The CyberWire Daily Podcast 5.5.20
Ep 1081 | 5.5.20
Bear hunt in the Bundestag. Kaiji botnet described. Cryptojacking. Joint US-UK warning against attacks on COVID-19 response. Contact tracing. Puppy scams.
Transcript

Dave Bittner: [00:00:05] A pretty Fancy Bear hunt in Germany. A new IoT botnet surfaces. Cryptojackers exploit a Salt bug. Bribing an insider as a way to get personal data. The U.K.'s NCSC and the U.S. CISA issue a joint warning about campaigns directed against institutions working on a response to COVID-19. Britain's contact-tracing app starts its trial. Ben Yelin on AI inventions and their pending patents potential. Matt Glenn from Illumio is our guest, and he wonders if companies should break up with their firewalls. And don't get puppy scammed. You're looking for wags in all the wrong places. 

Dave Bittner: [00:00:47]  It's time to take a moment to tell you about our sponsor Recorded Future. They help security teams make more confident decisions faster. Recorded Future's technology automates broad collection and analysis of cyberthreat data and delivers the rich external context you need to understand alerts and emerging threats. With real-time threat intelligence from Recorded Future, security teams respond to threats 63% faster and find undetected threats 10 times quicker. Recorded Future integrates with the security products you already use, making the intelligence you need accessible and relevant. Use it to improve your security operations, incident response, vulnerability management and much more. If you're facing challenges like the cybersecurity skill shortage or more alerts than your team can handle, consider Recorded Future threat intelligence. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And it's on the money. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:16]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 5, 2020. 

Dave Bittner: [00:02:25]  Reuters reports that German authorities have issued a warrant for the arrest of Dmitry Badin, a GRU operator wanted in connection with a 2015 hack of the Bundestag. The Suddeutsche (ph) Zeitung calls the warrant a bear hunt because, of course, the authorities think Mr. Badin is working for Fancy Bear. He's a person of interest elsewhere, too. There are a number of people in the U.S. Justice Department who'd like to hear from him about the 2016 hack of the Democratic National Committee. 

Dave Bittner: [00:02:54]  Researchers at Intezer have identified a new Linux-based botnet they're calling Kaiji. It's apparently the work of a developer in China, and it's designed to infect IoT devices in order to herd them into a botnet adapted to distributed denial-of-service attacks. ZDNet reports that Kaiji gains access to targeted devices via SSH brute-force attacks. 

Dave Bittner: [00:03:18]  Pen Test Partners say they've demonstrated a disturbing proof of concept, a Crying Wolf attack against commercial aviation's Traffic Alert and Collision Avoidance System, TCAS. It's possible to induce ghost contacts in the system, and some aircraft might automatically respond to such false reports by altering course. The potential risk to flight safety is obvious. Threatpost points out that the ghosts won't show up on radar and that pilots may well trust – probably will trust  radar more than TCAS, but the proof of concept remains troubling nonetheless. 

Dave Bittner: [00:03:54]  Cryptominers continue to exploit vulnerabilities in the Salt remote task and configuration framework. Computer Weekly writes that Xen Orchestra users have been affected, as have users of the Ghost blogging platform. The Register reports that DigiCert has also been affected. 

Dave Bittner: [00:04:11]  The UK's National Cyber Security Centre, NCSC, and the US Cybersecurity and Infrastructure Security Agency, CISA, this morning released a joint advisory warning that APT groups are targeting both health care and essential services. While such attacks could either be state-sponsored or the work of criminal gangs and while both kinds of threat actors have been active during the pandemic emergency, APT, advanced persistent threat, has come to be functionally equivalent to state-sponsored threat actor. The advisory summarizes the goals of the campaigns as follows, quote, "APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include health care bodies, pharmaceutical companies, academia, medical research organizations and local governments. APT actors frequently target organizations in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities. The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international health care policy or acquire sensitive data on COVID-19-related research," end quote. 

