The CyberWire Daily Podcast 2.10.20
Ep 1021 | 2.10.20

US indicts PLA officers in Equifax hack. Pyongyang shows pariah states how it’s done. DDoS in Iran. Updates on Democratic Party caucus IT issues. Likud has a buggy app, too.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here with an exciting giveaway opportunity we're doing. For today only, we are giving away two full conference passes to this year's RSA Conference in San Francisco for free. All you need to do is fill out our short survey that will take less than a minute to complete. To access the survey, check us out on Twitter at @thecyberwire. Follow us and click the link on the pinned tweet at the top of our feed. Check it out. Good luck. 

Dave Bittner: [00:00:30]  The US indicts four members of China's People's Liberation Army in connection with the 2017 Equifax breach. North Korea establishes an internet template for pariah regimes' sanctions evasion. Iran sustained a major DDoS attack Saturday. The US Democratic Party seeks to avoid a repetition of the Iowa caucus in other states, as the Sanders campaign asks for a partial recanvass. And Israel's Likud Party's involved in a voter database exposure incident via its own app.

Dave Bittner: [00:01:05]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And are you attending RSA Conference 2020 in San Francisco, February 24 through the 28? Well, don't forget to stop by Booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook." Come on by and say hello. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee. Security fueled by insight. Intelligence lets you respond to your environment; insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:41]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 10, 2020. This morning, US Attorney General Barr announced the indictment of four members of China's People's Liberation Army on charges related to the 2017 data breach at Equifax. The four officers, whom the attorney general did not name, face nine charges of conspiracy to hack and commit economic espionage. 

Dave Bittner: [00:03:08]  The PLA is alleged to have broken into Equifax, stolen personal information on about 150 million Americans - that's roughly half the US population. Names, dates of birth and Social Security numbers were among the data taken. The hackers are also said to have stolen Equifax intellectual property, particularly trade secrets involving techniques of handling very large databases of personal information. The breach was reported by Equifax in 2017 and has been under investigation since then. The Department of Justice leaders who spoke at the press conference repeatedly thanked Equifax for its cooperation in the investigation. The attorney general said, quote, "The attack is of a piece with other Chinese illegal acquisition of data," end quote. He reviewed China's record of espionage and said that this particular attack is particularly worrisome because of the data's potential utility in enabling artificial intelligence and in developing targeting packages against US citizens. 

Dave Bittner: [00:04:22]  The officials said the US normally doesn't bring criminal charges against foreign military or intelligence personnel. It's only the second time the US has indicted members of the People's Liberation Army, the first being the indictment of five officers in May of 2014 on charges of stealing industrial trade secrets. The officials at the Department of Justice briefing stressed that Chinese espionage is different. They attribute some 80% of espionage to China and said that the People's Republic is responsible for 60% of trade secret theft. The differences lie, first, in the indiscriminate collection against individual Americans. In no respect, the Justice Department says, can collecting PII on half of the country's population be considered a legitimate, targeted espionage campaign. Moreover, the industrial espionage is being conducted to support the business of Chinese firms, and that, too, is not a customary goal of intelligence gathering. 

Dave Bittner: [00:05:19]  Kaspersky Lab warns that North Korea's Lazarus Group, APT38, while retaining its focus on cyberattacks that can help redress Pyongyang's chronic sanctions-induced financial shortfalls, has recently grown subtler and more evasive, showing greater facility at misdirection. The increase in sophistication has followed the group's Operation AppleJeus, which showed the Lazarus Group's first focused efforts against macOS targets. The threat actor has refined its technique against both Windows and macOS systems. The Lazarus Group has recently been most active against the cryptocurrency sector, and most of its victims, chosen opportunistically, have been in the UK, Poland, Russia and China. 

Dave Bittner: [00:06:02]  The NetBlocks Internet Observatory reported Saturday that Iran sustained a large distributed denial-of-service attack. The Financial Tribune quotes authorities as saying that they successfully parried the attack and that they were unable to attribute the incident to any nation-state actor. Forbes writes that 25% of Iran's internet was rendered unavailable, but that's after Iran activated its "Digital Fortress" defenses, which are thought to impose their own penalty on connectivity as a cost of increased security. That Iran declined to attribute the attack to any specific nation-state or indeed to any particular threat actor at all is noteworthy. The DDoS attack took place the day before yesterday's failed attempt to put Iran's Zafar satellite into orbit. And some outlets, like Emirati newspaper The National, speculate that this timing may have been more than coincidence, but this has remained uncorroborated speculation. The launch took place, but the satellite failed to reach orbit. Tehran, in announcing the results of the attempted launch, did not call out a cyberattack or any foreign interference as a cause of the failure. 

