The CyberWire Daily Podcast 8.31.20
Ep 1163 | 8.31.20
DDoS continues to trouble New Zealand’s stock exchange. A glitch, not an attack. New Chinese export controls. Oversharing agencies? Who’s the bank robber? A botnet serving ad fraud.
Transcript

Dave Bittner: New Zealand's stock exchange continues to fight through offshore DDoS attacks. Sunday's internet outage was a glitch, not an attack. China enacts new technology export controls that may impede the sale of TikTok. Danish authorities investigate allegations of data sharing with NSA. North Korea says it doesn't rob banks, but Americans do. Caleb Barlow looks at security validation and how it can help manage vendors and SOCs. Rick Howard has the CSO Perspective on identity management. And a look at Terracotta, a botnet serving up ad fraud.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 31, 2020. 

Dave Bittner: DDoS attacks against New Zealand's principal stock exchange have continued. Such attacks effectively shut down the NZX exchange for much of last week. Distributed denial-of-service attacks have continued into this week. 

Dave Bittner: Reuters reports, however, that NZX has resumed trading after arriving at an agreement with the Financial Markets Authority to use alternative ways of releasing market announcements. 

Dave Bittner: According to Reseller News, NZX has brought in DDoS-mitigation shop Akamai to help control the effects of further attacks. 

Dave Bittner: MENAFN says that New Zealand's Government Communications Security Bureau, the GCS, has been called in to help investigate. GCS has issued a general warning to New Zealand businesses that they ought to be ready for further cyberattacks. No one has a good read on who's responsible for the attacks. Stuff says the GCS has no significant leads on who may be responsible for it, although press reporting has coincidentally said that the attacks came from somewhere offshore. 

Dave Bittner: A major internet outage yesterday, which was said by ZDNet to have affected some 3% of traffic worldwide, was not the result of a cyberattack. Instead, it seems to have originated with a misconfigured Flowspec rule at a CenturyLink data center in Mississauga, Ontario. 

Dave Bittner: The problem appears to have been contained, and while CenturyLink continues its investigation, DDoS-protection shop Cloudflare has offered a timeline and some well-informed speculation about the origins of the outage. They say it took about four hours to resolve the problem after it was detected. Forbes puts the duration of the outage at half a day. In any case, service was restored Sunday. 

Dave Bittner: China has enacted new export controls on artificial intelligence technology that the Nikkei Asian Review sees as likely to derail any acquisition of TikTok assets by U.S. corporate suitors. The new restrictions, which The Wall Street Journal reports Beijing announced Friday, cover such technologies as text analysis, content recommendation, speech modeling and voice recognition. ByteDance, TikTok's corporate parent, quickly said that it was aware of and fully intended to comply with the new restrictions. 

Dave Bittner: Reuters says that Danish authorities are investigating the country's Defense Intelligence Service following allegations that the service shared Danish citizens' data with the U.S. NSA. The Danish government has said little beyond stating that its investigation represented follow-up to a whistleblower's complaint. 

Dave Bittner: Remember last week's discussion by U.S. agencies in which CISA, NSA and FBI outlined their reasons for pinning a wave of cyber bank robberies on North Korea's Hidden Cobra group, specifically on the group called the BeagleBoyz? It is, of course, a DPRK government threat group that seeks to redress the country's chronic financial shortfalls through direct theft. 

Dave Bittner: Anyway, on Saturday, North Korea's foreign minister denounced the United States as a mastermind of cybercrime and said that Pyongyang wasn't stealing, but that Washington was. In particular, the DPRK Foreign Ministry says that the Americans are the ones who've been guilty of robbing banks and doing other stuff like that to the world financial system. 

Dave Bittner: Korea JoongAng Daily, a legitimate news organization and not a North Korean mouthpiece, quotes with what we imagine must be a straight face Pyongyang's National Coordination Committee for Anti-Money Laundering and Countering the Financing of Terrorism as describing the country's "consistent position" as one of opposing "every form and shape of criminal acts in cyberspace, and the integrated and that consolidated legal and institutional mechanisms are put in place in our country in order to prevent and eradicate cybercrime of all forms and manifestations." So there. 

Dave Bittner: And finally, ZDNet reports that Google has removed an undisclosed number of ad fraud apps being spread by Terracotta, a botnet discovered by bot-hunting security firm White Ops. Terracotta uploaded apps on the Google Play store. The apps promised free stuff to users who install the applications on their devices. 

Dave Bittner: So what kind of free stuff? Shoes, sneakers and boots were the most common phishbait, but Terracotta, which White Ops says they began tracking late last year, sometimes offered tickets, coupons and expensive dental treatments. Dental treatments are surprising, aren't they? If we were going for tooth implants, veneers or tooth whitening, the Play Store wouldn't be our first stop - but then dental plans evidently differ. 