Dave Bittner: [00:05:29]  The threat actors are actively scanning for specific vulnerabilities in their target systems, specifically Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private networks products from Pulse Secure, Fortinet and Palo Alto Networks. They're also engaged in large-scale password spraying attacks. The UK has been particularly concerned to block these threats, which have been particularly active against the country's biomedical research sector. The Wall Street Journal calls NCSC's response a pivot, and reports that measures are being taken to protect institutions engaged in vaccine research. 

Dave Bittner: [00:06:09]  The venerable firewall is a tried-and-true component of cybersecurity, tirelessly keeping watch over your network, keeping the bad stuff out. But some say there's a tendency toward overreliance on firewalls and a closer look is in order. Matt Glenn is vice president of product management at data center and cloud computing security company Illumio. 

Matt Glenn: [00:06:30]  If you think about the original firewall, it was basically the perimeter of an enterprise versus the internet. It was sort of the thing that was making sure that the internet couldn't get inside of your enterprise. So it was you were either on the good side of the firewall or the adversarial side of the firewall. And it is a great perimeter device. The challenge has been - and I think that most of your listeners will sort of, you know, see this - is that the threats are no longer popping through from the outside into a lot of internal things that happen, right? So the first thing that a bad actor will try to do is infiltrate. How do they try to infiltrate? Malware. So instead of it coming in - you know, someone trying to, you know, pierce the firewall - what they're doing is they're relying on somebody clicking on a bad link, downloading something bad onto their devices. And then, you know, suddenly, that threat is now behind the firewall. 

Matt Glenn: [00:07:25]  And so what did organizations begin to do? They began to put more and more firewalls inside of their enterprises. And that is just - you know, that creates a lot of complexity to manage all those different firewall rules. And now you're creating more and more perimeters inside of your enterprise, which, you know, from a security strategy perspective is a good idea, right? And I think, you know, when Wi-Fi came in, you know, the access of the network was, you know, literally piercing outside of the four walls of a building. So, you know, we see people putting more and more firewalls, like, in front of their data centers, right? 

Matt Glenn: [00:07:59]  And now what I think the new sort of threat landscape is - you know, we have our perimeter firewall. Our users, you know, are going to get impacted at some point. I have some customers where they actually have people working for organized crime that come into an organization as a developer. So the assumption is that you've already been breached. That's sort of the new mindset of CISOs. So how do you basically ensure that the breach that has already taken place - and you have to assume breach - that it can't spread? And the answer to doing that is segmentation. So the first thing that a CISO will do is to say, oh, let's buy more firewalls to do that. Well, the problem is that driving more and more firewalls into your data center is costly and disruptive in that, you know, you may have to re-architect your data center to insert them. And I think that's why things are starting to break down in the report that we put out. "The State of Security Segmentation" sort of speaks to that point. 

Dave Bittner: [00:09:03]  What is the transition like? If someone wants to adopt what you're proposing here, how is that turnover period? What is that like for them? 

Matt Glenn: [00:09:13]  Here's the good news about it. There is no change to the underlying infrastructure to do it. There's no sort of modification of the network. In fact, a lot of customers, the question is who owns this. Most frequently, we do see that network teams own the segmentation problem because, you know, segmentation is classically a networking problem, OK? The good news is you don't have to modify the network in any way, shape or form. 

Matt Glenn: [00:09:37]  What organizations do and what I always tell customers to do is start by concentrating on the people and process. And what do I mean by that? Work out the process for how you're going to do the brownfield segmentation. Target, like, you know, nine, 10 applications and build that up. It's not very hard to do once you sort of target those people and process to go into your brownfield and, you know, take care of segmentation but without breaking any applications. 

Dave Bittner: [00:10:04]  That's Matt Glenn from Illumio. 

Dave Bittner: [00:10:08]  The UK today began to pilot its contact-tracing app on the Isle of Wight. Matt Hancock, secretary of state for health and social care, gave the islanders a bucking up. The Telegraph quotes him as saying, "We'll learn a lot. We'll use it to make things better. And we want to hear from you. Where the Isle of Wight goes, Britain goes," end quote. 

