.S. prepares for Iranian action, and the Department of Homeland Security warns that cyber attacks are particularly likely.
Starting point is 00:02:08 Some low-grade Iranian cyber operations may have already taken place. Austria's foreign ministry sustains an apparent state-directed cyber espionage attack, and the U.K. authorities are taking a second look at the August outages at the London Stock Exchange. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 6, 2020. The news, as it's developed over the weekend, centers on heightened tension between the U.S. and Iran in the wake of attacks against U.S. forces in Iran and the U.S. retaliation that killed Iranian Major General Soleimani.
Starting point is 00:02:51 Iran has promised retribution, and many believe that such retribution is likely to include a heavy cyber component. Fifth Domain offers an account of what an Iranian cyber campaign might look like, betting on form and with the initial reservation that Iranian operators have shown themselves capable of innovation and therefore able to mount unexpected attacks, the experts Fifth Domain talked to think a data destruction attack to be one likely option. The Shamoon attacks against Saudi Aramco offer a precedent. Cyber espionage designed to develop target
Starting point is 00:03:26 indicators for a kinetic attack is also a possibility. Iran has also engaged in distributed denial-of-service actions against U.S. financial targets, and it has doxed the Saudi government, so the theft and release of sensitive documents would also be a possibility. Finally, Tehran is believed to have studied Russian attacks against Ukraine's power grid, and they've demonstrated the ability to hit infrastructure targets, including Bahrain's water distribution systems. Iranian operators, we might add, are also known to have taken an interest in U.S. infrastructure. They have been attentive consumers of open-source material on ICS vulnerabilities,
Starting point is 00:04:08 and they also conducted one easily overlooked attack, the 2013 intrusion into the control system of the Bowman Street Dam in downstate Rye, New York. That particular incident involved a small flood control dam and had no perceptible effect. The controls were offline for repair at the time, but it's an interesting cautionary tale. It was either a proof of concept, or a demonstration, or a shot across the Yankees' bow, or, and this may be the most interesting possibility, a case of misidentifying the target. New York's Bowman Street Dam is very small infrastructure potatoes indeed, but there's a big irrigation dam in Idaho, the Bowman Dam, interference with which would have presented more serious problems. And Tehran's hackers
Starting point is 00:04:51 might have believed themselves to be on to the dam in Idaho as opposed to the one in New York. So an ICS attack is among the realistic possibilities. That's also the official view of the U.S. Department of Homeland Security. Cybersecurity and Infrastructure Security Agency Director Krebs tweeted a warning and a recommendation that enterprises brush up on Iranian cyber tactics, techniques, and procedures. Pay close attention to your critical systems, particularly ICS. Do note CISA's emphasis on ICS, that is industrial control systems. The Department of Homeland Security's bulletin on the National Terrorism Advisory System elaborates in part as follows, quote, Iranian leadership and several affiliated violent
Starting point is 00:05:38 extremist organizations publicly stated they intend to retaliate against the United States. At this time, we have no information indicating a specific credible threat to the homeland. Iran and its partners, such as Hezbollah, have demonstrated the intent and capability to conduct operations in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of U.S.-based targets. Iran maintains a robust cyber program and can execute cyber attacks against the United
Starting point is 00:06:12 States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. End quote. So, among the Iranian tactics Director Krebs advises everyone to review, the use of proxies figures prominently. A great deal of Twitter traffic associated with Tehran
Starting point is 00:06:34 has organized itself around the pre-existing hashtags Hard Revenge and Death to America, as CyberScoop, citing the Atlantic Council Studies, reports. There's also been one minor attack on a U.S. government website that would seem to represent the work of either Tehran's operators or of patriotic hacktivists aligned with Iran. The website of the U.S. Federal Depository Library Program, a GPO site that makes official documents broadly available,
Starting point is 00:07:02 was defaced with Iranian messaging, Forbes and others report. Forbes characterizes it as a noisy attack, which is usually the case with cyber vandalism. The Department of Homeland Security is investigating, and as NBC News quotes CISA representatives, it's too early for firm attribution. Quote, at this time, there is no confirmation that this was the action of Iranian state-sponsored actors. Silicon Angle, in its reporting, calls the hack the beginning of a potential cyber war. That's not entirely wayward, but it is a bit breathless, given that, really, this is hardly like General Beauregard firing on Fort Sumter
Starting point is 00:07:41 or Moltke the Younger ordering the Kaiser's troops through Belgium. The affected site itself is neither a high-value nor a high-payoff target. It's maintained by the U.S. Government Printing Office as a low-cost, accessible way of providing interested citizens with easy access to official documents, like the full text of congressional bills and that sort of thing. The Federal Depository Library was probably a simple target of opportunity, hacked because it was hackable. We've seen that more than once over the past decade.
Starting point is 00:08:11 At one time, the websites of small cities in the U.S. Midwest were common targets of this kind of online vandalism, and that wasn't because the attackers thought the heartland was anything like the throbbing heart of the great Satan. It's because the sites were small and casually constructed. It's because they were there and accessible. One odd bit of fallout from the U.S. strike against Soleimani was a run on the U.S. Selective Service Agency's website
Starting point is 00:08:37 that actually rendered it temporarily unavailable over the weekend. Younger Americans were responding to a meme that foretold a return of the draft should there be a full-scale war between the U.S. and Iran. There was a similar run on the federal student aid site. Perhaps all of this is due simply to a lingering cultural memory of the way Dean Wormer delivered Delta House's midterm grades. In any case, a resumption of conscription is, to say the least, highly unlikely, but the rush to the draft board site is an instructive incident of the swift propagation of a meme. While people focus on U.S.-Iranian tension, there is, of course, other activity in cyberspace.
