The CyberWire Daily Podcast 7.30.20
Ep 1141 | 7.30.20

A quick look at Big Tech’s antitrust testimony. BootHole may be tough to patch. Fake COVID contact tracers. Netwalker warning. And Chinese espionage against the Vatican and the United Kingdom.


Dave Bittner: Yesterday's antitrust hearings in the U.S. House of Representatives focus on Big Tech's big data as something open to use in restraint of trade. And there are questions about community standards as well. The BootHole vulnerability may not represent an emergency, but it will be tough to fix. Android malware masquerades as COVID-19 contact tracers. The FBI warns against Netwalker ransomware. China says it didn't hack the Vatican. Justin Harvey from Accenture demystifies red teaming. Our guest is Christopher Ahlberg from Recorded Future on trends in threat intelligence. And somebody is spoofing a British MP. He's looking at you, People's Liberation Army.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 30, 2020. 

Dave Bittner: Amazon, Apple, Google and Facebook completed, by WebEx, yesterday's testimony before the U.S. House Judiciary Committee's antitrust subcommittee. Bezos, Cook, Pichai and Zuckerberg hewed to foreseeable lines during the testimony. The Telegraph thought they emerged unharmed, but observers thought the congressional inquisitors generally well-prepared. 

Dave Bittner: The House subcommittee was interested in both anti-competitive practices and the roles the platforms have assumed in moderating content and influencing elections. The Wall Street Journal sees the central issue raised in the session as the economic and social power big data analytics have enabled Big Tech to concentrate. 

Dave Bittner: The chiefs' answers to both questions about alleged anti-competitive practices were to disclaim any attempt to use data they collect on their customers or partners to favor their own business at the expense of those customers or partners. They also said it wasn't their practice to acquire potential or actual competitors to clear the field for their own products or services. To questions about content moderation - with Democrats seeming mildly in favor of more of it; Republicans decidedly wanting less of it - the executives gave mixed responses that expressed an interest in enabling the free sharing of ideas, feelings and experiences but within the limits of safety and unspecified community standards. 

Dave Bittner: The representatives seemed well-briefed, equipped with news reports, corporate email exchanges and stories from disgruntled competitors and customers. In fairness to Big Tech, the questions they were asked were sometimes complex, presumed that those testifying would have a sufficient amount of detail at their fingertips and were, in most cases, tendentious. They had the character of a cross-examination, whose purpose isn't to elicit new information but rather to get things you already think you know into the record. The answers stayed as close as possible to the statements the companies came in wishing to make. At several points, those testifying promised to return responses once they had the opportunity to check the information on which their answers would depend. Those follow-ups will cover specific cases of alleged anti-competitive practices, details on the composition of their fact-checking and other content-moderation staffs, their use of data analytics and the specifics of content-moderation policies, or community standards, in force at their companies. 

Dave Bittner: Two things seem likely, at least to our editorial staff who listened to the hearing. First, it will be difficult for online services to hang onto Section 230 immunities they currently enjoy while they exercise more gatekeeping with respect to content. The role of publisher and neutral public square are likely to prove, ultimately, incompatible. And second, Big Tech's antitrust problems are unlikely to go away. And as investigators continue to examine tech companies as incipient monopolies, those companies' access to and use of massive quantities of data will be the entering wedge of antitrust action. 

Dave Bittner: Eclypsium has found a vulnerability, BootHole, that affects the GRUB2 bootloader used by most Linux systems. It could be exploited to gain the ability to execute arbitrary code even when secure boot is enabled. An attacker would need either administrative privileges or physical access to a device to infect it, however, and, as Ars Technica points out, if the attacker has those, you've got a lot of other problems to worry about. 

Dave Bittner: So while BootHole is a widespread vulnerability, it's not a terrifying one and has earned a rating of moderate severity. But as Ars Technica adds, not scary isn't synonymous with not serious, and BootHole is something that should be dealt with. Fixing it won't be simple - Eclypsium has an account of the various steps vendors will need to provide for their users before this particular hole can be patched. 

Dave Bittner: EclecticIQ and its partners at ThreatFabric report that malicious Android packages have been found presenting themselves as legitimate, government-backed COVID-19 contact-tracing apps. 

