What do AI and machine learning mean for cybersecurity?
The week that was.
Lone wolves, known wolves, and how the pack howls.
ISIS called for jihad during Ramadan (Newsweek), and sadly, terror returned to the UK this Saturday evening (Telegraph). In a story that's still developing, police are looking for attackers who drove into pedestrians on London Bridge and at Borough Market, then dismounted and attacked with knives (Telegraph). At least seven victims are reported dead; three attackers were killed. Authorities comb jihadist networks and media for clues; twelve arrests had been made by Sunday (BBC). Police, security, and public safety agencies worldwide move to heightened alert. ISIS newspaper al-Naba's Thursday issue had promised more attacks would be coming to the UK. Attacks have picked up during Ramadan; the Islamic holy month is expected to end June 25th (Daily Caller).
The Manchester terror-bombing had already prompted more discussion in the UK about restricting encryption. The hope is that backdoors or other limits on crypto would enable more effective surveillance by security authorities (TechCrunch). The crypto-wars in the US have so far been fairly clearly won by the pro-encryption side (former FBI Director Comey having been the last prominent backdoor dead-ender).
The outcome in the UK may be different. Prime Minister May's Sunday reaction to the London attacks ("enough is enough") included a call for eradication of "safe spaces" the Internet and its providers have given terrorists. She specifically called out "the single evil ideology of Islamic extremism," whose inspiration she said must be driven from cyberspace (Independent). She expressed the intention of pushing for regulatory limits on strong, end-to-end encryption (Ars Technica). Her model would be the European one as opposed to the more freewheeling Internet governance that prevails currently in the US (Washington Post). It seems worth noting that much extremist inspiration derives from fairly overt jihadist online magazines as opposed to encrypted channels (BBC).
Apart from vandalism and defacement of soft-target Websites, the terrorist threat in cyberspace has mostly manifested itself in information operations, not proper cyberattacks. The Web affords extremists a propaganda, recruitment, and inspiration channel with very low barriers to entry. Countering those information operations assumes greater urgency after a massacre; responses usually take the form of blocking, tighter surveillance, or counter-messaging. Blocking tends to strike public opinion as the most promising first response (Foreign Affairs), but attempts by social media providers to filter content have shown blocking to be problematic. Not only does it seem practically impossible to disentangle interdicting extremist messaging from more obviously objectionable forms of censorship, but it's also just a lot harder than it looks (Motherboard). In Pakistan, to take one country's experience, more than forty banned extremist groups operate with impunity on Facebook (Dawn). And it's not just Facebook: people game Twitter, too, and that has implications for information operations (New York Times). YouTube is the latest channel to try its hand at content filtering (TechCrunch).
Controversy surrounds "missed signals" that might have helped security authorities roll up the jihadist bomber and his enablers (New York Times). The will to use even currently available legal authorities for counterterrorism is also being questioned: UK Home Secretary Amber Rudd confirmed that temporary exclusion orders (TEOs) have been used only once since their enactment in February 2015. TEOs can deny British subjects suspected of fighting abroad reentry to the country (Times).
Other European arrests showed more attention to wolfish signaling. French authorities released more information on the jihadist network rolled up in Marseilles. One leader was such a known wolf that he did a stretch in US custody at Guantanamo Bay; he was released to live in France upon official French acceptance (Voice of America). Police in Brandenburg arrested a teenage refugee on suspicion of planning a suicide bombing in Berlin (Deutsche Welle).
Hybrid warfare: the continuation of politics by other (deniable) means, often in <140 characters.
Russia and Ukraine continue their war less lethally via Twitter. The governments exchanged 140-character volleys over whether Anne de Kiev (d. AD 1075, daughter of Jaroslav the Wise and consort of King Henry I of France) was Ukrainian or Russian. Russia tweeted that the two countries' common heritage should unite rather than divide them. (Much as a bear might seek to unite itself with a salmon.) Ukraine replied with a Simpsons GIF ("You really don't change, do you?") showing Russia as just the old Soviet Union: new nameplate, same management. (American cultural referents noted.) Kinetic aspects of Russia's hybrid war have, sadly, claimed some 10,000 victims (Foreign Policy).
