Espionage, influence, summits, and elections. What counts as a luxury? An iCloud warrant raises cryptowars speculation. Microsoft's GitHub acquisition. Facebook's coziness with Shanghai?
Dave Bittner: [00:00:03] TempTick and Turla are interested in the U.S.-North Korean summit. That summit might not take up many cybersecurity issues. Where did North Korea get all that digital rope they want to hang the West with? Russian influence ops continue to give lies their bodyguard of truth. The FBI gets a warrant for a high-profile iCloud account. Microsoft outbid Google for GitHub. What will Redmond do with all that code? And Facebook may have a complicated relationship with Shanghai.
Dave Bittner: [00:00:38] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve.
Dave Bittner: [00:01:09] Comodo doesn't settle for 99 percent, and neither should you. They put those 3,000 daily problems into a lightweight kernel-level container where the malware's rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, I got 99 problems, but malware ain't one.
Dave Bittner: [00:01:34] Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com. And we thank Comodo for sponsoring our show.
Dave Bittner: [00:01:54] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 6, 2018.
Dave Bittner: [00:02:06] The U.S.-North Korean summit, still on for June 12, approaches. According to security firm FireEye, interest in the meetings by other powers, notably Russia and China, is said to have prompted an increase in cyber-espionage targeting South Korea.
Dave Bittner: [00:02:22] The two threat groups FireEye calls out specifically are TempTick, a Chinese outfit hitherto best-known for its collection against domestic dissident or otherwise suspect groups, and Turla, best-known for its Trojan of the same name. Turla is a Russian government group that's been active at least since 2008. It's generally believed to be associated with Russia's FSB.
Dave Bittner: [00:02:46] North Korean operators have been relatively quiet with respect to U.S. targets, on relative good behavior as leader Kim prepares to meet President Trump in Singapore next week. But North Korean hacking remains a matter of considerable international concern to the U.S. and others. That said, however, the summit may not address cybersecurity to any significant extent, at least if various advisers and members of the U.S. foreign policy establishment are listened to. Advisers and various policy mavens are recommending that President Trump concentrate on nuclear affairs, leaving cybersecurity for another time. Nuclear arms reduction will be a tough enough challenge, they say, without adding equally difficult cybersecurity tensions to the agenda.
Dave Bittner: [00:03:33] But here's a question. The DPRK is more or less cut off from the larger global economy, yet its ruling elite seem to have little difficulty getting online, and its cyber operators continue to infest networks worldwide. So where does North Korea get the hardware and software it needs to operate online, particularly the tools its elite needs to use the internet?
Dave Bittner: [00:03:56] Cyber intelligence firm Recorded Future concludes that they get it mostly from the U.S., but in roundabout ways, using spoofed identities or third-party cutouts. This part of its sanctions regime may be more porous than the U.S. government would like.
Dave Bittner: [00:04:11] The stuff Pyongyang has been able to get its hands on tends to be older but still quite serviceable. Items Recorded Future has been able to identify include iPhones, Windows XP and Windows 10 devices, Samsung Galaxies up to the S8+ and MacBooks. One of the more curious loopholes the DPRK has used to move goods involves differential interpretation of what counts as a luxury good. These are generally prohibited by international sanctions, and consumer electronics are commonly classed as prohibited luxuries, but varying national and U.N. criteria have contributed to a murky picture of this trade.
Dave Bittner: [00:04:51] As far as third-party enablers are concerned, some of these have been North Korean shell operators - Glocom and its network of front companies is a leading example - and, of course, some large international companies. ZTE is in American hot water, for example, over evasion of sanctions against Iran, but also over evasion of sanctions directed against the DPRK.
Dave Bittner: [00:05:15] Concerns about Russian election meddling persist in the U.S. and elsewhere. These concerns generally come down to fear of influence operations and of amplified divisive hyperpartisan narratives, as opposed to direct disinformation. The goal fundamentally remains erosion of public trust and confidence in the institutions of civil society. Here again, lies receive a bodyguard of truth. There's usually some truth somewhere in even the most hyperpartisan narratives.
Dave Bittner: [00:05:46] In the U.S., Russian influence operations have made heavy use of trolling. In Europe, notably in Germany and Italy, they've tended to rely upon various mouthpieces in political parties whose platforms and interests tend to align opportunistically, and not as systematically as they did in the bad old Soviet days, with Moscow's goals.
Dave Bittner: [00:06:05] An international group is being formed to counter the effects of Russian influence operations. It will be called the Transatlantic Commission on Election Integrity. Its two co-chairs suggest a seriousness of purpose - former NATO Secretary General Anders Fogh Rasmussen and former U.S. Secretary of Homeland Security Michael Chertoff. We'll watch their activities with interest.