Dave Bittner: [00:10:29]  The British system is something of an outlier among the more recent approaches to contact tracing in that it represents a centralized approach to collection and analysis of data. The Telegraph has a description of how the app is intended to work. It's an opt-in system that uses Bluetooth for sensing proximity and that depends upon self-reporting of positive diagnoses. 

Dave Bittner: [00:10:49]  A skeptical piece in The Register outlines some of the challenges confronting the NHSX-developed app and a second Register article reports that NHS has informed Parliament that it intends to retain the data it collects even after the pandemic passes. The centralized collection and analysis and the plans to continue to use data for research has led to calls for close legislative oversight of the system, ComputerWeekly says. The inadvertent exposure of a contact-tracing database in India has aroused suspicion of such efforts' security and privacy, SC Magazine observes. The Washington Post has an overview of how such suspicions are currently being manifested around the world. In the US, while there are other projects under development, the joint Apple-Google exposure notification app has attracted the most interest. It's decentralized, opt-in and will not use location tracking, Reuters reports

Dave Bittner: [00:11:45]  And, finally, not all human-animal interaction during the pandemic has come in wet markets. There's been a striking rise in the rate of animal adoptions as people look for companions during a time of isolation, with WIRED having gone so far as to say that animal shelters are empty. That's clearly an exaggeration, at least if taken generally and literally. But it does seem that pet adoption is up significantly. Since demand equals opportunity for criminals, there's also been a spike in what Naked Security calls "puppy scams." These are like romance scams, only using cute pictures of dogs as the catfish. You send your money in for an adoption, and that money's gone with nary a puppy in sight. So animal adoption has become popular phishbait during the pandemic, maybe even overtaking colloidal silver as a cure for what ails you. If you're looking for an animal to adopt, there are reputable local shelters who can put you in touch with a pet needing a home. There are still dogs and cats out there who could use a home. And, animal, vegetable or mineral, don't be fooled by cute pictures that turn up in your email. 

Dave Bittner: [00:12:58]  And now a word from our sponsor KnowBe4. Corporate privacy concerns are more paramount than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware and software needs and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his new book, "The Art of Invisibility." Kevin Mitnick has a new webinar, and a few topics include privacy concerns around employees using personal devices for business purposes, security issues with various operating systems, mobile devices and the internet of things, the reality of deep privacy and how tied together devices, systems and surveillance really are and why new-school security awareness training is more critical than ever before. Plus, Kevin shares some shocking new demonstrations that will change the way you think about privacy. Go to knowbe4.com/artofinvisibility to watch the webinar. That's knowbe4.com/artofinvisibility. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:14:13]  And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, and he's also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: [00:14:22]  Good to be with you, Dave. 

Dave Bittner: [00:14:24]  You have an interesting story to share this week. This comes from Motherboard on the VICE website, and it has to do with artificial intelligence and some stuff from the patent office. What's going on here? 

Ben Yelin: [00:14:37]  So last year, there were two patents pending in front of the United States Patent and Trademark Office, one for a shapeshifting food container and another for an emergency flashlight. The interesting thing about these inventions is that they were not invented by a human being. They were invented by DABUS, an artificial intelligence system. Now, the system was created by a researcher, a guy named Stephen Thaler. But the issue in front of the patent court was whether you could grant a copyright or patent interest in something created by a nonhuman, created by artificial intelligence. And the Patent and Trademark Office said that inventions - that only human beings can be inventors. Artificial intelligences cannot be inventors. Only natural persons have the right to obtain a patent. 

Ben Yelin: [00:15:34]  So until this decision came out, the law around this was pretty vague. Patent law referred to individuals as entities that could be inventors. Of course, the question was whether individuals just meant natural persons or artificial intelligence. I mean, DABUS, the artificial intelligence system, according to, you know, some definitions, might be considered an individual. And so, finally, the Patent and Trademark Office has provided some clarity here. 

