CyberWire Daily - US indicts PLA officers in Equifax hack. Pyongyang shows pariah states how it’s done. DDoS in Iran. Updates on Democratic Party caucus IT issues. Likud has a buggy app, too.
Episode Date: February 10, 2020. US indicts four members of China's People's Liberation Army in connection with the 2017 Equifax breach. North Korea establishes an Internet template for pariah regimes' sanctions evasion. Iran sustained a major DDoS attack Saturday. US Democratic Party seeks to avoid a repetition of the Iowa caucus in other states as the Sanders campaign asks for a partial recanvas. Israel's Likud Party involved in a voter database exposure incident via its own app. Joe Carrigan from JHU ISI with a look back at the Clipper chip. Guest is Shannon Brewster from AT&T Cybersecurity with thoughts on election security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. indicts four members of China's People's Liberation Army
in connection with the 2017 Equifax breach.
North Korea establishes an Internet template for pariah regimes' sanctions evasion.
Iran sustained a major DDoS attack Saturday.
The US Democratic Party seeks to avoid a repetition of the Iowa caucus in other states as the Sanders campaign asks for a partial re-canvas.
And Israel's Likud party is involved in a voter database exposure incident via its own app.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 10th, 2020.
This morning, U.S. Attorney General Barr announced the indictment of four members of China's People's Liberation Army
on charges related to the 2017 data breach at Equifax.
The four officers, whom the Attorney General did not name,
face nine charges of conspiracy to hack and commit economic espionage.
The PLA is alleged to have broken into Equifax, stolen personal information on about 150 million Americans.
That's roughly half the U.S. population.
Names, dates of birth, and social security numbers were among the data taken.
The hackers are also said to have stolen Equifax intellectual property,
particularly trade secrets involving techniques of handling very large databases of personal information.
The breach was reported by Equifax in 2017 and has been under investigation since then.
The Department of Justice leaders who spoke at the press conference
repeatedly thanked Equifax for its cooperation in the investigation.
The Attorney General said,
The attack is of a piece with other Chinese illegal acquisition of data.
He reviewed China's record of espionage and said that this particular attack is particularly
worrisome because of the data's potential utility in enabling artificial intelligence
and in developing targeting packages against U.S. citizens.
The official said the U.S. normally doesn't bring criminal charges against foreign military
or intelligence personnel.
It's only the second time the U.S. has indicted members of the People's Liberation Army.
The officials at the Department of Justice briefing stressed that Chinese espionage is different.
They attribute some 80% of espionage to China and said that the People's Republic
is responsible for 60% of trade secret theft.
The differences lie first in the indiscriminate collection
against individual Americans.
In no respect, the Justice Department says,
can collecting PII on half of the country's population
be considered a legitimate targeted espionage campaign.
Moreover, the industrial espionage is being conducted to support the business of Chinese firms,
and that too is not a customary goal of intelligence gathering.
Kaspersky Lab warns that North Korea's Lazarus Group, APT38,
while retaining its focus on cyberattacks that can help redress Pyongyang's
chronic sanctions-induced financial shortfalls, has recently grown subtler and more evasive,
showing greater facility at misdirection. The increase in sophistication has followed
the group's Operation AppleJeus, which showed the Lazarus Group's first focused efforts against
macOS targets. The threat actor has refined its technique against both Windows and macOS systems.
The Lazarus Group has recently been most active against the cryptocurrency sector,
and most of its victims, chosen opportunistically,
have been in the UK, Poland, Russia, and China.
The NetBlocks Internet Observatory reported Saturday
that Iran sustained a large distributed denial-of-service attack.
The Financial Tribune quotes authorities as saying that they successfully parried the attack
and that they were unable to attribute the incident to any nation-state actor.
Forbes writes that 25% of Iran's Internet was rendered unavailable,
but that's after Iran activated its Digital Fortress defenses,
which are thought to impose their own penalty on connectivity as a cost of increased security.
That Iran declined to attribute the attack to any specific nation-state
or indeed to any particular threat actor at all is noteworthy.
The DDoS attack took place the day before yesterday's failed attempt to put Iran's Zafar satellite into orbit,
and some outlets, like Emirati newspaper The National,
speculate that this timing may have been more than coincidence.
But this has remained uncorroborated speculation.
The launch took place, but the satellite failed to reach orbit.
Tehran, in announcing the results of the attempted launch,
did not call out a cyber attack or any foreign interference as a cause of the failure.
Wary after the Iowa Democrats' dismaying experience with a misbehaving app
during last week's caucus in that state,
party officials in Nevada told the Nevada Independent Thursday
that they decided to forego using any mobile applications whatsoever for their caucus,
but that may not be
entirely the case. Saturday, the Nevada Independent reported that precinct leaders would receive
iPads with a preloaded tool they would use to assist them with their viability calculations.
