The CyberWire Daily Podcast 2.27.20
Ep 1033 | 2.27.20

RSAC 2020. Naming and shaming. Kitty espionage update. Wi-Fi crypto flaw. Impersonating the DNC. Ransomware gets more aggressive. When is removing a GPS tracker theft?

Transcript

Dave Bittner: [00:00:00] Hi, everybody. It's Dave. We're happy to announce that our new subscription program, CyberWire Pro, will be available soon. For everyone who wants to stay on top of developments in cybersecurity, CyberWire Pro is an independent news service that keeps you informed without wasting your time. This new offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much, much more. As always, you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:44]  Naming and shaming seems to work, at least against China's Ministry of State Security; Iranian cyber espionage continues its regional focus. Wi-Fi chip flaws could expose encrypted traffic to snoopers. Someone, maybe from abroad, is pretending to be the U.S. Democratic National Committee - tips on backing up files - ransomware gangs up their game. And that unmarked small box on your car - yeah, you can totally take that off. 

Dave Bittner: [00:01:17]  And now a word from our sponsor ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption, just like they want to support enterprise IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multi-cloud and hybrid enterprises, or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers; to empower your change-makers, like developers; and to enable business accelerators, like your team's. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:35]  From the 2020 RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Thursday, February 27, 2020. Those wondering if the U.S. policy of naming and shaming threat actors can disrupt those adversaries may find some evidence that it does by considering how the Chinese organizations named in the Equifax breach indictment seem to have vanished from cyberspace. It appears that Chinese services, at least, are sensitive to this kind of treatment. CrowdStrike founder Dmitri Alperovitch said yesterday at RSAC 2020 that it appeared China's Ministry of State Security has had to reset and retool. Comment Panda, Stone Panda and Gothic Panda have all gone quiet. Whether this amounts to more than a restructuring or a reorganization remains to be seen, but as anyone who's been through a government agency reorganization can attest, even that's disruptive enough. Alperovitch said that the Chinese seem unusual in this respect. The Russians, the Iranians and the North Koreans, to consider the three other familiar adversaries, tend to shrug off American indictments and move on. 

Dave Bittner: [00:03:46]  CyberScoop and SC Magazine report that Dell Secureworks has concluded that Iranian cyber operations have maintained their customary, steady tempo since Quds Force commander Major General Soleimani died in a U.S. drone strike. There may have been some retaliatory surge, but for the most part, the activity looks like business as usual. Researchers attribute the ongoing regional cyber espionage to the Iranian threat group COBALT ULSTER, also known as MuddyWater, Seedworm, TEMP.Zagros and Static Kitten. The governments most affected have been those of Turkey, Jordan and Iraq, with organizations in Georgia and Azerbaijan also appearing on the target list. The typical attack method has been spear-phishing. 

Dave Bittner: [00:04:31]  Liesyl Franz serves in the office of the secretary in the office of the coordinator for cyber issues at the U.S. Department of State. She stopped by our booth here at RSAC to share her inside perspectives on the global world of cyber diplomacy. 

Liesyl Franz: [00:04:46]  Our office was created about nine years ago to make - reflect the international nature of cyberspace, the need for dealing with cyber policy as a foreign policy issue, be able to build relationships and coalitions with other countries to deal with the global issues and the global problems that we've seen. 

Dave Bittner: [00:05:06]  So what is the day-to-day like? What sorts of things - the interactions that your - you and your team are taking part in?

Liesyl Franz: [00:05:13]  Well, we cover sort of what the - cyber policy can cover a lot. One of - and - that we focus on is international security. That's sort of the bread and butter for the State Department - to deal in multilateral venues. We also work within the interagency with other departments and agencies on bolstering what we call cyber due diligence, which is more along the lines of cybersecurity as we see it here at RSA. We work with others on the messaging and promoting efforts to combat cybercrime. We talk about sort of global governance of the internet. We talk about internet freedom - those kinds of issues that sort of run the gamut. And we work a lot within the department with the other offices that deal parochially with those issues and the interagency. And we take that abroad. 

