The CyberWire Daily Podcast 7.23.20
Ep 1136 | 7.23.20

Twitter: hackers got a few accounts’ DMs. French policy toward Huawei hardens. Crooks against British sport. You and your boss should talk more.

Transcript

Dave Bittner: Hey, everybody. It's Dave, and I've got another exciting announcement for you. We've asked a select group of experienced cybersecurity experts to join us and share their unique experiences and perspectives on various topics and concepts in the industry. We're calling this group the CyberWire Hash Table. And you'll hear from these amazing minds on shows like CSO Perspectives and the CyberWire Daily Podcast, along with our own CSO, chief analyst and senior fellow Rick Howard. Learn more about the Hash Table members at thecyberwire.com/hashtable. That's thecyberwire.com/hashtable. Thanks.

Dave Bittner: Twitter updates the news of last week's incident. Pyongyang's cybertoolkit keeps pace with changing circumstances. Beijing is said to be behind recent cyber campaigns against India and Hong Kong. France's partial permission for Huawei to operate in that country now looks like a ban with a 2028 deadline. A quiet cryptominer. The cyberthreat to British sport. Awais Rashid from the University of Bristol on cybersecurity and remote working. John Ford from IronNet Cybersecurity with updated 2020 predictions and cyber priorities. And when it comes to cyber, bosses and employees see things differently. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Thursday, July 23, 2020. 

Dave Bittner: Twitter has updated its account of last week's account hijacking incident. Quote, "We believe that for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox, including one elected official in the Netherlands. To date, we have no indication that any other former or current elected official had their DMs accessed," end quote. Tripwire thinks the Dutch elected official was Geert Wilders, who confirmed to Yahoo that he was indeed the one affected. He's now regained control of his account. 

Dave Bittner: Reading between the lines, as Graham Cluley puts it in his piece for Tripwire's State of Security, Twitter's mention of the elected official in the Netherlands is seen as a slantindicular reassurance from the House of Dorsey that the direct messages of former U.S. President Obama and presumptive U.S. Democratic presidential candidate Biden are safe and secure - whatever nonsense might have been tweeted out during the period of high-profile account hijacking. KrebsOnSecurity believes at least two of The New York Times' sources in last week's story on those responsible for the Twitter hack weren't hemi-semi-demi innocent collectors of original gangster usernames but were themselves active resellers in the underground OG black market. 

Dave Bittner: France had earlier this year announced that it intended to permit Huawei equipment into noncritical portions of its telecommunications infrastructure. And that policy was widely seen as a win for Huawei, which appeared to have successfully got the French government over a barrel. But not so fast. Reuters reports that this apparently permissive decision, in fact, amounted to a policy of eliminating Huawei from French infrastructure by 2028, which, while giving Shenzhen a somewhat longer runway than it was allowed by a recent U.K. decision, amounts to the closing of another major market. 

Dave Bittner: Security researchers at Cisco Talos describe the low-key, unobtrusive workings of the Prometei botnet, quietly mining Monero since this March. Prometei is unlikely to escape the notice of defenders who are on the watch for the kind of activity it exhibits, but the researchers think that most end users probably wouldn't be aware of an attack. Prometei exhibits several features of the MITRE ATT&CK framework, most notably T1089, Disabling Security Tools; T1105, Remote File Copy; T1027, Obfuscation Files or Information; T1086, PowerShell; T1035, Service Execution; T1036, Masquerading and T1090, Connection Proxy. 

Dave Bittner: So here's a question - why should you care if some hood installs a cryptominer on your devices? It's no skin off your nose - right? Actually, no, and here's the skin. There's a drain on computing power and its attendant degradation of system performance. More seriously in this case is the botnet's harvesting and validation of credentials, which it uses primarily to move laterally across networks. That's bad enough, but consider the aftermarket value of the stolen credentials themselves in the criminal-to-criminal market, and that alone should be enough to make anyone want to up their game against Prometei. 

Dave Bittner: The U.K.'s National Cyber Security Centre has published an assessment of the cyberthreat to sports - important because, quote, "Sport is central to British life. It provides massive health, social and economic benefits to the nation, contributing to over 37 billion pounds to the U.K. economy each year," end quote. This makes the sector attractive to attackers. Crooks like it on the Willie-Sutton-esque grounds that that's where the money is. And nation-states might be drawn to it because, well, if they wished Britain ill, they might sap its morale by attacking football, cricket, dog racing, so on. As it is, however, the report concentrates on the former - it's crime that the world of sport should be concerned with. The three trends NCSC discerns are, first, business email compromise, next, cyber-enabled fraud - that is, things like mandate fraud, CEO fraud, conveyancing fraud and invoice fraud - and finally, of course, ransomware, which is to say that sport in the U.K. is susceptible to much the same sorts of cybercrime that afflict other businesses, from the physician's practice to the local realtor, from the bank to the oil company. 

