The CyberWire Daily Podcast 6.5.20
Ep 1103 | 6.5.20

Hurricane Panda and Charming Kitten paw at, respectively, the campaigns of Mr. Biden and Mr. Trump. Lies’ bodyguard of truth. Information warfare in the Gulf.


Dave Bittner: It's mostly cyberespionage today with a mixture of influence operations. Google has warned both major US presidential campaigns that Chinese and Iranian intelligence services are after their staffers' email accounts. Russia, China and Iran devote some purposive media attention to US civil unrest; Johannes Ullrich from SANS on malicious PowerPoint add-ons; our guest is Bill Harmer from SecureAuth on credential carelessness. And Qatar's rivals in the gulf continue their information campaign against Doha. This time, it's bogus news of a coup. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Friday, June 5, 2020. 

Dave Bittner: Google's Threat Analysis Group has warned the US presidential campaigns of both major parties' presumptive nominees that Chinese and Iranian threat groups are targeting campaign staffers' personal emails. Google's Shane Huntley tweeted the findings yesterday and subsequently clarified that the threat groups in question are China's APT31, Hurricane Panda, and Iran's APT35, Charming Kitten. The Wall Street Journal reports that Hurricane Panda is interested in the Biden campaign. Charming Kitten has targeted the Trump campaign. Both efforts are believed to have been unsuccessful. The Washington Post says the two groups have different interests. Hurricane Panda is collecting intelligence on former Vice President Biden's views and those of his staffers while Charming Kitten is interested in undermining President Trump's reelection. Russia is also engaged with the election, but neither Iran nor China appear to be following Russia's playbook, the Post observes. So to summarize, Chinese intelligence services want to find out what's on candidate Biden's mind. And Iranian intelligence services would very much like to see President Trump's reelection campaign fail. The drone strike that killed General Soleimani is offense enough, and the increasingly tight US-led sanctions make Tehran's dislike for the president overdetermined. The Chinese interest in collection is as usual thorough and extensive as the Foreign Policy Research Institute's Clint Watts told The Washington Post, quote, "China doesn't just want to know Biden's opinion about China. They want to know all of Biden's staff's opinions about every part of the world," end quote. So not only thorough and comprehensive but also very much along the lines of traditional collection. 

Dave Bittner: Iran's collecting, too, but Tehran's collection seems more focused. Iran is interested in obtaining and then releasing damaging material. That would indeed be a page from Moscow's 2016 playbook, when Cozy Bear successfully and quietly penetrated campaigns and when Fancy Bear doxed the US Democratic National Committee and the Clinton campaign, releasing emails that embarrassed the victims. Should Tehran obtain comparable dirt on this year's Republican presidential campaign, they can be expected to engage in the same sort of malign, involuntary, enforced transparency to which Fancy Bear subjected the Clinton campaign in 2016. Of course, as the Post and others routinely observe, it's also possible that foreign espionage services could use access to hacked email accounts and other resources to mount disinformation in the form of spoofs and fakes. The fakes can either be deep or shallow. As long as they find takers, it doesn't matter because this is information warfare, not art. That sort of fakery didn't happen with the email compromise of 2016, but it's certainly a possibility in 2020. 

Dave Bittner: US Attorney General Barr yesterday said in brief remarks about ongoing civil unrest that, quote, "we are also seeing foreign actors playing all sides to exacerbate the violence," end quote. The social media study group Graphika independently described influence campaigns by Russia, China and Iran, all of which seek to further their agenda by respectively drawing attention to fissures in American society, discrediting US criticism of human rights violations and undermining the legitimacy of US-led sanctions. This particular influence campaign doesn't seem to be marked, at least not yet, by the characteristic troll farming inauthenticities that became the distinctive stigmata of earlier Russian influence campaigns. 

Dave Bittner: One aspect of influence operations has been the interplay between state-run news outlets, troll farms and useful marks who more or less uncritically accept and amplify the lines the state's operators are pushing. Facebook has, for some time, enjoyed success in identifying and blocking what Menlo Park calls coordinated inauthenticity. The social network is now beginning to address authentic media whose viewpoint might be determined by their government controllers. 

Dave Bittner: Facebook announced some months ago that it would begin labeling accounts run by state-controlled media. This long-anticipated labeling began yesterday. The labels appear in the ad library page view on pages and in the page transparency section. Facebook is looking specifically for outlets that are wholly or partially under the editorial control of their government, so Sputnik and RT would get the Russia state-controlled media label, and China Daily gets the controlled by you-know-who label. The Verge explains Facebook's new policy as one of "including information about their ownership and funding, the level of transparency around their sources and the existence of accountability systems like a corrections policy," end quote. So simply being government-funded doesn't make you state-controlled. Therefore, the BBC presumably would get a pass for editorial independence, as would Radio Free Europe Radio Liberty. 

