The CyberWire Daily Podcast 6.23.20
Ep 1115 | 6.23.20
Hacking attends international conflicts and disputes in India, Australia, and Ethiopia. US designates four Chinese media outlets foreign missions. Sodinokibi evolves; Evil Corp rises from its virtual grave.
Transcript

Dave Bittner: International conflicts and disputes are attended by hacking in South Asia, Australia and Africa. The U.S. designates four Chinese media outlets as foreign missions - that is, propaganda outfits. Sodinokibi ransomware sniffs at pay card and point-of-sale systems. Ben Yelin on TSA's facial recognition program. Cybersecurity Canon Week continues with our guest Bill Bonney, co-author of the "CISO Desk Reference Guide." And Evil Corp is back, apparently because you just can't keep a bad man down.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 23, 2020. 

Dave Bittner: International conflict continues to breed attendant cyber offensive operations and apparent hacktivism. India, which has seen minor but lethal skirmishes with China along their disputed border, continues to warn its businesses, organizations and government agencies to be alert for continued Chinese cyberattacks. The Outlook reports that New Delhi's security agencies are distributing an alert from CERT-In that many such attacks can be expected to take the form of COVID-19-themed phishing. Inc42 says that researchers at CYFIRMA have been monitoring dark web chatter that appears to confirm such warnings. 

Dave Bittner: Zscaler has taken a look at last week's warning from the Australian Cyber Security Centre about copy-paste compromises used against Australian networks. None of the reported exploits involve zero-days. All take advantage of known and patchable vulnerabilities. These and several other recent campaigns against Australian targets have been widely attributed to China, as the Sydney Morning Herald summarizes. Prime Minister Scott Morrison didn't name the attacker beyond calling it a state-backed actor with significant capability, but plenty of other sources, publicly outside the government and privately within it, haven't been shy in saying that, straight-up, it's China. The US State Department, in voicing support for Australia, hasn't been coy about naming names either. 

Dave Bittner: As has been the case for the last few years, Huawei and its market penetration have provided the occasion of and flashpoint for such conflict. Former Prime Minister Malcolm Turnbull said the recent increase in cyberattacks Australia has seen fully justifies excluding Huawei from the country's infrastructure. Huawei, the Australian Financial Review reported, has tut-tutted that Mr. Turnbull's remarks were inaccurate and inappropriate. 

Dave Bittner: And one case of possible hacktivism, or possibly state-directed hacktivism, has appeared in Ethiopia. Addis Ababa says, according to Borkena, that unspecified Ethiopian government organizations have been hit by Egyptians working under the hacker names Cyber Horus Group, AnuBis.Haker and Security_By_Passed. Their evident intent is to pressure the Ethiopian government over the Grand Ethiopian Renaissance Dam, known by its acronym GERD, on the Blue Nile, which has prompted an international dispute among Egypt, Ethiopia and Sudan over water rights. 

Dave Bittner: The dam's reservoir is scheduled to begin filling next month, the beginning of a process that could take 10 to 15 years. The dam will, in addition to serving as a water storage source, also protect people downstream from flooding, even as it would interfere with traditional flood recession agriculture. Egypt has voiced concerns that GERD could interfere with its own water supply. Sudan's government has generally been more favorably disposed toward the project, seeing it as a regional water reserve that could redress shortages during times of drought. 

Dave Bittner: The US Treasury Department, with the technical assistance of the World Bank, has sought to broker an agreement on regional control of the dam but with mixed results, in part because GERD has become something of a patriotic issue in Ethiopia. You can see online expressions of such sentiment under #ItsMyDam. 

Dave Bittner: The US State Department has designated China Central Television, China News Service, the People's Daily and the Global Times as foreign missions - that is, Chinese government propaganda outlets. The Wall Street Journal quotes David Stilwell, assistant secretary of state for East Asia and the Pacific, to the effect that, quote, "these aren't journalists. These are members of the propaganda apparatus," end quote. Beijing says it's a lot of arbitrary Yankee hooey, that the news outlets are firmly grounded in objectivity, impartiality, truthfulness and accuracy, which is the PRC's story, and they're sticking to it. The Chinese government went on. This is totally unjustified and unacceptable and once again exposes its double standards and hypocrisy of the so-called freedom of press. So take that, Foggy Bottom, and tell it to Pravda while you're at it. 

Dave Bittner: Anyhoo, the State Department's designation won't shut down the four services' operation in the U.S., but it will prove to be, at the very least, an irritant. Designation under the Foreign Missions Act will require the news operations to report all their personnel to the State Department and to register any property they hold, whether they own it or lease it. 

