The CyberWire Daily Podcast 7.6.17
Ep 385 | 7.6.17

Ukraine says it blocked a second wave of NotPetya attacks. Notes on hybrid warfare and the challenges of sharing data. Will the EU get a right to repair?


Dave Bittner: [00:00:01:03] Thanks once again to all our Patreon supporters for helping us do all the things we do here. We do appreciate it. It's at

Dave Bittner: [00:00:12:18] Ukrainian police raid Intellect Service and seize M.E. Doc servers. Ukraine's Interior Ministry says this stopped a second wave of NotPetya. Affected companies continue to recover from the NotPetya infestation. US Cyber Command prepared to parry hybrid warfare. A spyware campaign hits Chinese language news services. The EU considers adopting a "right to repair," and medical information sharing runs into problems in the UK.

Dave Bittner: [00:00:45:02] Time for a message from our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire Web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily, as anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence.

Dave Bittner: [00:01:21:01] Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the Web; cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:58:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, July 6th, 2017.

Dave Bittner: [00:02:08:22] It seems that M.E. Doc, the Ukraine's widely used equivalent of TurboTax, was the way the attackers behind NotPetya got their malware onto its victims' systems. Ukrainian authorities certainly think so. On Thursday, they raided Intellect Service, whose M.E. Doc tax accounting software is believed to be the initial source of Petya/Nyetya/NotPetya, which we'll henceforth simply call NotPetya. They seized servers they say were primed to release a second wave of the non-ransomware.

Dave Bittner: [00:02:39:11] Affected firms' recovery from NotPetya continued this week, but slowly and painfully. The shipping industry, in particular, appears to be taking the lessons of NotPetya to heart, especially as it increasingly depends upon robotic material handling equipment in ports and on increasing use of autonomous vehicles. Manufacturing was also hit and companies have yet to fully recover in that sector either. Consumer goods manufacturer Reckitt Benckiser said Thursday that manufacturing disruption by NotPetya had cost it, so far, £100 million in lost revenue. UK-based Reckitt Benckiser produces several brands you may be familiar with, including Dettol, Harpic, Gaviscon, Clearasil and Durex.

Dave Bittner: [00:03:23:16] It's unsurprising that adoption of new technologies increases attack surface but it's striking to see the extent to which recovery from NotPetya drove logistics firms, in particular, to manual fall-backs and shut down manufacturing lines entirely.

Dave Bittner: [00:03:39:11] Intellect Service says it's not responsible for the malware and that its networks had been compromised by hackers. Those hackers, Ukraine continues to maintain, were in the service of Russian government, which attribution, of course, Russia continues to deny.

Dave Bittner: [00:03:55:19] People purporting to be the controllers of NotPetya gave Motherboard an apparent demonstration of ability to decrypt affected files, but the demonstration was too limited to carry conviction. Security experts continue to regard NotPetya as not having been ransomware at all.

Dave Bittner: [00:04:12:08] Most observers are inclined to credit Ukraine's suspicions and other governments remain wary. Germany, for one, expects to be on the receiving end of attempts to disrupt its September elections. That country's domestic security service doesn't think there will be an effort to support one candidate over another, but rather that hostile actors, read "Russia", will seek generally to discredit German political institutions.

Dave Bittner: [00:04:37:14] A researcher at the University of Southern California says he's found signs that the same Twitter bots that opposed Clinton's presidential campaign in the US did the same to Macron's in France. His paper is still under review but early reports say he thinks he's found signs of bots-for-hire that lie dormant until called into campaign-season service.

Dave Bittner: [00:04:58:16] If such operations constitute Russian hybrid warfare, recently concluded US Cyber Command exercises afford some insight into how at least one Western power sees itself parrying them. Cyber operations are increasingly integrated with more traditional electronic warfare and signals disciplines, and even information operations are finding their way onto the battlefield.

Dave Bittner: [00:05:21:18] The University of Toronto's Citizen Lab reports a cyber espionage campaign targeting Chinese language news sources. No attribution, but it looks like the Chinese government. The Chinese language sources being surveilled are generally located outside of China proper, and primarily serve the Chinese diaspora. The hackers appear to be located in the PRC itself. So, Citizen Lab isn't saying it's the Chinese government's the Chinese government. Coincidentally or not, online leaks about corruption have begun playing a larger role in Chinese domestic politics.

Dave Bittner: [00:05:58:01] File-less attacks continue to be an expanded threat, and we check in with CrowdStrike's Dan Larson for some updates on protecting yourself against them.

Dan Larson: [00:06:07:08] It starts by not writing anything to disc, thus the term file-less - no files are written to disc but it doesn't end there. Typically, after that, they will use built-in tools like PowerShell or WMI to live off the land, to accomplish their goals. Then the third characteristic is that they persist in a very stealthy manner, so they set up back doors that a traditional tool wouldn't be able to detect or prevent.

Dave Bittner: [00:06:36:20] So help me understand, the attack itself is fileless but it can make changes to existing files?

Dan Larson: [00:06:42:16] Yes, exactly. I think it's important to understand the back story here, to understand the motivation of the attackers. They work from the assumption that the industry standard protection is in place, and anti-virus technology, in their minds, is likely to be installed on the end-point and that's what they need to get around. Ten years ago that was easy; all you had to do was make a new variant before the AV company could update their signatures and you'd have an easy go of it.

Dan Larson: [00:07:12:00] But an important thing happened ten years ago which is the AV companies started using cloud-based reputation services that would identify the prevalence and prominence of new samples. It was that moment when things really changed for the attacker; just making a new file as an evasion technique won't work anymore, so I need to step up my game. I need to do something other than just making new variants. While there's a number of things they're doing now, the most common one is exploit kits. You simply have to visit a website, you don't have to download a file, you don't have to execute anything. You visit a website, it looks for a vulnerability and, if it's able to exploit the vulnerability, it will start running in memory.

