Dave Bittner: [00:00:00] Hey, everybody. It's Dave here, and I have a special favor to ask. If you have the time and you have the inclination, please go out and leave us some reviews for our shows on iTunes or wherever you listen. If you love the CyberWire, if you love "Hacking Humans," if you love "Caveat," just take a couple minutes, leave us a review. That'll help us find more listeners. We do appreciate it. And as always, thanks for listening.
Dave Bittner: [00:00:28] The U.S. government issues a major advisory warning of North Korean offenses in cyberspace. Ericsson will provide BT the equipment to replace Huawei gear in its networks; notes on COVID-19-themed cybercrime; some temporary telework may become permanent; disinformation from Tehran; domestic phishbait from Damascus and to Zoom or not to Zoom?
Dave Bittner: [00:00:57] And now a word from our sponsor ExtraHop - securing modern business with network detection and response. Security and IT teams are under more pressure than ever. Any workforce that can go remote has done so almost overnight. That means more stress on critical systems and more potentially unsecured IoT devices on corporate networks and an urgent need to see and respond to threats as quickly as possible. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95% faster and respond 60% more efficiently. As chief architect and information security officer Dan McDaniel put it, there's no other company that aligns to supporting the DevOps model, the speed and the lack of friction than ExtraHop. See how it works in the full product demo free online at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:58] Funding for this CyberWire podcast is made possible in part by McAfee - security built natively in the cloud for the cloud to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time.
Dave Bittner: [00:02:21] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 16, 2020. In what The New York Times sees as a sign that deterrence of North Korea in cyberspace is beginning to fail, the U.S. government has issued an unusually comprehensive advisory about Pyongyang's cyberspace offensive. The joint advisory, to which the Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation contributed - and which they approved - concentrates on the threat North Korean hacking poses to the international financial system.
Dave Bittner: [00:02:56] The DPRK's activities are grouped under three main heads - first, cyber-enabled financial theft and money laundering - a great deal of this activity involves stealing altcoin, cryptocurrency; second, extortion campaigns - that is, ransomware. One unusual form of extortion is the DPRK's use of long-term paid consulting arrangements to ensure that no such further malicious cyberactivity takes place. That is, they run cyberprotection rackets. Nice data you got there - shame if something happened to it. And last, cryptojacking, which still affords some prospect of a modest return, and Pyongyang needs all the financial help it can get.
Dave Bittner: [00:03:38] The unusually long public advisory includes advice on how to defend oneself against North Korean attacks. The U.S. government is also offering rewards of up to $5 million for tips about illicit DPRK cyberactivities, which you can submit to the State Department's Rewards for Justice website. To the New York Times' observation that deterrence may be failing - in all fairness, it should be noted that cyberdeterrence of Pyongyang has been, for decades, at best a work in progress. Deterrence is always, at some level, a countervalue proposition, and the less of value you've got to lose, the harder you may be to deter.
Dave Bittner: [00:04:15] Ericsson has won the contract to provide BT with the equipment it will need to replace Huawei gear in the big British telco's networks, SDxCentral reports. The BBC says BT complains it will take until 2023 to purge Huawei kit. This suggests that the British decision to ban Huawei from its core networks, widely seen as wishy-washy appeasement at the time, may be biting harder than it was generally expected to do. There will be costs for Huawei's partners as well as Huawei.
Dave Bittner: [00:04:46] CPO Magazine notes that the U.S. FBI has stepped up its efforts to notify the public of criminal attempts to take advantage of the coronavirus emergency. The bureau has increased the frequency of its alerts. It only issued nine during all of last year. It's already issued four during March and April. Not all of these deal directly with COVID-19, but it does seem that the tempo of cybercrime engendered by the pandemic has moved the FBI in the direction of more frequent public engagement than had been the norm.
Dave Bittner: [00:05:17] One of the things organizations are learning is what sort of work can be done remotely. It's likely that some of the habits being built up now will persist beyond the current emergency. FCW, for one, thinks that a great deal of the surge in telework the U.S. Department of Defense is seeing may well turn into a permanent way of doing business.
Dave Bittner: [00:05:37] Chinese operators have been the most active purveyors of disinformation during the COVID-19 emergency, but other actors haven't been idle either. Graphika reports that an Iranian threat group, the International Union of Virtual Media - IUVM - a front operation, has been active in pushing the line that the coronavirus had its origins in a U.S. biowar program. Quote, "the IUVM operation is significant and mannered by a well-resourced and persistent actor, but its effectiveness should not be overstated," end quote. Their reach has been limited, attracting only about 3,000 followers, The Verge notes.
Dave Bittner: [00:06:15] But persistent they have been. The group's accounts have been the repeated targets of takedowns by Facebook, Google and Twitter, but they continue to reappear. Their line is generally pro-Iranian and pro-Palestinian, anti-U.S., anti-Israel, anti-Turkey and anti-Saudi. Like much Chinese disinformation and unlike much Russian disinformation, the Iranian efforts aim at persuading the audience to a specific set of views and not merely at disruption.
