The CyberWire Daily Podcast 5.17.22
Ep 1580 | 5.17.22

Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.


Dave Bittner: NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads in scope and effect. Bluetooth vulnerabilities are demonstrated in a proof of concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO Alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age." And the doctor was in, but, wow, was he also way out of line.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 17, 2022. 

An assessment of the Russian cyber threat.

Dave Bittner: An op-ed by Akamai and CSO warns that the cyberwar against pro-Ukrainian countries is real and then goes on to describe the nature of those threats. They are the sorts of activity that have been much in evidence recently - Russian-aligned cybercriminal gangs engaged in ransomware and Russian-aligned hacktivist groups engaged in distributed denial of service attacks. The author urges organizations to apply sound best practices to protect themselves. Against ransomware, they recommend network segmentation. Against DDoS, they recommend conducting service validations, confirming authorized mitigation service contacts, reviewing and updating run books, performing operational readiness drills and updating your emergency methods of communication. 

NATO's Article 5 in cyberspace.

Dave Bittner: With a hybrid war in progress and NATO directly adjacent to that war's active theater of operations, the European Leadership Network has published an essay that argues for greater clarity in how the Atlantic Alliance will execute its commitment to collective defense when the attack comes in cyberspace. The authors recommend clarity for the opposition in the form of defined red lines, but most of their discussions look inward toward unity of command, toward maintaining an accurate picture of the friendly situation in cyberspace, toward regular collection and reporting of cyber intelligence and, of course, toward a clear understanding of the legal constraints on cyber activity. 

Conti's ransomware attack against Costa Rica spreads, in scope and effect.

Dave Bittner: Reuters reports that the number of Costa Rican organizations affected by Conti's ransomware attack has now grown to 27. Recently elected President Rodrigo Chavez has said that nine institutions, most of them governmental, were heavily affected and that the attacks were having an enormous impact on foreign trade and tax collection. The governments of Israel, the United States and Spain are all providing Costa Rica with assistance in recovery and remediation, but a lot of work remains to be done. 

Dave Bittner: Conti has been crowing large over its malign intentions for the Central American country, and it's worth remembering that the ransomware gang operates from Russia and with the effective protection of the Russian government. They say, just pay before it's too late. Your country was destroyed by two people. We are determined to overthrow the government by means of a cyberattack. We have already shown you all the strength and power. You have introduced an emergency. And by the way, the ransom demand has gone up to $20 million. And, I suppose adding insult to injury, they've referred to U.S. President Biden as a terrorist. Costa Rica has refused to pay the ransom. 

Bluetooth vulnerabilities demonstrated in proof-of-concept.

Dave Bittner: NCC Group researchers have demonstrated that Bluetooth Low Energy (BLE) systems are vulnerable to a link-layer relay attack. The news has been generally reported with headlines that point out that crooks could now open and start your Tesla without so much as a by-your-leave. But the problem is more widespread than that. According to NCC Group, BLE is the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smartwatches, laptops and more. It's not the kind of problem that can be resolved with a patch.

Dave Bittner: Rather, NCC Group argues, it's the kind of issue that arises when technologies are extended beyond their intended purpose. And BLE, they say, was never designed for use in critical systems. The researchers offer three recommendations - two for manufacturers, one for users. They say manufacturers can reduce risk by disabling proximity key functionality when the user's phone or key fob has been stationary for a while. They say system makers should give customers the option of providing a second factor for authentication or use presence attestation, such as tapping an unlock button on an app on the phone. And they say users of affected products should disable passive unlock functionality that does not require explicit user approval or disable Bluetooth on mobile devices when it's not needed.

CISA and its international partners urge following best practices to prevent threat actors from gaining initial access.

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - and its partners in Canada, the Netherlands, New Zealand and the United Kingdom this morning issued alert AA22-137A, "Weak Security Controls and Practices Routinely Exploited for Initial Access." The alert describes common weak security controls, poor configurations and poor security practices that are used for initial access. And it recommends particular attention to seven best practices, including controlling access, hardening credentials, establishing centralized log management, using antivirus solutions, employing detection tools, operating services exposed on internet-accessible hosts with secure configurations and, of course, keeping software updated.

The doctor was in, but wow, was he also way out of line.

