The CyberWire Daily Podcast 8.31.21
Ep 1408 | 8.31.21

Dangers of data collected in Afghanistan. Another cryptocurrency theft. Hardware backdoors? LockBit dumps airline’s data. CISA opens registration for the President’s Cup. Too much gaming, kids.
Dave Bittner: Possible consequences of the Taliban seizure of Afghanistan's APPS data. Another DeFi platform sustains a cryptocurrency theft. How would one handle a hardware backdoor? LockBit begins dumping data stolen from Bangkok Airways. Registration for CISA's President's Cup is now open. Joe Carrigan describes the superiority of AI-generated phishing emails. Rick Howard speaks with Art Poghosyan from Britive on software-defined perimeters. And China moves to keep minors from wasting too much time in online gaming.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 31, 2021. 

Dave Bittner: The Taliban's seizure of HIIDE - that's Handheld Interagency Identity Detection Equipment - biometric registration and identification devices aroused concern when it was first reported, but the risks of that loss, while real, seem likely to be limited. MIT Technology Review argues that a more serious matter is the insurgent government's acquisition of APPS, the Afghan Personnel and Pay System used by the deposed government's ministries of Defense and the Interior. 

Dave Bittner: A great deal of data was collected in APPS. Technology Review's sources tell it that each profile in APPS contains at least 40 data fields. Quote, "these include obvious personal information such as name, date of birth, as well as a unique ID number that connects each profile to a biometric profile kept by the Afghan Ministry of Interior. But it also contains details on the individual's military specialty and career trajectory, as well as sensitive relational data such as the names of their father, uncles and grandfathers, as well as the names of the two tribal elders per recruit who served as guarantors for their enlistment," end quote.

Dave Bittner: This amounts to a catalogue of community connections, with anyone whose name appears in a profile flagged as connected in some nontrivial way to the subject of the profile. And unfortunately, there are signs that the lists are being used in headhunting searches for personnel who served in or were otherwise connected to the former government's military services. APPS data was unprotected by retention or deletion policies and was presumably seized intact.

Dave Bittner: Another DeFi cryptocurrency platform - that's DeFi as in decentralized finance - Cream Finance, has suffered the theft of $29 million. Cream suspended supply and borrow in the affected AMP market shortly after blockchain security firm PeckShield detected activity that looked like a reentrancy criminal attack. In general, reentrancy can occur when a procedure can be initiated, interrupted, initiated again in a second instance and when both instances can then be run to completion without error. 

Dave Bittner: PeckShield tweeted how the robbery worked. Quote, "the hack is made possible due to a reentrancy bug introduced by AMP, which is an ERC777-like token, and exploited to reborrow assets during its transfer before updating the first borrow. Specifically in this case, the hacker makes a flash loan of 500 Ethereum and deposits the funds as collateral. Then the hacker borrows 19 million in AMP tokens and makes use of the reentrancy bug to borrow 355 Ethereum inside the AMP token transfer. Then the hacker self-liquidates the borrow," end quote. 

Dave Bittner: And then, of course, Bob's your uncle - or rather, the thieves' uncle. Cream tweeted a summary account of the incident yesterday. Quote, "C.R.E.A.M. v1 market on Ethereum has suffered an exploit resulting in a loss of 418,311,571 in AMP and 1,308.09 in Ethereum by way of reentrancy on the AMP token contract. We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected." 

Dave Bittner: The Record thinks the theft displays some of the unfortunate tendencies in the still-young cryptocurrency world. They argue, quote, "This trend of hackers targeting DeFi platforms can be explained by the fact that the cryptocurrency ecosystem is highly unregulated, security is almost an afterthought, and many platforms fail at implementing their underlying technical base, many running buggy contract scripts that can be easily abused by anyone with knowledge of cryptography and C and C++ coding," end-quote. 

Dave Bittner: Global Control points out the potential threat of hardware backdoors in transformers and other power generation, transmission and distribution equipment. The essay also notes the limitations of software bill of materials in addressing this risk. Chinese-manufactured equipment has received some adverse comment for the potential security risk it poses, but it remains popular because of its relatively lower cost. The issue may illustrate the familiar maxim that lowest cost doesn't always equate to best value. 

Dave Bittner: The Register reports that the LockBit ransomware gang has, in the wake of Bangkok Airways' refusal to pay the ransom, begun to release the personal data the gang stole. The size of the data dump is assessed variously, with estimates coming in between 103 gigabytes and more than 200 gigabytes. The airline has emphasized that the compromise didn't affect safety of flight, and it's apologized for the exposure of passengers' personal data. Bangkok Airways has told its customers, quote, "for primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible," end-quote. And, of course, to be wary of any communications they may receive that purport to be from the airline but that might be phishing for more data. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has opened registration for the President's Cup Cybersecurity Competition. Individuals can register through October 4. Teams have until September 20 to sign up. CISA describes the President's Cup, which was established in response to Executive Order 13870, as a national cyber competition, aiming to identify, recognize and reward the best cybersecurity talent in the federal executive workforce. Hosting challenges from across the National Initiative for Cybersecurity Education Cybersecurity Framework, competitors will face a diverse array of challenges and will require an extensive skill set to succeed. 

