The CyberWire Daily Podcast 4.21.17
Ep 333 | 4.21.17

States and gangs. Insider threats and mole hunts. The misguided vigilante behind BrikerBot. Hollywood hacks. Not a Nigerian prince this time, just the Director General of the National Intelligence Agency.

Transcript

Dave Bittner: [00:00:03:22] Cyber gangs work away at the last Shadow Brokers' document dump. A look at state connections with criminals in cyberspace, plus insider threats and mole hunts. BrickerBot's author plays a dangerous vigilante game. Hollywood's best depictions of hacking, and there are 43 million dollars in a Nigerian apartment. No, really, 43 million in cash.

Dave Bittner: [00:00:32:17] Time for a message from our sponsor, Palo Alto Networks. You can learn more about them at go.paloaltonetworks.com/secureclouds.

Dave Bittner: [00:00:41:16] With the adoption of software-as-a-service applications, data now lives beyond the traditional network perimeter. What are you doing to keep your organization’s data protected in this new environment? Palo Alto Networks integrated platform provides detailed SaaS visibility, and granular control, data governance, automated risk remediation and malware prevention. So, organizations can achieve complete SaaS protection. Palo Alto Networks has the broadest and most comprehensive cybersecurity for all cloud and SaaS environments, because secure clouds are happy clouds. Get started at: go.paloaltonetworks.com/secureclouds. We thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:33:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, April 21, 2017.

Dave Bittner: [00:01:43:22] Cyber criminal gangs are busily at work reverse engineering the tools alluded to in last week's Shadow Brokers' document dump. According to what SenseCy and Recorded Future tell CyberScoop, they're observing the dark web. These gangs are, for the most part, Russian, but with a significant fraction hailing from China. How much serious labor the gangs will have to put in is a matter for speculation, but it may be less for the Russians than for the Chinese given the degree to which Russian security and intelligence services have systematically inter-penetrated in co-opted criminal organizations. U.S. authorities showed signs of pursuing the gangs as a matter of both law enforcement and national security. BuzzFeed has a long report on the topic.

Dave Bittner: [00:02:25:04] The sources of the Shadow Brokers' leaks remain under investigation, but as the Daily Beast notes, signs in the latest set of leaks may point to an insider which could set off a mole hunt as likely to be disruptive as productive. Whether those signs were inadvertent or deliberately planted to send a message or sow discord remains unknown.

Dave Bittner: [00:02:46:04] Catching insiders bent on behaving badly is rarely as easy as it seems it ought to be. How many people have endured lectures on the motivations of those who have turned to spying. Those motives have often been summed up in the acronym "MICE", for money, ideology, compromise and ego, to which one of our stringers once heard a frustrated colleague shout during a counter intelligence lecture, "Hey, why does anyone do anything?" So, people look for the usual markers of disaffection, carelessness, instability, unexplained sudden affluence and so on, but in practice things like multiple arrests, spectacular infidelity, tendentious complaints to inspectors general, and public, but unexplained visits to Russian embassies get overlooked. "Well, he always seemed a little odd, but, well, that's just old so-and-so", co-workers say when someone's collared after a decade of spying.

Dave Bittner: [00:03:40:16] Cooler heads now think the rumor that the U.S. hacked North Korean missile test last week-end is both wishful and wayward. Sure, thinking people throughout the civilized world would like to be reassured that Mr. Kim's nuclear delivery systems could be incapacitated remotely by means short of strike or invasion, but alas it's rarely that easy.

