Find out how you can be equipped with a continuous 360° view of which critical assets are at risk, what security issues you should focus on, and how best to harness your resources to resolve them. Simulate, validate and remediate hackers’ path to your organizational critical assets.
The Week that Was.
March 2, 2019.
By the CyberWire staff
What does persistent engagement look like? Ask the Internet Research Agency.
US Cyber Command, supported by intelligence from the National Security Agency, shut off the internet for Russia's Internet Research Agency (IRA) on the day of the US midterm elections and for about a day afterwards, according to the Washington Post. Speaking anonymously, US officials told the Post that the operation was meant to prevent the troll farm from spreading disinformation during the vote or raising skepticism about the results.
After briefings held earlier this month, Senators of both parties credited Cyber Command with preventing foreign influence on the election, and regretted they couldn't share details with the public (Washington Post). The New York Times had reported that Cyber Command was sending direct messages to employees of the IRA and other Russian operators to let them know they were being watched, and Russian officials may have responded with a mole hunt (Naked Security). Rob Joyce, a senior cybersecurity adviser at the NSA, said on Thursday that the time has come "to alter the field and not just stand back and wait for [our] opponents to probe us" and that “we have to impose costs in a visible way to start deterrence.” He added that preparation to defend the 2020 election is already underway (CyberScoop).
The overall reaction to the campaign in the US has been positive. While some said operations like this aren't even close to a long-term deterrent, that wasn't the point. Defense officials told the Post that "grand strategic deterrence" wasn't the objective. Ben Buchanan (Lawfare) agrees, saying it was instead "an attempt to deny, temporarily removing an arrow from the Russian’s quiver." Jason Healey at the Cipher Brief says sometimes "you just have to stop adversaries from punching you." Cyber Command calls the strategy "persistent engagement."
Attending RSA? Book a Meeting Today – and Get a Free Expo Pass!
Join Carbon Black at the RSA Conference. Schedule time for a 1:1 conversation at RSA and see the show floor – on us! Book your meeting today!
Hacking the ostensibly unhackable.
MIT Technology Review reports that blockchains can in fact be hacked. The theoretical possibility wasn't unforeseen—it's the 51% attack, in which an actor gains control of a majority of a network's mining power and forks the blockchain to defraud other users—but it had widely been held to be practically too difficult to amount to a realistic threat. But since the latter part of 2018 Verge, Monacoin, Bitcoin Gold, Vertcoin, and Ethereum Classic have sustained 51% attacks, facilitated by hashrate black markets where attackers can rent computing power. Security flaws in ancillary systems, notably smart contracts, have also been exploited.
Cryptocurrencies, and these are still the principal blockchain applications, of course continue to attract broad interest and support.
Get comprehensive information about securing the DIB supply chain
According to a 2018 Ponemon report, 61% of surveyed organizations have experienced a data breach caused by a third-party vendor. Cyber criminals are targeting Defense Industrial Base (DIB) supply chain vendors in order to gain access to government networks. The latest case study from Attila Security will help identify solutions to keep your organization’s data secure while avoiding disruptions to the DIB supply chain. Download the Vulnerabilities Within The DIB Supply Chain Case Study today.
Smartphone hacking tools are selling for cheap.
Extremely sophisticated smartphone hacking devices from Cellebrite are selling on eBay for as low as $100, according to Forbes. The tools, which are meant for use by law enforcement, can be used to extract data from iPhones and Android devices. Israeli company Cellebrite sells the products for $6,000 a piece to law enforcement agencies worldwide, including the FBI. When Cellebrite releases new models, some customers apparently sell their used devices online, which is unwise for a host of reasons. Besides the obvious danger that they'll be used for malicious hacking, the devices haven't been wiped by their previous owners. Security researcher Matthew Hickey purchased twelve of the devices and found data that had been extracted from phones, some of which was likely extremely sensitive. Even worse, if the encrypted software on the device can be decrypted, it may reveal the zero-day vulnerabilities Cellebrite uses to break into phones (AppleInsider).
Expert-led sessions. Two Expo halls full of the latest cybersecurity solutions. Fascinating keynote speakers. You guessed it—it’s RSA Conference 2019, March 4 – 8 in San Francisco, the ultimate place to expand your knowledge, your perspective, your network and your career. From the latest trends to best practices, RSAC 2019 is your one-stop-shop for cybersecurity intel. Register today.
North Korea-linked phishing lure spotted before summit.
