podcast

The CyberWire Daily Podcast

Telegram recovers from a distributed denial-of-service attack. No attribution yet, but all the circumstantial evidence points to the Chinese security services. Operation Fishwrap, conducted by parties unknown, is an influence campaign that substitutes olds for news. Aircraft component manufacturer ASCO’s production is hit by ransomware. Hacking back is back, in Congress. Why don’t people patch? And a tip on fact-checking. Ben Yelin from UMD CHHS on NYPD cellphone surveillance. Guest is Dave Aitel from Cyxtera on offense oriented security and the INFILTRATE conference.

Transcript

Dave Bittner: [00:00:03] Telegram recovers from a distributed denial of service attack. Operation Fishwrap, conducted by parties unknown, is an influence campaign that substitutes olds for news. Aircraft component manufacturer ASCO's production is hit by ransomware. Hacking back is back in Congress. We wonder why people don't patch. And a tip on fact-checking.

Dave Bittner: [00:00:32] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated Insider Threat Management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself, no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 13, 2019.

Dave Bittner: [00:02:05] Telegram has stabilized its service after sustaining a very large distributed denial of service attack, Reuters reports. The DDoS attack traffic originated largely from Chinese IP addresses, and circumstantial evidence points to Chinese government's attempts to disrupt the use of the secure messaging service by protesters in Hong Kong. According to Bloomberg, controversial legislation that would facilitate extraditions to China proper from the semi-autonomous city has prompted very widespread street protests in Hong Kong.

Dave Bittner: [00:02:39] Recorded Future describes an influence campaign they're calling Fishwrap. Fishwrap repackages genuine but old news as fresh breaking news. It's therefore not really fake but rather misleading. The stories themselves don't appear to be altered and even retain their original dates. But a flurry of tweets distributing a story from, say, 2016 gives the old news current impact. It's very easy to overlook a dateline in a newsfeed. You expect something that's breaking to be current.

Dave Bittner: [00:03:11] We note that YouTube's algorithms seem to have inadvertently engaged in a juxtaposition of news that bears at least a family resemblance to Fishwrap. You will recall that the algorithmically delivered context YouTube provided to video of the Notre Dame fire in Paris included links to material about the 9/11 attacks in New York. Fishwrap makes such mistakes on purpose. They're intentional tactics.

Dave Bittner: [00:03:36] And Fishwrap generally doesn't violate platforms' terms of service either, even so far as those terms of service do seek to draw lines between truth and falsehood. So far, there's no attribution, but the effort that went into the campaign and its concentration on politically and socially divisive clickbait seems to represent a nation-state systematic adoption of a relatively obvious but hitherto unusual tactic.

Dave Bittner: [00:04:03] A ransomware infestation at one of its Belgian facilities has disrupted production at aircraft parts manufacturer ASCO. About a thousand workers have been furloughed indefinitely as plants in Belgium, Germany, Canada and the U.S. are temporarily closed. The facility known to be affected is the one located in Zaventem, Belgium. The other production centers may have been closed as a precaution in an attempt to isolate the infection.

Dave Bittner: [00:04:30] ASCO is based in Belgium but has been owned since last year by the U.S. company Spirit AeroSystems. It's an important supplier of components to both commercial and military aircraft companies. Boeing, Lockheed Martin and Airbus are all customers.

Dave Bittner: [00:04:46] The ransomware was detected last Friday, June 7, and ASCO has been releasing information about it slowly and carefully. It has said that it's notified appropriate law enforcement authorities and that it's brought in security companies to help with forensics and recovery. The company's sparse public communications contrast with very quick and forthcoming public communication of Norsk Hydro when it recently sustained a similar attack.

Dave Bittner: [00:05:12] Representatives Tom Graves, a Republican of Georgia, and Josh Gottheimer, a Democrat of New Jersey, are reintroducing a hack-back bill to the U.S. Congress with bipartisan support. They're calling it the Active Cyber Defense Certainty Act. Intelligence and law enforcement agencies remain cool to the idea, being concerned about the notorious difficulty of attribution. Some in the security industry are also skittish about the concept of cyber active defense, as the proposed bill calls it, fearing that such laws would tend to induce a crossfire in cyberspace whose effects would be hard to predict and difficult to control.

Dave Bittner: [00:05:51] Representative Graves told CyberScoop that the bill's language resonates with recent remarks by U.S. national security adviser Bolton, who earlier this week talked about U.S. intentions of finding greater scope for retaliatory action in cyberspace. That may be a reach since arguably, Mr. Bolton was talking about an inherently governmental responsibility. But in fairness, the Active Cyber Defense Certainty Act doesn't seem to create the Wild West.

Dave Bittner: [00:06:18] The FBI would be the ones issuing the letters of mark and reprisal here. Quote, "a defender who uses an active cyber defense measure must notify the FBI National Cyber Investigative Joint Task Force and receive a response from the FBI acknowledging receipt of the notification prior to using the measure," end quote. Presumably, acknowledgment of receipt means go ahead and open fire.

Dave Bittner: [00:06:42] As we say, the proposed measure isn't the utterly reckless hack-back-and-go-get-'em system bandied about a few years ago. But Congress will no doubt want to take a close look at this one.

