Julian Assange is out of the Ecuadoran embassy and in British custody. He’s been found guilty of bail jumping, and will face extradition to the US on charges related to conspiracy to release classified material. Hidden Cobra is back with a new Trojan: “HOPLIGHT.” Kaspersky describes Operation SneakyPastes. IBM Security finds organizations don’t exercise incident response plans. Two New Jersey high school boys are in trouble for jamming Secaucus High’s wi-fi. Jonathan Katz from UMD with his response to a skeptical critique of quantum computing. Guest is Maurice Singleton from Vidsys on the convergence of IoT security devices and IT security.
Dave Bittner: [00:00:03] Julian Assange is out of the Ecuadorian Embassy and in British custody. He's been found guilty of bail jumping and will face extradition to the U.S. on charges related to conspiracy to release classified material. Hidden Cobra is back with a new Trojan, HOPLIGHT. Kaspersky describes operation SneakyPastes. IBM security finds organizations don't exercise incident response plans. And two New Jersey high school boys are in trouble for jamming Secaucus High's Wi-Fi.
Dave Bittner: [00:00:40] And now, a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help Tier 1 analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:37] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 11, 2019. The big story today is about WikiLeaks founder Julian Assange. Ecuador ejected him from its London embassy early this morning, citing repeated violations to international conventions and daily life protocols. The international conventions Ecuador says he violated involve abuse of their hospitality to engage in actions Ecuador says are designed to undermine its government. The complaint about daily life protocols involves ways in which the embassy staff increasingly found Mr. Assange a pain to live with during his seven years in residence.
Dave Bittner: [00:02:20] The years have no doubt been difficult ones in certain respects. That's what Mr. Assange's colleagues at WikiLeaks say - confinement, lack of sun, few visitors and so on. And indeed, he didn't look good when London police escorted him in handcuffs from the embassy grounds. He now sports a big St. Nicholas-style white beard, for one thing. But then, he is older, and time is the fire in which all of us burn. He gamely smiled for the cameras and gave the reporters a big thumbs up, and he also held a copy of Gore Vidal's "History Of The National Security State."
Dave Bittner: [00:02:56] Mr. Assange was arrested by the Metropolitan Police for bail jumping. Homeland Secretary Sajid Javid tweeted, quote, "I can confirm Julian Assange is now in police custody and rightly facing justice in the U.K." Other official British reaction has been equally starchy. Foreign Secretary Jeremy Hunt said he has hidden from the truth for years and years, and it's right that his future should be decided in the British judicial system.
Dave Bittner: [00:03:24] The big legal problem Mr. Assange faces isn't just a bail-skipping beef - the kind of thing that might be resolved on reality TV by Dog the Bounty Hunter - nor is it likely to be his now-closed dust-up with Sweden's legal system, although that one was a more serious matter. He had faced sexual assault charges in Sweden. These have been dropped, but could be reopened if Swedish authorities found cause to do so. Mr. Assange says that the whole thing was a frame-up anyway, probably an American honey trap. It was the prospect of facing Swedish justice, however, that led him to the U.K. and the embassy of Ecuador in 2012.
Dave Bittner: [00:04:04] More serious still, and more likely, is the prospect of being extradited to the United States. It has long been thought, based on an apparently inadvertent failure to fully redact a related indictment, that Mr. Assange would be charged in the U.S. That's now confirmed. The U.S. Justice Department unsealed an indictment shortly after Ecuador showed Mr. Assange the door. He's charged with one count of conspiracy to release classified information. The alleged conspiracy was with former U.S. Army Specialist Bradley - now Chelsea - Manning. Justice says that if convicted, Mr. Assange could face five years in prison. For now, it's just the one charge, but the Justice Department is indicating that more could well be added.
Dave Bittner: [00:04:48] He faced his first hearing at a Westminster Magistrates' Court, where District Judge Michael Snow threw the book and some tough love at him for skipping out on bail. The defense claim that the face of WikiLeaks hadn't had a fair hearing to begin with, but Judge Snow was having none of it. The judge said, quote, "Mr. Assange's behavior is that of a narcissist who cannot get beyond his own selfish interests. He hasn't come close to establishing reasonable excuse," thus a quick finding of guilty.
Dave Bittner: [00:05:19] Mr. Assange will remain in custody until sentencing at some later time in the Southwark Crown Court. He could face up to a year's detention at Her Majesty's pleasure. He'll also remain in custody through the extradition hearing that will decide whether he's turned over to the U.S. for trial there. Reporters present in court noted that Mr. Assange continued to read Mr. Vidal's "History Of The National Security State" while he waited for his lawyers to show up.
Dave Bittner: [00:05:46] Russia's government denounced the arrest as a strangling freedom. And it must be conceded that on that topic, at least Moscow speaks from deep and direct experience. But perhaps it's only fair to regard the Kremlin's concern as a disinterested commitment to personal liberty and journalistic rights since Russia has said it has nothing to do with WikiLeaks. Mr. Assange's other supporters object to the arrest as illegal, seeing him as a journalist and transparency activist whose arrest represents an assault on journalism itself. The story is rapidly developing. We'll continue to follow it as it does.
