Pyongyang’s social engineering campaign to compromise vulnerability researchers. Anonymous is back? Workforce development. Cyber Force? Why not?
Dave Bittner: Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia's government it's not happy with them. Notes on false credentialism and workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecure Catalyst at Ryerson University to support Canadian cybersecurity startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 26, 2021.
Dave Bittner: Yesterday evening, Google's Threat Analysis Group reported that a North Korean threat actor had been quietly and plausibly engaged in social engineering of vulnerability researchers working for security companies. The campaign seems to represent a significant advance in subtlety and craft on Pyongyang's part. The threat actors created research blogs and multiple Twitter personae, which they used to discuss various publicly known vulnerabilities, often claiming successful development of proof-of-concept exploits. The blogs even attracted and published guest posts from legitimate researchers. It was, as The Register writes, a long con. The evident goal was espionage.
Dave Bittner: The apparent method was to cultivate trust and then induce researchers to unwittingly install malicious code and an in-memory backdoor that beaconed to DPRK-controlled servers. The compromise was accomplished through unidentified mechanisms when the victims visited one of the threat actors' sites.
Dave Bittner: One known way in which victims were compromised involved their being induced to collaborate on a research project. According to BleepingComputer, the threat actors would share a Visual Studio project that included the proof-of-concept exploit they represented themselves as working on. It also included a malicious, hidden DLL. Google says, at the time of these visits, the victims' systems were running fully patched and up-to-date Windows 10 and Chrome browser versions.
Dave Bittner: The Register points out that the campaign wasn't perfect, and there's a funny meme in circulation showing dear successor Kim Jong Un's face superimposed over Steve Buscemi's face above the legend, how do you do, fellow zero-day researchers?
Dave Bittner: But give them credit. As social engineering goes, this one is better than the calls threatening arrest for abuse of your Social Security number or the email from the barrister asking if you'd be willing to serve as the heir to an intestate gazillionaire. So, fellow zero-day researchers, engage with caution.
Dave Bittner: Anonymous has apparently resurfaced, and it's interested in Malaysia - if, that is, the people who posted a video excoriating Kuala Lumpur for allegedly poor government cybersecurity practices really do represent the anarchist collective. Anarchist collectives are, by their nature, inherently difficult to identify or authenticate or, indeed, even individuate. Their name is Legion, as it were. Anyhoo, the video includes an implicit threat of data theft and doxxing. Yahoo Finance says the government is taking the threat seriously.
Dave Bittner: In fairness to Anonymous, insofar as it's possible to be fair to an anarchist collective, this sort of doxxing under a finicking, pretextual fig leaf of stuffy devotion to best security practices hasn't really been the Anonymous style. But who knows? Full-scale cyberwar isn't likely because Anonymous isn't that big a playa (ph) in cyberspace, but there's a real possibility of nuisance attacks.
Dave Bittner: Their tweet, for what it's worth, is Shadow Broker-esque in diction - quote, "this is a wake-up call for the government of Malaysia," they say, adding, "it's have been a long time that we are silent. Be prepared. We are legion. We do not Forgive. We do not Forget. Expect US!" That's expect us, not expect U.S., as the capital letters they use might suggest.
Dave Bittner: Still, again, who knows? Any Dr. Seuss scholar knows that the Lorax speaks for the trees, but who, really, can be said to reliably speak for Anonymous?
Dave Bittner: We attended last week's virtual cybersecurity summit organized by the National Governors Association. Many of the issues the participants talked through were familiar enough, touching as they did on the importance of cooperation not only among the states, but between state and local government, with the federal government and, finally, with the private sector.
Dave Bittner: There was also considerable attention devoted to workforce development. Our stringer on the virtual spot thought one of the issues they addressed was particularly interesting - the way in which a kind of false credentialism can stand in the way of filling jobs with people who are well able to handle the work.
Dave Bittner: CompTIA CEO Todd Thibodeaux mentioned that university preparation is often either misaligned or incomplete with respect to what the industry says it needs and that universities might do well to listen to the private sector and take advantage of all the work the private sector's done on the issue.
Dave Bittner: But there's another bottleneck in the talent pipeline, too, and this one is on the side, largely, of industry. Thibodeaux called it a confidence gap, the widespread assumption or sense that all cybersecurity jobs require deep STEM expertise and training. He encouraged employers to give applicants who don't have those a look. Alternative credential programs, many of which have appeared over the last few years, can deliver solid candidates. And in Thibodeaux's view, it doesn't take a four-year degree to switch fields into cybersecurity.
Dave Bittner: We might add some historical perspective. When the battleship USS California was sunk at Pearl Harbor, the musicians in her band, while she waited to be raised and repaired, showed a surprising aptitude as code breakers. They were temporarily assigned to Fleet Radio Unit Pacific, where they served with distinction. Look for the equivalent in cybersecurity.
