The CyberWire Daily Podcast 6.14.18
Ep 620 | 6.14.18

Chinese espionage in Central Asia. Dixons Carphone data exposure. Lazy State speculative execution bug. Pyongyang is expected to come roaring back into cyberspace. Unlucky 13.

Transcript

Dave Bittner: [00:00:00] Hi, everybody - Dave here. I want to send a quick thank-you out to one of our listeners who caught a publishing error on our podcast webpage and took the trouble to call us and help us quickly get it fixed. It means a lot to me and our team that she took the time. But sadly, we did not get her name. So if this was you, please let us know. We'd like to send you a little thank-you - a brand new laptop. I'm sorry. That's a brand new laptop sticker. And for those of you who are saying, wait. There are CyberWire laptop stickers. Why, yes. Yes, there are.

Dave Bittner: [00:00:37] LuckyMouse creeps into a Central Asian house. Dixons Carphone data exposure presents complex legal and regulatory issues. It's the first big incident since GDPR came into effect. Lazy State is another CPU speculative execution bug. The U.S. Congress doesn't care for ZTE. Australia's government is wary of Huawei. And the EU doesn't like Kaspersky at all. If you didn't like the end of net neutrality, wait until you get a load of the proposed EU Copyright Regulation's Article 13. And more hacking is expected from Pyongyang.

Dave Bittner: [00:01:18] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email. And every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:24] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 14, 2018. Researchers at Kaspersky Lab report an espionage campaign against an unnamed Central Asian country's servers. The evidence points to a Chinese threat group tracked variously as LuckyMouse, EmissaryPanda, APT27 and Threat Group-3390. The campaign hit a national data center. Kaspersky researchers think the goal is probably to inject malicious JavaScript code into government websites connected to the data center, thereby transforming those websites into watering holes. It's unclear how LuckyMouse crept in, but the researchers speculate that a watering hole attack gave the threat group its initial entree.

Dave Bittner: [00:03:19] Dixons Carphone, the large, British electronics retailer, has sustained a big data breach that it disclosed earlier this week. Data for almost 6 million customers' pay cards were exposed in the incident. Dixons says the effect of the loss was limited. Most of the cards were chip-and-PIN, and the information loss was partial, not enough to be of much immediate use to criminals. Dixons says it notified the card companies promptly. And they've seen no evidence of fraud emerging from the breach so far. It's too early, however, to say that the people whose data were affected are out of the woods. Criminals can try to build on the limited information they do have to work up usable profiles of the victims.

Dave Bittner: [00:04:03] Dixons also said that 1.2 million records with non-financial personal data - names, email addresses, physical addresses and the like - were also exposed. They've seen no fraud resulting from these either, but the same principle applies here. Such information can find cumulatively more damaging uses. The company is referring to the incident as an attempted hack but better safe than sorry.

Dave Bittner: [00:04:29] So if you are or were a Dixons customer, here's some advice courtesy of Sophos and their Naked Security blog. It has applicability to most breaches of this kind. First, watch your statements for unusual transactions. Second, because some personal data was lost, if you get an email or a phone call from someone asking you to verify account or payment details, don't bite, no matter how much plausibility the details may lend to the phishing. And finally, if you think your pay card was compromised, cancel it and ask the provider to issue you a new one.

Dave Bittner: [00:05:03] British authorities, including the National Crime Authority, the National Cybersecurity Center, the Financial Conduct Authority and the Information Commissioner's Office are all investigating. The complexity of the investigation and the number of different agencies involved suggests its importance. Not only are national regulations increasingly prescriptive, but this is also the first major breach since GDPR came fully into effect late last month. Fines could be heavy. How this case is handled may shape expectations for future enforcement actions.

Dave Bittner: [00:05:37] Cybersecurity continues to be a hot market segment with no immediate signs of slowing down. For communities looking to attract businesses, cyber companies often bring well-educated, affluent employees. And there can be significant investment in technology and infrastructure as well. So it makes sense that U.S. states would work up incentives to be more alluring than their neighboring states for those coveted jobs.

Dave Bittner: [00:06:02] Our home state of Maryland recently did just that. Stacey Smith is executive director of CAMI, the Cybersecurity Association of Maryland.

