The CyberWire Daily Podcast 8.3.22
Ep 1633 | 8.3.22

Tories delay leadership vote over security concerns. Cyber phases of Russia’s hybrid war. CHinese patriotic hacktivism vs. Taiwan. Malware designed to abuse trust. Putting a price on your privacy.


Dave Bittner: Tories delay a leadership vote over security concerns. A summary of the cyber phases of the hybrid war. Cyberattacks affects three official sites in Taiwan. Malware designed to abuse trust. Gunter Ollmann of Devo is here to discuss how cybercriminals are winning the AI race. Renuka Nadkarni of Aryaka explains how enterprises can recession proof their security architecture. Plus, putting a price on your privacy.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 3, 2022. 

Tories delay leadership vote over security concerns.

Dave Bittner: GCHQ's National Cybersecurity Centre advised the U.K.'s Conservative Party that its upcoming vote for a new leader could be vulnerable to interference, specifically manipulation. And the Tories have decided to postpone the vote of Prime Minister Boris Johnson's successor until the issues can be satisfactorily addressed. The Telegraph quotes the NCSC on its role in election security, stating, defending U.K. democratic and electoral processes is a priority for the NCSC. And we work closely with all parliamentary political parties, local authorities and MPs to provide cybersecurity guidance and support. As you would expect from the U.K.'s National Cybersecurity Authority, we provide advice to the Conservative Party on security considerations for online leadership voting. There was, the Telegraph reports, no specific threat from any state, but NCSC alerted the party to vulnerabilities in its plans for online balloting that could have interfered with credible voting. Paper ballots will be delivered to party members later this month. 

A summary of the cyber phases of the hybrid war.

Dave Bittner: Nozomi Networks this morning published its OT/IoT Security Report and in that report details what it's observed during Russia's war against Ukraine. While others have expressed surprise at the relatively ineffectual character of Russian offensive cyber operations, Nozomi's report highlights the attacks that Russia is known to have carried out in cyberspace. It concludes that cyber operations have now clearly established themselves as a force multiplier. That is a factor in combat power that gives a force greater capabilities than its unaided numbers would enable it to achieve in contemporary combat. The report draws three major lessons from the hybrid war. 

Dave Bittner: First, war increases cyberactivity. Of the varying threat actors and motives, nation-state advanced persistent threats are the most active during wartime. They are less financially motivated and more focused on cyber-espionage, spying and disrupting communications and other critical enemy systems. Some companies become incidental casualties of cyberwar as a result of threat actors' attacks on their targets. 

Dave Bittner: Second, private companies are stakeholders in war. In addition to military and government entities, private companies, especially critical infrastructure companies, are also prime targets during wartime. Companies should maintain a heightened security posture and cooperate with their governments to safeguard assets in the event of a war. 

Dave Bittner: And finally, wartime contingency and data security strategies are necessary. Ukrainians relocated their sensitive servers out of the country in case of physical attack was launched on their communications infrastructure. An attack on in-country servers could prevent Ukrainians from organizing efforts with domestic troops and even allies, putting them at a disadvantage during war. 

Dave Bittner: Both sides have been active in cyberspace, but Russia has been responsible for the preponderance of offensive cyberaction. Nozomi describes Russia's use of wiper malware as a distinctive and characteristic feature of its cyber operations. The effects of the attacks haven't been either massive or widespread, but that, apparently, isn't for want of trying. 

Cyberattacks affect three official sites in Taiwan.

Dave Bittner: Yesterday, as the U.S. speaker of the House, Representative Nancy Pelosi, a Democrat of California's 12th District, prepared for her visit to Taiwan, cyberattacks briefly took down at least three Republic of China websites. The New York Times reports, the official website of Taiwan's presidential office was attacked around 5 p.m., according to a statement from the office, several hours before Ms. Pelosi's landing. The site's traffic shot up to 200 times that of a normal day, leaving the website unable to display any content for 20 minutes. It resumed normal operation after the problems were fixed, according to the statement. Taiwan's Foreign Ministry website and the main portal website for Taiwan's government also experienced cyberattacks on Tuesday, according to Joanne Ou, spokeswoman for Taiwan's Foreign Ministry. 