Dave Bittner: According to BleepingComputer, the FBI has issued a warning that Netwalker ransomware is being deployed against government agencies both in the U.S. and internationally. Netwalker has specialized in exploiting vulnerable VPN appliances, web apps' user interfaces and weak Remote Desktop Protocol passwords as its methods of gaining access to victims' networks. The bureau said, quote, "Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN, CVE-2019-11510, and Telerik UI, CVE-2019-18935." The FBI discourages any victims from paying the ransom, and it recommends that organizations adopt familiar measures of sound digital hygiene to protect themselves from infection in the first place. 

Dave Bittner: China says it's always been firmly opposed to cyberespionage and that anyone who thinks Beijing hacked the Vatican, like for instance Recorded Future, whose report on Chinese operations has been widely cited, needs to put up or shut up, Global News reports. Give them specific evidence, says the Foreign Ministry. It seems unlikely that Beijing would find any evidence adequate in either quantity or quality. The Holy See itself has declined to comment on the reports. And speaking of Recorded Future, the CyberWire's chief analyst and chief security officer Rick Howard checked in with Recorded Future's CEO Christopher Ahlberg for his insights on the latest trends in threat intelligence. 

Christopher Ahlberg: It actually, over time, has gone from open source data exclusively to - down to sort of the electrons of the internet and trying to put all of that together. And that's been the sort of - we call that our security intelligence graph that we connect all those dots. And that's been sort of the really exciting journey in all of this. 

Rick Howard: So the point of all that is you're trying to forecast where the next attacks are coming. Is that the main function of the service? 

Christopher Ahlberg: I would say that that's one element, you know. And we have some pretty incredible success stories of that. But you know, it can be sometimes when it's sort of - you know, when you're able to sort of see something ahead the - around the corner. But then it can also just be where you're detecting something totally outside in. We had a really cool success here in the spring where this - we'll just call it European energy organization had been, for a month, leaking email data to a sophisticated actor. And we were able to observe that completely outside in and not just sort of do intelligence around it but find the incident. And it blew people away that we were able to do it. And it was sort of connecting six layers through that security intelligence graph. 

Christopher Ahlberg: So I think sometimes it's about forecasting, but it can just as well by being able to sort of help people understand things that are ongoing or make it easier to do incident response. It sort of can be across that spectrum. 

Rick Howard: So can you talk about at a high level - I don't want to give any secrets away. But how do you take this vast amount of unstructured data and turn it into something useful? Is there techniques that you can describe that people can use in their own organizations or any tips or tricks you can hand over to us? 

Christopher Ahlberg: Yeah, no. I think - you know, look; you take a big step back and think about, like, if you have a lot of data - so we use the Bloomberg analogy. You can use, you know, whether it's sort of a sales dashboard analogy, whatever sort of thing. Understand the problem you're trying to solve, and I think you were getting that before. You know, don't just collect data for the sake of collecting data - even though sometimes it's pretty enticing to do that. We have plenty of that... 

Rick Howard: (Laughter). 

Christopher Ahlberg: ...Divvied for themself (ph). And there's... 

Rick Howard: Yeah, you're right. There's a lot of people just collecting large giant lakes of data, and they don't really know what to do with it. 

Christopher Ahlberg: Yeah, which, you know, to be honest, you have to do some of that. I'm sort of a huge believer that as we collect all this data, you need to apply analytics. I think analytics is the word that I come back to. It's more than just simple data analysis and doing roll-ups and sums and minuses, even though the simple is sometimes underrated. But the key is trying to understand analytically, what are you trying to do? That's the - it really is the secret that most people forget about. And that will inform you - what sort of dashboards you need to build? What sort of analysis do you need to do? What sort of automated correlations do you need to provide for? 

Christopher Ahlberg: Understand the problem, and be disciplined about that so that when you then don't - if you don't succeed, you can tune the analytics, tune what data you need to add, tune whatever you're doing. So you really think about it as an analytical process. And actually, I think a lot of people learned in the intelligence community can be put to work here, but it needs to be more data-driven, and people are not thinking enough about that. 

Dave Bittner: That's the CyberWire's Rick Howard speaking with Recorded Future's CEO Christopher Ahlberg. 