Dave Bittner: [00:07:11]  Wary after the Iowa Democrats' dismaying experience with a misbehaving app during last week's caucus in that state, party officials in Nevada told The Nevada Independent Thursday that they decided to forego using any mobile applications whatsoever for their caucus. But that may not be entirely the case. Saturday, The Nevada Independent reported that precinct leaders would receive iPads with a preloaded tool they would use to assist them with their viability calculations. The party cautioned its precinct workers not to refer to the software on their iPads as an app because it's not an app at all, they say; it's actually a tool. How that avoids being a distinction without a difference remains unclear. In any case, it's apparently not going to be a tool produced by Shadow, Inc., the firm that built the failed IowaReporterApp. The Wall Street Journal isn't particularly optimistic about the upcoming Nevada caucus, describing preparations as "cobbled together."

Dave Bittner: [00:08:11]  It's worth noting that caucuses aren't primaries. Primaries, like the one coming in New Hampshire, are much closer to a preliminary election than are the more informal caucuses. Primaries are run by state governments using procedures and technology similar, if not identical, to that used in elections. The less-transparent caucuses are run by state parties. And The Washington Post says Democrats are worried about other caucuses repeating Iowa's unfortunate experience. 

Dave Bittner: [00:08:40]  It's also worth repeating - again, because there's been so much misleading speculation to the contrary - that there's no reason to reach for a cyberattack to explain why events in Iowa happened as they did. The problems with reporting the results seem entirely explicable in terms of the buggy app the state party saddled itself with. As Dr. Freud is apocryphally said to have put it, sometimes a cigar is just a cigar. And in Nevada, sometimes an app is just a tool - or something like that. Iowa's caucus isn't over yet, either. The Sanders campaign has said it will ask for a partial recanvass of that state's party results, according to The Hill. 

Dave Bittner: [00:09:20]  The issues in Iowa have reminded many that this year's round of elections are likely to be anything but routine. We checked in with Shannon Brewster from AT&T Cybersecurity for his insights on election security. 

Shannon Brewster: [00:09:33]  I would say that election operations are done in a very decentralized way in the United States. It has pros and cons, right? I mean, it creates a fragmented approach, but it also makes it difficult for an external threat actor to attack those jurisdictions with a single campaign because every operation's different. They're using different technologies. They're bringing forward a different approach. 

Dave Bittner: [00:09:55]  For the folks who have this task ahead of them, what sort of recommendations do you have? What are some of the best practices for - specifically to securing elections?

Shannon Brewster: [00:10:07]  I would bring forward three main points. That's a great question. I mean, the first thing you need to think about is, what are my risks, and do I understand my attack surface? Right? And secondly, I would say you really want to think about - how do I baseline a security program that is specifically applied to elections? And don't overlook the basics. You know, we really get caught up sometimes in hearing about the threat actors, the nation-states. But if you step back and consider what an election is doing and what it's there for, you have to appreciate that public trust in the integrity of that election is really fundamental. And when it comes to that, perception can be reality, right? 

Shannon Brewster: [00:10:53]  So simple fundamental security basics that should be implemented when you're putting together a system really shouldn't be overlooked because any breach of something fundamental like that could be just as devastating as an external threat actor. And then the third thing I would say is - be aware of the resources that are available through DHS, Cyber and Infrastructure Security Agency that sits as a subcomponent under DHS and some of the other resources that can be taken advantage of through third parties to help, you know, baseline that program and build out a program that is maturing over time.

Dave Bittner: [00:11:28]  You know, it really strikes me that this is a collaborative process between not just the folks on the technical side of the house, but those people who have to communicate the message out to the public, like you say, for confidence in the elections themselves - that these are the things that we're doing, and you can rest assured that these elections are going to be valid.

