Fancy Bear indictments. VPNFilter found in Ukrainian water-treatment chlorine plant. Comment spam. Speculative execution side-channel attacks. MDM exploits in India
Dave Bittner: [00:00:03] Special counsel Mueller secures an indictment of 12 Russian intelligence officers for hacking during the 2016 U.S. presidential elections. Ukraine finds VPNFilter in a water treatment facility. Comment spam returns. Speculative execution issues. Mobile device management tools have been used against smartphone users in India. The U.S. Army directly commissions two cyber operators. Congratulations, first lieutenants.
Dave Bittner: [00:00:36] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding of the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:50] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for this lucky Friday the 13 of July, 2018.
Dave Bittner: [00:01:59] This afternoon, it was announced that special counsel Robert Mueller, who's been investigating matters related to hacking during the 2016 U.S. elections, has secured 12 more indictments. The accused are all Russian nationals - all, in fact, officers of Russia's GRU military intelligence service. The indictment, unsealed a few hours ago, outlines a conspiracy. The GRU officers, the document says, quote, "knowingly and intentionally conspired with each other and with persons known and unknown to the grand jury - collectively, the conspirators - to gain unauthorized access to hack into the computers of U.S. persons and entities involved in the 2016 U.S. presidential election, steal documents from these computers and stage release of the stolen documents to interfere with the 2016 U.S. presidential election," end quote.
Dave Bittner: [00:02:52] The charges outlined the now-familiar Fancy Bear story, which it traces to at least March 2016, when the conspirators hacked email accounts of employees and volunteers working on Hillary Clinton's presidential campaign, including the emails of campaign chairman John Podesta. The indictment offers an interesting overview of Russian organization for a cyber campaign. Ground zero of the operation was 20 Komsomolskiy Prospekt in Moscow, where GRU unit 26165 was located.
Dave Bittner: [00:03:25] Unit 26165 had, or has, a sub-unit whose mission includes, quote, "targeting military, political, governmental and non-governmental organizations with spear phishing emails and other computer intrusion activity," end quote. The typical phish bait used represented itself as being from Google. Another sub-unit of 26165 was charged with malware development, including the X-Agent implants used against the Clinton campaign and the Democratic National Committee.
Dave Bittner: [00:03:55] There was another GRU outfit, unit 74455, this one located at 22 Kirova St., Moscow, in a building the GRU calls the Tower. This was where the sock puppeteers worked, and their part of the operation was to coordinate release of stolen documents through DCLeaks and Guccifer 2.0 personas, the promotion of those releases and the publication of anti-Clinton content on social media accounts operated by the GRU. Thus, DCLeaks leaks and Guccifer 2.0 are explicitly called out as fake persona the GRU used to lend a veneer of hacktivism to their work. DCLeaks represented itself as a group of concerned Americans, at least three of whom - all catfish - had names. Alice Donovan, Jason Scott and Richard Gingrey. This was a principal conduit for information operations.
Dave Bittner: [00:04:50] So unit 26165 got the discreditable emails from the Clinton campaign and the DNC, and unit 74455 employed them in the GRU's information operations campaign. The social engineering tactics are familiar ones - spearphishing and impersonation of an individual's email address off by just one character. The malware implants included keylogging and screenshot functionality that enabled credential theft. They began covering their tracks after the DNC, suspecting something was up, hired what the indictment calls Company One - almost certainly CrowdStrike - to investigate and remediate the incident.
Dave Bittner: [00:05:33] Part of the track covering involved the creation of Guccifer 2.0 when the DNC said the Russians were behind the hack. This persona asked to be taken at face value as a Romanian successor to the original Guccifer, Marcel Lazar Lehel, a hacker of celebrities and politicians who's currently a guest of the U.S. Bureau of Prisons. Guccifer 2.0 was not a particularly convincing impostor, too obviously a camel that is a horse designed by committee and not at all a hipster hacker.
Dave Bittner: [00:06:07] The Russian officials are charged with various counts of conspiracy, aggravated identity theft, money laundering and, of course, illicit access to computers. It is, of course, unlikely in the extreme that any of these GRU hoods will ever wind up in a Yankee courtroom. But on the other hand, you never know. Someone might go to the Maldives on a honeymoon, or more likely a retirement vacation, there to be scooped up by local authorities and handed over to U.S. Marshals for extradition. One more question. So much for Fancy Bear, but is Cozy Bear feeling left out by all the attention her sister's getting?