Liesyl Franz: [00:06:01]  So what does that mean? We work sort of in what I would call three concentric circles of venues. One is our bilateral relationships with country to country, or our work in regional organizations or regional - subregions in - around the world. But that would include things like the security - regional security organizations, like the Organization for Security and Cooperation in Europe or the Organization of American States or the ASEAN Regional Forum - things like that. And then take it even further out into the big, multilateral organizations like the United Nations. 

Dave Bittner: [00:06:39]  My sense is that many nations have been reticent to draw sharp lines in the sand when it comes to behavior in cyberspace. First of all, do you think that perception is accurate? And do you have any insights on that? 

Liesyl Franz: [00:06:59]  I think it's accurate to say that it's hard to draw... 

Dave Bittner: [00:07:05]  Yeah. 

Liesyl Franz: [00:07:06]  ...Bright lines a lot of the time. And so maybe that's what the reticence is - you know, is - you know, I mentioned we've been working on these things for decades. But it's really three decades, right? It's not 50 years or a hundred years. 

Dave Bittner: [00:07:17]  Right. 

Liesyl Franz: [00:07:17]  And so things are fairly new. And it's kind of hard even to draw a bright line around things like definitions. So one person's application is another person's "cyberweapon," quote-unquote. 

Dave Bittner: [00:07:30]  Sure. 

Liesyl Franz: [00:07:31]  I don't like to use that term. 

Dave Bittner: [00:07:32]  Yeah. 

Liesyl Franz: [00:07:32]  But that's what I mean. We can't even sort of draw clear lines around that - or what is one person's security is another person's content control. So how to even draw a line is sometimes hard. So maybe that's what you're sensing. 

Dave Bittner: [00:07:47]  The sense that I've had is that it's - for - it could be that nation-states are reticent to draw lines in the sand because their own intelligence organizations may be taking advantage of some of that ambiguity themselves. So it's in their best interest to not be too specific about certain things because if we let this ambiguity stay out there for a certain amount of time, that may be in our own interest. 

Liesyl Franz: [00:08:14]  I think there's a point to that... 

Dave Bittner: [00:08:15]  Yeah. 

Liesyl Franz: [00:08:15]  ...Which is why we as diplomats... 

Dave Bittner: [00:08:18]  Yeah. 

Liesyl Franz: [00:08:18]  ...Spend a lot of time negotiating text. And the kinds of things that we - like the outlines of this framework for responsible state behavior that I mentioned - is a way to put what I think are clear expectations of state behavior, but allow for the innovation and communication and, you know, technologies, which frankly are not only held by states - right... 

Dave Bittner: [00:08:42]  Yeah. 

Liesyl Franz: [00:08:42]  ...To develop, to move. And you know, if there's some ambiguity for countries, maybe that's reflected in some of that. But the bottom line is to be able to articulate what is acceptable and what isn't. 

Dave Bittner: [00:08:58]  Yeah. What would you like people to know - I'm thinking specifically folks who are cybersecurity professionals - about the work that your department does - the Department of State? Are there any things you feel aren't getting the attention they deserve? 

Liesyl Franz: [00:09:16]  It's notable to me - just as anecdotally - that, you know, I've been coming to the RSA Conference since 2006. And I've been in and out in government, so I've represented both industry and government here, but always in the policy space. And it used to be that the policy track at the RSA Conference were - have a few smattering of people in the room. The panel I just came from - we were full. 

Dave Bittner: [00:09:37]  Oh, interesting. 

Liesyl Franz: [00:09:37]  And so I think that the - that there is a greater understanding of what exactly governments do in this space and how we work together and that there is an - I think probably some people might have been surprised that our office is only nine years old. That doesn't mean cyber diplomacy wasn't happening before that, but that was when it was sort of coalesced into more regularized processes. 

Dave Bittner: [00:09:59]  Yeah. Yeah, a recognition of the... 

Liesyl Franz: [00:10:02]  Yeah. 

Dave Bittner: [00:10:02]  ...Of its status and... 

