May hands Putin an ultimatum (and cyber conflict is expected). HenBox spies on Uyghurs. Vixen Panda creeps into UK targets through backdoors. Changes at US State Department, CIA. SINET ITSEF notes.
Dave Bittner: [00:00:01:00] Thanks to all of our Patreon supporters. You can find out how you can support our show at patreon.com/thecyberwire. Just a few bucks a month can make a big difference to us here. Thanks a lot.
Dave Bittner: [00:00:13:20] Britain gives Russia an ultimatum. Cyber conflict between the two countries is widely expected. Palo Alto's Unit 42 finds HenBox Android spyware. NCC Labs describes Chinese backdoors used against UK Government and industry targets. President Trump replaces Secretary of State Tillerson with DCI Pompeo. Gina Haspel is tapped as next DCI. And a wrap-up of SINET ITSEF.
Dave Bittner: [00:00:45:24] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough.
Dave Bittner: [00:01:08:04] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay a step or two ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:55:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, March 13th, 2018.
Dave Bittner: [00:02:04:11] UK Prime Minister May has demanded an explanation from Russia, by midnight tonight, of the March 4th attempted assassination by nerve agent of former GRU officer Sergei Skripal and his daughter Yulia. Russia will not comply. Foreign Minister Lavrov dismissed any notion of Russian complicity as "nonsense." Essentially, no one believes this. The poison used was an unusual nerve agent, Novichok, developed by the Soviet Union during the Cold War's endgame. No other country is known to have stocks of Novichok.
Dave Bittner: [00:02:38:24] The British view, which Prime Minister May expressed directly when she had the Russian ambassador summoned to the Foreign Office for an explanation, poses Russia with a dilemma. Either Russia lost control of the nerve agent, or Russia committed "a direct action" in Salisbury, England. Neither horn of the dilemma is a palatable one for Russia to grasp, and it seems unlikely that there's any face-saving way of slipping between the dilemma's horns.
Dave Bittner: [00:03:04:20] The Prime Minister said, "This attempted murder using a weapons-grade nerve agent in a British town was not just a crime against the Skripals, it was an indiscriminate and reckless act against the United Kingdom, putting the lives of innocent civilians at risk. And we will not tolerate such a brazen attempt to murder innocent civilians on our soil." 21 people, including the Skripals, required medical treatment after the attack. Hundreds of others were offered chemical decontamination, so this assassination attempt was more indiscriminate than most.
Dave Bittner: [00:03:38:01] Russia is not in a repentant mood. Speaking for the Russian Foreign Ministry, Maria Zakharova dismissed the Prime Minister's talk as so much theater. As reported by CNN, Zakharova said, "This is a circus show in the British Parliament. The conclusion is obvious. This is another information and political campaign based on provocation. Before composing new fairy tales, let someone in the kingdom tell you about how the previous ones about Litvinenko, Berezovsky, Perepilichny and many others ended."
Dave Bittner: [00:04:08:23] The last three named are other Russians who were murdered in the UK. They are generally thought to have been assassinated by Russian security services for spying on behalf of Western governments. Skripal himself had been convicted in Russia of spying for MI6. He was released to live in the UK as the result of a US-brokered spy-swap.
Dave Bittner: [00:04:29:21] Prime Minister May's language has been unusually direct. "Should there be no credible response, we will conclude that this action amounts to an unlawful use of force by the Russian state against the United Kingdom."
Dave Bittner: [00:04:44:05] The UK has darkly promised some form of retaliation. Sanctions, expulsions, and so forth would be the norm, but they may have more in mind. Home Secretary Rudd said the retaliation may be covert or clandestine, which, taken with last week's Cabinet statement on cyber defense, is being read as hinting at retaliation with some form of cyberattack. That in turn is expected to summon further Russian retaliation.
Dave Bittner: [00:05:09:17] The US has deplored the attack and said it stands firmly with its ally.
Dave Bittner: [00:05:16:03] Have you considered that testing your network for vulnerabilities may draw undue attention to it? Tom Badders is from Telos, and he joins us to make the case that obfuscation and the use of cloud infrastructure can make it harder for adversaries to make sense of what you're up to.
Tom Badders: [00:05:32:11] Cyber threat intelligence professionals are attempting to do their research and investigation and thwart attacks using standard or their own basic networks from inside out. Many times what happens is cyber criminals are just sitting out there listening, to see who's doing what, to find vulnerabilities for attack. So new tools are required to really do this job well and separate those activities from corporate or enterprise networks through the use of cloud based obfuscated networks that are separate from the enterprise networks. So, basically, do your work to identify threats on a separate network than your own.
