The CyberWire Daily Podcast 7.6.22
Ep 1613 | 7.6.22

Quantum computing and security standards. Cyber war, and the persistence of cybercrime. DPRK ransomware versus healthcare. Cyber incidents and credit, in Shanghai and elsewhere.

Transcript

Dave Bittner: Quantum Computing and security standards. Notes on the cyber phases of a hybrid war and how depressingly conventional cybercrime persists in wartime. Pyongyang operators are using Maui ransomware against health care targets. Malek Ben Salem from Accenture looks at the security risks of GPS. Our guest is Brian Kenyon of Island to discuss enterprise browser security. And Shanghai's big data exposure.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 6, 2022. 

Quantum computing and security standards.

Dave Bittner: The U.S. National Institute of Standards and Technology - that's NIST - at the end of a six-year competitive search has announced the four winners in its program to develop quantum-resistant encryption algorithms. This represents a milestone en route to NIST's publication of standards for post-quantum cryptography, expected in 2024. According to NIST, the algorithms are, for general encryption, used when we access secure websites. And NIST has selected the CRYSTALS-Kyber algorithm. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. 

Dave Bittner: For digital signatures, often used when we need to verify identities during a digital transaction or to sign a document remotely, NIST has selected the three algorithms CRYSTALS-Dilithium, FALCON and SPHINCS+. Reviewers note the high efficiency of the first two, and NIST recommends CRYSTALS-Dilithium as the primary algorithm, with FALCON for applications that need smaller signatures than Dilithium can provide. The third, SPHINCS+, is somewhat larger and slower than the other two, but it is valuable as a backup for one chief reason - it's based on a different math approach than all three of NIST's other selections. 

Dave Bittner: Taking note of NIST's announcement, CISA outlines some steps organizations can take now as they prepare for developments over the next two years. CISA says although NIST will not publish the new post-quantum cryptographic standard for use by commercial products until 2024, CISA and NIST strongly recommend organizations start preparing for the transition now by following the Post-Quantum Cryptography Roadmap. That roadmap includes items like inventorying your system for the use of public key cryptography, creating a plan for transitioning to the new standards as they emerge, and preparing to inventory your vendors as compliance becomes an issue. Naturally, education and training of your workforce will be an issue and worth preparing for in advance. 

Dave Bittner: Sure, you may object. Here we are, worrying about the risks of quantum computing when it's not really even a thing yet. And to be sure, the field is in its lab bench phase, with physicists tuning lasers like they're a hot-rod Lincoln. But the sector is maturing fast, and it will be here before you know it. 

Notes on the cyber phases of a hybrid war.

Dave Bittner: Ukrainian mobile provider Kyivstar has continued to provide service during the war as it struggles to work through disruption. In Bloomberg's account, that disruption has been largely kinetic and, sadly, sometimes lethal. Physical destruction of infrastructure has been more of a problem than cyberattacks. The relatively small role Russian offensive cyber operations have played in the war so far has not prevented others from drawing lessons from Russia's conduct of its hybrid war. China is said, by CyberScoop, to be watching the action in cyberspace especially closely, with a view to sorting out its options in the event of a war to conquer Taiwan. The consensus lessons are strike quickly, pick targets that would cripple the enemy early on, and rely on attack methods that never have been observed in public. 

And cybercrime persists in wartime.

Dave Bittner: Criminals continue to shape their social engineering to events, especially tragic events. ZDNet reports that Ukrainian police have arrested nine alleged members of a gang the authorities say is using the promise of European aid checks to beleaguered Ukrainians as phishbait in a tiresome version of familiar fraud. Victims are directed to a bogus website that presents them with an equally bogus application for assistance. Ukrainian police say, through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. The victims are invited to provide their banking information so they can receive aid, and then the criminals simply rifle whatever they've been given access to. If convicted, the nine alleged thieves face up to 15 years in prison. 

DPRK using Maui ransomware against healthcare targets.