Dave Bittner: [00:04:00:20] HackForums is an underground community known for Davy-Crockett-esque exaggeration and braggadocio, you know what we mean. Everyone who posts is half-man, half-horse and half-alligator with a little bit of snapping turtle thrown in. But the self proclaimed author of BrickerBot, someone calling himself "Janit0r" seems to be the real thing according to BleepingComputer. Janit0r registered his profile at Hack Forums on January 21, 2017, and on the 27th of that month he told the discussion board that, "You've probably seen a drop in your bot counts by now," since he killed more than 200,000Telnet devices since the previous November. He's since claimed to have bricked about two million IoT devices. Janit0r comes across as righteous and impatient. IoT botnets like Mirai are, in his view, a huge problem and one that market forces cannot, and will not, correct. So, he's taking matters into his own hands. He says, he wants to force better IoT security and won't shut down BrickerBot regardless of the damage it's causing. Janit0r, it's safe to say, is a wanted man.

Dave Bittner: [00:05:11:10] This sort of vigilante action is arguably as big a problem as the issues it seeks to redress. ICS-CERT has issued an alert for BrickerBot, and industrial control system operators have reason to be particularly concerned. ICS-CERT offers this advice, "ICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner's knowledge putting those systems at increased risk of attack."

Dave Bittner: [00:05:55:05] We heard from Nozomi Networks CEO, Edgar Capdevielle, who says BrickerBot is an obvious threat to operating technology systems where sudden failure without warning presents a very serious problem. Recovery from a BrickerBot infestation, he says, could be both lengthy and expensive. He strongly seconds the advice of ICS-CERT and adds the recommendation that plant operators look into network behavioral analysis.

Dave Bittner: [00:06:22:18] We've had occasion to talk about the Hollywood hack. The guy in the hoodie tapping intently at a keyboard for five seconds or so and then saying, "I'm in," as a kernel panic scrolls across the screen. But Dark Reading today published their list of movies and TV shows they think got infosec right. Here's their list; Sneakers from 1992, Blackhat from 2015, Enemy of the State from ‘98. Wargames in ‘83, Minority Report in 2003 and of course, Mr Robot in 2015. How about you? When do you think Hollywood gets it right, and when does it go spectacularly wrong? Let us know on Twitter, it's at the CyberWire.

Dave Bittner: [00:07:02:09] Finally, you know those Nigerian princes whose bereaved widows are always emailing us for help, transferring their late husbands legacies, well, here's a real world case out of Nigeria. That country's spy-master, their Director General of the National Intelligence Agency has been suspended on a corruption beef connected with the campaign of former President Goodluck Jonathan. Apparently 43 million dollars were found, much of it in neatly stacked Benjamins in a nice Lago apartment. The Director General's spokespeople say, the apartment was like a safe-house for spies and stuff, but the money was for covert operations and things. But President Buhari's buying none of it probably because 43 million bucks is a lot of unexplained sudden affluence, even in Nigeria. So, if you get an email from Lagos over the next two weeks, please don't click the link. Chances are they're not writing to you. Or, who knows? Maybe they are.

Dave Bittner: [00:08:05:12] Now, a moment to tell you about our sponsor, Control Risks. Successful companies look for opportunities in new markets, but where there's opportunity, there's risk. Whether you want to move your client data to the cloud, bring an office on-line in China or acquire a competitor in Colombia, keeping your information secure is paramount. To do that, your cyber security decisions must be aligned with your business strategy, driven by reducing your risk. In such complex environments, there's no substitute for expertize on the ground. With over 25 hundred employees, and 36 offices around the world, Control Risks can help you assess the risk to your business, mitigate what you can, and properly manage the rest as they have for over 40 years. If you need to get a handle on your cyber risk in an emerging market, Control Risks will meet you there. You can find out more at Controlrisks.com/cyberwire. That's Controlrisks.com/cyberwire. Check it out. We thank Control Risks for sponsoring our show.

Dave Bittner: [00:09:13:11] Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland, Center for Health and Homeland Security. Ben, welcome back. I saw a story come by recently in the New York Times about a well-known journalist and weaponization of an animated GIF. Fill us in here, what's going on?