Stacey Smith: [00:06:11] Senate Bill 228 was passed through the legislative process this year in Annapolis, Md. And the bill was called the cybersecurity incentive tax credits bill. And essentially, it has two sides to it. One side is a tax credit that incentivizes entities and individuals to invest in Maryland cybersecurity technology companies. And the other side provides a tax credit for small Maryland businesses to buy their cybersecurity solutions locally from Maryland cybersecurity providers, and that could be purchase of both services and products.

Dave Bittner: [00:06:48] So let's go through each of those individually - what the state is hoping to get out of them and why that's a good investment against the tax base.

Stacey Smith: [00:06:57] Maryland has had a tax credit in place for the investor side, providing a tax credit to cybersecurity companies when an individual or an entity invested in them. However, that isn't as valuable to a cybersecurity company as providing the investment or the tax credit incentive to an investor to invest in them. So the state feels that it will attract more investment dollars to Maryland cybersecurity companies that have - or to companies that have an innovative cybersecurity technology that they would like to bring to the market.

Stacey Smith: [00:07:31] On the other side, the buy local - this is a nationally unique tax credit program, and we're especially excited about it at our organization because we're focused solely on helping Maryland cybersecurity companies grow by connecting them with potential customers. So to hear about an opportunity for a tax credit like this to be passed through legislation was very exciting to us, and so we spent a lot of time in Annapolis trying to bring this bill to the finish line. And luckily, it happened.

Stacey Smith: [00:07:58] The advantage of this is that it will not only help give our Maryland cybersecurity companies another tool, I guess you could say, in their sales kit by being able to say to a company, if you buy this product or service from me, you'll get a tax credit, but it's also providing a very needed resource to small businesses who may not be investing in any way yet in cybersecurity. A lot of them will tell you small businesses will say that they might not know who to go to for cybersecurity products or services, but more critical for them is having the funding to be able to afford cybersecurity products or services.

Dave Bittner: [00:08:37] It was interesting to see that the bill got bipartisan support. I'm curious - how does it compare to some of your neighboring states? And do you expect this to be sort of a competitive thing, as states in the region do their best to attract these sorts of businesses?

Stacey Smith: [00:08:54] Well, it'll definitely be a great tool for attracting cyber companies to come to the area, also cyber companies to stay in the area. Also, maybe some businesses that are looking to locate somewhere, you know, tax credits are a huge plus in deciding where to locate. As far as neighboring states, we have not been able to find any state in the nation that has any kind of a tax credit like this. But I can tell you that with the promotions that we've done thus far, we have been contacted by several to understand what the details are of this bill, and actually talking with some other states about some of the cybersecurity programs that they're lobbying to put into place and kind of just learning from each other what would be good for the industry, what's good for business, what's good for the cyber companies as well.

Stacey Smith: [00:09:42] And it was really exciting and refreshing to see the bipartisan effort for this. The bill started as the investor incentive tax credit bill, and it was put forth by Howard County Senator Guy Guzzone. And Governor Hogan had the buy local portion. And together, they realized that both bills had a better chance of passing if they took the key elements from both and, essentially, combined them into one bill and put it forth as a bill together. And luckily, that worked.

Stacey Smith: [00:10:10] And we saw, you know, legislators on both sides saying, hey, if this is good for the industry, it doesn't matter who brought what part forth. Let's just get this thing finished. And it passed on the very last day of our legislative session. We're certainly excited about it.

Dave Bittner: [00:10:27] That's Stacey Smith. She's executive director of CAMI, the Cybersecurity Association of Maryland.

Dave Bittner: [00:10:34] Intel reports finding another CPU security issue in its Core-based processors. Called Lazy State, the bug is already addressed in some systems. Other mitigations will follow. It's another speculative execution flaw assessed by most observers as being of moderate and not severe importance, hard to exploit and easy to fix, as ZDNet notes. Chinese and Russian companies continue to face headwinds driven by security concerns in different national markets. ZTE's recovery remains in doubt, and the company remains in very bad odor with the U.S. Congress.

Dave Bittner: [00:11:11] Australia's government is very leery of Huawei, and although Huawei says it's still very much in the bidding, Australia is considering excluding the company from any work related to the build-out of the national 5G system. This is a long-standing disquiet on the part of Australian authorities. Last year, they moved to block Huawei's participation in an undersea cable that would've served Papua and transited Australian territory.