The party cautioned its precinct workers not to refer to the software on their iPads as an app
because it's not an app at all. They say it's
actually a tool. How that avoids being a distinction without a difference remains unclear.
In any case, it's apparently not going to be a tool produced by Shadow Incorporated, the firm
that built the failed Iowa Reporter app. The Wall Street Journal isn't particularly optimistic about
the upcoming Nevada caucus,
describing preparations as cobbled together.
It's worth noting that caucuses aren't primaries.
Primaries, like the one coming in New Hampshire,
are much closer to a preliminary election than are the more informal caucuses.
Primaries are run by state governments using procedures and technology similar, if not identical, to that used in elections.
The less transparent caucuses are run by state parties,
and the Washington Post says Democrats are worried about other caucuses repeating Iowa's unfortunate experience.
It's also worth repeating, again, because there's been so much misleading speculation to the contrary,
that there's no reason to reach for a cyberattack to explain why events in Iowa happened as they did. The problems with reporting the results
seem entirely explicable in terms of the buggy app the state party saddled itself with.
As Dr. Freud is apocryphally said to have put it, sometimes a cigar is just a cigar,
and in Nevada, sometimes an app is just a tool. Or something like that.
Iowa's caucus isn't over yet, either. The Sanders campaign has said it will ask for
a partial re-canvas of that state's party results, according to The Hill.
The issues in Iowa have reminded many that this year's round of elections are likely to be
anything but routine. We checked in with Shannon
Brewster from AT&T Cybersecurity for his insights on election security. I would say that election
operations are done in a very decentralized way in the United States. It has pros and cons, right?
I mean, it creates a fragmented approach, but it also makes it difficult for an external threat
actor to attack those jurisdictions with a single campaign because every operation is different.
They're using different technologies.
They're bringing forward a different approach.
For the folks who have this task ahead of them, what sort of recommendations do you have?
What are some of the best practices specifically for securing elections?
I would bring forward three main points.
That's a great question.
I mean, the first thing you need to think about is
what are my risks and do I understand my attack surface, right?
And secondly, I would say you really want to think about
how do I baseline a security program
that is specifically applied to elections
and don't overlook the basics.
We really get caught up sometimes in hearing about the threat actors, the nation states,
but if you step back and consider what an election is doing and what it's there for,
you have to appreciate that public trust in the integrity of the election is really fundamental.
And when it comes to that, perception can be reality, right? So simple, fundamental security
basics that should be implemented when you're putting together a system really shouldn't be
overlooked, right? Because any breach of something fundamental like that could be just as devastating
as an external threat actor.
And then the third thing I would say is be aware of the resources that are available through
DHS, Cyber Infrastructure Security Agency that sits as a subcomponent under DHS,
and some of the other resources that can be taken advantage of through third parties to help
baseline that program and build out a program that is maturing over time.
You know, it really strikes me that this is a collaborative process between not just the folks on the technical side of the house, but those people who have to communicate the message out
to the public, like you say, for confidence in the elections themselves, that these are
the things that we're doing. And you can rest assured that these elections are going to be valid.
That's absolutely right. Absolutely right.
And I would say if you approach it holistically, that is probably the best approach to be able to communicate that message that you've taken a proactive approach using a security framework to baseline a program against.
DHS is recommending NIST CSF
as an example. It's a very simple framework to align to, and you've got those five areas,
right? Identify, Protect, Detect, Respond, and Recover. So, you know, aligning
everything you're doing holistically and not getting focused on one particular
component of the operation is really
fundamental. That's Shannon Brewster from AT&T Cybersecurity. Apps are causing other parties
and other countries problems too. Haaretz reports that Israel's Likud party's unsecured elector app
uploaded and leaked names, identification numbers, and addresses of more than 6 million voters.
The paper explains that
Israeli political parties receive personal details of voters before the elections
and commit to protecting their privacy,
as well as not to reproduce the registry,
not to provide it to a third party,
and to permanently erase all the information once the election is over.
So, this is apparently a case of
inadvertent exposure, not theft of a voter database. Elector's developer, Feed-b, minimized
the incident as a one-off incident that was immediately dealt with. The company says it's
upgraded its security since learning of the exposure. It's unknown whether anyone improperly
accessed the data, but the possibility is difficult to exclude,
and the people who potentially had access to the data aren't all in Israel.
Elector has users in other countries, including, according to Haaretz,
Russia, China, the United States, and Moldova.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, great to have you back.
Hi, Dave.
You know, there's that old saying about those who forget history are doomed to repeat it.