Shannon Brewster: [00:11:49]  That's absolutely right, absolutely right. And I would say if you approach it holistically, that is probably the best approach to be able to communicate that message that you've taken a proactive approach using a security framework, you know, to baseline a program against. DHS is recommending NIST CSF as an example. It's a very simple framework to align to. And you've got those five areas, right? Identify, detect, protect, detect and respond, recover. So, you know, aligning everything you're doing holistically and not getting focused on one particular component of the operation is really fundamental. 

Dave Bittner: [00:12:30]  That's Shannon Brewster from AT&T Cybersecurity. 

Dave Bittner: [00:12:35]  Apps are causing other parties and other countries' problems, too. Haaretz reports that Israel's Likud Party's unsecured Elector app uploaded and leaked names, identification numbers and addresses of more than 6 million voters. The paper explains that Israeli political parties receive personal details of voters before the elections and commit to protecting their privacy, as well as not to reproduce the registry, not to provide it to a third party and to permanently erase all the information once the election is over. So this is apparently a case of inadvertent exposure, not theft of a voter database.

Dave Bittner: [00:13:12]  Elector's developer, Feed-b, minimized the incident as a one-off incident that was immediately dealt with. The company says it's upgraded its security since learning of the exposure. It's unknown whether anyone improperly accessed the data. But the possibility is difficult to exclude, and the people who potentially had access to the data aren't all in Israel. Elector has users in other countries, including, according to Haaretz, Russia, China, the United States and Moldova. 

Dave Bittner: [00:13:47]  And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:14:39]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, great to have you back. 

Joe Carrigan: [00:14:46]  Hi, Dave. 

Dave Bittner: [00:14:47]  You know, there's that old saying about those who forget history are doomed to repeat it. 

Joe Carrigan: [00:14:52]  Yes. 

Dave Bittner: [00:14:53]  And I saw an article come by from The Register, and this was taking us down a little trip about the old Clipper chip back in the '90s. 

Joe Carrigan: [00:15:02]  A little trip down memory lane. 

Dave Bittner: [00:15:03]  A little - exactly. Now... 

Joe Carrigan: [00:15:04]  Bad memory lane. 

Dave Bittner: [00:15:05]  I suspect there - we have probably a lot of listeners, perhaps younger folks... 

Joe Carrigan: [00:15:09]  Yep. 

Dave Bittner: [00:15:09]  ...Who may not be familiar with the Clipper chip. Can you give us a little overview, what it was about? 

Joe Carrigan: [00:15:14]  The Clipper chip was a way to introduce a backdoor into cryptographic algorithms by having a chip on the device that would allow the government access to encrypted communications. 

Dave Bittner: [00:15:26]  It's important to remember that back in the early to mid-'90s, when this was a thing, it was much more efficient to do encryption in hardware... 

Joe Carrigan: [00:15:36]  Yes. 

Dave Bittner: [00:15:36]  ...Than in software. The computers just weren't that fast back then. 

Joe Carrigan: [00:15:39]  Yeah. Encryption is always more efficient than doing hardware. It's just that now we have computers that can do it with the same amount of overhead; it's just they're much more powerful and faster now.

Dave Bittner: [00:15:46]  Yeah. 

Joe Carrigan: [00:15:47]  But keeping that in mind, these chips were terrible chips. First off, they were expensive. 

Dave Bittner: [00:15:52]  Right. 

Joe Carrigan: [00:15:52]  And second off, they had all kinds of vulnerabilities in them. And the article actually says that the chips were so bad that people who worked on the project were actually leaking information about how bad they were because they were concerned about the security of these systems. 

Dave Bittner: [00:16:06]  And the notion here was that this is a way that if you were someone who felt like you needed to use encryption... 

Joe Carrigan: [00:16:12]  Right. 

Dave Bittner: [00:16:12]  ...You could, but if the NSA needed to get at that data, they had a backdoor that was burned into the chip. 

Joe Carrigan: [00:16:20]  Right. And not just the NSA; any law enforcement agency that presumably would get a warrant to do it. I don't know. Maybe just look at it. Who knows? 

Dave Bittner: [00:16:28]  Right. 

Joe Carrigan: [00:16:29]  It's ripe for abuse, is my concern. 

Dave Bittner: [00:16:31]  And how did it play out? 

Joe Carrigan: [00:16:33]  Yeah, it eventually failed. It met a lot of resistance from security and privacy advocates. And then once all the information came out about how buggy it was, it kind of just died off and wasn't picked up. 

