The CyberWire Daily Podcast 6.25.20
Ep 1117 | 6.25.20
Big big DDoS. Evolving malware families. (More) privacy by default. A superseding indictment in the US case against Julian Assange. The EU reviews two years of GDPR.
Transcript

Dave Bittner: Akamai's report on the record-setting DDoS attack it stopped this week. Glupteba and Lucifer malware strains are described. Apple and Google move their defaults in the direction of greater privacy. The U.S. designates Huawei and Hikvision as controlled by China's military. A superseding indictment in Julian Assange's case. The EU looks at GDPR and likes what it sees. REvil gets ready to sell stolen data. David Dufour from Webroot with tips on navigating new workplace realities. Our guest is David Sanger, author of "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age" - a lot of Daves on today's show. And the Navy recruiting campaign that wasn't.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 25, 2020. Akamai has published an account of the very large distributed denial-of-service attack against an unnamed European bank it stopped earlier this week. The attack generated 809 million packets per second. In terms of packets per second, Akamai believes this is a record. The attackers' motivation is unclear, but whoever was behind it had a large botnet. Most of its bots - over 96% - were observed for the first time in this incident. 

Dave Bittner: Assessing the size of a distributed denial-of-service attack is not necessarily a straightforward matter. Akamai expressed its estimate of this most recent attack size in terms of packets per second. You'll also see the size of DDoS attacks expressed in bits per second. What's the difference? Well, Akamai explains it this way. "Imagine a grocery store checkout. A high-bandwidth attack, measured in BPS, is like a thousand people showing up in line, each one with a full cart ready to check out. However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."

Dave Bittner: Sophos has observed a new member of the Glupteba malware family. It's stealthy and evasive. And it not only collects a great deal of information from victim machines, but it's also being used to drop cryptocurrency miners and browser stealers. Its name can be rendered into English roughly as You Dummy. 

Dave Bittner: Palo Alto Networks describes Lucifer, hybrid malware with both cryptojacking and DDoS functionality. Lucifer begins by scanning for open TCP ports, then either credential-stuffs or brute-forces its way in. Once there, it drops the Monero miner XMRig and establishes a connection with a command-and-control server. Patches are available for all the exploits Lucifer uses - at least ten of them - and users should apply them. 

Dave Bittner: Both Apple and Google are moving their defaults toward greater privacy. Google yesterday announced changes to its default data handling practices. The Verge describes the new defaults as representing a compromise between privacy and the data it collects for ad targeting, Google's bread and butter. The changes affect search history both on web and in-app, location history and voice commands given to Google Assistant or Google Home. This data, available for user inspection in the My Activity page, had been retained indefinitely, although last year Google gave users the option of setting their systems to delete the information after either three or 18 months, depending on their preference. 

Dave Bittner: The change announced yesterday makes an 18-month autodelete the default. Location history is now off by default, although users will have the option of turning it on should they wish to do so. YouTube, owned by the Mountain View tech giant, will default to a three-year autodelete, the better to serve YouTube's recommendation algorithms. These changes affect new users only. Existing users will still have the option of opting for autodeletion, and Google intends to promote that option heavily. 

Dave Bittner: The keynote at Apple's Worldwide Developers Conference, for which MacRumors published a transcript, said that iOS 14 would feature significantly enhanced privacy protections. Henceforth, according to Naked Security, users will be given the app-by-app option of choosing "Allow Tracking" or "Ask App Not to Track." As a condition of using Apple's IDFA mobile advertising tool, app developers will have to seek consent from iOS device users in order for third parties, aka app monetization partners, to access their data, Adweek explains, adding, this in effect makes IDFA an opt-in feature for users, and advertisers will no longer be able to target them by default. 

Dave Bittner: The US Department of Defense has designated Huawei and Hikvision, among other firms, as companies owned or controlled by China's military, Reuters reports. The designation in itself triggers no sanctions, but it can lay the groundwork for more restrictions on the companies named. 

Dave Bittner: The US Justice Department has issued a superseding indictment of WikiLeaks impresario Julian Assange. It doesn't add charges to the 18 counts Mr. Assange already faces, but it does broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged. He's alleged in the new indictment to have conspired with LulzSec and Anonymous. 

Dave Bittner: The European Commission yesterday released its assessment of the first two years of GDPR. It's positive, but the commission would like to see more vigorous enforcement. 

