In today's podcast, we hear about more misconfigured S3 buckets (these in Australia). Kaspersky Lab protests its innocence as it releases a study of Equation Group leaks. Notes from the world of crime: dual-purpose Trojans, fake-news-as-a-service, and how the cops are keeping the robbers hopping. Some thoughts on Hidden Cobra, and what it means for ICS operators in particular. More positive notices for the VEP. Chris Poulin from BAH on AI ethical conundrums with self-driving cars. Jeremy Wittkop from Intelisecure on the trouble with Social Security Numbers. And Amazon Key may unlock more than one would like.
Dave Bittner: [00:00:01:14] The CyberWire podcast is made possible, in part, by listeners like you; who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:14:00] Misconfigured S3 buckets down under. Kaspersky Lab protests its innocence, as it releases a study of Equation Group leaks. Notes from the world of crime. Dual purpose Trojans, fake-news-as-a-service and how the cops are keeping the robbers hopping. Some thoughts on Hidden Cobra and what it means for ICS operators in particular. More positive notices for the VEP. And Amazon Key may unlock more than one would like.
Dave Bittner: [00:00:44:18] Time to take a moment to tell you about our sponsor Recorded Future; the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cybersecurity analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email, to get the top-trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyberattacks. They watch the web, so you can have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:44:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, November 17th, 2017.
Dave Bittner: [00:01:54:07] Another misconfigured Amazon Web Services S3 bucket leaks. This one belongs to the Australian Broadcasting Corporation. Amazon continues its efforts to nudge customers to more mindful use of its Cloud services.
Dave Bittner: [00:02:08:23] Kaspersky has released the results of its own investigation of the alleged NSA leaks that appear retrospectively to have played a role in prompting the US Government to eject Kaspersky products from its systems. Kaspersky says, a laptop with a Baltimore area IP address and protected with Kaspersky software, was found to have been infected with what appeared to be Equation Group tools and that those were the files Kaspersky uploaded for inspection. Kaspersky says, the fact that there turned out to be classified files in the mix was unknown at the time and that such files were promptly deleted, as soon as recognized. Kaspersky also says, the laptop, which is thought to have been used by a NSA worker, or contractor, was thoroughly compromised by other sources. Dark Reading says, the device in question suffered from 121 problems.
Dave Bittner: [00:03:00:10] Some quick notes from the world of cybercrime. Bitdefender warns that the Terdot banking Trojan is a very capable information stealer, one that would be easily adaptable into an espionage tool.
Dave Bittner: [00:03:12:08] Inevitably, for the usual Willie Sutton-esque reasons, concerns about fake news are being monetized by cybercriminals. Some of them are now offering fake news as a service, often in the forms of spoofed legitimate sites.
Dave Bittner: [00:03:27:09] Late Tuesday afternoon, two separate but related warnings issued from the US Department of Homeland Security and the Federal Bureau of Investigation. They want people to be on their guard against two active campaigns they say emanate from North Korea; FALLCHILL and Volgmer. DHS and the Bureau are explicit in saying that these are the work of the North Korean Government, not simply some random gang of hoods with connections to people north of the 38th parallel.
Dave Bittner: [00:03:54:05] Specifically, they call out the HIDDEN COBRA threat group, which is also commonly called the Lazarus group. HIDDEN COBRA is after some specific sectors. They're showing a particular interest in finance, aerospace and critical infrastructure. And that interest is fairly well distributed geographically and is by no means confined to the US.
Dave Bittner: [00:04:14:15] FALLCHILL is a remote administration tool - a RAT - that's used to establish presence in the victim's network, with a view to enabling further exploitation. The other malware circulating, Volgmer, is described as a backdoor Trojan that's designed to provide covert access to a compromised system.
Dave Bittner: [00:04:32:08] It's worth noting that infestation of either Volgmer or FALLCHILL is likely to be accompanied by other North Korean malware. That malware could be used for either information theft, monetary fraud, or destructive attack.
Dave Bittner: [00:04:46:05] We heard from Phil Neray, Vice-President of Industrial Cybersecurity at CyberX, who offered us some perspective on the incident. He started with the many names the threat actors roll with. "Whether you call them guardians of peace, the Lazarus Group, or HIDDEN COBRA, North Korean cyberattackers are getting more sophisticated every day."
