The CyberWire Daily Podcast 1.4.22
Ep 1487 | 1.4.22

Log4j issues persist. Konni RAT found in New Year’s greetings. Hacktivism or state-directed cyber action? Moscow worries about Mr. Klyushin’s knowledge. The Show-Me-Too-Much State.

Transcript

Dave Bittner: It's going to take time, vigilance and attention to detail to manage the Log4j risks. A North Korean APT is trying to install the Konni RAT into Russian diplomats' devices. More hacktivist-looking incidents follow the anniversary of Iranian General Soleimani's death. Other self-inflicted software supply chain incidents. The Kremlin is said to be worried about what Mr. Klyushin might tell the Americans who've got him in jail. Ben Yelin on the tension between ephemeral messaging apps and the public's right to know. Mr. Security Answer Person John Pescatore joins the show. And the Show-Me state needs to rethink all that showing.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 4, 2022. 

Dave Bittner: The Log4j vulnerabilities continue to represent a difficult software supply chain risk, one that's proving complex and resistant to any quick and easy solutions. Microsoft yesterday updated its guidance for preventing, detecting and hunting for exploitation of the Log4j2 vulnerability. It's clear, sobering and worth attention. In brief, Microsoft's researchers have been seeing ongoing exploitation across the full range of threat actors, from intelligence services down to low-level grifters using commodity tools. The vulnerabilities represent, in sum, a complex and high-risk situation for companies across the globe. That risk extends beyond applications that use vulnerable libraries to any service that used such applications. Redmond concludes, quote, "Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing sustainable vigilance," end quote. A note in full disclosure, Microsoft is a CyberWire partner, but we'd think this guidance worth a look, even if they weren't. 

Dave Bittner: The good news, as The Washington Post sees it this morning, is that both companies and government agencies seem to be taking the issue seriously and have been more on top of things than they were, for example, in the earlier Shellshock and Heartbleed incidents. May the vigilance be as ongoing and sustainable as possible. Since the effects of vulnerabilities in software libraries can cascade so rapidly, Dark Reading sees an object lesson in the Log4j incident. The experience should lend more impetus to making software bills of materials the norm. We have more coverage of the Log4j affair on the Pro section of our website - thecyberwire.com. 

Dave Bittner: The DPRK's isolation would lead one to think that North Korean APTs are interested in targeting most countries, and that seems to be the case. Cluster25 reports finding a New Year's virtual greeting card screensaver packed as a zip file. It's directed at Russian diplomats, and it carries Pyongyang's familiar Konni remote access trojan (RAT) as its payload. The tactic may seem too obvious, too dopey for anyone to fall for, but as Recorded Future points out, it's a good bet somebody will because almost always, well, somebody does. Inattention, fatigue, misplaced trust, curiosity - all of these and more at work in the social engineer's favor. And be honest - who among us hasn't been tempted in one of those moments of weakness to take a peek? It's worth noting that this isn't a one-off attempt. Cluster25 says the greeting with the phish hook is the most recent in a series of North Korean attempts to compromise Russian diplomatic targets. 

Dave Bittner: HackRead says that the Israeli Hebrew-language news outlet Maariv had its Twitter account compromised briefly with a message similar to the one Jerusalem Post received in a website defacement. The content injected, in both cases, warned of vengeance for the death of Quds Force commanding General Qasem Soleimani in a U.S. drone strike two years ago. It's unclear which group specifically was responsible for either incident, but alignment with Iranian policy seems obvious enough. 

Dave Bittner: Reuters reports that Iranian President Ebrahim Raisi yesterday demanded the trial of former U.S. President Trump and Secretary of State Pompeo for the murder of Soleimani, which the U.S. has characterized as a legitimate battlefield killing. Failing such a trial, President Raisi said, quote, "Muslims will take our martyrs' revenge," end quote. The list of people President Raisi wants to see face justice is longer than just two. Iranian Prosecutor General Mohammad Jafar Montazeri says Iran's complained to authorities in nine countries, identifying 127 suspects, 24 of whom are U.S. nationals. 

