Ransomware hits US natural gas pipeline facility. DRBControl’s espionage campaign. Firmware signing. No bill of attainder against Huawei. A mistrial in the Vault 7 case?
Dave Bittner: [00:00:02] CISA reports a ransomware infestation in a U.S. natural gas compression facility. A new threat actor possibly linked to China's government is running an espionage campaign against gambling and betting operations in Southeast Asia. More notes on firmware signatures. Huawei loses one in U.S. federal court. Reality Winner hopes for a pardon. And the defense asks for a mistrial in the Vault 7 case.
Dave Bittner: [00:00:33] And now a word from our sponsor, ExtraHop - securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption just like they want to support enterprises' IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multi-cloud and hybrid enterprises. Or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:28] Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:53] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 19, 2020.
Dave Bittner: [00:02:02] CISA, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, has responded to and reported a ransomware incident at an unnamed natural gas compression facility in the U.S. While the facility didn't lose control of operations at any time, it did experience a partial loss of visibility into real-time operational data. Plant managers elected to implement a deliberate and controlled shutdown, which cost two days of lost productivity and revenue. The attack was confined to a single facility.
Dave Bittner: [00:02:36] It's noteworthy that the attack vector was spearphishing. CISA outlines what happened after the spearphishing email delivered its payload. First, inadequate segmentation between information technology and operational technology networks allowed the attackers to pivot from the IT to the OT side. Assets on both networks were disabled. Second, the attacker used what CISA calls commodity ransomware against Windows assets in both networks. The ransomware affected human-machine interfaces, data historians and polling servers. Third, the PLCs, the programmable logic controllers used to monitor and control physical processes, were left unaffected. And finally, the facility was able to recover by installing replacement equipment and loading last-known-good configurations.
Dave Bittner: [00:03:28] CISA draws several lessons from the incident for other infrastructure operators. They're too numerous to recount here. But in sum, most of them come down to improved planning, more effective and realistic training, better authentication and more network segmentation.
Dave Bittner: [00:03:45] ZDNet suggests the possibility that the malware involved was EKANS, but CISA is silent on this point. And so the suggestion that the ransomware could have been EKANS remains, at best, speculation. Dragos - which ZDNet properly cites as the source of research into EKANS - itself reached out late this morning to say that EKANS wasn't a likely suspect. Instead, Dragos thinks with high confidence that the incident CISA responded to was the same Ryuk infestation the U.S. Coast Guard reported this past December. They described the infection as well-known ransomware behavior and not an ICS-specific or ICS-targeted event. Dragos thinks the attack doesn't show even the limited process targeting observed in EKANS and some MegaCortex incidents.
Dave Bittner: [00:04:34] Security firm Trend Micro has found what it considers a hitherto unidentified threat actor - they call it DRBControl - working against gambling and betting operations in Southeast Asia. DRBControl's techniques aren't entirely unfamiliar, however, as Trend Micro discerned some connections with the Winnti and Emissary Panda APTs, both of which have been associated with the Chinese government. The Emissary Panda link is particularly interesting. DRBControl uses the HyperBro backdoor, which until now had been observed only in Emissary Panda operations. Trend Micro considers the campaign an espionage effort.
Dave Bittner: [00:05:16] When I was growing up, I remember my father telling me, son, you never want to end up with a car that came through the assembly line late on a Friday afternoon. All those workers are more concerned with starting their weekend than building a quality car. I don't know what evidence there is to support that claim, but the notion that the quality of a product could be affected by the mindset of the people making it is a compelling one. Anita D’Amico is CEO at Code Dx, a firm that aims to address the need to discover and manage vulnerabilities in software applications. She's also part of a team of researchers looking into the question of whether several human factors - developer, team and environmental characteristics - influence whether developers will inadvertently introduce security weaknesses into their code.
Anita D’Amico: [00:06:04] I have been interested in human factors for quite some time. I am an experimental psychologist by education. And I work in the area of application security. So I was very interested in the human factors that affect secure code development. I recently was the principal investigator of a research project funded by DARPA to study, what are the characteristics of software developers, of development teams? And what are the work conditions that affect secure code development?
Dave Bittner: [00:06:38] Well, let's explore that some. That's fascinating to me because I think it's so easy, particularly when it comes to all this technology, to think, sort of, in the cold terms of ones and zeros and so on and so forth. But what you're looking into here is the fact that those real-world, everyday human factors that we deal with can actually find their way into the security of code.
Anita D’Amico: [00:07:01] Absolutely. Software is written by people. And people perform differently depending on the circumstances. So if human factors affect how well a pilot pilots an airplane, if it affects truck drivers, if it affects medical doctors, why wouldn't human factors affect how well a software developer develops code? And I was specifically interested in the human factors that affect both code quality and security. And there's been very little research done in this area.
Anita D’Amico: [00:07:36] So the first thing we did was we did a literature review. And so we developed a way of mining open source repositories for indirect measures of human factors. For example, we looked at the time of day that code was committed to find out if it had an effect on code quality or code security. One of the things that I'll be talking about at the RSA presentation is the results of that study. I'll give you a little bit of insight...