North Korean hackers may have been active just before the Trump-Kim summit, according to ESTsecurity, a Korean cybersecurity company. Last week, researchers came across a phishing document posing as an invitation from a diplomatic organization to a meeting in Seoul to analyze the the summit. Adam Meyers from CrowdStrike told CyberScoop that his company has seen the same document in use by a threat group linked to North Korea. The phishing lure on its own isn't enough to say with any confidence that it came from a state-sponsored group, although it wouldn't come as a surprise if it was linked to Pyongyang. Prior to last year's summit between the two leaders, North Korean hackers were launching attacks against companies around the world (CyberScoop).
Pyongyang's cyberattacks weren't the focus of the summit. Some are speculating, in the game-theoretic way security thinkers have, that possession of capable cyber weapons might even make Mr. Kim feel better about giving up his nuclear arsenal (Fox). Numerous observers point out North Korea's cyber capabilities could serve as a different type of deterrent if the country gives up its nuclear weapons (InsideSources).
Adversaries are creating new attacks at such a speed and volume that signature and sandbox-based threat detection can’t keep up. Deep learning can help. By exposing neural nets to threat data, deep learning can learn to identify malicious traffic, even zero days seen for the first time. But why are advances possible today? How does deep learning differ from machine learning? Where’s the best place to apply deep learning? Get the answers here.
Researchers from BullGuard discovered that the Amazon-acquired Ring Doorbell home security device has a serious vulnerability which could allow an attacker on shared WiFi to receive video and audio from the device, as well as modify the video stream. A patch has been issued, and users are urged to update (Threatpost).
Two high-severity vulnerabilities in the SHAREit Android app received patches in March 2018. Researchers at Redforce discovered the flaws in December 2017, but didn't publicly disclose them until Monday due to their severity and ease of exploitation (Threatpost).
NVIDIA has patched eight vulnerabilities in its GPU display drivers, two of which were high-risk (SecurityWeek).
Cisco has issued yet another patch for its Webex Meetings platform after researchers found ways around the previous two fixes (Threatpost).
Crime and punishment.
The Moscow District Military Court has handed down sentences in a treason case in which the defendants were alleged to have been working for US intelligence services. Former FSB officer Sergei Mikhailov will serve twenty-two years in a high-security prison. Ruslan Stoyanov, formerly a manager at Kaspersky Lab, will serve fourteen years (Bloomberg).
Canada will proceed with an extradition hearing for Meng Wanzhou, Huawei's CFO. She’s currently being detained in Vancouver, where a Canadian court will decide whether she is to be extradited to the US where she will face charges related to money laundering and sanctions evasion. There’s been no decision yet, but observers think it fairly likely that she’ll eventually be turned over to American authorities (Wall Street Journal). In a separate but related action, Huawei has entered a plea of not guilty to US charges involving alleged industrial espionage (Fortune).
Stanislav Vitaliyevich Lisov, noms-de-hack "Black" and "Blackf," took a guilty plea last week in a New York Federal court to cybercrime charges. Mr. Lisov, a Russian national, used the NeverQuest banking Trojan to take control of victims' computers and drain their bank accounts. Arrested in Barcelona in 2017, Spanish authorities extradited him to the United States in January of 2018. The Russian government denounced the arrest and extradition as a "kidnapping" (ZDNet) but their protests fell on deaf Spanish and American ears. Mr. Lisov will be sentenced in June, and could face up to five years.
The US Justice Department Monday charged a graduate of the College of Saint Rose in Albany, New York, for destroying more than fifty computers at his former college using a malware-laden USB drive.
The US Government recovered and returned 27.7 stolen Bitcoins to the Hong Kong-based cryptocurrency exchange Bitfinex. While it's not much compared to the 119,765 Bitcoins that were stolen from the exchange in 2016, the gesture was a pleasant surprise. Bitfinex's CFO Giancarlo Devasini thanked US law enforcement agencies "for their ongoing efforts to investigate the security breach and their commitment to seizing and returning stolen assets" (iTnews).
Courts and torts.
Remember the Equifax breach? US and Canadian regulators do, and they're thought to be preparing new actions related to the security lapse (Wall Street Journal).
The US Federal Trade Commission has fined TikTok, makers of a video app that caters to lip-syncing tweens for improperly collecting information on minor users (WIRED).
There's been a lot of complaint about the failure of YouTube and Instagram to take down the viral, self-harming "Momo Challenge" said to be infesting otherwise innocent videos, and there've been calls for sharp government action, particularly in the UK (Telegraph). In fairness to the social platforms, however, there's a problem with the cries for takedown and punishment: no one who's looked for Momo, including the Washington Post, seems to have been able to actually find her. Talk about Momo, yes, and there's plenty of that, but an actual Momo video in the wild that's actually hurt somebody? Not so far. Naked Security traces the scare back to last summer, notices that it surfaced again a couple of weeks ago, and that it seems to be the online equivalent of a scary campfire story.