Ben Yelin: [00:16:04]  What other researchers have said is they really should allow artificial intelligence to be able to be granted patents and trademarks because it's sort of analogous to a senior adviser who has, you know, mentored a Ph.D. student into coming up with an invention. That patent should belong to the student, the person who's learned from the inventor, and not from the inventor him or herself. And I think what the court is saying here is you can't make that analogy. The Ph.D. student is a living, breathing human being... 

Dave Bittner: [00:16:37]  Right. 

Ben Yelin: [00:16:38]  ...Unlike the robot artificial intelligence in this case. So sadly, our robot friends and... 

0:16:47:(LAUGHTER) 

Ben Yelin: [00:16:49]  If you actually... 

Dave Bittner: [00:16:50]  We put off our robot overlords for a little while longer. They're not able to get patents. 

Ben Yelin: [00:16:54]  Yes, we've bided just a little bit of time. 

Dave Bittner: [00:16:57]  Right. 

Ben Yelin: [00:16:57]  It's so funny that on the front page of this article, there's a picture of various robot toys. And they just look so sad that their patents have not been granted. But alas, only human beings can be granted these patent and trademark interests. 

Dave Bittner: [00:17:13]  You know, this - a couple of things this reminds me of, one of them they bring up in the article here. And the first is the - there was the case with the monkey taking a selfie of itself and some folks trying to say that the monkey had copyright to the selfie. And ultimately, the Copyright Office said that, no, only humans can be copyrighted. 

Ben Yelin: [00:17:34]  What I love about that is PETA went to bat for the monkey, which I guess is... 

Dave Bittner: [00:17:38]  (Laughter) Of course they did. 

Ben Yelin: [00:17:38]  ...Very on brand for PETA. 

Dave Bittner: [00:17:40]  Yeah, right. 

Ben Yelin: [00:17:41]  It's not just trying to get us to stop, you know, eating meat. It's, let's grant intellectual property rights to monkeys. 

Dave Bittner: [00:17:47]  Right, right. 

Ben Yelin: [00:17:47]  But, you know, good for them. 

Dave Bittner: [00:17:50]  But the other thing that this makes me think of, which is not quite so lighthearted, I suppose, is that I remember when the laws about gay marriage were making the rounds, and there was lots of discussion about that. You know, some folks on the right would say, well, if two men can get married, two women can get married, why can't I marry a goat, right? Why can't we just - and, of course, the response to that is, well, a goat is not a human being. A goat is not - you know, can't have - there's no contract law that applies. Marriage is a contract, and you can't have a contract between a human and a goat. And, you know, obviously, a half-serious argument to illustrate something, but this reminds me of that also in that, you know, humans have rights and machines and animals do not. 

Ben Yelin: [00:18:43]  I don't want to get too deeply into existentialism here. I can't claim to be an expert. But... 

Dave Bittner: [00:18:48]  (Laughter) Right. 

Ben Yelin: [00:18:49]  ...There are some things that are unique about human beings. We are aware of our own existence. We have emotions. We have feelings. We have dreams and aspirations. And machines, by and large, do not have those things, although the more advanced the machines get, you know, as you say, they will eventually be our overlords. Maybe they'll start to develop some of those qualities. But, yeah, I mean, there is a serious point in there that only humans can be human. And, you know, I sort of think that might be underlying the rationale for this decision. 

Dave Bittner: [00:19:27]  Yeah. Well, it's all a simulation anyway, Ben, so it doesn't really matter (laughter). 

Ben Yelin: [00:19:29]  We are living in a simulation, yeah. This is just one of many universes. And... 

Dave Bittner: [00:19:34]  Right. 

Ben Yelin: [00:19:34]  ...We happen to be in... 

Dave Bittner: [00:19:35]  Right. 

Ben Yelin: [00:19:35]  ...One of the worst ones right now, unfortunately. 

Dave Bittner: [00:19:37]  Oh, there you go. Keep your chin up, Ben. Keep your chin up. 

Ben Yelin: [00:19:40]  I will try, yep. 

Dave Bittner: [00:19:42]  All right. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:44]  Thank you. 

Dave Bittner: [00:19:50]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:20:08]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:20:20]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.