Microsoft patches a vulnerability NSA disclosed. Fronting for APT40 in Hainan. Fancy Bear pawed at Burisma. The Pensacola shooting and the debate over encryption.
Dave Bittner: [00:00:04] NSA discloses a vulnerability to Microsoft so it can be patched quickly. Intrusion Truth describes 13 front companies for China's APT40. They're interested in offensive cyber capabilities. Area 1 reports that Russia's GRU conducted a focused phishing campaign against Ukraine's Burisma Group, the energy company that figured prominently in the House's resolution to impeach US President Trump. And the US Justice Department moves for access to encrypted communications.
Dave Bittner: [00:00:39] And now a word from our sponsor, PrivacyGuard. By now, you might have heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies, companies that you might have done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to privacyguard.com. That's privacyguard.com. And we thank PrivacyGuard for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:10] Still on assignment in Seattle, Washington, and looking forward to heading home, I'm Dave Bittner with your CyberWire summary for Tuesday, January 14th, 2020.
Dave Bittner: [00:02:20] Today is Patch Tuesday. And late yesterday, KrebsOnSecurity said that sources told him Microsoft would issue an unusually important patch for a core cryptographic component shared by all versions of Windows. That module is crypt32.dll, which Microsoft characterizes as handling certificate and cryptographic messaging functions in the CryptoAPI. The Washington Post this morning reported that the flaw was discovered by the US National Security Agency, which quietly reported it to Microsoft rather than weaponizing the vulnerability. The flaw is said to be comparable in severity to the one exploited by EternalBlue, which NSA also discovered and disclosed to Microsoft upon learning that others had gained access to the tool. The flaw to be patched today has a variety of implications for authentication and protection of sensitive data. And it could also, in principle, be exploited to spoof digital signatures associated with particular bits of software. Early reports said that Microsoft had quietly informed some government agencies of the vulnerability. But this seems in some respects to have it backward. It was the US government, specifically NSA, that informed Microsoft.
Dave Bittner: [00:03:33] NSA commented early this afternoon in a media call. Cybersecurity directorate head Anne Neuberger said NSA discovered the crucial vulnerability in the course of its routine look at the range of tools it uses. Given the vulnerability's severity, NSA decided to notify Microsoft to help them expedite patching. NSA itself recommends that network owners immediately implement the patch, as, she said, we ourselves will be doing. When Microsoft posts the patch this afternoon, they will give attribution to NSA. NSA agreed to attribution as a way of building trust, of showing their work. They also wanted the attribution as a way of leaning forward to raise awareness and a proper sense of urgency. These represent, she said, an evolution of NSA's new commitment to openness and the building of trust with the larger community. Asked why NSA decided to disclose rather than weaponize the vulnerability, Director Neuberger said that in this case, it was NSA's judgment that its mission was best served through disclosure. This is part of overall trust building.
Dave Bittner: [00:04:38] The CyberWire asked if this disclosure represented the ordinary working of the Vulnerabilities Equities Process. Ms. Neuberger explained that the Vulnerabilities Equities Process, a National Security Council process, concerns itself with retention decisions. But in this case, the process didn't need to be invoked. NSA quickly made a determination to share the vulnerability it discovered. And so the VEP wasn't engaged. This sort of decision to disclose, Ms. Neuberger said, should be regarded as NSA's normal way of doing business. When security is enhanced by disclosure, NSA will decide to disclose. Neither NSA nor Microsoft has seen any exploitation of the vulnerability in the wild. And if you'll take NSA's advice, you'll apply today's Microsoft patch as soon as you can.
Dave Bittner: [00:05:27] ZDNet reports that the anonymous security analysts of Intrusion Truth have uncovered some 13 companies operating for the most part from Hainan, a large island province in the South China Sea, that serve as fronts for APT40. APT40 is a threat group associated with the Chinese government and best known for espionage on behalf of the People's Liberation Army Navy. An order of battle note - that may be an odd-sounding name, but it's the one China's navy is known by - the People's Liberation Army Navy.