Dave Bittner: And finally, once you do get the right people, how do you organize them? One of our favorite sailors, retired Admiral James Stavridis, a friend of the show, has an op-ed in Bloomberg in which he argues that the SolarWinds supply chain compromise and presumably the other related campaigns by, probably, Russia's Cozy Bear show that the U.S. isn't properly organized for cyber conflict. He thinks that Space Force, whose creation he approves of, suggests a model for cyberspace. A new military service - call it Cyber Force - should do for operations in cyberspace what Space Force promises to do in outer space.
Dave Bittner: As the admiral puts it, quote, "the administration should also create a full-fledged Cyber Force. The Donald Trump administration correctly created a Space Force, recognizing how much of national security relies on the ability to operate in space and that securing it requires specific skills concentrated in a single organization. Likewise, we are overdue for an elite, independent branch of the armed forces in which all the personnel wake up every morning thinking about defending the nation in cyberspace," end quote.
Dave Bittner: Maybe he's right, although we're agnostic on the issue. But if there ever is a Cyber Force, we look forward to watching its culture develop. That's the fun part, and roles and missions be damned.
Dave Bittner: Space Force calls its troopers Guardians. The inevitable choice for Cyber Force would seem to be Hacker, as in Hacker Recruit, Hacker, Hacker First Class and so on.
Dave Bittner: In fairness, Cyber Force probably ought to go into the Department of the Army, since the Departments of the Navy and the Air Force already have two services, respectively the Marine Corps and the Space Force.
Dave Bittner: And bonus - it could there make its contribution to the Army's rich tradition of demotic terms of disapprobation. Where the Army Airborne has its legs, a derisive reference to non-airborne, foot-mobile troops who don't arrive by parachute, Cyber Force could have - what? - No-hats, maybe. And the equivalent of the combat troops' REMF, which acronym we won't unpack because we're a family show, but which is used to refer to judge advocates general, headquarters clerks and comparable miscreants - well, that one could be non-hacker. And an incompetent hacker, the equivalent of the Army's bolo - well, obviously it's skid.
Dave Bittner: DDoS attacks continue to be an ongoing issue for cybersecurity professionals, a bit of a cat-and-mouse game as adversaries grow their botnets and defenders strengthen their mitigation capabilities. Dr. James Stanger is chief technology evangelist with nonprofit trade association CompTIA, and he joins us now. James, welcome to the CyberWire.
James Stanger: Hey. Thanks, man. It's great to be here. Appreciate your time.
Dave Bittner: Let's start off with a little level-setting here. I mean, where do we find ourselves when it comes to the state of things in regard to DDoS attacks?
James Stanger: You know, in some ways, I swear, when it comes to DDoS attacks, we seem to kind of reinvent our susceptibility to them. In other words, just as - I remember years ago, there was the Robert Morris internet worm. Now, we're talking about primordial times back in the '80s...
Dave Bittner: (Laughter).
James Stanger: ...When, you know, he accidentally or accidentally on purpose - who knows what happened? - released this thing, and it went along and crashed, you know, about a quarter to a third or more of the known internet at the time. Well, then in the '90s, late '90s, DDoS attacks became big. And now we have the botnets. We have the volumetric attacks. We have, you know, the ability of some of these pretty sophisticated outfits to send even small amounts of traffic that are designed to crash servers.
James Stanger: So it's interesting to see how these things are cyclical. It comes and it goes, but it's cyclical. But the patterns are kind of the same. But the actual volume and the severity of the attacks seems to be getting worse.
Dave Bittner: Yeah, I mean, and I think that's really striking. As the techniques on both sides, you know, as they grow their capabilities, I think we're seeing numbers that we would have a - would've had a hard time imagining just a few years ago.
James Stanger: You know, it used to be, oh, hey, look at that. We're seeing a lot of SYN packets, you know, like a SYN flood. You know, there's the TCP three-way handshake. And you can take advantage of that by overwhelming a server there or, you know, lots of ping packets - you know, all that.
James Stanger: It's gotten so much more sophisticated on the attack side to see how you can, you know, put together hundreds of thousands to millions of unwitting participants in your little scheme that they're just doing things as they normally would do, and then all of a sudden, just a few packets come from each of those, and then it adds up to a huge attack that - you know, we've seen it bring down Amazon S3. We've seen it bring down Netflix. We've seen it bring down quite a few things, certainly with the IoT packets.
James Stanger: On the mitigation side, it's also interesting to see the more sophisticated approaches. There's big data approaches to crunch all of the data, to find out, you know, what the patterns seem to be so you can proactively protect yourself.
