CyberWire Daily - Sri Lanka’s social media clamp-down, and investigation of Easter massacres. CIA said to have details on Huawei’s relationship with China’s security services. Marcus Hutchins pleads guilty.
Episode Date: April 22, 2019
Sri Lanka clamps down on social media in the wake of Easter massacres. Authorities suspect an Islamist group, but no terrorist organization has so far claimed responsibility. CIA intelligence is said to have the goods on Chinese security services' hold over Huawei. Marcus Hutchins, also known as MalwareTech, and famous as the sometime hero of the WannaCry kill-switch, has taken a guilty plea to charges connected with the distribution of Kronos banking malware. Joe Carrigan from JHU ISI on password research from WP Engine. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Sri Lanka clamps down on social media in the wake of Easter massacres.
Authorities suspect an Islamist group, but no terrorist organization has
so far claimed responsibility. CIA intelligence is said to have the goods on Chinese security
services' hold over Huawei. Marcus Hutchins, also known as MalwareTech and famous as the sometime
hero of the WannaCry kill switch, has taken a guilty plea to charges connected with the
distribution of Kronos banking malware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 22, 2019.
Sri Lankan authorities have shut down most social media in that country
in an effort to prevent the spread of inflammatory rumor or disinformation.
The restrictions follow a series of apparently coordinated suicide bombings
that killed Christians at worship in Batticaloa, Colombo and Negombo and others,
including guests staying at tourist hotels at five other sites in Colombo.
Police have arrested 24, but no group has claimed responsibility.
Agence France-Presse reports that Sri Lankan security authorities issued an alert over a week ago
warning police that chatter collected from various intelligence sources
suggested the likelihood of jihadist actions by National Thowheeth Jama'ath, or NTJ,
during the Christian Holy Week. It remains unclear whether that group organized the bombings.
CNN says almost 300 are dead. About 500 are wounded. NTJ had previously distinguished itself
mostly by defacing Buddhist statues in the majority Buddhist nation.
Sri Lanka had gone through a lacerating civil war from 1983 to 2009, but the opposing sides
were defined ethnically and geographically, with the predominantly Hindu Tamils, a bit more than
11% of the population, seeking an independent state among the northern rim of the island.
The majority Sinhalese, with about 75% of the population, are predominantly Buddhist.
A coordinated campaign of lethal violence on the parts of jihadists is something new.
Muslims make up less than 10% of the country's population, slightly more than Christians.
Authorities concluded this morning that the NTJ was in all likelihood responsible and have taken a number of its adherents into custody for questioning.
They've also found quantities of explosives, for the most part detonators, in the possession of
the group. The police and intelligence services think there's a fairly high probability that the
bombers received assistance from like-minded international jihadist
groups. Reuters quotes experts who see ISIS or al-Qaeda in the attack's methods. Sri Lanka's
defense minister attributed the massacres to followers of religious extremism. Investigation
continues. A presidential commission has been appointed to look into the massacres. It's likely
to also look inward at what some critics are calling an intelligence failure.
The clampdown on social media is a preventative reaction.
Social media has spread violent contagion elsewhere in South Asia over the past year,
and various figures in the NTJ have romped pretty freely across YouTube, in particular in recent months.
The Times of London reported Saturday that the CIA shared intelligence with Five Eyes partners, establishing Huawei's significant funding by Chinese security services.
The Times treats this as significant, which suggests their sources see investment amounting
to control, not simply purchase of goods and services.
More significant, for example, than what the Washington Post notes in an unrelated editorial about Microsoft's AI research cooperation with a Chinese military university.
While one might question the wisdom of a U.S. company working with a Chinese defense research
establishment on any number of grounds. They might include the risk of sensitive technology transfer, IP theft,
providing technology that might be used in ongoing repressive measures, and so forth.
But it would seem a stretch, to say the least,
to say that Microsoft had come under the sort of control Huawei is thought to be subject to.
Thus, it would be interesting to learn more of the nature of the funding Huawei received.
Marcus Hutchins, sometime hero of WannaCry's kill switch, pleaded guilty to U.S. federal charges involving making and selling malware for, quote,
surreptitious interception of wire, oral, or electronic communication, end quote.
Hutchins, also known by his white hat name MalwareTech, was apparently already a person of interest to the U.S. FBI for some time before he came to fame for stumbling
across WannaCry's kill switch and recognizing that kill switch for what it was. He was arrested in
the U.S. while on a kind of post-WannaCry victory lap through the conference circuit in the U.S.
The crime to which he has allocuted, as they say on Law & Order,
involved the creation and sale of the Kronos banking malware,
designed to harvest account credentials.
Hutchins apparently began his malware entrepreneurial career in his teens.
He says he's outgrown that phase and that he now knows better, and no doubt he does.
This may well be another
instance of that sadly familiar online disinhibition that grips so many when they use the internet.
Mr. Hutchins, a British subject, now faces sentencing.
The two counts in his guilty plea each carry a maximum sentence of five years.
Winning with purpose and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our
GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist,
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
He's also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
It's good to be back, Dave.
We've got an interesting story to share with us here today.
This is about passwords.
What do we got here? This one comes from WP Engine, who did a little
bit of research. And if you go to WPEngine.com slash unmasked, you can find this incredibly
interesting article in here. Yeah. These folks do WordPress hosting. Right. What they did was
they went out and they got a hold of a couple of old breaches and they started analyzing the
breaches and seeing if they could pull
out matching passwords, if they could generate matching passwords.
