Dave Bittner: [00:00:00] Hey, everybody. Thanks for checking out our new "Hacking Humans" podcast. If you enjoyed the show, we hope you'll subscribe on iTunes and leave a review. That'll help people find it. Thanks.
Dave Bittner: [00:00:13] The Lazarus Group may be on good behavior, relatively speaking. A study suggests that if cybercrime were a country, it would have a GDP comparable to Russia's. The Canadian Security Intelligence Service warns, in the nicest way possible, that Chinese spies are out to get New Zealand. ZTE and Huawei come in for more criticism. The BND gets a court victory in Leipzig. And Google's ground-truth algorithms are looking a little truthy.
Dave Bittner: [00:00:45] And now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the U.K., North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear-phishing. Those can never be discounted. But here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fish net could catch, don't you think? Go to threatmatrix.cylance.com and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's threatmatrix.cylance.com. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:49] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 1, 2018. North Korea's Lazarus Group has continued to target financial institutions for cybertheft, but it appears to be on its good behavior, for now, at least, with respect to U.S. institutions. The restraint is generally thought to be part of the DPRK's charm offensive during the runup to the June 12 Kim-Trump summit. A subunit of the Lazarus Group, which researchers at AhnLab track as the Andariel Group, has been active against South Korean targets. It's been using an ActiveX zero day in its campaign. Bleeping Computer's been told by an anonymous source close to the investigation that the zero day is being used to exploit Samsung SDS Acube installations. A great deal of North Korean hacking has been designed to obtain money to redress Pyongyang's sanctions-induced and command economy-induced financial shortfalls.
Dave Bittner: [00:02:54] But states, of course, are not the only perpetrators of financial and other forms of crime. As cyberspace grows in importance to commerce and, indeed, daily life, criminals flock there for the Willie Sutton-esque reasons that that's where the money is.
Dave Bittner: [00:03:09] Bromium commissioned a study by criminologist Michael McGuire at Surrey University. Dr. McGuire concluded, as Dark Reading reports, that if cybercrime were a country, it would have the world's 13th-largest gross domestic product. By his estimation, crooks now pull in $1.5 trillion annually. He breaks their takedown as follows - $860 billion from illicit or illegal online markets - those are markets like the old Silk Road - $500 billion from intellectual property theft, 160 billion from data trading, 1.6 billion from crimeware as a service and 1 billion from ransomware.
Dave Bittner: [00:03:50] McGuire notes that in some precincts of the internet, including those regions collectively called the dark web, the line between legitimate and criminal enterprise is a blurry, gray area. He thinks there's now what he calls the web of profit. As he puts it, quote, "companies and nation-states now make money from this web of profit. They also acquire data and competitive advantages from it and use it as a tool for strategy, global advancement and social control," quote. This is tied to the emergence of what he calls platform criminality and the increasing commodification of attack tools and exploits that are traded in online criminal-to-criminal markets. That black market operates very much like the legitimate markets we're all accustomed to, complete with customer ratings, FAQs, help sites and so on. If you've used Amazon or Uber, you'd probably feel at home in a criminal market fairly quickly.
Dave Bittner: [00:04:45] Given the vast scale on which cybercriminals operate, and even if McGuire's conclusions are exaggerated by any reckoning, it's still pretty vast. It would seem to be a matter of some urgency to increase the criminal's cost of doing business. To put this into perspective, $1.5 trillion is roughly Russia's GDP. Whether President Putin counts the significant financial cyber intake of the Russian mob in the country's GDP is unknown - seems doubtful, though maybe Russia's doing better than the rest of us tend to think.
Dave Bittner: [00:05:18] A report by the Canadian Security Intelligence Service concludes that Chinese espionage and influence in New Zealand has reached a critical point. The report was delivered at an academic conference and so doesn't necessarily reflect CSIS official views. And CSIS has hastened to express its solidarity with fellow Five Eyes services in New Zealand. The report reflects ongoing Five Eyes suspicion of Chinese companies and organizations. The U.S. Congress is considering holding ZTE's and Huawei's feet to its own fires of scrutiny, and a court case in Australia described ZTE as a company built to spy and bribe.
Dave Bittner: [00:05:59] Germany's BND Intelligence Service wins a surveillance case in a Leipzig court. It can continue to monitor traffic in a Frankfurt-based hub operated by DE-CIX. DE-CIX had complained to the Federal Administrative Court that BND was in violation of German privacy law because so much of the traffic the BND monitored crossing the hub was domestic and, therefore, off limits to surveillance. But the court tossed their case out, concluding that legitimate security interests justified the monitoring. The hub in question is one of the largest in the world. Frankfurt, it's worth noting, is the center of the German financial markets, roughly analogous to the American Wall Street or the city in the U.K.