Dave Bittner: Some revenge will be kinetic, and The Wall Street Journal reports that it seems to have begun, as irregulars aligned with Tehran have conducted a drone strike in Baghdad and intercepted an Emirati-flagged ship. But cyberattacks of the kind seen this week against The Jerusalem Post and Maariv are easy, low-risk forms of retribution as well. 

Dave Bittner: Log4j represents a big, serious and difficult-to-manage supply chain risk, but there are other lower-grade risks, too. Bleeping Computer notes one - copying and pasting commands found on a website. They cite a proof of concept offered by Gabriel Friedlander, founder of the security training platform Wizer. It's easy, of course, but the problem is that the website could very well be having you copy a very different command from the one you saw and that you thought would make your task easier, and of course, that other command might be malicious or at least might not have your best interests at heart. If copy you must, then Bleeping Computer recommends pasting what you've copied into a text editor first, where any shenanigans and bogus-ity will be more evident. 

Dave Bittner: Vladislav Klyushin, a Russian tech oligarch whom Swiss authorities extradited to the U.S. on December 18th, is again in the news. The charges in the U.S. warrant involve trading securities on the basis of nonpublic information obtained through hacking - essentially, an outsider's form of insider trading of companies that don't want him on the inside in the first place. Bloomberg, however, reports that his arrest and time in U.S. custody is proving a significant worry for the Kremlin. Mr. Klyushin is credibly believed to be in possession of information, perhaps documents, outlining a number of Russian intelligence operations that range from Fancy Bear's prance through the 2016 U.S. elections to the attempted assassination by nerve agent of GRU defector Sergei Skripal in 2018. The Russian government is believed to be concerned about the intelligence trove Mr. Klyushin might be induced to give the Americans. 

Dave Bittner: M13 describes itself as a company that specializes in IT solutions for media monitoring. It employs a staff of more than 100 developers, linguists, media analysts and other experts who have necessary skills and expertise in creating powerful and commercially successful automated tools for monitoring and media analysis. It counts a number of Russian organizations among its customers - the Presidential Administration of the Russian Federation, the government of the Russian Federation, federal ministries and agencies, regional state executive bodies, commercial companies and public organizations. And Mr. Klyushin is generally thought to be as well-connected as his company's client list would suggest. Bloomberg quotes sources who think Mr. Klyushin's having been permitted to vacation in Switzerland represents a major security failure on the part of the Russian organs. 

Dave Bittner: Finally, if you are given to seeing wheels within wheels, you can consult the Daily Mail - unrestrained as usual - which is running a screamer headline to the effect that Putin fears Kremlin insider extradited from Switzerland to U.S. may have defected. That's defected - capital D, capital E, capital F, capital E, capital C, capital T, capital E, capital D. No exclamation point - so what's up with that? Are the Mail's editors asleep at their keyboards? Anyway, what's known is that Mr. Klyushin is in U.S. custody and that he was a very well-connected guy back in the old homeland. 

Dave Bittner: And finally, remember the story that broke back in October when the St. Louis Post-Dispatch found a misconfigured website belonging to Missouri's Department of Elementary and Secondary Education? And apparently, the department had put a lot of teachers' Social Security numbers on a publicly accessible web page? All you had to do was view page source or inspect on the web page, and there they were. The Post-Dispatch informed the Department of Elementary and Secondary Education before they published to give the state agency an opportunity to fix its data privacy issue before other people knew about it. This sort of thing is normally thought of as responsible disclosure, but Missouri Governor Parson didn't see it that way. He ordered an investigation and urged the prosecution of the reporter and the newspaper and the newspaper's corporate masters for hacking, for breaking into an IT system. We contacted the governor's office back then to see what law he believed had been broken, but we've received no response. 