So all these passwords were plain text passwords that have already been cracked, but what they
did was they looked at the information and they tried to do some correlation and figure
out how easy it was to generate a password that would match.
So they aren't actually doing any hashing.
One of the things they say in this report is that Hashcat,
they talk about Hashcat being able to perform 300,000 hashes a second depending on how your password is hashed.
The limit to Hashcat is really how much money you have to spend on hardware.
So if you can buy a bunch of GTX 1080 TIs and put them into a machine,
that can crack way more than 300,000 passwords a second.
Couldn't you also buy that service from like AWS?
They have GPUs for sale, right?
They have GPU processing for sale.
You can probably run Hashcat on that as well.
I haven't ever tried it.
I've used my own GPUs to do this.
But Hashcat's a remarkable tool.
You should look into it.
A couple things.
There is no difference
in the quality of passwords
between men and women
that we're all equally bad at it.
Okay.
Phew.
Right.
If you're going to add a number
at the end of your password,
that really doesn't make it
any more secure.
Can you guess the number one number that was added at the end of a password to make it different?
Well, the number one.
Yeah.
Number one.
The number one.
Number one.
The number one choice.
Oh, it was the number one.
There you go.
It's number one.
Okay.
So if you take your password and put a one after it, that essentially doesn't make any difference.
Because so many people do that.
Right.
23% of passwords that end in a number end in the number one.
Wow.
Okay.
I'll just choose two.
Right.
That's 6.72% of passwords end in the number two.
So this method is not effective.
It is not effective.
Absolutely not effective.
Yeah.
Effective.
Now, they talk about this concept called password entropy, which is essentially a measure of how good your password is.
And they say that a password with an entropy of 60 or greater is actually less common than a password with an entropy of 0 to 5.
So a lower number is worse, right?
So a password with an entropy of zero to five would be something that you could crack in a matter of seconds, right? And a password with
entropy of greater than 60 would be something that you could crack in years. So it's much more common
to find passwords you can crack in a second than it is to find passwords that take forever to crack.
Right, right. Okay. I guess that's not surprising.
That is not surprising.
Do you think that you're clever by using keyboard patterns to generate passwords?
Because that's going to be a hard password that's kind of difficult to remember.
It would be a random string of numbers by walking down the keyboard.
Right, yeah.
It's not really random at all.
It's terribly predictable, just like almost everything humans do.
Right.
And this report shows you 20 different patterns, including one that's actually generated just by pressing the digits 2 through 9 on your keyboard.
On your mobile device.
On your mobile keyboard, right, on your mobile device.
Yeah.
So, I mean, that one looks like it's secure because it's A, D, G, J, M, P, T, W.
Right.
So if you look at it on a regular keyboard, it looks random.
Yeah.
But on a mobile device, you're just walking.
Mobile devices, 2, 3, 4, 5, 6, 7, 8.
Walking along.
Okay.
Silly humans.
Right.
I love these kind of reports.
The most used base password phrase.
Number one, still password.
Of course it is.
It's still just password.
Then they break it down by nouns, verbs, and colors.
I was happy to see that names and usernames that David is on there, but Joe is not.
That's right.
The article starts, I love, in the middle of this article they have like lists of different kinds of password parts.
Right.
And it starts with saying, name your favorite superhero, pick a number between 1 and 10, and then pick a color. Right. So if that's how you're generating your passwords, then you're generating passwords that are easy to guess, because I can take a very limited set of lists and start trying to crack these passwords just by appending them together. And the fact that you're putting a number between them, I know you're going to pick a number between one and a hundred, probably. Right. Right. So that's
where I'm going to start guessing. But more importantly than that, I have to say this again,
Dave, you should not be generating your own passwords. You should be using a password
manager to do that for you. If you were to ask me what my password to Facebook is,
I don't know what my password to Facebook is. My password manager knows that. And it's a 20 character randomly generated password
that would take years to crack. Yeah. I thought it was interesting. One of the things in this
article is they went through some high profile folks and tracked what the entropy of those
passwords would be and how long it would take to crack them. Some of them take tenths of a second,
some of them take hours or longer. But the longest, the strongest password of the bunch belonged to a GitHub developer. It's basically what you describe. It's the 20 character long,
just random string of characters that have absolutely no meaning or no association with
anything. And it had an entropy of 96. The weakest was a senior manager at a major tech company, and it was 1, 2, 3, 4, 5, 6.
He said it was probably for a throwaway sign-up or something like that.
Right.
Because who would be so silly?
Yes.
Thank you, Joe.
Thanks for saving me there.
I was thinking of another S word, but yours is much better.
Yours is much better.
Yeah.
Yes, don't do that.
Use a password manager.
Use a password manager.
Use a password manager.
And another way you can increase your strength is by using multi-factor authentication.
And once again, you know, everybody thinks they have a system.
Right.
Everybody thinks they're being clever.
Nope, your system stinks.
Yeah.
Let me tell you that right now.
Your system is not as good as randomly or pseudo-randomly picked letters by a computer.
Yeah, and thanks to this article, I mean, you've got the data to prove it.
Right, absolutely.
All right.
Well, yeah, I recommend folks check this out.
It's an interesting article.
So, Joe, thanks for bringing it to our attention.
Great having you on the show.
It's my pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. give you total control, stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.