Dave Bittner: [00:06:44] On the principle of the enemy of my enemy is my friend, the IUVM has been heavily engaged in repeating stories that tend to Beijing's advantage. They generally praise China's response to the epidemic, dismiss criticism of Beijing as psychological warfare, commend China's contributions to international emergency relief and even praise China's business acumen in using the crisis as an opportunity to buy low and sell high.
Dave Bittner: [00:07:11] For many, part of the new normal in shoring up your work-from-home cyberdefenses involves running a VPN. But not all VPNs are created equal, and they vary in both security and ease of use. For more on that, we checked in with Attila Security's Gregg Smith.
Gregg Smith: [00:07:29] Well, I think today, Dave, what you're seeing is a significant amount of people who have been bound to their office desks are all being asked to move home. Very often, the enterprise or the government agency that they work for does not have the capabilities of providing all these employees that are forced to work at home with government-issued or enterprise-issued computers. So one of the challenges that's facing the CIO today is the fact that these employees are using their home computers to connect back into the network. And of course, that presents an awful lot of challenges, especially as it relates to the secure communications from their home back into the enterprise itself.
Dave Bittner: [00:08:17] Well, let's go over, I mean, just some of the basics here. What are the issues there? What's the stuff that we should be worried about that could be being sent in the clear?
Gregg Smith: [00:08:26] Well, certainly any government agency or enterprise employee is working with sensitive information. In the case of the enterprise, it could be just enterprise data, but it also could be the intellectual property of that particular entity itself. There was a resort here locally in Maryland that sent their workers home last week. And lo and behold, someone who did not have a VPN - they were using their home computer - their home computer was attacked. The attacker moved laterally into the payment system of this particular resort. And the resort, the next day, realized that they had lost $23,000.
Gregg Smith: [00:09:10] So as a starting point, communicating in the clear from a home computer can create a lot of problems just from the use of unsecured Wi-Fi, not having a VPN, a potential eavesdropping event, a man-in-the-middle attack and, again, the advent of insecure Wi-Fi being the most prominent situation that's out there today.
Dave Bittner: [00:09:35] Well, can you walk me through it sort of one level at a time - I mean, starting from the least secure to the most secure - the various options and things that people can put in place?
Dave Bittner: [00:10:51] That's Gregg Smith from Attila Security.
Dave Bittner: [00:10:55] Researchers at Lookout have seen a change in approach on the part of a group that appears to be operated by the Syrian government's domestic security apparatus. It's been active since 2018 at least, and recently, it's been prospecting Syrians with COVID-19 phishbait to induce them to install SpyNote, SandroRat, AndoServer or SLRat surveillance tools. Some of the bait takes the form of bogus apps. One is a bogus digital thermometer because what better to have on a worried person's phone than a thermometer that can warn them of the onset of a fever?
Dave Bittner: [00:11:30] More large companies have banned the use of Zoom. TechRadar reports that Siemens has joined Standard Chartered Bank in telling its employees to avoid using the teleconferencing service. Zoom hasn't been idle. In its latest move to shore up security, the company has brought in Luta Security to run a revamped bug bounty program. ZDNet observes that Luta's Katie Moussouris has tweeted a greeting to others she indicates are joining Zoom's advisory team. In addition to Alex Stamos, whose appointment has been known for several days, she indicated in a tweet that she'd be joined by, as ZDNet lists them, privacy expert Lea Kissner, former global lead of privacy technology at Google; cryptographer and Johns Hopkins professor Matthew Green and three well-known security auditing firms - BishopFox, the NCC Group and Trail of Bits.
Dave Bittner: [00:12:20] So should organizations use Zoom or not? Forbes offers sensible advice. If data privacy and security are paramount, then no. If, however, affordability and ease of use are more important than locking down your data, then Zoom isn't a bad choice. So if your office is holding a virtual happy hour, go ahead and Zoom happily. If you need to discuss PII, trade secrets or, heaven forfend, classified information, then seek thou elsewhither. And if it's classified stuff you're talking, take it to a SKIF, friends.
Dave Bittner: [00:13:00] Hey, everybody. Dave here. And I want to tell you about CyberWire's new subscription program CyberWire Pro. It's designed for security professionals and all others who want to stay abreast of cybersecurity news. CyberWire Pro is a premium service that will save you time and keep you informed. You may be saying to yourself - hey, that sounds great and something my entire organization can benefit from. We think so, too. With a CyberWire Pro enterprise subscription, you can make that happen. You can help to keep your organization up to date with the latest news, analysis and trends across the evolving cybersecurity landscape. Save some money, and look like a hero at the same time. We've got great discounts for government, commercial teams and academia, too. To learn more, visit thecyberwire.com/pro and click on the contact us link in the enterprise box. That's thecyberwire.com/pro, and then click contact us in the enterprise box and we will help you become that office hero.
Dave Bittner: [00:14:06] And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, you recently keynoted at the 2020 RSA Conference. I was hoping you could give us a little summary. What were some of the topics that you touched on there?