Dave Bittner: [00:06:43] Google's efforts at content moderation, or at least flagging, have produced some preposterously tendentious results. The search giant's reliance on Wikipedia for moderation may be damaging Wikipedia. The problem, as reported in WIRED, Motherboard and elsewhere, apparently arose from Google's prim attempt to provide a ground truth in the form of its featured snippets tool that produces knowledge panels designed to let the naive researcher in need of epistemic protection know what's a fact, Jack. Anyway, they rely on Wikipedia for their info, apparently in a pretty automated way.
Dave Bittner: [00:07:18] Because Wikipedia is crowdsourced and dynamically edited, it's possible for a contributor to ride a hobbyhorse very hard, indeed, if only briefly. That's why Google, this week, soberly informed researchers that the ideology of California's Republican Party was Nazism, which, of course, as far as we know, it's not. Such shenanigans are fairly well-distributed across the political spectrum. Motherboard has a useful rundown of past factoids Google has served up. Quote, "it's worth mentioning that in the past, these same knowledge panels have falsely shown that various presidents were KKK members, that MSG causes brain damage and that Barack Obama is king of the United States and was planning a coup," quote. We're pretty sure none of this is actually true either, even that stuff about MSG.
Dave Bittner: [00:08:10] In fairness to Wikipedia, fact-checkers have found that it compares favorably with conventional encyclopedias, and sensible users don't find it difficult to exercise appropriate, good judgment. And besides, Wikipedia does tend to correct itself when a contributor goes rogue. Google's knowledge panels, however, seem to do at least four things. First, they provide quick information - so far, so good. Second, however, they also divert traffic that would've otherwise gone to Wikipedia - less good. Third, they come with all the solemn authority of Google, as if they were carved on tablets of virtual stone delivered from the digital smoke and fire of Mountain View itself. And fourth, they provide almost no context for reflective, skeptical judgment. And that, unless you're looking up something easy, like Manny Machado's batting average, is no bueno at all.
Dave Bittner: [00:09:07] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99 percent, and neither should you. They put those 3,000 daily problems into a lightweight, kernel-level container where the malware's rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one. Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com. And we thank Comodo for sponsoring our show.
Dave Bittner: [00:10:20] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Joe Carrigan: [00:10:27] Hi, Dave.
Dave Bittner: [00:10:27] We got some follow-up from our conversation last week, where you and I were having a friendly, respectful conversation about iOS and Android.
Joe Carrigan: [00:10:37] We need more friendly disagreements.
Dave Bittner: [00:10:39] That's right. That's right. It was very civil.
Dave Bittner: [00:10:41] And a listener wrote in. And he said, hello, gentlemen. I know this is a minority opinion, but I don't trust the Play Store apps. In fact, I do think side-loading is better, but if and only if you have a really trusted source. For me, as for a lot of people, that source is F-Droid. The amount of time and detail these folks put into the entry for each app is impressive, apart from the fact that it must be open source. They also redline entries that promote for non-free services or add-ons that aren't updating or have changed their source code license since this version and probably other non-open-source-friendly things. And he goes on to say that, basically, if it doesn't come included with the box, which is the phone...
Joe Carrigan: [00:11:27] Right.
Dave Bittner: [00:11:27] ...He only uses stuff from F-Droid. What's your take on this?
Joe Carrigan: [00:11:31] My take on this is that F-Droid is another secondary - is a secondary market where you can go and install these apps. And if all this is accurate - and I've looked at F-Droid, but I can't find any policy on there, but I have no reason to doubt what the listener is saying...
Dave Bittner: [00:11:45] Right.
Joe Carrigan: [00:11:45] ...Then F-Droid is probably fine. The concern I have here with that is that - can you get by with all those apps that are on F-Droid and none of the apps that are then in the Android marketplace? Yeah, a lot of those apps have advertising in them in the Android marketplace. And they probably don't go through as rigorous of a testing cycle at the Android marketplace as they do at F-Droid, so you might say that F-Droid is more of a walled garden than the Android marketplace.
Dave Bittner: [00:12:10] Because of that community aspect and the fact that everything is open source.
Joe Carrigan: [00:12:11] Because of the community aspect, everything is open source.
Dave Bittner: [00:12:13] Right.