Dave Bittner: Once you were incautious enough to download the proffered app, you would have been asked to wait two weeks to receive your new kicks or your coupon for a free gum-scraping. Of course, these don't materialize. What did materialize was WebView, which ZDNet describes as a stripped-down version of Chrome. WebView would run quietly and continuously in the background, racking up bogus page views to pull in money for worthless ad impressions.

Dave Bittner: At the end of two weeks, it's hasta la vista and seek elsewhither for periodontitis treatments or those Demonia men's ankle boots you were jonesing for. Of course, by then, Terracotta has made its masters their money. 

Dave Bittner: Why should users care? Well, not you, of course. We mean the selfish users without either public spirit or fellow feeling, who don't care who gets stuck as long as it's not them. Those guys. Well, there are several reasons. For one, it drains batteries. For another, it eats up the user's mobile bandwidth. So before you hit the Play Store, you may just want to check your dental plan. 

Dave Bittner: And joining us once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer. Rick, it's great to have you back. On "CSO Perspectives" this week, you are tackling identity management. 

Rick Howard: This is something that I can't say I'm an expert in. This is one of my weak points. And so what I do when I try to learn something new, I try to figure out the history of it, is figure out how we got to where we are today. And turns out that the history of identity management is fascinating and convoluted and full of internet drama - OK? - which I... 

Dave Bittner: OK. 

Rick Howard: ...Which I just love (laughter). 

Dave Bittner: All right, well, take us through some of it. 

Rick Howard: All right, so the first part is, we get passwords in 1960. The guy that invents the use of passwords is a famous founding father for computer science and the internet. His name is Dr. Fernando Corbato, and I always mispronounce it, but he's the guy that decides that we're going to use passwords to log in to systems. He's also famous for inventing timesharing, if you remember that back in the day, before... 

Dave Bittner: Oh, yeah. 

Rick Howard: Yeah. Before timesharing, it was all batch processing. And he was responsible for coming up with the original Multics operating system. This is a failed experiment to build a better operating system, but it turned into Unix. So the things - yeah, the things they learned at Multics made Unix what it is today, OK? So - but Dr. Corbato - all right? - he invents passwords and, thus, gives bad guys a never-ending list of things to go after, too. 

(LAUGHTER) 

Rick Howard: So in fairness to him, though - OK? - the weakness of passwords didn't really show up for, like, 30 years, you know, when the internet started getting humming, all right? So anyway, passwords - 1960s. We get access control lists in the '70s and '80s. We get MIT inventing Kerberos - OK? - which is an authentication system, in the late '80s and LDAP in the early '90s. And then Microsoft decides to combine LDAP and Kerberos into their famous Active Directory, which still exists today. It's just one of the most used kind of systems altogether. 

Rick Howard: And then after that, we get two authentication and identification processes. One is SAML, and the other one is OpenID combined with OAuth, right? And that's where the internet drama is. I'm not going to talk about it today. You should listen to the episode to figure it out, OK?

Rick Howard: But the one I want to talk about is federation. And you and I were talking before the show. We both sort of knew what this was before, but not really, right? That's not - you didn't really know about it. 

Dave Bittner: Yeah, yeah. 

Rick Howard: So federation is this idea that you're going to have a partnership with authentication and identity. So here's Helen Patton. She's the CISO for Ohio State University. She's going to explain it to us. 

Helen Patton: One of the things I really like about being in higher ed, there's always been a need for researchers from different institutions to be able to collaborate. So we've always had federated identity - well, not always. We've worked early on having federated identity management options. 

Helen Patton: So for example, if I'm visiting my friends at the University of Michigan, I can go up there and log in with my OSU credentials and get access to the things that those credentials allow me to have on the U of M campus. Whether or not you're authorized to get into an application still happens at the local level, but the identification of who you are is federated. 

Dave Bittner: That's interesting. But - OK, so you've got federation. What does that do for you in terms of granularity? 

Rick Howard: Yeah, exactly, right? The way I look at it is it's kind of the associative property for zero trust - OK? - or for just trust because, essentially, if Ohio State University trusts the University of Michigan and Ohio State University trusts Helen, that means by default, the University of Michigan trusts Helen. So that's all fine and great, but the granularity there is not that fantastic. She either gets all or nothing. There is not a whole lot of in-between. 

Rick Howard: The good news is - OK? - that the local administrators of the campus or the networks - they do grant control to those individuals. So there is some, but it is not a perfect solution. 

Dave Bittner: All right. Well, looking forward to this one. It's identity management over on "CSO Perspectives." You can check that out on our website, thecyberwire.com. It's part of CyberWire Pro. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, it's always great to have you back. You know, there's that old chestnut of a saying of trust but verify. And I think that comes into play when we talk about security and validation of our security measures. And I know this is something that you talk about a lot, particularly when it comes to some of the higher-ups in an organization. 