Dave Bittner: [00:16:43]  Right. 

Joe Carrigan: [00:16:43]  But now we're back at it again as a nation here in the United States. 

Dave Bittner: [00:16:49]  (Laughter) The crypto wars are back. 

Joe Carrigan: [00:16:51]  Right. 

Dave Bittner: [00:16:51]  Yeah. 

Joe Carrigan: [00:16:51]  And Attorney General Barr has said that he needs to have access to encrypted communications with a backdoor, and he's pressuring tech companies. And this is nothing new. This was also done under the Obama administration. Eric Holder was a big proponent of this as well. One of the most telling things is Senator Lindsey Graham, who says to the tech companies, quote, "You're going to find a way to do this, or we're going to do it for you." Now, you'll forgive me, Senator - with all due respect, I do not have faith in your ability or the Senate's ability to write a law that is knowledgeable about cryptography and can do this well. 

Dave Bittner: [00:17:31]  Well, and I've seen people... 

Joe Carrigan: [00:17:32]  Sorry. 

Dave Bittner: [00:17:32]  Yeah, I've seen people respond to this and say, you can't legislate math, that... 

Joe Carrigan: [00:17:36]  Right. And what they're talking about there is - you can make Facebook and WhatsApp and Apple all put backdoors into their communication, right? And then, yes, you can have access to that communication. All that will do is give you access to law-abiding citizens' information. 

Dave Bittner: [00:17:53]  Right. 

Joe Carrigan: [00:17:54]  Right? The criminals are going to write their own code. They're going to write their own software, and they're going to use that. And that's how they're going to encrypt it. And you will not have a backdoor into that, no matter what - period. And it won't happen. 

Dave Bittner: [00:18:07]  And it's not a hard thing to do these days. 

Joe Carrigan: [00:18:09]  It's really not. 

Dave Bittner: [00:18:10]  Yeah. 

Joe Carrigan: [00:18:10]  The libraries are out there to be implemented. All you have to do is implement it correctly. It's pretty well documented on how to do it right. 

Dave Bittner: [00:18:16]  Yeah. 

Joe Carrigan: [00:18:17]  There is a paper that was written, a position paper, called "Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications." OK? This reads like a who's who - the authors list reads like a who's who of cryptography. Whit Diffie is on the authors list. Matthew Green from Hopkins is on the authors list. Ronald Rivest - he's the R in RSA - he's on the authors list. Bruce Schneier is a contributor to this paper. Matt Blaze, who's quoted a lot in this Register article, is also on this paper. 

Dave Bittner: [00:18:49]  Yeah. 

Joe Carrigan: [00:18:49]  And there are many other authors on this paper. Those are just the more notable names that pop out to me. But this paper takes a very strong stance against backdoors into encryption and why it's not going to work. 

Dave Bittner: [00:19:03]  Yeah. 

Joe Carrigan: [00:19:03]  First off, if you do it, you really weaken the encryption for everybody, right? 

Dave Bittner: [00:19:08]  Right. 

Joe Carrigan: [00:19:08]  You and I will not be able to communicate securely. Bad guys will probably get access to it - with a very high confidence interval, I'm saying that. I would say it's 95% the case that that system is going to be found to be vulnerable at some point in time. But what's more important is that oppressive regimes could use this as well, right? If you mandate access to this communication from the American standpoint, how do you stop someone like an Iranian regime from saying, we need to find all the dissidents in our network who are violating our laws; give us the keys. Right? How do you say we can't do that now?

Joe Carrigan: [00:19:45]  And while here in America, we have certain legal protections - right? - that are not available abroad, but in America, we have those legal protections now, right? What about the future? Maybe I'm not concerned about Senator Graham or Attorney General Barr. But what about 10 years from now? Who's going to be in those offices? We have no idea who's going to be in those offices. And I want to be protected against that down the road. 

Dave Bittner: [00:20:09]  All right. Well, it's an interesting trip down memory lane. I suggest for our listeners, if you're not familiar with the story of the Clipper chip, it's a good background to kind of inform your knowledge of how we got to where we are today when it comes to this encryption conversation. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:20:28]  My pleasure, Dave. 

Dave Bittner: [00:20:34]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing thecyberwire.com. 

Dave Bittner: [00:20:40]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:51]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.