Counting coup against REvil (and other gangs are taking note). Export controls and dual use. A timing bug will surface this weekend.
Dave Bittner: REvil's troubles appear to be the work of an international law enforcement operation. Other gangs have noticed, and they're looking a little spooked. Questions are raised about the efficacy of surveillance tool export controls. Caleb Barlow has cybersecurity considerations for CEOs and boards. Our guest is Mickey Boodaei of Transmit Security on the movement to do away with passwords. And if you liked Y2K, you're going to love 10/24.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 22, 2021.
Dave Bittner: We close the week with what appears to be some good news. Speculation that REvil's second disappearance may have been induced by law enforcement activity seems to have been borne out. Reuters reported late yesterday that REvil's difficulties in reestablishing itself, including its loss of keys and loss of control over its servers, were due to a concerted effort by law enforcement, intelligence and military agencies with the cooperation of private security companies to knock the gang offline. One feature of the operation appears to have been the compromise of REvil's backups, an aspect of the operation some who commented found ironic given the attention ransomware gangs tried to pay to backups. A representative of the U.S. National Security Council said only, according to Computing, a whole-of-government ransomware effort, including disruption of ransomware infrastructure and actors - so whole of government, which implies both civilian and military agencies and organizations, but also an allied action. The operation was also international, with participation by other unspecified but like-minded countries. And so efforts to build an international consensus against ransomware may be bearing some first fruits in the action against REvil.
Dave Bittner: The cyber underworld will adapt and is already showing signs of doing so, security researchers note. One immediate response noticed by security firm Profero and reported in the Record is some shifting of ill-gotten assets. The way in which the authorities wrapped REvil around their fingers clearly gave DarkSide, for one, the willies. That particular ransomware gang early this morning began moving its assets, shifting about 107 bitcoin - that amounts to around $6.8 million - from the wallet where they'd been cached. Omri Segev Moyal, CEO and co-founder of Profero, told The Record, quote, "Basically, since 2 a.m. UTC, whoever controlled the wallet started to break the bitcoin into smaller chunks. At the time of this writing, the attackers split the funds into seven wallets of seven to eight bitcoin, and the rest - 38 bitcoin - is stored in the following wallet." How effective that will prove in keeping the DarkSide stash safe from compromise and confiscation remains to be seen. But it's worth noting that such shifts aren't invisible and aren't necessarily beyond the reach of the authorities. Good hunting to them.
Dave Bittner: Other recent trends among the gangs are also interesting. We saw yesterday that Kaspersky researchers looked specifically at Russophone gangland, the criminal market leader, and found increased division of labor, commodification and C2C marketing.
Dave Bittner: The criminal supply chain now extends to business email compromise. Palo Alto Networks' Unit 42 has found that BEC is now being offered as a service. In this, Unit 42 told ZDNet, BEC is following the path of ransomware. Quote, "Similar to ransomware, we're seeing an increased number of attackers getting into BEC, and we're also seeing it mature into, like ransomware as a service, BEC as a service. They're becoming more tech savvy. They've been in the commodity space and are starting to include publicly disclosed vulnerabilities. They're becoming more professional," end quote.
Dave Bittner: Such professionalization is consistent with the ways in which criminal markets tend to imitate legitimate markets. It's also been seen in the deployment, which we discussed earlier, of front companies by criminal gangs like FIN7. These are recruiting gambits, attempts to recruit staff with conventional promises of regular hours, high pay and the like - no word on benefits like a 401(k) or a health plan. But who knows? Those might be coming, too.
Dave Bittner: The Intercept has a long essay on the use of NSO Group's Pegasus tool by Moroccan security services against that kingdom's dissidents. The surveillance isn't confined, The Intercept says, to Pegasus infestations of targeted smartphones, but rather represents a general policy of inducing a sense of general surveillance, a kind of panopticon into the daily lives of the kingdom's subjects. Morocco's government denies using Pegasus or other tools for such widely criticized purposes.
Dave Bittner: Restricting the export of tools that might be abused is one purpose, Decipher writes, of the U.S. Commerce Department's interim final rule, which the Bureau of Industry and Security published at midweek. The rule is intended to keep surveillance technology out of the hands of repressive regimes, with U.S. rivals Russia and China figuring prominently among such bad actors.
Dave Bittner: The rule has met with mixed reviews, and not because people are in favor of aiding repression. Indeed, some of those who’ve expressed reservations, like the Electronic Frontier Foundation, typically have a libertarian take on technology. In this case, however, there are concerns that the rule might be framed in excessively broad terms, and might punish or at least inhibit legitimate security research.
Dave Bittner: There are also concerns, summarized in a piece appearing in Threatpost, that the controls themselves might also be anemic, ineffectual in keeping potentially misused technology out of the hands of ill-willed state actors. There are familiar dual-use problems here. Technologies with perfectly legitimate uses may be abused. Penetration-testing tools are a good example. By their very nature, they can be, and have been, abused by criminals and intelligence services.