Liesyl Franz: [00:10:03]  Yeah. 

Dave Bittner: [00:10:03]  ...Necessity, I suppose. 

Liesyl Franz: [00:10:04]  And since in the last nine years, other countries have developed roles or offices similar to ours in their foreign ministries. Many manner of countries... 

Dave Bittner: [00:10:15]  Yeah. 

Liesyl Franz: [00:10:15]  ...Have done that - Russia, China, Estonia, Germany - you know, you name it - Netherlands. 

Dave Bittner: [00:10:20]  Right. 

Liesyl Franz: [00:10:20]  And some of them are here. What I would like people to come away with, maybe, is the idea that we need to keep talking about the nexus between network security and international security, that there is a nexus there, and we're working it. 

Dave Bittner: [00:10:33]  That's Liesyl Franz from the U.S. Department of State. 

Dave Bittner: [00:10:37]  ESET researchers report finding encryption flaws in Cypress Semiconductor and Broadcom Wi-Fi chips. While the risk is relatively limited, it remains possible that attackers could intercept data transmitted wirelessly. They call the bug Kr00k, and it's been assigned the identifier CVE-2019-15126. ESET says Kr00k can cause vulnerable devices to use an all-zero encryption key to encrypt part of the user's communication. In a successful attack, this vulnerability allows an adversary to decrypt some wireless network packets transmitted by a vulnerable device. 

Dave Bittner: [00:11:15]  According to The Washington Post, persons - possibly foreigners - impersonating the Democratic National Committee have sought to establish contact with presidential campaigns. The impersonation was initially reported to the DNC by Senator Sanders' campaign. The national party would like all campaigns to regard contacts purporting to be from the DNC with appropriate skepticism. 

Dave Bittner: [00:11:38]  The U.K.'s National Cyber Security Centre wishes to remind everyone - and everyone includes you and me, my friends - that ransomware can also affect online backups. Too many enterprises have thought they were good to go only to find out that, well, their backup files, conveniently connected to their network, were also encrypted. We've had occasion to observe that a ransomware attack should now be regarded as, also, a data breach. The hoods are threatening to release their victims' sensitive files to give them additional leverage in extracting ransom. 

Dave Bittner: [00:12:10]  BleepingComputer says the gang behind Sodinokibi - which, you'll recall, operates as an affiliate marketing scheme - is telling its criminal clients not only to exfiltrate data before they encrypt it but also to threaten the victims that they'll tell the stock markets the victims have lousy security. It hasn't occurred to the hoods that they could equally, well, just short the stock and then work their reputational damage. It's a good thing that only nice people listen to this podcast, right? 

Dave Bittner: [00:12:43]  And here's some news you can use from the state of Indiana. We've sometimes been moved to ask, suppose you found a GPS tracker on your car. Could you just unplug it and take it away? We're asking for a friend, you understand. Well, anyhoo, this case came up in the Hoosier State, where some guy the police were tracking - legally, we hasten to add - the guy, one Derrick Heuring, was suspected of dealing methamphetamine. Well, he suddenly drops off the grid. One minute, you're tracking his Ford Expedition; the next, blamo (ph) - he's gone, baby, gone. So anyway, they figure out that he'd found the GPS tracker, probably wondered what it was, unplugged that bugger, tossed it into the back seat and went about his business. 

Dave Bittner: [00:13:27]  So John Law, being pretty sore at this guy, decides to ask for a search warrant for Mr. Heuring's house and his dad's barn because the loss of signal counts as probable cause. We're concluding that Mr. Heuring stole the GPS tracker, right? And so they got their warrant. But on Mr. Heuring's appeal, the Supreme Court of Indiana says no, that's unreasonable. And so all the drug contraband and the handgun they found during the search is out as fruit of the poisoned tree. I mean, come on. It's an unmarked box stuck to the guy's SUV without so much as a logo or a serial number. So how could taking it off count as stealing? The tracker didn't even have a sticker on it that said something like, property of Warrick County Sheriff. Do not remove under penalty of law, you know, like those tags on my mattress that I've always been afraid to mess with. 