Dave Bittner: [00:11:38] Kaspersky was hit with a significant setback in Western Europe. The European Parliament yesterday voted overwhelmingly in favor of a ban on the company's security products from official networks.

Dave Bittner: [00:11:52] Proposed EU copyright laws have aroused considerable alarm. The end of the internet as we know it is widely predicted. Much opposition derives from a proposal to, essentially, extend content moderation to the internet as a whole. Article 13 of the proposed European Copyright Directive would require anyone posting any content for public use or viewing to run it through a copyright filter. Such filtering is thought to represent, essentially, the same approach as YouTube's current content filter. Any text, audio, imagery or video that flunked the filter's check would, if the EU regulation were adopted, be blocked from the internet. One of the problems critics see with Article 13 is its apparent overlooking of copy fraud, falsely claiming intellectual property rights over content one, in fact, has no ownership of. And the proposal does seem to combine unreliable technical content filtering with a cumbersome and onerous compliance regime.

Dave Bittner: [00:12:53] North Korea is widely expected to resume its ambitious program of cyber operations following the modified limited restraint it displayed during the run-up to this week's U.S.-DPRK summit. We know, we know. This is betting on form. And we know that North Korean Hacking Expected has become an evergreen headline, right up there with Heat Wave Hits Elderly Hardest or Brazil Rising Power in the Western Hemisphere or Cleveland Fans Expect Disappointment or even EU Regulation Threatens Freedom of Speech. Still, betting on form isn't a bad bet, especially in this case. Expect more badness out of Pyongyang.

Dave Bittner: [00:13:40] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:41] And I'm pleased to be joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. I saw on your Twitter feed you made note of a journal paper that mentioned something called antifragile communications that's caught my eye. Describe what's going on here.

Charles Clancy: [00:15:00] So antifragile is the opposite of fragile. So if something is fragile, then it is brittle. It breaks easily. And if you look at trying to build a resilient communication system, certainly, you don't want a fragile one that is easy to disrupt.

Dave Bittner: [00:15:14] Right.

Charles Clancy: [00:15:15] In general, you want something that is resilient, meaning that it responds reasonably well in the face of adversarial conditions, whether that's hostile jamming or just general interference. Antifragile seeks to take that a step further, where, rather than being degraded but being able to bounce back in the face of adversarial RF environment, an antifragile communication system would actually be able to take advantage of the hostile elements in the environment to improve its performance.

Dave Bittner: [00:15:42] And how does it do that?

Charles Clancy: [00:15:44] So a specific example would be as you look at jamming technology, it used to be jammers would just blast out Gaussian noise...

Dave Bittner: [00:15:53] Right.

Charles Clancy: [00:15:53] ...That was completely unrelated to the signal they were seeking to jam.

Dave Bittner: [00:15:56] Spark gap generator - that sort of thing?

Charles Clancy: [00:15:59] Exactly. As we've seen over the last, probably, 10 years, jammers have gotten more sophisticated. They are creating waveforms that are specifically targeting their adversaries' signals and are, in some cases, designing signals specifically to target adversaries as they transmit it over the air. So any time an adversary is making decisions about how to jam you and what energy to transmit based on what you're doing, you can actually use that against them and use their jamming signal as a way to amplify your own signal.

Charles Clancy: [00:16:31] So the simple example might be if you have a signal - a weak signal that can transmit on two different channels - Channel A or Channel B - and you have a smart jammer that is transmitting high-power jamming signal on Channel A or Channel B, you basically just bounce back-and-forth between Channel A and Channel B. One represents a one and the other represents a zero, and the jammer is sort of playing whack-a-mole and jamming you, but the person you're communicating with can just observe what channel the jammer is jamming in order to decode your signal.

Dave Bittner: [00:17:00] That's interesting. So, yes, using the ability for the jammer to be agile, in this case, is actually to your benefit and not theirs.

Charles Clancy: [00:17:10] Exactly. Now, of course, this is very proof of concept and preliminary - certainly haven't demonstrated this against any actual systems in the world. But it's a really interesting example of a proof point that there may be a whole additional realm of robust and resilient communications particularly military users can explore over the coming years in order to ensure that their systems are available in the face of an increasingly sophisticated adversary.

Dave Bittner: [00:17:36] All right. Well, it's interesting stuff, as always. Dr. Charles Clancy, thanks for joining us.

Dave Bittner: [00:17:44] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.