Dave Bittner: Finally, CISA warned yesterday that a GPS Daemon rollover bug will hit Network Time Protocol servers this Sunday, October 24, rolling the date back 1024 weeks to March 2002, with predictable disruption to services using NTP. It's a punning bug - 1024 like Sunday's date. Get it?
Dave Bittner: Listeners of a certain age will be reminded of the Y2K bug, the millennial apocalypse that in the end turned out to be more of a whimper than a bang. But this particular problem, while not to be ignored, is fixable, and so shouldn’t be exaggerated either. The problem affects only GPSD versions 3.20 through 3.22. The fix is an obvious one - upgrade systems to version 3.23 or later, and that version has been available for months.
Dave Bittner: CISA recommends that concerned users consult the SANS Institute's account of the bug for more background and information. Take a look, and upgrade if you need to.
Dave Bittner: OK, so real quick - name a part of your everyday computing experience you would love to see put out to pasture. For me, it's probably email, but I'll bet a good number of you in the security world are thinking passwords. They are all too often too easy to guess, reused from site to site and a prime target in data breaches and business email compromise. Mickey Boodaei is CEO and founder of Transmit Security, where they are working to change the password business by getting rid of them entirely.
Mickey Boodaei: So I would say that today, we're still very much in a password world. And the problem with passwords is pretty much clear. It has actually - it has two aspects to it. The first one is on the security side, and the second one is on the customer experience side. And both of them are getting worse from, you know, over time. So from a security perspective, we know the statistics. We see the attacks every day. But more than 80% of data breaches today are due to account takeover, and account takeover is typically done by stealing passwords. And stealing passwords is becoming easier and easier over time just because the techniques for stealing passwords, from phishing to malware to social engineering, are becoming more sophisticated. And it's much easier to get users to reveal their passwords when they have so many passwords and so many interactions with so many systems. So we're seeing a constant increase in the number of attacks, in the sophistication of these attacks and obviously in the damage that passwords are eventually causing to the industry.
Dave Bittner: Do you feel as though we're having success in getting folks to adopt things like password managers and then, of course, multifactor authentication?
Mickey Boodaei: Well, the problem with password managers is that you can't really enforce them, definitely not on consumers. So it's up to the consumer to decide whether they want to use a password manager or which one to use, how they use it and how to make sure, too, that fraudsters are unable to steal access to their password manager, which is obviously the worst thing that could happen for the consumer. From a two-factor authentication perspective, this is actually something that you can enforce on your consumers. The problem with that is the price you're paying in terms of customer experience.
Mickey Boodaei: So the more restrictions, the more constraints, you put on consumers when it comes to password, you know, the worse the customer experience is. And there is a direct correlation between customer experience and business results for consumer-facing applications. So you would see that consumers, for example, that forget their passwords or that - they're faced with a two-factor authentication every time they try to log in or transact or, you know, buy something, they're less likely to use the services and they're more likely to look for alternatives. So it's a very delicate balance when it comes to passwords.
Dave Bittner: So what's next, then? I mean, if we're going to do away with passwords, how are we going to handle secure logins?
Mickey Boodaei: Well, actually, the technology has evolved significantly in terms of password alternatives or alternatives to passwords. It used to be just one-time authentication using links that you were getting over email or OTP codes. Both of them are not very convenient and also not very secure for the long term. But over the past, I would say, five years, we're seeing an increase in the number of devices that support biometric authentication, own device authentication, own device biometrics, which is the biometric readers that are embedded in the device itself. So this could be fingerprint authentication or face recognition. And with that, our ability to provide a much more secure login process, as well as a much more convenient login process, has increased significantly. The quality of these readers, both in terms of security and in terms of the customer's experience, is increasing from one generation to another generation in a very fast way. So from that perspective, we're seeing, for the first time ever, a technology that is not just secure or not just convenient, but is both highly secure and highly convenient.
Dave Bittner: That's Mickey Boodaei from Transmit Security. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews.
Dave Bittner: And joining me once again is our CyberWire contributor, Caleb Barlow. Caleb, it's always great to have you back. You know, I wanted to check in with you today because you have been in the unique position of being both a security professional, but also the CEO of a public company. And I want to check in with you. What is the reality of that? What sort of things do you have to worry about from a security perspective when you're sitting in that top seat?
Caleb Barlow: Well, you know, Dave, I recently finished the role as the CEO of a public company, which - let's face it - gives me a little more latitude to talk about what you've got to think about in that seat than when you're in it, right?
Dave Bittner: (Laughter) Right.
Caleb Barlow: So the responsibilities of being a public company's CEO or on the board of a public company are no joke. But a lot of these same governance factors apply to any company. And it's a bit different of a perspective than, you know, you might have at a small startup. But I think there's a lot we can learn from that. So now that I've got a little bit more freedom to talk about it, I kind of laid out five things that you've really got to think about at kind of that level if you're a CEO or a board member or supporting one of them from a cybersecurity perspective.
