In today's podcast we hear about ransomware afflicting a healthcare IT provider. Group 123 phishes in South Korean waters. Schneider Electric describes the zero-day Triton/Trisis exploited. The Dark Caracal spyware campaign is attributed to Lebanon's intelligence service. The US Congress will extend Section 702 surveillance authority for six years. GhostTeam-infected apps are booted from the Play Store. Jonathan Katz from the University of Maryland ponders "uncrackable" quantum encryption. Graham Cluley from the Smashing Security podcast drops by for a chat about the state of the industry. And is there ever a good reason to write down a password?
Dave Bittner: [00:00:00:23] Hey everybody, Dave here. Today marks the 2-year anniversary of us launching the CyberWire Podcast. A big thanks to all of you for listening and making it possible to our sponsors, partners and guests. And a special thanks to my co-workers here at the CyberWire. You hear their names at the end of every episode of our show. We're a hard working, scrappy, start-up team doing our best to help keep you all up-to-date on the latest cyber security news. So thanks again for listening. We're looking forward to year number 3.
Dave Bittner: [00:00:31:07] Dark Caracal is tracked to it's Beirut lair. Group 123 phishes in South Korean waters. Schneider Electric describes the zero-day Triton/Trisis exploited. The US Congress will extend Section 702 surveillance authority for six years. GhostTeam-infected apps are booted from the Play Store. Graham Cluley drops by to talk security and is there ever a good reason to write down a password?
Dave Bittner: [00:01:01:07] Now I'd like to share an opportunity from our sponsors Cybric. On February 8th, cybersecurity thought leader Dr. Chenxi Wang joins continuous applications security platform provider, Cybric, to discuss DevSecOps from cradle to scale, real world lessons and success cases. Many businesses are moving to DevOps and agile development methodologies. But most security tools and processes aren't designed for this new world and that hinders innovation. In this webinar, Dr Chenxi Wang, founder of the Jane Bond project, Cyber Security Consultancy, and vice chair of OWASP's board of directors, joins Cybric's CTO, Mike D. Kail, to discuss integrating security into your DevOps process at scale, using real world examples. Mike and Chenxi will also cover getting started with DevSecOps, what metrics to use and what security at scale can mean for you. Join them February 8th at 1 pm US Eastern time for this insightful and information-packed webinar.
Dave Bittner: [00:02:28:07] I'm Dave Bittner with your CyberWire summary for Friday, January 19th, 2018.
Dave Bittner: [00:02:34:18] Add another healthcare sector incident to this week's news of unrelated incidents, running from southern and eastern Norway to Indiana and Mississippi. AllScripts, the Chicago-based provider of electronic health record and practice management tools to some 2,700 hospitals and 13,000 other care organizations, is investigating a ransomware infestation that appears to be affecting some of its applications. The issues came to light yesterday and are reported to be concentrated in applications the company's North Carolina data centers in Raleigh and Charlotte host. The company has taken down it's professional EHR services and its electronic prescribing system until remediation can be accomplished. Other affected functions included regulatory reporting, clinical decision support and various communications and payment apps. AllScripts Support is working with clients during the disruption as the company works toward restoring full service.
Dave Bittner: [00:03:33:06] Cisco Talos reports on a new threat actor, Group 123. It's responsible for six identifiable campaigns mounted during 2017 and continuing into this year. "Golden Time," "Evil New Year," "Are You Happy?" "Free Milk," "North Korean Human Rights" and "Evil New Year 2019," the odd names alluding to the campaign's distinctive phishbait. All except Free Milk targeted South Korean individuals and organizations, Free Milk was international in scope. Talos is commendably reticent about attribution, but you don't have to be George Smiley to see that those look like the work of Pyongyang. The payloads in these campaigns included both remote access Trojans and disk wipers.
Dave Bittner: [00:04:18:02] Schneider Electric offers a post mortem on Triton/Trisis industrial malware and the zero-day it exploited. The company has determined that a vulnerability in it's Triconex safety-controller firmware, permitted exploitation for privilege escalation. And that this enabled attackers to meddle with emergency shutdown systems during attacks on Middle Eastern systems believed to be operated by Saudi Aramco. Schneider said the Trisis/Triton malware included a remote access Trojan, a RAT, that enabled attackers, in principal, not only to shut down plants, but to induce unsafe conditions and damage difficult to replace equipment. The attacks of late 2017, were widely called "Game Changers" because of their happily unrealized potential for catastrophic damage.