Dave Bittner: [00:06:45] It's worth noting that NATO's meetings this week arrived at some resolutions committing to operations in cyberspace. The discussions were particularly direct in calling out hostile disinformation campaigns as a threat. Reports this week offer new details on probable Russian information operations directed against French and U.S. elections. And President Trump has said he intends to ask President Putin about Russian hacking during their upcoming summit. The indictment should render that particular conversation livelier.
Dave Bittner: [00:07:18] Ukrainian authorities say they've detected and stopped a VPNFilter attack against a chemical plant engaged in chlorine distribution to water purification plants. Details are still emerging, and the investigation is in its early stages. VPNFilter is a modular attack platform that shares some features with DarkEnergy (ph), well adapted to information stealing. It's not clear whether or how the attack might have produced physical damage, but a cyber operation that touched water distribution would be alarming.
Dave Bittner: [00:07:50] Cisco's Talos group has found a carefully constructed, highly targeted campaign against a small number of smartphone users in India. The hack is interesting because it uses a mobile device management system similar to those enterprises used for legitimate purposes in order to gain control of its victims' phones.
Dave Bittner: [00:08:09] Comment spam has resurfaced on WordPress blogs. The malicious comments direct the unwary to World Cup betting sites. Bloggers, click your comments with caution.
Dave Bittner: [00:08:20] Following revelation of the spawn of Spectre chip issues, Intel released notes on patches and mitigations for newly discovered speculative execution side-channel vulnerabilities. Chrome's site isolation feature is offered as a mitigation for Spectre-class bugs.
Dave Bittner: [00:08:38] Russia resumes its path toward internet autarchy with its parallel internet set to reach significant initial milestones at the beginning of August. It may not make economic sense, but that's not the point. Observers say it's technically possible, but it wouldn't be the sort of thing you would attempt without a certain obsessiveness about controlling the flow of information.
Dave Bittner: [00:09:00] Australia has succeeded in excluding Huawei away from an undersea communications cable that would serve the Solomon Islands and Papua New Guinea. The cable transits Australian territory, and authorities in that country have been concerned about the security threat Huawei's participation might have posed.
Dave Bittner: [00:09:18] And finally, the U.S. Army, as planned, has issued its first two direct commissions into its new cyber branch. The officers enter as first lieutenants. Such direct commissions have been offered for some years to medical and legal professions. It's a sign of the times that the senior service is now looking for hacking chops the way it's traditionally looked for JDs, MDs and RNs.
Dave Bittner: [00:09:46] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled "More is Not More: Busting the Myth that More Threat Intel Feeds Lead to Better Security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account, visit threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:11:06] As you may have heard, California recently passed some sweeping new privacy laws. We spoke with legal expert Ben Yelin about the new standards as they were being voted on. His early take on their importance holds up well.
Ben Yelin: [00:11:19] So this is going to be one of several items on the California ballot this fall, as there always are. Being a native Californian, you have to read up, you know, on 100-page voter guides just to make it to the voting booth. And here, we're going to - California voters are going to be voting on a very important issue, and that's the California Consumer Privacy Act. It's qualified for the ballot. It has a sufficient number of signatures.
Ben Yelin: [00:11:46] And what the measure would do is it would give consumers the right to ask companies for certain information about them that is collected, sold or disclosed to third parties. And it would allow customers to ask to whom and where that information has been collected, sold or disclosed. Now, what's particularly unique about this measure is that it would give customers a potential cause of action even if they cannot prove that their information was collected by a third party.
Ben Yelin: [00:12:19] So that's - you know, the main issue we've seen a lot of litigations having to do with electronic privacy is that oftentimes a person does not know that their information has been collected, whether it be by the government or some sort of third party private organization. And under our Constitution and under our legal system, you generally have to have standing to make it in a court of law.
Dave Bittner: [00:12:41] Right.
Ben Yelin: [00:12:41] You have to prove that you yourself have been injured, and that's often very difficult. What California is attempting to do with this ballot initiative is establish standing by statute. So every customer within the state would have a cause of action. Even if they couldn't prove, even if they didn't have any evidence that their information had been sold to a third party, they could bring litigation against the entities that collected that information. And that would absolutely lead to a lot of litigation, you know, especially if word of mouth gets around that it's, you know, a successful way for people to claim damages.