Starting point is 00:09:19 Austria's foreign ministry was hacked late last week in what appears to have been a foreign espionage campaign. Vienna is being cagey about attribution, as the BBC reports, and cagey about the details of the attack. But the BBC does bracket its own reporting of the few known facts with a review of Russian cyber espionage campaigns that suggests the way speculation, at least, is currently running. And finally, the Wall Street Journal says that Britain's GCHQ is investigating the possibility that a London Stock Exchange outage in August, regarded as an accidental glitch, may have in fact been a cyber attack.
Starting point is 00:09:56 The London Stock Exchange said at the time that, quote, a technical software issue had temporarily prevented trading in a range of securities, end quote, but it hasn't, according to the journal, explained just what the issue was. British authorities are looking into the possibility that if the incident was an attack, the attacker's goal might have been erosion of confidence in the financial sector specifically, and in Britain's critical infrastructure generally. So, by all means, Cheltenham, dot the I's and was meant to be. Let's create the agent-first future together.
Starting point is 00:10:55 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:11:27 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Thank you. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:12:48 Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute. Also my co-host on the Hacking Humans podcast. Joe, great to have you back. It's good to be back, Dave. This is a fun one I want to share with you. This is something I came across on Twitter. It's from a gentleman named Michael Altfield. He's got a blog, and it's titled Introducing Bus Kill, a Kill Cord for Your Laptop. And Michael's addressing a particular security concern here.
Starting point is 00:13:22 I shared this with you. You want to take us through what's going on here? Okay. So here, it's an operational security concern. Okay. Not really a cybersecurity concern, right? Because at the end of the article, he says, you know, what if you've done everything right, right? You've got a password manager, you've got two-factor authentication, you're using a VPN at a coffee shop, right? Right. And you've accessed your bank account. And at that point in time, someone comes and snatches your laptop. So you're sitting at a coffee shop doing your business. Someone comes along. I can imagine you or I sitting there, someone much younger and more fit than either of us, which is not hard to do, comes and snatches that laptop and runs away. No way I'm catching that guy. And you're logged in. Yeah, I'm logged in. So they have access to it. They have access to my bank account. Okay,
Starting point is 00:14:03 that's the scenario. Despite the fact I've used my two-factor authentication, my password manager and my VPN, they still have access to my account. Well, what Michael has done is address this concern. Okay. And it's kind of a clever fix, but I'm going to start off by saying there's a caveat. Michael has developed this on a Linux machine where you have a lot more control over what's going on. Yeah. And what he's done is there's a service in Linux called Udev. Now Udev is the device manager for the Linux kernel. Okay. All right. And in Linux, like in all the other Unix-like operating systems,
Starting point is 00:14:36 everything is considered to be a file at some point in time, including the devices that you plug in to your computer. Okay. And Udev is how you manage those devices when they're connected. I see. So what he's built here is actually a pretty clever device. He has gone out and gotten himself a USB cord that has a magnetic connection to it. Like a breakaway cord. Right, exactly. So the first time I saw these cords was when somebody had a deep fat fryer that they put a breakaway cord on.
Starting point is 00:15:08 The thinking being that if you're running a deep fat fryer in your kitchen and a kid comes running through there and they run through the cord because they're kids and they're not looking, that what happens is the cord just breaks away and the fryer doesn't move. The fryer full of hot oil doesn't move. Right, right. And similarly, we saw these Apple had power cords this way. Yeah, Apple has power cords like this. Yank the cord. Yeah, it doesn't pull the laptop to the ground and shatter. Microsoft Surface, I think, also has the same kind of cords.
Starting point is 00:15:35 Okay. So they're great cords. But this is a USB cord with that feature. I see. So the connection is maintained via a magnet. Right. And then into that magnetic breakaway adapter, he has a one-meter cable that is attached to a USB thumb drive. And that thumb drive has a key ring hole in it that he runs a key ring through with a carabiner on it.
Starting point is 00:15:59 And then he takes that carabiner and he clips it to his belt. Oh. Or clips it to his person. So he is tethered to his laptop while sitting in the cafe. Right. All right. So now what happens is somebody comes along, they snatch the laptop, but in so doing, they break that magnetic connection, which breaks the USB connection.
Starting point is 00:16:16 And the UDEV rule says, hey, that USB device just got disconnected. Lock the screen. I see. Right? And that's what happens. And that's how Michael addresses the snatch and grab security risk. I like it.
Starting point is 00:16:30 I like it too. It's clever. I guess I question how, I guess if you're someone who would need this, I guess you'd know it. Right, right. Yeah. And it's unfortunate that he,
Starting point is 00:16:40 well, it's not unfortunate. I shouldn't say that. Right now, this is only a Linux solution. I'd like to see something like this for Windows. Yeah, I see some folks in the comments have a version that would work on Mac, which is Linux-y. Well, yeah, it's BSD-based. Right, right. So, you
Starting point is 00:16:55 could absolutely run this on a Mac as well. Yeah. But I'd like to see something implemented in Windows. That would be cool. Yeah. But this is really cool. I like the idea. Yeah, it's clever. Again, it's called Introducing Bus Kill, a kill cord for your laptop. It's Michael Altfield's tech blog.
Starting point is 00:17:12 Check it out. It's kind of a fun little project. All right, well, Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland
Starting point is 00:18:31 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:19:32 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