Dave Bittner: [00:05:02:19] Schneider is fast-tracking firmware updates to prevent a re-occurrence, but in the meantime, they recommend that users always enable Triconex cybersecurity features, always deploy safety systems on isolated networks, don't make them easily connected, and pay close attention to sound physical security of safety systems and networks. They also recommend other standard digital hygiene best practices.
Dave Bittner: [00:05:28:15] As the Davos meetings approach next week, thoughts of the participants turn to geopolitical tensions and the way those are increasingly manifested in cyberspace. Russian capabilities in hybrid warfare, of course, prompt considerable reflection and concern. And the North Korean operations we've mentioned are also well know. But states that are neither large nor rogue can also be problematic. One of those, perhaps surprisingly, is Lebanon. The Electronic Frontier Foundation and security firm, Lookout, have issued a report describing an operation they're calling Dark Caracal, named after the long-eared wildcat endemic to North Africa and Southwest Asia.
Dave Bittner: [00:06:08:11] Dark Caracal is a long-running espionage campaign that has been affecting android mobile devices since 2012. Lebanon's intelligence service, The General Directorate of General Security, GDGS, is the organization being held responsible for the campaign. Their targets included journalists and activists, military personnel, manufacturers and financial institutions in more than 20 countries.
Dave Bittner: [00:06:33:13] Several things are noteworthy about the discovery. First, the GDGS seems to have inadvertently left the information they took, exposed on an open server. This has been an issue intelligence services and their contractors in some large and sophisticated countries as well. So, OPSEC slips of this sort aren't by any means confined to the Levant. Second, no sophisticated malware was involved. The approach was as effective as it was direct. Dark Caracal spread by phishing with baited software that looked like legitimate communication apps. The malware simply used the permissions users granted, when they downloaded it.
Dave Bittner: [00:07:10:20] Third and in some ways, most interestingly, it seems the GDGS may have rented it's espionage tools and infrastructure from some third party. The researchers say they found servers and malware associated with Dark Caracal they'd seen last year in an investigation of hackers apparently working on behalf of the Kazakh government. Whether Lebanon rented the stuff from Kazakhstan or vice versa, or whether both intelligence services are buying from some third party vendor, is unknown. But the appearances suggest a complicated market for espionage tools and infrastructure.
Dave Bittner: [00:07:45:10] In the US, the Senate, yesterday, voted to extend Section 702 surveillance authorization for another six years. This means the US intelligence community will retain what it regards as an essential foreign intelligence collection authority.
Dave Bittner: [00:08:01:08] In news of other hacks, Google has kicked 53 apps out of the Play Store. The malware they were hosting was "Ghost Team" which is designed to steal Face-book credentials. Trend Micro, the security firm who has published the results of their investigation into the malware, thinks internal signs point to a Vietnamese origin for the code. So far they haven't observed any significant exploitation of Face-book credentials, but Trend Micro is working with both Google and Face-book to prevent a major outbreak.
Dave Bittner: [00:08:30:05] Finally, this is the week that began with some false alarms of missile launches issued by Hawaiian civil defense authorities and Japanese broadcaster NHK. The unrelated incidents were due to operator error, abetted perhaps, by some questionable user interface design choices. So, they weren't the work of hackers. But pictures from the Hawaiian center have raised a lot of eyebrows in security circles, because pictures taken in July of workspaces in the Hawaii Emergency Management Agency command post showed an official posing in front of a monitor adorned with a sticky note that had a password written on it. There's been a great deal of contemptuous mockery, like the tweet that said, "the deep state apparently uses Password Post-It Keeper" or the Reddit wise-crack, "you have to write your password on the back of the post-it note to be secure."