Caleb Barlow: So first and foremost, you need a CSO. And if you're a company of any size nowadays, you're going to need a CSO. Now here's the really key thing: where do they report? And we've seen a lot of change in the industry on this over the last few years, and I think the best practice now is really not to have the CSO report into the CIO, which many of them do, or report into the CFO. And the reason for this is governance. And you've got to understand that the CIO is responsible for, you know, delivery and performance of IT services for a given cost. But the CISO's role is really a bit different in that they're responsible for managing risk and consequence. And that security budget - well, it's got to be reviewed relative to the corporate risk, not as part of the IT budget. And you've got to determine that appropriate risk threshold, most likely, at the board level.
Dave Bittner: What other things do you have on your list?
Caleb Barlow: Well, the second thing is, almost every company out there has gone out and got some sort of, you know, security assessment. But it's time to take that up a notch. And you know, there's new tools and a lot of new services from companies out there offering security validation assessments. Now, what these are - and I would really encourage this actually be contracted at the board level, not from the CISO or the CIO. Now, granted, they should be involved in supporting it and everything else. But it is important from a governance perspective that a board of directors actually goes out and is seen as contracting this directly. Now, what a validation assessment will do is actually launch an inoculated attack. Let's say it's a malware, you know, attack or a ransomware incident or something like that. And it actually keeps a log of what happened at what time, and it does this by looking at the logs.
Caleb Barlow: So, OK, we launched a fictitious WannaCry incident. We see that the IPS detected it at a given point. The firewall detected it. Did it correlate properly or not in the SIEM? How long did it take for the SOC to recognize the issue? Maybe it was an outsourced vendor. It took them four hours. That's not too good. Did they open a ticket? How long did it take it to open the ticket? Did they follow procedure, disposition appropriately?
Caleb Barlow: You kind of get this - not even just the normal things you get in a security assessment. But you also get this timeline of - when we tested your entire system, here's what the timeline looked like. And either it's green in that it matches exactly the way it should, or, hey, there's a few red elements in here. You know, the guy that was on at 2 o'clock in the morning running your SOC didn't notice this for four hours. What's wrong? Or the SIEM didn't correlate properly.
Caleb Barlow: It is so critical to do that level of assessment at a board level because if you are breached, if - you know, if a regulator does come on board, not only can you show you've done this work. But in addition to that, you can demonstrate that, hey; when we did this assessment, here were the results. And here are the actions we took from it.
Dave Bittner: OK. What else is on your list?
Caleb Barlow: Well, hey; we know we need to drive security into the culture. We've all talked about this before. But I want you to do it at the board level, right? So what does that mean - at the board level? That means not only regularly having security as a topic on your board meetings but a couple of things that are now best practice. You get past the green, yellow, red lights where the CISO comes in and tells you, everything's green, right?
Caleb Barlow: You've got to get into these becoming more educational sessions where you're talking about, you know, not the Harvey balls and the traffic lights but getting into talking about, what threats do you see - actor, campaign, motivation - maybe that we're up against, educating that board on the latest threats. Remember, it's important from a governance perspective for a board to show not only are they paying attention to cybersecurity but they're getting educated on cybersecurity. And that's something CISOs have to take on as part of their charter - is to make sure that their board is constantly getting educated and coming up to speed.
Caleb Barlow: I've seen some great practices recently. You know, one large cloud company ensures that their senior leadership team has a standing meeting with all of their security, you know, leadership on a regular recurring basis. In this case, it was weekly. That way, they know that if there's a security issue that needs to get elevated to senior management, it can and without multiple levels to ensure transparency.
Caleb Barlow: I've even seen - and lawyers hate this, but I think it makes a ton of sense. I've even seen situations where all security incidents are exposed to the board level so that board members have the ability to kind of peruse not only what happened but what was the corrective action. Again, it's important that a board can demonstrate that not only were they making decisions and having the meetings, but they were getting educated and staying on top of these things.
Dave Bittner: Interesting - one more on your list.
Caleb Barlow: One more. Our security documentation, Dave - it kind of sucks. I mean, I'm sorry.
Dave Bittner: (Laughter).
Caleb Barlow: We all know it. It's just us talking here. But it's time to up the security documentation to that of the level of what you would see your CFO deals with or, if you're in the manufacturing world, kind of Six Sigma or, you know, ISO. Security documentation is really lacking out there. And why this is so important is when you're breached, when there's litigation, you need to be able to demonstrate that you said what you did and you did what you said.
Caleb Barlow: And what I tell people to think about all the time is the volcano test. If one of your critical people fell into a volcano, is the security documentation robust enough that a new hire off the street, you know, with the right skills and training could figure it out and could recreate your environment? If it's not, then you've got some work to do.
Dave Bittner: All right - well, a good list for sure. Caleb Barlow, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Doel Santos from Palo Alto Networks Unit 42. We're discussing their recent report, "Ransomware Groups to Watch: Emerging Threats Research." That's "Research Saturday." Do check it out.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brendon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Patrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.