Dave Bittner: Early Wednesday, the websites appear to have resumed operation, although Ms. Ou said they were still fixing the problems. The incidents were all distributed denial-of-service attacks, and Politico cites various experts who assesses them as patriotic hacktivism, not operations carried out directly by the Chinese government. The attacks were consistent with official Chinese expressions of strong and clear disapproval of the speaker's visit to Taipei and of vaguer threats of retaliation. But that's also consistent with patriotic hacktivism, as the SANS Internet Storm Center points out. The Washington Post dismisses the incidents as no big deal, saying that the attacks were probably not all they were cracked up to be. And that's about par for the patriotic hacktivist course. 

Malware designed to abuse trust.

Dave Bittner: VirusTotal has released its report, titled "Deception at Scale: How Malware Abuses Trust," which details abuse-of-trust approaches threat actors use to spread malware, avoid defenses or improve the success of social engineering. Researchers discovered that 10% of the top 1,000 Alexa domains have distributed suspicious samples, with 0.1% of legitimate hosts for apps having distributed malware. Researchers have also noted a continuous increase in malware that mimics legitimate applications, with Skype, Adobe Acrobat and VLC as the top three. In terms of social engineering, 4,000 samples either executed or were packed with legitimate app installers. 

Putting a price on your privacy.

Dave Bittner: And finally, what is your personal data worth? Really - on the market - and of course, we mean the criminal market - what would your digital information fetch? TrustWave's SpiderLabs has done some window shopping so you don't have to, and they found that prices are pretty low, which, as usual, suggests that the hoods' secret, if they have one, is like Crazy Eddie's - volume. SpiderLabs puts it in terms adapted to the meanest understanding. They say, for the price of a Starbucks Caramel Frappuccino Grande and a cheese Danish - about $8 - a cybercriminal can obtain all the information needed to max out a person's stolen credit card and possibly steal their identity. The crooks sell the personal data they collect because it's easy and because it gives them quick cash. 

Dave Bittner: Admittedly, the common stolen paycard fullz - and fullz means the basic card info comes with enough ancillary data like name, address, Social Security number, driver's license, bank account credentials and sometimes even medical records to give the user the verisimilitude necessary to put the scam over - the common stolen paycard fullz, SpiderLabs says, is at the low end of the price range. Classier cloned cards will bring a lot more, say $50 to $1,000 depending on the card's credit limit. And access to a bank account suitable for draining can be had for the low, low price of $100 to $3,000. And who could turn that down? It's like the boss is on vacation, and they've all gone crazy in Whacky Ivan’s Nuthouse of Criminal Bargains. 

Dave Bittner: Some of the C2C offerings are clearly designed for the discriminating goons who are playing for bigger, high rolling stakes. Access to a virtual private network goes for $2,500. And SpiderLabs found an ad for an entree into a corporate network priced at a cool five grand. So our advice is, well, be careful. Don't get your data, like, stolen, you know? And that advice and eight bucks will get you a venti latte at your local Starbucks, plus a decent selfie of you holding your forged documents like that license that says you're 21 and your name is McLovin. 

Dave Bittner: Just a few years ago, artificial intelligence and machine learning were the hottest buzzwords in cybersecurity, the must-have features that no marketing team could resist bragging about. Thankfully, in the intervening years, things have settled down a bit with the true utility of AI and ML unencumbered by so much marketing hype. 

Dave Bittner: Gunter Ollmann is chief security officer of security firm Devo, and he and his colleagues recently released research tracking the use of artificial intelligence by cybercriminals and that, for the moment, they may have the upper hand. 

Gunter Ollmann: AI was certainly the buzzwords - it was plastered everything. I think this year - I made the joke that this year it's - X is the new NG in front of everything. 

Dave Bittner: (Laughter) There you go. 

Gunter Ollmann: Right. But I think there's been, you know - it's good that AI has sort of shifted over the marketing pen and into the hands of the coders and the engineers, right? What we've seen is that, you know - AI actually genuinely being applied into the security technologies that are making it to the hands of customers and SOC teams and, you know, security analysts for the first time. 

Dave Bittner: And so along with that, I suppose this is falling into the hands of the bad folks as well. 

Gunter Ollmann: Unfortunately, yes, right? And I see it in two ways. So one is the bad guys are leveraging, you know, smart code, smart, you know, AI systems to understand their adversary and to data-mine their adversaries. And the other side is attacking the AIs that the good guys or the targets actually use to extract confidential and personal information out and, you know, and maybe influence the AIs that are out there in a positive or negative manner, depending on what their - what the adversary's goals are. 

