In today's podcast we hear that cyber threats to river traffic have intermodal implications. Nation state hacking, Presidential Policy Directive 20, and international norms of cyber conflict. The tragic consequences of overconfidence concerning communications security. Australia's new cyber laws are more legal hammer than required backdoor. A campaign of ATM robbery nets millions worldwide. A cryptocurrency speculator sues the phone company, a spyware firm sues a former employee, and the Dread Pirate Roberts would like a pardon. Johannes Ullrich from SANS and the ICS Stormcast Podcast, on lingering legacy passwords in Office documents. Guest is Phil Neray from CyberX on the National Risk Management Center being spun up by DHS.
Dave Bittner: [00:00:03] Cyberthreats to river traffic have intermodal implications, nation-state hacking by the familiar four, Presidential Policy Directive 20 and international norms of cyberconflict. The tragic consequences of overconfidence concerning communications security. Australia's new cyberlaws are more legal hammer than required backdoor. A campaign of ATM robbery nets millions worldwide. A cryptocurrency speculator sues the phone company, a spyware firm sues a former employee, and the Dread Pirate Roberts would like a pardon.
Dave Bittner: [00:00:43] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:49] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 16, 2018. The FBI is warning of cyberthreats to a sometimes-overlooked sector of transportation infrastructure, inland waterways. Those include the rivers, canals, dams, locks and intermodal facilities that serve water traffic in the U.S. There's a great deal of ship and barge traffic in U.S. rivers, especially in the Mississippi basin, and the disruption to that traffic would have an intermodal ripple effect on road, rail and air transportation.
Dave Bittner: [00:02:27] NSA alumnus Rob Joyce gave an account of nation-state hacking at DEF CON last week. The rogues' gallery was populated by a familiar four - Russia, China, North Korea and Iran. Espionage is pervasive, to be sure, but the four countries have distinct interests. Russia is heavily invested in traditional espionage, in developing the potential for cybersabotage and in pursuing disruptive information operations against its targets. China, whose activities have subsided somewhat but which can be expected to return to or exceed their former vigor, should a full-blown trade war with the U.S. erupt, has typically been interested in industrial espionage, in the theft of trade secrets for the benefit of Chinese industry and the country's larger economic place in the world.
Dave Bittner: [00:03:16] Iran has recently been preoccupied with working against regional rivals, particularly Sunni Muslim powers like Saudi Arabia. But they have shown an interest in U.S. targets in the recent past. Joyce doesn't call this out specifically, at least, as his remarks are being reported, but many think Iran likely to return to direct theft and financial fraud as renewed sanctions bite deeper into the country's economy. In this, Tehran would be following the unfortunate example of Pyongyang, whose North Korean hacking teams operating as the Lazarus Group and other threat actors have long been involved in fraudulent wire transfers and other forms of bank account looting.
Dave Bittner: [00:03:56] A recent example of what appears to be a North Korean campaign of theft has been seen in the looting of ATMs associated with India's Cosmos Bank. $13.5 million is said to have been drained from machines in some 28 countries. This particular raid, as computing and other sections of the international press are pointing out, came shortly after an FBI warning that something like this was afoot. The investigation is still young, but the early signs point toward the DPRK's Lazarus Group.
Dave Bittner: [00:04:28] President Trump is reported to have loosened in various unspecified ways the constraints on U.S. retaliatory cyberoperations that have been in place since President Obama's promulgation of Presidential Policy Directive 20. PPD-20 is secret but, in outline, generally familiar, thanks to illicit leaking and more or less licit hinting. Too much of both, probably. PPD-20 is said to have established some guidelines under which the U.S. might undertake to hack foreign targets. It's thought that the current revision to the policy PPD-20 embodied would probably take the form of greater delegation of authority to conduct offensive operations in cyberspace. Relaxation of certain restrictions seems consistent with public comments from U.S. Cyber Command, particularly Gen. Nakasone's remarks about just what it means for the military to be sworn to support and defend the Constitution of the United States.
Dave Bittner: [00:05:25] The problem of nation-state hacking has prompted renewed calls for a better or clearer set of international norms for cyberspace. These might be modeled on the existing laws of armed conflict. We heard from the Cloud Security Alliance, the CSA, on the matter, via email. The CSA's CEO Jim Reavis said, quote, "the CSA perspective is that we would like to see an international dialogue on the use of cyberweapons in warfare. Computer technology was long ago weaponized, but there would be tremendous value in having a global understanding in how this can be used and clarifying that attacks targeting cyberinfrastructure for civilian uses, such as hospitals, should be forbidden. We will eventually see treaties in this area as we gain a more mature understanding of the space."