Dave Bittner: [00:08:09] Right, right.
Anita D’Amico: [00:08:10] ...That code is buggier when it's committed between midnight and 7 a.m. I have a couple of specific suggestions for anybody who is managing a software development team. And these suggestions are based on scientific evidence. So the first is stop coding after about 11 hours of work, really take a break and probably put it down until tomorrow. Any code that is developed between 10 p.m. and 6 a.m. in the morning should be carefully reviewed. I would also suggest that you keep developers focused on just a few files. Don't spread them across many different ones, because the more you spread a developer across a lot of different files, the more likely they are to accidentally insert quality or security issues.
Dave Bittner: [00:09:08] That's Anita D’Amico from Code Dx. She'll be presenting on this topic next week at the RSA Conference in San Francisco.
Dave Bittner: [00:09:17] Eclypsium, the security firm that yesterday reported widespread issues with unsigned firmware and peripherals, recommends that signatures be verified every time the firmware is loaded into memory and not just upon initial installation. The researchers note that Apple products routinely do this, whereas Windows and Linux systems do not. But they also argue that verification is better treated as the device manufacturer's responsibility and not something to be left up to the operating system.
Dave Bittner: [00:09:47] The trade press has been hard on the industry on this one. WIRED takes a glum view that supply chain firmware has been only laxly secured for years, and that this is generally known, but that there's been little progress made toward fixing it. ZDNet thinks the research shows that companies have failed to learn the lessons they ought to have taken from the Equation Group revelations of a few years ago. And it imputes a mix of discreditable attitudes to device makers. They say "the reason why device manufacturers aren't doing this" - that is verifying signatures whenever firmware is loaded - "is because of laziness, indifference or because they don't feel they or their customers are under any threat" - end quote.
Dave Bittner: [00:10:31] There's some news from the legal world today. The U.S. District Court for the Eastern District of Texas has tossed out Huawei's suit against a congressional restriction of the company's products and federal programs, Reuters reports. The National Defense Act, the court found, is not an unconstitutional bill of attainder after all. And Congress was acting within its proper authority when it moved to exclude Huawei and ZTE from federal contracts.
Dave Bittner: [00:10:58] And finally, attorneys for Joshua Schulte have asked for a mistrial on grounds of a Brady violation, claiming that the prosecution failed to disclose potentially exculpatory evidence. Mr. Schulte is the former CIA employee accused of having leaked classified information about Langley's hacking tools to WikiLeaks in what became known as Vault 7. The evidence and the filing are classified.
Dave Bittner: [00:11:23] But there have been reports in CyberScoop and elsewhere of some of the testimony in the case. And the picture that testimony paints of the CIA's day-to-day workplace life is one of pranks, joshing insults, rearranging desks, shooting one another with Nerf guns and so on. It's unlikely that this has anything to do with a Brady Rule violation, of course. But it does suggest that working at Langley has more in common with an Ivy League frat house circa 1950 than one would have suspected.
Dave Bittner: [00:11:57] And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business's security. LastPass Identity can minimize risk and give your IT team a breakthrough, integrated single-sign-on password management and multi-factor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multi-factor authentication, securely authenticate into your work using biometrics like fingerprint or face, deliver a passwordless login experience for employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, go to lastpass.com/enterprise. That's lastpass.com/enterprise. And we thank LastPass for sponsoring our show.
Dave Bittner: [00:13:23] And joining me once again is Caleb Barlow. He's the CEO at CynergisTek. Caleb, it's always great to have you back. You've got some interesting information you want to share today about some ways to go online and gather up some information here. What do you have for us?
Caleb Barlow: [00:13:41] OK. So it's the early part of the year. It's time for resolutions and all that good stuff. Maybe this year, you ought to change the name of your home Wi-Fi router, Dave, because I don't - does the name of your home Wi-Fi router have your actual name in it? Like, a lot of people name things like Davis or WilsonNet or JonesFamilyWi-Fi.
Dave Bittner: [00:14:02] AbrahamLinksys, yeah. Yeah.
Caleb Barlow: [00:14:03] Yeah.
Dave Bittner: [00:14:04] All right. Go on. Yeah.
Caleb Barlow: [00:14:05] Not a good idea.
Dave Bittner: [00:14:05] (Laughter) OK, go on.
Caleb Barlow: [00:14:06] And let me tell you why.
Dave Bittner: [00:14:07] Yeah?
Caleb Barlow: [00:14:08] So for years, the cars that drive around and map streets aren't only gathering GPS mapping information and taking pictures of streets, they're also mapping out the location of every cellphone tower and every Wi-Fi hotspot they pass and its exact location. And in some cases early on, they were even employing taxi drivers to put antennas on the taxis and map it out. And triangulating the available Wi-Fi signals is really important because it turns out it's an even more accurate way of determining location than even GPS or GLONASS - because GPS and GLONASS don't work well when you're inside of a building. But knowing what Wi-Fi hotspots are immediately available and their signal strength can tell you exactly where you are.