Dave Bittner: Anyhoo, last week, Governor Parson said again that he expected the reporter to be prosecuted, now that the Highway Patrol had concluded its investigation and turned the results over to the responsible Cole County prosecutor. We contacted Governor Parson's office again because that seemed the fair thing to do and asked again for the governor's views on what law had been broken and how. We didn't get a response this time, either, but Governor Parson is widely quoted as saying this - quote, "If somebody picks your lock on your house, for whatever reason - it's not a good lock; it's a cheap lock or whatever problem you might have - they do not have the right to go into your house and take anything that belongs to you," end quote. The analogy seems wayward at best. A better one would be something like this - if you forgot to put clothes on and went out to the store in a state of nakedness, the other shoppers would have the right, perhaps the duty, to say, friend, put some pants on. Even in the Show-Me state, sometimes y'all just show too much - dad blame much. Know what I mean? And we hope the reporter responsible for the story has control-U'd himself into a Pulitzer. 

Dave Bittner: There comes a point in just about everyone's cybersecurity journey where you're just not sure who to turn to, whether it's a technical question, an executive decision or perhaps even an affair of the heart. John Pescatore has been in the cybersecurity world for a while now, has been around the block a few times, has seen a few things and lived to tell the tale. He joins us to help answer your questions in this occasional segment we call Mr. Security Answer Person. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

Unidentified Person #1: Mister.

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

John Pescatore: Hi, everybody, I'm John Pescatore, the security answer person. With this segment, we're going to try to answer some of those questions about the crazy terminology we see used in cybersecurity or things you might see vendors doing or the threat actors doing or consultants doing. I've worked in cybersecurity a long time. I went out of college. I joined NSA and the Secret Service early on in my career. And then for 14 years, I was a lead security analyst at Gartner, and then for over nine years, the director of emerging security trends at SANS. And lots of questions come up over those years on a lot of interesting topics and a lot of crazy terminology we use in cybersecurity. We're going to take a shot at answering some of your questions in this segment. 

John Pescatore: Today's question is, earlier this year, all my security product vendor incoming emails switched from pitching anti-ransomware products to zero-trust products. What the heck is going on, and could zero trust ever actually be a good thing? 

John Pescatore: That's a great question. For many years, I've done the grocery shopping for the Answer Person family, and we've been buying the same brand of breakfast cereal for many years. But I've noticed that periodically the front of the box would tout gluten free for a while and then high in antioxidants or no added sugars. But the ingredients on the side of the box would stay the same. Far as all the Pescatores could tell, the taste never changed. And if you left it in the milk too long, it still got soggy. Marketeers with MBA degrees like to call this brand freshening, but I like to call it buzzword surfing. Companies selling products want to try to differentiate from other nearly identical products that do all the same things because they're trying to avoid commoditization, where prices get driven down, so they jump on the latest buzzwords over and over again. Of course, pretty quickly, every vendor has done the cut and paste of buzzword n to replace buzzword n-1, and they are back to the starting line. Time to freshen up again. 

John Pescatore: So let's zero in on zero trust. But first, pardon me for a little bit more of Mr. Answer Person-splaining. When internet connectivity first began to show up in businesses, attackers took advantage, and havoc ensued. The Morris worm, way back in 1989, was an early example. That took down 30% of the internet at the time. This resulted in the development of the firewall to block everything not explicitly allowed, and for a very short period of time, life was good. However, probably the very next day, businesses found they absolutely needed new ports opened and new services exposed to the internet, and holes had to be punched through the firewalls. And attackers had a great time, leading to the damaging Slammer, Blaster, Code Red, Nimda worms of 2001 and 2003. And security folks began to add many, many more layers of security and having to rinse and repeat and keep doing it from there. 

John Pescatore: As threats evolved, by the way, this is where the term spending in depth - I mean, security in depth - came from. In 2004, a group of CISOs created something called the Jericho Forum and pushed the concept of de-perimeterization, which was based on the idea that all endpoints should be able to protect themselves without relying on a perimeter firewall and that only secure protocols should be used. This sounded good, but of course, in the real world, Windows kept having constant critical vulnerabilities show up, CISO admins kept making mistakes and setting up PCs and servers, and there wasn't a chance in hell that any real business could keep every endpoint safe without some form of external protection. The Jericho Forum faded away. 