Dave Bittner: AFP outlines the ongoing disinformation campaign against Qatar. It's the latest round in a regional dispute that goes back to 2017, when Saudi Arabia, the United Arab Emirates, Bahrain and Egypt cut ties with Qatar over that country's alleged closeness to Iran and thus to Tehran-backed Islamist groups. The recent disinformation includes social media posts that claim a violent coup d'etat was in progress in Doha, complete with grainy video of machine gun fire and so on. Some of this stuff came from social media accounts that just popped up - no followers, no nothing. None of the corroborative detail one expects would lend verisimilitude to an otherwise bald and unconvincing narrative. It's interesting that AFP calls their story a fact check. It seems to be just straight-up good reporting, but fact-checking now seems to have a cachet among those who struggle with disinformation and fake news. Perhaps that's fair enough since it's meta-reporting - that is, reporting about reporting. 

Dave Bittner: My guest today is Bill Harmer, chief evangelist and CISO at SecureAuth, where, as the name implies, they specialize in identity security. He joins us with insights on credential carelessness. 

Bill Harmer: One of the things that was really interesting that stood out was the convenience factor, where - we look at things like biometrics. If you talk to people about biometrics and ask them, are you comfortable with sharing your biometrics with a company so that you can have access? They say no. A lot of them say no, I'm not comfortable with that. I don't trust them - because they keep hearing about the hacks. But then you ask how many of them use it. And it is - you know, well, if you look at an iPhone, you have to use it. Well, you don't have to. You can go to a PIN number. But everybody does it because they want the convenience. 

Bill Harmer: And I've been saying this for years. Security with - is a balance of convenience and risk. That's really all it is. If it's too inconvenient to use the security tools, users find a way around it. That's what drove shadow IT. That's what drove, you know, entire industries. It was interesting to see that. And when you start to see that things like the director versus the nonmanagement level - we were seeing that directors were reusing passwords more than regular employees. And, you know, I'd love to try and dig into that deeper to find out... 

Dave Bittner: (Laughter). 

Bill Harmer: ...Is that - again, is that convenience? Gosh, I'm a director. I'm so busy. Or is it just, it doesn't apply to me, right? Is there a... 

Dave Bittner: Right. 

Bill Harmer: ...Level above sort of the applicability? 

Dave Bittner: So based on the data that you collected here, what are the take-homes for you? What are some of the things we can learn from this? 

Bill Harmer: We need to get rid of passwords. We really, really have to start to drive towards a password-less environment because probably for, I guess, five years now, we've heard about digital transformation. Five years ago, it was kind of a buzz word. Last year, it's sort of the norm. Everybody's talking about digital transformation. COVID - it effectively based jumped everybody into digital - you had no choice, right? Friday, everybody's working in the office. Monday, everybody's working from home. 

Bill Harmer: So digital transformation is part of what we are now. And it will be the new norm, right? We're seeing this already with Shopify, Twitter. They're all saying, work from home. Work remote. We're going to shut down offices. We don't need to have our offices. You don't have to come back in. So it is the new norm. But in doing that, in setting up your Zscalers, your Palo Altos, your Cisco Umbrellas and stuff like that and creating good, secure communication channels for security everywhere, every one of them looks at it and says, get us a authentication. Authenticate the user and send us a SAML token. And then, you know, this zero-trust world kicks in. 

Bill Harmer: And to me, I mean, the key to this - you can build all the great infrastructure you want, but the key right there is the identity, right? And in that identity, it's all hinged on these poorly crafted, reused, garbage passwords. And they are dispersed across the world. And that's something nobody's really had to deal with before. 

Dave Bittner: What do you suppose it's going to take for these sorts of changes to make, for people to finally jettison passwords for us to move on to, you know, whatever that next thing may be? Do you - is it possible to imagine an event where we turn that page? Or is it going to be more of a slow evolutionary kind of thing? 

Bill Harmer: Honestly, I think we might be in that event right now, I think, because companies - people aren't going to do anything just for the sake of doing it, right? There's got to be some sort of impending or critical event that happens. And right now, as companies are sending people home to work and realizing, OK, they can do it - and they know there's ones that have said, no, you can't do your job from home. And they're going, nope, I can. See? it's being done. There's others that are going, hey, I don't have to pay for expensive downtown property in San Francisco and New York. 