Dave Bittner: CISA, the FBI and the U.S. Department of the Treasury have issued a joint alert titled "North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector." It warns of a North Korean ransomware campaign that's been in progress since at least May of 2021. The alert says, North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for health care services, including electronic health records services, diagnostic services, imaging services and intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH sector organizations for prolonged periods. How the threat actor obtained initial access is unclear, but the warning recommends that organizations pay particular attention to the dangers of phishing and that they train their personnel to recognize it, which suggests that social engineering has played a significant role in the Maui campaign. 

Cyber incidents, risk, and credit.

Dave Bittner: How do rating agencies look at cyber incidents and cyber-risk? Moody's has sent us a pair of reports on current events, and they're interesting. The firm's Investors Service released a report detailing the credit implications of Conti's early April ransomware attack on the government of Costa Rica. The attack impacted the government's two largest revenue streams - income taxes and customs duties - and impacted the international trade and health care sectors most heavily. The report notes that this attack provides insights on the government's strength, saying that while the attacks weren't prevented, they were handled with effective solutions. Moody's anticipates the fiscal deficit to remain close to 4.8% GDP and expects to see GDP growth of 4% in 2022. 

Dave Bittner: In another report, Moody’s discusses the recent cyberattack on Clarion Housing Group in the United Kingdom and its implications for housing associations as a whole. On June 23, Clarion reported a cyberattack on their IT systems that impacted IT operations, such as scheduling repairs and maintenance. This attack comes on the heels of a number of other cyberattacks on housing associations in the past few years and highlights the need for cyber-risk mitigation. According to a recent cyber survey conducted by Moody's, cyber-risk remains small in the housing sector but is growing strongly, with 25% spending growth from 2018 to 2020. 

Shanghai's big data exposure.

Dave Bittner: And finally, several questions remain about the big data exposure incident that appears to have affected information held by the Shanghai National Police. Some of the data that's been posted online as a teaser by the person or persons trying to sell them, who goes by the name ChinaDan, have been confirmed to be genuine, but it's unclear whether all of them are. If they are the real goods, then the incident affects about a billion people, making it the biggest data exposure in history. The New York Times, like the Wall Street Journal, has been able to determine that some of the posted information is authentic. China has made no official statement on the matter. But The New York Times reports, on Chinese social media platforms like Weibo and the communication app WeChat, posts, articles and hashtags about the data leak have been removed. On Weibo, accounts of users who posted or shared related information have been suspended. And others who talked about it have said online that they had been asked to visit the police station for a chat. 

Dave Bittner: And all of this suggests some official sensitivity about the matter. Why else would they want to chat? Chat in real life - we mean. Some of the hashtags that are putting a burr under official saddles way out West, Shanghai Way, include data leak or database breach, things like that. If the data ChinaDan is offering is indeed legit - and at least some of it is - and the man and woman in the Shanghai street appear to be assuming that they are, then the risks are foreseeable - identity theft, fraud, more plausible social engineering and so forth. We're running around naked here, is a commonly quoted remark. 

Dave Bittner: One risk citizens of China face that people in most other countries don't is damage to their social credit. That's not like something in, say, Baltimore or Birmingham being worried about the effect bogus purchases with their credit card can have on their credit score. Social credit is a general assessment of a Chinese citizen's reliability, trustworthiness and good citizenship. And it's a hard, quantifiable score, with more consequences than the mere reputational damage you might sustain if you were falsely outed as, say, a Red Sox fan or a Wolverhampton supporter - shameful enough, to be sure, but trivial compared to a bad social credit score in Shanghai, where it could affect access to employment, housing and so on. 

Dave Bittner: For many of us, the web browser serves as the primary gateway to the internet, a universal app for accessing everything from search to email to online dashboards and databases. That versatility of the browser can be a mixed blessing, of course, because it can provide an avenue for infiltration for a whole host of bad actors. Brian Kenyon is one of the founders and chief strategy officer of a company called Island, who are looking to enhance enterprise security through the use of a custom secure web browser. 