During a joint appearance Monday at Versailles with Russian President Putin, French President Macron called out RT (originally Russia Today) and Sputnik as state-directed agents of influence, fonts of disinformation (Atlantic). That RT and Sputnik peddle disinformation is widely believed in the West. RT also peddles UFO stories, vaguely lefty conspiracy chatter, and commentary from post-modern philosopher Slavoj Zizek (Moscow Times).
In another appearance Mr. Putin denied knowledge of any Russian hacking of US elections, although he did speculate that free-spirited patriotic hackers might well have sought in their creative way to redress anti-Russian slanders (New York Times). The free-spirited hackers could even have been Americans, for all he knows (Euronews). He also thinks Ed Snowden misguided, but not actually a traitor to the US, and that it's a shame for anyone to conduct surveillance of their friends (Times of India).
The ShadowBrokers, inveterate NSA gadflies who posture implausibly as Robin-Hoodish hacktivists and communicate in artificially broken English, opened their promised exploit-of-the-month club Thursday. The Brokers emptied their Bitcoin wallet Monday and have switched to Zcash, an alternative cryptocurrency; they plan to move to a different cryptocurrency every month. The cost of a single subscription is approximately $22,000 per month. The Brokers describe their offering thusly: "Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing 'the game' is involving risks" (Naked Security).
The ShadowBrokers' identity remains unknown, as does how they get their stolen exploits. Some observers doubt the Brokers are really in it for the money. Earlier forays into exploit sales haven't netted them much: auction, direct sales, and crowdfunding efforts are generally regarded as flops. Oddly, although they're using Zcash in June, the ShadowBrokers denounce the currency as a tool of US and Israeli intelligence (Bleeping Computer). Subscribers who sign up this month receive their first exploit in July (Reuters).
There's no doubt about WikiLeaks' identity (it's led by Julian Assange) although the group's motivation is sometimes a matter of dispute. On Thursday WikiLeaks released another tranche of material from Vault7, this purporting to reveal details of a CIA program, "Pandemic" (Threatpost, Bleeping Computer).
Sensitive but unclassified information from the US National Geospatial Agency was inadvertently exposed by a contractor on an AWS server. How long the data were exposed isn't clear, but they have now been taken down (Graham Cluley).
NATO added new members Belgium and Sweden to its Cooperative Cyber Defence Centre of Excellence. Bulgaria and Portugal will join soon (Infosecurity Magazine). NATO also warned this week that sufficiently damaging cyberattacks on a member state's infrastructure would trigger Article 5, the alliance's collective defense provision (Defense News). The alliance is also seeking to enhance deterrence (Defense News). (But see the next two sections for notes on the difficulties surrounding both attack phenomenology and attribution.)
Hack or glitch? In this case, glitch.
A global IT outage crippled British Airways operations last weekend. Initial alarmist reports suggested the carrier had sustained a cyberattack, but the airline said it was a power system issue, specifically an inadvertently pulled plug (Computing). Operations have returned to normal, but British Airways is believed to have taken a financial bath from the outage, losing an estimated £150 million (Times). The incident is another example of the difficulty of distinguishing attack from accident.
The murky arts of attribution.
Symantec and Kaspersky have both pointed toward North Korea as the source of the WannaCry ransomware pandemic that broke out to great éclat on May 12 of this year (Spamfighter News, PPP Focus). They point to similarities with Lazarus Group code used in earlier attacks. The Lazarus Group has been associated with the DPRK, most recently by a new study of the Sony and Bangladesh Bank hacks by Group IB (Register).
As usual, attribution is complex, circumstantial, and controversial (SANS Internet Storm Center). Flashpoint, whose linguistic staff contributes extensively to its investigations, thinks the signs point to native speakers of Chinese: the Korean-language elements of the campaign seem unlikely to have been written by native Korean speakers, and the authors probably hail originally from south China (Gizmodo). That's still circumstantial and short of decisive (Flashpoint itself cautions that, at the very least, there's a large Chinese diaspora, and others have noted a degree of interpenetration of North Korean state cyber operators and Chinese criminal gangs), but it's still suggestive.