Dave Bittner: [00:06:30] There are, of course, still secondary concerns about voting integrity in U.S. midterm elections. Security company Synack is offering U.S. state election officials free penetration testing to help them shore up the security of their systems.
Dave Bittner: [00:06:46] The GDPR implementation deadline has come and gone. And as we wait to see how enforcement will take shape, security providers are still working overtime to get the word out on proper GDPR compliance.
Dave Bittner: [00:06:59] Ameesh Divatia is co-founder and CEO at security firm Baffle, and he joins us to share advice on taking a data-centric approach to cloud security.
Ameesh Divatia: [00:07:08] It is no longer adequate to just comply to certain ways of protecting data. GDPR is different in the sense that if you lose the data, no matter how you protected it, you are liable.
Ameesh Divatia: [00:07:21] It doesn't just stop there. It goes a step further, where it actually talks about the fact that security has to be always on, so always secure by default. And it has to be done by design. Security has to be implemented by design.
Ameesh Divatia: [00:07:35] The last thing that it actually says which is relevant for what we do is that it actually said that any sensitive data - actually be protected while it is being processed. This is Article 25. For doing processing, not only do they say that it has to be protected, they actually talk about the fact that it has to be what they called pseudonymized, which means that it's either tokenized, it's masked or - the best form of protection is actually encryption.
Ameesh Divatia: [00:08:05] As it turns out, any of these privacy regulations - and actually, we have - every state in the U.S. actually has privacy regulations as well when it comes to data breaches and how those are revealed. When a breach happens, and if data is leaked and it happens to be encrypted, there is no requirement for it to be actually announced. You don't have to - actually have to reveal the fact that you were breached if all you lost was encrypted data. So encryption is really the only safe harbor that's available for an enterprise when they get into a situation where the data is breached.
Dave Bittner: [00:08:44] That's an interesting insight. So if an organization takes the effort to encrypt their data, that could save them a lot of headaches along the way when it comes to GDPR compliance.
Ameesh Divatia: [00:08:55] Exactly. And again, it's very specific in the sense that if you lose the encrypted data and the keys, you still have to reveal that. So there is a disclosure requirement for that. But if you just lose encrypted data and not the keys, there's no disclosure requirement.
Dave Bittner: [00:09:11] So I suppose the rationale there is that if someone gets their hands on encrypted data without the keys, it doesn't really have a lot of use for them.
Ameesh Divatia: [00:09:18] By definition, by mathematical proof, it is proven that if the data is encrypted, in a million years, with all the computers all over the world, you cannot break encryption. AES encryption, which is what we use, has that guarantee.
Dave Bittner: [00:09:34] One of the points that you make is that GDPR is going to have specific effects on folks using cloud services. What can you share about that?
Ameesh Divatia: [00:09:43] Yeah. So again, GDPR is actually the first regulation that is very broad-based in the sense that it doesn't really apply to specific companies or specific geographies or where the data is stored. All they say is, if you are a resident of the EU, you have a right to your data being protected. And the data may be stored anywhere in the world, but as long as you are an EU resident and that particular data is stolen, you know, that entity that - actually, the data processer that collected your data is now liable.
Ameesh Divatia: [00:10:15] So that completely changes the whole story because it really doesn't matter where the data is located. There are other data location requirements that are also specified there. Certain countries require data locality - data has to be in Germany or in Belgium. GDPR itself is not necessarily focused on that. It's only focused on the record itself - the individual data. By definition, when you talk about - data locality completely goes out the window because you really don't know where your data ends up.
Ameesh Divatia: [00:10:47] And that's where we believe that this is going to really drive the need for what we would like to refer to as data-centric protection, or ways of protecting the individual record itself and not just the environment, not just a file or not just a specific repository. It's really about protecting data at the record level.
Dave Bittner: [00:11:08] That's Ameesh Divatia. He's from Baffle.
Dave Bittner: [00:11:13] Security researchers at cyber company Lastline have found at least three sophisticated keylogger variants in the wild. They're actively targeting financial institutions. exchange Bitfinex is back online after sustaining a denial-of-service attack that took it down for several hours earlier this week.
Dave Bittner: [00:11:34] Former Trump campaign manager Paul Manafort faces additional charges based on evidence the FBI collected under a warrant for his iCloud account. The FBI had enough evidence to obtain the warrant. And Manafort, who had encrypted his message traffic, found that this was insufficient to keep the bureau out once they had access to iCloud. A number of observers think this investigative success undermines the bureau's rather lonely campaign for what it calls responsible encryption and what most other people call either back doors or key escrow.