Robert M Lee: [00:14:20] Yeah, absolutely. And thanks. It was a big shock, by the way, even getting that. It was just really exciting, and it wasn't because I thought I was so good. Contrary to that, actually, it was because I thought that the community had really rallied around that. And the reason it felt so great is 'cause people showed up. It was tons of people online, and it was tons of people in the room - I think 500 or 600 people that were there in the auditorium just caring about industrial infrastructure. And I just thought that was such a wonderful moment in our community.
Robert M Lee: [00:14:48] The keynote focused on the Dragos year in review reports we publish. So those year in review reports have insights into the threats, our lessons from the field and also insights into vulnerabilities. What we had found couple years ago is that nobody was publishing kind of as vendor-neutral as possible kind of reports about sort of the status of the industry and what's going on and setting some kind of trend lines to be able to follow over the years. So this keynote really had a couple points from there. But I, in many ways, also treated it as this welcome to the ICS community, here's how we play and work together, and this is what you need to be aware of kind of wide-audience presentation.
Robert M Lee: [00:15:29] And the points, really, were, one, industrial is different. Please stop trying to call it IoT. I see a lot of big firms and marketing firms and markets and et cetera get confused on this ICS stuff or operations technology or OT stuff, so they just try to flavor it as, well, it's those - it's the IoT, it's internet-connected stuff - except for our systems have been around longer than your internet, so let's focus on the fact that it's ICS or OT. So No. 1, we're different, and please don't call it IoT.
Robert M Lee: [00:16:00] No. 2, the reason we're different is not just because we have different systems. We have Windows systems, too. It's the fact that we have different threats, different missions, different risks. Everything about what we are trying to accomplish and the environment which we're accomplishing it in is different, which also means there's that interaction with physics. And so we have to take different approaches to security. A lot of the things that you would think would work in an IT environment - you know, deploying antivirus or endpoint protection systems, relying heavily on vulnerability management programs, encryption, et cetera - like, a lot of the things that you would want in an IT environment you don't actually even want in the ICS. And I'm not saying don't patch or don't do antivirus, but the limits of those controls are significant when you look at what you're actually trying to reduce risk against.
Robert M Lee: [00:16:47] And then the third thing is I just kind of gave an overview of where we are with threats, vulnerabilities and kind of lessons from the field from the threats perspective. There are 11 different teams targeting industrial control systems specifically now, with two that have shown the ability to do destructive and disruptive attacks. That is a huge increase from where we were just a couple years ago. But where I kind of gave, you know the community a note of optimism was, look; this is also because we're starting to look. So it's not like things have just gotten worse than ever, and - oh, my gosh - we're screwed. It's more of the fact that our communities are becoming mature, doing things like asset identification and visibility and network monitoring in these environments. We're seeing more things.
Robert M Lee: [00:17:27] In the same way, I talked about the vulnerabilities, which, actually, a significant portion of the vulnerabilities in ICS are useless and we shouldn't overfocus on them. But there are some that are important, and let's figure out how to evaluate these correctly. So we're not going to operations and saying, you should patch all these vulnerabilities, but instead going to them and saying, look; there's like, 450 that came out this year, and we only really care about, like, these five; let's go take advantage of these five together. And there's more of a sense of partnership.
Robert M Lee: [00:17:55] And then the last thing was just around, like, instant response lessons learned. So even though we're a technology company, we still do a lot of instant response and get a lot of good insights from that in our services work. And in - a couple of the metrics that kind of stood out was, one, 100% of people that thought they had an error gap had multiple routes of connectivity into their industrial environments. We found that 51% of our instant response engagements, we were given information that was supposed to help us, like network diagrams or similar, and it was so out of date or so bad that it actually hurt us, and we were better off sort of throwing that information to the side.
Robert M Lee: [00:18:33] And then we found the fact that in the instant response engagements we went into, none of them were benefited at all from any level of, like, centralized logging or network visibility or any of the tooling required to be successful in those environments. So you know, as a call to action for the community, we really wanted to say, look; go think about what the response would look like, and work backwards to build the detection strategy and the collection strategy that you want to be able to operate in that response scenario. Anyways, that was a lot, but that was a lot shorter than the keynote, so that's good, too.
Dave Bittner: [00:19:07] That's right. That's right. That's right. Well, that's a good summary, and I suppose RSA has put these keynotes online. So if you want to check it out, you could do that, right?
Robert M Lee: [00:19:16] Yeah, absolutely. It's out there and viewed - I mean, as of right now - again, talk about an amazing community response - it already has something like 50,000 views on it as of today. And it's like - that's crazy. I mean, think about people caring about our infrastructure and caring about the industrial community. And I just think we're in this real inflection point within our community where I think there's a lot - there's a lot of work to be done, but there's a lot of desire and goodwill to get it done. And I ultimately just think we're going to be successful.
Dave Bittner: [00:19:45] Yeah. All right. Well, congratulations, Rob, and thanks for joining us. Robert M. Lee.
Dave Bittner: [00:19:54] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:20:12] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:23] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team, working safely from home, is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.