CyberWire Daily - Shamoon variant implicated in Saipem hack. Charming Kitten reappears. Sino-American tension over trade and industrial espionage.
Episode Date: December 13, 2018
In today’s podcast we hear that the Saipem hack looks like a new Shamoon variant. Charming Kitten started prowling through relevant places after the Iran sanctions became more serious. US authorities denounce Chinese espionage, especially industrial espionage, but there are as yet no new indictments or sanctions. Concerns mount over Chinese influence operations. Another Canadian may be in Chinese custody—possibly in retaliation for the detention of Huawei’s CFO. Ben Yelin from UMD CHHS on how password policies align with the 5th amendment. Guest is Liz Rice from Aqua Security on the notion of security teams “shifting left.” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
The Saipem hack looks like a new Shamoon variant.
Charming Kitten started prowling through relevant places after the Iran sanctions became more serious.
U.S. authorities denounce Chinese espionage, especially industrial espionage,
but there are as yet no new indictments or sanctions.
Concerns mount over Chinese influence operations.
And another Canadian may be in Chinese custody,
possibly in retaliation for the detention of Huawei's CFO.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 13, 2018.
Cyber news today is dominated by reports on what appear to be the activities of two nation-states,
Iran and China.
First, Iran.
There's been an update to the story of the cyber attack against offices in the Italian oil field services company, Saipem.
Reuters reports that the attack delivered a new variant of Shamoon wiper malware.
The attack took place over the past weekend and was tersely disclosed Monday.
As details have emerged over the course of the week, we're hearing more about how this version of Shamoon differs from the 2012 original.
One apparent difference is cosmetic.
The original Shamoon replaced data with propaganda images, burning American flags, jihadist execution pictures,
while this one appeared to encrypt rather than destroy data through overwriting.
Upon further review, that seems not to be the case.
ZDNet reports that it looked as if the data had been encrypted,
but in fact it was simply overwritten with crypto-looking gibberish.
Garbage data, as an outside analyst told ZDNet.
Another difference seems to lie in the malware's mode of transmission.
The original Shamoon samples came with SMB credentials
that enabled it to propagate across the targeted network.
This has led to speculation that the infection arrived
through exploitation of remote desktop protocol.
The third significant difference is the absence of a networking component.
Unlike its predecessors, this version of Shamoon didn't have a command and control server configured.
That suggests it was deployed manually and not, for example, by a phishing email.
Iran is also being mentioned in connection with another cyber campaign, this one directed at
more conventional espionage. The AP is reporting today that Iran's Charming Kitten cyber espionage group
was sent out to collect against targets that might yield intelligence
relative to sanctions the U.S. has reimposed
in an attempt to curb Tehran's nuclear ambitions.
Charming Kitten, the AP was told by London-based security shop Certfa,
went after private email of U.S. Treasury officers involved in sanctions enforcement.
Their collection list also extended, the AP says,
to high-profile defenders, detractors, and enforcers
of the nuclear deal struck between Washington and Tehran.
They were also interested in Arab nuclear scientists,
D.C. think tanks, and various Iranian civil society figures.
We spoke yesterday about DevOps and the desire to better integrate security throughout a product lifecycle.
We get additional perspective today from Aqua Security's Liz Rice, who advocates a notion she describes as shifting left.
I guess traditionally we often see security seen as something you apply to software that's already been written and perhaps
has already been deployed. Quite often it's a separate security team who really aren't very
involved with the development of the software. So if we're talking about shifting left, we're really talking about involving security earlier in the development lifecycle of that software.
But what we're seeing increasingly in a DevOps world is we need to be able to ship software
faster. We need to be able to deploy more frequently. And then that means you can't really just be having the security conversation at the end. It needs to be automated. It needs
to be part of these automated processes that are deploying software, you know, often many times a
day. And for a typical security team, how much of a culture shift is this? I think it can be a really big shift, actually.
Particularly if you think about the world of containers, the world of orchestration.
We go from, you know, an organization may have traditionally shipped software four times a year, say,
and suddenly the security team are asked to deal with software
that's being deployed, well, as I say, several times a day. And every time you deploy something,
there's got to be a question mark over what is it that we're deploying? And does it have
any vulnerabilities? And how can I, as a security person, take responsibility for software where perhaps it's being run under an
orchestrator. So I don't even get to control where the software is run. It's up to an orchestrator to
automatically deploy software somewhere in our cluster. So what are your recommendations for
organizations who want to do this, who want to shift security, as you say, more to the left?