Dave Bittner: [00:05:59] Intrusion Truth posted its findings this past Thursday and Friday. The 13 Hainan companies are all hiring. And they're hiring people with offensive cyber skills and useful linguistic capabilities. For example, some of the job ads look for female English speakers. As Intrusion Truth sums it up, quote, "we have multiple companies with identical descriptions and job adverts, overlapping contact details and office locations but different names, recruiting for offensive hacking skills. Like Boyusec, Huaying Haitai, Antorsoft and others, these companies have very little presence on the internet outside of these adverts." It's, of course, possible that offensive skills can be, as they often are, put to defensive use in red teaming and penetration testing. But the skill sets the companies are interested in would seem to mark them as organizations of interest.
Dave Bittner: [00:06:52] They've also found an academic connection, one Gu Jian, a professor in the information security department of Hainan University. His CV describes him as a former member of the People's Liberation Army. In itself, that's no surprise. There's no shortage of PLA veterans in China. It's a pretty big army. Professor Gu is also down as the contact person for one of the front companies that's itself linked to the other 12. It's an interesting example of how researchers develop connections among cyber actors. Intrusion Truth promises more posts on the Hainan group of companies in the near future.
Dave Bittner: [00:07:31] It's a new year, and that means predictions are hot on many minds as we try to align security budgets with resources. Haiyan Song is senior vice president and general manager of security market at Splunk. And she shares these insights.
Haiyan Song: [00:07:45] Cloud adoption, I would say, is still in the early stages in terms of fully understanding how this new paradigm of cloud computing is going to impact our day to day. You know, we love all the technologies like the new containers, the Kubernetes. And in the meantime, there's also this whole emergence of API-driven economy in the cloud, right? People can build solutions without having to really build the entire stack. They can leverage a lot of services that are already in the cloud. What it does, though, is now you have a very complicated digital supply chain for what you're delivering. And all of the things are happening at cloud computing speed, which, you know, we call machine speed. So we think what's really going to happen this year - and at least the prediction - is it's no longer just, oh, we found a misconfiguration that we're just going to take some data from, you know, S3 buckets. I think it's going to be - they'll figure out how the services are sort of linked together and try to disrupt something in the middle. And it's going to be so much more impactful to the services or the customers of the services. And it's happening so fast that we have to find a way to automate the responses.
Dave Bittner: [00:09:05] What about some of these applications of technology that are coming along - you know, people who are up to no good? I'm thinking of things like deepfakes. You know, particularly as we head into an election season, you know, people will be worried about the things they're going to see on the news and so forth. Are things like deepfakes - is that something that's on your radar?
Haiyan Song: [00:09:28] It's definitely something that we always talk about as part of this concept. Humans are still, I would say, the weakest link when it comes to thinking about what the best practices are and to protect yourself. And the human factor continues to be a major sort of threat vector, if you will. I just saw the latest news. I think Snapchat just sort of invested in or bought a company - that's really specializing in deepfake technology. So that's sort of a sign of that becoming more and more mainstream. And I think 2020 is the election year. It's going to be a perfect storm for how this technology is going to be, you know, leveraged for social engineering. And I'm sure it's going to bring a lot of, you know, entertainment for people who are sort of, you know, looking at those things. But I think it's definitely going to exploit the weakness in the human link, if you will.
Dave Bittner: [00:10:29] Yeah. As we're heading into this new year, how do you describe your own attitude towards it? Are you optimistic? Are you cautious? How do you think things are going to play out this year?
Haiyan Song: [00:10:42] I'm always a glass half full person. So I love the technology. The adoption of new technology, I think, is going to bring us many different cross-pollinations on how to really learn from the new cloud paradigm. How do we learn from, you know, all the natural language processing that brought all this access to technology? I think one thing that I'm always really trying to get to our audiences and customers is think of automation as one of the key technologies to really help you with making the shift to the cloud paradigm and knowing that automation is there to help us. There's a lot more benefit to be had. And I thought I would just always want to share that perspective.
Dave Bittner: [00:11:32] That's Haiyan Song from Splunk.
