In today's podcast, we talk about what the Five Eyes see. Implications of North Korean responsibility for WannaCry. Defense and deterrence go with naming and shaming. The Lazarus Group looks to cryptocurrency theft to redress North Korean financial shortfalls. Copperfield cyber espionage campaign in the Middle East. GDPR approaches, and organizations look to get their data houses in order (and buy insurance). Justin Harvey from Accenture on choosing threat intelligence. Guest is Stan Engelbrecht from D3 Security on the vulnerabilities in public transportation. And what to do if your child gets a phone from Santa.
Dave Bittner: [00:00:01:05] Thanks again to all of our supporters on Patreon. The support that we receive there helps us provide the daily news that you come to rely on. We hope you'll check it out at Patreon.com/thecyberwire.
Dave Bittner: [00:00:14:23] What the Five Eyes see. Implications of North Korean responsibility for WannaCry. Defense and deterrence go with naming and shaming. The Lazarus Group looks to cryptocurrency theft to redress North Korean financial shortfalls. The Copperfield cyber espionage campaign in the Middle East. GDPR approaches, and organizations look to get their data houses in order and buy insurance. And what to do if your child gets a phone from Santa.
Dave Bittner: [00:00:47:09] Now a holiday message from our sponsor Neumyer Security. Twas the night before the board meeting when all through HQ not a sea level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care, in hopes that the members would not pull out their hair. The CISO, however, was pacing the ground, mostly because he had no real metrics to sound. The head of IT, in front of long log reviews, had just settled his brain after full back-up number two. When out of the seam, alarms started to fly. They looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploitables lay and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Neumyer Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles, the RQ dashboard came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations, on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew, smart cyber investments, now everyone knew. To hear the rest of the story, visit Neumyersecurity.com
Dave Bittner: [00:02:20:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner wit your Cyber Wire summary for Wednesday, December 20th, 2017.
Dave Bittner: [00:02:30:24] Have you heard? People say North Korea was behind the WannaCry attacks that tore through vulnerable networks early this summer. Pyongyang hasn't had much to say about the latest round of accusations, but it has denounced earlier attributions as slander and provocation, as of course Pyongyang would.
Dave Bittner: [00:02:49:05] That said, all Five of the Eyes are glaring like basilisks toward the Democratic Peoples Republic of Korea, which they agree was responsible for WannaCry. And it's not just the Five Eyes; Australia, Canada, New Zealand, the United Kingdom, and the United States, but others too, Japan among them.
Dave Bittner: [00:03:07:21] Some conclude that the lesson here is that collective defense works, albeit abetted in this case by someone lucking into the kill-switch, because the outbreak could have been far worse. US networks, for instance, proved generally resistant to the campaign.
Dave Bittner: [00:03:22:16] Two questions at least are being asked, one pertaining to deterrence and the retaliatory capability necessary to deter, the other to security lapses that can enable attacks.
Dave Bittner: [00:03:33:15] To take deterrence first, if you wished to deter similar attacks, how might you retaliate? You can hack until the ones and zeros jump, but it's not clear doing so will seriously affect North Korea's regime absent identification of something the regime values that one could hold at risk. Blame, shame, and further isolation may be the best anyone can do, many observers suggest. The US stopped short of using language that would have characterized WannaCry as an act of war, but North Korean cyber operations are clearly a matter of concern.
Dave Bittner: [00:04:06:15] The White House drew particular attention to Facebook account takedowns and Microsoft fixes as providing valuable and ongoing defense against North Korean cyberattacks. Facebook said that last week the company cooperated with Microsoft in "joint action to disrupt the activities of a persistent, advanced threat group commonly referred to as ZINC, or the Lazarus Group.” Microsoft, in addition to cooperating with account takedowns, has said it had taken steps to clean customers' machines and strengthen Windows' defenses.
Dave Bittner: [00:04:38:10] The Facebook account takedowns are seen as suggesting that WannaCry is, as Engadget says, the tip of the proverbial ice berg. They're also taken by many as a sign that the US, and probably the UK, are engaging in some form of retaliation, although little more is being said about it.
Dave Bittner: [00:04:56:14] The Guardian quotes the UK's Foreign Office minister for cyber, Tariq Ahmad, as saying, "We condemn these actions and commit ourselves to working with all responsible states to combat destructive criminal use of cyberspace.” He added that "international law applies online as it does offline," and said the United Kingdom was "determined to identify, pursue and respond to malicious cyber-activity regardless of where it originates, imposing costs on those who wish to attack us in cyberspace.”
Dave Bittner: [00:05:28:21] The second big question about WannaCry is, how did the alleged NSA exploits, particularly EternalBlue get loose into the hands of the ShadowBrokers in the first place? Early in 2017 NSA warned Microsoft about a vulnerability in Windows' Server Message Block protocol, which Microsoft patched in March. In April the ShadowBrokers dumped what they characterized as stolen NSA attack code, and that dump included the EternalBlue exploit subsequently used by WannaCry to hit unpatched machines.