Ben Yelin: [00:13:19] You know, everybody wants their piece of the pie. And it's something that could really tie up courts. And I also think, you know, this is an instance where most of the major tech companies are located in California, and I think they have to start thinking very carefully now five months in advance of the election about compliance and how are they - how they're going to adjust to a world in which this measure is adopted by the voters.
Ben Yelin: [00:13:48] I also anticipate that there will be a lot of organized opposition to this. You know, whether that proves successful, obviously most people in principle are going to want to protect their personal information, so it'll be interesting to see how the technological companies and their allies try to sway the public otherwise.
Dave Bittner: [00:14:08] Now, given the size of California's economy, what would be the trickle down of this to how these companies deal with privacy for folks throughout the rest of the U.S. and the world?
Ben Yelin: [00:14:20] Yeah. I mean, really, this is a scalability problem. We saw it with what happened in Europe with GDPR where you have this new data privacy law and because such a large customer base was in Europe, once the company has to change its policy for one jurisdiction - all of us got a million notifications saying that Google's policies, Facebook's privacy policies had been updated - you know, it'll just become your standard business practice to adopt your privacy standards. And, you know, I don't have the exact figures in front of me, but I think California itself is the world's, like, eighth-largest economy.
Ben Yelin: [00:14:56] So, you know, if they're adopting these stringent standards with such a broad customer base, I think it's going to be in the interest of the tech companies to adjust their privacy settings, their terms of service. They generally don't want to have 50 separate terms of service arrangements with all 50 states in the United States. So, you know, they're going to try to come up with procedures and practices that comply with the most stringent standards. And if this measure were adopted, the most stringent standards would be in California.
Dave Bittner: [00:15:30] All right. Well, we will keep an eye on it. As always, Ben Yelin, thanks for joining us.
Ben Yelin: [00:15:34] Thank you.
Dave Bittner: [00:15:39] And now, some notes from our sponsor, Cylance. You remember the old song (singing) thanks for the memories. Well, sure, but no thanks for the memory-based attacks, this increasingly common class of cyberattack. The experts at Cylance will tell you it goes after memory as opposed to more traditional targets, like file directories or registry keys. They usually start when a script or file gets into an endpoint without exhibiting traditional file features. Once they're loaded, they execute and use the system's own tools and resources against the system itself. If you go to threatvector.cylance.com, you can check out their report on memory attacks. That's threatvector.cylance.com. We're pleased to say they're not just sponsors of the CyberWire. They're the people who protect our endpoints. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:16:40] My guest today is Martin Hellman. He's professor emeritus of electrical engineering at Stanford University and perhaps best known for his invention of public key cryptography in cooperation with Whitfield Diffie and Ralph Merkle. In 2015, he won the prestigious Turing Award along with Whitfield Diffie. He's the author of a number of publications, the most recent of which he co-authored with his wife, Dorothie, titled "A New Map For Relationships: Creating True Love At Home And Peace On The Planet."
Martin Hellman: [00:17:11] In March 1975, the National Bureau of Standards, as it was then called, promulgated or put forth a proposed data encryption standard for commercial - or actually for governmental unclassified use but for sensitive data. And, of course, it was going to become a commercial standard as well. Whit Diffie and I, my colleague in crime - partner in crime and I realized that the 56-bit key size was at best marginal. It's kind of like having a thousand combinations for a combination lock. It's great for locking up your bike but not so great for locking up $100 million worth of information.
Martin Hellman: [00:17:49] And so we wrote some nice letters to NBS, which they pretty much ignored. And after about six months - so now we're getting toward the later part of 1975 - we started to get more pointed, and we realized that this was in fact not a bug but a feature. NSA didn't want a publicly available standard that they could not break. And so we started to contact Congress, the media, trying to create some interest in solving what was fundamentally a political problem. And two high-level NSA employees flew out from Maryland to meet with us and told us you're wrong, but please be quiet. If you continue talking this way, you're going to cause grave harm to national security. Of course, that makes no sense (unintelligible).
Dave Bittner: [00:18:38] Right, that you're wrong, that - yeah (laughter) right.
Martin Hellman: [00:18:38] Right. What they were saying is you're right, but if you keep talking this way, you're going to cause grave harm to national security. Their concern was that we were - in telling the American public, American industry and even parts of the American government how to protect their secrets better, we were also telling criminals, foreign governments, terrorists how to protect their secrets as well. It's an unavoidable trade-off. And so I had to figure out what to do.