Serious companies are aware of these ambiguities. Symantec, for example, has an interesting story about hacking in Moldova and Transnistria that looked like a nation-state attack. It turned out, however, that the "Bachosens" malware was probably the work of a skid hood (Dark Reading). "Igor," as Symantec nicknamed him, is no secret agent. He works at an auto parts store in Tiraspol (Bleeping Computer).
Patching: some fixes are silent, some announced with a blare of trumpets.
Microsoft issued a silent fix for its Malware Detection Engine on May 24, closing a vulnerability Google's Project Zero disclosed to Redmond on May 12 (Threatpost). The problem lay in an x86 emulator that wasn't sandboxed; attackers could have exploited it to execute input/output control commands. With a silent patch, users whose systems are set to the defaults receive the upgrade automatically, without need for further specific action on their part.
How Google itself is dealing with issues in Android and Chrome is louder. Google was dealing with at least four issues this week: three in Android, one in Chrome. "Judy" adware has led Google to kick forty-one infested apps from Google Play (Bleeping Computer). Check Point thinks Judy unusually extensive, the biggest adware infestation so far found in Google Play (Neowin). The second issue, "Cloak and Dagger," is a family of credential-stealing attacks demonstrated and reported by researchers at Georgia Tech and the University of California Santa Barbara (Silicon UK). Google is working on remediation (Hack Read). The third problem is malicious, spam-serving apps Sophos found in Google Play: corrupted versions of Star Hop and Candy Link, both to be avoided (Naked Security). The Chrome issue is a surveillance bug that doesn't trigger the browser's red-circle-and-dot warning. It won't receive emergency attention because the real security lies in the pop-up dialogue box, which still appears (Bleeping Computer).
Cisco and Netgear plan patches for the Samba SMB vulnerability disclosed last week (Threatpost).
Appthority warns that a newly discovered vulnerability, "Hospital Gown," opens over a thousand mobile apps to backend exposure. (Right, Appthority: "Hospital Gown," "backend," everyone gets it. Right, everyone?) Researchers say vulnerable apps with backend services flapping in the breeze can be found in Apple's App Store and Google Play. Cupertino and Mountain View have been notified (eWEEK). Remediation is presumably in progress.
Ransomware rises in the underworld (but old-fashioned carding and credential theft are still with us).
Criminals are concentrating on extortion as opposed to carding and other data theft (Computing). The costs ransomware imposes run high, and aren't limited to the ransom itself. The twelve National Health Service Trusts hit by WannaCry aren't talking on the record, but one source says they expect recovery costs north of £1 million (Digital Health).
But, as Chipotle's experience this week indicates, point-of-sale attacks remain a threat (TheStreet). Old-school data thieves are quick, too: a US Federal Trade Commission honeypot experiment concludes it takes crooks only about nine minutes to put stolen data to use in the black market (FTC). Kmart also disclosed a point-of-sale breach (Infosecurity Magazine).
Distributed denial-of-service attacks remain a thing, having evolved from hacktivist protest to a crime and espionage tactic (Infosecurity Magazine). And Symantec warns that while ransomware may be getting the headlines, malware is a bigger problem for the financial sector (PYMNTS).
OneLogin disclosed a data breach. Experts still recommend password managers, but they're getting queasy over the possibility that such tools can constitute a dangerous single point of failure (Dark Reading).
Anarchist re-enactors prepare their next virtual infernal machine.
Anonymous, the anarcho-syndicalist hacktivist collective whose recent ops have largely fizzled, may be prepping an upgraded version of the Houdini worm for use in an upcoming campaign. Recorded Future has been following the lead hacktivist's tracks in Facebook and Pastebin (Infosecurity Magazine).
Tech trends shaping the security software market.
Gartner thinks the security software market is being shaped by developments in "advanced analytics, expanded ecosystems, adoption of SaaS and managed services, and the prospect of punitive regulations" (Help Net Security). The punitive regulations aren't just coming from the European Union and its looming GDPR; investors in the cybersecurity sector, particularly private equity investors, are very much aware of how regulation and litigation are driving the market (The CyberWire).
There's also growing collaboration among companies: Cisco's threat data will now feed IBM's security AI, for example (CSO).
© 2018 CyberWire, Inc.