Dave Bittner: [00:06:54] Last month, security pros gathered in Miami to attend the INFILTRATE Conference, which focuses on offense-oriented security issues. Dave Aitel is chief security technology officer for Cyxtera and one of the organizers of the INFILTRATE Conference.

Dave Aitel: [00:07:11] We felt there was a big gap where, every time you went to a talk, they would have to tell you about the interesting stuff. And then they would apologize for telling you about the interesting stuff and sort of, like, pretend as if they didn't want to do offensive work. We sort of took that on ourselves. We're going to make a high-end conference full of people who understand what exploits are - so it's not for beginners necessarily - all about the hardcore technical stuff and not about all the marketing nonsense that's going along with most the other big conferences.

Dave Aitel: [00:07:41] So we do a few things very differently. One, every talk gets peer-reviewed before it goes on stage. We have a team of technical experts watch every talk and make suggestions. And sometimes the suggestions are very simple, like, please make your fonts so that people can read them. And then some of them are deep, technical sort of concerns with the project or ideas that perhaps the author hadn't thought of.

Dave Bittner: [00:08:05] I want to explore something that you mentioned there, which is this notion of people apologizing for the good stuff. Is there - it seems to me like there's a subtext there. Like, the offensive stuff is considered to be the good stuff. But is there a social taboo about talking about it?

Dave Aitel: [00:08:22] There is. There's a huge social taboo for pointing out what we all know, which is that offense is super fun and defense is super boring. Everyone sort of does this kowtow towards the defensive side at most conferences. And we just rip all that away so that we can get on with the business of the interesting technical content at INFILTRATE.

Dave Bittner: [00:08:41] Well, give me some of the sort of the background here. For folks who might not be familiar with exactly what's involved on the offensive side, what's the scope and the range of what we're talking about here?

Dave Aitel: [00:08:51] It could be anything from how to properly automatically attack an active directory network, which is something Microsoft Research presented on in 2015 and which there was a lot of focus on. And a tool came out of that research called BloodHound eventually. And then that, of course, technique is what WannaCry and all the - NotPetya and all the other worms have been using to sort of rampage around everyone's networks for the past two years. In a sense, it's about getting ahead.

Dave Bittner: [00:09:20] What is on the horizon? What are some of the things that folks might have presented on that you think are worth mentioning?

Dave Aitel: [00:09:26] We had a lot of phone exploit talks this year. We had a number of talks that sort of looked at how ARM is doing their authenticated pointers and bypassed that sort of defensive mechanism. So it's always a question, when a new mitigation comes out, is it going to be able to be easily bypassed, or is it going to be very difficult to bypass? And I think we've come to the grips of some of these things being useful in certain circumstances, like remote attacks, but not useful against local attacks on the phones themselves.

Dave Aitel: [00:09:57] The telephony attacks were some of my favorite talks, but we also had talks about the past. And I think it was interesting to note that the very first talk was a 20-year-old Solaris local exploit finally being released, which I thought was really interesting.

Dave Bittner: [00:10:13] Bringing it back again to the sort of social taboo, do you see things shifting? Are people waking up to a different reality with this?

Dave Aitel: [00:10:21] I mean, I hesitate to say that people are waking up because if you look at the major companies, they all have a big offensive team. Microsoft, Google, Amazon, Apple - you name it, they have a giant team of offensive researchers. And they compete very carefully for talent in that space. And that's one of the things, obviously, that happens at INFILTRATE.

Dave Aitel: [00:10:40] The taboo, although it is clearly very evident at most conferences, is something that I don't necessarily think is holding any of these companies back from investing in space. I mean, our sponsors include every big-name company you can find.

Dave Bittner: [00:10:54] That's Dave Aitel from Cyxtera and the INFILTRATE Conference.

Dave Bittner: [00:11:00] Why do enterprises fail to patch known high-consequence vulnerabilities like BlueKeep? Avast calls it update inertia. It's all in your heads, IT. Or, to be more precise, it's there in your limbic system, says Avast. The problem with patching is that people tend to regard it as a high-labor, low-payoff nuisance, awakening with a sense of urgency only when they realize that, oh, wait, all my data are belong to someone else. So work to overcome those tendencies. Don't make the lizard brain your personal CISO.

Dave Bittner: [00:11:34] Finally, returning to how algorithms can steer us through falsehood and into truth, I had an interesting experience the other day. I sometimes need to check pronunciations, and YouTube can be a useful place to do this. I was seized by a concern that I had mispronounced TA505. I didn't think so, but it was bothering me, so I checked. A quick search on YouTube brought up a video that was me pronouncing TA505 on a previous episode of the CyberWire. So I'm glad I got that one cleared up.

Dave Bittner: [00:12:07] Here's a fact-checking tip for you all. You want to know if that newspaper story is true? Go buy another copy of the newspaper to double-check it. And I can't help wondering, if I worked hard on my amazing Australian accent, could I become the standard in New South Wales? G'day, mate, from the CyberWire. Awful.