Dave Bittner: [00:09:19:02] So that's funny, sure, but, Motherboard offers a contrarian take on the matter. There are, the publications says, worse things you can do, like record your passwords in an unencrypted text file. Or simply re-use the same one for all your accounts because it's easy to remember, like "Frank's_Red_Hot" a password that gets even better if you change the a in Frank's to an at symbol. Those things would be bad, but as the Motherboard writer points out, whether or not it's a good idea to write down your password depends on your threat model. If your workstation is in a publicly accessible place, then bad idea. But if it's in your home office say, maybe not as bad as some other choices you could make, especially if you've got a bad memory. Is it likelier someone's going to break into your house than it is that they'll realize you use "Ninja1234" for everything? Still, a real password manager is your best bet, and you certainly don't want sticky notes around when the local TV reporter comes to visit.
Dave Bittner: [00:10:19:04] And now a moment to tell you about our sponsor Control Risks. For over 40 years across 178 countries, Control Risks has partnered with the world's leading companies to help them be secure, compliant, resilient and to seize opportunities. From kidnapping in the jungles of Columbia to cyber enabled extortion, they've been with their clients as risks have evolved. In an interconnected world, cyber risks are everywhere you operate. Control Risks has a comprehensive view of cybersecurity, a critical business risk within a context of geopolitical, regulatory and competitive complexity. And thanks to their unique heritage, they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings reassurance to the anxiety about your cyber risk. Let them show you what over 40 years in the risk business has taught them. Find out more at controlrisks.com. That's controlrisks.com. And we thank Control Risks for sponsoring our show.
Dave Bittner: [00:11:25:12] And joining me once again is Jonathan Katz, he's a professor of computer science at the University of Maryland and also director of the Mail and Cyber Security Center. Jonathan, welcome back, great to talk to you again. We saw some stories come by on Engadget about some research being done in China with quantum computing, quantum encryption, quantum cryptography and claims that these are unhackable. Sort of unpack it for us? What are we talking about here?
Jonathan Katz: [00:11:51:17] Yeah I've read those articles too and the first thing I want to say is, that it's always been interesting to me and I don't quite understand why anything related to quantum cryptography automatically gets a lot of press coverage. I mean quantum cryptography is interesting but, I think it's kind of got a niche use case. But nevertheless, in these particular articles, what they were talking about was a new network for quantum encryption and quantum communication that had been set up by the Chinese and basically had some previous records, in terms of the distance over which the communication was going and perhaps also at the rate at which the communication was being done.
Dave Bittner: [00:12:30:10] And when they say unhackable, they always put it in scare quotes, is that a reasonable thing to say? Or is it merely a factor that some day a clever human might come up with a way to crack any type of cryptography.
Jonathan Katz: [00:12:45:17] Well you always have to take these things with a grain of salt. What they are referring to there is the fact that there is a mathematical proof that the underlying quantum mechanical protocol actually cannot be hacked. And not only can it not be hacked by a classical computer, it can't even be hacked by a quantum computer, should one come along in the future. And that's a guarantee that we don't have for the other kind of cryptography that we use in the Internet. Those kind of systems number one, rely on assumptions and number two, can potentially be cracked with enough computational power. So that's what they mean when they say unhackable.
Jonathan Katz: [00:13:21:00] Now having said that, of course, what you realize in practice most systems that get broken are broken are broken not because of the cryptography, but by things surrounding the cryptography. By the implementation, by user error, by an attacker maybe hacking the physical devices being used for the communication. So you have to take the unhackable there with a bit of a grain of salt, but, nevertheless, it is nice that these systems come along with some kind of a proof that at least the underlying protocol itself is not going to be the point of failure.
Dave Bittner: [00:13:49:12] And is this something that's still off on the horizon? It's merely at the research stage? Or are there practical uses on the way for this?
Jonathan Katz: [00:13:57:06] It's at the borderline. I do think that it will remain a niche technology that will only be applicable in certain scenarios. But I think it's at the point now where people are talking about using it or even using it in very specific scenarios. And so it is starting to move from the research lab into limited use.
Dave Bittner: [00:14:16:08] Alright. Jonathan Katz, thanks for joining us.