Dave Bittner: [00:14:26]  And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga - stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:15:40]  And joining me once again is David Dufour. He's the VP of engineering for cybersecurity at Webroot. David, here we are - RSA 2020, you and I together. What do you think? What - you've been walking around the showroom, the floor a little bit, taking things in. What's your take so far? Where do we stand this year? 

David Dufour: [00:16:00]  Well, last year, we had solved cybersecurity. I don't think you... 

Dave Bittner: [00:16:03]  (Laughter). 

David Dufour: [00:16:03]  You may not remember that. 

Dave Bittner: [00:16:04]  That's right. That was right. 

David Dufour: [00:16:06]  So... 

Dave Bittner: [00:16:07]  So why even have the show this year? 

David Dufour: [00:16:08]  Well, I had questioned why we would have the show this year. But I've realized, I think, this year, it's to help the employment problem we have with cybersecurity professionals. We have so many of them out there, trained, who can't seem to find jobs... 

Dave Bittner: [00:16:21]  That is true. 

David Dufour: [00:16:22]  ...That we've - this year, it seems like we've come up with a bunch of product ideas that are going to require companies to hire dozens and dozens of more people because the products don't do anything but detect, analyze and alert you. Apparently, we've decided to stop protecting... 

Dave Bittner: [00:16:37]  Oh. 

David Dufour: [00:16:38]  ...As an industry. 

Dave Bittner: [00:16:39]  Yeah, I see. 

David Dufour: [00:16:39]  It's very interesting. 

Dave Bittner: [00:16:41]  So what someone needs is a product that takes all of those other products and then feeds their output into that product...

David Dufour: [00:16:48]  ...And does something. 

Dave Bittner: [00:16:48]  ...And does something (laughter). 

David Dufour: [00:16:49]  Exactly. 

Dave Bittner: [00:16:50]  What would you propose that it does? 

David Dufour: [00:16:52]  Well, maybe it would block a threat or, you know, if it's identified a threat and it can remove it, maybe we could remove that threat. But honestly, in all seriousness, there is a lot of analyzing going on... 

Dave Bittner: [00:17:04]  Yeah. 

David Dufour: [00:17:04]  ...A lot of detecting. And I know from an enterprise perspective - and a lot of folks here really are looking at enterprise and government - that's what they want because they want to be able to chase that trail. 

Dave Bittner: [00:17:14]  Right. 

David Dufour: [00:17:15]  But it seems like everybody's forgotten that there are smaller organizations who can't afford to have an army of people sitting there, monitoring, looking, seeing what's going on. I'm going to call us all out because I'm an engineer in this industry. It's a little bit easier to detect something than it is to remediate it or block it because you have to, you know, look for false positives and things like that. So are we getting a little bit lazy because we're just detecting and analyzing? Lots of analyzing going on, David, lots of learning - and then we're dumping it off to humans to figure it out. 

Dave Bittner: [00:17:46]  Do you think that it might just be that that is this year's shiny object? You know, every year at RSA, some things bubble to the top. And a couple of years ago, it was artificial intelligence and machine learning. And, you know, is that just the... 

David Dufour: [00:18:00]  It could be. 

Dave Bittner: [00:18:01]  ...Where we are... 

David Dufour: [00:18:02]  You know... 

Dave Bittner: [00:18:02]  ...As things come around in cycles? 

David Dufour: [00:18:04]  But - and it's funny because, I mean, what was it - five, six, seven years ago, everything was SIEM.

Dave Bittner: [00:18:10]  Right. 

David Dufour: [00:18:10]  The analyzing - and maybe we're back to the analyzing because there is nothing really new and exciting. And AI got us away from that for a while. And, I mean, like I said last year, AI fixed everything, so... 

Dave Bittner: [00:18:19]  Yeah. 

David Dufour: [00:18:20]  We said we were done. 

Dave Bittner: [00:18:21]  (Laughter). 