Brian Kenyon: You know, third-party risk - and whether that's in the form of, you know, suppliers or true contractors who are accessing, you know, organizational resources - that entire aspect of our IT landscape has become a big concern for us. And it's been highlighted by any number of breaches or incidents that have taken place, either through third-party access or third-party contractor access into an organization's network and applications and ultimately their data. So organizations over several years have been going to great lengths to try to get control back and be able to accurately assess, determine the risk posture of an individual or entity that might be accessing their resources and then apply appropriate controls. And so if you look at the evolution of how folks and organizations have dealt with this third-party risk, it started off with organizations would - they wanted to ensure it was their device connecting to their resources, so they'd go through the practice or methodology of shipping a device to the contractor, to the organization. Now, as you multiply that out, it gets really expensive. And as you start looking at, you know, the current supply chain woes and constraint we have, organizations are having a hard time finding devices and actual physical hardware to actually ship in a timely way. So that gave way, over time, to both, you know, virtual desktop infrastructure as well as a desktop as a service to try to extract the third party's device from the equation and just present them with an access capability that just presented a corporate desktop to them. But at the end of the day, that became extremely expensive. It's costly to both license as well as run and manage, whether it's in the cloud or even in a traditional on-prem hardware type of virtualization. So organizations that have gone through this journey are looking for a new, better way to bring these folks on board. 

Dave Bittner: And so where does it seem things are headed? What are some of the options on the horizon here? 

Brian Kenyon: Yeah. You know, there's been a lot of technologies that have tried to simplify this problem. And, you know, what we see actually is - it's actually a pretty common recurring pattern in security where we looked at the symptoms of things. You know, what is the problem? Well, we can't get hardware, so let's try to find something that's easier to deploy like VDI or desktop as a service. Or let's try to find something that's lightweight that they can install, like an extension in a browser or maybe an agent. And all of those are met with different friction points. But at the end of the day, they don't really, truly provide the solution we're looking for, which is, I want to attest to the type of environment my contractor's using to connect to my resources. I want to ensure that no data is lost or no data spills onto that contractor device. And I want to make sure that, ultimately, I can govern and have an accurate audit log of everything that contractor is doing when they're accessing my resources. Those are the real capabilities we're looking to try to solve when we think about third-party risk. And so we've seen a number of solutions, but all of them fail in one form or another, either in the user experience, in the cost or in the complexity of deployment. So we're seeing a big shift now where folks are looking for lightweight options that give the contractor, that third-party user, a very native experience. And many people are going back to a controlled web browser as a vehicle to engage this type of behavior. 

Dave Bittner: So when you say controlled web browser, what specifically is involved with that? 

Brian Kenyon: Yeah. So, you know, we've seen - and obviously, from Island's perspective, we've innovated around the ability to have a browser that is familiar to the end user but that the organization has ultimate control over - so what it can do, the actions it can perform - both the user as well as the browser itself - and the types of activities you want to permit. And so what organizations have seen is, A, from a deployment perspective, all you're doing is you're asking your third-party contractor to download and install a web browser, something that they do multiple times throughout their career and probably multiple times across multiple devices. And then, ultimately, they authenticate to the browser, and then the browser has all the security controls built into it. So if the organization decides, I don't want anything from that contractor system making it into my application, then you prevent uploads and downloads. You could prevent copy and paste. You could prevent all these types of activities that we've long feared and have used technologies like VDI to try to control. 

Dave Bittner: You know, I'm probably revealing myself as a bit of an old-timer here. But in a way, it kind of reminds me of, you know, the old days when browsers would have a kiosk mode, you know. And you would often see it used at the - you know, at the mall or the shopping center or someplace like that where they wanted to limit access. But it seems like this is, in some way, an evolution of that. 