Dave Bittner: And finally, Bloomberg reports that the government of China plans to restrict children's access to online games. During most weeks, young gamers will only be able to play for three hours a week, with some relaxation of the limits on some holidays. Bloomberg summarizes the move as follows. Quote, "Gaming platforms from Tencent Holdings Ltd. to NetEase, Inc., can only offer online gaming to minors from 8 p.m. to 9 p.m. on Fridays, weekends and public holidays, state news agency Xinhua reported, citing a notice by the National Press and Publication Administration. The new rules are a major step up from a previous restriction set in 2019 of 1 1/2 daily hours most days," end-quote. So a top-down solution, which would seem to require a reliable way of identifying minors, parents everywhere will agree that wasting time rummaging through the loot boxes and yelling at the screen would be a cross-cultural universal of human use. China's solution really puts the authority in authoritarian, doesn't it? We'll watch with interest to see how it works out. 

Rick Howard: Art Poghosyan is the CEO and co-founder of Britive, a cloud native identity and access management product. I wanted to talk to him because his product spans across a couple of security vendor categories - zero trust, because you can't do zero trust without a robust identity and authorization program, and SDP or software defined perimeter, which is a horrible marketing name because the tech involved smashes completely the perimeter paradigm. By the way, Art didn't invent the name. You can blame the U.S. military for that when they came up with it in the mid-2000s. The Britive product just happens to fit into the category. 

Rick Howard: In the general sense, SDP moves the functions of identity verification and authorization away from the workflows that users are trying to get to. In other words, instead of logging into the Linux machine that hosts the data, users log into a completely different system that's not connected to the Linux system at all. The SDP system verifies your identity, checks if you are authorized to access the Linux system in question, and if you are, establishes the connection - not to the entire network, just to the specific Linux system. 

Rick Howard: So, Art, let's just back up and talk about the general problem in the industry with all of these cloud deployments. Any company of any size is probably going to be in multiple clouds, and even small companies like mine. We're a startup. We have, like, 25 different SaaS services that we use to do our stuff. 

Art Poghosyan: And that's important context, even on your example as being a small business. You already are in multi-cloud. I'll throw an interesting statistic out there. There's some, you know, research that indicates mid- to large-size enterprises - 90% of them are already in multi-cloud, including two or more infrastructure-as-a-service - Azure and AWS, GCP, Azure and whatnot, plus 50 to 60 SaaS and other as-a-service technologies, and it's growing.

Art Poghosyan: From the standpoint of operational processes, especially in infrastructure and DevOps, but also on the business side, it's very difficult to have, you know, multiple processes, given the differences in the cloud, you know, technologies in the way they access and, you know, permissions are defined in each of these systems. It becomes extremely inefficient and costly. 

Art Poghosyan: And most of the time, organizations end up granting this access without much control or foresight into how that exposes too much access because they have to do it in a fast pace. If they have to support multiple infrastructure platforms, it becomes, again, a very inefficient and costly process to support, let's say, you know, DevOps CI/CD pipelines for both Azure and AWS. 

Art Poghosyan: And all that result in, on one hand, very high operational costs and burden. But from a security standpoint, what it means is, when you have to cut corners and compromise security for the sake of velocity, the outcome is, almost 100% of the time, you have exposed some access in the cloud that is - only a matter of time before it gets exploited. 

Rick Howard: I was reviewing the attack sequence behind the SolarWinds attack, the famous supply chain attack from earlier in the year. It seems to me that if a SolarWinds customer had an SDP solution in place before the attacks, it would have greatly reduced the chances that the attackers would have been successful. I realize that you might be biased here because you sell an SDP product, but would you agree with my assumption?

Art Poghosyan: I would not only say that, I would be prepared to defend it. 
Art Poghosyan: Because if you look at - yeah (laughter). If you kind of break down sort of the whole attack trajectory there, you know, it was a classic, classic scenario that we've been, you know, talking about for a few years now. You know, lateral movement, compromise of a privileged - static privileged credential in the VMware management console, which let the attackers pivot into Azure environment, gain federated identity controls, set up identity endpoints. And that was pretty much game over at that point. 

Art Poghosyan: How an attack like this would have eliminated that exposure is there would not be a static admin access into VMware console. And any session with that admin level should and would have gone through multiple levels of, you know, authorization, authentication, to verify who the user is before they would be allowed to do that. 