Dave Bittner: [00:11:35] Area 1 has released research indicating that Russia's GRU in November of 2019 began a phishing campaign against the Ukrainian energy company Burisma Holdings. The goal was to obtain email credentials from Burisma, its subsidiaries and its partners. Burisma is the company whose connections to former US Vice President Biden's son, Hunter Biden, were at the center of the impeachment inquiry directed at US President Trump, who wanted a Ukrainian investigation of those connections and is accused of having abused his office in pressuring his Ukrainian counterpart.
Dave Bittner: [00:12:08] Phishing is a common method of attack. And as the New York Times and Wall Street Journal point out, it's how Fancy Bear, the GRU, accessed Democratic Party accounts in 2016. What specifically was Fancy Bear after once it had those credentials? Area 1 says it doesn't know. But the two most probable inferences are that they were interested in either collection against a target of interest or in preparing some influence operation or perhaps both.
Dave Bittner: [00:12:36] Yesterday, US Attorney General Barr released the results of the Justice Department's inquiry into the December 6 shootings at Pensacola Naval Air Station. The investigators concluded, as expected, that the shooter was Lieutenant Mohammed Saeed Alshamrani of the Royal Saudi Air Force and that his actions were an act of terrorism motivated by what the attorney general characterized as jihadist ideology. That conclusion was supported by inspection of the shooter's social media posts, which indicated that he had become radicalized.
Dave Bittner: [00:13:08] While the investigation determined that the shooter acted alone, an inquiry into the social media presence of other Saudi military personnel determined that 21 of those training in the US were in possession of similar material. None of this, the attorney general said, warranted prosecution under US law. But the Kingdom of Saudi Arabia determined that their engagement with such material constituted conduct unbecoming of an officer. The Kingdom disenrolled the 21 officers from training in the US and returned them to Saudi Arabia late yesterday.
Dave Bittner: [00:13:40] The investigation also constitutes another round in the dispute over access to encrypted communication. The attorney general says the shooter's two iPhones have been recovered and restored to usability - he damaged each of them - but that investigators are unable to read their encrypted contents. The Justice Department has asked for Apple's help in unlocking them, which Apple has not provided. The attorney general called upon Apple and the tech industry generally to work with the Justice Department to find some middle ground in the Crypto Wars.
Dave Bittner: [00:14:16] And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single sign-on, password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics such as fingerprint or face, deliver a passwordless login experience for your employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:15:43] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:15:51] Hi, Dave.
Dave Bittner: [00:15:52] Interesting article came by. This is from Gadgets 360. But I've seen this being covered in a variety of places. And this is, "Google Is Being Urged by Over 50 Organizations Including DuckDuckGo to Take Action Against Android Vendors Offering Bloatware."
Joe Carrigan: [00:16:08] Right.
Dave Bittner: [00:16:08] What's going on here?
Joe Carrigan: [00:16:09] So what happens when you buy an Android phone from a manufacturer like HTC or Samsung or a myriad of other manufacturers is you get these apps on the phone that you can't uninstall.
Dave Bittner: [00:16:22] Out of the box.
Joe Carrigan: [00:16:22] Out of the box.
Dave Bittner: [00:16:23] Yeah.
Joe Carrigan: [00:16:23] The phone comes with these apps. And I've experienced this frustration with both HTC and Samsung personally.
Dave Bittner: [00:16:29] OK.
Joe Carrigan: [00:16:30] And they have legitimate concerns that there are some privacy issues with these apps. First off - and security issues as well. They're not updatable. Many times, they don't get updates unless it's an update pushed out through the cellphone provider. The apps are not installed through the Google Play store, so they're not subject to the scrutiny that those apps go through. Now, you can argue about how good that scrutiny is. But these apps don't get any scrutiny. They're just installed by default. And they, a lot of times, will leak information about the user.
Joe Carrigan: [00:17:04] So - but I'm going to also point something else out here that these organizations may or may not understand and that is that there is the Android One program, which was designed originally for emerging markets, but it's kind of expanded. And one of the benefits of the Android One program is that in order for a phone to be considered an Android One phone, it has to be running stock Android, which is the same operating system that comes on the Google devices like the Pixel 3 or the old Nexus devices.
Dave Bittner: [00:17:34] OK.