What's the best way for them to approach it
so that it won't have a negative impact on their team?
So I suppose it has to be part of a broader discussion
of the adoption of DevOps practices.
And for any given organization,
they really need to understand what it is they're trying to achieve.
Usually, in my experience, at least, it's a business desire to be able to shift software
more quickly, to be able to deliver functionality to customers more quickly, to be able to be more
responsive to change. So, I think having everybody on board with that, you know, with those requirements, with the benefits of moving to this kind of process, if that works for the particular organization, if that's important for them. about it in a manageable way. There are lots of really great stories out there from organizations
who have adopted moving to the cloud, moving to cloud native technologies. So figuring out what
you want to achieve, figuring out what your first project, what your journey should look like by
trying to learn from other people's experiences and talking to all the
stakeholders from the business side, from the developers, from the operations team,
and from the security team. I think those would be my key recommendations.
That's Liz Rice from Aqua Security.
Chinese cyber espionage and a growing penchant for influence operations
continue to draw attention from nations that feel themselves most directly threatened.
Tensions between China and the U.S. remain high,
and they're exacerbated not only by continuing conflict over trade,
but also by growing suspicion that Chinese intelligence services
were behind the very large, long-enduring attack on Marriott
that since 2014 has compromised some 500 million articles of personal information.
Sources close to the investigation, as they say,
are telling Reuters and others anonymously
that U.S. investigators are close to making a convincing case for Chinese responsibility.
It's also been noted that 2014 was a big year for Chinese cyber espionage.
That was also the year of the big OPM breach that scooped up a great deal of personally
identifiable information from the U.S. government. Chinese involvement is widely suspected in that
case, too. A new wave of U.S. indictments of Chinese nationals on hacking charges is widely
expected, but that hasn't happened yet.
An official of the Department of Homeland Security told a Senate panel yesterday
that the investigation was still in progress and not ready to move to the next stages.
New sanctions are also widely expected, but these haven't materialized either.
But the third generally anticipated U.S. response, public denunciation, has happened, and it arrived with some eclat in testimony before the U.S. Senate Judiciary Committee yesterday.
Senior counterintelligence officials from DHS, the FBI, and the Department of Justice characterized China as a big threat, maybe the biggest threat, to the American economic and technological place in the world.
In committee hearings on non-traditional espionage against the United States,
officials outlined a picture of Chinese strategy designed to supplant U.S. leadership.
Assistant Attorney General John Demers put it this way,
quote, The playbook is simple. Rob, replicate, and replace.
Rob the American company of its intellectual property, replicate the technology,
and replace the American company in the Chinese market and one day in the global market.
End quote.
The Senate hearings were also noteworthy for mention of influence operations
exercised in universities through China's Confucius Institutes,
educational and cultural establishments that have over the past
year received increasing scrutiny as centers of government-directed influence. Russian influence
operations have long received the most attention, but there are now suggestions that China is
mounting such operations of its own. Beijing's style is quite different from Moscow's, running
far more toward economic entanglement and tendentious cultural exchange
than it does toward trolling, catfishing, and opportunistic gonzo black propaganda.
In the UK, MPs are also warning of Chinese presence in universities,
but the British problem is seen as excessive coziness with Huawei.
As noted yesterday, Huawei's CFO Meng Wanzhou has posted bail in Vancouver
as she awaits further proceedings that could lead to her extradition to the United States.
Feelings over this matter are running high and in a patriotic direction over in China.
Authorities there are believed to have taken a second Canadian citizen into custody
in apparent retaliation for Ms. Meng's arrest.
It will be interesting to see how various advance fee scammers will make use of the current state of the Meng case.
Earlier this week, they were using emails in which someone posing as Ms. Meng or her agent solicited a couple thousand bucks so she could bribe her jailer and escape.
She's out now, so that won't
be as plausible. A more interesting touch in the scam emails was a veiled promise of romance.
That's also probably out the window now that it's generally known that not only does Ms. Meng have
a husband, but that said husband is with her and helping her abide by the terms of her release.