Dave Bittner: And so where do we find ourselves now in terms of this arms race? Is it - is there any clarity on who might have the high ground here? 

Gunter Ollmann: Oh, I think the key part there would be the adversaries have been leveraging public AI and have been influencing many of the, you know, chatbots and extracting data from that external surface of AI. But I think the good guys are doing much better in, you know, leveraging AI and, you know, subsets of machine learning and, you know, data leak analytics to better understand the threats and the attack surface, which has meant it's become a lot easier to identify, track and provide attribution to their adversaries. 

Dave Bittner: One of the things that caught my eye in the research that you all shared was that a lot of organizations seem to be struggling when it comes to implementing AI. What were some of the findings there? 

Gunter Ollmann: I think it may tie back to your first question there - and about, you know, the marketing pitch, you know, that was plastered on everyone. So I think expectations were very, very high and that AI was sort of seen as a silver bullet, for want of a better term, right? And, you know, the reality is that, you know, we're - AI isn't going to displace the human today. You know, AI isn't the thing of, you know, of the movies. And where the technology is today is really, you know, using and harnessing AI to augment the human analyst and to increase the automation, you know, and the - speed up the workflows of those humans, you know, and the monitoring systems behind the scenes. 

Dave Bittner: Are there particular areas where organizations are finding AI to really slot in and be an effective tool? 

Gunter Ollmann: I think the key parts that we're seeing here has really been in the security analytics space - the ability to finally, you know, make use of that data, in particular, you know, logs, you know, logs and events that have been collected, you know, and streaming, and over the years, you know, those terabytes or petabytes of data to actually harness the value out of them. So what we're seeing is the use of AI as being uses that transition from storage of data as a compliance tick box into the ability to deliver a return on investment for, actually, you know, keeping hold of those logs. And we're actually seeing them, you know, identify new threats. But it does sort of change the paradigm of - previously the analysts - the human analysts were looking at that data, and there'd be a lot of, you know, cheering and whooping when they found something in there. You know, it'd be the literally hunting for the needle in the haystack. Now, with the AI and the AI systems that they have involved in these processes, they are now finding haystacks of needles. And so they're moving into a new paradigm of how to manage haystacks of needles. 

Dave Bittner: (Laughter) They need to throw some AI at that problem, right? 

Gunter Ollmann: (Laughter) That's correct. 

Dave Bittner: You know, based on the information that you all have gathered here, what are your recommendations? What sort of take-homes are there here? 

Gunter Ollmann: They're model ones. I think one of the key things really is in the classic sense of security, it's better to not roll your own. There's - you know, there's a lot of very smart people, you know, and there's a lot of great research going on in the community. You know, so best harness that collective wisdom, you know, and that collective contributions to AI and machine learning systems is one key part. The second part in my mind, really, is that many and much of the advanced AI is actually embedded with inside the cloud services that security vendors are now providing, as opposed to the endpoint of the software that you're installing on premise. And I think one of the key parts is, you know, becoming more and more important, which is that those vendors need to be able to explain in detail to their purchasers and the operators how these systems actually genuinely work and to provide real metrics of true positive, false positive, you know, and other operational considerations that help elevate the trust of these AI systems. 

Dave Bittner: That's Gunter Ollmann from Devo. 

Dave Bittner: Economists may not all agree whether or not we are actually in or unavoidably headed toward a recession. But there's no question we are in the midst of serious inflation, with many organizations calling on managers to tighten their belts or do more with less. But, of course, the cyberthreats aren't slowing down. For insights on where we're headed, I checked in with Renuka Nadkarni, chief product officer at cloud and SASE provider Aryaka. 

Renuka Nadkarni: So what we are seeing is there is multiple factors happening at the same time, and the macro trends, as we all know, have been changing dramatically. So the first and the foremost, the umbrella that we talk about is the whole concept of digital transformation. And what's happening is enterprises are going through this major shift in terms of digital transformation because of the factors like COVID and how the way people do business, how the way consumers consume, you know, different services, that's changing dramatically. So at a very high level, there is a existential need to change the way people do business by using technology, by enhancing and advancing the, you know, technological aspects, the networking aspects that customers have. Within that, what we are seeing is there is a tremendous focus on agility, which is how do I do things faster? And what that means is the organizations are under tremendous stress to, A, go through a massive change, but, B, they also need to do it fast, agile, in a simple, convenient way. 