John Pescatore: But that did lead to the concept of network access control, the idea that any time a device connected to the network, it should be checked to see if it was dangerous or vulnerable before allowing it to access an internal network. Unfortunately, NAC standards battles erupted between Microsoft - Windows internals and Active Directory are the answer - and Cisco - IOS features and switches and VPNs will solve all problems from the network - causing many implementation issues, since pretty much everyone was forced to use Microsoft software and Cisco networks. In 2010, Forrester essentially extended the basic ingredients of network access control and mixed in an emulsion of Jericho Forum tidbits and published a research note, using the very catchy name of Zero Trust. It was briefly the buzzword du jour, but quickly ran into the same real-world issues that de-perimeterization hit. 

John Pescatore: The bottom line is zero trust is only doable after you have implemented all the other security basics. For example, if users are still using reusable passwords, you can't trust identity since phishing attacks succeed so often. If you don't have a high-accuracy asset inventory, strong change management and granular privilege and application security controls, you can't trust that the endpoints aren't already compromised and dangerous. You must do the foundational, essential security hygiene steps before you can even think about zero-trust. Zero-trust can only be the end game, not the starting point. For example, in 2011, Google started working towards defining how they could achieve something like zero-trust - what Google now calls BeyondCorp. It took several years for them to even define what that meant across Google and then five more years to develop and improve the processes needed to implement something close to zero-trust. Not many companies have the resources and staff Google does, however. 

John Pescatore: So to finally answer the question. In President Biden's May 2021 executive order, one element specifically said government agencies were required to, quote, "develop a plan to implement zero-trust architecture," unquote, and overall used the zero-trust term 11 times, almost twice as frequently as he mentioned moving to multifactor authentication, which as I mentioned has to be a precursor to reaching zero-trust and which all of us know in security is the single most important thing we can do to improve security. But from that executive order flowed all that zero-trust brand-freshening spam that you've been seeing. But not to worry - in 2022, we're sure to have a new buzzword coming along. I'm betting on security turmeric. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person. 

Unidentified Person #1: Mister. 

Unidentified Person #2: Security. 

Unidentified Person #3: Answer. 

Unidentified Person #4: Person. 

Dave Bittner: We hope you enjoyed Mr. Security Answer Person with John Pescatore. We aspire to air these on the last Tuesday of every month, so make sure to mark your calendars or, if you're like me, forget and enjoy the surprise next time. If you'd like to submit your own question to Mr. Security Answer Person, email us at questions@thecyberwire.com. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Interesting story from The Washington Post. This is written by Steve Thompson. And it's titled "Maryland Governor Larry Hogan's Messages To State Employees Self-Destruct In 24 Hours." What's going on here, Ben? 

Ben Yelin: So the governor of our great state of Maryland has been using an app called Wickr, which deletes all communications after 24 hours. 

Dave Bittner: OK. 

Ben Yelin: The concern here is that this violates public records retention laws. That's why this is a legal and policy question. It seems like the governor was mostly using this to let off steam. The Washington Post obtained some of the communications, and it was, you know, things that you might hear in a private text conversation - complaining about bad media reports, saying that he's being covered unfairly, criticizing individual reporters. It's the type of thing that you would see on, you know, your own company's Slack channel, talking about your boss or, you know, your worst client or something. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: The problem is there are laws that, you know, at least theoretically, allow the public to access those communications if they're in the public domain. So the governor's spokesman said that they paid for the application through the governor's private campaign account, which is fine. But he also said that their - his communications were mostly among private individuals, so people who are not in - didn't have government jobs. Notably, that means that some of the communications were with people who had government jobs, and according to this article, they were talking about public matters in some of those communications, including response to the COVID-19 pandemic. That's where those records laws really come into play. Records laws - they're not really well-suited for an age where communications are deleted after 24 hours... 

Dave Bittner: Right. 