Joe Carrigan: [00:12:13] And that means the code has to be available for inspection.
Dave Bittner: [00:12:17] Yeah.
Joe Carrigan: [00:12:17] And that's not the case in the Android store.
Dave Bittner: [00:12:19] So you have this pretty strict standards, I suppose, of, if you want something in here, it has to have gone through these community-enforced checks.
Joe Carrigan: [00:12:29] Yes. So I would go ahead and say that F-Droid's probably OK for sideloading, but only if you know what you're doing. Because once you enable, on Android, the ability to load from other sources other than the Android marketplace, you can unload them from anywhere, even just having them copied over from your computer.
Dave Bittner: [00:12:47] And we have seen examples. It rarely happens, but it has happened where there's been some sort of - what do you call it? I guess an infection of some open-source software.
Joe Carrigan: [00:12:57] Yes.
Dave Bittner: [00:12:57] Someone has gone in and changed some code for bad reasons.
Joe Carrigan: [00:13:01] Yeah. I remember a privilege escalation attack where they changed a Boolean operator to an assignment operator. So instead of testing, it actually elevated the privileges automatically.
Dave Bittner: [00:13:10] Yeah. So something to look out for. But it sounds like this community has their guard up for those sorts of things.
Joe Carrigan: [00:13:16] Right.
Dave Bittner: [00:13:16] They're probably doing the best that they can to prevent it.
Joe Carrigan: [00:13:18] Yeah. F-Droid's probably the exception to the rule.
Dave Bittner: [00:13:20] And, of course, there is nothing like this on the iOS side. It just simply doesn't exist.
Joe Carrigan: [00:13:25] It does not exist.
Dave Bittner: [00:13:26] Unless you jailbreak your device.
Joe Carrigan: [00:13:28] Which is getting harder and harder.
Dave Bittner: [00:13:29] Yeah. All right. Well, thanks to this listener for writing in. Certainly, interesting information. And, as always, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:13:37] My pleasure, Dave.
Dave Bittner: [00:13:42] And now a few words from our sponsor, CYBRIC. We all heard the important and welcome themes coming out of RSA this year on resiliency and collaboration. This is underscored, of course, by the steady stream of innovations we see coming out of the cybersecurity industry. But what does all this really mean for IT, security and development teams day to day? Join Mike Brown, retired rear admiral in the U.S. Navy and former director, cybersecurity coordination for DHS and DOD, for a lively discussion on the industry's current direction, the type of collaboration that yields immediate results to teams and the criticality of protecting application infrastructure. This insightful webinar is taking place on Wednesday, June 20, at 1:00 p.m. Eastern time. So be sure to register at cybric.io/cyberwire and tune in on the 20th. That's cybric.io/cyberwire. And we thank CYBRIC for sponsoring our show.
Dave Bittner: [00:14:50] My guest today is Todd Inskeep. He's a principal with Booz Allen Hamilton in their commercial cybersecurity consulting group. When the NotPetya pseudo-ransomware attack hit last summer, he found himself in the middle of it, working to protect his clients and his team members in the midst of a rapidly evolving, somewhat chaotic situation.
Todd Inskeep: [00:15:10] I was acting as the CISO, the chief information security officer, for one of our clients. Imagine you come into what you think is going to be kind of the normal day at the office. All right? There's always a lot of activity going on between the information security and IT, as you're working at a fairly significant Fortune 1000 company. On this particular day, things seem to start OK. And then we started getting email from our employees embedded at the supplier and at the client who were actually impacted by NotPetya. Hey - their computers are down. These things are happening. And we're now trying to figure out, well, what do we need to do? What is this thing? How is it spreading?
Todd Inskeep: [00:15:58] And you start searching for information. You go to all your resources. In this case, NH-ISAC, to CNN, to Twitter. There's not a lot of news, particularly starting out early in the morning. You're trying to figure out, what is it, what do I need to do? And almost immediately, we get kind of the first question. Well, we've got network connections to these two companies. Maybe we should cut those off. And because we had people with their computers embedded at these companies, maybe we should cut them off, too. We don't know what it is. We don't know how it's spreading. And so we're trying to make those first couple of decisions. What do we think it is? How do we make sure it doesn't impact us any more than it already has?
Dave Bittner: [00:16:48] So describe - what is that process like? What did you ultimately decide, and what were the bits of information that made you take the choices that you did?