Dave Bittner: [00:06:12] It's worth noting that prohibitions - really, inhibitions - of attacks against targets that people use simply as ordinary human beings and not as combatants, like medical facilities, water sources and so on, have evolved into formal rules of kinetic conflict over the past century. Many would hope to see these extended to cyberconflict, as well.
Dave Bittner: [00:06:34] The secretary of the U.S. Department of Homeland Security recently announced the launch of the National Risk Management Center, with the mission of guarding the nation's banks, energy companies, and other industries from major cyberattacks that could cripple critical infrastructure. Phil Neray is from security company CyberX.
Phil Neray: [00:06:53] I think that the launch of the center is important. It is an acknowledgment that cyberthreats to our critical infrastructure are serious and that we need to handle them in a centralized and coordinated way. And we've seen, you know, over the last few months, acknowledgements from the administration and from various intelligence agencies that we know the Russians have been in our critical infrastructure, we know they're targeting not just our energy sector but also other sectors, like pharmaceuticals and oil and gas and chemicals. And we know that we have other adversaries, like Iran and North Korea, that are trying to do the same thing. So I think the idea of centralizing our response and centralizing the way we deal with these threats is a good thing. I think information sharing is a good thing. And coming up with some common ways of defending against these threats is important.
Phil Neray: [00:07:50] What is missing, so far, though - because we've had ISACs before. We've had groups that share information across sectors about threat actors and campaigns. What we're missing, though, are minimum standards of due care or minimum standards of security monitoring across all these sectors. NERC CIP was a good first step, but it's just for the energy sector. And it was designed a couple of years ago before these more sophisticated threats came into play so it's missing some key things, like being able to monitor a network continuously to detect a breach or an intrusion. If we were to look at NISD, the Network and Information Systems Directive that the EU put into place in April, that would be more, I think, what we need in terms of giving the industry guidance on a comprehensive set of minimal requirements for security.
Dave Bittner: [00:08:48] Now, you had some points you wanted to make, about Fancy Bear, specifically. You think there are some things that folks may be overlooking?
Phil Neray: [00:08:57] Well, the thing about Fancy Bear that's interesting is, you know, different industry groups have been tracking them for years. If you look at the group, they have a long history of doing nefarious cyber things across the world, right? In July 2008, they hacked Georgian ministries in advance of a Russian military invasion. It was probably the first time we saw a coordinated cyber and kinetic attack. In 2011 to 2014, they infected U.S. energy firms with BlackEnergy malware. In 2015, they destroyed equipment belonging to a French broadcaster, TV5. They made it - they tried to make it seem like it was an Islamic terrorist group, but later we found that it was them. They compromised German Bundestag members in 2015. They compromised U.S. defense contractors in 2015 and '16.
Phil Neray: [00:09:54] They're more famously known for two destructive grid attacks in the Ukraine, one in December 2015, one in 2016. And with the recent indictments by the DOJ related to interference in our 2016 presidential election, officers that were named in that are all GRU officers - GRU being the Russian military intelligence agency. You know, in one of your recent podcasts, you said, you know, the goal is disruption and chaos. And if you think about, you know, disruption and chaos that was caused in the Ukraine by shutting down portions of the grid in the middle of winter, I mean, I don't think anybody really died, and it wasn't a catastrophe from a safety point of view or an environmental point of view, but it certainly goes a long way to creating disruption and chaos in the society.
Phil Neray: [00:10:47] We also believe that Fancy Bear or, at least, the GRU was responsible for NotPetya. You know, the cost of NotPetya, the economic impact of NotPetya is in the billions of dollars, including, you know, critical infrastructure and industrial ICS systems that were down for days or weeks or months at a time, causing the companies to report huge losses. So you know, that's a different type of vendetta. That's an economic impact, as opposed to a kinetic impact or an electrical grid impact or an attempt to influence our political process.
Dave Bittner: [00:11:25] That's Phil Neray from CyberX.
Dave Bittner: [00:11:29] Foreign Policy is reporting on the immediate human consequences of inadequate communications security. According to the journal, a CIA communications system that had worked well enough in the relatively benign Middle Eastern environments, where the agency had used it earlier, failed when it was deployed for running agents in China. Chinese security services were able to penetrate it between 2010 and 2012, roll up the CIA's agents and execute about 30 of them. Some estimates give a higher toll. China's alleged recruitment of former CIA officer Jerry Chun Shing Lee appears to have contributed to the intelligence failure. Lee was indicted earlier this year for his alleged role in the matter.