Caleb Barlow: [00:14:55] So think of it this way, Dave. This technology isn't just used for your own phone. But let's say a retailer - let's say, you know, you're inside of a large retailer like a Target and somebody wants to know, you know, are you in front of, you know, the women's section? Or are you in the Starbucks?
Dave Bittner: [00:15:11] Right.
Caleb Barlow: [00:15:12] Literally, this location technology is that accurate to be able to tell you where you are inside of a building based on the Wi-Fi signals.
Dave Bittner: [00:15:20] OK.
Caleb Barlow: [00:15:20] Now, to put this into full perspective of creepy...
Dave Bittner: [00:15:24] (Laughter).
Caleb Barlow: [00:15:25] ...One of the providers of this type of data was able to leverage location information of the attendees at the Super Bowl. Correlate that with census and other data to determine where attendees came from, their average income, age and education level. Now, how does this happen? Well, remember - when your phone is looking for a Wi-Fi signal, it isn't just listening for what's available. It's broadcasting out what it wants to see. So let's just say your whole Wi-Fi network - I don't know if it is - is BittnerNet, right?
Dave Bittner: [00:15:58] Yeah, right.
Caleb Barlow: [00:15:58] Your phone is constantly going, BittnerNet, are you out there? Hilton Honors, are you out there? American Airlines, are you out there? It's constantly broadcasting, looking for these signals. Well, I can actually be near you with something like a Pineapple and actually see what you're looking for. So I say, OK, he stays at Hilton. He travels on American Airlines. What's this BittnerNet thing? I bet you that's his home address or his home Wi-Fi signal. Well, I can then go look it up in an open source database and find out exactly where you live because with this new technology and - you know, the largest purveyor of this is certainly Google. But this open source project called Wireless Geographic Logging Engine or WiGLE will allow pretty much anyone to put in a unique SSID and find out where in the world that SSID is broadcasting.
Caleb Barlow: [00:16:51] So if you're the only person in the world with an SSID called BittnerNet, I can find out exactly where you live within a foot or two. Now, if your SSID is something not unique like - let's say Jackie was the name - good luck because there's going to be thousands of those that pop up all over the place.
Dave Bittner: [00:17:10] Sure.
Caleb Barlow: [00:17:11] But this becomes really problematic for people that want to keep their travel and the locations that they frequent - not just their home - but the locations they frequent private. So, Dave, you know, you can think of a whole variety of ways in which this could be used nefariously.
Dave Bittner: [00:17:28] Give me some examples.
Caleb Barlow: [00:17:29] OK. So let's say we're talking about law enforcement, private investigator. Maybe this is a divorce situation. I can probably figure out where your girlfriend lives just off of what your phone is broadcasting if you've ever connected to her Wi-Fi network. I can figure out, you know, where she lives and probably also who it is.
Dave Bittner: [00:17:51] OK (laughter).
Caleb Barlow: [00:17:53] Now, there is a way to hopefully protect yourself on this. So...
Dave Bittner: [00:17:59] Oh, OK. Bring it home, Caleb.
Caleb Barlow: [00:18:00] Let's talk about that side.
Dave Bittner: [00:18:01] Bring it home (laughter).
Caleb Barlow: [00:18:02] OK, so the first thing is go out to WiGLE and have some fun and play with it. It's pretty interesting what you can find out there.
Dave Bittner: [00:18:08] Yeah, it's wigle.net. There's one G in WiGLE.
Caleb Barlow: [00:18:11] That's right.
Dave Bittner: [00:18:12] All right.
Caleb Barlow: [00:18:12] OK. First of all - and I don't know how well this works. But one of the things some of the provider mapping companies like Google do is if you append your SSID with _nomap, they won't map it. So, you know, if it's, you know, BittnerNet, change it to BittnerNet_nomap. Now, I don't know if they all respect that, but hopefully, they do. The second thing to do is clean out all the old SSIDs on your phone and your laptop that you're constantly broadcasting, right? Reduce it down to the ones you actually use. I mean, if you haven't gone in there in a year or so, you probably have hundreds of SSIDs you're broadcasting. You might as well be broadcasting your whole travel history out everywhere you go.
Caleb Barlow: [00:18:53] And then the third thing is rename your home network. Use something that's not your name. And use something that's not unique. So my strategy with this - and I'd be curious of feedback from people on how well they think this is going to work. But I'm going to name my home network after a car because all these cars now have, you know, like, you'll see, like, AudiWi-Fi or JanesAudiWi-Fi driving around. I'm going to name my home network after a car because I think that not only is it not unique, but cars pop up all over the place when you're doing Wi-Fi mapping.
Dave Bittner: [00:19:31] All right. Well, something to play with and also lose sleep over. So thanks for both of those, Caleb (laughter). Always great to talk to you. Thanks for joining us.
Dave Bittner: [00:19:47] And that's the CyberWire. For links to all of today's stories, check out our daily news briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:19:57] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.