Dave Bittner: And finally, there's the curious case of the crooked cardiologist, a multitasking C2C ransomware purveyor who prided himself on good customer reviews but, in other respects, seems to be something of a case of arrested development. The U.S. Attorney's Office for the Eastern District of New York yesterday announced that it had charged Dr. Moises Luis Zagala Gonzalez with attempted computer intrusions and conspiracy to commit computer intrusions. 

Dave Bittner: Breon Peace, the United States attorney for the Eastern District of New York, explained, as alleged, the multitasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims and then boasted about successful attacks, including by malicious actors associated with the government of Iran. 

Dave Bittner: So Dr. Zagala, when he wasn't using his stethoscope, was busy coding ransomware and selling it in the C2C markets. His customers included, as the U.S. attorney said, Iran, specifically the MuddyWater threat group, but many others as well. He offered both licenses and an affiliate program. His reviews in the dark-web equivalent of Yelp were pretty good, too. One satisfied crook said, I bought the ransomware from Nosophoros, and it's very powerful - and said he used the product to infect about 3,000 machines. A happy Russophone customer wrote, we have been working with this product for over a month now. We have a good profit. Best support I've met.

Dave Bittner: Dr. Zagala offered advice in chat forums, where he used the hacker name Nosophoros - disease-bearing in Greek and, fun fact, the root of the vampire name Nosferatu. He's also evidently a fan of the Marvel universe because he called some of his wares Thanos. He's still at large and living it up in Ciudad Bolívar, Venezuela, so he's unlikely to face justice anytime soon. But Thanos had better hope the FBI's New York field office doesn't find the rest of the Infinity Stones, in which case they'd snap him into Club Fed.

Rick Howard: I'm joined by Ben Rothke, a very old friend of mine, one of the original members of the Cybersecurity Canon Committee, a senior information security manager at Tapad and - how do I say this, Ben? - a voracious reader. Thanks for coming on the show.

Ben Rothke: My pleasure. You know, thanks for spearheading things and starting it. 

Rick Howard: So today we're talking about the latest entry into the Cybersecurity Canon Hall of Fame, a book called "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew J. Stewart and published by Cornell University Press in September 2021. And Ben, you know Andrew, right?

Ben Rothke: Yeah. I mean, it's one of those sort of internet friends. We've never met in person. 

Rick Howard: Yeah (laughter).

Ben Rothke: But yeah, actually, we go back, you know, a number of years. Actually, I was an advance reader of the book. So yeah, I enjoyed it from before it was publicly available.

Rick Howard: So you wrote the original review for this for the Canon project. So why is this a Cybersecurity Canon Hall of Fame inductee?

Ben Rothke: For a lot of reasons. Those getting into, you know, whether technology or anything generally or information security specifically, it's often you could just jump in and, you know, start doing things. But, you know, Santayana said those who don't learn history are doomed to repeat it. So this is in large part a history of information security. As Isaac Newton said, if I've seen further, it's by standing on the shoulders of giants. I think this really shows the context of information security, its history, where it's coming from, you know, how we got here today, how, you know, some of the issues are inherent in the design of, you know, the first computers. And some of the trajectories which were mistaken, you know, plague us today. So I think it really is a fundamental text because really, it's a - you can't just do information security. You have to, you know, understand its history. I mean, sure, you know, someone can be a firewall administrator. You could - you know, you could harden Linux boxes. So that's in a very limited sense. But if you're working at the enterprise level in the big picture and, you know, understand what this thing called security is, you know, having this understanding of, you know, how we got here today really can be a good linchpin to, you know, how are you going to, you know, move forward? 

Rick Howard: I thought the section of the book about the early history was fascinating. It covers the period of mainframe computers from the beginning of the digital age - I mean, this is way back to the 1940s - and the incipient research of how to secure them. And he makes the case that early researchers tried to design a secure computing system but never really attained that goal. And so I love that little, you know, storytelling there. Did you have a favorite part of the history that you like?

Ben Rothke: Security is all about trade-offs. And, you know, we could never build a perfect system. And when you've got complex programs with hundreds of thousands or millions of lines of code, bugs are, you know, inherent, and it's impossible to certify and improve security. And I think that's - from an academic perspective, it's almost impossible to build any system that's, you know, provably secure. But once again, you need to know that going in the real world - is that everything really is trade-off. 