But let's not underestimate the cunning and imagination of the grifters.
Sure, it's low cunning,
and yes, the imagination is on the mechanical side,
but they do find their marks.
There's one of those born every minute.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security.
Ben, it's great to have you back.
I had an article on the Naked Security blog from Sophos, and this is about passcodes being protected by the Fifth Amendment.
This is a topic we've touched on before.
What here is new and interesting?
So, as you know, the Fifth Amendment protects you against self-incrimination.
So the government cannot force you to incriminate yourself in the commission of a crime.
That's one of our most cherished constitutional protections.
In this case, which concerned an underage drunk driver, the government thought they could obtain evidence from the driver's smartphone device.
So they asked that driver to enter the passcode into his smartphone. And
based on that information, they were able to obtain the conviction. The defendant appealed
saying that just asking for that passcode violated his Fifth Amendment right against
self-incrimination. And amazingly, there's been a lot of case law on this. And it comes down to what's called the foregone conclusion exception or the foregone conclusion standard. So if the
government can show that it knows that the defendant knows the passcode, then the Fifth
Amendment is not implicated because eventually that person is going to have to open the phone.
It is a foregone conclusion. The government has some proof. Maybe
they've actually seen the individual unlock that phone with that passcode. So it need not go
through these Fifth Amendment hoops or these judicial hurdles to obtain access to that
information. What this opinion is suggesting for the first time, and what I think is very
interesting, is that the foregone conclusion doesn't necessarily apply
when we're talking about obtaining the contents of information inside the phone.
So what the court in this case made clear is that the government doesn't care about the passcode per se.
It's very rarely going to be evidence that a person's passcode is 5643.
That doesn't really matter for police purposes.
What matters is the content
inside the phone and whether that content contains information that's incriminating
to a potential criminal defendant. And what the court here is saying is it is not a foregone
conclusion in this case that information on this individual's phone was going to have
relevant information to that person's prosecution. At the very least, the government didn't prove with any level of certainty that they knew
what was on the phone.
They knew what they were looking for, and that information was going to lead to the
defendant's conviction.
So this raises the suggestion, and again, it's just one court, and it doesn't necessarily
apply nationwide, that there's going to be a higher standard as it applies to
the government trying to unlock devices. They will now have to show with some level of
particularity that there is something on that device, a piece of information that they know
is there in order to unlock it. Otherwise, the defendant has a valid right against self-incrimination.
So if we see this applied elsewhere, I think it would have a major impact on law enforcement.
I mean, because we collect so much in our smartphone and it contains every last iota of information about us,
these are evidence valhalla for law enforcement.
And if it's harder for them to get access to these devices, then I think that
Fifth Amendment right against self-incrimination will have more meaning in the digital age.
Yeah, it's interesting because this runs contrary to what I had believed or thought,
which was that, you know, we've talked about how they could compel you with biometrics. You know,
they could force you to use your fingerprint to unlock your phone,
but they couldn't force you to reveal a password.
And what you're saying here is that, no, they could compel you through a court order to reveal that password?
They could.
Not according to this particular court's holding,
but several courts have basically upheld that if the government has reason to believe that
that person can unlock their phone, then that does not count as testimonial evidence.
And under this foregone conclusion standard, the criminal defendant is going to be out of
luck in those circumstances. They will have to unlock their phone. If they're not, they're going to be
held in contempt. And that's the exact thing that the Fifth Amendment right of self-incrimination
is trying to avoid. You have these situations where, you know, let's say you have incriminating
information on your phone and you're asked to reveal it. You basically have two options. You
do not reveal it and you're held in contempt, or you do reveal it and you're going to
be convicted of a crime. And that's exactly why we have a Fifth Amendment right against
self-incrimination. We don't want to put people in that situation. So one thing I would say about
biometrics, the equivalent in the physical world is something like a police lineup, where you are
identified affirmatively by a witness. And that does not
count as testimonial evidence for the purposes of the Fifth Amendment, because you're not really
revealing anything about yourself. You're just, you know, showing your face to somebody. So I
think that's why, at least to this point, courts have analogized biometrics, facial recognition
to that non-digital standard. All right. That's interesting. Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.