Ben Yelin: [00:09:31:13] So, this is a download by the name of Kurt Eichenwald. He's a reporter from Newsweek. He became a target of, what we call, the Alt-Right on the Internet, sort of a group of young, generally conservative males. Eichenwald was a critic of President Trump during the campaign.. He wrote a lot of stories that were very critical of him becoming President. So, he became this online target. What happened to him in December is that one of his followers on Twitter sent him an image with an animated GIF that contained flashing capital letters with a blinding strobe light. This was significant because Mr Eichenwald has epilepsy and he's talked a lot about this epilepsy even on his social media accounts. So, the FBI conducted an investigation. They found the individual that sent this GIF. His name is John Rayne Rivello, and he lives in Salisbury, Maryland--

Dave Bittner: [00:10:26:21] Ben, just to interrupt you there. I mean, this animated GIF did trigger a seizure.

Ben Yelin: [00:10:31:11] It triggered a seizure, absolutely. So, because of Mr Eichenwald's epilepsy, his condition caused him to have a seizure when seeing this image. So, it caused significant physical harm which is not something we generally see with crimes like this. Mr Rivello was charged under a criminal cyber stalking statute, and he was charged with the intent to kill or cause bodily harm, and it seemed very unusual charge. Usually, with cyber stalking, we're concerned about two things. We're concerned about harming somebody's mental health and well-being, and that can include suicide, or we're concerned about cyber attacks, harm to somebody's Internet infra-structure, that sort of thing. It's very rare that something that you send somebody on-line can trigger physical pain and ultimately a seizure which obviously is very serious. Another thing that makes this case unique is the paper trail on it. The cyber stalker seemed to have known that Mr Eichenwald had this condition. He had mentioned it before. There was some direct messages that were uncovered as part of the investigation that he attended to activate Mr Eichenwald's epilepsy. So, unlike almost all other cases you find with cyber stalking, there's a paper trail that shows an attempt to injure and cause bodily harm. Mr Rivello, who did this, is facing up to ten years in prison for these charges, and the trial is going to take place in Texas where Mr Eichenwald lives, and it will be very interesting to see how that goes.

Dave Bittner: [00:12:03:08] Ben Yelin, thanks for joining us.

Dave Bittner: [00:12:09:11] Time for a few words about a new sponsor here at the CyberWire, Domain Tools. Whether they're phishing, or hacking, or spying, threat actors use domains and IP addresses to launch their attacks. While you might not be interested in targeted attacks yet, targeted attacks are interested in you. Your ability to map and characterize the attacker's infra-structure is crucial to defending yourself. Join Domain Tools Senior Security Researcher, Kyle Wilhoit and Director of Product Management, Tim Helming on a virtual ride along using Domain Tools, IRIS. They use real world cases to show you how you can quickly and efficiently expose the adversaries infra-structure. Join their webinar at domaintools.com/cyberwire. Learn how to protect yourself against various crime, espionage and hacktivism by seeing how investigators and threat hunters work in the trenches. Visit domaintools.com/cyberwire, and see how you can recognize the staging area of the next attack. We thank Domain Tools for sponsoring our show.

Dave Bittner: [00:13:18:12] My guest today is Carson Sweet. He's Chairman and Chief Technology Officer at Cloud Passage where they say, they enable enterprises to fearlessly embrace the power of agile computing by delivering innovative, automated security and compliance solutions. We began our discussion around the recent ruling by a U.S. judge ordering Google to hand over emails stored outside the U.S. in order to comply with an FBI search warrant. The case hinges on the federal law called the Stored Communications Act, a law that was written in 1986.

Carson Sweet: [00:13:52:04] The thing that's interesting to me is that we continue to have these fights about laws that were written 20 or 30 years ago. They were written at a time when we didn't have the kind of technology for communication that we have today, and we're seeing more of that today, and that's what we're seeing with the recent Google order. Microsoft went through this some months ago where there was a federal government order to turn over information on foreign nationals, and that was actually rejected by judges, and that was appealed and the rejection was upheld. So, that was good news for privacy, not good news for law enforcement, but this situation, the judge has actually pointed to a 30-year-old law that says, it's not a big deal to make a copy of communications from one place to another because it doesn't actually keep the account holder from accessing their data. So, it's not a form of theft.