Dave Bittner: [00:06:26] Turning to other matters, CISA, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, has issued a joint Homeland Security-FBI malware analysis report on the HOPLIGHT Trojan, which is attributed to North Korea's Hidden Cobra, also known as the Lazarus Group. It's in use around the world, the report says, and isn't focused on any restricted set of targets. It also uses a proxy app to obscure its connections with its command-and-control server. The report says HOPLIGHT is a fairly powerful backdoor Trojan.
Dave Bittner: [00:07:02] Some say this is a time of accelerating convergence in cybersecurity with increasing opportunities to combine signals from different sources for a clearer picture of what's going on. Maurice Singleton is a founding member of security firm Vidsys, where they're seeing the intersection of physical and IT security.
Maurice Singleton: [00:07:21] We're talking about video surveillance. We're talking about technology such as social media information in real time, as a matter of fact. We're talking about RSS feeds where, you know, folks are constantly plugging in, getting real-time updates about what's going on in and around their environments - right? - and from, again, various different sources - cellphone data, computer data, sensor data, smart information coming from sensors that are part of building management systems, temperature sensors, for example, flood sensors for monitoring the rain and even sensors monitoring chemicals in the air. All of this information is now being flown into one central source where you have folks that need to determine is this real, or is this false?
Dave Bittner: [00:08:18] And can you give me an example of how in the real world this would play out? Is there a situation where having this blend of information really puts you in a better position?
Maurice Singleton: [00:08:28] Let's take a use case where, in a global security operations center, there are monitors out in the environment for chemical detection. One of those sensors might go off - right? - which may indicate that something's happening, or it could be a false, right? And so if you have that sensor go off, the user can quickly have the video presented in the area to determine is there any activity that might lend itself to verify validating that this is a real situation or incident that's occurring. So they get multiple aspects of what's happening.
Maurice Singleton: [00:09:05] At the same time, they might get a phone call that says, hey, someone's not feeling well. And again, it could be in the vicinity of where that chemical detection went up. So now they have more data that adds to the utility and verification of that particular incident that's been reported to them.
Dave Bittner: [00:09:24] So, I mean, you could track things like social media chatter, that people are talking about an incident online as well.
Maurice Singleton: [00:09:29] There you go. Exactly. So people now are on their smartphones going, hey, wait a minute. I just saw, you know, someone that looks to be in distress. I myself might be feeling some effects of not feeling well. You may have chatter on, you know, the public safety radios that's now, you know, where folks are being dispatched, first responders. Again, all of that information is relevant to the particular situation, that incident at that time, that now can be brought in to get better situation awareness and also contribute to the response and actions that need to be taken.
Dave Bittner: [00:10:03] And do you find that this is an area where folks are lagging? Do people tend to think of physical security as physical security and IT as IT?
Maurice Singleton: [00:10:11] No, Actually, we're really starting to see the uptick in that convergence, right? Because, again, you have your physical security folks. You have your IT folks. And while they may have separate missions and separate bills and responsibilities, they are starting to see those touch points where, you know, there are incidents that are basically joint incidents in their environment. Cyberattacks, for example, cannot just be, you know, related to someone trying to access to a computer, for example. It could be someone trying to violate a space as well, right? So there comes that convergence of that information being part of the same response that needs to be taken to address it.
Dave Bittner: [00:10:56] That's Maurice Singleton from Vidsys.
Dave Bittner: [00:11:01] Kaspersky, which yesterday described the activities of TajMahal, now describes an operation by the politically motivated Gaza Cybergang Group1. Kaspersky calls the operation SneakyPastes. This operation is rated as far less sophisticated than anything seen in TajMahal. But potential victims, most of them in and around Israel and the Palestinian territories, should be alert for the spear phishing the group is said to employ. Kaspersky Lab summarizes the principle target set as embassies, government entities, education, media outlets, journalists, activists, political parties or personnel, health care and banking.
Dave Bittner: [00:11:41] Finland's election results reporting system sustained a denial-of-service attack this week. Authorities are investigating, but there is so far no attribution. Finland votes this Sunday. Denial of service would affect the reporting of results by the press and probably not vote tallies themselves. Still, Finnish authorities are concerned about maintaining public confidence in the election. There's widespread agreement that incident-response plans are a security essential. It's therefore dispiriting that an IBM Security study should find that over half of the organizations that have such plans never get around to exercising them.
Dave Bittner: [00:12:22] And finally, a couple of teenagers in New Jersey are in big trouble with the law for jamming the Wi-Fi at Secaucus High School. Our North Jersey desk, by the way, insists that we use the old-school local pronunciation Secaucus as opposed to the trendy Secaucus favored by recent arrivals who lack knowledge but do watch football games over at the Meadowlands. Anywho, the Secaucus utes (ph), both freshmen at Secaucus High, were running a Wi-Fi-jamming on-demand service, apparently with the dual motive of helping out some of their bros and girlfriends who would have rather not taken exams and, of course, getting some LOLs (ph). The two unnamed boys will appear at family court in Jersey City at some undetermined future date to give an account of themselves. The attack was a DDoS - they would flood the school's Wi-Fi routers to render service inaccessible. Nj.com talked to a junior girl in a position to know who told them on background, quote, "he was doing it to get out of tests and stuff like that. One of the boys was also doing it for his friend so she wouldn't have to take a test during the class. It was a big prank, really," end quote. Hey, students, leave those Wi-Fis alone. And if you're listening to us in Hudson County, N.J., we'd just like to close with, go Patriots.