Joe Carrigan: [00:17:35] Now, my first smartphone was an HTC smartphone. And it had an interface called HTC Sense. So that's kind of the benefit that these people, these manufacturers will say, is that we have a lot better Android experience because we'll overlay our own interface over top of it, right? But when I got fed up with my Samsung devices and finally went into the store and said, I don't care, just give me a stock Android device and I bought a Nexus 6, I found that interface to be very clean and very enjoyable. And then my next phone was an LG phone that didn't have the stock Android experience again.
Dave Bittner: [00:18:12] Yeah.
Joe Carrigan: [00:18:13] And I found I missed the stock Android experience. So I went back and I bought a - the phone that I currently have. I have a Pixel 3, which, of course, comes with the stock Android experience.
Dave Bittner: [00:18:23] OK.
Joe Carrigan: [00:18:23] Now, the Pixel 3, I think, is prohibitively expensive and I would dare say overpriced. But there are other phones out there in the Android One program that are more competitively priced and have the same stock Android apps without any of the bloatware and without any of these security issues that these folks are talking about here.
Dave Bittner: [00:18:42] Well, let me ask you this. So the phone that you have now, did that come with any bloatware on it?
Joe Carrigan: [00:18:47] It did not.
Dave Bittner: [00:18:48] It did not. OK, so - and I think that's one of the points here, is...
Joe Carrigan: [00:18:52] Right.
Dave Bittner: [00:18:52] ...That if you're willing to pay a premium price, you can get phones that don't have this sort of bloatware. And certainly, over on the Apple side of things, iOS devices come with no bloatware.
Joe Carrigan: [00:19:05] Correct.
Dave Bittner: [00:19:05] And that's a premium price.
Joe Carrigan: [00:19:08] Right. But the Android One phones are not premium price phones.
Dave Bittner: [00:19:12] But part of the way that the cheap phones are financed is through the installation of this bloatware. In other words, the manufacturer is making some money on the back end.
Joe Carrigan: [00:19:21] Yeah.
Dave Bittner: [00:19:22] And that's part of how they can make the phones so inexpensive. And the point I'm trying to get to is that isn't everyone entitled to good security?
Joe Carrigan: [00:19:29] Right.
Dave Bittner: [00:19:30] You shouldn't just need to pay a premium to have a secure device in a world where we're so dependent on these devices.
Joe Carrigan: [00:19:37] Agreed.
Dave Bittner: [00:19:37] Yeah.
Joe Carrigan: [00:19:37] But the Android One program phones are not prohibitively expensive. They're actually a lot cheaper than these phones here. Like, you can get an Android One phone for about 400 bucks.
Dave Bittner: [00:19:47] So you're saying, if this is a concern of yours, go out and look for the Android One...
Joe Carrigan: [00:19:52] Right, get an Android One phone.
Dave Bittner: [00:19:53] ...Labeled phone.
Joe Carrigan: [00:19:53] Right.
Dave Bittner: [00:19:53] And that won't have the bloatware.
Joe Carrigan: [00:19:55] It won't have the bloatware. It'll come with Android - stock Android installed. You get security updates, monthly security updates guaranteed for two years. It's a pretty good program. But that precludes you from getting the cool, flashy devices from, like, Samsung, HTC and LG.
Dave Bittner: [00:20:09] I see.
Joe Carrigan: [00:20:09] They don't have that. But again, those phones are also expensive. So there is an inexpensive option for users to get. In fact, I think my next phone will probably be an Android One phone, a less expensive Android One phone.
Dave Bittner: [00:20:25] All right. Well, it's an interesting push if nothing else.
Joe Carrigan: [00:20:29] I agree a hundred percent.
Dave Bittner: [00:20:30] Yeah.
Joe Carrigan: [00:20:31] Yeah, this is a privacy push. And I'm all in favor of whenever that happens.
Dave Bittner: [00:20:34] Yeah.
Joe Carrigan: [00:20:35] Right.
Dave Bittner: [00:20:35] All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:20:36] My pleasure, Dave.
Dave Bittner: [00:20:43] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:20:49] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:21:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.