Dave Bittner: [00:12:32] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms

Dave Bittner: [00:13:47] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, it's always great to have you back. We had a story come by. This is from the website called MuckRock, and it's an interesting one about the NYPD claiming that they have no records on the Millions March cell phone surveillance. There's a lot to unpack here. Help us understand what's going on here.

Ben Yelin: [00:14:13] Back in 2014, there was a large peaceful protest in New York City on the Eric Garner incident. There was a protest called the Millions March in New York City - attracted 25,000 people. At least allegedly, the New York Police Department used surveillance tools to try and track members of these protest groups.

Ben Yelin: [00:14:36] The reason suspicions were raised is because protesters, and particularly the leaders of the protest, were getting suspicious messages on their devices. The devices were shutting off at random. There were messages indicating interference. So there were some suspicions raised.

Ben Yelin: [00:14:53] Members of this march, in coordination with the ACLU, tried to use New York's equivalent of the Freedom of Information Act, which in New York is called the Freedom of Information Law, to find out what sort of surveillance techniques, if any, were being used by the police department.

Ben Yelin: [00:15:11] First, the New York Police Department used what's called a Glomar denial, which is basically the, I'm not going to confirm nor deny your suspicions; I'm simply not going to give you any information. A court...

Dave Bittner: [00:15:24] And they're allowed to do that?

Ben Yelin: [00:15:26] They are allowed to do that...

Dave Bittner: [00:15:28] (Laughter) OK.

Ben Yelin: [00:15:28] ...Until a court steps in.

Dave Bittner: [00:15:28] I see.

Ben Yelin: [00:15:28] And that's what happened here.

Dave Bittner: [00:15:30] I see.

Ben Yelin: [00:15:31] A court stepped in and basically said they had to comply with this Freedom of Information request. And now the New York Police Department is simply saying, we do not have those records. We do not have information. This is at an absolute impasse now. I'm sure members of the Millions March are going to appeal. It's certainly a major civil liberties concern.

Ben Yelin: [00:15:55] If the New York Police Department was using surveillance techniques like Stingray devices, where law enforcement is able to trick cell phones into identifying their location by posing as cell site towers, then that gives the users of the cell phones certain legal rights under the Fourth Amendment. In order to know whether those statutes have been violated or these constitutional principles have been violated, we need access to that information. So it's certainly disturbing that the police department doesn't have access of these records.

Ben Yelin: [00:16:26] The one good thing is that - from a civil libertarian's perspective, is that the court ruled against this - what they call the Glomar invocation, this invocation that they were not going to confirm or deny the existence of these surveillance tools. The court was very clear that that was not acceptable in this case. And as a result, that set a precedent for future cases within the New York court system. So assuming that in the future records are actually retained as it relates to these surveillance services, at the very least cell phone users and members of future marches and the like will have this legal opinion as binding precedence.

Dave Bittner: [00:17:03] To be clear here, coming from the NYPD's point of view, I mean, they are under legal obligation to tell the truth here, right? They can't just say, oh, no, we don't have those records if they have a box of records sitting behind them - and saying, what records? If they had the records, legally, they would have to say so.

Ben Yelin: [00:17:21] They absolutely would, especially since it's now mandated as part of a court order. I'm certainly not in any way suggesting that they are breaking the law by lying about whether they've retained these records. But it's also possible that they have been breaking record retention laws. If there were evidence that these records were destroyed prior to this court decision, there could be legal consequences for the department.

Ben Yelin: [00:17:44] As far as I can see - and maybe you have a different read of this - I haven't seen any evidence of that. So if it was a good-faith mistake and they intended to keep the records but, for whatever reason, the records were not retained, then they're not going to be exposed to legal liability.

Dave Bittner: [00:17:59] So where do we suspect this goes from here?

Ben Yelin: [00:18:02] As far as we know at the moment, the highest court to weigh in on this is the New York Supreme Court, which, in New York, is actually not the highest court in the land. But we are really going to be at an impasse if it's true the New York Police Department didn't actually retain these records.

Ben Yelin: [00:18:19] You know, in the one sense, that's a very dissatisfying answer for the members of this protest, rightly are suspicious of whether their communications were intercepted or whether their location was tracked while they were exercising their First Amendment rights. But on the plus side, we now have this precedent decision saying that the New York Police Department can't issue this Glomar denial if there are allegations that they have been using surveillance techniques. In the future, according to this precedent, in similar cases, the police department is going to have to either confirm or deny whether they were using this surveillance technology.

Ben Yelin: [00:18:56] Sometimes groups like the ACLU, the best they can do is solicit an admission that these surveillance techniques are being used, even if they aren't able to get additional information. Sometimes simply publicizing the fact that Stingray devices are being used or other intercepting technology is being used can be the purpose of some of these lawsuits - just to get it out there in the public mind that people who are protesting might be insecure in their electronic devices.

Dave Bittner: [00:19:25] All right. Well, Ben Yelin, thanks for joining us.

Ben Yelin: [00:19:28] Thank you.

Dave Bittner: [00:19:33] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bitner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
ObserveIT
ObserveIT

ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.

ThreatConnect

Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music
Follow the CyberWire