Dave Bittner: (Laughter) Right. 

Bill Harmer: Real estate - commercial real estate's going to take a beating after this. But all of these things are happening. And what they're realizing is, OK, yeah, I'm going to have to have VPNs. And some - you know, people are out buying extra licenses for their VPNs. But it's around that identity. How can I be sure that it is them? So I think we're going to see a push in identity. I think it was on Cramer's "Mad Money" or something like that - they said that this is now a $16 billion industry and climbing. I think so that is part of it. But the other part of it is, as you start to see things like digital voting, taxes, all these other things - our Social Security number is an utter joke as a method of identifying ourselves, right? This is 100% compromised for everybody in this - in the country. It's out there. So what do you do? How do you fix that? 

Bill Harmer: And I think this is where we're going to see a drive or a request from the citizens for a sovereign identity, something that is theirs that is digitally managed, that is compartmentalized so that way, when I have to maybe go buy a car and I need to have a credit check done, I share part of it. I don't share the whole thing 'cause right now, you just - you write down your social security number, your name, your home address, stuff like that. And if they lose that bit of paper, you're done, all right? So it's going to be something... 

Dave Bittner: Well, and they photocopy your driver's license, right (laughter)? 

Bill Harmer: Oh, yeah. They photocopy your driver's license, photocopy your passport when you check into the hotel. 

Dave Bittner: Yeah, yeah. 

Bill Harmer: So how is it that we can find a digital way, like an Apple Pay or a - you know, Samsung Pair - one of those things where I can send a token. I can send an authentication token. It's vetted by third party. And we're seeing that. We're starting to see that in the identity space where we're seeing this convergence of things like identity proofing, along with identity and access management and authentication starting to become more of a ubiquitous tool. 

Dave Bittner: That's Bill Harmer from SecureAuth. Subscribers to CyberWire Pro can find an extended version of my interview with Bill in the Interview Selects. 

Dave Bittner: And joining me once again is Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You've got some interesting information to share about some stuff that's going on within PowerPoint. What's going on here? 

Johannes Ullrich: Yeah. PowerPoint is sort of an interesting format as far as Microsoft Office formats go. You're all aware that there are tons of malicious Word and Excel documents because they contain macros, and then the macros are being used to install malicious software. Now PowerPoint was, sort of, a little bit the oddball here in that PowerPoint doesn't really support macros. But what you have seen now is that PowerPoint templates are actually being used. And with PowerPoint templates, you have a feature called add-ins. Well, I guess it's a macro by another name, but it has a similar functionality where as you open, as you close a PowerPoint document, you can run code. You can download malware. You can start it and do pretty much everything that sort of matters from a malware point of view that macros in Excel and Word allow you to do. 

Dave Bittner: Wow. So what specifically are you tracking here? What have you seen? 

Johannes Ullrich: Well, we have seen some documents that are being used to install malicious software. What was sort of interesting here is also there are two hooks that are available. One that's triggered whenever you open the document. And that's by far sort of more common thing that's being used in Word and Excel macros. The other hook that you have available is when you close the document. And interestingly in the PowerPoint documents, or I should say PowerPoint templates, we have seen that hook is being used, the close hook. And the PowerPoint, of course, is empty. So the user opens it, closes it immediately because nothing to see, and that's sort of - and it triggers. The assumption here is that maybe that more (unintelligible) are looking for the open call, not so much for the close call. Or maybe some sandboxes will not detect the close but only the open. Not really sure why they do it, but I assume it's a little bit of additional obfuscation here. 

Dave Bittner: Now, what sort of options are available to protect against this? Because with, you know, Excel, you can disable macros. Do you have that sort of capability within PowerPoint? 

Johannes Ullrich: In PowerPoint, not so much. But in general, if you lock down your Windows system, prevent unwanted software from running, so essentially any kind of whitelisting will help. That's what you should anyway do that - protects against so many other attacks. And I think this is just another example that the attackers are getting and have always been really creative in how to trick users into installing software. And I think the thing to remember here is that most software, I would say, you know, 90% - I don't have any hard numbers of software that infects workstations - is willingly launched by the user - under a wrong pretext, of course. You know, where I tell them it's something useful - you know, way back to the fake antivirus and such. So it's not so much about preventing the particular method that's being used to launch a software, but really more about preventing the user from launching software they're not supposed to launch. 

Dave Bittner: So there's a user education component here as well. 

Johannes Ullrich: User education is a good part of this. But from a technical point of view, just, you know, prevent the user from launching random software. 

Dave Bittner: Yeah. All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.