Rick Howard: That's a really good point, yeah.

Ben Rothke: Once again, if you're in a, you know, small auto body shop, then, you know, security means one thing. If you're a brokerage, you're, you know, making billion-dollar trades. Obviously, you need, you know, a lot more security there. I mean, you know, he talks about the economics of security, the psychology of security that drives everything. 


Rick Howard: That's Ben Rothke, the senior manager at Tapad. And the book is called "A Vulnerable System: The History of Information Security in the Computer Age" by Andrew Stewart. And it's the latest addition into the Cybersecurity Canon Hall of Fame. For more information on the project, go to your favorite search engine and look up Cybersecurity Canon - that's canon with one N as in canon of literature, not two Ns where you blow stuff up - and Ohio State University, the project's official sponsor.


Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We were talking over on "Hacking Humans" about a press release actually that came from the FIDO Alliance. Fido stands for... 

Joe Carrigan: Fast Identity Online. 

Dave Bittner: There you go. 

Joe Carrigan: I'll never forget it again, Dave. 

Dave Bittner: (Laughter) So the FIDO Alliance, they're in the business of trying to make authentication better, more convenient, more - all while keeping it secure. 

Joe Carrigan: Yes. 

Dave Bittner: And they have some interesting news here. A bunch of big names have gotten on board to try to push some of these efforts forward. What's going on here, Joe? 

Joe Carrigan: So apparently, Google, Apple and Microsoft have committed to expanding its support for the FIDO Alliance standard. 

Dave Bittner: OK. 

Joe Carrigan: FIDO has worked with tech companies over the years to build a standard... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That is essentially public-private key authentication.

Dave Bittner: OK. 

Joe Carrigan: Right? And this standard can be implemented in a number of different ways. The most common way you see it implemented is with a - some kind of hardware token. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. So my YubiKey... 

Joe Carrigan: Exactly - YubiKey, Google Titan. There are tons of devices out there that use the standard. 

Dave Bittner: So they conform to one of - to the FIDO Alliance standard. 

Joe Carrigan: The FIDO Alliance standard. Exactly. 

Dave Bittner: Got it. Yeah. 

Joe Carrigan: The way it works is it has a secret on it, right? That secret is combined with the domain of the website that is requesting the authentication. 

Joe Carrigan: Right. 

Joe Carrigan: Right? And that's - the combination of the secret and the domain are used in the generation of a private key. 

Dave Bittner: OK. 

Joe Carrigan: It's generated on the fly, so it actually doesn't even need to be stored. 

Dave Bittner: OK. 

Joe Carrigan: The only thing that needs to be stored is the secret. 

Dave Bittner: Yeah. 

Joe Carrigan: So when you register, you actually do have to register your device, your hardware device with the server you're going to use to authenticate it. Right now, it's used as multi-factor authentication, right? 

Joe Carrigan: Right. 

Joe Carrigan: So you would enter your username and your password, and then you push a button on your hardware device that says I'm ready to do the work, ready to do the cryptographic work here. But when you register the key, you actually give them a public key that is unique to that website. So let's say you're going to register with Google - which you can do, by the way. And if you have a YubiKey, you should absolutely use a YubiKey to register - register your YubiKey with Google for authentication. And I will say this - get two of them. Right?

Dave Bittner: (Laughter) Yeah. 

Joe Carrigan: Get two of them and register both of them. You can register both of them. 

Dave Bittner: You know from experience (laughter). 

Joe Carrigan: I don't know this from experience... 

Dave Bittner: Oh, OK. 

Joe Carrigan: ...But I can see the problem coming down the road. 

Dave Bittner: I do. 

Joe Carrigan: Right. 

Dave Bittner: I do. I do. 

Joe Carrigan: Because you're going to be carrying around one of these YubiKeys with you. 

Dave Bittner: Yeah. 

Joe Carrigan: And I keep mine on my backpack, but they have little holes in them to keep with their keys. They're going to get treated roughly. They're going to be with something you lose. You know, like my backpack is actually a target for theft, right? 

Dave Bittner: Nobody's strong enough to run off with your backpack, Joe. 