Dave Bittner: [00:19:02] Take me through that decision-making process because, as you describe it in the book, there's a good bit of nuance here.
Martin Hellman: [00:19:08] Oh, it was quite amazing, yes. So I went home that night to figure out the right thing to do. My intellect was telling me the right thing was to go public with this, that NSA should not make a decision all by itself in secret about what was best for the country because they were an interested party. And on the other hand, I had - and also the United States was the most - is - was and is the most computerized nation in the world whereas, in those days, the Soviet Union, our main adversary, had almost no computers, especially in commercial use, personal use.
Martin Hellman: [00:19:41] So I went home to figure out the right thing to do because these NSA people were telling me just the opposite. And while I'm trying to figure out the right thing to do, an idea pops into my head. Forget about what's right and wrong. You've got a tiger by the tail. You'll never have a better chance to make an impact on the world, to be famous, infamous, whatever. Run with it. Now, who would want to jeopardize national security for those reasons? I mean, that would be egotistical. And so at the time, I - actually now I liken it to a movie where you know how the devil's on an actor's shoulder and the angel's on the other side whispering in his ear.
Dave Bittner: [00:20:20] Sure.
Martin Hellman: [00:20:20] That was the devil whispering in my shoulder, and at the time, I thought I was able to brush the devil off my shoulder and make a rational decision to go public, that it was the right thing to do. But five years later, I realized that I had fooled myself. And while I did make the right decision - and we do know that because Admiral Bobby Inman, who was director of NSA at the time, has since said in an interview about four or five years ago that it was the right decision - I realized that I had fooled myself about my motivation.
Dave Bittner: [00:20:51] Now, there's another part of the book where you describe an interpersonal communication you had - interaction - with Admiral Bobby Inman. He was the director of NSA in the late '70s. And you two got together, but you came into that meeting with some preconceived notions.
Martin Hellman: [00:21:09] Yeah. So - and this is really - this was 1978, so a couple years after the - that first meeting. We had gone public. We did have a fight. There were congressional hearings. And I get a call from Inman's office saying the director would like to meet with you if you're open to it when he's in California in a week or two, I think it was. And so I jumped at the opportunity because we had been fighting but never directly. It was all indirect - never talking to one another.
Martin Hellman: [00:21:37] And Inman shows up in my office, let's say a week or two later, and the first words out of his mouth, which I'll never forget, are it's nice to see you don't have horns because that's how I was being described at NSA. That devil on my shoulder had been integrated into me in their eyes. And I look back - I look back at him and I looked at his head and I said, same here, because I had been portraying NSA as the devil incarnate, you know? And that's what people do in these fights. And I have to give Inman the credit for opening that door.
Martin Hellman: [00:22:15] There's one other thing he told me. It was really important. He said I'm meeting with you against the advice of all the other senior people at the agency, but I don't see the harm in talking. And that was an out-of-the-box way to think - and it's one that I've since adopted both because of that and for other reasons, primarily to save my marriage and to make my marriage better - asking more questions. My wife and I've summarized it as get curious, not furious. So our initial meeting, Inman's and mine, was very cautious. But out of that, we are now actually good friends, and he signed a statement of support about eight or 10 years ago that I had written up for work I was doing to encourage a risk assessment of nuclear deterrence.
Martin Hellman: [00:23:02] How risky is it to depend on destroying the world in an effort to keep the peace? My own research leads me to believe it's horribly risky, and I felt that the international scientific community should look at this in more detail, and Admiral Inman was one of the key signers of that statement. Now, he wouldn't have signed it if he didn't agree, but he also wouldn't have signed it if he didn't trust me.
Dave Bittner: [00:23:25] Well, Marty, I have to say it is a real pleasure speaking with you. Thank you so much for taking the time. I really appreciate it. Like I said, it was a real honor and a real pleasure to get to spend this time with you.
Martin Hellman: [00:23:36] Well, thank you, and thank you for reminding me of a wonderful period in my past life.
Dave Bittner: [00:23:43] That's Martin Hellman. His new book, co-authored with his wife, Dorothie, is "A New Map For Relationships: Creating True Love At Home And Peace On The Planet."
Dave Bittner: [00:23:56] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:24:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.