Dave Bittner: [00:06:34:19] So take us through the details of that. How can you test your network using a separate network?
Tom Badders: [00:06:40:24] Really, when you test your network, you want to do that from the outside in, right? You want to find out who's looking at your network and who can get into your network. So, you use an obfuscated or managed attribution network that will hide your identity, hide your location and encrypt all of your data, so that no one can attribute your activities to you.
Dave Bittner: [00:07:14:00] So it sounds to me like with this security comes a certain level of increased complexity. How do you balance that complexity against the potential for the increased security?
Tom Badders: [00:07:24:10] From the user's perspective, it's fairly simple. From the user's perspective, they get, for example, a VPN profile that, when they're connected to it, automatically connects them to this infrastructure. So, from a user's perspective, it's not complex at all. From a network development perspective, it's just a matter of setting up nodes in a virtualized environment. Go to AWS, go to Azure, go to any number of different cloud providers, buy a VPS for $30 to $60 a month, and buy a number of them, tie them together with the software, and create a network. There is quite a bit of complexity in setting up the network, knowing how to configure it, and ensuring that the end user's device that's being used is configured such that there's no digital exhaust that is not planned coming from that device into the network.
Tom Badders: [00:08:37:01] That's a lot of the problem. Once you set up your browser to access the internet to do your threat intel, or do any kind of business communications using the internet, typically there are digital exhausts, digital breadcrumbs that are put out from your device. And that's what causes many of the issues, of course, for cyber criminals accessing your network. So ensuring that the attack surface is eliminated is key to the capabilities of these obfuscated networks.
Dave Bittner: [00:09:18:02] That's Tom Badders from Telos.
Dave Bittner: [00:09:22:06] Palo Alto Networks Unit 42 this morning published a report on HenBox, a family of Android malware that represents itself as legitimate apps available on third-party app stores. HenBox is spyware, an information-stealer that seems designed to target China's Muslim minority. Unit 42 doesn't offer attribution, but the target set strongly suggests a Chinese government domestic intelligence operation.
Dave Bittner: [00:09:47:18] NCC Group reports that a Chinese threat actor, APT 15, also known as Mirage, Vixen Panda, or Playful Dragon, has been actively prospecting British Government agencies and defense contractors through a series of backdoors.
Dave Bittner: [00:10:04:18] The US Government has for reasons of national security stopped Broadcom's attempted hostile takeover of Qualcomm.
Dave Bittner: [00:10:13:01] The AP reports this morning that US President Trump has dismissed Secretary of State Rex Tillerson. Director of Central Intelligence Mike Pompeo is said to be his replacement. President Trump tweeted a summary of the decision: "Mike Pompeo, Director of the CIA, will become our new Secretary of State. He will do a fantastic job! Thank you to Rex Tillerson for his service! Gina Haspel will become the new Director of the CIA, the first woman so chosen. Congratulations to all!" In other statements, President Trump thanked Secretary Tillerson for his service, expressed appreciation for his work, but also indicated that he and Tillerson hadn't really been thinking along the same lines for some time.
Dave Bittner: [00:10:54:23] Gina Haspel, the new prospective Director of Central Intelligence, is a career intelligence officer who joined the Agency in 1985. She became the CIA's Deputy Director last February. She had previously served under former DCI John Brennan as acting Deputy Director of the National Clandestine Service.
Dave Bittner: [00:11:14:07] We wrap up our coverage of SINET's annual ITSEF conference today. Among the many interesting takeaways from the conference were the importance of resilience, clarity about one's own enterprise, the relative likelihood of falling victim to a mundane threat, and the shifting regulatory landscape.
Dave Bittner: [00:11:31:17] Speakers emphasized that most of the damage done by attackers was accomplished not through rare, exotic, and sophisticated attacks using never-before-seen zero-days, but through social engineering, credential stuffing, and attacks on unpatched systems using known exploits. Cyber hygiene was therefore much recommended to all. The threats are less exotic, more familiar, and in many ways more tractable than hype would tend to make them out to be.
Dave Bittner: [00:11:57:15] And CISOs urged companies to adopt a realistic view of the direction in which regulation will push them. Businesses should expect to be held liable for much of what goes on in their customers' endpoints. Indeed, data themselves may well be on their way to becoming "the new endpoint." The EU's GDPR and the US Federal Trade Commission are the two major engines driving this shift. Sallie Mae's CISO, Jerry Archer, was particularly clear on this point. This represents a new reality, and there's little point in kicking against it. Instead, come to grips with how to handle it.