Dave Bittner: [00:12:14] Australia's new cybersecurity laws seem to function more by penalizing noncooperation than by mandating backdoors. So no backdoors, but the penalties for not working with police when they ask for your help won't be chicken feed by any means. Companies that refuse to disclose customer data upon proper request can be fined up to 10 million Australian dollars. That's about $7.3 million in U.S. currency. And individuals who won't open their devices to duly constituted authority could face up to 10 years in prison.
Dave Bittner: [00:12:48] A U.S. cryptocurrency speculator says he lost $24 million in altcoin to a crook who got into his cellphone account and that it's all AT&T's fault for not being secure enough. In fact, it's so much AT&T's fault, says the California man, that the phone company owes him damages an order of magnitude larger than his losses. He's asking for $224 million to make him whole.
Dave Bittner: [00:13:14] And remember Ross Ulbricht, the Dread Pirate Roberts who ran the Silk Road online contraband emporium? He's currently serving two life sentences plus 40 years without possibility of parole. As anyone in his shoes would, he's angling for a pardon, now through a Twitter account his family set up for him. He tells them what to tweet, and they take it from there. The Twitter feed describes Silk Road as being not that different from eBay. Sure, there was some illegal stuff traded there. But, according to them, that was mostly just small amounts of cannabis. Mr. Ulbricht's line is that his sentence is shocking and far too harsh for what he and his supporters characterize as nonviolent offenses. Mr. Ulbricht was, for example, originally suspected of selling murder as a service, but that didn't make it into his final charge sheet. There were also claims that people died of drugs bought on the Silk Road.
Dave Bittner: [00:14:11] Unfortunately, the misconduct of some of the investigators in his case will lead some to agree that the Dread Pirate Roberts is being ill-used. A Secret Service agent, Shaun Bridges, pleaded guilty to stealing Silk Road bitcoins, and a Drug Enforcement Agency man, Carl Force, received six years for both bitcoin theft and for trying to extort Ulbricht. Bridge and Force. May their names be remembered for infamy. Still, it seems unlikely Mr. Ulbricht will receive his pardon.
Dave Bittner: [00:14:46] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.Com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:15:47] And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Institute. He's also the host of the ISC "StormCast" podcast. Johannes, you had a story you wanted to share today. This involves an encrypted Office document using an old default password. What do you have to share?
Johannes Ullrich: [00:16:02] Yeah. This was a real interesting case here. Now, velvet sweatshop is nothing you necessarily associate with Microsoft. But what happened was that old, old versions of Office used this password as a default password to encrypt Office documents. So in these - and I'm talking about ancient versions of Office here. When you encrypted a document, you actually didn't enter a password. You just basically clicked, I want the document to be protected, as they called it, and then Office encrypted the document using this password, velvet sweatshop.
Johannes Ullrich: [00:16:39] Well, move forward a few years or a decade, and new versions of Office still support this old format. So what they do is, if they encounter an encrypted document with this default password, they'll just decrypt it for you. They won't prompt you for a password. They'll just do it for you. And apparently, malware writers have figured this out. So what they will do is, they'll send you a malicious document. This document is encrypted using this default password. Now, a lot of your security software doesn't know about this password. So what they'll do is they'll just treat it as an encrypted document and forward it for you, and they won't inspect it. But Office, or Microsoft Word in this case, well, it knows about the password. It will open the document for you like it's an unencrypted document and will run the malicious content.
Dave Bittner: [00:17:38] Now, is there any warning that any of this is going on? Does Office warn you that you're dealing with a legacy encrypted document?
Johannes Ullrich: [00:17:46] Nope. They really just treat it as an unencrypted document. So really no warning here. Of course, you may get some additional warnings later as the malicious content runs, like, things like, for example, macro warnings and such. But it's not like some of the other encrypted emails where they - you know, within the email they'll tell you, hey, this document is encrypted and please use this particular password to decrypt it.
Dave Bittner: [00:18:10] And is there any way to protect yourself? Can you disable something in Office, or is this a functionality you're kind of stuck with?
Johannes Ullrich: [00:18:16] You're really stuck with this. I think the real protection here is to make sure that your security products know about this default password. Now, I haven't really done a survey of this so I'm not really sure how well they protect you from any of this.
Dave Bittner: [00:18:32] All right. It's an interesting one, for sure. It just shows you how sometimes these old things come back to haunt you. Johannes Ullrich, as always, thanks for joining us.
Johannes Ullrich: [00:18:40] Thank you.
Dave Bittner: [00:18:45] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:53] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more.