CyberWire Daily - Suspicion of Chinese hardware manufacturers continues. EU diplomatic cables leaked. Hiding out by dumbing down. Facebook data-sharing. NASA PII exposed. Parrot uses Alexa to advantage.
Episode Date: December 19, 2018

In today's podcast we hear of more international skittishness about Chinese hardware manufacturers. Information operations in Taiwan's elections. EU diplomatic cables hacked, rehacked, and published. Dumbing down cyber craft as a form of misdirection. More Facebook data-sharing practices come under scrutiny. NASA PII exposed; investigation continues. And did you hear the one about the parrot, Alexa, Amazon orders, and sappy dance tunes? Jonathan Katz from UMD describes security improvements in the Signal messaging app. Guest Michael Doran from Optiv with tips on protecting your organization from ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
There's more skittishness about Chinese hardware manufacturers.
We'll explore information operations in Taiwan's elections.
EU diplomatic cables have been hacked, rehacked and published. Dumbing down cybercraft as a form of misdirection.
More Facebook data sharing practices come under scrutiny. NASA PII has been exposed.
The investigation continues. And did you hear the one about the parrot, Alexa, Amazon orders
and sappy dance tunes?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 19, 2018.
Skepticism about Huawei, and to a lesser but noticeable extent, ZTE hardware, continues to rise.
There are calls in India for restricting the use of these Chinese companies' devices in that nation's networks,
and the U.S. diplomatic push to warn allies against the security threat it sees in these manufacturers continues.
The Washington Post notes signs of Chinese government interest in developing information operations capabilities comparable to those Russia has shown.
Recent activities in Taiwan during that island nation's elections are seen as a bellwether and something the U.S. ought to be thinking long and hard about right now.
In another action linked circumstantially but plausibly to China, diplomatic cables from the European Union were successfully intercepted by hackers, as they're being characterized.
Area 1, the Redwood City, California-based security startup, is credited with discovering the intrusion.
The hackers presumably not only intercepted the cables but read them as well,
a reasonable conclusion since New York Times subscribers have now read them as well.
Area 1 says the cables were carried by COREU, the European Diplomatic Correspondence System, which was compromised over a three-year period.
According to reports, Area 1 found the intercepted cables exposed on an unsecured server in the course of investigating a phishing expedition conducted against the government of Cyprus.
Area 1 characterized the hackers as elite, which has raised some eyebrows at Computer Business Review and elsewhere.
One would imagine sophisticated hackers know better than to leave stuff lying around like that.
But still, everyone has lapses and, well, haven't you ever had a bad day?
Anyway, Area 1 told the New York Times that signs clearly point to a unit of China's People's Liberation Army.
Area 1 co-founder Blake Darché is quoted in the Times as saying,
"After over a decade of experience countering Chinese cyber operations and extensive technical analysis, there is no doubt this campaign is connected to the Chinese government."
The EU has declined comment beyond noting that it takes matters of this kind very seriously,
as well it might.
Much of the comment on the incident has been on the contents of the cables,
which don't seem particularly surprising.
EU diplomats worry about American cowboyism,
which they've done since before there was an EU.
They're concerned about Iran, Russia's operations in Ukraine bother them, and so on.
The Register is among those to note the anodyne character of a lot of the material.
Trade missions continue. Did you know Afghanistan is unstable and produces illegal opium?
Lots of diplomats agree North Korean nuclear weapons are a bad thing, as one says, and so on.
It's not, as the Register observes in its customary world-weary fashion, WikiLeaks Part 2.
Comments from other parts of the security industry have been mixed to negative,
with many calling into question the decision to turn hacked cables over to a newspaper,
as well as the newspaper's decision to publish them.
The comments have come from a variety of places in the sector,
so it would be rash to dismiss them as government stooges.
So Area 1 concludes, on the basis of circumstantial evidence, that the operation was a Chinese one.
They may well be right: the sheer indiscriminate appetite for information, regardless of its utility, does seem much in Beijing's style.
Also in Washington's indiscriminate cowboy style, but other signs point to China, and in fairness, that does seem the likeliest suspect.
It's worth noting again the ways in which nation-states complicate attribution by hiding in the criminal, hacktivist, and skid noise that so fills the online world.
Recorded Future has noted a trend in state intelligence operations.
Dumb down your craft to make a hack look like the work of criminals or hacktivists.
This happens linguistically as well.
It's worth noting that the Internet Research Agency's performance on Instagram and Twitter shows that, had it chosen to use it,
Moscow had an American English fluency available that never appeared, except perhaps by inversion, in the Shadow Brokeries.
The New York Times has been on other cases as well.
The paper reported late yesterday that Facebook gave various big tech partners, including
Apple and Amazon, access to some user data, including some messages.
Facebook replies that the partnership was benign,
that user data wasn't handed over without user consent,
and that in any case, the more aggressive forms of sharing stopped
as Facebook tightened its privacy policies over the past year.
But eroding trust in the social medium seems to have made it impossible
for the company to avoid another black eye.
It's running out of eyes.
Facebook's British nemesis, the Department for Digital, Culture, Media and Sport,
has requested an explanation.
It may not be as prevalent in the headlines these days,
but crooks are still making use of ransomware,
targeting individuals and businesses,
and making them pay up if they ever want to see their files again.
Michael Doran is a senior security consultant at Optiv, and we checked in with him to see
how organizations are preparing themselves for the possibility of a ransomware attack.
So there is a variety of avenues that individuals are taking.
The first most prevalent one that we're seeing from our standpoint and my team
is they're taking a proactive approach into beefing up their security, both from the technology
standpoint and from the proactive side, which is where they're training their individual responders
and their end users on specific IOCs or indicators of compromise as it relates to ransomware.
There are other options that are starting to make it into the mainstream methodology, if you will, for responding to that.
And that is the implementation or the garnering of cryptocurrency as a way to pay off in the event that the ransom does take hold of their environment.
So this is companies having a stash of cryptocurrency on hand so that if they do find themselves hit by this,
they're not scrambling around trying to figure out how they're going to pay the bad guys.
That is correct. It's at the ready in the event that something bad happens and they can't afford to have any amount of downtime.
So it's a quick, quick fix, if you will.
Albeit it's not the best option, but it is an option that is starting to make a more prevalent way into the mainstream response.
Yeah, I mean, it's an interesting insight because, of course, we know that the FBI discourages paying the ransom, but I suppose when it comes down to it, sometimes that's a practical way to come at this.
It is, but it also has a lot of drawbacks to it, in that it opens you up to the perception from the outside that you are willing and able to pay a ransom for the attack, which is bad.
Not only from the standpoint of once you get encrypted and you pay it off, they come back at you again for a higher dollar amount.
Also, we're starting to see more and more attacks on environments strictly for the cryptocurrency, not so much for the data that the company holds, but because they have stockpiles of cryptocurrency.
Now, are there any special things that companies have to look out for when they're keeping stashes of cryptocurrencies in terms of staying within regulatory frameworks and so forth?
That's where the tricky part comes in, is that because cryptocurrency is still in its infancy stages,
there's not a lot of regulation regarding its use and or creation through the Bitcoin mining and purchase.
However, as it is gaining popularity, you're going to start seeing,
if not right now, you're starting to see a little bit of government interaction
in the financial sector into regulating its use and what can be done and can't be done with it.
So when you're out there providing advice to the companies that you deal with, what are you saying to them? Is this a multi-tiered approach? Is it protecting from both sides?
So what we typically do from our standpoint, Optiv's standpoint, is we take a neutral stance in that we don't advocate paying the ransom at all.
We side with the FBI on this. However, if that option is the only available option to the company, and they have exercised all available resources and options at their disposal, then that may be an option on the table.
However, that option should be discussed in depth internally at the highest ranks before that decision is ultimately made.
Where we recommend is taking the money that you would devote to stockpiling the cryptocurrency and investing it in your technology stack, in your IR response platform,
in your individual end users. Because from our stance, that's where the initial point comes in.
If you can identify it quickly, you can solve it quickly.
What about the importance of having up-to-date and regularly tested backups?
It's extremely important because that cuts off, number one, the time frame to actually get business back up and running as usual,
especially with environments in the financial sector, in the healthcare sector, e-commerce business, where if something does plague their environment, it could be the opportunity for lots of money to be lost.
In the healthcare world, if it plagues a hospital, you're talking about the loss of human life in the event something happens.
So not only making the backups, but also regularly testing those is of paramount importance.
That's Michael Doran from Optiv. In the U.S., NASA reports a breach that compromised workforce
personal data. A notice sent out by NASA HR to the space agency's personnel says:
"On October 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA's servers where personally identifiable information was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised."
End quote.
The story is developing. We'll have updates as necessary.
Finally, for your consideration, a different kind of insider threat,
one that involves a rescued parrot and an Amazon Alexa.
It seems that one Rocco, an African gray parrot,
has become too cozy with the family Alexa.
Rocco is something of a recidivist.
He was previously ejected from one of the UK's National Animal Welfare Trust sanctuaries
because he was cussing too much, and visitors found the swearing more than they could bear.
Also, he's thought to have flung his water bowl at passersby.
Anywho, Rocco was removed to the home of trust employee Marion Wischnewski,
where his saucy beak might give less offense.
Soon after Rocco's arrival, Ms. Wischnewski noticed that a number of surprising orders
to her Amazon account had been queued up through Alexa.
Fortunately, she had the proper parental lock established,
so no orders could actually be placed without her approval.
But Rocco had been telling Alexa to get him, among other things,
light bulbs, a kite, watermelon, ice cream, raisins,
strawberries, broccoli, and a tea kettle.
He also asked Alexa to tell him jokes.
Which jokes the news coverage doesn't say, but there's a vast genre of parrot jokes out there,
so perhaps it was one of those.
Rocco also asked Alexa to play music.
His requests tended to be, according to Naked Security, sappy dance tunes.
So Rocco, if you're listening, tell Alexa to play the CyberWire. And, bird, today our closing music is for you. Enjoy.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world
what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers
to learn more.
Do you know the status
of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, it's great to have you back.
We had an interesting story come by on Wired,
and this was about the Signal app, which is a well-known encrypted messaging app.
And they're sort of upping their game here with some new protections to make it even more safe.
Can you give us some of the background here?
What have they been doing, and how have they made it better?
As you know, because it was in the news a couple of years ago, encryption typically is used to hide only the messages that are sent from one party to another, but it doesn't usually hide anything about the so-called metadata, which is information in particular about who the sender is and who the receiver is, and the fact that these two are talking to each other.
And Signal recognized that, and their software until now was like regular encryption: it only hid the messages and didn't hide any of this metadata.
And now they're improving their protocol to also hide information about who's sending the message.
So this means that when somebody, person A, sends a message to another person, person B, the identity of person A will not be stored by Signal, and it won't even necessarily be visible from the communication packets themselves.
Now, the article points out that perhaps this could open up some vulnerabilities as well, that I guess there's less handshaking going on here, verification of the data path?
Yeah, there are a couple of interesting features here that they needed to address.
So for one thing, you think about the sender and receiver communicating with each other, and typically the receiver would like to know who they're communicating with.
And so hiding the identity of the sender seems like a bad idea from that point of view.
There are also cases where Signal itself is using information about the sender in order to prevent abuse or to prevent the sender from sending too many messages in too short of a time span, like to prevent spam or something like that.
But they've designed things so that they can deal with some of these issues.
And in particular, the first one, about letting the receiver know the sender's identity without revealing that information to Signal, they've dealt with that by basically adding a second layer of encryption to encrypt the sender information so that only the receiver can then see it on the other end.
So it's encryption all the way down.
Right, right. And it's pretty interesting, too, because I think Signal, you know, they're demonstrating that they're really taking great care with security. They have some excellent people working on the security of their system, and they're really thinking ahead, kind of proactively keeping one or two steps ahead of an attacker here.
And so I think it's really to their credit that they're thinking about this and that they've come up with a protocol to address it.
Jonathan Katz, thanks for joining us.
Thank you.
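The two-layer design Katz describes, sketched below as an added illustration that is not code from the podcast, from Signal, or from the Wired article it discusses. An outer layer that only the recipient can open carries the sender's identity; an inner layer carries the message under the pair's session key; the relay server sees only the recipient and a delivery token that the recipient handed out to approved contacts, so it can still drop unsolicited traffic without learning who sent it. Everything in the block is an assumption made for the sake of illustration: the toy encrypt-then-MAC cipher built from SHA-256 and HMAC stands in for real public-key and ratchet encryption, the symmetric `RECIPIENT_KEYS` stand in for recipients' public keys, and the `DELIVERY_TOKENS` check is a simplification of the abuse-prevention problem Katz mentions, not Signal's actual mechanism.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key material (assumption: in a real system these would be
# recipients' public identity keys and per-conversation session keys).
RECIPIENT_KEYS = {"alice": os.urandom(32), "bob": os.urandom(32)}
SESSION_KEYS = {frozenset({"alice", "bob"}): os.urandom(32)}
# Each recipient hands a delivery token to contacts allowed to send sealed
# messages; the server checks it without learning which contact is sending.
DELIVERY_TOKENS = {"alice": os.urandom(16), "bob": os.urandom(16)}

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def toy_decrypt(key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: envelope was modified")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def seal(sender, recipient, message):
    """Build a sealed envelope. Layer 1: the message under the pair's session key.
    Layer 2: sender identity plus layer 1, under the recipient's key. The server
    only ever sees the three fields returned here."""
    inner = toy_encrypt(SESSION_KEYS[frozenset({sender, recipient})], message.encode())
    outer_payload = json.dumps({"from": sender, "inner": inner.hex()}).encode()
    outer = toy_encrypt(RECIPIENT_KEYS[recipient], outer_payload)
    return {"to": recipient, "token": DELIVERY_TOKENS[recipient].hex(), "body": outer.hex()}


def server_accepts(envelope):
    """What the relay can check: the recipient exists and the delivery token is the
    one that recipient registered. No sender identity is available to it."""
    expected = DELIVERY_TOKENS.get(envelope.get("to"))
    if expected is None:
        return False
    return hmac.compare_digest(bytes.fromhex(envelope["token"]), expected)


def server_visible_fields(envelope):
    """The metadata a compromised or subpoenaed relay could hand over."""
    return sorted(envelope.keys())


def open_sealed(recipient, envelope):
    """Recipient peels both layers: learns the sender, then decrypts the message."""
    outer_payload = json.loads(toy_decrypt(RECIPIENT_KEYS[recipient], bytes.fromhex(envelope["body"])))
    sender = outer_payload["from"]
    inner = toy_decrypt(SESSION_KEYS[frozenset({sender, recipient})], bytes.fromhex(outer_payload["inner"]))
    return sender, inner.decode()


if __name__ == "__main__":
    env = seal("alice", "bob", "meet at noon")
    print("server sees only:", server_visible_fields(env), "accepted:", server_accepts(env))
    print("bob recovers:", open_sealed("bob", env))
```

The point to take from running it is which party learns what: `server_visible_fields` never includes `from`, a wrong or missing delivery token is refused before anything is relayed, and any modification of the body fails the tag check on the recipient's side, so the metadata hiding does not come at the cost of integrity.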
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly
produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity
teams and technologies. Our amazing
CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.