Dave Bittner: [00:12:30:09] Finally, ITSEF speakers stressed that incident response planning, and exercises that teach and test those plans, are essential to achieving resilience, which they defined as the ability to fight through an attack and continue to do business. If that sounds military, it is. A number of industry experts thought resilience was an area where the private sector could learn much to its profit from soldiers. So find some old, or even young, soldiers, ask them about commander's intent, mission analysis, and the right way to conduct after-action reviews, and you'll be better off for it. Which army doesn't matter much; our military desk says it's seen firsthand good work in these disciplines from US, French, British, German, Israeli, South Korean, and Canadian forces at least.
Dave Bittner: [00:13:14:09] You'll find detailed accounts of the conference at thecyberwire.com.
Dave Bittner: [00:13:22:14] Time for a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at E8security.com/cyberwire.
Dave Bittner: [00:13:42:10] We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. While we might assume that supervised machine learning, where a human teaches the machine, is the best approach, in fact unsupervised machine learning can show the humans something unexpected. Cut through the glare of information overload and move from data to understanding. Check out E8security.com/cyberwire and find out more. Follow the behavior, find the threat. That's E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:14:30:19] And joining me once again is Professor Awais Rashid. He's a Professor of Cybersecurity at the University of Bristol. Welcome back. We wanted to touch today on cyber physical systems. You say this is a new frontier for security, fill us in here, what are we talking about?
Professor Awais Rashid: [00:14:46:06] We use devices all the time. We have smart watches, smart thermostats, we're using smart locks. We are talking about the Internet of Things revolution. And all these devices are effectively mini computers which control the environment, and that's really what a cyber physical system is. Ultimately, what we are looking at is, potentially, and industry estimates are that in the next few years we may have up to 50 billion connected devices around the world. How we actually secure this really highly connected set of mini computers all over the world is actually very complicated. We want to look at the scenario of the Mirai botnet, where a number of these connected devices were actually repurposed to launch a very large scale Denial of Service attack.
Professor Awais Rashid: [00:15:37:19] Ultimately, these devices interconnect with other connected environments that we have, for example, workplaces, our homes and so on, in intricate ways and often implicitly, and users do not fully understand what kind of complex interconnection is going on. That really is the next challenge for security. How do you actually secure this highly connected set of lots and lots of small devices?
Dave Bittner: [00:16:03:21] Do you think we're looking at a situation where there needs to be some sort of international standards for a minimum standard of security for these sorts of things?
Professor Awais Rashid: [00:16:14:02] I think the problem is more complex, in the sense that standards are a very good thing, they provide a baseline, but they often lag behind the technological developments. And they also often have to cater for the lowest common denominator. I think the key thing here is that when we are designing these devices, we need to think about what are the security implications of these devices? At the moment many times security is a very late consideration, or not a consideration at all. People are concerned about connectivity of these devices, ease of connectivity. They're also concerned about battery life and hence energy consumption, and things like that. So often security takes a back seat. And we need to really think about security being a core feature of the devices, because only by doing that can we actually address these kind of issues.
Professor Awais Rashid: [00:17:04:04] Similarly, we also have to think about the fact that these devices are not used by security experts. They are used by citizens around the world who actually deploy them in their homes. How easy or difficult are we making it for them to actually configure the security settings on these devices? What do they understand? How are we informing them what kind of communication the device is undertaking? For example, you buy your smart TV, do you know with what or with whom the smart TV is communicating? Can you easily change those settings? The answer at the moment is, unfortunately, not, because it's not very easy for users to understand what happens and what the security implications are of the various communications that these devices do. But, also, it's not very easy to update those settings or even understand those settings.
Dave Bittner: [00:17:52:23] So perhaps even having security be a feature that they brag about before you buy it in this world where people browse through Amazon and look for the cheapest device. Perhaps security is something that manufacturers should crow about as a differentiator?
Professor Awais Rashid: [00:18:11:17] Yes, and I think we need to change that mindset: security has to become a differentiator, but it has to go hand in hand with cost. There are studies that show that if you have a more secure device, for instance, but there is a cheaper device, then consumers may actually opt for the cheaper device. And also, there is always an economic factor to these things. So unless and until we can bring the cost of more secure devices down, we will continue to face these kinds of problems. And the flip side of that is that we also need to actually have better means to encourage developers to integrate security more concretely into the software and the hardware that underpins these devices.
Dave Bittner: [00:18:57:17] Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:19:02:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit E8security.com to learn more.
Dave Bittner: [00:19:24:06] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:19:33:17] Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.