Carson Sweet: [00:14:49:12] Possessory interest is the term that you hear tossed around in this particular case, and therefore Google should make a copy of the communication and put it on U.S. soil so that essentially the FBI can then request it and get access to it. So, it's a bit of a turnaround. It's a little bit surprising to a lot of folks, and again it looks to some very old legislation that I doubt very seriously anyone intended to be used this way because, of course, it was developed in 1986. There are a lot of laws on the books that have to do with physicality; that have to do with possession, an old question that used to come up, and it looks like it's bubbling up again in this case. If I make a copy of some-thing that's yours: a digital copy, have I stolen it from you? Right? Because theft means that you've been deprived of ownership. That kind of problem with just the way the laws are written and the context in which laws were written ten, 15, 20, 30 or more years ago, and those laws being applied to situations now is really the quagmire we're stuck in.

Dave Bittner: [00:15:53:15] What about the mismatch between the velocity at which legislation is updated, and the velocity that things develop in cyber?

Carson Sweet: [00:16:02:06] It's a great question, and I think that that is bigger challenges with the technology velocity we're seeing today. When you look back at the adoption of, let's say, client-server technology, which took over the world from mainframes, that kind of a disruption was much slower than the kinds of disruptions we see now. Adoption of web technology happened a little bit faster, and there were more ripples, if you will. With these big technology disruptions, there's usually one big seismic shift, and then there are a lot of aftershocks. As we go along in our progression, our evolution of technology, since the day's mainframe we see more aftershocks every time we see a big disruption. Cloud technology, software-as-a-service, the number of different technologies and platforms available; the number of communication modes that we have today that we just didn't have is accelerating and that's going to continue to accelerate. The way that we legislate today is extremely problematic with regards to trying to keep up with the technology advancement that's happening, and so the next one that we talk about in the security world quite often is machine learning, and artificial intelligence. These technologies are starting to have a big, positive impact on the security world and of course we don't have enough security practitioners out there, and we can't develop and grow that skill set fast enough.

Carson Sweet: [00:17:26:22] So, what does that mean from a legal perspective? It's something that a machine dictates, or a machine discovers, is that admissible? Is it something that is probable cause? There are all these issues now around artificial intelligence and machine learning. So, that's just one example of what's next with regards to legislation struggling to keep up with innovation, and the international question comes in, and that's really where a lot of the issues we're seeing today come from, is does one sovereign state have a right to gain access to another sovereign state's date under overt legal means? So, even if we do figure this out for a single nation-state, then we have to figure it out for the international community as well. So, there have been a lot of discussions around, do you have the right to delete certain things about yourself? Can you call up Google and say, "I want you to wipe out all the data you have about, here's my name and my email address?” Run that to ground for a minute around, let's say that there was a law passed in the United States that said that any consumer had the right to contact any vendor and say, "Delete my stuff," right? Very much like the "Do not call us" that we came up with. Well, then, how do we implement that? So, that alone from a practical perspective becomes a massive problem with regards to e-discovery. So, where is my data? Could any of these massive providers and collectors of data even find everywhere that my data lives, and then prove to me that it's been deleted? So, from a practical perspective I think our society has gotten to a point, we may be beyond the point of no return. At some point, the reality needs to be, what does privacy now mean in a digital society? I think that's really the bigger question, and some of these issues around the believability of personal data I think are harbingers of that conversation starting.

Dave Bittner: [00:19:17:11] That's Carson Sweet from Cloud Passage.

Dave Bittner: [00:19:24:20] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out cylance.com.

Dave Bittner: [00:19:40:01] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend everybody. See you back here on Monday. Thanks for listening.