Rick Howard: That's Art Poghosyan, the CEO and co-founder of Britive. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, over on "Hacking Humans," we talk a lot about things like phishing emails and spear phishing and whaling and all those kinds of things. This article from WIRED, written by Lily Hay Newman, caught my eye. It's titled "AI Wrote Better Phishing Emails Than Humans In A Recent Test." 

Joe Carrigan: Yeah. 

Dave Bittner: What's going on here, Joe? 

Joe Carrigan: So some researchers from Singapore's government technology agency presented at Black Hat and DEF CON. What they did was an experiment. It was a - kind of a small, sample-size experiment. They wrote 200 phishing emails themselves, and then they used OpenAI's GPT-3, which is a language generation, deep learning model, to generate another 200 spear phishing emails. And they found that the AI-generated phishing emails were more effective than the ones they wrote themselves. So this is interesting because it is a small sample size, right? It's only 200 people. 

Dave Bittner: Right. 

Joe Carrigan: They kind of had inside knowledge about these people so they could tailor these phishing attacks towards these individuals. But the key takeaway here is that the AI generated better click-through results for these phishing emails, more successful click-through results. 

Dave Bittner: Yeah. And, you know, this speaks to something I think we've wondered about, which is, you know, at what point and to what degree do the bad guys start using some of these AI-as-a-service platforms... 

Joe Carrigan: Right. 

Dave Bittner: ...For their own purposes? 

Joe Carrigan: There's a lot of discussion about that in the article. And one of the things that the article points out is that it does cost a lot of money to build your own model or to train your own model. You have to have AI experts who understand what the algorithm is going to do, and then you have to spend actual money on hardware to train it because the hardware to do it isn't cheap. It's actually one of the barriers to entry to this field. 

Dave Bittner: Yeah. But if you can do it as a service, then... 

Joe Carrigan: But - exactly. If you do it as a service, for example, with this OpenAI product - actually, Microsoft has licensed the model. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But you can still - they have exclusive rights to the underlying model, but you can still go out and use the API, which is what these guys from Singapore did. And you can feed it in some parameters, and it spits out really, really effective text. 

Dave Bittner: Yeah. 

Joe Carrigan: And there is - OpenAI, in this article, says, we put a lot of tests on our - you know, checks and balances on our system to make sure that it doesn't get abused. 

Dave Bittner: Right. 

Joe Carrigan: And the people from Singapore's Technology Agency worked with OpenAI. They didn't just do this out of the blue. They told OpenAI what they were doing, so OpenAI knew about this. But they're not the only people out there with a natural language processing language generator. 

Dave Bittner: Right. 

Joe Carrigan: And it costs millions of dollars right now to train a model, but in the future, that will not be the case. So this is something we need to start thinking about now. How do we protect ourselves against these things? I say frequently email's terrible. 

Dave Bittner: (Laughter). 

Joe Carrigan: Because if I have an email address, I just put a server out there. Anybody can put anything in there. 

Dave Bittner: Right. 

Joe Carrigan: And that's - like, I can't think of another - aside from anonymous FTP, where you have to deliberately turn on the ability for people to upload things, I can't think of another system on the internet like that. 

Dave Bittner: Yeah. It also strikes me that, because there are so widely available these data sets about all of us... 

Joe Carrigan: Right. 

Dave Bittner: ...You know, I could go to a data broker, and I'm sure I could find out all sorts of things about Joe Carrigan. 

Joe Carrigan: Yeah. 

Dave Bittner: Hobbies and interests and work history and all those sorts of things that could be plugged into some sort of automated system that could then weave together some sort of plausible-sounding message that seems like it was written just for you because, in a way, it was. 

Joe Carrigan: Exactly. I don't see this becoming a big problem for phishing emails, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Because of exactly what you just said. In order for these things to be effective, you have to feed the algorithm information about the target. But the fact that an AI model generates more effective spear-phishing emails, that's significant. Now, there does need to be further study on this. And both the people from OpenAI and Singapore Government Technology Agency agree that this is just a first bit of research on it. There's much more that needs to be done, but this is something we need to start thinking about right now. 

Dave Bittner: Yeah. Yeah. Interesting. Fascinating. I mean, the business case - if your - if the cost for buying that information from data brokers or, you know - I mean, heck, it's out there on the dark web also. You can download... 

Joe Carrigan: Right. It's on LinkedIn, right? 

Dave Bittner: Yeah. Yeah, right. So if the cost of doing that is low enough and you combine that with the low price of using one of these AI-systems-as-a-service... 

Joe Carrigan: Right. 

Dave Bittner: ...If your profits from that are high enough, then it makes sense to go in this direction. 

Joe Carrigan: Absolutely. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And speaking of sponsors, stay tuned for a message from our sponsor, Arctic Wolf. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.