Dave Bittner: And finally, whatever China might have been up to in the Vatican and the Hong Kong dioceses - and, candidly, it looks like it was up to no good - there are other allegations of the Chinese services undertaking some active cybermeasures against an out-of-favor foreigner. Conservative member of the British Parliament Tom Tugendhat, who chairs the foreign affairs select committee and has been critical of China, says he's been the victim of an email spoofing campaign in which Chinese operators send embarrassing emails and other communications from bogus accounts that purport to be his. The Express says that Mr. Tugendhat realized the campaign was in progress when a reporter asked him about a press release he'd issued. Only, in fact, he hadn't issued it and was quite in the dark about it. No doubt, China's Foreign Ministry would like to see the evidence here, too. 

Dave Bittner: And joining me once again is Justin Harvey. He is the global incident response leader at Accenture. Justin, always great to have you back. I wanted to check in with you and get your take on red teaming. And just start with some basics. How do you define it, and how does it work within the organizations that you work with? 

Justin Harvey: Well, red teaming is a concept where you take humans and you make them act like an adversary toward an objective. And that objective or those objectives that you define, there are multiple ways to accomplish them. You can do them through social engineering. You can do them through direct system and network exploits. And of course, there's always a set of rules of engagement around a red team operation that should be discussed ahead of time. Can outside tools be used, like zero-days? 

Justin Harvey: There's also the behavior of the red team. Should you simulate being a nation-state in an enterprise when nation-states typically aren't targeting you? So you want to right-size that red team engagement. There has been a lot of talk these days about automating red teaming. And I think that - you know, I'm a little bit of the opinion here that until we can have a system that really mimics the thought process of humans, then we're likely not to see an effective automation of red teaming because red teaming really requires the team to sit there and think about, OK, how are we going to accomplish the mission just like you were - just like a normal adversary would and then of course simulate it in an environment? There are ways out there to automate a lot of persistence vulnerability checking, persistent network scanning. But I would never consider them part of a red team engagement. 

Dave Bittner: But when you're out there looking for someone to be a red teamer - you know, you're interviewing somebody or something like that - what are the attributes you look for? What makes a good red teamer? 

Justin Harvey: I would say one of those attributes would be cleverness, the ability to think outside the box and be able to look at a problem in a different way. If you need to get access to a system - and let's say it's a pretty tight system - well, then you're going to think, well, how do I get in if I can't do a direct network or system exploit? I don't have access to the system. How do I do it? And you want to watch your candidate's or your red teamer's thought process to say, OK, how do I get in? Well, I can't get on via the network or the system. Well, how about if I get on via an administrator? Or what is the - what sort of communications are going in and out of that box and examining the network activity and maybe compromising a neighbor and then using that neighbor. So I think No. 1, maybe - and these are in no particular order, Dave. I'd say one of them is being clever. 

Justin Harvey: And I think another one is be a geek - being someone... 

Dave Bittner: (Laughter). 

Justin Harvey: ...Who is technically proficient and... 

Dave Bittner: Right. 

Justin Harvey: ...that just loves breaking into systems. You know, and I could say the same is true for incident response and all of the other disciplines that we have in cyberdefense, Dave. And that is, you've got to be passionate about what you do. And that passion also has to be channeled into technical acumen. So red teaming, just like incident response, requires a pretty high degree of technical sophistication - being able to write scripts, being able to look at executables or network traffic and being able to string a few of these together. 

Justin Harvey: And then I would say the third one would be knowledge of the Library of attacks that are available out there. And I use the Library like a capital L. There are so many exploits and procedures and tactics and techniques, and there's probably ten times that many open source areas that you can go to find those tools - so knowing what tools are out there, knowing the systems you're attacking and then being able to find the right tool for the job and then, of course, being up on the leading edge. Some of the most successful red teamers at Accenture are always looking at the news and looking at open source intelligence and saying, oh, wow - there's this new type of exploit that this other red team did over here. I bet you I could grab that code and apply it to this other situation here. So I would say those are the main three things that I look for in red teamers. 

Dave Bittner: All right. Well, Justin Harvey, thanks for joining us. 

Justin Harvey: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.