Dave Bittner: [00:13:46] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free, no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:54] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an article from the IEEE Spectrum publication. This was written by Mikhail Dyakonov. And it's called "The Case Against Quantum Computing
Jonathan Katz: [00:15:25] Well, I think what we know - there's a lot of excitement about quantum computing, and it's been studied at least from a theoretical point of view for a couple of decades now. And people are excited or maybe even worried about it from a cybersecurity point of view because we know that as soon as general-purpose, large-scale quantum computers are built, they would be able to break all the public-key cryptography that's currently being used on the internet. So that would be certainly quite devastating. And there are a lot of people now trying to experimentally realize quantum computers not only within academia but also within industry.
Jonathan Katz: [00:15:56] Now, I take - you know, his article, I can appreciate where he's coming from. I think it's certainly worth having some skepticism here. But I think he's really being overly pessimistic. To say that it can never possibly be realized seems a bit extreme. Certainly it may take longer than people think. But there seems to be no fundamental physical reason why we shouldn't be able to build these quantum computers.
Dave Bittner: [00:16:19] Yeah. You know, I hear folks saying that, on the optimistic side, it could be five to 10 years. And then I heard other people say - you know, it's kind of like that joke about fusion energy, that it's always 20 years away no matter when you ask. Is...
Jonathan Katz: [00:16:33] (Laughter) That's right.
Dave Bittner: [00:16:33] Do you think it's somewhere in between there?
Jonathan Katz: [00:16:35] Well, actually, I just gave a talk where I said somewhat jokingly that the best-case scenario from the point of view of research would be if it's five years away for the next 20 years...
Dave Bittner: [00:16:43] (Laughter).
Jonathan Katz: [00:16:43] ...Because you could keep on getting funded for working the area (laughter).
Dave Bittner: [00:16:46] There you go (laughter).
Jonathan Katz: [00:16:48] I mean, what I will say is that it's very unclear what the timeline is. I was actually just recently part of a team that was working on putting together a white paper to actually try to come up with some concrete estimates for how long we think it would take to build a quantum computer capable of, say, factoring the numbers that are being used for modern public-key cryptography. And really, the - at the end of the day, the result was we just don't know. A lot of the theoretical work that's being done doesn't take into account various real-world constants and real-world constraints that people would have to consider in building a quantum computer. And so fundamentally, we just don't quite know yet how these things are going to behave when you start building them in the real world.
Jonathan Katz: [00:17:30] Now, as I said, people are starting to build smaller-scale quantum computers. Google and Microsoft have shown examples of this. And I think that's why the research is important. The goal of the research is to exactly see what happens when you start building these things. And the other thing I like to think about always is a quote actually - or an observation, I should say, made by Scott Aaronson that he's made repeatedly - is that if we - if there's some fundamental reason that we aren't aware of yet for why quantum computers cannot be built, then that would represent an advance in our understanding of physics. That would mean that there's something about quantum physics that we currently don't understand.
Jonathan Katz: [00:18:07] And so from that point of view, it would kind of be a win either way. Either we learn something new about physics, or we can build these quantum computers. But as I said earlier, there seems to me no fundamental reason why we can't. It seems to be just an engineering task at this point.
Dave Bittner: [00:18:20] And what is the threshold by which you all consider a quantum computer to be a practical thing and not just something to be running in a lab?
Jonathan Katz: [00:18:30] Well, it depends on what you're trying to do. So there are these quantum computers that are already being commercially produced, for example, by the D-Wave company, which I saw was mentioned in the article. Now, that computer is not what some people would call a true quantum computer. It's relying on certain aspects of quantum machinery but not others. And so in particular, it doesn't allow you to break modern public crypto. But it does allow you to solve other problems.
Jonathan Katz: [00:18:55] And so, again, it kind of depends on what exactly you're looking to do with the quantum computer. If you're looking to attack public-key cryptography, then you need a certain number of cubits to be able to run this algorithm called Shor's algorithm. Again, if that's your only goal, then that would be what you're trying to optimize for.
Dave Bittner: [00:19:10] Time will tell, right? Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:19:13] Thank you.
Dave Bittner: [00:19:19] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at thecyberwire.com.
Dave Bittner: [00:19:26] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider-threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:37] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ExtraHop provides cyber analytics for the hybrid enterprise. Using wire data and machine learning for real-time threat detection and investigation from Core to Cloud, ExtraHop delivers unprecedented visibility, definitive insights, and immediate answers so security teams can act with confidence. Learn more at ExtraHop.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.