Dave Bittner: Researchers at Symantec's Critical Attack Discovery and Intelligence team this morning reported a couple of new wrinkles in the Sodinokibi ransomware. First, the gang is using the commodity malware Cobalt Strike to deliver its payload. Second, they're also scanning some of the victims' networks for point-of-sale or pay card management software. This second activity is ambiguous but suggestive of a further direction in the malware's evolution. They could be attempting to encrypt point-of-sale data, or they could be interested in diversifying their revenue stream through some carding on the side. That would be consistent with the recent tendency of ransomware to steal data for either leverage or resale in addition to simply encrypting it. It's worth noting that even confined to traditional extortion by encryption, Sodinokibi is asking a lot from its victims. Symantec says that their current demands are $50,000 - in Monero, of course - if the victim pays up within the first three hours of infection. After that, the ransom goes up to a hundred grand. 

Dave Bittner: And, hey, everybody! Remember the group that calls itself Evil Corp, the gang behind the Dridex Trojan that went into occultation last year after two of their numeros, Maksim Yakubets and Igor Turashev, got clobbered with U.S. federal indictments and some attendant sanctions against their collaborator back in December? Well, Evil Corp is back in business, ZDNet reports.

Dave Bittner: A study released today by Fox-IT describes WastedLocker, a new ransomware strain that's designed to bypass many of the endpoint protections that frustrate other forms of malware. It also demands a very high ransom. Fox-IT says they've seen demands as high as $10 million, which makes the hoods behind Sodinokibi look like cheap grifters. 

Dave Bittner: Misters Yakubets and Turashev, both still at large, are Russian nationals. The U.S. Justice Department says that it asked Moscow for help during the investigation that resulted in the indictments unsealed in December and that Moscow was sort of helpful to a point. But both men remain at large, and Justice suspects that Mr. Yakubets, at least, is cooperating with the Russian organs. So, FBI, Britain's National Crime Agency, Interpol, good hunting, friends. 

Dave Bittner: We continue Cybersecurity Canon Week, celebrating the books and authors the Cybersecurity Canon Committee has determined are well worth your time. Our own Rick Howard heads up the effort here at the CyberWire. And today, he speaks with Bill Bonney, co-author of the "CISO Desk Reference Guide." 

Rick Howard: So, Bill, why'd you write this book? 

Bill Bonney: Well, this actually came from a panel discussion that Matt and Gary and I had, oh, back in 2015. We were talking about the evolving role of the CISO and what new CISOs had to be prepared to do that was different than the expectations of the CISOs of the past. The panel discussion was supposed to run about an hour or so, and about an hour and 45 minutes into the discussion, they started kicking us out of the room. And then people started kind of following us down the hall because the conversation was so kind of resonating with everybody trying to figure out, you know, how do I evolve what I am doing to meet the needs of today? 

Bill Bonney: So we started by writing a few articles for LinkedIn back in 2015, and we would kind of trade off and kind of edit each other's work. And then, you know, after we did about four of those articles, we said, you know, this material and the way that we're going about this, this might be better suited to put down in a book. And the point, really, was to try to set something up that would be consumed by the mid-tier CISO, you know, wannabe CISO or a CISO who's, you know, in a situation where they're trying to learn the business, they haven't done it before, they're working for a mid-tier company. The reason why we had mid-tier in mind is because San Diego is very much a mid-tier town. I think we have the lowest per capita S&P 500 headquarters in the country. For us, the audience was really kind of that built-in set of our peers that needed to have that kind of, you know, the wisdom, so to speak, collected from people who had kind of been there and done that. 

Bill Bonney: What we then realized, as we got the first volume out and started working on the second volume, was that our way of putting this book together was just to have each of us talk about each one of the topics, kind of recreated that panel discussion. And then the book actually became consumed by a much larger audience, which was very gratifying to us and, you know, really kind of nailed home that point for us that, you know, being able to kind of write down what we all kind of collectively knew in a way that people could explore from different angles really kind of, you know, hit a sweet spot for us. That's really what was - the impetus was trying to write something that would capture the wisdom, really, for those mid-tier players that didn't have the ability to learn from S&P 500 peers. 

Dave Bittner: That's the CyberWire's Rick Howard speaking with Bill Bonney, co-author of the "CISO Desk Reference Guide." 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. How are you? 

Dave Bittner: Doing well, thanks. Interesting story came by. The TSA has released a Privacy Impact Assessment report that updates their plans on integrating facial recognition into everyone's experience at the airport. What's going on here? 

Ben Yelin: So prior to these past couple of weeks, the TSA has engaged in a pilot program where attached to the stations where they scan your boarding pass, there's also a camera that takes a picture of each boarding passenger and sort of cross-references that person's face against government databases to ensure that the person is, quote, "safe" to get on an airplane, that they're not a security risk. 