Dave Bittner: [00:05:06:04] They're not to be discounted. These aren't skids, or wannabes and they've shown the ability to do some damage. As Neray put it, "The group is known for being discreet and meticulous and covering its tracks, as previously shown in the SWIFT and WannaCry attacks, and the latest DHS, FBI alert shows the continued evolution of their evasionary tactics."
Dave Bittner: [00:05:28:02] The attack tools DHS and the FBI warned against aren't new. FALLCHILL, according to Neray, is a descendant of HIDDEN COBRA's Manuscrypt malware, that was first detected in 2013. He characterizes FALLCHILL as sophisticated, a RAT that does a good job with hiding and evasion through encryption and the use of multiple intermediate proxies.
Dave Bittner: [00:05:49:22] What FALLCHILL does, once it's in should be of particular interest to operators of industrial control systems. Neray told us, "Once deployed to a target host, it can be used as a launching point for cyber reconnaissance and further attacks on other systems. Critical industrial infrastructure systems, such as SCADA workstations, are ideal targets, because most industrial sites are still running legacy unpatched versions of Windows, and half aren't running anti-virus programs that would detect known malware like FALLCHILL."
Dave Bittner: [00:06:21:08] So, by all means patch, but everyone should recognize that patching industrial control systems isn't as simple a matter as updating your laptop with the latest version of Microsoft Office. Industrial experts, like NIST and Neray recommend continuous monitoring for behavioral anomalies as an important step towards securing ICS networks.
Dave Bittner: [00:06:41:22] The new US Vulnerabilities Equities Process continues to draw generally positive reviews. The Council on Foreign Relations issued a dignified grade of Pass, while noting that, of course, work remained to be done. Their blog post on the matter, by Robert Knake, an official who had worked on the VEP during the previous Administration, had very kind words for White House cyber coordinator Rob Joyce and, "Cheered on the comity and bipartisanship that continues in cybersecurity."
Dave Bittner: [00:07:12:18] Finally, were you ordering something from Amazon? You were, weren't you? Well, anyway, if you signed up for Amazon Key, a cyber physical lock integrated with a security camera, that's designed to let the Amazon delivery person into your house to drop off your packages inside, as opposed to leaving them on the porch, or the doorstep, or next to the mail slot, well, think twice. It turns out the key is hackable. While it's not as simple as standing at the front door and shouting, "Alexa, let this nice person in so they can rifle our sock draws," it's not exactly Equation Group stuff either.
Dave Bittner: [00:07:46:19] Amazon has promised to fix at any moment, so help is on the way. But, at least, in the meantime, you might consider specifying a delivery option like, "Hey drone, just drop the steak knives off at DeeDee and Lenny's next door." That's what we do. DeeDee and Lenny are okay with it. After all, we had Alexa ask their Google Home.
Dave Bittner: [00:08:09:14] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace, free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyberattacks. And they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:09:09:06] Joining me, once again, is Chris Poulin. He's a Principal Director for Booz Allen's Dark Labs, where they focus on IOT security and machine intelligence. Chris, welcome back. You know, I saw a discussion go by on Twitter the other day and it was talking about that famous trolley problem. We were talking about automotive AI and self-driving cars, and that sort of stuff. Of course, the problem is, how does a self-driving car decide if given an impossible situation of who to run over, what decision do they make? I thought, well I know the perfect person to talk to about that. So, Chris, what are your thoughts on this? How does a car decide?
Chris Poulin: [00:09:44:20] So, it is kind of interesting. There's actually a website that you can log onto and you can help to train systems to make better decisions. I think it's called the Ethical Machine Project, or something, at MIT. I don't have that in front of me right now. But it presents things, you know? If it's a busload of nuns and a busload of children, which one do you hit, you know, or whatever it is. It's kind of interesting, because, right now, basically, AI for cars is largely based upon cameras and subsonic sensors and things like that. But those things don't necessarily know what a child, or a nun looks like. I think a lot of times, we're thinking of long distance and in the future, but it's certainly something we should be thinking about.
Chris Poulin: [00:10:29:09] The question may not be, what's the best decision in that case, but how are we going to make these things make that decision in the first place? That means bringing context in. I think there's two steps. One is, how do we actually bring in context and say, "What is the value of this asset?" Because I think that's how a vehicle considers it from that perspective. How do we say, what's a child, what's a nun, what's an inanimate object and which things should you hit? That's the first problem to tackle. The second one is, this MIT Project, we're sort of training it by making decisions in a consensus form. What would the majority of people choose if it were down to those two decisions? And so once that's codified, if we have the context, and we've codified what the ethics are of actually hitting one thing versus another, then it's really up to the machine at that point.