Todd Inskeep: [00:16:58] So certainly, there were some bits of information. There was information on Twitter that people were seeing companies going down. The computers were locked up. There was a little bit of news. And it seemed to be spreading very rapidly. And so it was a process then of myself and the head of the IT team really just talking for a couple of minutes, looking at the email evidence we had from our own teams and saying, look, we're just going to stop everything. Let's cut the ties. We'll cut the network connections. We'll push those people off the network. We'll talk to them by phone until we have a better idea of what's going on.
Todd Inskeep: [00:17:37] And it was a five-minute conversation and five minutes of searching, trying to find anything that would tell us what was happening. Now, it turns out that that was too slow. When you actually go look at how rapidly NotPetya spread in an organization, it was spreading through some of these organizations that were impacted at rates of over 10,000 computers per minute. Very rapid spread as it grabbed credentials and used those to expand itself across an enterprise.
Dave Bittner: [00:18:11] You know, from a leadership point of view, how are the various folks that you're working with managing the emotional components of this? How do you make sure that nobody panics or - but that, also, that you have an appropriate amount of concern?
Todd Inskeep: [00:18:26] That's a really great question. And I can be honest. We didn't think about the emotions very much at all. We were really focused on the task at hand - how do we protect our enterprise in the midst of this unknown thing happening? Especially when we have, not just the general chaos that, you know - CNN is starting to report things, and you're starting to see some things on Twitter, but we know our employees have been affected at the supplier and at the customer. We're still trying to figure out, what does it mean for the company? But we're very clear. Our first job is to protect that company.
Todd Inskeep: [00:19:09] And so we make those decisions and then start to work back to what's it going to take for us to feel comfortable to bring those computers back on our network? What's it going to take for us to feel comfortable to reconnect our network to that supplier that has been impacted, to that customer that's been impacted?
Dave Bittner: [00:19:28] Looking back, having had the experience that you had, what are the take-homes for you? How does having been through this inform the work that you do today?
Todd Inskeep: [00:19:37] The first is that I think a lot more about having people, particularly business executives, practice and think about what kind of events might impact their business. One of the big realizations for me was that while our company wasn't the target of this attack in any way, shape or form, we were really collateral damage in a way that we haven't seen very often in previous cyberattacks. There were a lot more companies more deeply affected even though they weren't the target. And for us, there was a business loss that we had to report to Wall Street that had no relationship to us actually losing capability in our technology and our IT systems.
Todd Inskeep: [00:20:26] And so trying to get the executives to think more about how cyberattacks impacting our suppliers, impacting other parts of our business than just the IT portion of our business could impact us makes you think about risk differently. There were a number of takeaways in terms of thinking about how this attack spread. Like many of the attacks over the past couple of years, this attack stole credentials. And so the ability to reuse credentials has been critical for a lot of adversaries and a lot of the attacks in the last couple of years. Particularly, moving to two-factor, multi-factor authentication, becomes a critical control as we go forward so that when an adversary steals credentials, they can't go on an extended spree across the entire enterprise or across multiple enterprises. You really want to limit them to a couple of uses and create conditions that let you detect their activity earlier.
Todd Inskeep: [00:21:29] And then there are a lot of little things. One of the companies that was impacted had no printed copies of their disaster recovery plan. So when all of these Windows machines are affected by NotPetya, that means the server that stored your disaster recovery plan isn't available for you to get a copy of the disaster recovery plan. If you don't have a printed copy, you're relying on phone networks and memory to start recovering from this disaster. Having some simple ideas and the practice of running through drills gives you a lot more confidence in running through that.
Todd Inskeep: [00:22:07] It made me think more about the relationships that we have. A lot of times, the CISOs of companies have built relationships with the CISOs of other similar companies. But when we started this effort on June 27, I had no idea who the CISO at the supplier was. I had no idea who the CISO at this pharmaceutical client was. And trying to make those connections in the middle of everything else when they're very busy fighting their fires, the last thing you want to do is be trying to establish those kinds of relationships. Having an IT lead that I knew well, could trust, having a CIO that I'd been working with for a while, having a number of people that I could trust, that trusted me, and being able to just call them on the phone, text and quickly make decisions, it is invaluable.
Todd Inskeep: [00:23:02] We often talk about the soft skills of leadership and communication when we're hiring people and as we're building our teams. I can tell you, there's no time when those soft skills are more important than in the middle of firefighting. It's important for everybody to know their role and to communicate quickly when they need the guidance but also for them to be able to go and to trust that you know they're going to be doing the right thing.
Dave Bittner: [00:23:30] That's Todd Inskeep from Booz Allen Hamilton.
Dave Bittner: [00:23:37] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:24:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.