Dave Bittner: [00:14:23:10] And now a word from our sponsor, The Johns Hopkins University Information Security Institute. They're seeking qualified applicants for their full time Master of Science and Security Informatics. The program covers the most current topics in information security with core courses covering security and privacy, cryptography, computer forensics, software vulnerabilities, ethical hacking and more. And it's a quality program too, not just because it's from one of the worlds great research universities, but because the institute is an NSA and DHS designated center of academic excellence in information assurance in cyber defense and research. So, apply by March 1st 2018. Scholarships are available, so apply today. Visit isi.jhu.edu for more information. Fire up that browser and head on over to isi.jhu.edu. And we thank the The Johns Hopkins University Information Security Institute for sponsoring our show.
Dave Bittner: [00:15:30:10] My guest today is Graham Cluley. He's a popular voice in the cybersecurity world through his own website grahamcluley.com. And as co-host of the Smashing Security podcast, with Carole Theriault. He's a popular key-note speaker and a regular on broadcast media around the world. I began our conversation by asking him for a status update when it comes to cyber security.
Graham Cluley: [00:15:51:08] You know I like to be upbeat about these things. I like to think positively and I think if we're going to put some positive spin on this, by now, January 2018, we can assume that all of us have had our identities stolen at some point, to some extent or another, via one of these huge breaches. So in a way, that's good news because now we're aware of identity theft. Maybe we're even aware of some of the steps we need to take in order to make sure that funds aren't beginning to disappear from our wallets as well. So it's almost like there's been so much bad news and so many bad experiences that we're a bit more battle worn as a result. So we've been in the fight for a while and we're better prepared from that point of view. But, other than that, I don't really see anything that great and positive on the horizon. I think we're going to see another year of enormous vulnerabilities, huge data breaches and shocking privacy scares. And I suspect it's going to be that way for many, many years to come.
Dave Bittner: [00:16:56:09] What do you suppose GDPR is going to do in terms of having an effect globally?
Graham Cluley: [00:17:01:23] Well it's already had an effect, certainly in Europe of course, where companies have really been on the ball and been putting measures in place for some time to get themselves prepared for it, and I think in the case multi-nationally, some companies outside of Europe have simply not realized that this also affects them. And if they have any customers in Europe, they need to make changes, maybe, to their systems and appreciate that potentially there could be some very, very large fines coming along. I'm somewhat skeptical as to whether we are going to see these really enormous fines and damages imposed upon companies that the law provides for, when this comes round. I suspect it's being more used to scare people. But, for many companies, this has been an enormous upheaval.
Graham Cluley: [00:17:53:03] But if it does wake up any companies a little bit more seriously, and wake up the board and the C-Level executives to the threats which are out there, then that has to be good news. Because, for too long, too many companies have really had a slip-shod approach to protecting their customer's data. That has to change because we are putting our trust in these on-line businesses and indeed not non on-line as well. Yet time and time again, they're proving themselves to be, frankly, incompetent at protecting our information.
Graham Cluley: [00:18:25:16] I'm more concerned, actually, that many companies and many individuals these days, are almost accepting data breaches as a fact of life. Thinking oh well what could we have done? Or they're rolling out the age-old excuse of well, it was a highly sophisticated attack, using mysterious zero-day vulnerabilities. And you know what? It could well have been state-sponsored as well. In which case it's oh well that's alright that you got hacked, because clearly there was nothing you could do. And I get fed up with companies using those kind of excuses and trying to wiggle their way out of it. I would really love to see consumers voting with their wallets and actually punishing the companies who do suffer these data breaches, by no longer doing business with them. But I know from my own human experience, that it's a hassle changing providers or suppliers, it's a hassle, if you have a relationship with a company and they are providing you with a service and they suffer a data breach, it's quite a nuisance changing your supplier isn't it? Or moving your account. And in some particular cases, you simply can't do it.
Graham Cluley: [00:19:29:10] If it's a government agency or if it's the National Health Service or something like that, there's no other choice. You have to do business with them effectively. You have to entrust them with your data and what more can you do? But certainly for the commercial data breaches, I would love to see users really making their opinions felt strongly about this. And not just for that week, the initial week after the breach is exposed, but actually remember it and tell their friends never deal with xyz company again, because they treated us so badly a year ago.
Dave Bittner: [00:20:04:04] I wonder if we are going to see a time where companies use security as a feature. Similarly to the way for example that Volvo made where they sold safety when no one else was making the point of safety. Volvo made that a selling point. And it doesn't seem like we've seen that yet with security, but it strikes me that that could be an area where someone could try to have a competitive advantage.