Chris Poulin: [00:11:20:05] I think people give machines too much credit for trying to make a decision that a human wouldn't necessarily make, but the reality is, we're training the machine to make those decisions anyway. By the way, it's like politics, not everybody's going to agree.
Dave Bittner: [00:11:32:13] Right. I thought it was interesting, in this conversation on Twitter, that someone made the point that the vehicle will make the decision that results in the least amount of liability for the manufacturer of the vehicle. In this case, they said that would be continuing on the path that they're going in and slamming on the brakes.
Chris Poulin: [00:11:49:17] [LAUGHS] Well, it's probably true that liability is going to factor into it. It may not be the auto manufacturer, because, if you think about it, the people who make the machine intelligence in the first place are not the OAMs. I think somebody said, a long time ago, that OAMs are no longer in the manufacturing business, they're in the assembly business. They get their parts from everybody else. Let just say, for the sake of argument, it's Envidia, who make a lot of these AI engines for vehicles. I don't think that they're necessarily going to say, "Look, what results in the least amount of liability?" more to the point, though, I think that, again, because a lot of this is going to be legislated to begin with. That it's going to be percolated up into some legislative body who says, here are the decisions and here's how we're going to make them, and that's going to be the design principles for these AI engines.
Dave Bittner: [00:12:37:09] Alright. Well, it's going to be interesting to see it play out. Chris Poulin, as always, thanks for joining us.
Chris Poulin: [00:12:43:02] Thank you.
Dave Bittner: [00:12:48:06] Now a few words about our sponsor Dragos; the ICS and OT security experts. They've got some advice to help people understand threat detection for industrial control system security. Dragos has determined that there are four basic ways of detecting threats; through configuration, modeling, indicators and behavioral analytics. If an ICS security team understands these modes of detection, how they're different and how they can be used to monitor industrial environments, we'll be able to help their organization invest intelligently for improved security. Check out their webcast on the topic, hosted at thecyberwire.com/dragos and learn all about detection. To find out more about Dragos, including the paper they've prepared on the four kinds of threat detection, go to dragos.com and meet the people who built the first industrial cybersecurity ecosystem. That's dragos.com. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:13:54:06] My guest today is Jeremy Wittkop. He's the Chief Technology Officer at Intelisecure, an information, technology and service company with offices in Denver and London. The recent Equifax breach highlighted the vulnerability of our personal information, including our Social Security numbers. Jeremy Wittkop is one of a growing number of security professionals who think our system of Social Security numbers is due for an upgrade.
Jeremy Wittkop: [00:14:18:15] I think, when Social Security numbers were first created, it was largely a paper-based exercise and people would have that card and there wasn't a realistic threat that someone else would know your Social Security number. You could essentially use two forms of identification verbally, say here's my name, which publicly available, people could know, and here's my Social Security number and if those two things matched at one point, that was a realistic way to verify identity, especially over a spoken media microphone, where you can't check a photo ID or something like that.
Dave Bittner: [00:14:47:14] I remember when I was in college, the Social Security number was my Student ID. So, you know, every test I took, every form I filled out had my Social Security number on it.
Jeremy Wittkop: [00:14:57:00] Yeah, absolutely. When I was in the military, it was the same thing. Some people would even call it your serial number. Essentially, it was the number you were given at birth, that was going to identify you for the rest of your life, which was okay. I mean, as soon as you started storing that type of information on computers and connecting those computers together, it was the beginning of the end.
Dave Bittner: [00:15:15:01] The situation we find ourselves in now, in your estimation, are we hitting the point where the Social Security number just isn't adequate anymore?
Jeremy Wittkop: [00:15:23:08] In my opinion, it's already obsolete. If you take the numbers of records that were breached and some of the larger breaches, forget even the smaller ones, if you just aggregate the number of people who were affected by the Office of Personnel Management breach and the Equifax breach, it's realistic to say that 95 plus percent American adult Social Security numbers have been compromised.
Jeremy Wittkop: [00:15:42:04] At this point, I think the idea that we can even use a Social Security number as any form of identification, at this point, is a fallacy. People continue to use it, that's the scary part. But being able to use it right now to identify anybody with any level of confidence is just not there. People are asking for a Social Security number, but then they're asking for another form of identification on top of that, which just shows the weakness of the Social Security number as an identifier.