David Dufour: [00:18:22]  But I think you could be right. You could be onto something there. And - but I feel like we're really focusing on governments and large businesses. And everything you read in the news anymore is about, you know, small, local governments, small businesses, medium-sized businesses, medical centers. We're not really addressing those markets. And I know it's harder. You know, you want your big 30x multiplier, you got to be locked into a government or enterprise. But as an industry, it seems like we should be able to do some things that help those smaller institutions and go that extra step to actually help them, not just alert them. 

Dave Bittner: [00:18:58]  Is it a missed opportunity? Is there a market opportunity there for somebody to go after those people who aren't being served? 

David Dufour: [00:19:06]  You know, I think there is, but again, it depends on what your goal is. If your goal is revenue - recurring revenue and making a profit - I'm not trying to be silly here, but if that's your goal, there's a lot of market opportunity. But I think a lot of companies - you know, I've been coming here seven, eight years now. They're really looking to get bought. And if you're looking to get bought, you need that new, sexy thing... 

Dave Bittner: [00:19:25]  Yeah. 

David Dufour: [00:19:25]  ...That somebody's going to pay a large multiplier for. 

Dave Bittner: [00:19:27]  Yeah. 

David Dufour: [00:19:27]  So it depends on what you're really looking for. 

Dave Bittner: [00:19:30]  What do you hope to take away from a conference like this? As you walk around and you take things in - I mean, obviously, you're here representing your company, and so there's a sales and promotional component. But you want to learn things, too. 

David Dufour: [00:19:43]  Yes. 

Dave Bittner: [00:19:44]  As you walk around, what are the things you're hoping to pick up? What are the take-homes for you from a show of this scale? 

David Dufour: [00:19:51]  That's, like - the big thing usually is, what's the vibe? What's the feel? 

Dave Bittner: [00:19:55]  Yeah. 

David Dufour: [00:19:55]  Is there anything - underlying tone? And to kind of end on a positive note, David, we talked about this last year. There was a huge, I believe, in the last year or two, understanding that users aren't as dumb as the cybersecurity people want to make them out to be, that if we can show them the right thing to do, if we can ask them to follow these procedures, most of them are going to do it. Now, is there - you know, is there Bob down the road that, every time somebody sends him a link, he clicks on it? 

Dave Bittner: [00:20:23]  Right (laughter). 

David Dufour: [00:20:23]  Yes. No. We've got to deal with the Bobs of the world, right? 

Dave Bittner: [00:20:26]  Yeah, yeah. 

David Dufour: [00:20:26]  But in general, people want to do the right thing. And if we're very clear with - hey; we're trying to do this not to be difficult, but it really helps protect us as an organization, people are really signing up for that. And where am I going? This year, the conference is about the human element. 

Dave Bittner: [00:20:43]  Yeah. 

David Dufour: [00:20:43]  Right? 

Dave Bittner: [00:20:43]  Yeah. 

David Dufour: [00:20:43]  And I'm making fun of the product that - I'm a vendor, so I like to make fun of our - you know, us as well. 

Dave Bittner: [00:20:49]  Yeah. 

David Dufour: [00:20:50]  The - I'm making fun that the human element is they want you to hire a bunch more cybersecurity people. 

Dave Bittner: [00:20:54]  Right (laughter). 

David Dufour: [00:20:55]  But to look at it the other way, I think there's really getting to be a more and more understanding that if we can work with the people using computers who are inside the organizations we're trying to protect that they actually are able to really help more. And we're seeing that come through, which is kind of nice. 

Dave Bittner: [00:21:13]  Yeah. All right. Well, David Dufour, thanks for joining us. 

David Dufour: [00:21:16]  Great being here, David. 

Dave Bittner: [00:21:22]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:21:32]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:22:03]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. 

Dave Bittner: [00:22:27]  Thanks to everybody who's come by our booth here at RSA 2020. It's been great meeting you all, getting to say hello and putting faces to some of the names - looking forward to being back home soon, though. Thanks to all of you for listening. We'll see you back here tomorrow.