James Stanger: We're also seeing a lot of really good third parties out there that can kind of insert themselves in between you and the bad guys to scrub out a lot of those packets. So it's interesting to see both - how both sides have become more sophisticated.
Dave Bittner: Where do you suppose we're headed with this? Is this something that we're going to get control over or is this something that is here to stay?
James Stanger: It's here to stay. I see it as a chronic issue that has to be managed rather than something like - 'cause I remember for a while it was like there was a certain mission accomplished attitude. Well, there's no more - you know, we figured out the ping of death. I'm using old examples.
Dave Bittner: (Laughter) Right.
James Stanger: Or we figured out Slowloris. We don't have to worry about that so much. We've kind of figured out - systems have become much more capable of handling floods of traffic than they ever were. I mean, nowadays you can simulate using Kali Linux or, you know, Metasploit or whatever, hping3, simulate floods of traffic that back in the day would've crashed a Linux or a Windows server of its day. They're much more resilient now.
James Stanger: But again, the attackers are able to step up their game each time, so I see it as a slow and steady evolution against the slow and steady evolution of the bad guys.
Dave Bittner: Dr. James Stanger is chief technology evangelist with the nonprofit trade association CompTIA. Thanks so much for joining us.
James Stanger: It's fantastic to be here. Thanks again. Appreciate it.
Dave Bittner: And joining me once again is Kevin Magee. He's the chief security and compliance officer at Microsoft Canada. Kevin, always great to have you back. I want to chat today about the launch of the Rogers Cybersecure Catalyst at Ryerson University. And this is something you're involved with. Can you give us some of the details? What's going on here, and why is it something that's important to you?
Kevin Magee: Personally and also professionally, I'm very interested in the next generation of leaders for our industry and how we develop them. And that doesn't mean just within the corporate sense. That's also looking to the startup community and building that startup community. And in Canada, we have a much smaller startup community than you do in the U.S. So we're looking at how best to grow and really accelerate those efforts.
Kevin Magee: And what we're seeing is that partnerships between corporations like ourselves, like Rogers, and universities and the startup community are really producing the best results. Where we come together to provide not only access to talent, access to mentorship, access to applied research and whatnot, and build out that community, that is greatly accelerating those startups and developing the talent we need for the next generation of leadership in our industry.
Kevin Magee: So it's a fascinating time to be involved in this community. And Ryerson partnered with Rogers to launch this Cybersecure Catalyst at the beginning of the COVID pandemic. It was meant to be a physical space. So we had to work together to sort of pivot to an online space and evolve as well in real time.
Dave Bittner: Can you give us some insights? I mean, what's the general framework that you're using here for - to set up the partnership between private and, you know, the educational folks?
Kevin Magee: So Ryerson really approached a number of large corporations that had either expertise or whatnot that they could bring to bear and said, you know, how can you help us? And so they run a program that they've established sort of based on a generic entrepreneurship program. And they've adapted it to the cybersecurity startups as well.
Kevin Magee: So they have Entrepreneurs-in-Residence that are industry folks who come in and assist the companies to develop in sort of the generic aspects of business. But then they've created a role called a Corporate-in-Residence, where people like myself or other folks within Microsoft really come in and advise the companies, much like the Entrepreneur-in-Residence, on specific topics that are of interest.
Kevin Magee: And then it also gives an opportunity for those organizations or those startups to tap into sort of the vast resources. So Microsoft is a $2 trillion company or something like that. We have a vast array of resources that we can make available to the startups and really help them accelerate.
Kevin Magee: And if I look back at my first company, which I founded in the '90s, it was based on a Microsoft program that assisted startups by providing free licenses to software and whatnot. And without that help at that early stage, I'm not sure I could've got my company off the ground. So that's what we're looking to achieve with the partnership.
Dave Bittner: And what's in it for you personally? Why is this something that you want to invest your time in?
Kevin Magee: So I find that it's really something that brings energy to my day. So when I spend some time with some of the founders, I really come out of the call energized and excited. And when you spend time with entrepreneurs who are really tackling some interesting challenges or something that no one's ever done before, and they're young and they're invested and they're really excited about their work, it's a fascinating thing to do.
Kevin Magee: And sometimes little things that you can advise them on or assist them with, you know, make an incredible difference because I've made that mistake hundreds of times over my career. They have not yet, so they can benefit from that wisdom as well.
Kevin Magee: But again, it really is something that I find a great deal of personal satisfaction out of. And nothing makes me happier than to see these folks either go on to succeed with their organization or maybe move around the industry and become leaders in other parts of the organization as well.
Dave Bittner: All right. Well, Kevin Magee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. One tough customer. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.