Dave Bittner: According to the Register, the REvil ransomware gang is preparing to put online at least some of the celebrity information it says it took from lawyers-to-the-stars Grubman Shire Meiselas & Sacks back in May. The data, which Variety said at the time the gang had offered to sell back to Grubman for $42 million, is said by REvil in their Shadow Brokers-esque dialect to contain big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery and bribery by Democratical party. No one's really sure what they've got, but the consensus is that the gang's got some of what it claims to have. The first tranche of mud lurking behind the scenes is supposed to involve just three of the celebrities - singers Mariah Carey and Nicki Minaj and LeBron James. REvil says the bidding will open on July 1. 

Dave Bittner: And, finally, maybe you heard from a friend that the United States Navy was posting recruiting messages to a well-known adult site. And maybe you thought to yourself, hey, good idea - what better place to find potential sailors? Bravo Zulu, USN. We hasten to add that the well-known adult site is well-known to other people, not to you or to us. 

Dave Bittner: Well, Task & Purpose has dashed cold water on the story. There were some messages that looked like recruiting messages, but they were just spoofs. Navy spokeswoman Lieutenant Commander Megan Isaac said, "The social media account discussed on the podcast is a fraudulent account with no official connection to the Navy; as a matter of policy, Navy recruiters are not authorized to recruit on pornographic websites." It's difficult not to notice that Lieutenant Commander Isaac's statement technically doesn't rule out an unofficial connection, but we doubt there's one of those, either. And the Naval Criminal Investigative Service - the actual NCIS, not the television franchise - has asked the adult site in question to take down the content. Suggestion to NCIS, if they're looking for the spoofer's hidden hand - tell it to the Marines. 

Dave Bittner: Our celebration of cybersecurity canon week continues, and today, CyberWire's Chief Analyst Rick Howard speaks with David Sanger, author of "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age." 

Rick Howard: David Sanger, welcome to the show. 

David Sanger: Great to be with you, Rick. 

Rick Howard: Why did you write the book, David? 

David Sanger: Well, Rick, you know, I cover cyber-related issues and particularly state-on-state cyber conflict issues and have for, oh, a decade and a half as part of my national security portfolio with The New York Times. And I felt as if we were heading into a new era of conflict where people saw this blitz of headlines, whether it was, you know, some Chinese group that just got your medical health records or just got into the Office of Personnel Management's records about people who hold security clearances. Well, you read about the Sony hack or about Stuxnet, a story that I broke a lot of the details about. But they hadn't tied it all together. And I kept running into people who understood we were going into a new age and really didn't have any sense of what that would mean to us strategically. 

David Sanger: And so, you know, I went back, and I reread some books that I had read as an undergraduate, including Henry Kissinger's "Nuclear Weapons and Foreign Policy," which was a book written in 1957 about how nuclear weapons were changing the way Americans should think about national security policy. And I even went to talk to Kissinger, and he said to me at one point, you know, David, cyber is so much more complicated than this. 

Rick Howard: (Laughter). 

David Sanger: Because of course, he said, you know, in our day, we only had to deal with one player - you know, the Russians or the Soviets. And then, of course, later on, they had to go, you know, spread that out and deal with China and North Korea, Iran, India, Pakistan. But it was a relatively small group. But in cyber, of course, it's everyone. It's states. It's criminals. It's terrorists. It's teenagers, right? 

Rick Howard: (Laughter). 

David Sanger: And sorting out a different strategy for each of them makes this far more complicated. "The Perfect Weapon" is not a book for people who are interested in how to set up defenses or how to code this; it is a book about how to think about a new era in American national security, one that is forever changed by the introduction of a weapon that enables small states to balance their power with large ones and that enables large ones to go do, via cyber, something that previously they could only do by bombing another country or sending in saboteurs. 

Rick Howard: So the book is "The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age." It is the first book I recommend to anybody who is interested in cybersecurity, and it is now officially inducted into the cybersecurity canon hall of fame. Congratulations, David. And thanks for being on the show. 