Ben Yelin: This announcement leads us to believe that this practice is going to become more widespread. There has been a notice of proposed rulemaking at the federal level to make this universal as it applies to international travelers, and at least this article seems to think that that's going to be extended to domestic travelers as well. 

Ben Yelin: So the TSA says, you know - and there are ways to sort of limit the invasion of privacy as it relates to these types of mug shots. The first is that, at least as it relates to domestic flights, theoretically, this is all going to be voluntary. So you can opt out, although some customers have reported that TSA agents have not let them opt out of taking these photographs at security checkpoints. And even, you know, thinking practically, sort of all the security we go through at TSA checkpoints, a lot of it is opt-out. But by opting out, you're really making your life more difficult. If you choose not to go through those scanning machines, you know, they're going to pat you down. 

Dave Bittner: Right. 

Ben Yelin: So it's not really the ability to opt out in any meaningful sense of the word. So that's sort of one way that they will try to protect your personal privacy. They also say that these photographs are going to be deleted after 24 hours, after they, you know, have cross-referenced them against federal databases. So this is not a photo that they're going to keep in their system. But they are collecting, at least for a temporary period, your biometric data, and that can always be a little bit dangerous in terms of protecting your privacy. 

Ben Yelin: The other thing that's mentioned in this article which I think is very interesting is the TSA is asking people who are flying to take their masks off in this age of the COVID-19 pandemic. And, you know, that presents a potential danger for a passenger. You're exposing yourself to airborne pathogens, or really, you're exposing other people to your own potential germs or disease related to the coronavirus. So, you know, that adds, certainly, another level of risk that perhaps the TSA did not anticipate when they wanted to put this policy into practice. 

Ben Yelin: So, you know, there are a couple of things privacy advocates can do here. This is in the federal rulemaking process right now. You can find this privacy impact analysis and publicly comment on it. Sometimes they read the comments. Sometimes they don't. But it's always worth, you know, having your voice heard on that, especially as it relates to domestic air travel. And for the time being, you know, you do have the option of opting out. And, you know, that's something that the article really harps on, is that this is voluntary right now. You can still fly even if you choose not to be photographed. So just things to keep in mind for people who are going to be traveling on airplanes in the next couple of months. 

Dave Bittner: A couple of things caught my eye here. One was, evidently, there are requirements that the TSA is supposed to follow when it comes to notification. This article points out - it says required notices are dictated by the Paperwork Reduction Act and the Privacy Act, but the TSA has ignored both of these federal laws in its facial recognition plans. 

Ben Yelin: Yeah, so... 

Dave Bittner: (Laughter) There it is. 

Ben Yelin: Yeah. I'm not sure that they've necessarily ignored it. I mean, without having full details on it, both the Paperwork Production Act and the Privacy Act are complex pieces of legislation with a lot of exceptions. So, you know, I don't know if what the TSA is doing falls under that exception. It's certainly worth doing more research on it. But - you know, so I wouldn't necessarily allege anything nefarious on the part of the TSA. 

Dave Bittner: Right. 

Ben Yelin: But generally, they are required to provide proper notice. For the most part, you know, the TSA has been pretty good about that. They do put signs up, for example, saying that use of enhanced screening technology, going through those little machines, is voluntary. You can opt out. And it seems like, you know, at least going forward, there are going to be those types of warnings as it relates to these supposed mug shots. So, you know, without knowing the details of whether they've complied completely with those statutes in the past, you know, I think they will try to do their best going forward. 

Dave Bittner: Yeah, yeah. It's also interesting to me - and I'm just speculating here. But they say that the images won't be retained for more than 24 hours, but I wonder if the metadata, you know, the fact that you passed through this place gets logged somewhere. In that cross-referencing of information, across those databases that they're checking, does the fact that a ping was made from this data point - does that get logged somewhere? I don't know the answer to that, but it's something - it's a question I would ask if I were interested in digging into some of the details of this. 

Ben Yelin: Absolutely. And the metadata - you know, even if they don't get the photograph itself, the metadata could be useful information. 

Dave Bittner: Right. 

Ben Yelin: It could be private information. You know, if you didn't want people to know that you were photographed at an airport at a certain point, that you weren't taking a particular flight - maybe that was something that you were doing as part of your personal life and, you know, you didn't want it public that you are participating in air travel, then, yeah. I would guess that that metadata is going to be stored somewhere, even if they delete the photograph itself. I mean, that certainly presents privacy concerns. 

Dave Bittner: Yeah, interesting. All right. Well, Ben Yelin, as always, thanks for joining us. 

Ben Yelin: Thank you, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.