Dave Bittner: Among the capers reported are an attack that interfered with a Premier League football - that is soccer, as we translate for our North American listeners - transfer - that is a trade, as it's generally called on this side of the Atlantic - various ransomware incidents and an attack that disabled turnstiles to keep supporters - that is what we Americans call fans - out of a stadium. The last-named turnstile hack is particularly interesting as an example of a disabling Internet-of-Things attack. The NCSC's report is worth a look in any case for its accessible explanations of the threats and its common-sense recommendations for improving security. Small businesses in particular might profit from a reading. 

Dave Bittner: No nation-state hacks reported? Well, sure. In general, sport probably isn't going to be of much interest to espionage services, and the NCSC report doesn't mention any. But there's a track record, even here, of some nation-state activity. Remember Russian acts against anti-doping authorities and laboratories against targets associated with the last round of Olympic Games, when Russian athletes were widely disqualified when they were found taking performance-enhancing drugs? 

Dave Bittner: With 2020 more than halfway over - and some would say, thank goodness - it's worth remembering that back in January, we spoke with many cybersecurity professionals who looked in their crystal balls and shared their predictions for what 2020 might bring. Looking back, knowing what we know now, those predictions were just plain adorable. John Ford is senior security strategist at IronNet Cybersecurity, and he joins us with updated 2020 predictions, as well as why it's important to adjust our focus and be flexible when talking about our cyber priorities. 

John Ford: 2020 was already going to be an interesting year given the fact that it's an election year. So, you know, we fully anticipated, you know, cyber events as we got closer to the election related to the campaigns, you know, voting systems, if you will, right? You know, but COVID put that into a very different, you know, gear in the car, (laughter) if you will. And it's changed the landscape significantly. 

Dave Bittner: And how so? 

John Ford: So for one, we still have those same campaigns going on, you know, that you would have in the election year. But now we've added to it in a couple of different arenas. Like, one, you know, now we have, you know, people both private sector and public sector scrambling to - how do I secure this remote workforce? And I don't - how long I'm going to need it for. So we have that scenario. And then we have a couple of other scenarios. You know, our adversaries obviously want to take advantage of this - right? 

John Ford: And it's something I call - you know, I was having a conversation the other day with somebody who said it's space race 2.0. You know, United States and China - collectively, I think there's about nine companies between the two countries that are really actively pursuing a vaccine. And this is very, very similar to, you know, what we saw in the space race - right? - where it's not just a matter of national pride. It's a - you know, it could become an economic boon for - you know, for whichever country is first to market. 

John Ford: And there's a diplomatic component that goes along with it, as well, because, you know, who's first to the market kind of gets to dictate who gets the vaccine, right? And you can do a lot with diplomatic relations that, you know, are masked by the humanitarian component that you want to share. But so those - you know, what the result is - those companies are developing those vaccines. You know, we already know that they're way under - you know, they're very much under attack right now. It's going to be a very interesting year from that perspective. And I wouldn't be surprised - and this is, you know, just my own thinking. But I really wouldn't be surprised if we saw something closer to the election where one nation or another announces, you know, hey, we're very close to coming out with a vaccine. It just wouldn't shock me. 

Dave Bittner: If I'm an organization out there looking to protect myself, how do I calibrate my efforts against the folks that are coming at me from nation-states, from online organized crime? I mean, how do I set the standard or my own understanding of what they're capable of? 

John Ford: Well, in isolation, you can't because, you know, it's been proven time and time again most private sector companies, even the best of the best, don't have, you know, the tools, talent and resources, really, to defend against a nation-state like China. We need some sort of a force multiplier to join forces within our sector and not compete but to say, hey, you know, within this sector, we have 10 companies, and we're leveraging the resources of all 10 to defend against that nation-state adversary. And in that model, if we're participating with government entities, as well, then we have a chance - right? But today's model - it's just a matter of time. 

Dave Bittner: That's John Ford from IronNet Cybersecurity. 