Ben Yelin: ...Because you can challenge, you know, the fact that a government record hasn't been released. But then you have to go through a whole judicial process that necessarily involves, you know, discovering something about the communication in question. And if that communication's been permanently deleted, then, you know, you're sort of out of luck, which leads me to believe that, you know, we might need to update our records laws to be more responsive to these types of scenarios where, you know, you have people using these applications, potentially, to skirt around these, you know, public communications regulations. 

Dave Bittner: Yeah. I guess part of me wonders about, you know, in the old days, the good old days of telephone calls with landlines and so on and so forth, perhaps a public records law like this would be able to pull the phone records, but really, all you would get from that would be the metadata - who... 

Ben Yelin: Right, which... 

Dave Bittner: ...Who I called, when, how long. But you wouldn't get the contents of the conversation. 

Ben Yelin: Right. 

Dave Bittner: And I don't know that I think it should be fair game for every one of my text messages to be discoverable... 

Ben Yelin: Right. 

Dave Bittner: ...In an era where that... 

Ben Yelin: You're also not a public official, but... 

Dave Bittner: No, no, no. Right. What I'm saying - even if I was a public official, in an era where text messaging has taken over much of what we used to make phone calls for... 

Ben Yelin: Right. 

Dave Bittner: ...Or even private conversations, is this - have we gone a little too far? I understand the need for transparency among our public officials. But at the same time, talk to any politician, talk to any businessperson, I mean, a lot of what gets done are the side conversations, and they're necessary. They have to - sometimes you have to be able to have a private conversation to get things done. And I realize that that can get you into sticky areas. But I don't know. I just wonder if we're going a little too far with this. What do you think? 

Ben Yelin: Yeah. You know, in my personal opinion, I kind of think we have - we might have gone a little bit too far. 

Dave Bittner: Yeah. 

Ben Yelin: Sometimes you get public information requests, and they're going to reveal, you know, what seems like embarrassing gaffes from politicians or business leaders. And really, to me, it's just - you know, all of us in our private communications with people have moments of levity, moments where we're making fun of somebody, you know, moments when we're using language we may not, you know, otherwise use. 

Dave Bittner: Right. 

Ben Yelin: And, you know, it just happens to be that if you are in the public sector, if you're in the government, those can be - those communications can be made public and can be used to embarrass you, and it can also lead to further investigations. So, yeah, I kind of think it has been a little overzealous. The laws still do exist, though. So, you know, I think it is the responsibility for individual government officials to make sure that they're complying with those records retention statutes. But, you know, just speaking as a human being... 

Dave Bittner: (Laughter). 

Ben Yelin: I - yeah, I do think - you know, I don't need to see every single Larry Hogan communication about a mean Washington Post reporter. 

Dave Bittner: Right. 

Ben Yelin: I don't think that's necessarily in the public interest. 

Dave Bittner: Yeah. Do you suppose that we could find a situation where these sorts of ephemeral messaging apps are prohibited for use from public officials, where they just can't use them? 

Ben Yelin: That's hard to say. I mean, we've now had a couple of states - it also happened in Missouri. They were using a similar application, and there was an attorney general investigation. This was the governor - the former governor, who was using this application. But, you know, without access to the communications, you can't really prove a violation of a statute. So it didn't really go anywhere. You know, because of that, I don't think we're going to see any outright bans. 

Dave Bittner: (Laughter). 

Ben Yelin: It just wouldn't be worth it for legislators... 

Dave Bittner: It's a loophole, Ben. They found a loophole (laughter). 

Ben Yelin: They found a loophole. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: Now, I would not be surprised if we saw some proposals, you know, especially in the state of Maryland or in the state of Missouri, trying to highlight the fact the government used this encrypted application. So yeah, I mean, you know, if you're an enterprising legislator and, you know, you happen to be a good troll, now might be a time to, you know, abolish banning communications on apps like Wickr among public officials in Maryland. 

Dave Bittner: Yeah. 

Ben Yelin: Not suggesting that; I'm just saying it might happen. 

Dave Bittner: (Laughter) Right. OK. All right. Well, again, the article's over on The Washington Post, written by Steve Thompson - "Maryland Governor Larry Hogan's Messages To State Employees Self-Destruct In 24 Hours." Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.