Caleb Barlow: So, Dave, that's an interesting question. Let me tell you, I sit on a public board, right? I run a public company. And this is a huge challenge for the C-suite and for the board. You know, are those investments you're making - are they actually showing a return when it comes to security? 

Caleb Barlow: But there's a new class of tools and services that I think really holds a lot of promise. It's something called security validation. And remember, you know, on average, your typical company's got about 47 different security solutions from probably, you know, equal or more vendors. And you always wonder, do they really work when put to the test? 

Caleb Barlow: Well, this whole journey kind of starts off with people testing, you know, kind of environments either in a cyber range, which, you know, a lot of people know I've done a lot of work in, or, let's say even just a tabletop exercise. Let's go through a mock drill. Does it really work? You know, do our plans actually come into place? And then engineers at Netflix actually came up with a fascinating idea about 10 years ago, something called the Chaos Monkey. Have you ever heard of this, Dave? 

Dave Bittner: I have. I have. Go on. 

Caleb Barlow: Well, you know, the cool thing about the Chaos Monkey for Netflix was it was a way of randomly terminating sessions in production to make sure their tool could work and, you know, you could watch the latest episode of your favorite show. But some security professionals started to apply the chaos theory to security. And literally let's throw inoculated malware into our production environment and see if the team detects it. 

Caleb Barlow: And the early tools were - well, frankly, they were a bit clunky, right? You'd throw something in and, you know, you'd wait and see if anybody set off an alert or whatever. But this new class of tools, well, what they did is kind of magical. They linked not only the ability to send inoculated malware between two agents and, you know, effectively walk your way down the MITRE ATT&CK framework, but they connected to the logs of all your security devices.

Caleb Barlow: So they're connected to the IPS and the SIEM and everything in between. And what they're doing is actually going and saying, all right, we're going to launch this inoculated piece of malware between these two agents. We're going to see, you know, did Palo Alto detect it? Did FireEye detect it? Did CrowdStrike detect it? Oh, look, they did pick it up. Did it show up in, you know, QRadar or another SIEM?

Caleb Barlow: And then they're going to say, well, how long did it take for the eyes on glass to open a ticket? How far did they go with the investigation? So the great thing about this new class of tools is you can actually measure not only the performance of your overall, you know, defenses, but you can also measure the performance of your team. 

Dave Bittner: Now, does this also give you the opportunity to have insights on perhaps what tools you've got up and running that never really kick in, that never do anything, the stuff that you're throwing money at but maybe you don't even need? 

Caleb Barlow: Or worse yet a tool that you think is working right but maybe isn't configured properly for one form of an attack. And, you know, I was talking about this with my team, and one of my guys gave me a really good analog. And he said, you know, this security validation thing he said is a lot like a medical or a surgical timeout, you know. So when a surgical team is getting ready to operate on a patient, you know, they have literally a timeout, right? They've got a lot going on, and they say, all right, let's just pause everything. Is this, you know, Mr. Finn (ph)? Yes. What are we operating on? We're taking out his appendix, not his gallbladder, right? And they go through a series of checks to verify that everything is in the right place. 

Caleb Barlow: Security validation kind of does the same thing. You're forcing a scenario in and you've got the ability to pause and go, OK, did the IPS detect it? Did it route it to the SIEM? Did the SIEM properly correlate all of the rules? Did it elevate to the SOC? How long did it take the SOC operator to, you know, get eyes on glass on this and start investigating it? Did they escalate it properly? And now you've got the ability to go back to your C-suite and say, hey, we tried these 10 fundamental tasks, including that, you know, that new attack that came out last week. We tried that, too. And, you know, we did really good in these areas. We didn't do so hot in this one area. And that's where we need to invest and have some proactive action.

Dave Bittner: I suppose it also provides a little bit of a translation layer for them, that you're able to put things in the terms - those risk terms that they enjoy so much. 

Caleb Barlow: Well, think of it this way, right? So if I go in and do a security assessment on a company, I'm giving you a score that's usually going to the board of how well your architecture, your decisions, your procedures lay out. But what I don't know is, do they actually work when put to the test? This gives me the next layer to say, OK, your assessment said A and B and C, and then I was able to validate, and yes, A and B and C are actually working. Those controls are operational, and they're performing exactly as they're designed. And that is a big vote of confidence.

Dave Bittner: Anything to look out for here or is it possible to go into this with best intentions but come up short? People, you know, go down this path, but for one reason or another, end up not getting the information that they were hoping to get. 

Caleb Barlow: Well, look, I mean, you always run the risk of actually finding out that the emperor has no clothes and your security systems don't work as you had them designed. But I would argue that's probably something you really want to know. And at the end of the day, yes, these tools are very new. This is a whole new area, but I really think this has the opportunity to take things like security assessments, as well as even training, you know, cyber range tabletops, all those types of things, to a new level because we can actually try some of these cases in production. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Caleb Barlow: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it won't leave you stranded by the side of the road. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.