Dave Bittner: PWC has published the results of a survey it took a week and a half ago to assess the state of cybersecurity awareness in businesses. As one might expect, the results showed that the leaders' perceptions differed significantly from those of the led. The PWC survey concludes, quote, "The communication and training they offer on cybersecurity and cyber acumen aren't resonating with employees. Most workers have little awareness of how their employers are protecting them or their company from hackers, ransomware, phishing or other attacks. In some cases, employees are even flouting security rules by downloading unsecure apps or sharing their work device with family members," end quote. 

Dave Bittner: Among other recommendations, the report suggests that companies stress the personal implications of security to their employees. That is, don't tell them about how a data breach could hurt the business. Instead, tell them how it could hurt them through identity theft. We might put it this way. If you're in the habit of saying things like, now that we've provided training, I don't want to hear that anyone has clicked a phishing link in an email, well, it will work in this sense. You won't hear it. Remember, friends, bad news isn't like good wine. It doesn't improve with age. 

Dave Bittner: And joining me once again is professor Awais Rashid. He's a professor of cybersecurity at Bristol University. Awais, it's great to have you back. Why don't you touch today on cybersecurity and remote working, which, of course, is top of mind for lots of folks these days as we make our way through the global pandemic. What can you offer on that topic for us today? 

Awais Rashid: We've all worked from home at different points in time. You know, in many jobs people can sometimes, you know, stay and work remotely. And some people work sort of more often remotely than others. But the present pandemic - what it has done is it has led to many, many people and whole organizations working remotely. And that brings to the fore the importance of cybersecurity and also consideration of the security and privacy properties of the platforms that we are using to conduct our work from home. 

Awais Rashid: And it's not just the platforms. There is all sorts of other complicated issues that, for example, organizations need to consider because in some cases, employees will have devices that are given to them from their workplace. But in other cases, because of the way the lockdown and pandemic unfolded, that wasn't always possible for organizations to do and especially in smaller organizations that may not have been the case in any way possible. And the net result of that is that people may be actually using shared devices that they shared with other family members. They may also be working in settings where they are actually in shared houses or in shared spaces and so on. 

Awais Rashid: So there is a lot of these considerations that previously, where we could consider that employees will be in a workplace - there will be particular security policies in place with regards to that workplace - that doesn't necessarily apply. We are effectively in this kind of virtual workplace setting. And the security teams and organizations, as well as the more strategy-level organizations, need to consider, what does that mean for the cybersecurity of the organization as a whole? The employees also need to consider as to what that means in terms of their responsibility but critically very important to consider, you know, what is feasible and feasible in terms of secure ways of working in this kind of setting. 

Dave Bittner: You know, as we settle in with this, you know, being a couple months in now, I suppose there's an issue, too, that people make adjustments to their home set-up. They could get a new computer or get a new router or add new devices. Or their kids could get new devices. I suppose it's harder for the folks who are in charge of security for an organization to keep track just from an inventory point of view of what's accessing what. 

Awais Rashid: Yes, absolutely. And normally when you are in a workplace, you have a set of devices that you have procured, you have deployed, you have given to your employees. And I go back to my very early example that in this case, people may actually be working from shared devices that are personal devices that they shared with other family members, that may be sitting in kind of shared settings. But also, what about the security hygiene of those devices? Because on a corporate network, for example, you may be running various types of security tools that may be monitoring, for example, for malware, for viruses and/or other types of issues. That is not necessarily happening in a remote work setting. 

Awais Rashid: Of course, you know, we can require that people sort of log into organizational systems using VPNs, but that only guarantees the security of that link. That does not necessarily guarantee the security of the kind of wider network in which that device is actually in place in the first instance. And then, of course, you know, VPNs interfere with some of the services. For example, we are recording this session today without a VPN because it interferes with the recording and so on. 

Dave Bittner: (Laughter). 

Awais Rashid: So it's not - but that's a very practical example, right? 

Dave Bittner: Yeah. 

Awais Rashid: So, you know, when you are - and, for example, in our own work, you know, they've been trying to run labs with students remotely. And, actually, the routers in some cases interfered with the kind of devices that we had given them to use for their lab work. So there - it's not a simple scenario anymore where your IT systems are completely or largely within your control, and you can make sure that particular security policies are enforced, particular security properties are in place, particular countermeasures are in place. And this leads to a really, really interesting question as to, how do we actually ensure cybersecurity for organizations which effectively are now operating in a virtual organization setting of their employees distributed all over the place? 

Dave Bittner: Yeah. All right. Well, it's an ongoing, interesting issue to get your arms around. Awais Rashid, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. See you back here tomorrow.