David Sanger: Thank you, Rick. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of cybersecurity and engineering at Webroot, an OpenText company. David, always great to have you back. You and I spoke previously about some of the things that you think are coming down the pike when it comes to organizations dealing with work and some of the changes we're going to see in this post-pandemic time. I want to come at it from a slightly different direction this time and talk about the workers themselves, the folks who have adjusted to this from the workforce point of view, those of us who are getting the job done every day. What sort of changes do you think we're going to see for those people? 

David Dufour: Well, you know, David - first of all, always great to be here. I love having these conversations. You know, a lot of - as people are working at home more, from a network computer security perspective, all of a sudden - people are used to coming in the office. Even remote workers typically would come in once, maybe twice a week, plug their computer in. They'd make sure they had antivirus updates, any patches were applied. 

David Dufour: All of a sudden, poof. That's gone. That ability for the folks who control your infrastructure to do that is all but gone 'cause who knows how you're connecting to the network back at the office or even, you know, getting your emails, et cetera. And so what's really happening, from a purely technical perspective, never mind the business process side of it, is not only are we trying to do our regular jobs; we've now become IT support for our internal home network, but we're also that perimeter defense for the corporation and the corporate environment as well. 

Dave Bittner: Yeah. I mean, that's interesting because it seems like, to me, there's also a bit of a privacy issue here as well, where I don't know that I necessarily want, you know, the folks from IT stopping by the house to evaluate and adjust, you know, all of my router settings in my living room. 

David Dufour: That's exactly right. Now, I think if they show up with coffee at your house, you're going to let anybody in to do anything to the network, David. 

Dave Bittner: True, true - or certainly pizza. Yeah. That would do it. 

David Dufour: (Laughter) I forgot that one. 

Dave Bittner: Yeah. Yeah. 

David Dufour: But for sure, it becomes a question of, you know, I'm working on this device, but I bought it. I'm connecting to my job. My job just told me I have to work from home. Who really is managing that infrastructure? And you know, that becomes a discussion that needs to be had and negotiated. 

David Dufour: And I think we're going to see - you know, before, you'd come in. You'd start a job. You'd sign the piece of paper that said you won't browse the bad websites on your work computer. Well, you can't do that. So some policies are going to have to change as well from an internal IT perspective because people are being more productive at home. People are actually happy. Yes, they probably want the opportunity to come to an office once in a while, but the productivity has really surprised folks. So we're going to have to adapt from a corporate perspective on how we support, you know, the mom who's also the great, you know, engineer who's able to write tons of code. How do we get her able to do patch management on the computer and make sure that she's securing our environment? - 'cause she's our perimeter now. 

Dave Bittner: Yeah. Can you envision a situation where companies say, you know what? It is a lot cheaper for us to provide, you know, a really high-speed secure connection to someone's home separate from their personal private one. You know, and that's cheaper than having to maintain office space. Let's do that. 

David Dufour: Well, that's an option. But I think the more direct option would be, hey, maybe let's bump up your bandwidth a little bit. We're going to make a secure tunnel, or I'm going to ship you a little black box that you're going to plug into, and then we will send you your corporate laptop. The problem there becomes - is now you're managing all these disparate things. What happens if that machine breaks? You've got all these things you've got to manage. 

David Dufour: So I think the better answer, just like moving servers from a data center to the cloud, where they're accessible from everywhere, rather than through one pipe into a data center - I think the answer becomes, how do we put tools in place - and I think a lot of people are answering these questions, a lot of small companies - how do we put tools in place to manage and work with those people remotely and just blow up the perimeter? Let's not have physical network. We don't have cloud and data - or we don't have data centers anymore. We've got cloud. Let's blow up the physical network and put that as a cloud network. I think that's where we're going. 

Dave Bittner: How do you suppose people are going to respond to that? Generally think they're going to be positive about it or maybe a mixed bag? 

David Dufour: I think, much like social media, initially, everybody's going to be like, this is great. I can work from my computer at home. And then all of a sudden, you know, companies are going to start locking these computers down and preventing people from doing things they want to do. And you know, I know if I can't play my massive online computer games, I'm going to be frustrated. 

David Dufour: So I think there'll be a little bit of pushback. But it's like that pendulum. We'll find an equilibrium, but I think right now everybody's excited. As soon as companies start trying to lock down stuff, there'll be that blowback, and then we'll find a nice equilibrium. 

Dave Bittner: Yeah. Yeah. All right. Well, David Dufour, thanks for joining us. 

David Dufour: Great being here, David. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.