Dan Larson: [00:07:58:18] People have to understand that this kind of technique is the new normal. According to our own data, when we respond to incidents, eight out of ten times the initial infection was from a file-less attack. Even bigger, broader data sets like the Verizon Data Breach report, say it's 50/50. So this is not an exotic, special kind of attack that's limited to small groups of people. This is the new normal for everyday attackers, regardless of what their motivation is and it's not something that's just reserved for big governments or big business. This is the reality of the new threat landscape for all of us.

Dave Bittner: [00:08:36:18] That's Dan Larson from CrowdStrike.

Dave Bittner: [00:08:40:19] The UK's Information Commissioner's Office, ICO, ruled this week that the Royal Free National Health System Trust illegally shared data with Google's DeepMind. Although the data was anonymized, the ICO ruled that, since the NHS Trust shared the data without the knowledge and consent of the 1.6 million patients involved, the Trust was in violation of the Data Protection Act. The implied consent that Royal Free and Google argued didn't fly, especially since Royal Free didn't conduct its required privacy assessment until after it had shared the information with DeepMind. Royal Free will be fined up to £500,000, a 20% discount is available for early payment.

Dave Bittner: [00:09:23:20] Computing notes darkly that, "after 25 May next year, when the EU's General Data Protection Regulation, the GDPR, comes into force, the ICO would be empowered to levy a much bigger maximum fine against both parties." It seems worth noting that whatever problems may surround this particular information sharing arrangement, sending patient files via Snapchat, as some NHS doctors in the UK are said to be doing, there being few good alternatives available to them, hardly seems an improvement.

Dave Bittner: [00:09:56:13] Some see a silver-lining even in the looming wall cloud that is GDPR. A piece in Healthcare Informatics argues that GDPR will have a salutary effect by driving faster international adoption of interoperability standards, including HL7's FHIR, the Fast Healthcare Interoperability Resources. Still other observers see GDPR as fostering the growth of a healthy security culture. Time will tell, actually about ten months from now, whether the optimists or the pessimists had it right.

Dave Bittner: [00:10:30:23] The European Parliament considers adding a "right to repair" to the EU's enumerated cyber rights. The proposed measure is being characterized as a blow against planned obsolescence, expected to have collateral benefits in terms of sustainability, environmental friendliness, and in the creation of jobs in repair shops.

Dave Bittner: [00:10:51:13] And, finally, remember the Crackas with Attitude? Straight out of North Wilkesboro or maybe Morehead City? The first member copped a plea back in January and he's received two years at Club Fed. Confederates await their fate in US and UK Courts.

Dave Bittner: [00:11:11:22] Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. Crash Override, in particular, threw a scare into the energy distribution sector. It's a real threat and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper, "Cyber Security and the Grid, The Definitive Guide", for insight into how the North American power grid works, an overview of current regulations, and a look at potential cyber threats. You'll find the guide at Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting and, while you're there, get that guide to cybersecurity for the grid. It's We thank Delta Risk for sponsoring our show.

Dave Bittner: [00:12:23:13] I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:12:29:21] Thank you, Dave.

Dave Bittner: [00:12:30:17] You and I have talked before about always-on devices that monitor in your home, things like TVs and smart devices. I want to touch on some of these cylinders that are always listening, things like Amazon's Alexa and Google Home. Apple recently announced they're coming out with a HomePod later this year. In addition, Amazon has their Echo Look Camera. It's a camera designed to go in your dressing area - seems like they're targeting women mostly to help them with fashion recommendations.

Joe Carrigan: [00:13:11:05] Correct. It's got a built in fashion sensor.

Dave Bittner: [00:13:15:02] That's all well and good, but I'm sure you had the same thought I did?

Joe Carrigan: [00:13:20:24] What could possibly go wrong?

Dave Bittner: [00:13:22:10] Let's put a camera in the bedroom where you're changing your clothes! You wanted to make the point that, in general, you think Amazon does a good job with security?

Joe Carrigan: [00:13:31:21] I think they do. They do a very good job of security but there is no such thing as perfect security and a perfectly secure system. I'm an Amazon customer, I enjoy being an Amazon customer, I've never had a problem with them. Some of the things that they've done have impressed me. For example, the way they check users' passwords by cracking them and then letting users know that they need to change their password to make them more secure. That's a proactive security measure. I love seeing companies that do that.

Dave Bittner: [00:14:04:18] Maybe there's a market for an Amazon cover or some kind of doily that you put over it. Once you're dressed, you pull it off, do the big reveal and say, "how do I look now?"

Joe Carrigan: [00:14:16:14] Or you keep it in a place where you're not changing or, like you suggest, a cover might be best. I can't think of a place in my house where I'm 100% sure that I'm not going to be walking around in a state that I'm okay with everybody seeing me.

Dave Bittner: [00:14:35:15] Inside your own home, you shouldn't have to think about it.

Joe Carrigan: [00:14:39:03] Exactly. I go back to the story about when the Amazon Echo came out and I was excited about it, I said to my wife, "We should get one of these", and then she says, "I can't believe you, of all people, want to put essentially a bug in your house." I was like, "Oh, hadn't considered that."

Dave Bittner: [00:14:55:20] Convenience over security, Joe, people choose convenience every single time.

Joe Carrigan: [00:14:59:16] They do.

Dave Bittner: [00:15:01:07] Joe, thanks for joining us.

Joe Carrigan: [00:15:04:00] My pleasure, Dave.

Dave Bittner: [00:15:07:06] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:15:19:02] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.