Policies, procurements, and agency equities.
The Federal Trade Commission on Monday announced the launch of a task force that will monitor the tech industry for "anti-competitive conduct." The Technology Task Force will be made up of seventeen staff attorneys currently working for the FTC's Bureau of Competition who have "unique expertise in complex product and service markets and ecosystems, including markets for online advertising, social networking, mobile operating systems and apps, and platform businesses" (TechCrunch).
Fortunes of commerce.
DarkMatter has asked Mozilla to whitelist DarkMatter certificates into Firefox's certificate store. The request is controversial (ZDNet). On the one hand DarkMatter is known as a vendor of surveillance tools, and so the EFF and others warn against giving the company what could amount to an ability to intercept traffic without triggering errors in some Linux systems. On the other hand, DarkMatter does seem to have a clean record as a certificate authority.
Intel has backed out of its 5G deal with Unisoc, China's second-largest mobile chip developer, partly due to worries that the partnership could complicate matters with Washington. The deal was announced less than a year ago at the 2018 Mobile World Congress in Barcelona. Nikkei cites a source as saying that Intel’s former CEO Brian Krzanich, who departed the company in June, was the primary advocate for the deal. The US has greatly increased its pressure on Chinese technology companies since then, citing security concerns that the equipment could be backdoored for purposes of espionage during production (VentureBeat). Intel says the decision was mutual, and that there was no political pressure from the US. Unisoc, a subsidiary of the Chinese state-owned Tsinghua Unigroup, announced on Tuesday that it will design its own modem 5G chip in-house.
Huawei is fighting the allegations by the US and its allies that its equipment poses a security threat in what Reuters calls an "unprecedented public relations blitz." The company's officials at the Mobile World Congress this week have been using sarcasm and jokes to address the issue (Japan Times). The company also ran a full-page ad in the form of an open letter in major US newspapers on Thursday, including the New York Times, the Washington Post, the Wall Street Journal, Politico, USA Today, and the Los Angeles Times, telling Americans it would "like the U.S. public to get to know us better" and that "the US government has developed some misunderstandings about us" (Reuters). Similar ads were also run in other countries, including New Zealand and Germany (CNBC).
The Office of the Director of National Intelligence (ODNI) and the Office of Personnel Management (OPM) on Thursday gave details regarding the planned changes to the security clearance process (Federal News Network). After an individual is initially vetted, a continuous vetting process will replace periodic reinvestigations, with the level of vetting corresponding to the individual's position. Cleared contractors will also be able to transfer between government agencies without needing to receive a clearance from each one. Some thoughts on what motivates people who could make more money elsewhere to take jobs in national security (Clearance Jobs).
Greg Touhill, the former Federal CISO of the United States who is now president of Cyxtera Technologies, believes taking employees from other career fields and "reskilling" them in cybersecurity will play a large role in filling the job gap (BankInfoSecurity).
Australia Federal Police Commissioner Andrew Colvin told a senate committee hearing that finding and retaining cybersecurity talent is a "constant challenge," as specialists are attracted to more lucrative private sector opportunities. The Australian Cyber Security Growth Network has estimated that approximately 11,000 workers will be needed by 2026 (iTnews). The Australian Labor Party is hinting at legislation that would punish "digital poachers," or private sector vendors that lure cyber talent away from the federal government (iTnews).
Tommaso De Zan, a PhD Researcher in Cyber Security at the University of Oxford, says that the nature of the cybersecurity skills gap isn't understood well enough to implement an effective response. Some experts don't believe there is a shortage of skills in the cybersecurity sector. Others think that even there is, there's not much that's being done about it. De Zan believes that governments need to clearly measure and understand the shortage before they can address it effectively (Council on Foreign Relations).
Mergers and acquisitions.
Entrust Datacard appears to be the right suitor to pick up nCipher. Thales spun out nCipher, which specializes in general purpose hardware security modules, to clear the anti-trust decks for its acquisition of Gemalto, which Thales expects to close in March (Register).
Security awareness training company KnowBe4 is expanding into Brazil with the purchase of cybersecurity company El Pescador. El Pescador will maintain its brand, operating as an independent subsidiary of KnowBe4 (CISO Magazine).
Palo Alto Networks has made five acquisitions, totaling more than $1 billion, since the beginning of 2017. Most recently, it purchased security orchestration, automation, and response company Demisto for $560 million. Before that, the company bought two cloud computing security firms. All of Palo Alto's acquisitions have shown the company's willingness to branch out beyond its traditional product offerings in order to adapt to the evolving cybersecurity industry (The Motley Fool).
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.