Dave Bittner: [00:06:01:09] White House Homeland Security Advisor Tom Bossert, who's been the public face of US attribution of WannaCry to North Korea, said yesterday that "The government needs to better protect its tools, and things that leak are very unfortunate. We need to create security measures to better protect that from happening." While there have been at least three arrests in connection with NSA leaks, none of these, so far as is publicly known, were for leaks of exploits to the ShadowBrokers. So presumably investigation continues.
Dave Bittner: [00:06:33:13] WannaCry is of course currently in remission, as it has been for some months. The DPRK's current interests appear to lie in cryptocurrency, with the Lazarus Group paying a great deal of attention to hacking wallets and catphishing people with access to alt-currencies. The UK's minister for cyber, Ahmad, alluded to Pyongyang's motives in his statement on WannaCry: "The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions." That program now concentrates on stealing Bitcoin, so alt-currency fans, look to your wallets.
Dave Bittner: [00:07:12:13] With the holidays upon us, many will be traveling to visit friends and family. They'll make use of public transportation and some of those systems are semi-autonomous. Stan Englebrecht is Director of Cyber Security Practice at D3 security.
Stan Englebrecht: [00:07:26:13] One example that I take daily here would be the Trans-link sky train here in Vancouver, which doesn't have any drivers, it's all centrally controlled. So all the speed, any type of stopping mechanisms or anything like that is basically all controlled out of a central location and it's all driven by inter-connectedness.
Dave Bittner: [00:07:45:03] What are some of the specific vulnerabilities that systems like this would have?
Stan Englebrecht: [00:07:50:03] A number of them would be the central systems themselves. You know, if we're talking the sky train, it was something that was developed in 1986. It came out when the world expo here in Vancouver happened. Back in 1986, the idea of a cyber attack I mean we're talking about something that really wasn't even thought of, nor invented at that point and so these systems which are now Internet connected really don't have the controls and securities in place that they need to in this time and space. That's probably one of the biggest problems that we're running into right now.
Dave Bittner: [00:08:19:03] Have we seen any attempts to get into these sorts of systems?
Stan Englebrecht: [00:08:23:06] There was a San Francisco one which happened not too long enough, which is fairly well known. A media attack basically caused their system to run for free. Our system here there hasn't really been an attack I would say in terms of causing the system to go down. There was a card hack in terms of the payment system in which, you know, people were able to ride for free, but not really anything where it was a real disruption. Different actors are getting into different places and so the prospect of a general cyber attack on a public transportation system is something I would say is inevitable.
Dave Bittner: [00:08:55:03] Can you contrast the difference between someone who would be going after criminal things, such as money, versus perhaps a terrorist attack.
Stan Englebrecht: [00:09:04:04] You listed it all right there. The differences can really be motive. So a cyber criminal, while they don't really want to disrupt the system, so to speak, they want to get into it to profit from it, whether it's, you know being able to siphon off account information, whether it's being able to actually, you know directly pull money out of the card payment systems that they have in place. Whereas if you're looking at something, I will use the state actor or terrorist organization, I mean if you have the ability to shut down New York's central train stations or anything like that that's going to be inter-connected, you're going to cause widespread chaos. That's going to have a number of different impacts, obvious financial, but you're really talking about pulling a system down or causing a lack of service. You're talking about one of their motives right there, they're terrorists, they want to spread terror, and having the system pulled down is one aspect of it. If I think of possible outcomes in terms of what could happen there, I look at our sky train system, I would hope that they have some physical controls in place in terms of speed, but if somebody gets into the centralized system, you could well imagine if they just turn off the controls or turn up the controls on these systems so the trains run at full speed and there's no stopping or the operators don't have the ability to stop the trains, you're talking about a mass accident that could affect hundreds of people at a time.
Dave Bittner: [00:10:21:07] Is your sense that the municipalities are prepared for these sorts of things, or are they behind?
Stan Englebrecht: [00:10:27:02] I would say they're behind. One of the people that we've had in from our security group here is a gentleman by the name of Gary Perkins, and he's actually the CISO of the Province of British Columbia here. According to him, from what he knows of the public systems and whatnot, he figures that probably less than 5% of municipalities in the public sector here is ready for any type of a widespread cyber attack. Of course, that's concerning. I think us in the security community and even I know with our group here, one of our goals is to really educate the public on some of the dangers. I think if the public is better educated, not in a way where we're spreading fear I mean that's really not our goal, our goal isn't to spread fear, our goal is to educate and make people aware. And I think if we were better at spreading that type of awareness, I think probably more things would happen quickly and you'd get, you know, if it was a political item like you brought up, in terms of public transportation, if there's more of an outcry from the public to secure these things, I think things would probably happen in a much better fashion.
Dave Bittner: [00:11:25:19] That's Stan Engelbrecht from D3 Security.