Yes.
And I saw an article come by from The Register, and this was taking us down a little trip about the old Clipper chip back in the 90s.
A little trip down memory lane.
A little, exactly.
Down bad memory lane.
I suspect we have probably a lot of listeners, perhaps younger folks, who may not be familiar
with the Clipper chip.
Can you give us a little overview what it was about?
The Clipper chip was a way to introduce a backdoor into cryptographic algorithms by having a chip on the
device that would allow the government access to encrypted communications. It's important to
remember that back in the early to mid-90s, when this was a thing, it was much more efficient to
do encryption in hardware than in software. The computers just weren't that fast back then.
Yeah, encryption is always more efficient to do in hardware.
It's just that now we have computers that can do it
with the same amount of overhead.
It's just they're much more powerful and faster now.
Yeah.
But keeping that in mind, these chips were terrible chips.
First off, they were expensive.
Right.
And second off, they had all kinds of vulnerabilities in them.
Hmm.
And the article actually says that the chips were so bad
that people who worked on the
project were actually leaking information about how bad they were because they were concerned
about the security of these systems. And the notion here was that this was a way that if you
were someone who felt like you needed to use encryption, you could, but if the NSA needed to
get at that data, they had a back door that was burned into the chip.
Right.
And not just the NSA, any law enforcement agency that presumably would get a warrant
to do it.
I don't know, but maybe just look at it.
Who knows?
Right.
It's ripe for abuse is my concern.
And how did it play out?
Yeah, it eventually failed.
It met a lot of resistance from security and privacy advocates.
And then once all the information came out about how buggy it was,
it kind of just died off and wasn't picked up.
But now we're back at it again as a nation here in the United States.
The crypto wars are back.
Right.
And Attorney General Barr has said that he needs to have access
to encrypted communications with a backdoor,
and he's pressuring tech companies.
And this is nothing new.
This is also done under the Obama administration.
Eric Holder was a big proponent of this as well.
One of the most telling things is Senator Lindsey Graham,
who says to the tech companies, quote,
you're going to find a way to do this or we're going to do it for you.
Now, you'll forgive me, Senator, with all due respect. I do not have faith in your ability or
the Senate's ability to write a law that is knowledgeable about cryptography and can do
this well. And I've seen people. Yeah, I've seen people respond to this and say you can't legislate
math. Right. And what they're talking about there is you can make Facebook and
WhatsApp and Apple all put backdoors into their communication, right? And then yes, you can have
access to that communication. All that will do is give you access to law-abiding citizens'
information, right? The criminals are going to write their own code. They're going to write
their own software and they're going to use that.
And that's how they're going to encrypt it.
And you will not have a backdoor into that, no matter what.
Period.
That won't happen.
And it's not a hard thing to do these days.
It's really not.
The libraries are out there to be implemented.
All you have to do is implement it correctly.
It's pretty well documented on how to do it right.
Yeah. There is a paper that was written, a position paper,
called Keys Under Doormats: Mandating Insecurity
by Requiring Government Access to All Data and Communications.
Okay?
This reads like a who's who.
The author's list reads like a who's who of cryptography.
Whit Diffie is on the author's list.
Matthew Green from Hopkins is on the author's list.
Ronald Rivest, he's the R in RSA.
He's on the author's list.
Bruce Schneier is a contributor to this paper.
Matt Blaze, who's quoted a lot in this Register article, is also on this paper.
And there are many other authors on this paper.
Those are just the more notable names that pop out to me.
But this paper takes a very strong stance against backdoors into encryption and why
it's not going to work. First off, if you do it, you really weaken the encryption for everybody,
right? You and I will not be able to communicate securely. Bad guys will probably get access to it
with a very high confidence interval, I'm saying. I would say it's 95% the case that that system is going to be
found to be vulnerable at some point in time. But what's more important is that oppressive regimes
could use this as well, right? If you mandate access to this communication from the American
standpoint, how do you stop someone like an Iranian regime from saying, we need to find all
the dissidents in our network who are violating
our laws. Give us the keys, right? How do you, how do you say we can't do that now? And while
here in America, we have certain legal protections, right? That are not available abroad, but in
America, we have those legal protections now, right? What about the future? Maybe I'm not
concerned about Senator Graham or Attorney General Barr, but what about 10 years from now?
Who's going to be in those offices?
We have no idea who's going to be in those offices.
And I want to be protected against that down the road.
All right.
Well, it's an interesting trip down memory lane.
I suggest for our listeners, if you're not familiar with the story of the Clipper chip. It's a good background to kind of inform
your knowledge of how we got to where we are today when it comes to this encryption conversation.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the CyberWire.
Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim
Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.