Dave Bittner: [00:16:07:14] What options do we have available to us? If we were to switch to something else, what could we do?
Jeremy Wittkop: [00:16:12:23] I think the best example that we have right now is credit card numbers. If a credit card number is stolen, I can shut that credit card number off and I can be issued another credit card number. Maybe we could do something similar with national identifiers. It would require more infrastructure, but when you look at the numbers, it would certainly than what we're being caused by identity theft out in the marketplace today. I think in 2015, it was $15.4 billion to the US economy. In 2016, it was $16 billion. It's up to close to $17 billion and we're not even done with 2017 yet. So I think there's enough damage to the US economy and the personal lives being done, to justify that we do something a little bit different.
Jeremy Wittkop: [00:16:51:09] It can't just be that you have this one number for life and, if it's breached, then you're going to have to monitor your credit for the rest of your life, which many Americans, at this point, should be doing. Just because there's been so many breaches, there's a good chance that that information is out there.
Dave Bittner: [00:17:05:16] Is it just a matter there needs to be political will? Because this would not be a small job to undertake?
Jeremy Wittkop: [00:17:13:04] Yeah. I mean, it would require a functional government. It would require a government that could get something done. That's not a shot at either political party, or who happens to be in power right now, it's just the fact that very little can get through Congress with the partisanship that we have. This is not just going to be a theoretical change in the way we do business, there's going to have to be funding with this and there may have to be either changes to the Social Security Administration, or a different department that handles the administration of these numbers.
Jeremy Wittkop: [00:17:41:02] But, if we want to continue to have a national identifying number, then we're going to need to do something like this. If we want to scrap that idea completely, we're going to have to find a different way to identify people. There's no solutions that aren't going to require some change on our part and, likely, some money to do it.
Dave Bittner: [00:17:57:17] Are there any other nations that have taken the lead in this sort of thing?
Jeremy Wittkop: [00:18:01:00] Nobody that's really done anything that I would consider great, in terms of being able to throw something away and making it disposal. But there are some interesting things being done. In Spain, there's an article on their Constitution that says that no one number can identify a person. So they have different national identifiers for different things and there's, I believe, six of them. And so if you were trying to verify somebody's identity over the phone, for example, for the purposes of credit, or something like that, you may ask for two or three of those things. So, it makes it harder for you to breach a single person's identify, you would have to have multiple factors in order to do that.
Jeremy Wittkop: [00:18:34:18] In the United Kingdom, there's similar things. They have lots of different numbers, it's not just one. They have a National Election Roll Number and they have a Driver's License number that's tied to their identity, and then they have a National Health Service Number. There's several numbers. But I think the real answer is similar to what we do with credit cards.
Dave Bittner: [00:18:53:16] I've become a fan, personally, of using Apple Pay, because it takes my credit card number, but then that information is tokenized and so there's an added layer of security. Is that technical solution an option for something like this?
Jeremy Wittkop: [00:19:15:02] You could certainly apply a multi-factor authentication strategy, which is really what Apple Pay is doing. It's essentially the token plus your fingerprint equals your credit card number. You could certainly do something like that with the proliferation of technology, especially in this country, but we still have to keep in mind that there are still people who don't have access to that type of technology, even in America. This is something we often forget, because so many of us have access to Smartphones and things like that. We have to have a solution that fits all Americans.
Jeremy Wittkop: [00:19:44:13] If we're going to do something like that, we would have to make sure that there are programs in place where people who didn't have that technology today could have access to some way to utilize that technology. It's time for us to do something different, and what that something is should be the subject of national debate. I'm not saying that I have all the answers, but I would love for the conversation to happen and for us to come up with a solution and lead the world on this.
Dave Bittner: [00:20:06:20] That's Jeremy Wittkop from Intelisecure.
Dave Bittner: [00:20:14:06] That's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, check out cylance.com.
Dave Bittner: [00:20:27:02] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Have a great weekend. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com
Dragos, Inc. is an industrial cybersecurity company focused on protecting infrastructure such as power grids, water sites, manufacturing networks, and oil and gas pipelines. Our Dragos Platform, Threat Operations Center, and Dragos Intelligence team provide the community with the technology, services, and intelligence it needs to safeguard civilization. Learn more at dragos.com.