Dave Bittner: [00:11:30:24] Another cyberespionage campaign has been spotted in the Middle East. Researchers at security firm Nyotron call it "Copperfield." It's an evolution of the H-Worm, also called "Houdini," that emerged from Algeria four years ago. No firm attribution yet, but Nyotron speculates about the possible involvement of Algeria, Iran, and Saudi Arabia.
Dave Bittner: [00:11:54:19] As full implementation of the EU's General Data Protection Regulation, GDPR, approaches its May deadline, many organizations are looking for a silver lining in what amounts to a pretty dark regulatory cloud. Computing reports that GDPR does afford everyone an opportunity to get its data house in order. There are also reports of a lining, silvery or leaden remains to be seen, for underwriters: a lot of businesses have decided to transfer their GDPR regulatory risk by taking out cyber insurance policies.
Dave Bittner: [00:12:28:01] There are only five days until Christmas, of course, and those of you who are considering getting your kids smartphones may find some quick advice useful. The Website Cool Mom Tech offers nine bits of counsel that are worth your consideration: First, check location settings so your kids don't inadvertently broadcast their whereabouts. Second, of course you'll want to set restrictions and parental controls. Third, consider setting up some way of sharing, like the Family Sharing offered on iOS devices. Fourth, set up their contacts, especially if you are sharing, to avoid oversharing. Fifth, manage their passcodes, so you know them, and add your fingerprint to devices with biometric security. Sixth, set up a charging station somewhere away from the child's bedroom, so they'll be less tempted to sit up all night looking at their new phone. Seventh, sit them down and show them how to use the phone. You don't want them picking up this kind of know-how on street corners, either physical or virtual. Eighth, consider making a contract with them about how, when, and where they'll use the phone. Or at least set clear limits for them. And, finally, if you get them a phone, get them a case to put it in. A good case, that will survive dropping, immersion, maybe even temperamental banging. And happy holidays.
Dave Bittner: [00:13:51:05] And now let's go back to our sponsor Cylance for some more hacksmass cheer. Here's their carol. On the third day of hacksmass, my black hat sent to me three ROP chains, two factor off and a zero day in SMB. Don't know what an ROP chain is? Well neither do I, but Cylance does and they'll be happy to explain it to you. Here's a hint, it's no French hen, trust me. Just go to Cylance.com and see how their artificial intelligence is a natural for your network and any end points under your tree. That's Cylance and we thank them for sponsoring the Cyber Wire.
Dave Bittner: [00:14:31:20] Joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. Today we wanted to touch on threat intelligence. Specifically, you make the point that when you're shopping for threat intelligence it pays to make sure you know what you're getting.
Justin Harvey: [00:14:47:02] That's exactly right. It seems like on a daily basis, my team and myself are asked questions from our clients like how do I know if we're spending our time and money on the threats that impact the areas of the business that are critical or making money? Or, how do I triage security incidents? Or do I even have the right of the best threat intelligence? And it seems like there is a feeding frenzy in the cyber security market today. More and more software companies are coming out with their next generation threat intelligence, and then you've got next generation threat intelligence feeds and so on. Really, I think that we as an industry need to examine and talk about the various forms of threat intelligence and how it affects our clients, or how it affects business, per se. And that's really being materialized around the hype around having the best threat intelligence, like the best bad domains or the best bad IPs, and knowing exactly what signatures are out there and having them first, before anyone else, and getting them to the clients. Really what we should be focusing on is not just the tactical threat intelligence that compromise or indicators of attack, but also examining the who, what, why and where behind a lot of the attacks, since how can you properly defend yourself if you don't know who out there wants to cause you harm from an adversary level? Just hanging your head on tactical threat intelligence could be a mistake simply because these indicators, IPs, domains, signatures, all of that good stuff, is all predicated on one simple thing and that is someone else in the world have to have seen that adversary or seen that threat one time before. But what we're seeing is very advanced adversaries, heck, you don't even have to be an advanced adversary, you can just be an adversary, not even nation state, and it's very easy to take your malicious code and re-jigger a few variables and now you have a completely new signature. So it's very important not to hang your hat just on indicators that compromise an attack.
Dave Bittner: [00:17:05:21] Is it really a notion that while threat intelligence can be an important part of the spectrum of tools that you use, you shouldn't allow it to give you a false sense of security?
Justin Harvey: [00:17:15:16] Right. I think it really speaks back to previous points. We're seeing an industry move from solely based around prevention, to prevention, detection and response. If you put all your eggs in the threat intelligence basket, you are almost saying you're putting all of your eggs in the prevention basket.
Dave Bittner: [00:17:38:14] Justin Harvey, thanks for joining us.
Dave Bittner: [00:17:43:06] That's the CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, check out Cylance.com.
Dave Bittner: [00:17:55:22] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Nehemiah Security delivers a security risk assurance platform that is transforming how organizations secure technology so they can quantify their cyber risk in dollars and cents. Learn more at: nehemiahsecurity.com.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com