Graham Cluley: [00:20:27:09] It would be nice wouldn't it? I think for most people, unfortunately, security simply isn't sexy. Look at the huge growth we've seen in the Internet of things devices. Every device imaginable these days has got the internet connected to it. And it's simply another feature which they can put on the side of the box and say "it's not just a toothbrush, it's a toothbrush which can connect to the worldwide web." People say, "oh yes, I'd like one of those." But that's the thing which makes them choose that particular toothbrush from Amazon, rather than this is a really secure toothbrush, which can never be connected to the Internet and doesn't require Internet updates. But when there's security vulnerabilities-- simply isn't sexy enough.
Graham Cluley: [00:21:09:24] The only company which I've really seen making a bit of a stand on this, and it's not so much about security, it's more about privacy, is Apple. Which has acted differently from some of the other technology companies out there and said, "look we're not going to make money out of you by collecting your data and potentially putting you at risk that way or displaying ads everywhere and again, maybe exposing you to risk. We're going to make money by charging you a heck of a lot of money when you buy our shiny gadget." and so they charge more than most people charge for that particular gadget, but what they do is they say, "that's going to be it. Once you've done that, that's how we're going to make money from you. And maybe we'll make some more money from having you in the ecosystem when you buy things in the app store. But we're not going to be selling your data" And I like that they appear to have that attitude.
Graham Cluley: [00:21:58:02] Now having said that, they still have security vulnerabilities and sometimes really bad ones. But they do appear to have adopted that as a philosophy. Now of course that's sometimes has got them into trouble with governments because they've been so hot on privacy and locking down their phones for instance.
Dave Bittner: [00:22:13:08] Do you have any advice for those people who are considering a career in cyber security in terms of pathways they should take or classes or certifications? What's your take on all that.
Graham Cluley: [00:22:24:12] I do get asked this quite a lot and I feel incredibly under qualified because I don't have any computer security qualifications. I fell into this industry 25 odd years ago completely by accident. I've no idea. The world has changed so much in 25 years. I haven't gone to a job interview in 25 years either. What I would say to people is try and keep on the right side. Don't be tempted to do naughty things just because they're possible. For instance if you're interested in penetration testing, make sure that you have the permission of the company whose systems you are testing or you're looking for vulnerabilities. So make sure you don't blot your copy book from that point of view as it may impact your future career.
Graham Cluley: [00:23:09:24] But the big resource I would really recommend, which wasn't available to me 25 years ago, are sites like Twitter. Because there you can begin to converse and join in the conversations with so many really brilliant security researchers. There are fantastic conferences around the world as well. Maybe a BSides or something like that in your area which is fairly easy to get to where you can meet some of these people, form relationships and learn a huge amount. The opportunities are out there to gather information to join in on forums, to exchange expertise, to learn, to watch YouTube videos, to get really enthusiastic about this. But keep your nose clean, don't do anything silly which your future self might regret.
Dave Bittner: [00:23:56:08] Graham Cluley, thanks for joining us.
Graham Cluley: [00:24:06:18] Thank you very much.
Dave Bittner: [00:24:08:12] We'll have an extended version of my conversation with Graham Cluley for our Patreon subscribers, you can learn about that at patreon.com/thecyberwire. And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more. The CyberWire podcast is proudly produced in Maryland out of the Start Up studios of DataTribe where they're code building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with Editor John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe and I'm Dave Bittner, thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
CYBRIC is the first to orchestrate and automate code and application security across the DevOps lifecycle. CYBRIC's Continuous Application Security Platform leverages patent-pending technology to seamlessly integrate security into the development process, delivering frictionless security assurance from code commit to application delivery. Learn more.
Control Risks is a global specialist risk consultancy. We help clients find opportunities and grow, build secure, compliant and resilient organizations, and resolve critical business issues and crises. Our unique expertise and geographical reach support decision-making with crucial intelligence and insight. Learn more at controlrisks.com.
The Johns Hopkins University Information Security Institute provides the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security and information assurance. Learn more at isi.jhu.edu.