Joe Carrigan: My backpack is very heavy. They will be going sufficiently slower, hopefully slow enough that I'll be able to catch them. 

Dave Bittner: (Laughter) That's right. 

Joe Carrigan: But that's not likely. I'm way too old. And I really hate running after people - just like, nah, you can keep it. 

Dave Bittner: Right. 

Joe Carrigan: But so if that happens, then you're not going to be able to authenticate to your accounts anymore. So you need a second one that you just keep at home or keep safe. Right?

Dave Bittner: Yeah. Well, let's talk about what they're pushing forward here that these organizations have agreed to roll out over the course of the rest of this year. 

Joe Carrigan: One of the things that they're looking forward to or they're actually looking at is because this is a public-private key exchange - right? - and it's essentially public key, private key authentication. It's better than the password. Right? So they're actually moving towards passwordless authentication.

Dave Bittner: Yeah. 

Joe Carrigan: And that's what these three companies have agreed to. This is Google, Microsoft and Apple agreed to it. So there are two big tech names who are notably missing here, those being Facebook and Amazon, although I will say I do have my YubiKeys registered with my Facebook account. So Facebook's already on board, I think, at least with the FIDO Alliance standard. 

Dave Bittner: So two main things they're announcing here that are... 

Joe Carrigan: Right. 

Dave Bittner: ...Going to be rolled out this year. And what are those? 

Joe Carrigan: One is they're going to allow users to automatically access their FIDO sign-in credentials, which they call a passkey... 

Dave Bittner: Yeah. 

Joe Carrigan: ...On many of their same devices, even new ones, without having to re-enroll every account. 

Dave Bittner: Ah, OK. 

Joe Carrigan: So... 

Dave Bittner: More convenient. 

Joe Carrigan: Yes. And another one is you're going to enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser that they're running. 

Dave Bittner: Oh, I see. 

Joe Carrigan: So they're going to implement a software version of the FIDO stuff. 

Dave Bittner: So you can use your mobile device with your, let's say, desktop computer for authentication... 

Joe Carrigan: Right. Yes. 

Dave Bittner: ...Again, making that more seamless, reducing friction, which, I submit, will accelerate adoption... 

Joe Carrigan: I agree a hundred percent. 

Dave Bittner: ...The easier you can make this stuff. Yeah. 

Joe Carrigan: I think if you can just get away from passwords and come up with a good, secure way to do private key management... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And all these authentication sites are storing - instead of storing password hashes or anything like that, they're storing just public keys - if those are ever breached, those are absolutely useless to an attacker. 

Dave Bittner: Yeah. 

Joe Carrigan: They have no value at all. 

Dave Bittner: Right. 

Joe Carrigan: First off, they're going to be different for every single site you go to, right? So it's going to be difficult to associate you across multiple sites - unless you use the same username or other information. I mean, then it's going to be the same old standard stuff. But it's not like a password hash. A password hash is an - you can think of it as an encrypted way of storing your password. It's really not - I mean, I guess it is encrypted, but you can't ever decrypt it. But one thing you can do is take a bunch of guesses and see if you get a match, right? That is useless against public/private key cryptography. You can't do that. 

Dave Bittner: I see. 

Joe Carrigan: The guess - you just have to start guessing the private key space. And that space is huge. 

Dave Bittner: Right. Right. 

Joe Carrigan: Right? You'll never finish. 

Dave Bittner: Right. All right. Well, I think good news here, especially that we've got these three heavy hitters on board. 

Joe Carrigan: Yes. 

Dave Bittner: Hopefully we're heading - or accelerating our journey in that direction of a passwordless future. 

Joe Carrigan: I think it's coming. 

Dave Bittner: Yeah. 

Joe Carrigan: You remember six years ago when we started doing this... 

Dave Bittner: Yeah. 

Joe Carrigan: ...When I started appearing on the show? 

Dave Bittner: Yeah. 

Joe Carrigan: We were talking about passwordless logins, getting rid of passwords, and I was like, I don't know what that looks like. 

Dave Bittner: Yeah. 

Joe Carrigan: Well, here. This is what it looks like. 

Dave Bittner: (Laughter) Fair enough. 

Joe Carrigan: Right. 

Dave Bittner: All right. Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.