Dave Bittner: [00:12:09] Microsoft had to outbid Google to buy GitHub. Mountain View is said to have competed for the open-source code repository with Redmond. Redmond offered more. In fact, its $7.5 billion bid amounted to 25 times GitHub's annual revenue, which is a nice premium.
Dave Bittner: [00:12:28] Put this amount in the context of an acquisition in another industry, the aerospace sector. Northrop Grumman is buying Orbital ATK for 7.8 billion, a little more, to be sure, but still in the same ballpark. GitHub hosts open-source code. Orbital ATK provides, among other things, space launch services.
Dave Bittner: [00:12:50] As WIRED points out, GitHub hosts a surprising array of stuff, from bitcoin code to the Federal Republic of Germany's laws and regulations. The code in GitHub's 85 million repositories include software that enables the creation of things like deepfakes, nonconsensual adult content and even roll-your-own Xbox emulators. The last of which, for example, would hardly be welcome at Redmond on grounds of pure and probably legitimate commercial self-interest. If Facebook and Twitter have trouble moderating content, what's Microsoft going to do about software whose purpose is to produce the content Facebook and Twitter are so tangled up about?
Dave Bittner: [00:13:32] Speaking of Facebook, it appears the platform allowed at least four Chinese firms, including usual suspects Huawei and ZTE, to access its users' data, often without those users' consent. This has raised senatorial eyebrows. Facebook, after a little initial vagueness, acknowledged its partnership with Huawei to Senator Warner of Virginia. And Facebook says it intends to wind up its surprising partnerships by Friday. So get those friends while they're hot, People's Liberation Army Unit 61398. Your relationship status may soon be changed to it's complicated.
Dave Bittner: [00:14:14] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult even for the most technical users to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:15:23] And I'm pleased to be joined once again by Johannes Ullrich. He runs the Internet Storm Center daily podcast the StormCast from the SANS Institute. Johannes, welcome back. Today, you had some things you wanted to share about deserialization. What do we need to know about this?
Johannes Ullrich: [00:15:39] Last year, OWASP added deserialization as a one of their top-10 vulnerabilities. And people were a little bit confused by that because it's not sort of one of those vulnerabilities you're often confronted by, like in a single injection or cross-site scripting. But I think they, actually, really hit it on the nail - hit the nail on the head here with that addition because we had a number of high-profile deserialization vulnerabilities recently - for example, WebLogic, Apache Struts and a lot of these frameworks.
Johannes Ullrich: [00:16:13] And it's really sort of a little bit of a problem with this vulnerability. It often shows up in these frameworks, these libraries that you use. So it may not necessarily be code that you write. What this is all about is that - well, in language like Java, .NET, you're dealing with objects. Deserialization takes, essentially, text and converts that into an object.
Johannes Ullrich: [00:16:37] Now, simply speaking, that's a data converting it into a variable. Variable you wouldn't really associate with anything bad. But with objects - your variable, so to speak - your object, it contains data and code. So what can happen if you're not careful that some of the data you're reading and that you're turning into this object actually triggers code. So deserialization is really, really dangerous because it's actually code execution.
Johannes Ullrich: [00:17:08] And we have seen this, for example, with that logic being exploited many, many times or with Apache Struts where the attacker then - all the attacker has to do - they're sending you some XML when that's the text. And as the server parses that XML - converts into an object, code is executed.
Dave Bittner: [00:17:27] And so what are the protections against this?
Johannes Ullrich: [00:17:29] All you really have to do as developer is the function that's being used to read the data - you have to write sort of your own custom function here not necessarily relying on some of the default functions. The default functions - they're doing, well, what they're supposed to do but sort of without restrictions, so whatever comes they're turning into an object. But what you have to make sure is that all the objects that you receive are safe to actually deserialize. And one way to do that is to just write your own rate function to do that.
Johannes Ullrich: [00:18:02] In some cases, if you authenticate and verify the data before you actually deserialize it - so you make sure you actually receive it from an authenticated source. You definitely, in web application in particular, always should first authenticate before you accept and parse any data. So that's another sort of additional protection that you can perform - or, you know, digitally sign data so it can't be altered by an attacker in transit. And that also helps to minimize the risk of deserialization somewhat.
Dave Bittner: [00:18:34] All right. It's interesting stuff as always. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:38] Thanks.
Dave Bittner: [00:18:43] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:11] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.