Renuka Nadkarni: And among all these things, there is another big shift that's happening on the attacker or the security side of things, where attackers are also now getting much more sophisticated. The kinds of things that we saw back in the day, like advanced threats, which were sort of reserved for privileged financial and federal customers, are now become commonplace, and attackers don't discriminate. They actually go after certain kinds of things that they see a pattern. And basically, no matter which industry you are, no matter what the size of your business is, they actually are equally susceptible and equally vulnerable to these new kinds of attacks and threats. 

Renuka Nadkarni: So we are seeing a lot of changes in the macro trends on both sides. One is the tremendous pressure our customers are under to make their business run. And on the other side, the attackers are also getting more sophisticated. And in the midst of all of this, we are going through, as we all believe, some kind of a recession. The U.S. inflation is at 8.5%, its highest over the last 40 years. And there is also tremendous pressure in the job market with shortage of skills. So you're trying to cope with all these moving parts, but you don't have actual, you know, ability to hire people, A, because of the capital but, B, also a shortage of skill set. It's like a perfect storm. There's too many moving parts. Everything is coming together almost at the same time. And taking us through this requires a lot of persistence and, you know, good technology that can help us through this process. 

Dave Bittner: Yeah. I mean, you know, we hear this phrase that, you know, we're going to have to do more with less. And I think more organizations are hearing that right now. As you say, belts are tightening. You know, money - the flow of money is perhaps slowing down. What sort of things do you think can ease some of the pressure that organizations are feeling? 

Renuka Nadkarni: So as I was mentioning, there is two very big trends. The security attacks - they are becoming so prevalent. There is tremendous pressure on the organizations. This is a boardroom conversation where security is paramount. If there is a breach or a ransomware, it makes a big goal on the business. So it's absolutely something - you know, our customers are feeling pressure. While there is a need to tighten the belt, there is also this tremendous pressure to get better at what we do, get digital transformation done, get it done in a secure way. 

Renuka Nadkarni: So the challenge there is how do you survive in those both opposite sort of requirements, and how do you address those? And what we see is that when people think about this, the first instinct is to buy new security products, try to, you know, get them work and run. But clearly, one of the things where we see our customers base tell us as a challenge is even if you buy the best security product, unless you can enforce it consistently and ubiquitously, it's actually ineffective. So there is this race going on, which is, which security product should I implement in my network? And it has caused tremendous confusion because of the fragmented solutions that are out there. 

Renuka Nadkarni: So it's not just a matter of like, I need - I already know I need to secure, but now I don't even know where to begin because the whole offerings are fragmented, which by themselves introduce new attack surfaces. It has sort of two-phase effect. One is, A, I need to choose what kinds of security to put where for it to be effective. And then the second problem is, I don't have skilled labor. I don't have workforce. I don't have people who can actually manage it on a day-to-day basis. So even if I do manage to get something in my network, how do I get the right skill set? How do I make sure that I can manage it on a daily basis? So it's a very pronounced sort of a challenge, and I think that's where some of the things that we talk about as solutions come into play. 

Dave Bittner: You know, for that person who knows that they have a meeting with their board of directors coming up and they see these economic headwinds coming, you know, money is going to be tighter. What are your recommendations? How do they go about prioritizing the decisions that they make? 

Renuka Nadkarni: First and foremost is looking at any solution that you're talking about holistically. I think that's the most important thing that you need to consider. And what I mean by that - it's not a one-time installation. It's not, like, set and forget because security is something that you need to constantly watch, monitor, and that is really important. So at Aryaka, we are actually a big fan of integrated networking and security, as we call it. And it solves multitude of problems that I described earlier, including the challenge of fragmented security solutions, including the management of the first-time configuration, ongoing monitoring, as well as incident response if something happens. It also ensures that this is a holistic solution that customers can actually implement and can take care of from a networking as well as from the security needs perspective. And it really gives you consistent and ubiquitous security controls, which can be applied globally for global connectivity, no matter where the user saw it and no matter where the applications are. 

Dave Bittner: That's Renuka Nadkarni from Aryaka. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.