Brian Kenyon: Yeah. It's almost an evolution back in history - right? - because as we look at it, you know, the cycles in IT tend to go from thin to thick client back to thin. And we find ourselves moving back to this thin client as we've really raced to the cloud. We've raced to SaaS. And now we're racing to remote employees and remote work and work from anywhere. And so more and more of our daily activities have actually moved into the browser. But when you think about that, it's the one enterprise application that doesn't actually have control and governance for the enterprise. And so when you think about what we do with contractors and third parties, we're really provisioning a VDI or these remote desktops or even shipping them laptops and hardware just so they can open a web browser that we don't control and access the applications that we're worried about. It's time we've given control back of this application back to the enterprise. And in this case, it's a great use case to quickly, very inexpensively and very securely onboard those contractors. 

Dave Bittner: That's Brian Kenyon from Island. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the technology research director for security at Accenture. Malek, it's always great to welcome you back. You know, I was, over the weekend, visiting some friends, and I had their address dialed in with my GPS. And I was thinking to myself, oh, these kids today, they're never going to know a world without GPS. But of course, there are some cyber-risks that go with GPS. So I wanted to touch base with you on that today. What can you share with us? 

Malek Ben Salem: Yeah. We don't think of GPS as a risk, you know, whether we're businesses or individuals. But it turns out that this system, this global positioning system, is very vulnerable to either signal spoofing or signal jamming, right? So signal jamming is when threat actors can jam the signals so that you don't have access to the signal that you need to access the GPS system, and spoofing is when they feed you the wrong information. And because of this risk, the U.S. government actually has paid attention to this problem and has issued a number of - has drawn attention of the businesses to this problem, has issued a number of guidelines that businesses should follow. 

Dave Bittner: What sort of things have they suggested? 

Malek Ben Salem: So, you know, they developed a framework for the risk that is aligned within this framework, which I can share the links for. And there's a number of libraries now that device developers can use in order to authenticate and to validate the information that they're receiving by the GPS systems. And some of the recommendations is to also, you know, not rely on GPS systems only, but rather validate that information with other systems like radar systems or, you know, more new tools like satellite information to identify whether the GPS information is actually correct or not. 

Dave Bittner: Now, there's more than one GPS system up there, right? I mean, there's the U.S. system. But don't the Russians have their own system as well? 

Malek Ben Salem: Exactly. Yeah. So one of the defense mechanisms, I guess, that some businesses and organizations have been using is not just to rely on the U.S. system but also use the Russian system as an alternative in case the U.S. system goes down. But obviously, that comes with its own risks - right? - especially in the context that we are in, in this, you know, war against Ukraine. That system is not reliable - intentionally, in some cases, not reliable. You know, the Russians may be spoofing - deliberately, you know, sending wrong information. So it's not recommended to rely on that system as an alternative. It's better to use other means, like, you know, radar information or, you know, visual aids, to identify where your location is, whether you're on a ship or, you know, as an aircraft pilot. It's better to use these or combine, let's say, at least, these other sources of information together with GPS information. 

Dave Bittner: Yeah. I've seen reports, I suppose, particularly affecting ships at sea, where there have been some spoofing incidents where, you know - and you can imagine the problems with that. If a ship gets too close to land because it thinks it's not where it actually is - well, that's trouble. 

Malek Ben Salem: Oh, yeah, absolutely. And not just as, you know, commercial ships, but if you are - you know, if you own a boat - right? - and you go to an area where, you know, the waters are being, you know, disputed between two different countries or there is a military exercise in the area, then the signal may be jammed or spoofed deliberately, right? Or if there is a VIP in the area - right? - who don't want to get their location revealed, then it's likely that that signal will be jammed. So you don't want to rely on it in that case, and you want to have some alternative mechanism. 

Dave Bittner: So what are your recommendations here? I mean, is this the kind of thing where, you know, folks who would be likely to have issues with GPS problems, they probably already know it? 

Malek Ben Salem: So for organizations, I think the recommendations is to rely on the U.S. government recommendations and resources that have been provided. Again, for device manufacturers or device developers, there's libraries that are available that have to be checked and used in the software. But for average users like you and I, there is an app that can be used to detect if there is GPS jamming in the area. And at least when you detect that, then you know you cannot rely on the GPS information that you have. 

Dave Bittner: Wow, interesting. All right. Well, Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.